
session v v. So, coming up: Ravi Rajput, who is a renowned figure in the field of vulnerability research and exploit development, with a particular emphasis on Intel and ARM processors. Over the past 8 years and more he has dedicated his skills to enhancing the safety of automotive systems by identifying and rectifying system vulnerabilities and vulnerability research, as one of our esteemed speakers at BSides Mumbai 2024. Among his many notable accomplishments, his presentation at Black Hat Asia 2023 stands out prominently. This prestigious event saw the launch of AutoHack OS, a uniquely conceived system specifically aimed at probing car security. This further consolidates his stature as a prominent authority in the industry, particularly in Sp of vulnerability research. Give a round of
applause for Ravi Rajput sir. [Applause]

Hello, am I audible? Yeah, thank you. So, okay, so, uh, welcome to BSides Mumbai, welcome to R Auditorium. So this is a theater, right, and my mom would be proud. So let's start the, uh, V2X exploitation. Uh, hi, I'm Ravi Rajput, and since like few years people call me as a frustrated researcher. Okay, so I'm a security manager at reactor. Uh, I had been, uh, working in binary exploitation, kernel exploitation as specific, uh, AI/ML security, which I had started, uh, few months back, uh, automotive and telecom exploitation. Uh, I am xn Amad chapter lead. Uh, I'm author and project lead of AutoHack OS, which is an operating system for your automotive
security, vehicle security. Uh, I am a training author at Auto saac Pro, which is available on PenTest Mag, uh, and Hakin9. I had been speaker at Black Hat Asia 2023, Nullcon, heatcon, rudon, B Delhi, Maharashtra, Amdavad, Indore, Bounty Bash, United con and lot more. Okay, uh, I'm a core team and organizer of Telecom Security Village in DEF CON US. Uh, I had launched a SEI, uh, platform, which is, which is like AI versus AI, and it uses AI to hack your implemented models. I do blog at v2x exploit. sh, and I'm a trainer, speaker and mentor. Excited? All right, know I think what I do for my living: I crash the car. Okay, okay, so, uh, this is my, like, you
know, we are moving towards a world of autonomous vehicles, where you don't need a driver to drive the car, right? If you don't have a human to drive the car, what will drive the car? Software. Where there is a software there is vulnerabilities, there are vulnerabilities, right? So welcome to the world of vehicle hacking. So before we understand how this, you know, Tesla and all those automotive, this, you know, autonomous vehicles are made, let's understand how the electronic components in the, and this machinery called car or vehicle came into the picture. So it came like, it started as, uh, you know, a distributed architecture. Let's, we, we, we'll, uh, discuss about the vehicle architectures. Okay, so this is called
distributed vehicle architecture. You, if you have a car which you bought before 2016, uh, it is likely that you might have this distributed vehicle architecture, where every, you know, every function, like your, your, you know, window, your horn, everything is going to be handled with one particular microprocessor or microcontroller. So there were hundreds of them, right? So what they came up with: domain-based vehicle architecture, where they combine few of the microcontrollers into one, made it little more powerful, which can give you more functionality, and made it a domain. So if you, uh, like if you have XUV 700 or MG Hector Plus, you might know that there is an ADAS 2, right? So you
have seen the videos of people sleeping in the car, and the car actually moves really fast and it doesn't crash, right? That is ADAS. Okay, there are the sensors which track the distance between the car, which track the lane and everything, and it calculates the safety, okay, and it drives automatically, right? That is done on the domain-based architecture, which we are looking at right now. For the future, this is zonal, zonal architecture. So Tesla is zonal architecture. Okay, there is only one computer which handles everything. Okay, so it is divided into zone and telematics and everything. So what is this telematics control unit? So it is your, uh, your computer in the car, your
ECU in the car, which handle the remote fun somewh, which handle your calls, right? Now the vehicles have come up with e, right? Uh, let me tell you one example. I was working in, uh, I, I had, uh, gone to, you know, on-site project in 2022, and it was a EV manufacturer company. So coming with a telecom background as well, you know, uh, we try to hack that, you know, telematics unit. So anyone running the car or, like, talking in the car, basically we are able to listen them, right? That is done on the telematics. So, uh, this is what we call smart cars. Okay, so what is a smart cars? Nothing, a bunch, bunch of a lot of
sensors, actuators. There is some algorithm working behind. They had developed on the programming language called AUTOSAR, which is basically C and C++, but they take the data, they calculate. Okay, if any of the calculation go wrong, your car can crash. Okay, uh, looking at this, in that, again, that on-site project, what I did was, uh, I, I write a buffer overflow exploit for the browser. It was integer overflow, and once you just visit that particular website, which, like, I just hosted on, uh, on my laptop, and I, I turned on the access point and connected the vehicle with that access point so that I can, you know, connect with an IP. Okay, but if you host that basic JavaScript which
