
BSidesIowa 2019 Car Hacking 101

BSides Iowa, 39:17, published 2019-05
About this talk
BSidesIowa 2019 Car Hacking 101 by Daniel Limanowski
Transcript (en)

Okay, ready? Let's get started then. All right, awesome. Welcome to the talk. Today I'll be talking about car hacking and an introduction to the CAN bus. So, real quick about myself: my name is Daniel Limanowski. I'm a senior in Computer Engineering at Iowa State; I'll be graduating in a couple weeks here. I enjoy the red teaming and penetration testing side of security, I also do a bit with web technologies and web application development, and I enjoy cars, so that's kind of where this talk came from. I currently work for ISEAGE at Iowa State; we put on the five cyber defense competitions a year. I've been doing that for quite a while and I'll be finishing up with them as I graduate, and then I

also work on the ISU IT security team, and I've been doing that since August. Okay, so they always say to start a talk off with something to drag the audience in and get their attention, so I want you to visualize: if somebody wanted to kill you, how would they do that? You might think they could grab a weapon like a gun or a knife or some blunt object and strike you over the head. However, that's messy, that leaves evidence behind, and that's very easy to pick up on. What if we wanted to do this to make it look like an accident? The way we could do that is via a car. So in 2015, the two

guys on the left there, Charlie Miller and Chris Valasek, you've probably heard of them as the Jeep hackers in the news, demonstrated in 2015 that it was possible to remotely control a vehicle from the telematics unit, which we will talk about in a little bit of detail: how they could gain access from a cellular network and get onto the primary functional network of a vehicle, also known as the CAN bus. And so hopefully, knowing that most people drive and have cars, and especially now that we're moving into autonomous vehicles and really trying to go down that path, here's a screenshot showing the funding that various companies like Uber are getting to develop these autonomous vehicles, you

can see the threat landscape here as we are starting to rely more and more on networks and electronic components to control them. So I wanted to explore, in the research that I did on my own time, once an attacker gets onto a vehicle remotely, what can they do to the vehicle? Okay, so a quick overview: I talked about why I wanted to give this talk. I'm going to talk about remote exploitation possibilities very quickly; that's not the focus of this talk. The focus of this talk is actually the CAN bus, which stands for controller area network. This is your primary network on a car in terms of controlling the components that are necessary to

make the car function. And then I want to talk about how you can reverse engineer the CAN bus, because as we'll see it's all very proprietary information that car manufacturers do not want to give out. Then we'll look at how we can practice these reverse engineering techniques on an actual simulator; we don't need a car for this, which is awesome. Then we'll apply our techniques to an actual vehicle; we'll talk about different hardware setups so that we can actually start practicing on real vehicles. And then I'll finish up with some sources on learning materials, materials that have helped me and that you may want to look into. Okay, so talking about remote access: as

attackers we want to be able to do this not plugged into the OBD-II port, which is a diagnostics port on your car (we'll talk about that); we want to be able to do this ideally from the internet. In 2015 the Jeep hackers demonstrated that was possible via the telematics unit. The TCU, as it's also called, essentially provides statistical data to anyone that's interested. To give an example, you have aftermarket and also OEM TCUs. An example of an aftermarket one would be Progressive Snapshot, so the insurance companies basically allow you to plug this device into your OBD-II port, it tracks different information on how you drive, and I think you can get

discounted rates. I don't think they would like me, so I would probably not plug one of those in. OEM TCUs also exist, such as OnStar; I'm sure all of you have heard of that. There was a different one that the Jeep hackers took advantage of, but it was OEM. Okay, so many of these have cellular modems, so that's giving us connectivity from essentially all across the world, and that research paper down there talks about different attack vectors using telematics units. Okay, so the second remote access avenue that I want to talk about is Bluetooth. This is a lot shorter range; however, they are usually insecure implementations, because you have to realize that when car

