Closed shipcod3 closed 3 years ago
Some more additions to VRT:
Automotive Security Misconfiguration > Bluetooth > Denial of Service (P4)
Automotive Security Misconfiguration > Bluetooth > BLE > Fingerprinting (P4)
Automotive Security Misconfiguration > Bluetooth > BLE > Unauthorized UUID Write (P2)
Automotive Security Misconfiguration > Bluetooth > Key Negotiation of Bluetooth (P1)
@lotuseatersec - we can't list Bluetooth as an asset since it is an attack surface and not just automotive-security specific, but applies to IoT as well. For assets somewhat similar to this we already have the radio head unit and the infotainment system as P4. For Fingerprinting, I am not sure if we could mark that as P4 since we have fingerprinting banners (a different kind of issue, but somewhat similar in terms of info gathering) as P5.
The ones proposed in the thread have gone with the decision already and are calculated via TARA. Thus, we can't include this yet.
As discussed with @plr0man here are some revisions:
Automotive Security Misconfiguration > CAN Injection > Battery Management System (P3)
Automotive Security Misconfiguration > Battery Management System > Firmware Dump (P3)
Automotive Security Misconfiguration > Battery Management System > Fraudulent Interface (P4)
Automotive Security Misconfiguration > CAN Injection > Steering Control (P3)
Automotive Security Misconfiguration > CAN Injection > Pyrotechnical Device Deployment Tool (P3)
Automotive Security Misconfiguration > CAN Injection > Headlights (P3)
Automotive Security Misconfiguration > GNSS / GPS > Spoofing (P4)
Automotive Security Misconfiguration > CAN Injection > Sensors (P3)
Automotive Security Misconfiguration > Immobilizer > Engine Start (P3)
Automotive Security Misconfiguration > CAN Injection > Vehicle Anti-theft Systems (P3)
Automotive Security Misconfiguration > Automatic Braking System > Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration > CAN Injection > Powertrain (P3)
Automotive Security Misconfiguration > CAN Injection > Basic Safety Message (P3)
Automotive Security Misconfiguration > Roadside Unit (RSU) > Sybil Attack (P4)
Automotive Security Misconfiguration > Infotainment, Radio Head Unit > OTA Firmware Manipulation (P2)
Automotive Security Misconfiguration > Radio Head Unit > Denial of Service (P4)
Thanks @shipcod3! Additional suggestions from my end:
Unless we expect the proposed `Automotive Security Misconfiguration -> Infotainment, Radio Head Unit` to grow in the future (only one variant currently proposed under this subcategory), it may be better to split this between the already existing `Infotainment` and the proposed `Radio Head Unit` subcategories, instead of creating a dedicated mutual subcategory. So instead of `Automotive Security Misconfiguration > Infotainment, Radio Head Unit > OTA Firmware Manipulation (P2)` the result would be to add these two:
- Automotive Security Misconfiguration -> Infotainment -> OTA Firmware Manipulation (P2)
- Automotive Security Misconfiguration -> Radio Head Unit -> OTA Firmware Manipulation (P2)
The alternative would be to get rid of `Radio Head Unit` and `Infotainment` and have one mutual `Infotainment, Radio Head Unit`.
I wonder if there is anything we can do to marry the proposed `Automotive Security Misconfiguration -> CAN Injection` subcategory and the two already existing entries:
- Automotive Security Misconfiguration -> CAN -> Injection (Disallowed Messages) (P4)
- Automotive Security Misconfiguration -> CAN -> Injection (DoS) (P4)
We could probably move those from `Automotive Security Misconfiguration -> CAN` to `Automotive Security Misconfiguration -> CAN Injection`, or vice versa.
Here is one option of what this could look like with both points taken into consideration:
Automotive Security Misconfiguration -> CAN ->
-> Injection (Battery Management System) (P3)
-> Injection (Steering Control) (P3)
-> Injection (Pyrotechnical Device Deployment Tool) (P3)
-> Injection (Headlights) (P3)
-> Injection (Sensors) (P3)
-> Injection (Vehicle Anti-theft Systems) (P3)
-> Injection (Powertrain) (P3)
-> Injection (Basic Safety Message) (P3)
-> Injection (Disallowed Messages) (P4) //already existing
-> Injection (DoS) (P4) //already existing
Automotive Security Misconfiguration -> Battery Management System ->
-> Firmware Dump (P3)
-> Fraudulent Interface (P4)
Automotive Security Misconfiguration -> GNSS / GPS -> Spoofing (P4)
Automotive Security Misconfiguration -> Immobilizer -> Engine Start (P3)
Automotive Security Misconfiguration -> Automatic Braking System -> Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration -> Roadside Unit (RSU) -> Sybil Attack (P4)
Automotive Security Misconfiguration -> Infotainment -> OTA Firmware Manipulation (P2)
Automotive Security Misconfiguration -> Radio Head Unit ->
-> OTA Firmware Manipulation (P2)
-> Denial-of-Service (DoS) (P4)
Hey @shipcod3 - are these also in the methodologies?
