automotive security practical guide to car hacking 101 track 2... · socketcan, can-utils, vcan...
Car Hacking 101: Practical Guide to Automotive Security
Yogesh Ojha, Cyber Security Analyst, Tata Consultancy Services, India
https://cyberweek.ae
Goal
The goal of this talk is to help you get started with car hacking fast, easily and cheaply.
This is to help more people clear the entry barrier in car hacking.
More importantly, you will be able to practice all of this in the simulator on your favorite Linux distribution without worrying about breaking your car.
/Users/yogeshojha/HITB> whoami
USER INFORMATION
Yogesh Ojha
From Nepal
Cyber Security Analyst, Tata Consultancy Services, India
Primary research areas include IoT security, hardware hacking and mobile application security
Medium: https://medium.com/@yogeshojha
Agenda
● Introduction to hardware and software systems in a vehicle
● Introduction to vehicle communication network, CAN and ECU
● Attack surface in a vehicle
● DEMO: Sniff and exploit CAN bus on a simulator
● Intro to can-utils and other car hacking tools
● Demo on ICSim
● Further resources you may want to look into
What this talk is not about!
This talk is by no means an exhaustive talk on automotive security; instead, it is a 101 guide to help you get started and clear the entry barrier.
This is not a talk that makes you “Zero to Hero in Automotive Security in X or Y minutes”.
How does a modern car function?
When you are driving a car today, you are driving a hugely powerful computer that happens to have wheels and steering.
Complexity in a modern car
[Figure: chart showing the values 1.7, 6.5 and 100]
Your car is a computer and a network!
A modern car can have as many as 50 ECUs
What/Why Car Hacking? hmmm
History of Car Hacking
Hackers Remotely Kill a Jeep on the Highway—With Me in It - July 21, 2015
We Drove a Car While It Was Being Hacked - May 19, 2014
Identifying attack surface
Ask yourself these questions before identifying the attack surface:
▪ Figure out the signals the vehicle receives: radio waves, key fobs, distance sensors, etc.
▪ Is there a physical keypad?
▪ Any touch or motion sensor?
▪ Any diagnostic ports? OBD-II?
▪ Is there an infotainment system? Does it use Bluetooth?
Find out the many ways that data can enter a vehicle. Ask yourself: what if the data is malformed? Does the system still function, or will it stop responding or simply crash?
Attack surface on a modern vehicle
Attack surface on a modern vehicle - Bird’s Eye view
Source: Car Hacker’s Handbook
Network within the Car
▪ The CAN Bus
  • Released in 1986, mandatory from 2008
  • Runs on two wires: CAN high (CANH) and CAN low (CANL)
▪ The SAE J1850 Protocol
  • Developed in 1994
  • Older and slower than CAN
  • Much cheaper than CAN
▪ The Keyword Protocol
▪ The Local Interconnect Network Protocol
  • Cheapest among all
  • Complement to CAN
▪ The MOST Protocol
  • Designed for multimedia services
▪ The FlexRay Bus
  • High-speed bus, up to 10 Mbps
  • Used for time-sensitive communication
  • More expensive than CAN
▪ Automotive Ethernet
  • Cheaper alternative to MOST and FlexRay
The CAN bus
Controller Area Network
Released in 1986 by Bosch
Central Nervous system that allows communication between all/some parts of a car
ISO 11898 defines CAN for Automotives
Runs on two different wires CANH and CANL
Every vehicle released after 2008 must have CAN
Typically more than one CAN bus on a modern car
Tesla Model S has 6 of them
With and Without CAN
But, why CAN bus?
● Really cheap to implement
● Reliable
● High resilience to noise
● Reduced wiring
● Efficient
● Mandated by law
CAN Bus explained
[Figure: CAN bus connecting Airbag, Engine, Transmission, Infotainment, Dashboard and Door System]
CAN data frame
CAN message Identifier
Lowest ID = Highest Priority
Airbag, ABS - Very High Priority, Lowest ID
Door Lock, Infotainment - Low Priority, Highest ID
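How "lowest ID wins" falls out of the bus itself, as an added example that is not part of the original slides: a 0 bit is dominant and overrides a 1 on the shared wire, so a sender that transmits 1 but reads back 0 stops transmitting. The ECU names and IDs below are constructed for illustration.

```python
# Added illustration of CAN bitwise arbitration; ECU names and IDs are constructed.

def arbitrate(senders, id_bits=11):
    """Simulate arbitration among ECUs that start transmitting at the same time.

    senders: dict mapping ECU name -> arbitration ID (all IDs distinct).
    Returns (winner, losses); losses maps each losing ECU to the ID bit
    position (0 = most significant bit) at which it backed off.
    """
    if not senders:
        raise ValueError("at least one sender is required")
    if len(set(senders.values())) != len(senders):
        raise ValueError("two nodes must never transmit the same ID")
    for name, can_id in senders.items():
        if not 0 <= can_id < (1 << id_bits):
            raise ValueError(f"{name}: ID does not fit in {id_bits} bits")

    active = dict(senders)
    losses = {}
    for pos in range(id_bits):                 # the ID is sent MSB first
        shift = id_bits - 1 - pos
        sent = {name: (can_id >> shift) & 1 for name, can_id in active.items()}
        bus = min(sent.values())               # wired-AND: any 0 pulls the bus to 0
        for name, bit in sent.items():
            if bit != bus:                     # sent recessive 1, read dominant 0
                losses[name] = pos
                del active[name]
    (winner,) = active                         # exactly one sender is left
    return winner, losses


# Constructed IDs following the slide: safety ECUs low, comfort ECUs high.
SENDERS = {"airbag": 0x050, "abs": 0x0A0, "door_lock": 0x400, "infotainment": 0x5F0}

if __name__ == "__main__":
    winner, losses = arbitrate(SENDERS)
    print("winner:", winner)
    for name, pos in sorted(losses.items(), key=lambda kv: kv[1]):
        print(f"{name} backed off at ID bit {pos}")
```

The losing ECUs are not dropped; they retry once the bus is idle, which is why a continuous stream of low IDs delays everything above it.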
CAN message structure
ID     Byte 0  Byte 1  Byte 2  Byte 3  Byte 4  Byte 5  Byte 6  Byte 7
0x111  0x0B    0xB8    0xED    0xAB    0xEF    0xEE    0xDC    0xAB
Engine RPM: 0x0BB8 = 3000
Engine Control Module
Instrument Cluster
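Added example (not from the original slides): parsing one line in the log format written by `candump -l` and pulling the RPM value out of the frame shown above. The big-endian layout in bytes 0-1 follows the slide's 0x0BB8 = 3000; the timestamp and the `vcan0` interface name are constructed.

```python
# Added example: parse a candump log line and decode the RPM signal from the slide.
import re
from typing import NamedTuple


class Frame(NamedTuple):
    timestamp: float
    iface: str
    can_id: int
    extended: bool      # True for 29-bit IDs (8 hex digits in the log)
    data: bytes


# "(seconds.micros) iface ID#DATA" with a 3- or 8-digit hex ID and 0..8 data bytes.
_LINE = re.compile(
    r"^\((\d+\.\d+)\)\s+(\S+)\s+"
    r"([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#((?:[0-9A-Fa-f]{2}){0,8})$"
)


def parse_candump_line(line):
    """Parse one classic CAN data frame; remote and CAN FD frames are rejected."""
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a classic CAN data frame: {line!r}")
    ts, iface, ident, payload = m.groups()
    return Frame(float(ts), iface, int(ident, 16), len(ident) == 8,
                 bytes.fromhex(payload))


def decode_rpm(frame, rpm_id=0x111):
    """Return the RPM carried in bytes 0-1 (big-endian), or None for other IDs."""
    if frame.can_id != rpm_id:
        return None
    if len(frame.data) < 2:
        raise ValueError("RPM frame is shorter than 2 bytes")
    return int.from_bytes(frame.data[:2], "big")


# Constructed log line carrying the frame from the slide.
SAMPLE = "(1600000000.000000) vcan0 111#0BB8EDABEFEEDCAB"

if __name__ == "__main__":
    frame = parse_candump_line(SAMPLE)
    print(hex(frame.can_id), frame.data.hex(), "rpm =", decode_rpm(frame))
```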
What does a CAN message actually look like?
Journey so far...
What’s Next?
How do I access the CAN Bus?
OBD-II Port
Getting on the CAN Bus
The OBD-II Port
● Found on vehicles after 1996
● Included in all modern cars
● Mandated by government for emission testing
● Direct access to CAN bus
● Standard pinout: pins 6 & 14 for CAN (CAN High and CAN Low)
● Direct communication on the CAN bus
The OBD-II Pinout
Hardware/Software Needed
Hardware
● USB to CAN/CAN to USB
Software
● Read/Write CAN packets
● Encode/Decode CAN packets
OBD-II connectors - CAN Hardware
Hardware
● Kvaser $$$$
● EMS Wünsche $$$$
● Macchina M2 $$$
● Korlan USB2CAN $$
● ELM327, Terrible $
CAN Software
● SocketCAN, can-utils, vcan
● Wireshark
● CANard
● carloop
SocketCAN
● CAN to LINUX/UNIX Network Interface
● Comes pre-packaged with Linux Kernel
can-utils
● candump: display, filter and log CAN data to files
    candump can0
● canplayer: replay CAN log files
● cansend: send a single frame
● cangen: generate (random) CAN traffic
● cansniffer: display CAN data content differences
Demo #1
can-utils
Myth or Fact: Entry barrier for Car/CAN hacking is high
● Myth:
  ○ You would need to have a car to learn CAN hacking
  ○ You don’t even need to have a car to learn CAN hacking
● Myth:
  ○ You would need many expensive software toolkits
  ○ You have many open source tools to use for free.
● Fact:
  ○ You would need an expensive hardware kit for CAN hacking.
  ○ Partly true, devices like USB2CAN can be pretty expensive sometimes.
ICSim: Instrument Cluster Simulator
By OpenGarages
Requires:
● SDL2
● SDL2_image
● can-utils
Open source GUI toolkit for car hacking
Created by car hacking researcher Craig Smith
Includes:
● Dashboard with speedometer
● Door lock
● Turn signal indicators
● Control panel to interact with the simulated automobile network
  ○ Apply acceleration, brakes, control door locks, and turn signals
General methodology for CAN hacking
● Access to CAN Bus
● Sniff the packets
● Reverse engineer the CAN packets
● Identify the arbitration ID
● Replay!
Setting up the ICSim
Installing dependencies
$ sudo apt-get install libsdl2-dev libsdl2-image-dev
Install can-utils
$ sudo apt-get install can-utils
Download ICSim
$ git clone https://github.com/zombieCraig/ICSim.git
Demo #2
ICSim
Fun tip! DoS Your Car!
You know lowest ID wins
Lowest ID has highest priority!
while(1){
    send_can_packet_in_id_0(XX);
}
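From the monitoring side, such a flood has two visible effects: one ID arriving at an abnormal rate, and lower-priority IDs going quiet because they keep losing arbitration. The following added example (not from the original slides) flags both against a baseline learned from a clean capture; all frames, IDs, the window size and the threshold are constructed.

```python
# Added detection sketch; frames are constructed (timestamp_ms, can_id) tuples.
from collections import Counter

WINDOW_MS = 100


def per_window(frames):
    """Count frames per (window index, CAN ID)."""
    return Counter((ts // WINDOW_MS, can_id) for ts, can_id in frames)


def learn_baseline(frames):
    """Peak frames-per-window for every ID seen in a known-good capture."""
    peak = {}
    for (_, can_id), n in per_window(frames).items():
        peak[can_id] = max(peak.get(can_id, 0), n)
    return peak


def detect(frames, baseline, factor=3):
    """Return sorted alerts as (window_start_ms, can_id, reason)."""
    counts = per_window(frames)
    alerts = []
    for w in sorted({win for win, _ in counts}):
        seen = {cid: n for (win, cid), n in counts.items() if win == w}
        for cid, n in seen.items():
            if cid not in baseline:
                alerts.append((w * WINDOW_MS, cid, "unknown ID"))
            elif n > factor * baseline[cid]:
                alerts.append((w * WINDOW_MS, cid, "rate above baseline"))
        for cid in baseline:
            if cid not in seen:        # periodic sender never won the bus
                alerts.append((w * WINDOW_MS, cid, "expected ID silent"))
    return sorted(alerts)


def periodic(can_id, period_ms, start, stop):
    """Constructed traffic: one frame every period_ms in [start, stop)."""
    return [(t, can_id) for t in range(start, stop, period_ms)]


# Clean capture: 0x111 every 10 ms, 0x244 every 50 ms (constructed).
CLEAN = periodic(0x111, 10, 0, 1000) + periodic(0x244, 50, 0, 1000)
# Constructed incident: ID 0x000 occupies the bus from 400 to 600 ms and the
# periodic senders are modelled as starved for that interval.
INCIDENT = (periodic(0x111, 10, 0, 400) + periodic(0x244, 50, 0, 400)
            + periodic(0x000, 1, 400, 600)
            + periodic(0x111, 10, 600, 1000) + periodic(0x244, 50, 600, 1000))

if __name__ == "__main__":
    for start, cid, reason in detect(INCIDENT, learn_baseline(CLEAN)):
        print(f"t={start} ms id=0x{cid:03X} {reason}")
```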
Thanks & Further Reading
Car Hacker’s Handbook - Must read
More on can-utils & SocketCAN
OpenGarages
Charlie Miller & Chris Valasek's research