Episode I: Hacker Menace

Episode I: Hacker Menace - SANS · Episode I: Hacker Menace. Brief History • 1913 –Ford’s first Assembly Line –What wires there were, were direct feed ... Car Wars Author:


Brief History

• 1913 – Ford’s first Assembly Line
  – What wires there were, were direct feed
• 1968 – VW puts first on-board computer
• 1975 – Datsun 280Z – real-time fuel injection
• 1980 – First Remote Keyless Entry (RKE) systems in Fords
• 1991 – OBD-I and California Air Resources Board
• 1993 – Smart Key (Passive Key) in Chevy Corvette
• 1996 – OBD-II mandatory for all cars sold in US
• Late 1990’s – Firestone recall (100+ deaths)
• 2001 – EOBD mandatory for petrol vehicles sold in EU
• 2007 – TPMS mandated in all cars in US (ref Firestone)
• 2008 – ISO 15765-4 (CAN) required for all cars sold in US


Automobiles are made of many parts


Overview of Automotive Communication

• Digital communication
• Shared medium
  – Reduce Heavy Wiring Harnesses!
• CAN Bus – ISO 11898
• LIN – Broadcast Serial
• K-LINE, L-LINE – ISO 9141 (OBD)
• J1850 and the last generation
• Others
• Warning: MANY AND VARIED STANDARDS AHEAD
  – ISO and SAE


CAN details

• 1986 – First CAN protocol release by Bosch (CAN 2.0 in 1991)
• 1993 – ISO 11898, SAE J1939
• 8-byte messages
  – Combined to form larger messages
• Arbitration ID (11-bit / 29-bit)
  – Source?
  – Dest?
  – Type of message?
  – Anything
• ISO 15765-2 – ISO/TP (up to 4k messages)
• Used for more than just Cars!
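
Added example, not part of the original slides: ISO 15765-2 is how 8-byte CAN frames are "combined to form larger messages", and this Python code reassembles those multi-frame payloads from a log so whole diagnostic messages can be read during analysis. It assumes candump log-style lines; the sample frames are constructed and the function names are illustrative.

```python
# Added example (not from the slides): ISO 15765-2 reassembly over classic CAN.
# SAMPLE_LOG is constructed data in candump log style, not a real capture.
SAMPLE_LOG = """\
(0.000000) vcan0 7E0#0209020000000000
(0.010000) vcan0 7E8#1014490201314731
(0.020000) vcan0 7E0#3000000000000000
(0.030000) vcan0 7E8#214A433534343452
(0.040000) vcan0 7E8#2237323532333637
(0.050000) vcan0 18DAF110#037F091200000000
"""

def parse_line(line):
    """Return (arb_id, is_29bit, data) from one '(ts) iface ID#DATA' line."""
    can_id, data = line.split()[2].split("#", 1)
    # candump writes 11-bit IDs as 3 hex digits and 29-bit IDs as 8
    return int(can_id, 16), len(can_id) > 3, bytes.fromhex(data)

def reassemble(lines):
    """Return [(arb_id, is_29bit, payload)] for each complete ISO-TP message."""
    pending = {}   # arb_id -> [total_len, next_seq, buffer]
    done = []
    for line in lines:
        if not line.strip():
            continue
        arb_id, ext, data = parse_line(line)
        if not data:
            continue
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0 and 1 <= low < len(data):          # single frame
            done.append((arb_id, ext, data[1:1 + low]))
        elif kind == 1 and len(data) == 8:               # first frame
            total = (low << 8) | data[1]                 # 12-bit length, max 4095
            if total > 7:
                pending[arb_id] = [total, 1, bytearray(data[2:])]
        elif kind == 2 and arb_id in pending:            # consecutive frame
            state = pending[arb_id]
            if low != state[1]:                          # lost or reordered frame
                del pending[arb_id]
                continue
            state[2] += data[1:]
            state[1] = (state[1] + 1) & 0x0F             # sequence wraps 15 -> 0
            if len(state[2]) >= state[0]:                # strip padding past total
                done.append((arb_id, ext, bytes(state[2][:state[0]])))
                del pending[arb_id]
        # kind == 3 is flow control: pacing only, no payload
    return done

if __name__ == "__main__":
    for arb_id, ext, payload in reassemble(SAMPLE_LOG.splitlines()):
        print(f"{arb_id:X} {'29-bit' if ext else '11-bit'} {payload.hex()}")
```

The arbitration ID is only used here as a stream key; as the slide notes, what it encodes (source, destination, message type) depends on the vehicle or standard in use.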


Firmware Reflashing

• SAE J2534
• Intended to allow mechanics to update (“flash”) ECMs without removing/touching them
• “Adding Functionality”
  – Reflashing to remove hurdles
• CAN as a Post-Exploitation Playground
  – Once you’ve connected to the CAN bus, game over. It’s all just details from there.


Voltage doesn’t kill people
Current does.


V2V Communication

• (from Wikipedia)
• Safety
• Traffic management
• Driver assistance systems
• Policing and enforcement
• Pricing and payments
• Direction and route optimization
• Advertising, Travel-related information
• General information services
• Automated highways


V2V

• 802.11ish Wireless Communications (5.9GHz)
  – Between Vehicles on the road
  – “…considerable research…ranging from safety to navigation and law enforcement.”
• PKI and Rolling Certificates
  – Providing “Secure” communications
  – Updated monthly in-transit
• Multiple technologies have been suggested
• My car becomes an attack tool
  – Or grab a recent addition at the junk yard!
• And isn’t this technology supposed to control the steering, brakes, and accelerator!?


Privacy and TPMS

• TPMS sensors represent ISM-band wireless attack vectors directly against the Body Control Module (BCM)
  – But wait! There’s more!
• TPMS Sensors have a pseudo-unique identifier
  – And they broadcast plaintext messages
  – Every 30 seconds or so
  – IMME, RfCat, HackRF or other radio receiver
• Track specific vehicles


The Online Automobile

• Connectedness and its inherent concerns
  – Wifi
  – Bluetooth
  – Internet Uplink
  – “Third-Party Assistance”
  – TPMS Sensors and Receivers
  – Infotainment Systems: the Automotive Tonsils


Chris and Charlie: Friend or Foe?

• Done. Now what?


Paths forward

• Segmentation and Intrusion Detection/Prevention
• Patching Security flaws
• Updates via recall
• Cell
• On-street ISM Wireless
• Significant attention to security in Automotive design and implementation
• Hardware, Firmware, Software, Protocol hackers: GO!


In your playtime…

• CanCat - Hacker tool for controlling/reversing CAN bus messages
• SocketCAN - Linux NIC for CAN
• OpenGarages.org (Craig Smith)
  – Car Hackers Handbook
• CanBusHack.com (Robert Leale)
• iamthecavalry.org/automotive (Josh Corman)


Where have we been

• UW/UCSD research
  – Attack Surface and Attacks on Automotive Components
• Charlie and Chris
  – First showing how to manipulate CAN bus
  – Latest showing One remote exploitation path
• Corey Thuen
  – Progressive Insurance Dongle
• IamTheCavalry
  – Calling Industry to Standards and Ratings


What to expect in the future

• Connectedness is everywhere


What to expect in the future

• Regulation:
  – Will Markey/Blumenthal bill be the end?
  – NERC CIP for Automotive?
• Automotive OEMs and Tier 1 companies
  – Compliance: Likely
  – Actively pursuing Security: Probably
  – Defensible Automotive Design
  – Proactive Product Evaluation/Hacking
• Tier 2+:
  – Tier 1’s and OEM’s pressure, and help to “CTJ”
• Researchers:
  – Diversify, gaining steam (blood in water)
  – Deeper Hacks, more plentiful bounty
  – Closer relationships between researchers and OEM/Tier1’s


What to expect in the future

• Big Business:
  – Capitalizing on your data for $$$ and $$$
  – Insurance companies figuring out how to use tech to reduce their risk
  – In-Car Targeted Advertising
• Sith:
  – Stealing data (you sync your contacts with your car?!?)
  – Auto-worms (Automorphic)
  – Automotive Extortion
  – Exploiting Manufacturers’ Back End systems through Cars
  – “Enemy of the State” style assassination by vehicle.
    • As passengers
    • As targets of compromised vehicles
    • If do right, no can forensicate!


Thank you!

Matthew Carpenter

Principal Security Researcher



Resources

• SocketCAN - ~$110-150 (depends on hardware)
  – http://elinux.org/CAN_Bus
  – https://canusb-shop.com/
• Komodo CanSolo - $350
  – http://www.totalphase.com/products/komodo-cansolo/
• CanCat - $50
  – https://github.com/atlas0fd00m/CanCat
• RfCat - $100
  – https://rfcat.com
• HackRF - $300
  – https://greatscottgadgets.com/hackrf/


Resources

• Wikipedia gets this right:
  – https://en.wikipedia.org/wiki/CAN_bus
    • Look for “Standards” and “Higher Layer” sections
    • ISO 11898
    • ISO 15765-2/4
    • SAE J1939-15
• J1939 Document from Vector:
  – http://vector.com/portal/medien/cmc/application_notes/AN-ION-1-3100_Introduction_to_J1939.pdf
• UCSD research:
  – http://www.autosec.org/pubs/woot-foster.pdf
  – http://www.autosec.org/pubs/cars-usenixsec2011.pdf
• UW/UCSD research:
  – http://www.autosec.org/pubs/cars-oakland2010.pdf
• Legislation:
  – http://www.markey.senate.gov/news/press-releases/markey-report-reveals-automobile-security-and-privacy-vulnerabilities
  – http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/


Resources

• Open Garages – Car Hackers Handbook
  – http://opengarages.org/handbook/
• Progressive Dongle Hack - Corey Thuen
  – http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
• Chris and Charlie
  – http://www.countermeasure2013.com/documents/presentations/Miller_and_Valasek_Adventures_in_Automotive_Network_and_Control_Units.pdf
  – http://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
  – http://illmatics.com/Remote%20Car%20Hacking.pdf