
ECUs, they're responsible for braking or power steering, displaying, so if they're going to dashboard, and they know how to do that, and they know what messages they should send and receive, and there is no master saying, "Wait, should this component really be talking to that component?" Making that worse is the fact that the way the CAN protocol works is there is a destination address only in the packet. You'll see that when we look at the protocol a little bit. So if the braking system sends out information onto the CAN bus, it goes to every single component that is attached to that same CAN bus, and all it has is a destination address, and whatever has
that address is expected to handle that message. But there's no source address, so it has no way of knowing where that message came from. It could have come from the braking system, which is where it's expecting it to, or it could have come from your device that you plug into the OBD-II port, or could come from anywhere else. So no authentication, very promiscuous protocol. Every packet generally goes to every device; they're supposed to ignore anything that's not either broadcast or addressed to them, but they don't have to. Yes? Has this changed much? No, not at all. CAN was created by Bosch maybe in like the seventies or eighties.
The only thing they've really done is they've layered stuff on top of it to make for longer messages and things like that. So originally there's only 11-bit CAN identifiers; now it's 11 or 29 bit. There's some of the protocols that actually push a bunch of CAN frames together to form bigger packets; that's kind of like you take your Ethernet frames and put together your IP packet. But the underlying protocol, no, hasn't changed. There's discussions that it should be changed, but you know, there's also problems, because this was built for speed, right? And in a lot of cases speed is more important than security in the car. If a message is going to your brakes to say
"hit the emergency brakes, my collision detection system saw something," it might be more important to get that message there, not check whether it came from a valid source. So they tended to, I won't even say they prioritized safety over security, it's more that they didn't really think about security, and they didn't used to have to kinetic the inside of the cars I'm messages like this. So this is a standard CAN frame. You have to memorize all that in 30 seconds or you can't you glad ya. Hey, um, the vast majority of this you're not going to see in most CAN packets, so in a minute here I'll go through times of typical CAN packets and it will make
a lot more sense, because it seems very imposing, especially because the fields in the protocol don't line up necessarily on byte demarcations, boundaries. So let's say if you're looking at hex, it might say you something they repel ok and read that, but really that's two totally different fields that just happen to be translated to hex that way. But it's usually not as complicated as this would make it seem. So SocketCAN is something that was written, I think by Volkswagen, to allow Linux to talk to CAN controllers, and it basically fits in kind of here. The applications can talk to a socket just like they're talking to any other UNIX socket-based program, TCP/IP stuff or whatever. There's drivers
built into Linux now that support this, and then SocketCAN does the necessary magic to take it from a UNIX socket to something that can be others I can control. You need a hardware CAN controller to actually talk to other CAN hardware, because the Linux kernel doesn't do timing right for some reason, so you do need some sort of chip in there to translate to CAN and talk to an actual car or something. But we've got some software that John can talk about the contain can't message it isn't big cars and things like that. So I want to go a little bit more into details of how the CAN protocol works. Like I
said, every CAN frame is just a message that gets sent out into the entire CAN bus. It's got only an identifier as far as where it's going. The most common kinds of CAN messages, and the ones that you'll see the most in the dump that's included on your virtual machine, are diagnostic trouble codes. So this is what mechanics are looking for when they plug in one of their devices. It sends a request; the first request it sends is what diagnostic trouble codes do you support, and then what are the values. And those are going to be engine RPM, oxygen levels, current gas mileage, dozens, probably hundreds, of other ones. And so this is request-response. The reason I bring this
up is a lot of people say, "Well, why can't they just make this little port in your car read-only?" Because that's not how the protocol works. You have to be able to send a request for the data in order to get the data back. So there's a lot of people that are now saying, "Oh, car cybersecurity, that's a good market, we're going to sell something that's read-only, and that way people will be protected." Snake oil. It will not work. Your car could not meet emissions testing and stuff like that if you cannot write to the port. So as an example of a diagnostic trouble code request and response, what you might have is 70 0; that is the CAN identifier
of what is supposed to respond to this request, 0 1 and 0 0. All this is, is: 70 0 is the target, that's the CAN identifier; mode 0 1, there's six different modes that diagnostic trouble codes can be in; and then 0 0 is an option, and all it says is "give me all PIDs that are supported by this car." So the reply that you would get to that is 78; it increases by eight just so you know that it's a response. Then it increases the mode by 40 so you know again which mode it's talking about, so you can kind of match up responses and requests. 00 is the function that you
