By Land, By Sea, By Air… brought to you by One World Labs (OWL) Research Chris/Jesse (Thanks Jinx!)

DESCRIPTION

Chris Roberts (One World Labs) (HackCon 2012)


  • By Land, By Sea, By Air

    Brought to you by One World Labs (OWL) Research, Chris/Jesse (Thanks Jinx!)

  • Overview

    Cars (updated from 2012): breaking them down, making friends with Mercedes, Volvo etc. Architecture and attack vectors.

    Floating things: fishing for ferries, simple Wi-Fi attacks.

    Tractors. Seriously? What started it, and why. Methods for accomplishing the evil genius plan.

    All things with engines: busses and trams (Oslo ones noted, targets were in the USA). Boeing again, this time Dreamliners. Drones, quick thoughts on what to do with the pesky things.

    Missiles and things that go bang: PAC-3, a Coyote and Dr. Strangelove.

    Q&A: ask questions throughout.

  • Un-Hackable

    Not a challenge, merely a statement. Based on the LACK of built-in electronics.

    John Deere Model B and a Witte 2hp hit-and-miss engine.

  • Un-Hackable

    Yea, we know about these, early days of cruise liners designed to go forth and make friends.

    Anyone want to guess whose? (bonus points for date) (First Norwegian plane, 1912)

  • Hackable

    Mercedes E220 CDI, between 80 and 100 million lines of code!

    Modern combine harvester, 500-1M lines of code, not including the different heads.

    Modern aviation, 5 to 7 million lines of code (not including the entertainment systems).

  • Putting it into Perspective

    (Chart: vehicle vs. quantity of code)

    Something to consider here is the security of the code: who's using, accessing, developing, and which of the 3rd party organizations are managing the source code, or portions thereof? (here's a hint... the Mercedes code is less distributed)

  • Example of Progress... Brakes

    Evolution from Un-Hackable to Hackable.

    And to add insult to injury, this doesn't take into consideration the airbag processors, Safe-Net, tyre pressure sensors, TCS or the myriad of other systems built around JUST brakes.

  • CAN (Controller Area Network) Bus and AUTOSAR (AUTomotive Open System Architecture)

    Thanks to jcelectronica.com for the graphics!

  • Cars Overview (and updates)

    Main CAN networks within a vehicle; the image only shows a low number of devices attached to the networks.

    CAN and MOST networks' interoperability within the vehicle. Primary access is via the Bluetooth interface, which can be on either system (we love standards... not!)

  • MOST Architecture

    The communication profile defines that in a CANopen network there must be at least one master application and one or several slave applications; the main target for the management of this is the CGW (gateway module). Applications being defined as ABS, cruise control etc.

    Every slave node contains a state machine with four states: 1. Initialization, 2. Pre-Operational, 3. Operational, 4. Prepared. There are primarily 5 different management messages that can be sent to these nodes:
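As an added example (not code from the talk), the slave state machine described above modelled in Python and driven by a constructed CAN log, the way a gateway or bus monitor could flag NMT commands that take a node such as ABS out of Operational. State names follow the slide (CiA 301 now calls "Prepared" "Stopped"); the command specifiers are the standard NMT values, and node IDs 0x21/0x22 are made up for the demo.

```python
"""CANopen NMT slave state machine (Initialization, Pre-Operational,
Operational, Prepared) replayed over a constructed CAN log so a monitor can
flag NMT commands that knock a node out of Operational. Added example;
command specifiers are the standard CiA 301 values, node IDs are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NMT_COB_ID = 0x000  # NMT master commands are sent with COB-ID 0 (highest priority)
CMD_START, CMD_STOP, CMD_PREOP, CMD_RESET_NODE, CMD_RESET_COMM = 0x01, 0x02, 0x80, 0x81, 0x82
CMD_NAMES = {CMD_START: "start", CMD_STOP: "stop", CMD_PREOP: "enter pre-operational",
             CMD_RESET_NODE: "reset node", CMD_RESET_COMM: "reset communication"}

INIT, PREOP, OPER, PREPARED = "Initialization", "Pre-Operational", "Operational", "Prepared"

# (current state, command) -> next state; anything not listed leaves the state unchanged
TRANSITIONS = {
    (PREOP, CMD_START): OPER, (PREPARED, CMD_START): OPER,
    (PREOP, CMD_STOP): PREPARED, (OPER, CMD_STOP): PREPARED,
    (OPER, CMD_PREOP): PREOP, (PREPARED, CMD_PREOP): PREOP,
}


@dataclass
class Node:
    node_id: int
    state: str = PREOP  # a slave auto-boots from Initialization into Pre-Operational
    history: List[str] = field(default_factory=list)

    def apply(self, cmd: int) -> str:
        if cmd in (CMD_RESET_NODE, CMD_RESET_COMM):
            # both resets pass through Initialization and boot straight back to Pre-Operational
            self.history += [INIT, PREOP]
            self.state = PREOP
        else:
            self.state = TRANSITIONS.get((self.state, cmd), self.state)
            self.history.append(self.state)
        return self.state


def parse_nmt(cob_id: int, data: bytes) -> Optional[Tuple[int, int]]:
    """NMT frames are two bytes: command specifier, target node ID (0 = every slave)."""
    if cob_id != NMT_COB_ID or len(data) != 2:
        return None
    return data[0], data[1]


def replay(frames, node_ids) -> Tuple[Dict[int, Node], List[str]]:
    """Drive the per-node state machines with each NMT frame; return nodes and alerts."""
    nodes = {n: Node(n) for n in node_ids}
    alerts: List[str] = []
    for ts, cob_id, data in frames:
        parsed = parse_nmt(cob_id, data)
        if parsed is None:
            continue  # PDO/SDO/heartbeat traffic does not change NMT state
        cmd, target = parsed
        for node in nodes.values():
            if target not in (0, node.node_id):
                continue
            before = node.state
            after = node.apply(cmd)
            if before == OPER and after != OPER:
                alerts.append(f"t={ts:.2f}s: '{CMD_NAMES.get(cmd, hex(cmd))}' "
                              f"took node 0x{node.node_id:02X} out of Operational")
    return nodes, alerts


# Constructed sample log: (timestamp, COB-ID, payload). Node 0x21 stands in for ABS,
# node 0x22 for cruise control; both IDs are made up for the demo.
SAMPLE_FRAMES = [
    (0.00, 0x000, bytes([CMD_START, 0x00])),    # master starts every slave
    (0.10, 0x1A1, bytes([0x12, 0x34, 0x56])),   # ordinary PDO data, ignored by the monitor
    (0.50, 0x000, bytes([CMD_STOP, 0x21])),     # only node 0x21 is stopped
    (0.80, 0x000, bytes([CMD_RESET_NODE, 0])),  # broadcast reset
]

if __name__ == "__main__":
    nodes, alerts = replay(SAMPLE_FRAMES, [0x21, 0x22])
    for n in nodes.values():
        print(f"node 0x{n.node_id:02X}: {' -> '.join([PREOP] + n.history)}")
    print("\n".join(alerts))
```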

  • Intellibus Exploded

    Thanks Boeing for the graphics... more on this one later.

  • Traditional Access Controls

    Original access controls involved PHYSICAL access to the target system, either through independent/human analysis or OBD-II (later years); all required access and physical presence on-site.

  • OUR Access Controls

    Laptop with necessary software (will go into that in a moment), Bluetooth adaptor, and either a software patch for 232/Bluetooth or a dongle/serial/USB device that can take output and move data across the Bluetooth spectrum (2.4GHz).

  • The Easier Way

    There is also logging software that once connected to the vehicle will initiate a sniffer/management interface to be able to query what devices are embedded. (ALL can be run via Bluetooth over RS232)

    Vehicle tuning software freely available, most of the systems have the necessary embedded logging, monitoring and management software.

  • In Practice... Yesterday

    Fishing lessons for what is advertising within the 2.4GHz spectrum... this is one method for examining what targets are within range. At this point you will also need VISUAL identification to understand attack vectors (different based on vehicle type).

  • Volvo Fishing from the 6th Floor

    Making friends with a Volvo while sitting in Joe's Application Penetration Lesson... to the side is the CAN232HSW, below is the latest EControls S/W with the Bluetooth Capture Interface running.

    And YES, we made friends with it.

  • In Practice... This Morning

    For all those who are not Linux friendly, Mac/Windows has multiple Bluetooth sniffers/scanners that can be used for initial target analysis.

  • Mercedes CAN Bus PID IDs

    Simple spreadsheet demonstrating the availability of the CAN Bus IDs necessary for the injection (in this case, this morning we decided to put all the taxis into neutral: #003-6-0-0-0-0-0-40-0-0 PID ID injection).

  • Data Elements... Background

    Vehicle architectures, CANBUS and other necessary data elements are regularly posted on-line; below, Mercedes E220 Diesel ABS/engine management systems are noted, allowing us to modify and/or influence the control surfaces.

  • Our Test Subjects

    Mercedes S600 interface

    Porsche interface. Main Audi/VW group interface, this was done on an A8L.

    Think of all the fun you could have bringing the Presidential motorcade to a standstill in the middle of DC one day... (Kidding, honest)

  • Other Targets

    Engine ignition (spark, timing etc), fuel injection, emissions controls, collision avoidance systems, heating/air conditioning, navigation systems, suspension systems, transmission controls, lights, horn, wipers, defrosters, entertainment systems, braking (anti-lock brakes), steering (steering assist etc), seat & pedal positions, communication systems, safety systems, noise cancellation, security systems.

    Current vehicle designs have +/- 100 processors/microprocessors/chipsets.

    Number of processors expected to double within the next 5 years.

    A typical car contains 3 to 5 miles of wiring.

  • Ferries... Briefly: making friends with the ferries down at the docks

  • Sit!! Stay, No Damn Walkies!

    Doesn't help when the prey leaves the scene of attack on a semi-regular basis... patience is a virtue, so is knowing/understanding how long you have to prepare and execute an attack... even more of an issue when dealing with cars in traffic.

  • Despite Walkies... p0wned

    Remember, patience is a virtue... this morning's activities (EARLY morning).

  • Tractors:

    Remember Un-Hackable?

    NEVER say Un-Hackable

  • Tractors

    Why? Blame Jesse, and a late evening over pancakes.

    Why again? Because cars are single/one-time hits. Because nobody else has done it. 2 billion metric tons of food (more on that later).

    Seriously? Yes, seriously, bear with us on this... we are not going to give away the code, but we'll at least point you in the right direction.

  • How to Tractor Jack

    Several components to the art of tractor configurations:

    Main target needs to remain oblivious.

    The distribution: same process as virus/trojan propagation, you need a host and a carrier.

    Distributed architecture (We love FTP servers).

    Simple code insertion and/or manipulation.

  • Method 1 - Variables

    Easier of the two methods; still involves a re-write of the configuration file, however the depth variable JUST needs to be fooled.

    Ensure within the code you at least attempt to hide the variables.

    GUI depth has to remain constant, whereas the code depth variable can be adjusted for a different unit of measurement. WYSIWYG (Not!).

    Within two of the consoles the variables are standard library input/outputs, so the knowledge base necessary is minimal (cin/cout for one of them).

    In ALL cases a detailed understanding of ISOBUS will be necessary (John Deere's ISOBUS Data Dictionary is 159 etc.)

    IDA Pro Software

  • Method 2 - 1+1=3 Code

    Some of the systems do not use simple depth variables; for these we need to do some math adjustment.

    Code dependent upon manufacturer.

    Simply put, we need to influence the libraries that are in place by adding in our own adjustments.

    Specify (declare) the integer and then ensure the correct library variables are found, and then just simply cout/cin!

  • Deployment

    Coding done, deployment method is by utilizing the existing infrastructure (and programs deployed by manufacturers).

    Two options here: upload to the manufacturer's server (use your imagination!), or direct influence of the endpoint devices (PCs that manage the in-tractor consoles). This can be done by identifying networks and then the correct open ports... hint (use a bloody sniffer & proxy on your code!)

    Don't forget the language variants for the config files!

    Certify/sign the code; a couple of the sneakier manufacturers have some level of security. Circumventing this is simply taking the original code, decompiling (IDA etc.) and then reverse engineering into the authentication methodology.

  • Now What?

    Code deployed, now it's a matter of waiting for the updates to be picked up by the endpoint PCs.

    From PCs (which automatically pick up updates) the consoles on-board are updated via USB cable/card/stick.

    As long as you've done your work correctly the new configuration will be accepted by the terminal and adjusted rates are now offset to your specifications.

    Our test subjects, yellow/green tractors, accepted the modified code on the second try... (the test)
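The terminal-side check that closes off both Method 1/2 and the Deployment path above, as an added example (not the talk's or any manufacturer's code): verify a keyed MAC over the configuration file before parsing it, then range-check depth and spacing in one fixed unit so a "same GUI value, different unit" edit is rejected. Assumed, not from the slides: a simple key=value file format, an HMAC-SHA256 "sig=" trailer, and a per-fleet key shared between manufacturer server and terminal.

```python
"""Terminal-side acceptance check for planter configuration files: MAC
verification before parsing, then unit-normalised range checks on the
controlled variables. Added example; file format, 'sig=' trailer and the
fleet key are assumptions, and the limits are constructed for the demo."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

FLEET_KEY = b"constructed-demo-key-not-a-real-secret"   # placeholder, never ship a fixed key
UNIT_TO_MM = {"mm": 1.0, "cm": 10.0, "in": 25.4}
# Acceptable seeding ranges in millimetres (constructed for the demo, not real agronomy)
LIMITS_MM = {"depth": (20.0, 100.0), "spacing": (100.0, 400.0)}


def _mac(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_config(body: str, key: bytes = FLEET_KEY) -> str:
    """What the (trusted) manufacturer server would append before publishing."""
    body = body.rstrip("\n")
    return f"{body}\nsig={_mac(body, key)}\n"


def _split_signature(text: str) -> Tuple[str, Optional[str]]:
    lines = text.rstrip("\n").split("\n")
    if not lines[-1].startswith("sig="):
        return text, None
    return "\n".join(lines[:-1]), lines[-1][len("sig="):]


def _parse_kv(body: str) -> Dict[str, str]:
    vals: Dict[str, str] = {}
    for line in body.split("\n"):
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            vals[k.strip()] = v.strip()
    return vals


def verify_config(text: str, key: bytes = FLEET_KEY) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Accept only if the MAC is valid AND every
    controlled variable lands inside its range after unit conversion."""
    body, sig = _split_signature(text)
    if sig is None:
        return False, ["unsigned configuration"]
    if not hmac.compare_digest(_mac(body, key), sig):
        return False, ["bad signature"]   # untrusted bytes are never parsed further
    vals = _parse_kv(body)
    factor = UNIT_TO_MM.get(vals.get("unit", ""))
    if factor is None:
        return False, [f"unknown or missing unit {vals.get('unit')!r}"]
    reasons: List[str] = []
    for name, (lo, hi) in LIMITS_MM.items():
        try:
            mm = float(vals[name]) * factor
        except (KeyError, ValueError):
            reasons.append(f"{name} missing or not numeric")
            continue
        if not lo <= mm <= hi:
            reasons.append(f"{name}={mm:g} mm outside {lo:g}-{hi:g} mm")
    return (not reasons), reasons


# Constructed sample files
GOOD = sign_config("unit=cm\ndepth=5\nspacing=15\n")        # 50 mm / 150 mm
SHALLOW = sign_config("unit=in\ndepth=0.5\nspacing=6\n")    # 12.7 mm: the slide's shallow setting
TAMPERED = GOOD.replace("depth=5", "depth=1")               # edited after signing

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("shallow", SHALLOW), ("tampered", TAMPERED)):
        print(label, verify_config(cfg))
```

A shared HMAC key can be lifted from a terminal image, which is exactly the decompile-and-reverse step the Deployment slide describes; a public-key signature (only the verifying key on the terminal) closes that gap, and the range check still catches a validly signed but agronomically absurd file.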

  • Now We Wait

    Given all that's past, the following happens:

    Crop sown March/April. Sprouting 2-4 weeks later (IF it were normal). Configuration file 1 should have a shallow setting, thus increasing frost and/or wind damage (roots etc) (1+1=1.5).

    At this point the crop producer realizes they have an issue, and re-seeding would occur; then we have two options. Same configuration file 1 would have the shallow setting, thus increasing wind damage (roots etc) (1+1=1.5), OR a secondary configuration file is available that now has a depth variable of 1+1=4 (or more...) so crops would eventually come up... but too late for harvest (affects germination).

    OR given we have access to the planter, and it's possible that depth would be suspected, modify the spacing variable and decrease yield (seed weight variable in some Mnf.)

  • Target Audience

    USA: corn, wheat and soy

    Brazil: soybean, wheat and corn

    Europe: wheat, barley and oilseed

    China: wheat, barley, oilseed and rice

    Russia: wheat, barley, corn and sunflower

    Rough estimates: we could affect approximately 1.5-2 billion metric tons of food production... not bad for some minor edits and coding to configuration files.

  • Target Audience - Revised!

    Due to the threat of lynch mob behavior from the Thotcon crew in Chicago we have REMOVED barley from the target list (and hops), thereby preserving the BEER, and still destroying food!

    USA: corn, wheat and soy

    Brazil: soybean, wheat and corn

    Europe: wheat and oilseed

    China: wheat, oilseed and rice

    Russia: wheat, corn and sunflower

    Rough estimates: we could affect approximately 1.5 to 2 billion metric tons of food production... not bad for some minor edits and coding to configuration files.

  • Busses/Trams:

  • Busses, Reasons and Logic

    Transportation: 1000s of targets throughout the city, country etc... and if you head to the USA we have plenty. Cummins diesels (Las Vegas ones have Cummins ISL and hybrid engines... and we've tested those in-situ... thanks B-Sides).

    Freely available data on the Internet on city by city location for assessing impact.

    Ease of access: wireless and other methodologies for management of the facilities, busses, engines is readily available and does not take a genius to acquire. None of the 3rd party software packages consider security in their design/implementations.

    It's a mobile target. 40-60 human capacity, seen the movie Speed? We can do it better, faster and cleaner. It's a bus, it's there, there's lots of them and they frequently stop and present themselves in easy locations... a lot less hassle than taking out a bank these days!

  • Architecture and Access Points

    Location, location, location: bus depots, unguarded, lack of security and ease of access; most major hubs have insufficient controls both physical and electronic. Refueling points: these are already stocked with the necessary APs that can be watched, cracked and eventually cloned onto your own AP. Just ride the damn things, take public transportation.

    Architecture: wireless, several different implementations observed/tested/used so far, some simple 802.11, some utilizing the 850-1900MHz (cellular modem systems that also have the GPS units embedded).

    OBDII/J1939 connectors if you have to do the physical connections first to check out what your quarry looks like close up (SAE standard connectors).

    Access Controls:

    Access Point (used both a re-configured AirMagnet AP as well as a Sprint MiFi to test out).

    AirMagnet's wireless suite through to BackTrack's arsenal of tools; this gave both the initial "what am I dealing with" through to providing the cracked WEP keys necessary for the build.

  • Bus Menu, Pick your Targets

    Thanks to Canadian transit discussion boards we have a full menu of what's running, where it's running and what engine, transmission and systems are installed.

    Think of it as fishing with a menu: it's coordinated target practice.

  • Busses, the Take Down Game:

    Configure access point based on prior work done (wardriving the bus depot, crack the WEP password and then configure duplicate/secondary

    If you are going in S/W based then you'll need the necessary Cummins software downloaded, installed and your wireless cards communicating on the COM ports ready to work. (If using CAN only then CAN232HSW is a good program for USB/wireless activities.)

    Set: wait for your bus... ensuring your AP is advertising, and you have the Cummins INSITE program locked, loaded and waiting. (As above this is necessary for both S/W as well as the

    If you are going for a simple re-flash instead of full access you'll need the INLINE program with the modified configuration files locked/loaded and ready to send.

    Match: on the busses tested there's a 4-digit code between the cellular/802.11 access controls and the main driver interface units; lockouts are not enabled, let the brute force begin. (Simple port login code/authentication retry.)

    Controls accessed: once on the network (and authenticated) it's now possible to use the INSITE/INLINE programs to interface with the Cummins engine management systems.

  • Busses, The Variables Eco Friendly things:

    Some of those damn busses now have batteries; never fear, UQM comes to the rescue. Same basic methodology, however instead of working with RPM and other stuff, you get to play with voltage.

    Detroit: wait for your bus, accurately identify it as a Detroit, and go get coffee; they are old and they run on coal and capacitors... they are also leaving the playing field... if anyone gets a crack on one let me know (Caterpillar too).

    If you have to go find the codes: details on the CANBUS and AUTOSAR speed/modules and offsets. Get that data from either manufacturer download, or the power train site (Mercedes/Volvo/MAN).

    Physical:

    Two main options, either an OBDII-connected engine management scanner (several options available) or there's now a lot of Palm Pilot management systems that will read the majority of engines; however, we have not used these on the busses.

  • Bus Not Stop? Wifi To The Rescue

    There are two options on these types of assessments: either a rapid re-flash of the configuration files (UQM configuration package) or the Reader, which can be configured to run either wireless or Bluetooth over the Com1/3 port (serial re-mapped, or just use the O/S built-in options).

    Management software for the hybrid engines; this also works for the mall type busses (tried and tested). Concept is still the same: the AP needs to be configured for the bus to recognize and associate. Next, simple 4-digit PIN, either crack or social engineer it, and then fire up the UQM Motor S/W.

  • You Know We Had To

  • Setting the Scene

    Roles of the humble computer in planes. Components to be aware of, and acronym hell. It's secure... right? Heck, it's a damn plane after all!!

    Planes. Seriously?? From cars to planes... and how... brief insight into planning 101. The theory and practicality of tagging a 747/787/A380/F15. What you need in the toolbox (no, not giving code away).

    Scenarios and what to do with the damn idea now 35,000 feet up and it's all nice and quiet. CFIK (or how to annoy Jesse), Eco Friendly, or Nickerson Complex.

    Q&A: Ask questions throughout.

    This is your Capt. Speaking

  • Box of Electronics in the Planes

    Boeing's Electronic Distribution System (BEDS)

    Teledyne's LoadStar Server Enterprise (LSE) and NFS Devices (IP to Avionics, Off-board communications etc)

    Intellibus (Multi-drop communications via single link)

    L-3 Communications, specifically their Air Data Acquisition Systems (AirDAS) and NetDAS

  • Thanks Patent Office!

    Thankfully the Patent Office has all the Boeing patents for most on-board/off-board systems.

    And snippets of code to demonstrate their point; this data's bloody useful and allows a much clearer picture of the acronym hell to be built (and to understand how these things work).

    And if you get stuck, they have some nice relationship mapping diagrams too (thanks chaps)

  • In English? (Queen's Version)

    For this, we'll focus on Intellibus (although it's not the core of all the systems we'll hit in a moment).

    Bus Master/Controller: runs the damn network, scheduling/membership etc.

    Network Device Interfaces (NDIs) (or Intellibus Interface Modules (IBIM)): Analog (accelerometers, pressure transducers etc), Digital (MIL-STD-1553 devices), ARINC 429 devices (application specific data bus... widely used). Single/multiple channel modes.

    CIM Modules (IBIM in a can): single modules stacked for multiple uses in one chassis. Analog and digital as above, same target types!

  • Components You'll Need!

    A healthy appetite for research! And Google Docs is your friend.

    Depending upon target: Wind River's Workbench and a healthy understanding of VxWorks (Real Time OS).

    http://www.patsnap.com/patents/view/US20090138385.html# The above URL will help (A LOT) in understanding command architecture for one type of interface to the target system.

    An in-depth knowledge of DO-254.

    If you are going to write your own code: Active-HDL Testbench or similar for building, emulating and then encapsulating the code.

    Laptop with either Vista TEC S/W (Telemetry) or other controller based communication (along with interface (L-3=CDM etc.)).

    A plane or a testing environment (we'll talk about that later).

  • Theory Tagging a Plane

    Walking up with laptop and Cat-5 is not going to work... let's get that straight.

    Ground based maintenance systems are the easiest targets for access... and don't require specialized equipment.

    Secondary access vector would be the portable ground support systems.

    If you have to go in while on the plane... you'll need to get to cockpit or cabin crew areas (and will still need communication programs/SW).

  • Remember Research?

  • Enough Theory.

  • No More Theory: 787

    Left, TTP interface and software from TTTech. Right, one of the communication chips/controllers that's used by the TTP in the whole FADEC (Full Authority Digital Engine Control) that controls engines ;-)

  • No More Theory: 747

    Above is a model of the FADEC found on a 747-8; combined with the requirements from the diagram below we can ascertain that a revised Engine Rating Plug/ID Plug could be introduced (thereby circumventing the original version that's driven off the Power Lever Angle (Go-Stick)). Current: CMM IPC 73-23-15 Full Authority Digital Engine Control - GEnx 2B 16-Jul-11, 114E9849G1, 114E9849G2, 2124M70P02, 2124M70P03 GENX 2B. All we do: modify the configuration, and post via either the eADL (airborne loaders) or Portable Data Loaders.

  • Goodbye Theory Hello Helicopter

    SMART Card readers integrated into the avionics and controls within this particular target, nice thing here is the company in question also looks after both standard avionics and autopilot systems. (USB too!)

  • Toolbox 101 (And a Map)

    New version of the toolbox, used on the 757-200 from Newark to Oslo on Sunday, access to the systems through the interface under the seat that provides both power and entertainment access. Main network IS susceptible to influences

  • Next Steps 35,000 feet

    Concept: drop a plane from the sky (preferably without being on-board).

    FADEC/EEC (Full Authority Digital Engine Control): redundant systems, but no manual override, complex systems, integration issues etc... some listed below: code to documentation anomalies, incorrect code comments, redundant code, aliasing, unstructured code, mismatched data types, overflows mis-handled. Want me to carry on? This was just a helicopter's issues! 6 million lines of code, and a HEAP of errors just waiting for attention.

    TTP Modules and Controllers

  • CFIK (The Jesse) Syndrome

    Remote avionics lockout to enable a revised pre-programmed route to take over once airborne. Rockwell's AFDS-770 is the target. Controls speed, altitude, flight path/angle modes, and most importantly heading/track modes (with landing selectors).

  • Unhappy Jesse... Autopilot

  • Other Targets

  • Some Future Thoughts

    Intellibus FADEC TTP TTP/IP How about we talk about the Tactical Telemetry Systems?

  • The Nickerson Complex

    Leave plane in sky, mess with the Environmental Control Systems (ECS)

    Pressurization/depressurization of cabin systems to induce Hypoxia, mild decompression sickness etc

    You'll need the CPCS (Cabin Pressure Control System) module loader, along with a revised program that would be able to remove the ability to manually override the system; once done you can then alternate between 40,000 and 3-8,000 depending upon target system.

  • Missiles... ish:

  • Things That go Bang

    Intellibus Missiles and X-47 UCAVs Boeing & Northrop networks

    Intellibus meets IVHM Health management

  • Coyote Acquisition Method

  • Acquisition II

    SHOPPING LISTS

  • Acquisition III

    Lockheed and Portland telling us about the SQL database they are using... would be secret if they kept it OFF the bloody Internet.

    Left, packing list (Lockheed and Raytheon). Right, a man from Boeing threatening his loyal guidance system with a screwdriver.

  • Guidance Systems 101 Ok, got the guidance sorted, the challenge now is how and what to be able to influence to actually get the logic onto the device. Thankfully we yet again have the wonders of the Net to thank!

  • Tactical Telemetry (UTTM)

    Above, input/output block diagram for how it handles messages/sources. Top right, nice GUI interface to part of the device below that's attached to some of those nice missiles we talked about earlier.

  • Thanks Walter

  • Boards and Gates (Not Bill)

    FPGA (Field Programmable Gate Array), PrPMC (Processor mezzanine card... sandwich), PrXMC (switches sandwich), PrAMC (advanced sandwich card... smart!)

  • DoD Standards for PAC-3

    Now we have this, as well as the configurations for the actual communications architecture, all we need to do is put the jigsaw together: (I think)

  • PAC-3 Missile- Delivered

    Target = Guidance Systems PAC-3

    Baseline Architecture = Got that (Patent Office)

    Components Involved = Sorted (FPGA/PrPMC)

    Communication Sorted = Mac Panel/MicroTCA

    Communication Methodology = DoD Document

    How: CORDIC (so far), COordinate Rotation DIgital Computer (Math)

  • Consequences ?

    (Always wondered that, if a USA made missile, fired against a USA target would it work? Or is there any programming to terminate it?)

  • Sit! Stay! Play Dead

  • One World Labs (OWL) works with individuals and organizations ranging from small operations through to multinational corporations and regularly partners with some of the leading organizations in the field of Information Security.

    OWL Research assists businesses with all areas of data security, architecture and design, including security assessments, and critical incident response. Our in-house laboratory allows us to work at the forefront of vulnerability research, and provides valuable intelligence integrated into our service offerings. All security services are conducted by experienced and certified information security specialists.

    OWL maintains a presence in the community with regular presentations both at conferences and on TV/Cable channels.

    "Doing what little one can to increase the general stock of knowledge is as respectable an object of life, as one can in any likelihood pursue" - Charles Darwin

    Thank you! (Questions?)

  • Legal Stuff

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of One World Labs, Inc.

    Data contained in this document serves informational purposes only and does not constitute legal, regulatory, or technical advice to any specific person or entity for any particular purpose. (Nor does it demonstrate a legitimate reason to go and duplicate what you see!)

    O.W.L has no control over any information that you may access through the use of links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages or any information found therein.

    There's probably more legal language, but you get the idea: you are on your own insofar as your actions (I'm around for any questions).

    Copyright 2012 One World Labs (All rights reserved)