was exploiting your browser, the car stopped. The first thing that happens when your car stop is your brake fail, right? Your hydraulics get stopped, right? So this was a PoC I had done. So this is how, uh, in the real, like, the adaptive cruise control, automatic emergency brake and everything, those, these are, these are done on the base of the sensors, right? Moving next. Okay, welcome to the world of V2X, vehicle to everything, right? Uh, people have gone crazy behind IoT. We want everything connected, right? With the connections there comes vulnerabilities, simple is that. So now your vehicle is connected to the network, called V2N. So basically this is, you can see this, this is a telecom
tower, right? Your vehicle is connected to your telecom tower. Your phone, because you are using phone, your telecom network knows that if you have a phone there, that there must be a human, right, a pedestrian. So P2N. Not only that, your traffic lights, that is I2N, infrastructure to network. So everything correlate. So now we have, we are, we are entering to the world where everything is calculated and the cars will be automatic. They will decide: if the traffic light is red they will stop, green they will move, right? So how it is done? It is done on the base of normally two communication, which we will discuss. So this is, uh, V2X, where C-V2X is
important, that is cellular V2X, vehicle to everything. Moving next. So what is V2X? V2X technology refers to the intelligent transportation system where all the road entities, including vehicle, pedestrian, cycle, motorcycle, everything, you know, are connected. In 2015 Siemens, which is, uh, good company, like, uh, renowned company in semiconductors, implemented the fully dynamic system on Germany, uh, uh, Germany's A9 highway, which resulted into 35% less accidents and 31% reduction in the injuries, right? And this is the motive. Even our favorite Elon Musk is working on that, right? So these are the protocols normally, uh, that we will see in the future, and, like, the protocols are already in the market. Okay, and to your surprise, there is not a much change in
the protocol. So there are the two networks. First, intra-vehicle sub-network, where your, you know, your, your communication data going in within your car is called in intra-vehicle network, while inter network is like your pedestrian, vehicle to vehicle, vehicle to motorcycle, everything is connected to the central server. Okay, so this is called inter-vehicle sub-network. So the roadside unit is your pedestrian, motorcycle, bike and everything. Your roadside unit is the transport infrastructure, right? So let's discuss this diagram. This is V2N. The satellite is nothing, your internet, I would say your telecom. V2 is your, you know, uh, you know, what we can say, signal and all. V2V is your vehicle to vehicle: how
much is the distance, is, is your vehicle, uh, kind of damaged or something, you know, that data will also be broadcasting. And V2P: there will be a cloud server. You know what, where there is a cloud server, two things will emerge: misconfiguration and API. So if you think that this is irrelevant to my domain, no, this is relevant to your domain as well. All right, what are the communications? Vehicle to sensors represents the communication between the sensors in the intra-vehicle, you know, uh, sub-network. Vehicle to vehicle, where the cars will communicate. Vehicle to pedestrian, where your phone will be connected to your telecom and it will be able to identify with thec, uh, with the
application. Vehicle to grid, uh, for your charging stations, and vehicle to infrastructure. All right, okay, there comes a new protocol. You know, this protocol word takes us to some, you know, college days,
right? So people were thinking what to do, uh, like, how can we implement an ad hoc network where you don't have to authenticate, like, you have to authenticate for sure, sure, but the authentication latency is less, you can authenticate faster, you can transfer the data faster. Which is the daily use protocol for that? Any idea? Your Wi-Fi. They come up with new idea: let's create the stack of Wi-Fi. Every protocol is implemented with your code, simple it is, you. Okay, so in a nutshell, protocol is nothing, protocol is collection of lot of data structures, okay, defines the rule, basically. Okay, so they rewrite some of the rules and they came up with an idea called WAVE protocol, that is IEEE
802.11p. Okay, acts similar to Wi-Fi but more powerful, more less, less latency, that is, like, more faster, normally used in vehicle to vehicle. Okay, so, uh, okay, that we will discuss, uh, in the further slide. Okay, the next, second option, that is C-V2X, your cellular vehicle to everything. Now you have e in your car. Okay, your car will connect to your tower, your mobile tower. Okay, so your car becomes UE, user equipment. In the background there is lot of, you know, wires going around, you know, on the telecom side, and they basically do routing of your data and your calls and your voice. That is done on eNB, that is eNodeB. This is for LTE, mind it guys. 5G is the