@hakluke not yet, as we still need to push this one to the VRT for the mappings. I am actually currently analyzing what Pawel has in mind as I am thinking about these additions.
@plr0man - Let's have one mutual Infotainment, Radio Head Unit category then. That is indeed a good idea. For the number 2 suggestion, I kinda liked this alternative you suggested:
Automotive Security Misconfiguration -> CAN ->
-> Injection (Battery Management System) (P3)
-> Injection (Steering Control) (P3)
-> Injection (Pyrotechnical Device Deployment Tool) (P3)
-> Injection (Headlights) (P3)
-> Injection (Sensors) (P3)
-> Injection (Vehicle Anti-theft Systems) (P3)
-> Injection (Powertrain) (P3)
-> Injection (Basic Safety Message) (P3)
Automotive Security Misconfiguration -> Battery Management System ->
-> Firmware Dump (P3)
-> Fraudulent Interface (P4)
Automotive Security Misconfiguration -> GNSS / GPS -> Spoofing (P4)
Automotive Security Misconfiguration -> Immobilizer -> Engine Start (P3)
Automotive Security Misconfiguration -> Automatic Braking System -> Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration -> Roadside Unit (RSU) -> Sybil Attack (P4)
Automotive Security Misconfiguration -> Radio Head Unit, Infotainment -> OTA Firmware Manipulation (P2)
How do you like to move forward after this? I would like to see your proposed suggestions all in all :)
Looks like we can have this finalized as the following:
Automotive Security Misconfiguration > CAN > Injection (Battery Management System) (P3)
Automotive Security Misconfiguration > Battery Management System > Firmware Dump (P3)
Automotive Security Misconfiguration > Battery Management System > Fraudulent Interface (P4)
Automotive Security Misconfiguration > CAN > Injection (Steering Control) (P3)
Automotive Security Misconfiguration > CAN > Injection (Pyrotechnical Device Deployment Tool) (P3)
Automotive Security Misconfiguration > CAN > Injection (Headlights) (P3)
Automotive Security Misconfiguration > GNSS / GPS > Spoofing (P4)
Automotive Security Misconfiguration > CAN Injection > Sensors (P3)
Automotive Security Misconfiguration > Immobilizer > Engine Start (P3)
Automotive Security Misconfiguration > CAN Injection > Vehicle Anti-theft Systems (P3)
Automotive Security Misconfiguration > Automatic Braking System > Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration > CAN > Injection (Powertrain) (P3)
Automotive Security Misconfiguration > CAN > Injection (Basic Safety Message) (P3)
Automotive Security Misconfiguration > Roadside Unit (RSU) > Sybil Attack (P4)
Automotive Security Misconfiguration > Infotainment, Radio Head Unit > OTA Firmware Manipulation (P2)
Automotive Security Misconfiguration > Infotainment, Radio Head Unit > Denial of Service (P4)
Sounds good! If I understand correctly we would be looking at:
Automotive Security Misconfiguration -> CAN ->
-> Injection (Battery Management System) (P3)
-> Injection (Steering Control) (P3)
-> Injection (Pyrotechnical Device Deployment Tool) (P3)
-> Injection (Headlights) (P3)
-> Injection (Sensors) (P3)
-> Injection (Vehicle Anti-theft Systems) (P3)
-> Injection (Powertrain) (P3)
-> Injection (Basic Safety Message) (P3)
-> Injection (Disallowed Messages) (P4) //already existing
-> Injection (DoS) (P4) //already existing
Automotive Security Misconfiguration -> Battery Management System ->
-> Firmware Dump (P3)
-> Fraudulent Interface (P4)
Automotive Security Misconfiguration -> GNSS / GPS -> Spoofing (P4)
Automotive Security Misconfiguration -> Immobilizer -> Engine Start (P3)
Automotive Security Misconfiguration -> Automatic Braking System -> Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration -> Roadside Unit (RSU) -> Sybil Attack (P4)
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit ->
-> OTA Firmware Manipulation (P2)
-> Denial-of-Service (DoS) (P4) //note that the existing equivalent under Infotainment has a slightly different name `Denial of Service (DoS / Brick) (P4)` not sure which name we'd end up going with
-> PII Leakage (P1) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
-> Code Execution (CAN Bus Pivot) (P2) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
-> Code Execution (No CAN Bus Pivot) (P3) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
-> Unauthorized Access to Services (API / Endpoints) (P3) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
-> Source Code Dump (P4) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
-> Default Credentials (P4) //merging existing Infotainment subcategory into `Infotainment, Radio Head Unit`
The next step, if we have a consensus, would be to come up with CVSS scores and remediation advice.