developers and engineers are putting together cars, the life cycle of them... if you're driving a 2010 vehicle, this is already an implementation of Bluetooth that's probably nine years old. And so one of the research papers that I was reading found that the Bluetooth stack that they attacked on a vehicle... the source code was readily available online; it was pretty much a copy/paste implementation of an embedded Bluetooth stack. So they were able to find the source code, find vulnerabilities within it, and then attack those to get access to the CAN bus. The problem with Bluetooth, again, is it's low range, but also it usually requires PIN pairing. So when you try to

pair a phone to a vehicle, it's going to give you a six-digit code to plug in, and that prevents anybody from connecting to your car. However, the research in this paper here discovered that it's actually very possible to brute force this if you're given enough exposure. So for example, if you set up some sort of device that would try to brute force vehicles in a parking garage, you could get in within a few hours to get attached to a vehicle. And again, these devices, the Bluetooth and the telematics, are connected to the medium speed and high speed CAN buses on a vehicle, which, as we'll see very shortly, allows us to control pretty much

everything on a vehicle, with some exceptions. Okay, so talking about how we can connect all the components necessary to make a car work: cars have a lot of things such as brakes and ABS systems, fuel injectors and timing for the engines, they have gearboxes, power steering, and a lot of other components such as park assist, which have hardware to turn steering wheels and all that. So the way these components are controlled is via a bus, and this bus works basically the same way that a bus in your computer would work with RAM and processors and I/O devices. So for CAN, for the cars, real-time is very crucial; we want a very fast and fault-tolerant bus,

because we need timing; timing is crucial if you think about traction control, ABS, and also how the engine fires, both performance-wise and for fuel economy. So the awesome thing about the bus for us attackers is that we can see what everybody else is transmitting. There's no encryption, there's no control over who is sending what, with a few exceptions that I'll discuss. Okay, so the controller area network, or CAN bus, is essentially a network of nodes. You might hear them being referred to as ECUs, or electronic control units, and they consist of three components. One of those is a transceiver, which basically takes the data, the voltage, from the CAN

bus and converts it to what the controller can use; that's essentially your link layer for the ECU. And then finally you have a processor that's either sending information onto the bus or receiving that information and doing something with it. In 2008 CAN was made mandatory for all cars under 8,500 pounds, so if you're looking at hacking a semi-truck, this is probably going to be a different protocol and a different setup than CAN, but if you're thinking about sedans or consumer vehicles, it's going to have CAN on it. And the goal again is to be fault tolerant, to have short, bursty transmissions so that this is extremely fast and reliable. And the great thing

about CAN from a reverse engineering standpoint is it's extremely simple, which we will see in the next slide here, or I guess two slides. So this is a diagram I made; it just shows how CAN is set up at a very primitive level. You essentially have two twisted-pair wires that are running all throughout the car, you have CAN high and CAN low, and they are terminated at each end by 120 ohm resistors. Then all the nodes are just hooked up to both of those wires and they can read and write onto the bus. So again, you have CAN high and CAN low, and they are transmitting essentially the same signal,

but it's used via differential signaling. The reason differential signaling is used is it helps filter out any noise; again, looking for fault-tolerant capabilities, and the twisted pairs also help remove any sort of noise. So here's a trace. It also shows how the frame is set up, but you can see the traces here in terms of how the voltage drops and rises, and this represents your logic one and your logic zero. So the differential signaling again helps to cancel out noise, but we're looking at a neutral level of about 2.5 volts, and then up at around plus 2 volts to that. We have what is the recessive, or logic one,

at 2.5 volts, and then the signal will go up to what's called a dominant signal, or a logic zero, and so that's how your binary data is represented. So looking at the frame, the most important part, arguably, about a CAN data frame is what's called the arbitration ID. This represents what the frame does or what it controls, and also its priority. So this is a big thing for attackers to keep in mind: the lower the number of the arbitration ID, the higher priority it has on the bus. So for example, if we have arbitration ID 101 that wants to write on the bus, but arbitration ID 100 is already writing on