asked for, and then you would see a 400ex data, probably in multiple CAN frames, saying which PIDs are supported on that car. Again, we'll see an example of that later on if we look at the CAN dump. So that's diagnostic trouble codes. Those are relatively benign; they're just asking for data, they can't really do anything. I think the only thing that they can really change is they can turn on and off the malfunction light, the little check engine light, so there's a DTC that can clear that light, but it can't really do anything to your car. Unfortunately, there's all this other CAN traffic which can do things to your car and has virtually no standardization, because every manufacturer does it
completely differently. Usually what you'll see is something like this example down here. It's pretty similar but a little bit different. this is a basic royalties, and as you can see, all those fields that you saw two slides ago, most of that is not in most CAN frames. So this is a simple request. This is using a 29-bit CAN ID, so 24 e 0 and I 7s the target that is supposed to respond to this CAN packet. The three is just, it's a three-byte data length, and then 00 01 FF. Sent to that address, my Chevy Volt unlocks all the doors. So that's a nice simple CAN command, but that's an example of what
CAN commands are flying through your car, thousands per second, all the time. So John is going to go into the software, hardware, the things to play with some of this stuff, but before I do that, does anybody want to ask questions of the not-very-expert CAN person who's standing in front of them? Yes? So this car hacking thing has become more popular in like the past two or three years, so this has been around for quite a while, what's the past 17 years, why was there not car hacking then? Because of this: because before there was no connectivity outside of the car. People could only connect to the CAN bus via serial, via USB. In
recent years, now there's Wi-Fi, Bluetooth or cellular. There's the infotainment system in the dashboard; it almost always has a cellular chip nowadays. So now cars can be accessed from outside the car, and in the worst case, over the internet. You know, so at the g-pack we found seven hundred thousand cars exposed on the internet that they can get to that overboard just over the GSM p.m. so that's the compliment oh good. And it's going to get worse, because they're starting to build these vehicle-to-vehicle and vehicle-to-infrastructure mesh networks. So as you're driving down the road, like if you're going to construction, the construction sign is going to send your
car a message saying, "Hey, slow down, because you're coming up to a construction zone." So that's adding another radio, called digital short range, dedicated short-range communications, and so that's another radio where you have access from outside the car. so it's only in your worst trial. I am working with a bunch of groups who are trying to make things better, by the way, I say department transportation and stuff like that, so there will be improvements, but right now we're kind of a vision telling us. What about more automated, like Google's self-driving car? Does it still follow the same procedure here at onboard processor that? Oh, so the question was, in, like,
the Google self-driving car, is there more of a centralized brain? And my guess is yes, but I don't know for sure. I would think there's something that's taking all that sensory input and making smart decisions based on a variety of input, but I don't know the details of how it works. I'm guessing Google is also upgrading that to things beyond CAN; they're probably using FlexRay on what we have that. So we can drive down to the Bluebird APC center and see if you can draw any secrets out of you who want to go yeah you could talk to me out of me no someone who's working on to accept our cars okay so these will work on our
self double car cactus grapes plus my honey Google self-driving car. All right, if there's no other questions, I'll turn it over to John; he can tell us about all the toys for this. So I'm just going to really briefly talk about some of the software and some of the hardware that's kind of involved with doing this sort of work, mostly focused on things that we're going to work with in the lab tonight, but there's also a couple additional toys to play with after the lab. So first off, I'm going to kind of separate this between command-line and GUI software. So on the command line, this is kind of the de facto standard, right? can-utils is an
awesome package. It's SocketCAN userspace utilities and tools, and it includes like a dozen or more different command-line tools to do different things, right? So you can see cansend, send a packet over the CAN bus; cangen, generate frames, CAN frames to go onto the CAN bus, and that's a little bit closer to fuzzing; candump, cansniffer, pretty much what they sound like is what they are. And in the lab tonight there's a couple different ways of using these tools, and there's a bit of an explanation around this. There's also canmatrix, which, so there are these things called DBC files, which are essentially these, like, manufacturer-proprietary
