STRIVE 2018, VÄSTERÅS, SWEDEN
Towards an Integrated Penetration Testing Environment for the CAN Protocol
Giampaolo Bella and Pietro Biondi
Automotive communication domains
Vehicle to Vehicle
Vehicle to Infrastructure
User to Vehicle
Intra-Vehicle
FOCUS!
Controller Area Network
The Controller Area Network (CAN-bus) provides:
● Serial communication protocol
● Message anti-collision protection
● Error detection
PROBLEM: it does not provide authentication or confidentiality
Instrument Cluster Simulator (ICSim)
It works on Linux and requires the configuration of a virtual CAN interface through the following commands:
sudo apt install can-utils
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
MAX: speed up to 100 MPH
Kayak
ID[hex]   DLC   DATA[hex]        Device       Values
19b       3     00 00 00         doors        1 / 2 / 4 / 8
188       3     00 00 00         blinkers     1 / 2
244       5     00 00 00 00 00   tachymeter   00 00 .. 01 5D
Send the hex value (e.g. 99 99) to the tachymeter. Then we can observe the maximum speed reached.
cansend vcan0 244#0000009999
The aim: understand which frame IDs are associated with which device of the car.
Towards the Integrated Pentesting Environment
STEP 1: preparation of a machine to simulate the victim system
Install ICSim Vulnerable server
STEP 2: automation of the pentesting experiments using an exploit for Metasploit Framework
244#0000009999
19b#00000F
188#030000
crazytachymeter.rb
Post exploitation:
1. Open FILEMAP:
   a. read and save all CAN frames in an array
2. Infinite while loop. Flooding CAN-bus
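A defender-side check for the traffic described on the Kayak and STEP 2 slides, as an added example that is not from the slides or the Crazy-Tachymeter repository: it parses `candump -L` log lines and flags frames whose DLC or value falls outside the Kayak table, or whose per-ID rate exceeds a baseline. The value byte positions (inferred from the three frames above), the baseline of 20 frames per second and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# From the Kayak slide: ID -> (device, DLC, value byte slice, highest listed value).
# Byte positions are inferred from the frames on the STEP 2 slide (assumption).
KNOWN = {
    0x19B: ("doors", 3, slice(2, 3), 0x0F),
    0x188: ("blinkers", 3, slice(0, 1), 0x03),
    0x244: ("tachymeter", 5, slice(3, 5), 0x015D),
}
LINE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3})#((?:[0-9A-Fa-f]{2}){0,8})$")

def parse(line):
    """Parse one `candump -L` line into (timestamp, can_id, data bytes)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump -L line: {line!r}")
    return float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def inspect(lines, max_per_second=20):
    """Return a sorted list of (can_id, reason) findings for a capture."""
    findings, recent = set(), defaultdict(deque)
    for line in lines:
        ts, can_id, data = parse(line)
        if can_id not in KNOWN:
            findings.add((can_id, "unknown id"))
            continue
        device, dlc, where, highest = KNOWN[can_id]
        if len(data) != dlc:
            findings.add((can_id, f"{device}: unexpected DLC {len(data)}"))
        elif int.from_bytes(data[where], "big") > highest:
            findings.add((can_id, f"{device}: value out of range"))
        window = recent[can_id]          # timestamps seen in the last second
        window.append(ts)
        while ts - window[0] > 1.0:
            window.popleft()
        if len(window) > max_per_second:
            findings.add((can_id, f"{device}: rate above baseline"))
    return sorted(findings)

# Constructed capture: 10 Hz tachymeter traffic, one door and one blinker frame,
# then the slide's 244#0000009999 frame repeated at 1 ms intervals.
SAMPLE = [f"({100 + i / 10:.6f}) vcan0 244#00000000A0" for i in range(10)]
SAMPLE += ["(100.950000) vcan0 19B#000001", "(100.960000) vcan0 188#010000"]
SAMPLE += [f"({101 + i / 1000:.6f}) vcan0 244#0000009999" for i in range(30)]

if __name__ == "__main__":
    for can_id, reason in inspect(SAMPLE):
        print(f"{can_id:03X}: {reason}")
```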
STEP 3: include the exploit in the Metasploit Framework
PATH: modules/post/hardware/automotive/
Options for Metasploit: FILEMAP, INTERFACE, SESSION
STEP 4: exploitation through Metasploit
https://github.com/pietrobiondi/Crazy-Tachymeter
Download and Improve the Pentesting Environment
The exploit is currently subject to a Metasploit pull request
Conclusion
Future Work
❏ Upgrade of ICSim: make it more compliant with the real world
❏ Improvement of Integrated Pentesting Environment
❏ Write new exploits for CAN-bus
❏ Accumulate all exploits in the Metasploit Framework
❏ Define cryptographic tools to obtain confidentiality and authentication
Thank you for your attention
STRIVE 2018, VÄSTERÅS, SWEDEN
Pietro Biondi
www.pietrobiondi.it
Giampaolo Bella
www.dmi.unict.it/~giamp/
Q&A