Hacking Connected Cars: Tactics, Techniques, and Procedures (Paperback)

About the Author v

Acknowledgments vii

Foreword xv

Introduction xix

Part I Tactics, Techniques, and Procedures 1

Chapter 1 Pre-Engagement 3

Penetration Testing Execution Standard 4

Scope Definition 6

Architecture 7

Full Disclosure 7

Release Cycles 7

IP Addresses 7

Source Code 8

Wireless Networks 8

Start and End Dates 8

Hardware Unique Serial Numbers 8

Rules of Engagement 9

Timeline 10

Testing Location 10

Work Breakdown Structure 10

Documentation Collection and Review 11

Example Documents 11

Project Management 13

Conception and Initiation 15

Definition and Planning 16

Launch or Execution 22

Performance/Monitoring 23

Project Close 24

Lab Setup 24

Required Hardware and Software 25

Laptop Setup 28

Rogue BTS Option 1: OsmocomBB 28

Rogue BTS Option 2: BladeRF + YateBTS 32

Setting Up Your WiFi Pineapple Tetra 35

Summary 36

Chapter 2 Intelligence Gathering 39

Asset Register 40

Reconnaissance 41

Passive Reconnaissance 42

Active Reconnaissance 56

Summary 59

Chapter 3 Threat Modeling 61

STRIDE Model 63

Threat Modeling Using STRIDE 65

VAST 74

PASTA 76

Stage 1: Define the Business and Security Objectives 77

Stage 2: Define the Technical Scope 78

Stage 3: Decompose the Application 79

Stage 4: Identify Threat Agents 80

Stage 5: Identify the Vulnerabilities 82

Stage 6: Enumerate the Exploits 82

Stage 7: Perform Risk and Impact Analysis 83

Summary 85

Chapter 4 Vulnerability Analysis 87

Passive and Active Analysis 88

WiFi 91

Bluetooth 100

Summary 105

Chapter 5 Exploitation 107

Creating Your Rogue BTS 108

Configuring NetworkinaPC 109

Bringing Your Rogue BTS Online 112

Hunting for the TCU 113

When You Know the MSISDN of the TCU 113

When You Know the IMSI of the TCU 114

When You Don’t Know the IMSI or MSISDN of the TCU 114

Cryptanalysis 117

Encryption Keys 118

Impersonation Attacks 123

Summary 132

Chapter 6 Post Exploitation 133

Persistent Access 133

Creating a Reverse Shell 134

Linux Systems 136

Placing the Backdoor on the System 137

Network Sniffing 137

Infrastructure Analysis 138

Examining the Network Interfaces 139

Examining the ARP Cache 139

Examining DNS 141

Examining the Routing Table 142

Identifying Services 143

Fuzzing 143

Filesystem Analysis 148

Command-Line History 148

Core Dump Files 148

Debug Log Files 149

Credentials and Certificates 149

Over-the-Air Updates 149

Summary 150

Part II Risk Management 153

Chapter 7 Risk Management 155

Frameworks 156

Establishing the Risk Management Program 158

SAE J3061 159

ISO/SAE AWI 21434 163

HEAVENS 164

Threat Modeling 166

STRIDE 168

PASTA 171

TRIKE 175

Summary 176

Chapter 8 Risk-Assessment Frameworks 179

HEAVENS 180

Determining the Threat Level 180

Determining the Impact Level 183

Determining the Security Level 186

EVITA 187

Calculating Attack Potential 189

Summary 192

Chapter 9 PKI in Automotive 193

VANET 194

On-board Units 196

Roadside Unit 196

PKI in a VANET 196

Applications in a VANET 196

VANET Attack Vectors 197

802.11p Rising 197

Frequencies and Channels 197

Cryptography 198

Public Key Infrastructure 199

V2X PKI 200

IEEE US Standard 201

Certificate Security 201

Hardware Security Modules 201

Trusted Platform Modules 202

Certificate Pinning 202

PKI Implementation Failures 203

Summary 203

Chapter 10 Reporting 205

Penetration Test Report 206

Summary Page 206

Executive Summary 207

Scope 208

Methodology 209

Limitations 211

Narrative 211

Tools Used 213

Risk Rating 214

Findings 215

Remediation 217

Report Outline 217

Risk Assessment Report 218

Introduction 219

References 220

Functional Description 220

Head Unit 220

System Interface 221

Threat Model 222

Threat Analysis 223

Impact Assessment 224

Risk Assessment 224

Security Control Assessment 226

Example Risk Assessment Table 229

Summary 230

Index 233