files on how to format frames on the CAN bus, and they're proprietary, right? So they're expensive, they can't be purchased. These are usually accessed and used by people that are going to be maintaining your car, you know, mechanics or those sorts of people. But there have been periods where those essentially get released, and there are different formats aside from DBC which people like to use. So this tool is pretty solid at changing between like six different formats, and the most prominent one that I found is the Kayak, there's a Kayak format. Essentially this CANBabel is the same thing as canmatrix, except it only goes DBC to the Kayak, so canmatrix
definitely appears to be more flexible in that regard. There's also socketcand and CANiBUS, and so I'm just going to kind of buzz through these really quickly, but what's cool about socketcand is it allows you remote access to a CAN network. So say I have my laptop and it's connected to a car, and there's a network interface where this is like on the Wi-Fi or something; I can go to another device and send network packets to my box, and it will then relay them on to the CAN and then relay the responses back. And this isn't just good to get more remote access, but it also
gives you many-to-one access. You have six people accessing that one CAN bus, and if I had more time and money, that's the kind of thing that we would have been doing tonight with a car parked outside. I could have just bought a car and put it up there. You know, that's essentially the tool that I'll be using, and the tool that I've seen mentioned a lot of times in different papers, to get that many-to-one access to the CAN bus, and CANiBUS can do something similar. So like I mentioned, there's a couple GUI-based software apps, so Kayak, the CANtact app, and CANBus Triple, where the first couple I'll talk about,
Kayak, it will do some really cool, like, overlays on maps, GPS information, and pretty much what you'd expect to view what's happening in a car, right? It's going to take the CAN information and just throw it out on a couple different plots and different graphs. The CANtact app, pretty similar, you can receive a new host also report. CANBus Triple, I haven't played with this, but I wanted to give this kind of an honorable mention, because there's also a hardware platform behind this, which I'll show you a little bit later. It's pretty cheap. I had money would actually buy one yet, but
I've been waiting for them to come back in stock so I can buy it. I was hoping to have one for tonight. But it has a pretty solid community around it, and the app, from the screenshots and the website, looks pretty spectacular, so I'm just going to give it that one honorable mention. And then Wireshark, you know, everybody's tried and true, you've gotta love Wireshark. Yes, it can do CAN. So yeah, you can just monitor a CAN bus, you can record with it, you can do all kinds of cool stuff, and that's above the lab. And then there's ICSim, which is an instrument cluster simulator, which I thought was really cool, because it shows you an instrument cluster to show, like,
your speedometer, right? And then there's a control for that, and you can actually plug in, like, an Xbox controller and actually control things, you know, accelerate, accelerate, turn left, turn right. And that's cool, you know, you can make the dials change on the instrument cluster, but what's more cool is if, at the same time that you're doing that, you open up candump or something and you monitor the CAN bus, you can actually see that this isn't just making it move by a little bit, it's actually sending those CAN packets, the CAN frames, onto the bus and then pulling them back off. So you can monitor all the stuff, you can do replays, you can see
what would happen to an instrument cluster if you were to fuzz it, right? And there's also another tool which I didn't mention but is in the lab, called vircar, virtual car, and in that case you can actually blow up the engine if you send it the right CAN frames. So it's kind of another way to illustrate, you know, what can happen if you actually plug in to a CAN bus. And so I'm going to talk about some hardware here. I have a couple examples with me. So this is a CANtact; that's a picture of one, this is one in real life. It works pretty well; it works pretty well as in compatibility
wise. I have heard comments that it may have a significant drop rate, so you may have to do things multiple times, and it may be somewhat unreliable. But it has a couple cool features, which, we'll release the slides, if you click on that link, you know, you can find where i was able to find anything on the website about these extra features, but that's a presentation, and it goes to a point every station where he talks about a Star Trek place. And there's things on here like resistors to terminate the CAN bus, which is cool, so you don't actually have to have a terminated CAN bus, this can terminate for you. And these things right here actually allow
you to reconfigure the pinouts for the DB9. So if you know much about serial connections, there's multiple ways to pin these things out, and if you have just a regular serial cable like this, you know, it can have a variety of different ways those pins can connect to the CAN, and that allows you to configure it, so whatever setup you have, you can make it work with that, which is really cool. Again, so this is the CANBus Triple. its honest on the price might have actually dropped 2 i'm not sure, but it looks like that. There's also an aluminum case one, and there's a pretty big community around it; the applications and stuff go pretty far.