current situation, 6G we will discuss maybe some day later. Okay, for your vehicle to communicate with your cellular there need an application, there need to be some rules that identify your phone's data and vehicle's data. That is called V2X application server. Then there comes V2X control flow, which gives you authorization and revocation. Okay, then there is multimedia broadcast, which basically handles a lot of vehicles moving faster,
because, because we are not able to authenticate so fast, correct? We are moving so fast. Single cell point of point to multi-point. Okay, so these are the workings of, uh, C-V2X. Okay, moving next. So how basically it will work is either your vehicle will contact with another vehicle. Okay, so there are the three cases, uh, let's discuss that first. Yeah, let's, let's discuss D2D communication. So there are the three cases. Okay, if I am not, uh, you know, in the network, in, in the telecom network, but another vehicle's network, like, another vehicle is connected to the network, and they are in the distance of 500 m, they will communicate. But my vehicle have, do not have any network, so I will
transfer my data to that vehicle and that vehicle will transfer. Got the point? So I will use that vehicle as a router for myself, right? That is called partial coverage. Fully coverage, where I, I'm directly able to, you know, communicate with a cellular base station. Out of network, it says both the vehicles, all, all the vehicles are not able to communicate with the telecom or your cell tower, but they will communicate on what we had discussed, WAVE protocol, IEEE 802.11p. Okay, they will authenticate, they will understand everything, okay, and, and they will store, they will try to, you know, connect the tower again and again, and if they get the, you know, tower, we can say in the layman term tower, they
will push all of the data. So that, okay, uh, in the near future it might come that you, your insurance will be calculated on your driving behavior. There are a lot of applications, right? So those data, your driving behavior and everything, will be pushed to the network, and from that network to cloud, right? Okay, so this is done with V2X application. Okay, or otherwise your vehicle is directly connected to a telecom. Okay, so cell-based communication. Your first, first thing, like, how, how basically it works is, like, how my, my car will connect to the telecom tower. First, your car, that is UE, sends authentication request to the mobile management, uh, ident, entity, that is MME, which is on the telecom
site. Okay, this is not new thing, mobile management entity is not new thing. If you had lost your phone, you had, you, you, you might go to the police station. What they will do, they will put your IMEI into the tracking, they will just update this MME. Okay, this is one thing. Second thing, let me talk some black hat stuff. Before a few years, not a long, even we were able to track anyone's phone. You know how? Okay, so your phone, wherever you travel, they have to update your location on home location, HLR. Okay, so the location that you are standing. Okay, so I come from Gujarat, my, and I, like, I come from Gujarat, I, I bought the
SIM card from Gujarat only, that is my home location. I, I had visited here in Mumbai, okay, that is my virtual location. My virtual location will get update every time, okay, within minutes. There were some sites, just pay $1 or $2, they will give you VLR. Okay, now it doesn't work anymore. Okay, so this is what mobile management entity was. Second, the mobile man, uh, you know, management entity will identify and that, okay, you, you don't have any unpaid bills and everything, then it will allow you to connect, that is, it will send you the authentic, authentication code, or we can say generate a authentication vector. In the third, it will send you the authentication vector, and this is how
you connect your car to the telecom. All right, so let's talk about, uh, attacks. Okay, so first thing, black hole and gray hole attacks, where I, you know, okay, have you ever, uh, heard about IMSI catcher? IMSI catcher, Stingray? Yeah, correct, perfect. So what you do is you make your cell tower and broadcast with a lot of power. Okay, before few years it was so easy, because your phone does just understand if there is a signal, uh, with more powerful, like, more strength, uh, network, they will connect. And this is how IMSI catchers were able to trick your phone to connect my tower. Okay, once they are connected I can do MITM. Okay, and this is how black hole and gray
hole works. Flooding: go to China, okay, in just 18,000 Indian rupees we'll get jammer for everything. Okay, so I saw a jammer in 80,000 that blocks your 2G, 3G, 4G, 5G, WiFi, GPS. What is that flooding, uh, sorry, jamming. Flooding is like I roll up my SDR and bombard a lot of those authentication packets. I don't need to acknowledge that, I just send authentication. You, your tower, your telecom tower will think that, okay, there are a lot of request for authentication, and it will be overrun and it will stop working. Okay, uh, the last point, it says that how we will do that in the vehicle. Let's take an example: we have a four vehicle, we want to target an, like,