Yes, that is indeed right @plr0man. I can help you with the CVSS scores, as we already have a TARA rating for this one, and also help you with what to put in the remediation advice.
VRT | Remediation Advice | CVSS | References |
---|---|---|---|
Automotive Security Misconfiguration -> CAN -> Injection (Battery Management System) (P3) | Filter malicious CANBus requests or codes that can be injected to the battery management system. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://i.blackhat.com/USA-20/Wednesday/us-20-Kiley-Reverse-Engineering-The-Tesla-Battery-Management-System-To-Increase-Power-Available.pdf |
Automotive Security Misconfiguration -> CAN -> Injection (Steering Control) (P3) | Filter malicious CANBus requests or codes that can be injected to the steering control. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> CAN -> Injection (Pyrotechnical Device Deployment Tool) (P3) | Countermeasures of this attack include selection of suitable technologies, hard-wired plausibility checks, usage of cryptography, and hardening against brute force attacks of the keys or algorithms. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://www.rapid7.com/db/modules/post/hardware/automotive/pdt/ |
Automotive Security Misconfiguration -> CAN -> Injection (Headlights) (P3) | Filter malicious CANBus requests or codes that can be injected to the headlights. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> CAN -> Injection (Sensors) (P3) | Filter malicious CANBus requests or codes that can be used to manipulate the sensors. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> CAN -> Injection (Vehicle Anti-theft Systems) (P3) | Filter malicious CANBus requests or codes that can be used to manipulate the Vehicle Anti-theft Systems. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> CAN -> Injection (Powertrain) (P3) | Filter malicious CANBus requests or codes that can be used to manipulate the Powertrain. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> CAN -> Injection (Basic Safety Message) (P3) | Filter malicious CANBus requests or codes that can be used to manipulate the Basic Safety Message. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> Battery Management System -> Firmware Dump (P3) | Implement secure boot, obfuscate the code, and use a compression algorithm with a hardware-backed dictionary. Find creative ways to break disassemblers and debuggers. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | https://en.wikipedia.org/wiki/Security_through_obscurity , https://www.researchgate.net/publication/320859156_Source_Code_Vulnerabilities_in_IoT_Software_Systems |
Automotive Security Misconfiguration -> Battery Management System -> Fraudulent Interface (P4) | Protect the battery management system and make sure it prevents operation outside its safe operating area. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H | https://en.wikipedia.org/wiki/Battery_management_system |
Automotive Security Misconfiguration -> GNSS / GPS -> Spoofing (P4) | Implement a system that detects GPS spoofing which evaluates or prevents the system from believing and acting on the false data. | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://www.kaspersky.com/blog/gps-spoofing-protection/26837/ |
Automotive Security Misconfiguration -> Immobilizer -> Engine Start (P3) | Implement a secure gateway to protect against immobilizer attacks and assign significant bytes in data and a method to send an abnormal signal overwriting the false data when a communication error has occurred. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://www.kaspersky.com/blog/36c3-immobilizers/32419/ |
Automotive Security Misconfiguration -> Automatic Braking System -> Unintended Acceleration / Brake (P3) | Implement a secure gateway to protect against ABS attacks. | CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3 |
Automotive Security Misconfiguration -> Roadside Unit (RSU) -> Sybil Attack (P4) | Known approaches to Sybil attack prevention include identity validation, social trust graph algorithms, or economic costs, personhood validation, and application-specific defenses. | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H | https://en.wikipedia.org/wiki/Sybil_attack |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> OTA Firmware Manipulation (P2) | Implement key signing and firmware verification. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/ |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Denial of Service (DoS / Brick) (P4) | Filter malicious payloads or string attacks. Apply rate limiting on the app level side. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | https://www.owasp.org/index.php/Application_Denial_of_Service , https://www.forbes.com/sites/leemathews/2017/04/10/a-malware-outbreak-is-bricking-insecure-iot-devices/#36603e4a29a3 , https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Denial_of_Service_Cheat_Sheet.md |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> PII Leakage (P1) | Do not store PII such as call logs, text messages, and contact lists or names as plaintext in the infotainment system. