The best car-hacking talks from DEF CON 2019-2020


DEF CON is the world's largest hacker conference, held every year in Las Vegas.
In recent years the topic of automotive security auditing has become increasingly popular.
We suggest you look through the list of talks from the last two years (with a brief description of each) and pick the three best ones that deserve a full translation or digest on Habré first.

Zoz: Hacking Driverless Vehicles
Woody: The Ford Hack Raptor Captor
Lennert Wouters: Passive Keyless Entry and Start Systems
Elijah Roberts: Tell Me Lies Automotive LIDAR and Low Tech
Neiko Rivera: Infotainment Hacking
Victor Murray: Legal Over the Air Spoofing of GNSS and its Effects
Rotem Bar: Hacking into Automotive Clouds
Greg Hogan: Reverse Engineering and Flashing ECU Firmware Updates
Ken Munro: Lojackd pwning car alarms vehicle trackers
Aaron Cornelius: Intro to UDS
Brent Stone: Reverse Engineering 17+ Cars in Less than 10 Minutes
Jmaxxz: Your Car is My Car
Benjamin Lafois: Another Car Hacking Approach
Ben Gardiner: CAN Signal Extraction from OpenXC with Radare2
Jerry Gamblin: So You Want To Hack A Car
Eric Evenchick: Go Hack Cars
Dan Regalado: Meet Salinas, 1st SMS commanded Car Infotainment RAT
Phil Lapczynski: Flash Bootloaders Exposing Automotive ECU updates
Nathaniel Boggs: Automotive Exploitation Sandbox
Ben: Misbehavior Detection in V2X Networks
Ben: When CAN CANT
KEVIN2600: Grand Theft Auto Digital Key Hacking


2020


Zoz: Hacking Driverless Vehicles


Did you watch Total Recall and want to punch Johnny Cab in the face? Driverless vehicles already exist, and they can be hacked. Autonomous and unmanned systems already ply the skies and oceans, and they are being tested on our streets, highways and sidewalks. The trend is clear: a tipping point is coming soon, after which all these devices will become commonplace. That is why now is the time to discuss their capabilities and potential vulnerabilities.

This session is an informative and light-hearted look at the current state of affairs in civilian driverless vehicles, and at what hackers and other miscreants can do with them. It covers the familiar and proposed sensor suites in use, decision-making profiles, and failure-tolerant operating modes that an attacker can abuse. The talk aims both to inspire car makers and end users to think about resilience against attackers, and to give the paranoid false hope that the driverless car revolution can be resisted.



2019


Woody: The Ford Hack Raptor Captor


This talk will show the security protocol vulnerabilities in the new Ford key fobs. Attackers can exploit these vulnerabilities in several ways. The key fob can be disabled without any jamming. The car can also be tricked into resetting its counter to zero; after that, the car can be started and stopped and its trunk opened and closed using a replay attack. To bypass the security system, the master access code on the car's keypad can also be guessed. The talk will also demonstrate how to reset and restore your key fob if it has been hit by a de-authentication attack. We will show a script written with GNU Radio that automates the capture of RF transmissions from Ford key fobs.



Lennert Wouters: Passive Keyless Entry and Start Systems


Our research identified several vulnerabilities in the Tesla Model S passive keyless entry system. This talk is a comprehensive overview of how we reverse-engineered the key fob, the problems we discovered, and a full proof of concept showing that the attack is practical. The proof of concept exploits weak encryption and lets you clone a Tesla Model S key fob in seconds using commercially available equipment. Information from the FCC database suggests that the same attacks can be carried out on vehicles from McLaren, Karma and Triumph Motorcycles, since they all use passive keyless entry systems from Pektron. I will share our experience and describe how we responsibly disclosed all of the findings to each manufacturer.



Elijah Roberts: Tell Me Lies Automotive LIDAR and Low Tech


What will the widespread use of LIDAR in driverless vehicles bring?

Join us to learn how LIDAR works and to examine its attack surface. We will also discuss the development of low-tech countermeasures that make solid objects appear invisible and turn thin air into virtual steel walls.



Neiko Rivera: Infotainment Hacking


We will show the internals of QNX and Android and take a closer look at each system and its unique attributes. We will find common configuration mistakes in Android systems, and also show how to extract data and begin the reverse engineering process (without going deep into reverse engineering of APK files). You will learn the basics of privilege escalation on these systems, which gives you a starting point from which to begin reverse engineering!