It's very interesting stuff. And then, this isn't really hardware, but I wanted to mention The Car Hacker's Handbook. So I know at least one or two people in this room have read this or parts of it. This is to be given away, right, prove yourself, that's all I got. The second you can show us something interesting, you can have this book, or your strong amount of interest in the topic, and have that book. But yeah, so it's 49.95, you get the print book and you'll get the ebook as well, and if you just spend the 40 bucks you just get the ebook. So you can have the paper version for proving
yourself, or you can just go to car hacking on the starch. Any questions about the hardware, software? I didn't cover that much, but a lot of that sort of stuff, you're going to get hands-on with it, we'll do that on the web. Oh, you know what Syria week is both to configure the interface board, you guess? Oh, you essentially, yes. Yeah, so there are some tools that would just, like, kind of round-robin and just go from one to the other, like go to 500k, 125k, and you know, whatever all the numbers are. You pretty much guess. Yeah, so that's pretty much what I did network collinar. It's unfortunate that it has to be
that way. A lot of this stuff is actually that way. If you want to figure out what CAN message does what on the CAN bus, and we'll actually try to do a little bit of a demo of that later, you're going to trial and error and filter through a bunch of stuff on the bus, because it's very, very noisy. You can see that if you look at the CAN recording and also the CAN replay stuff. So the lab, just a couple quick discussion. So we got a couple people that came in late. Does everybody have the VM? If you don't have a VM, put your hand up. Two people, OK. So there's a USB charge of that. Yeah, OK, can
we please get that to them? I have a bunch more. it's also on a sip share st s of T feeds on the internet; I tried to make it as available as possible. Let me know if anybody has any issues with the VM as well; we're used to having issues. You're good? OK, good. Use VMware Player. Use VMware Player. hey bebeh he was using VirtualBox that issues of people every virtual box of success, but VMware Player seems to be a constant. yes because second USB stick all of those have alum your son. So there's a couple objectives for what we're trying to do with the lab. So there's three main things. First one I found a set of the vm
that you can use to interface and write to a CAN bus, read from a CAN bus. So pretty much all of the lab is for virtual CAN, but it translates one-to-one; you know, instead of vcan0 you do can0, and it's pretty much the same thing, as long as you have, as we talked about earlier, your baud rate set up correctly. We also want to kind of amira also going to that we can familiarize ourselves with some fundamental CAN tools, the SocketCAN suite that I mentioned earlier, a couple of the GUI tools, that sort of thing, and then interface with a virtual car CAN bus. So there is a virtual car that you
can pipe that will make a vircar interface, and you can send things to it as if it was an actual car, and you can see what happens. You can fuzz it without worrying that you're going to break the car, blow up an engine. So lab setup: I suppose you guys already have this because you have the VM, the VM is right there, but if you don't, you can just run this command if you have git, and then you'll just have to cd into the lab, run kickstart and run git pull. So there's been a couple additions to the GitHub repo, the branch, since I made the VM, so I made the additions today. So
if you do this, if you run these three commands, then you'll get the most updated version. Also the kickstart script is kind of nice because it'll set up things like your interface; it'll set up the interface if you have physical or virtual. I'm assuming most people are going to do virtual. so whatever it says on your news Hardware they know they're young, it'll set up everything for you. If you get some error message, just let me know, but at the end it should say, you know, you're good, you know, you got through all these steps and it's successful. Again, the username is car hacks ajx pebble TX and ssw 0 rd the password; that is also up there in the
top right if you forget, or you can ask. So I will go back to the slide in a second so that you have this as a reference, but the stages: log in, go to Desktop, lab, and then setup, script, kickstart, and that should take a few minutes. So there's three main folders within here; I just want to talk about them briefly. Setup: so the setup directory is where the scripts are to set this up. If you were to just download a plain-Jane Kali VM, 2016.1, and you run that, it'll take like an hour and a half, but it'll set everything up, compile things, it'll do the Maven setup, everything
will get set up, and it will tell you if there's errors. Tutorial: so here's where the actual labs are. There's the beginner ones and intermediate ones; there are read-only ones and write ones. The reason why I split that up is because if you actually wanted to do this on a car, just follow, you know, you could, with caution, you know, and I make no decree that this will not hurt your car, so you know, this is of your own volition. But presumably the read-only stuff wouldn't cause damage to the CAN bus or to the car. And external: so I linked to a bunch of external projects, I just put them under one folder. Those are all submodules in
git, so whenever you're pulling it you have to make sure you have that --recursive, or else it would be empty. So that is all I've got. So I am going to leave this slide up, pause the recording, and kind of come around and help people with this lab. If people seem to be having a tough time with it, I can do some demonstrations on the actual VM; I have it all set up here. And then, you know, maybe in a little bit, I don't know how long, but Dan will be able to set up, show us a bit of an upgrade. OK, yeah, we get to go outside to my car, do
it. Yeah, it's going to be like an up-close-and-personal, outside, hopefully it's not raining, I don't think it is, demonstration. So anyways, that's about it. I'm going to be walking around; let me know if you guys have any issues or questions or concerns.