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | https://www.prnewswire.com/news-releases/carsblues-vehicle-hack-exploits-vehicle-infotainment-systems-allowing-access-to-call-logs-text-messages-and-more-300751244.html |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Code Execution (CAN Bus Pivot) (P2) | Filter arbitrary commands and apply input validation to any media devices to prevent execution from the infotainment system. Make sure that the infotainment system runs in a sandboxed module and has no direct interaction with the CAN bus network. | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | https://www.vice.com/en/article/3kvw8y/researchers-hack-car-infotainment-system-and-find-sensitive-user-data-inside , https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/ , http://illmatics.com/carhacking.html |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Code Execution (No CAN Bus Pivot) (P3) | Filter arbitrary commands and apply input validation to any media devices to prevent execution from the infotainment system. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L | https://www.vice.com/en/article/3kvw8y/researchers-hack-car-infotainment-system-and-find-sensitive-user-data-inside , https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/ , http://illmatics.com/carhacking.html |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Unauthorized Access to Services (API / Endpoints) (P3) | Filter services that allow you to control the vehicle or infotainment system from being accessed by unauthorized users. Apply authentication mechanisms to certain endpoints. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L | https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Source Code Dump (P4) | Implement secure boot, obfuscate the code, and use a compression algorithm with a hardware-backed dictionary. Find creative ways to break disassemblers and debuggers. | CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | https://en.wikipedia.org/wiki/Security_through_obscurity , https://www.researchgate.net/publication/320859156_Source_Code_Vulnerabilities_in_IoT_Software_Systems |
Automotive Security Misconfiguration -> Infotainment, Radio Head Unit -> Default Credentials (P4) | Do not ship systems with any preconfigured accounts or with default and common usernames and passwords. Do not hard-code any backdoor accounts or special access mechanisms. | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002) , https://www.owasp.org/index.php/Configuration#Default_passwords |
After constant meetings and help from one of our clients in automotive security, we have finally come up with a new automotive security bug rating inspired by ISO/SAE DIS 21434 and also driven by the calculation from our customized Threat Analysis and Risk Assessment (often referred to as TARA, and used only for the purpose of automotive security bugs). Here are the proposed new additions for the VRT:
Automotive Security Misconfiguration > Battery Management System > CAN Injection (P3)
Automotive Security Misconfiguration > Battery Management System > Firmware Dump (P3)
Automotive Security Misconfiguration > Battery Management System > Fraudulent Interface (P4)
Automotive Security Misconfiguration > Steering Control > CAN Injection (P3)
Automotive Security Misconfiguration > Pyrotechnical Device Deployment Tool > CAN Injection (P3)
Automotive Security Misconfiguration > Headlights > CAN Injection (P3)
Automotive Security Misconfiguration > GNSS / GPS > Spoofing (P4)
Automotive Security Misconfiguration > Sensors > CAN Injection (P3)
Automotive Security Misconfiguration > Immobilizer > Engine Start (P3)
Automotive Security Misconfiguration > Vehicle Anti-theft Systems > CAN Injection (P3)
Automotive Security Misconfiguration > Automatic Braking System > Unintended Acceleration / Brake (P3)
Automotive Security Misconfiguration > Powertrain > CAN Injection (P3)
Automotive Security Misconfiguration > Basic Safety Message > CAN Injection (P3)
Automotive Security Misconfiguration > Roadside Unit (RSU) > Sybil Attack (P4)
Automotive Security Misconfiguration > Infotainment, Radio Head Unit > OTA Firmware Manipulation (P2)
Automotive Security Misconfiguration > Radio Head Unit > Denial of Service (P4)
I do understand that we need to have granular definitions for CAN Injection, but we believe that identifying the right assets where CAN Injection can be performed could help us in future submissions for automotive security bugs, since these assets are also calculated in our very own TARA.
Calculations were made via Exploitability, Knowledge of Target, Window of Opportunity, Proximity, Equipment Rating (Tools), Confidentiality, Availability, Integrity, and Impact to Driver / Driver Control.
For reviewers from the Bugcrowd side please do message me if there are questions regarding the TARA. Harris of Bugcrowd was also involved with the calculator ratings.