the bus, then it's going to wait for that 100 to finish before it starts writing. Next we have the RTR, which is not very important here, but it's set to zero when we have a CAN data frame, or a CAN frame that's representing data to be sent out. Then we have the data length, which is the number of bytes of data; the most you can have in a standard CAN frame is 8 bytes. And then finally we have our eight bytes of data that essentially tells something to turn the turn signal on, or turn the steering wheel so many degrees, or tell our tachometer what the RPM is at. Okay, some caveats and things to keep in mind

about CAN: we are never going to be able to tell where a CAN frame originated from, and this is great as attackers because it allows us to impersonate basically anything on the network. Each node, each ECU, is listening for a specific arbitration ID and it only cares about the data that it needs, such as the speed, or a tachometer is looking for the value that represents RPM so that it can set up your dashboard accordingly. Okay, so another thing to keep in mind, and this is a quote from Ford's OpenXC program. OpenXC is something I guess to be aware of; they're trying to open-source some things about how vehicles work and how

you can pull information from them, but it's pretty neutered and you don't get to do a lot with it. The data that they want you to get, you're going to get, and that's about it. However, this is actually a quote from their site, and they say that the frame IDs, the arbitration IDs, are considered sensitive information by vehicle manufacturers, and so they're not going to give you the information on how to control different components of your car. And so again, we can mimic basically any sort of CAN frame, we can send any sort of information we'd like onto the network, and there's not a lot of security built into CAN. Okay, so going

into starting to look at how we can reverse engineer this: I thought when I started researching this that the barrier to get into this would be high. That's actually not true; we don't even need a car to begin hacking with CAN, which is great. So we're going to talk about how we can use a simulator, and there's some prerequisite information before we can get to that. So there was a subsystem for Linux built called SocketCAN, I believe by Volkswagen actually, and they open-sourced it, and so it's a networking stack that allows us to interface with CAN network devices. In addition to that, there's this awesome library called can-utils. can-utils is

a set of utilities to allow us to work with CAN, and I'll demonstrate a few of those here in just a second. So for example, one of them is called cansniffer; this allows us to dump all the CAN messages that are going out onto the line, and then we can also do filtering based on arbitration ID, data information, stuff like that. Okay, so now we want to start looking into how we can actually do this in practice. There's this awesome open-source tool called ICSim. ICSim is a simulator for SocketCAN and for essentially a CAN bus, and it requires SocketCAN and can-utils to interface with it, and it essentially

sets up a virtual networking device that is what could be a vehicle on your laptop. So it's got two different displays. This one is essentially your dashboard, if you will: it's got your speed, and then this is a vehicle indicating the doors that are locked and unlocked, and then it's got your turn signals as well. And then there's also a control GUI, which I'll show you, as if you were pressing the pedal or stuff; you can interface with your keyboard to do that. And we can use this to practice reverse engineering CAN frames. As you'll see, the skills that you learn here and the reverse engineering techniques you learn

here, all the scripts you write and different code to work with this, transfer directly over to a car, which is awesome, because it's better to do research here than to just sit in your car in winter with the heat on trying to hack away. I learned that very quickly. Okay, so now I'm going to demo ICSim very quickly, but we're going to do that as a live demo, because why not?

