
Finding Obvious Automotive Security Bugs Using Common Tools & Attacks

BSides Ahmedabad · 2025 · 37:43 · 572 views · Published 2025-04
About this talk
Jay Turla demonstrates how common tools and basic attacks expose automotive security vulnerabilities across infotainment systems, CAN bus, and RF protocols. The talk covers CAN injection attacks, RF jamming, format-string exploits, and practical demonstrations of attacks on real vehicles—showing how €25,000 commercial hacking devices can be replicated with $5 in parts.
Original YouTube description
🤯 Ever wondered how those sneaky 👀 automotive security bugs 🐛 are found? 🤔 You have to watch the captivating talk by Jay Turla, Principal Security Researcher at VicOne🛡️, from BSides Ahmedabad 🇮🇳 NOW! 🚀 He gave an insightful presentation 🎤 on “Finding obvious automotive security bugs using common tools and attacks” 🛠️💥. Get ready to learn! 🤓 The presentation dives deep 🌊 into recent famous CAN injection attacks, details the common tools ⚙️ used, explains the principles of RF jamming 📡🚫, and even shows it all in action with practical demonstrations! 🎬🔥 Don't miss out! 🎉
Transcript [en]

Good morning to each and every one of you. It's good to be back in India. This is actually my fourth time in India and my second time in Ahmedabad. So I'll be talking about finding obvious automotive security bugs on the fly from common tools and attacks. This talk is like an introduction if you're an application security researcher, a web hacker or a network penetration tester. So just to give you my background: I'm currently working for VicOne. VicOne is an automotive cyber security company. We are a subsidiary of Trend Micro. So Trend Micro is an antivirus company, and VicOne is not an acquisition of Trend Micro; it's a brainchild of Trend Micro. So

yeah, who am I? I'm Jay Turla, but here in India, because I have a lot of Indian friends, they call me Jaykant Shikre from the movie Singham. Yeah, they said, "Welcome to Ahmedabad, Singham." So I currently work as a principal security researcher and I came all the way from the Philippines. My first visit to India was for Nullcon. I think that was like 2017 or '16, I forgot, but it's been a while. And I'm one of the organizers of the Car Hacking Village Philippines, in the Philippines of course, and we regularly present at RootCon, which is a hacker conference where everybody gets drunk even in the morning. So yeah.

RootCon is like a villain, right? But we're a villain because we create organized chaos in RootCon. So if you're a bad guy and you are too drunk, we will boot you out. So yeah. I will be flying out to Singapore tonight, because we made it to the finals of an IoT and OT hacking contest managed by the government of Singapore, and we're the first all-Filipino team, called Team Pinoys, which is a derogatory term for Filipinos. Yeah, so we made it to the finals and we are claiming our bounties in Singapore and also getting more bounties for the

finals. Yep. So yeah, like I said, this is an introduction if you're an application security engineer, a hacker, a penetration tester, because from my side, I started as a web pentester, a bug bounty hunter, a security researcher, and a network penetration tester before I moved on as an automotive security researcher. All right. So these are the attack surfaces that we will be talking about, which are the most common bugs that you can find. We have the infotainment, then we have the controller area network, or CAN, or the CAN bus, and then we have RF, which is radio frequency. So we will demystify some common misconceptions

about RF attacks as well. So for infotainment, it's pretty much like other IoT devices: there are Bluetooth attacks that you could do. You could also trigger malformed-input or format string vulnerabilities via RF and Bluetooth. There's a sample scenario that I'll be showing later on. And then weak authentication or passwords on services like SSH or Telnet. Some of you might be familiar that in some infotainments, if you connect to the Wi-Fi, they have a service running, which is SSH, or secure shell, or sometimes Telnet. There are a couple of presentations from other researchers detailing their findings about it. It's not that common from

2018 up, but for cars from 2018 and below, some of them are running SSH or Telnet, which is really stupid sometimes, and sometimes they have weak passwords, and of course sometimes they don't have authentication. So if you just do Telnet or netcat, then you're in, you got shell, and it's your technique already how to get your privilege as root. And then of course you can also try to find buffer overflows or memory corruption in services. So take for example, if your infotainment has Wi-Fi, you can try to find a buffer overflow. So you need to do some fuzzing, you need to do some reverse engineering if you got the hardware, because

you need to have the hardware, of course; it's not supposed to be like remote access. And then I will be showing a demo about USB autorun to code execution, which was the reason why Mazda went to DEF CON, because of my finding. So this is a sample format string vulnerability from a 2011 BMW 330i. So remember, this is 2011, but we can still see a lot of infotainments that have this kind of vulnerability. So basically what he did is that he set his smartphone's name to %x%x%x, that's the name of the iPhone, or phone I mean, and then he tried to connect using Bluetooth with

his phone name with %x, which is a format string, and after that he crashed his BMW infotainment. Okay. So in automotive security testing, this could be a hindrance sometimes, because you can't use your GPS, or you can't play your favorite songs, or you can't call your contacts or your friends if you're driving. So sometimes it's hard to do while holding your phone while driving, because it's dangerous, and also in some countries it's actually illegal if you do that. I don't

know about India though. But yeah, I mean it's hard for me. It's really hard for me to drive in India. It's kind of confusing because you have right-hand drive, we have left-hand drive. So maybe if I drive right now, I will surely crash into one of the cars. Yeah. So this is from the Mazda infotainment. So in the US, if you have a 2017 or below Mazda, if you connect to your Wi-Fi, you got these default credentials. So it gives you root right away. So it's like a back door, but yeah. So it's JCI/JCI; in some countries it's root/JCI. So it's like a username and password, and

then there's a normal privileged user called user/JCI. So yeah, this has been patched already, so that's why it's okay to talk about it, and I've asked them; I'll just show the previous hack that I did back then. And then this is a sample USB to code execution. I got curious, so I read up on one of the details from a PDF that allows you to pull data from the CMU. The CMU, this is the supplier for the infotainment. And I also analyzed the app from Tres. So there's a developer from San Francisco who is into creating apps for Mazda, and then there's documentation on

how you pull the data from the infotainment, the log files. So what I did is that I read one of the code files, and here it is. So basically it's actually trying to call a shell script. So from there, I modified one of the pull-up files, and after that I actually modified the shell script to allow me to execute uname -a, just for PoC purposes. So this is the actual Mazda that I own at home. So yeah, you just need to insert the flash drive in the USB port. Yeah. And that is the infotainment. It's touchscreen. It's 2017 actually. And you wait for a few seconds

before you are able to pop a shell. Waiting. Let's wait. Yeah. I don't see Mazda, but that's a PoC, and then after that it executes my message and also executes, yeah, and then from there you get a normal privileged user, so you can actually try to elevate your privilege as well. So for infotainment, there are some stupid attacks that work. There's also one experience that I had where I reported to HackerOne back then; I can't disclose the car. If I actually insert a keyboard into the car, I can control the infotainment, but then that's not a vulnerability, right, because that's plug

and play. So the vulnerability there is that after a minute, basically, you need to restart the car for you to be able to use the infotainment again. So it may sound stupid, really, but it's so simple, and sometimes you get a reward for it, and I tell you there are some automotive companies that are rewarding this kind of bugs. Yeah. So next is one of the famous ones. If you do car hacking, it's not just about opening the car; it's not just about using Flipper Zero. We have a protocol called controller

area network, and this is the standard protocol made by Bosch. And this is my testing methodology when I try to do a pentest or automotive security testing for our clients, or when I try to hunt bugs for automotive. The first thing that we need to do, just like in any penetration test, is recon, or information gathering. So from there we will try to enumerate UDS services by sending Diagnostic Session Control. So when you say UDS, this is Unified Diagnostic Services. And the next thing that I do is actually to use Caring Caribou. So Caring Caribou is like my go-to tool. It's like my nmap for scanning the controller area network, looking for Diagnostic Session Control, and then I try to fuzz the arbitration IDs of the car.

So after that I try to perform CAN spoofing and replay attacks when opening doors, windows, trunks or other significant sensors. So for example, if I'm already inside the CAN bus of the car, let's just say OBD2, I'm not ripping off one of the parts. So the next thing that I do is I log my CAN dumps of what I did. For example, I open the car, I press the emergency button, I try to open the trunk. So those sensors or those functionalities of the car, I try to

log it all, and after that I try to replay it, and if there's one arbitration ID or one functionality that I was able to replay, it's like MITM, man. And if it's successful, I try to replicate it. And then after that, I try to rip off one of the parts of the car, like the brake lights, the ADAS or the body control module of the car. And then there's also an old attack in cars: you can perform CAN injection through DoS, so denial of service. There's an old attack called the fire host attack, wherein if you send zero as an arbitration ID and the

CAN frame with eight bytes of zero, because zero is the lowest priority, and the lowest-priority CAN frame is treated as first in the CAN bus network. So after that, if you try to open the car, you won't be able to, or if you perform a certain functionality, it seems like it's not working, because you were able to DoS the CAN bus network. And then the next thing is to check out other known CAN injection attacks and take it away. I have a tool that I developed which I presented at DEF CON back then. It's called canTot, which is Controller Area Network Tools of Trade. So from that I am able to look

at the source code of those Python scripts, and then try to change the arbitration ID from that, and from there I can try to replicate it on other vehicles as well. So the next thing that you could do is fuzz, and always log everything you do, like unlocking, spoofing, diagnostic sessions, security access, and ECU hard reset. So there's a way that allows you to reset your mileage, do an ECU hard reset and everything. So you try to log everything that you do. There's a recent famous CAN injection attack. Basically this is the reason why Toyota RAV4s were stolen in Europe, in Canada and also in the US, and then

luckily not in the Philippines. So a hacking device can allow thieves to steal a wide range of car models using an attack method called CAN injection. So this was found by Ian Tabor, who is actually my mentor and a good friend, and is currently recovering from cancer right now, and Ken Tindell, who is the guy behind creating the CAN bus from Bosch. Dr. Ken Tindell is also an inspiration, because what they did is that Minset's RAV4 was stolen. So they tried to research how it was done, and they found out that there's a syndicate, or there are a couple of cyber thieves, that actually use that kind of device, but it costs like

€25,000, and it's disguised as a JBL speaker. So how do you open the car? You just need to break the headlights, find the CAN bus using a multimeter. So you need to use a logic analyzer, or you need to use a multimeter and measure 3.5 volts for the CAN bus. There are two wires, and then you use a device to connect. It costs $25,000, but I can actually recreate that one by just using $5 in parts. Okay, I'll show you one. Wait, I will get my device. When I went to the airport in Delhi, they tried to play with some of the things that I have, because I

have a lot of HackRFs, and they also saw my Flipper. They also saw my HackRF and they said, "What is this? Is this GPS? Is this for controlling the machines in the airport?" I said no, it's just my microphone or Game Boy. So yeah. So basically this is a HackRF, but that's not the one that I'm showing for the CAN injection attack. So basically you can recreate this kind of attack. So, $25,000 versus $5 in parts.

Last year I was giving out PCB boards like this, but they ran out during RootCon, the conference that we have in the Philippines. So you just need an Arduino Nano, which is like $3, and an MCP2515, and then you program it; you reverse engineer that one and get the CAN frame that's being sent to the headlights. So for just $5 you could actually create this kind of hack, but they're selling it for €25,000. Yeah. So they tried to look at it and I just said that I'm a firmware engineer, in the airport. So that's why it's safe. Yeah, it's my first time being stopped. It took me time in

the airport. I didn't experience this in the US or in Singapore as well. So these are some of my tools. NanoCAN, that I've shown, the real one, $5; and then CANtact, which is $75. The tech maker, this was given to me by a couple of friends from Ukraine, and they are joining the fight against Russia right now, but I don't want to be biased about that, but they're good guys as well. They created the CAN sniffer using STM32. And then we have ValueCAN 4, which costs $175. And then I have a new one called CANtact Pro as well. It costs like $200. The good thing about those

expensive tools is that they come with software. Unlike this, where you need to code your own firmware, or you need to upload your own sketch. So this is my favorite tool. I use Caring Caribou and I try to brute force, or it's not really brute forcing, but you are trying to fuzz the arbitration IDs and also discover the responses from the car. So as you can see there as an example, 710, 7DF and 7E0 have a response of 77A. So that means these are the Unified Diagnostic Services of a car. So this is a sample demo when you

do spoofing. This is from a Toyota Wigo of a friend that I have in the Philippines. So you can actually try to spoof the instrument cluster. Oh, so this is a known car, a small car in the Philippines, just like the Hyundai Eon, but this is a Chinese brand which I can't disclose, because it's still being patched right now. So basically we just connected; we tried rooting the infotainment and then we noticed that you can actually install voice applications on the infotainment, and after that we tried using the voice messages, and

then we intercepted the CAN frames that are sent by the voice messages, and we can actually open the trunk of the car. We can also open the sunroof, and yeah, the windows as well, and also close them back. So this is actually a violation of ISO 21434 if you can actually do it remotely, and yeah, I will not disclose the name of this Chinese brand. If you want to learn more, you could actually play our CTF by VicOne and Block Harbor at ctf.blockharbor.io. So we had this pre-qualifying CTF two months ago, and then we had a CTF in Japan, and since I'll be going to the US on October 18, we will

have the finals, and the winner gets $100,000 US for being on top of the CTF. So there are already six teams. The current leading team is from Japan actually, and then a couple of US automotive cyber security companies. So yeah, it's good: even though the CTF, or the pre-qualifying, is already done, you can still play the challenges that we built during our qualifying rounds. So you also get hands-on with our VSOC platform for vehicle security. So for example, if someone is actually trying to do a CAN injection on your car, and we have

xCarbon installed in one of the cars, we have a solution to alert you if someone is trying to steal your car. We have this product called xNexus; you get hands-on with that as well. On the CTF you will be provided with credentials so that you can play with our platform, and it's for free. So now, next is the exciting part, because people want to open cars. So RF cloning, key fob attacks. The known attacks that we know today are replay, but you can't do it because there are rolling codes in cars. We have the relay, which is the most known technique used by thieves that are

stealing luxury vehicles, and then they actually try to take off the parts of your car and after that they sell them to other people. And then there's an easy way to somehow test if your car is vulnerable to this attack. It's called RollBack and RollJam attacks. RollJam, you need to jam first, but RollBack, you don't need to jam. Okay, I will explain it later. You could also check if you could pull the encryption mechanism used by the key fob. So you can dump the firmware of the key fob, and then you can do RF testing, frequency analysis, and then check for raw signals, or signals without rolling codes. But

like I said, most cars right now have rolling codes. And then part of the testing that we do is also RF signal jamming, because maybe we can try to disable the radars of the car. I'll show you one example, at GeekPwn 2020. Yeah, this is from Singham, I think. But yeah, so in 2020, a contestant from Alibaba, who used to work at Trend Micro as well, interfered with the radar of an autonomous car, causing the car to mistakenly believe that there were no obstacles ahead and resulting in a crash. So there were three different cars hacked in a contest in 2020. So I know you will guess what car is

that, but since it's no secret anymore, it's a Tesla, actually. So in 2024, that same researcher used a device that jams or emits 77 GHz. That's a big radio frequency, right? Because HackRF is only up to 6 GHz, and then the bladeRF is up to 6 GHz, but bladeRF 2 is, I think, 8 or 12. I'm not sure, I forgot. But so if you buy a radar, a device that allows you to create noise at 77 GHz, it costs a lot. But this guy from China, from Alibaba, was able to source a transmitter that allows him to transmit at 77 GHz. He didn't disclose what device that was, but

I'm trying to research it as well. This was patched in 2024. So when I went to GeekCon, because I participated at GeekPwn, or GeekCon, in Singapore. It's a Chinese hacker conference. Geohot was invited, like in 2016 back then, and then a couple of iPhone jailbreakers. So the contest that I entered was opening one of the cars there as well, and I was able to do it in 2 minutes. And then this guy, I was rooting for him because he was able to do it in 2020. But Tesla updated, of course, their safety mechanism for their sensors, so it doesn't work anymore. So there's also another attack called RollBack attacks. So when you

try to use Flipper Zero or HackRF using an unlock signal, you won't be able to open the car if you unlock it again, or even if you replay it again, because there's an encryption called rolling code. But there's a RollBack attack that people have actually been doing, but Levente Csikor created a database out of the Asian cars that they have, and I also contributed to that. We found out that out of the vehicles that we tested, for newer vehicles, 40% of the vehicles are vulnerable to RollBack attacks while 60% are not vulnerable. So I always get that question: sir, how do I use Flipper? Actually, you

just need to flash it with a new firmware, actually not the official firmware; you can use other firmware, and after that you need to own it so that you will understand it. It's the easiest RF tool, but it's not the only tool. I know it's hard to get it in India, because I've been asked a lot, like, "Sir, how do I get Flipper? Sir, how do I get Flipper?" I said, actually, there are things that you could do, maybe you can import it from another country, but I don't want to import it to my country because customs also know what this is already. I paid, if I convert it, like 8,000

INR to the customs in my country, but I didn't pay customs for Evil Crow RF version 2, which is still the same. It's 1 GHz, but it's using ESP32. Flipper Zero uses STM32. Now, Evil Crow RF and Flipper use the same antenna, right? They use the CC1101 module. And I would prefer HackRF with PortaPack. Do you know why? So this is a HackRF that the airport police kept playing with. So it has a wider range, and also it's touchscreen as well, and it's up to 6 GHz. So when you test cars, basically I like this better. So it's touchscreen. So if you want to

capture, wait, I have sticky fingers. Sorry. Okay. So basically when someone is actually transmitting a frequency, or for example opening their key fob, you will see signals here, and then you can record and then replay it again. So you don't need to use a computer for you to do it as well. And there are a lot of things you could do; you could create a jammer as well for higher frequencies. So yeah, Flipper is not your only answer. So we have Evil Crow RF. These are alternatives that you could buy when you do RF testing. So I saw this in Tourcon. Yeah, this

meme. So, friendship ended with human, Flipper is my best friend. I don't know why this meme was in Tourcon, but it was funny as hell, because, yeah, the guy, because I don't know, is he Indian, Pakistani or Bangladeshi? Is this guy a known guy in India? Oh no. Okay. So maybe it's not Indian. So this is from a Toyota Wigo. So I locked it and then recorded three signals, three valid signals, from a Toyota using HackRF, and then let's wait. So yeah, you can see that red line; that is the first signal, the second signal and the third signal, right, and I was able to open the

Wigo. So basically it has a rolling code. So if you only record one signal, it won't open. Now, he said it's not practical if you use three signals to record a car. There's a way to loop it. So there's a way to loop it in Flipper Zero. There's also a way to loop it on HackRF. Now, sometimes it doesn't work, because it depends on the rollback. But really the attack here is that you can open the car with three valid signals. So yeah, everything is happy with Flipper. So let's have a Flipper demo. Yeah. So this is for the car that we always bring to the Car Hacking Village

Philippines, because we had a lot of vulnerabilities aside from RF attacks. It's hard to take a video with just you holding the Flipper and your camera. So it uses three valid signals to also open a Mazda 2017. And the funny thing is that 2023 is also vulnerable. Yeah. Now you might be asking, are there newer models that are affected? Yeah. I recently found a Toyota SUV. It's not the Fortuner. It's another SUV from Toyota which I can't disclose, and I just reported it. I needed five signals to open it and was able to. But the good thing is that I just needed two valid signals and I need

to loop it, and then loop it like three times again, and then I was able to open the car. It has a rolling code as well. This is a bonus demo. This is from Tesla at GeekPwn. So I went to GeekPwn and I played with one of the Teslas that was not hacked. But as you can see, even though I didn't record the signal for opening the charger port, it allows you to open it, because it's static. So it's free for all. You don't need to capture it. There are already a lot of valid signals on GitHub. Right. And everyone loves Flipper.

This is not automotive already. So this is from the hotel that I'm staying at right now. Yeah. So this is not automotive; this is NFC. But of course Tesla is using NFC, but it's not vulnerable to this kind of attack. This is the first time in a hotel where I don't need to brute force the key. So I just plugged it up. I didn't need a wordlist to brute force the MIFARE keys. So I said, wait, it happened, because I need to brute force on some. But yeah, it was easy to do that. Questions. Any

questions? I hope I don't get in jail for doing that in the hotel. Because in RootCon we had a lot of reports from other attendees that were using their Flipper, and it was funny as hell because the hotel managers questioned us.

I have a question for you. So the rolling code, right? Like, why is it only three signals or five signals that unlock the car and not this one?

That's a very good question. All right. So it is not for all vehicles, like I said, 40% and 60%, right. Those vehicles that are doing it is because there's a sliding window for you not to be able to lock your car. So the third

signal is because that's the sliding window, and it does a counter re-synchronization. So that's the reason. Yeah. Sorry, I wasn't able to explain that a while ago, but that's the reason: there's a sliding window on the third signal. Thank you. Yeah, it shouldn't be that way, but it's a stupid way. But yeah, like I said, sometimes with automotive, I mean, there are a lot of improvements. I'm not saying automakers are stupid, but sometimes there are misses. It's just like any bug bounty: someone was able to find a default admin on Netflix, and it's using default credentials, and it's P1, right? So take for example, just

like that. Any more questions? Yeah, please don't ask me where to buy Flipper. It's on flipperzero.com. All right. Any more questions? Okay, that's it. Okay. Thanks. Thanks, everyone, and I hope that you enjoyed the talk.
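The talk describes a CAN bus denial of service in which a node floods the bus with arbitration ID 0x000 and eight zero data bytes, so that nothing else gets through. The detector below is an added example, not code from the talk, from VicOne or from canTot. It parses a candump-format log (the log lines are constructed here, not captured from a vehicle), builds per-ID statistics, and flags any ID transmitting above a rate threshold, with a separate check for the textbook ID-0 all-zero flood. The threshold values are assumptions for the sample data; on a real bus you would calibrate them against a baseline capture of normal traffic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed candump-style log: normal periodic traffic on 0x1A0 and 0x2C0,
 * then a tight burst of ID 0x000 frames carrying only zeros. The lowest ID
 * wins every arbitration, so such a burst starves every other node. */
static const char *SAMPLE_LOG =
    "(0.000000) can0 1A0#0102030405060708\n"
    "(0.020000) can0 1A0#0102030405060708\n"
    "(0.025000) can0 2C0#00FF\n"
    "(0.040000) can0 1A0#0102030405060708\n"
    "(0.060000) can0 1A0#0102030405060708\n"
    "(0.075000) can0 2C0#00FF\n"
    "(0.080000) can0 1A0#0102030405060708\n"
    "(0.100000) can0 000#0000000000000000\n"
    "(0.100500) can0 000#0000000000000000\n"
    "(0.101000) can0 000#0000000000000000\n"
    "(0.101500) can0 000#0000000000000000\n"
    "(0.102000) can0 000#0000000000000000\n"
    "(0.102500) can0 000#0000000000000000\n"
    "(0.103000) can0 000#0000000000000000\n"
    "(0.103500) can0 000#0000000000000000\n";

struct id_stat {
    unsigned id;
    unsigned count;
    unsigned zero_payload;     /* frames whose data bytes were all zero */
    double first_ts, last_ts;  /* seconds, from the candump timestamps */
};

/* Parse one candump line "(ts) iface ID#HEXDATA". Returns 1 on success. */
static int parse_line(const char *line, double *ts, unsigned *id, int *all_zero)
{
    char iface[16], hex[32];
    if (sscanf(line, "(%lf) %15s %x#%31s", ts, iface, id, hex) != 4)
        return 0;
    *all_zero = 1;
    for (const char *p = hex; *p; p++)
        if (*p != '0') { *all_zero = 0; break; }
    return 1;
}

static struct id_stat *find_or_add(struct id_stat *st, int *n, int max, unsigned id)
{
    for (int i = 0; i < *n; i++)
        if (st[i].id == id) return &st[i];
    if (*n >= max) return NULL;
    memset(&st[*n], 0, sizeof st[*n]);
    st[*n].id = id;
    return &st[(*n)++];
}

/* Build per-ID statistics from a candump-format log. Returns distinct IDs seen. */
int analyze_log(const char *log, struct id_stat *st, int max)
{
    int n = 0;
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        double ts; unsigned id; int zero;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_line(line, &ts, &id, &zero)) {
                struct id_stat *s = find_or_add(st, &n, max, id);
                if (s) {
                    if (s->count == 0) s->first_ts = ts;
                    s->last_ts = ts;
                    s->count++;
                    s->zero_payload += zero;
                }
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Flag IDs sending at min_rate_hz or more over at least min_frames frames.
 * Returns the number flagged; the first flagged entry is copied to *worst. */
int flood_suspects(const struct id_stat *st, int n, double min_rate_hz,
                   unsigned min_frames, struct id_stat *worst)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (st[i].count < min_frames) continue;
        double span = st[i].last_ts - st[i].first_ts;
        double rate = span > 0 ? (st[i].count - 1) / span : 0.0;
        if (rate >= min_rate_hz) {
            if (flagged == 0 && worst) *worst = st[i];
            flagged++;
        }
    }
    return flagged;
}

/* The textbook priority flood: ID 0x000 with every frame carrying only zeros. */
int is_priority_flood(const struct id_stat *s)
{
    return s->id == 0 && s->count > 0 && s->zero_payload == s->count;
}

int main(void)
{
    struct id_stat st[64], worst;
    int n = analyze_log(SAMPLE_LOG, st, 64);
    int flagged = flood_suspects(st, n, 500.0, 8, &worst);  /* thresholds assumed */
    printf("%d IDs seen, %d flagged\n", n, flagged);
    if (flagged)
        printf("ID 0x%03X: %u frames, priority flood=%d\n",
               worst.id, worst.count, is_priority_flood(&worst));
    return 0;
}
```

On the constructed log, 0x1A0 runs at about 50 Hz and is ignored, while the eight ID-0 frames arrive at roughly 2 kHz and are flagged as a priority flood. The same statistics also cover the other injection the talk mentions (frames on the headlight bus that normally never appear there): an ID absent from the baseline capture, or one whose period suddenly collapses, is what a VSOC rule would alert on.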
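The closing question asks why a few captured presses open a car that rejects a single replay, and the answer is the receiver's sliding window and counter re-synchronization. The model below is an added example, not code from the talk or from the RollBack research it cites. It assumes a simplified receiver: a plaintext counter stands in for the decrypted rolling code (real fobs encrypt it), a forward window of 16 covers presses made out of range, and anything beyond the window goes through a resync path that wants two consecutive counters. The vulnerable variant accepts that pair even when it is older than the stored counter, so replaying recorded presses re-synchronizes the receiver backwards; the hardened variant refuses to resync to any counter at or below the one it holds. In this model the second replayed press already unlocks; the three or five signals the talk reports come from how real receivers size their windows, which this model does not try to reproduce.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 16  /* forward window: presses the owner made out of range */

struct receiver {
    uint32_t counter;   /* last accepted counter */
    uint32_t pending;   /* first half of a candidate resync pair */
    int have_pending;
    int forward_only;   /* 1 = hardened: never resync to an older counter */
};

/* Feed one received counter value. Returns 1 if the receiver unlocks. */
int receive(struct receiver *r, uint32_t c)
{
    /* Normal press: a little ahead of the stored counter. */
    if (c > r->counter && c - r->counter <= WINDOW) {
        r->counter = c;
        r->have_pending = 0;
        return 1;
    }
    /* Outside the window: resync path, needs two consecutive counters. */
    if (r->forward_only && c <= r->counter) {
        r->have_pending = 0;  /* hardened: an old counter never starts a resync */
        return 0;
    }
    if (r->have_pending && c == r->pending + 1) {
        r->counter = c;       /* vulnerable variant lands here even for old c */
        r->have_pending = 0;
        return 1;
    }
    r->pending = c;
    r->have_pending = 1;
    return 0;
}

/* Scenario: three legitimate presses are recorded while they open the car, the
 * owner keeps using the fob, then the recording is replayed. Returns 1 if any
 * replayed press unlocks. Counter values are constructed for the example. */
int rollback_succeeds(int forward_only)
{
    struct receiver r = { .counter = 99, .forward_only = forward_only };
    uint32_t captured[3] = { 100, 101, 102 };
    for (int i = 0; i < 3; i++) receive(&r, captured[i]);  /* live, recorded */
    receive(&r, 110);                                       /* fob moves on */
    int opened = 0;
    for (int i = 0; i < 3; i++) opened |= receive(&r, captured[i]);  /* replay */
    return opened;
}

/* A single replayed press fails on both receivers: the rolling code working. */
int single_replay_succeeds(int forward_only)
{
    struct receiver r = { .counter = 99, .forward_only = forward_only };
    receive(&r, 100);
    receive(&r, 110);
    return receive(&r, 100);
}

int main(void)
{
    printf("single replay, vulnerable receiver: %d\n", single_replay_succeeds(0));
    printf("replayed pair,  vulnerable receiver: %d\n", rollback_succeeds(0));
    printf("replayed pair,  forward-only receiver: %d\n", rollback_succeeds(1));
    return 0;
}
```

The fix is one comparison: a resync must only ever move the stored counter forward. That is also what to look for when reviewing a receiver's firmware or a supplier's spec, and it is the property the 40/60 split in the talk's database is really measuring.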