Victor Murray: Legal Over the Air Spoofing of GNSS and its Effects


The normal operation of many systems depends on the accurate location information provided by global navigation satellite systems (GNSS). Publicly available GNSS tools have no mechanisms to protect the integrity of this information and are vulnerable to spoofing. U.S. federal law prohibits spoofing GNSS data or other signals over the air, which makes it difficult to assess vulnerabilities outside a closed laboratory environment. This research demonstrated a mobile GNSS spoofing system that allows legal, real-world exploitation of vulnerabilities. The mobile spoofing system was used to assess vulnerabilities in ground-based autonomous vehicles. The GNSS receivers of autonomous ground vehicles were attacked in various ways, including forced lane changes, driving off the road, and stopping the vehicle.



Rotem Bar: Hacking into Automotive Clouds


In this talk, Rotem will share his experience of hacking automotive cloud services, describe the methods he used and what he went after once connected.

Rotem will also talk about the main communication channels he looks for, about supplier integration, and about the differences between conventional and automotive clouds. Next, Rotem will talk about possible targets, including those where the most damage can be done, after which you can jump down the rabbit hole.

In this talk, Rotem will give examples from his own experience:

  • From zero to hero - full backend control, with examples
  • Common failures that let you move between networks
  • The dangers of connected cars - how to take over a car through the cloud




Greg Hogan: Reverse Engineering and Flashing ECU Firmware Updates


Many ECUs do not support reading firmware over CAN, but car makers make mistakes and need to fix firmware bugs, so they release updates that are written to the ECU over CAN. This will be a deep dive into obtaining firmware updates, decrypting them (and modifying them if you wish), and writing the firmware update file to a Honda ECU. Automotive ECU tools come from the Stone Age, so let's update an ECU with a modern web browser!



Ken Munro: Lojackd pwning car alarms vehicle trackers


Our research has shown that direct CAN injection is possible via APIs, and we intend to show this in detail.

Viper alarms use a backend from CalAmp, the manufacturer of LoJack. We show how car tracking devices can be compromised and the recovery of a stolen car prevented.

This research also led us to compromise OEM-approved car trackers and immobilisers. The rabbit hole was very deep.

This is a story of systemic compromise caused by weak platform vendors and outsourced security.



Aaron Cornelius: Intro to UDS


“What is UDS and how can it help me break into cars?”

The purpose of this talk is to give a brief introduction to UDS (ISO 14229), to show its capabilities, to explain why automotive ECUs implement it, and to show how it is useful for breaking into cars. The talk will give examples of using the standard socket interfaces in Linux, as well as CanCat scripts that will help people find UDS devices and services in their vehicles.



Brent Stone: Reverse Engineering 17+ Cars in Less than 10 Minutes


Brent will give a live demonstration of reverse engineering 17 or more unknown passenger vehicle CAN networks in less than 10 minutes using new automation methods. These unsupervised methods are over 90% accurate and consistent on production CAN networks under various driving conditions. He will then introduce the Python and R code he uses for the demonstration. This code is published in a public repository on GitHub at github.com/brent-stone/CAN_Reverse_Engineering, along with an explanation of how it works.



Jmaxxz: Your Car is My Car


For many of us, our car is one of the largest purchases we ever make. In a world where everything is connected to something, it is natural that we would like to monitor our vehicles remotely: reminders of where we parked, checking that the doors are locked, or even remotely heating (or cooling) the cabin before we arrive. Many vendors offer aftermarket alarm systems that provide these conveniences and peace of mind. But how can we be sure that the makers of these systems provide secure digital access to our cars? In his talk, Jmaxxz will describe what he discovered when he looked into one of these systems.



Translation on Habré:



Benjamin Lafois: Another Car Hacking Approach


Cars have had infotainment systems for several years. These systems perform the basic tasks of radio, music, navigation and hands-free calling via Bluetooth, but can also perform more complex functions using wireless connectivity (with cloud-based data processing) and a connection to the car bus. Previous talks have presented some vulnerabilities from the past. This presentation shows a different approach to compromising embedded infotainment systems using software and hardware attacks.

Whereas previous methods focused on the OS and network attacks (access to DBus, telnet, firmware update mechanisms), those vulnerabilities no longer exist, so a new approach is needed: third-party applications. Several layers of protection had to be bypassed, such as multi-level signing (installation package, code signing) and read-only file systems, to name just a few. Post-exploitation analysis showed that the identified vulnerabilities can be exploited on many different cars.

How do you start testing such systems? What steps does it take to compromise an infotainment system, and what vulnerabilities can be found and exploited?



2018


Ben Gardiner: CAN Signal Extraction from OpenXC with Radare2


OpenXC builds its firmware, both closed and open builds, from JSON files that describe CAN signals as a data structure. These descriptions are similar to CAN database files (.dbc). Reverse engineering the open OpenXC builds (as a training example) shows that it is very easy to locate and extract CAN signal definitions from a binary. Participants will learn what .dbc files are, how strings lead reverse engineers to interesting code through cross-references, which tools attackers use to reverse engineer raw binary firmware and how they use them, some simple and useful countermeasures, and how descriptive data structures (JSON in particular) help attackers during reverse engineering, along with options for mitigating the risk. The talk will use the free RE tool radare2 to present the binary code.