Okay, so let me make this bigger here. Okay, so I've got ICSim and can-utils already on my device. I can run this script here to set up a virtual networking device for the CAN, and so I can just go ahead and run that real quick and get that set up, and then I can start up the ICSim simulator itself on my new vcan0 networking device. So now we've got this fun little GUI here, and then I can also start the controls panel. I'm not sure why they chose a PlayStation controller, but they did; I don't know why, pedals would have been a better solution, but that's what they did. So I've got both

of them open here. If I click on the control panel I can hit the up arrow and that's going to start increasing my speed, so now it's like I'm pressing on the throttle. If I do things like the left and right arrow keys I can turn the turn signals on, and I can also lock and unlock doors via shift-A, shift-B, X and Y, and then lock them with the left shift. So that's what ICSim provides us, and this is actually all going out as CAN frames: a very realistic implementation of simulated CAN data. And so we can use can-utils now to start messing with and seeing this data. So I'm going to go into

the can-utils directory here, and we can run candump. candump just dumps everything on the wire, just dumps it out so you can see it. So this basically looks like a bunch of numbers; it's not telling us much. I can stop it and it's still not going to help, but again, we are not going to get information as to what frame correlates to what from the car manufacturers; it's our job to reverse engineer that. So another utility I like is called cansniffer. I can use the -c flag to colorize changes, and it's actually going to strip out all the frames that aren't actively changing, so I'm just looking at what's

changing. So I can run that on my vcan0, and I'll zoom out a little bit so it stops moving, but now we just get to see what's changing, live, in real time here. So now, this is a very primitive way to go about doing this, but what I'm going to do is start messing with the turn signals and seeing if I can identify what value is changing within these active frames here. So I'm going to turn the right turn signal on, and I won't have you guys look forever, but if you look right around here, by 188, we can see that this value is changing from 00 to 02. So I can filter out with cansniffer by hitting the minus sign and typing in six zeroes here; so now I've filtered out all of the CAN frames.

Now let's say I just want to look at the ones that are arbitration ID 100, so I can do +100, and then, okay, so I did +100 700; that's for the bit mask essentially, and since the arbitration ID is only 11 bits I could have done F00, but 700 works just fine. So I've masked out everything that's not a 100 arbitration ID, and so now I can zoom in a little bit more here, and hopefully you can see it better, my controls panel, but now you can see 188 switching between 0

and 2. If I do my left turn signal, it's now switching between 0 and 1. If I try to do them both at the same time, we can see it's going from 2 to 3, so clearly 3 indicates both at the same time, like your hazards; your 1 is your left and your 2 is your right. So it's a very elementary way of reverse engineering the frames, but we've learned that arbitration ID 188 refers to basically our turn signals, and so this is how we can get started building out essentially an Excel spreadsheet on what CAN frame does what. All right, so let me head back into the presentation here.

Okay, cool. All right, so we've already demoed this stuff. Okay, so candump is fast; we can't make a lot out of it, but even if your car's in park and it's not doing anything, a lot of stuff is actually still going on on that network, so you're going to see a lot of frames flying across. Again, we demonstrated that you can use cansniffer to see the differences in the frames, and so we were able to identify our arbitration ID and the data that controlled the different turn signals. So again, I talked about how this is proprietary information for the car manufacturers; you're likely not going to find this information just given out by

the manufacturer, but we can reverse engineer the information ourselves by doing actions on the car and then seeing the resulting information. Some people have contributed their own research online, so if you're looking to hack on a particular model I suggest looking it up, but again, this changes year to year, so it's kind of frustrating; you really would need to find something for your exact year and model. So this is pretty elementary, how we're going about reverse engineering this. This is a little bit of a better method, and I call it the binary search tactic. This involves essentially logging your CAN frames using candump and logging that into a file, and then

performing a specific action on the car, such as unlocking a door, and then you would stop logging. Now you perform essentially your binary search on this: you cut the log in half, you replay one side; if that half actually repeats the action, then you keep that half and throw the other half away; if not, then you try and replay the other half. And you keep cutting it down, cutting it down, cutting it down, until essentially you have one line left, and that's the frame that is controlling that action on the vehicle. And so it's kind of a surefire way of getting this information out. One thing to keep in mind, though, that I