we want to target someone. We'll have that four vehicles, we'll position like one front, one back, one left, one right. Okay, then we will roll up this flooding or jamming, right, and we will isolate that target so that it cannot communicate with the cell tower, right? This is, so these are the attacks on availability. Okay, uh, next, attacks on integrity. Now you have achieved MITM with IMSI catchers, why, why don't you inject the false messages, right? That is integrity attacks. Replay attack, for sure. GPS spoofing: so GPS, like, your vehicle or even your phone takes the clock from the GPS. Okay, once you match that clock, which is easy, you can spoof the location of
the GPS and your vehicle's location will go crazy. Okay, mind it, GPS, or we can say location tracking, in auton, uh, autonomous vehicle is more crucial, because, because you are on a some, some path, and if you make that vehicle go crazy, like, where it shows it is lost, like, okay, I'm, I'm, I'm, I'm heading towards this direction, I spoof the GPS and such a way that my car will decide I'm heading in the wrong direction, it will take a U-turn. Okay, let's make that
ATT, right? Okay, so this is integrity. Obviously MITM comes up with confidentiality attacks as well. So this vehicles have the pre-shared keys, okay, I can sniff them, okay, and location tracking, that we had discussed. The last attack, that is attack on authenticity, that is certificate replication attack. So vehicle manufacturers decided, okay, B hacking hacking, let's work on cryptography. You know, people think that we can stop hacking by cryptography, right? So they come up with certificates, we came up with
ideas. So how this thing work is my vehicle will authenticate with your vehicle. Okay, now something wrong happened, like my vehicle certificate expired, or maybe I'm not able to make a key exchange, or maybe if I'm do able to do the MITM I drop that key exchange packet, your car will immediately blacklist my car. Okay, so there will be a list of the certificates that are in blacklist. Okay, now I will use, you know, those blacklisted, or, like, okay, uh, because we had authenticated earlier, we can reuse that certificates. Okay, uh, Sybil attack, that is single compromise node pretend to be fake entities, and impersonation attack. Okay, so these are crypto attacks. You know why, uh, how, how you can
do that? Isolate the car from network. Again coming back to that same example: there is a target car, we will, you know, cover that car with our four cars, one front, one back, left and right. We'll jam that so that car cannot, uh, you know, communicate with the, your cellular. We'll have another car which will try to authenticate. Okay, and this is how you can do with this authenticity attacks. We had talk a lot, a lot about, you know, car hacking and all, but are they really possible? To make this possible we need to hack telecom, right? Just Google awesome Telco security. This are real research papers, and by the way, I do run Telecom
Security Village at DEF CON, so I know that, right? So this is your IMSI catcher. How you can do that, uh, you, you have heard about SS7, right? Your WhatsApp one hack, few years back we got, when we were in lockdown, we wanted to hack WhatsApp, right? So, uh, this is, SS7 is your internal network which transfer your data to someone's. If you, we can, uh, you know, hack that SS7, that is possible by sron. How? Sron, sron is nothing, your VI, so you can hack your Telo, telecom with your VIP. Okay, so just Google that, you will get a lot of resources to learn. Next, just Google awesome vehicle security, okay, and you will get a lot of
resources.
Okay, H, next, next, perfect. Okay, so any questions? Happy to help you, happy to answer. Yeah, uh, let's make business out of it, I'm guu guy. Okay, so there are a lot of mitigations, uh, at a protocol level, like, you can do that, but that will require another, you know, hours of discussion. But yeah, there are, there are, uh, this are possible, mitigations are possible. Like, again, uh, keep in mind, uh, my mentor used to tell me that you cannot stop a hacker, you can just, just create a hurdle for him, and he will come up with an idea, and this is how we will evolve. Any more question or
yeah yeah
Never thought about that, but good idea, yeah, because basically your vehicle is identified with a V2X application. How, like, what if we port or we develop that application, we root our phone, install that? Nice idea, thank you. Great, any more question or feedback or anything? You understood, right? So I'm not discouraging you guys from not buying EV, okay, but this is reality. Okay, yeah, no worries. Okay, so this is my email address, uh, frustrated researcher at gmail.com. Uh, my blog is v2x v2x exploit. sh. You can find me on any social media with, uh, frustrated researcher.
Next? No more questions, right? All right, thank you. I think I'm a good, uh, teacher, I guess, so thank you, you, bye-bye.