Jerry Gamblin: So You Want To Hack A Car


When you start out in car hacking, it can seem like a complex and expensive hobby. In this talk, I will tell you what you need to buy (and what you can probably skip). I will also release a short guide and a script that will help new hackers build a car hacking setup.



Eric Evenchick: Go Hack Cars


Go is a rather elegant language, and it is great for hacking cars. SocketCAN provides an excellent environment for interacting with CAN devices, so why not use it from programs written in Go? We will present an open source Go library that simplifies working with SocketCAN, and show how to work with raw CAN data and ISO-TP. Participants will get all the information they need to hack CAN buses using Go.



Dan Regalado: Meet Salinas, 1st SMS commanded Car Infotainment RAT


Today, any car less than 5 years old comes with an infotainment system: an iPad-like screen. It lets you use GPS navigation, pick your favourite music from your iPod, make or receive calls through the car speakers, or even ask the car to read an incoming SMS message aloud. With self-driving technology appearing everywhere, a microcontroller can no longer handle all of this; an embedded OS is needed to support all these functions. So the world has begun to worry about catching ransomware or info-stealing malware on your car that reads your SMS messages while you drive, or that launches DoS attacks on the CAN bus so the car stops working properly. All these scenarios used to be hypothetical, but now we have taken an infotainment system and reverse engineered all of its main components with a single goal: to infect it with malware that can remotely control the car using SMS messages.



Phil Lapczynski: Flash Bootloaders Exposing Automotive ECU updates


Unified Diagnostic Services (UDS) provides powerful interfaces for automotive diagnostics. OEMs use it to update firmware, manipulate calibration data, send and receive information from automotive ECUs and, more recently, for over-the-air updates. This talk covers automotive bootloaders and explains how poor security design or incorrect implementation decisions can be used by hackers to exfiltrate firmware or gain persistent code execution.



Nathaniel Boggs: Automotive Exploitation Sandbox


The Automotive Exploitation Sandbox is a hands-on educational tool designed to give people with little or no experience an introduction to automotive security, and to let them gain practical experience with the hardware by working through a basic attack sequence against a typical automotive development board. The attack sequence guides the user through remote exploitation, privilege escalation, exfiltration and data modification using artificial vulnerabilities placed on a remote test platform that runs an OS and hardware commonly used in automotive systems.



Ben: Misbehavior Detection in V2X Networks


The scientific literature contains several approaches to misbehavior detection in V2X networks, and many of them fail to take automotive constraints into account. Only a few do, and as far as I know only one approach has been tested in real cars. That approach has its own problems, although it is a very important first step towards full deployment. I will show how this approach (and one or two others) works and how it can be fooled. Although misbehavior detection is an integral part of V2X network security, nobody seems to be concerned about deploying it, and there are still no suitable detection methods. I will offer a hypothesis for why this is so and discuss it with the audience.



Ben: When CAN CANT


A CAN bus has been required in all vehicles sold in the United States since 2008. Yet CAN is weird and scary in its own way. CAN has served as a convenient punching bag for automotive security research for a number of reasons, but all the available analysis tools share one drawback: they invariably use a microcontroller with an integrated CAN peripheral, which automatically handles the low-level communication details (layers 1 and 2 of the ISO model) and ensures that the peripheral behaves well at those low levels. Nevertheless, a good hardware hacker understands that the only purpose of electronics is to obey our will, and the surest way to find bugs is to make what they say “CAN't happen!” happen. CANT is a (partial) CAN bus peripheral implemented in software, which lets security researchers test the error handling of CAN devices at the bus level. The ability to selectively attack specific ECUs in a way that automotive IDS/IPS systems cannot detect (see ICS-ALERT-17-209-01) is invaluable to automotive security researchers as more and more car makers integrate advanced security measures into their vehicles.



KEVIN2600: Grand Theft Auto Digital Key Hacking


The security of car access systems is a frequent topic of discussion. Modern cars use control modules paired with key fobs, which grant access to the car only to authorized users. While it has been shown before that most traditional car key systems are insecure, a new player has entered the game: instead of the usual key fob, some car owners can now access their vehicle using smartphone authentication as a digital car key.

In this talk, we will present research and attacks on one of the digital key systems present on today's market. We will also examine how these systems function and how vulnerabilities can be exploited through various attack vectors, after which we will demonstrate the security limitations of such a system. By the end of this presentation, participants will not only understand how these systems work, but will also learn which tools can be used to achieve our goals.





About ITELMA