learned through my research is that not everything is controlled via the CAN bus. So for example, an ECU may send information out onto the CAN bus but it might not actually control that hardware. For example, I figured that the CAN bus, or information sent on it, would control the windows going up and down; however, that's actually not the case. The ECU just sends out indicators that the window is in motion, but it doesn't actually control it, so that's one thing to keep in mind. Okay, so now I want to move into how we can actually do some real car hacking. So this is an example setup that I used, using a Raspberry Pi 3 for 35 bucks

and what's called a PiCAN 2 CAN interface. It's a shield that sits on top of the Pi and gives you a serial port, and then to hook up to your OBD-II or diagnostics port on the car you need to buy another cable. So it runs you just under, I think, 200, something like that, to get all that going. Yes, I have not done anything with Arduino, so I can't comment on that. But the other option, which I actually really do like, is a bit more... it's not as secure in terms of having an OBD-II plug, but there's something called the CANable. This is a kind of open-source board; it's very small. I think it's one

guy making the board, but anyway, it's only thirty bucks; you can purchase it, and then it's got hookups for your CAN high and low and then ground. And as you can see, those three wires are going into... it's cut off, oh no, it's kind of hard to see, but they're going into the OBD-II port on my vehicle. So I keep talking about the OBD-II port; what the heck is this thing? It's used for diagnostics. It's required on your car; if you've ever gone in for emissions testing, they're going to plug into your vehicle and then run diagnostics on that. So it is required in all vehicles. There are 16 pins on this; the ones that we

care about are always going to be standard: pins 6 and 14, which are CAN high and CAN low. There are other pins that are mandatory for each car, but there are also pins that the manufacturer can decide what they want to do with, so usually, again, that's proprietary. This provides access to what's called the gateway module, and what this does is essentially act as a router for all the CAN buses. But as we'll see, as I picked up on in my research and through reading research papers, some of these gateway modules actually have firewalls and they prevent what information can be sent on the bus. One way to get around this is to simply wire yourself up right behind the gateway module, but that does require

taking apart your car, and that's not something I wanted to do with my daily driver, the only car I have, so maybe for future research, as I mentioned. Okay, so this diagram, I can't verify the legitimacy of it; I literally found it on some forum, and I do not know where this guy got it from, but it at least shows an example of how a CAN bus, or CAN network, might be set up. The DLC here, the blue, is your data link connector, also known as the OBD-II port, and then you've got your gateway module that's basically acting as your router for all your different buses. So you can see HS, you can see MS; that stands for

medium speed and high speed. High speed is your more critical stuff, like braking, or what your RPM and speed are at; medium speed is more things like infotainment, and so different things that aren't as data- or speed-critical. So there are many different modules; for example, PCM stands for your powertrain control module, and PAM is your parking assist module, if you have your car equipped as such. Okay, so I went to my parents' place over break; they were thrilled to hear that I was going to be hacking their car. And so this is essentially how my setup works: I've got a little router here with the Pi, or a switch here, and then the

Pi's plugged in by the OBD-II cord, and then I've got my laptop plugged into the Pi. So not the most ideal setup; it's a bit of extra wiring, and that's why I recommend looking at the CANable, because it is nice to just be able to plug that directly into your computer. But I think I'll skip... let's see if I can open up this video. The video is not great; I really wish I would have taken more videos when I was down there. However, let's see if I can drag that over there. So you'll have to ignore the, come on, you'll have to ignore the annoying subtitle or information up there, but anyway, you can see I'm using cansend to

send a single frame onto the vehicle, and you can't hear it here; perhaps I could turn the volume up. Okay, that's fine. But anyway, it's demonstrating that just sending one frame can control the locks on the vehicle, and so that was me messing around with the Ford Edge. So I do have another video here; this was with a Ford Fusion. Let me try and play this here. Okay, so here I'm using cansend again, just within a bash script here, and it's sending out information for the tachometer to read values. So you'll see on the video, as soon as we get here, I think I run it and then the tachometer is going to

jump up and down, because I'm basically intercepting or writing over what it's currently reading, and then you can make the tachometer move. If I were to write at a higher speed it would stick at one level, so you could do all sorts of fun things with that on the CAN bus. Okay, so I can do stuff without touching the button, I can make dials move; that's not really that great, but I'm just testing the safe stuff with cars. It's been demonstrated that you can disable power steering by flooding the bus; the Jeep hackers demonstrated this, and you essentially no longer have power steering. You can kill the engine by sending a proper diagnostic message and

just basically shut the car off. You can bleed brakes, again, with diagnostic messages that are built into the vehicle, preventing a driver from stopping. On tractors they have system setups where they can inflate their tires; you can send messages to make the tires think they're under-inflated and make them explode, which is very expensive. And also remote steering, braking, accelerating have all been demonstrated to be attack surface, because those modules are built into the CAN bus for networking purposes. So some really cool resources that I definitely recommend if you want to get into this area: one is The Car Hacker's Handbook. This is actually available for free online, or you can buy it in print; that's

what I did. It's a nice book by No Starch, a really good read; it gives you a broad overview of the entire area of car hacking, so I definitely suggest reading that cover to cover. Next is Charlie Miller and Chris Valasek's, the Jeep hackers', research materials. They've got a website up; if you type "car hacking" it comes up pretty much at the top, but they've got really good research papers, and they've donated, or given out, all their code and information on how they were able to accomplish what they did. Next are links to the can-utils and ICSim repositories; again, if you don't have a car to start hacking on, you could do that on your laptop with these open-source

libraries. If you are not the command-line type of person, Kayak is actually a Java GUI, I believe it's Java, that lets you do a lot of the same things as can-utils, so definitely look into that if you prefer GUIs. And then finally, Open Garages is a community based around tuning engines but also car hacking; there are quite a few car hackers on there willing to share information and help each other out, so an awesome community there. And that is all I have for the talk. There are some of my sources, but yeah, so thank you very much. I can take any questions if there are any out there. Yeah?

Yep, so remote exploitation is something I want to keep exploring; definitely something for the future. I have looked into TPMS, which is the tire pressure monitoring system, in terms of being able to track vehicles via that. I've done a little bit of research into that; people have demonstrated that it is possible to actually uniquely identify vehicles by the signal that it sends, because the TPMS systems for your tire pressure are actually wireless, and so it's sending that information up into the wheel well, but if you get powerful enough antennas you can intercept that signal and uniquely identify a car. And so there's been some research done on that, but that's about all I've looked

into in terms of wireless-based. It's a frequency similar to Bluetooth, but it's usually not Bluetooth, I don't think. Yeah, sure.

Right, so the question was, can you essentially make permanent changes by the information sent onto the CAN bus? And so the answer to that is: the information sent on the CAN bus, you have your ECUs that are reading that information and doing something with it, but you're not executing code on, like, an engine control unit, for example. However, there has been research done that shows essentially, via diagnostic messages and sending information on the CAN bus, how you can overwrite or write code into those units, but that is very specific to that unit only, and I haven't looked too much into that myself. Right, so your individual units are just looking for

certain arbitration IDs that they care about, and just reading that information and doing something with it, but you're not sending code to execute or anything. So yeah, any other questions? Yes. Yeah, so the question was, have I thought about getting some different sort of car to work with? And so yeah, I would love to. I'm trying to graduate college and get that paid for; if anybody would like to donate something, I would love to mess with it. What's that? Yeah, I know, right, exactly. Yeah, just use this for the loan. But yeah, so I think in the future, though, if I continue down this avenue, I would

definitely love to get my hands on something. There have been people who build out essentially breadboards where they go to a junkyard and they pull out different ECUs and wire them up onto a CAN bus, essentially, and then practice hacking that way. So that's something I definitely want to look into: a little bit smaller scale, but more research opportunities there at a lower cost, I suppose. Yeah, maybe, so I'll often look into that for sure. It's definitely... I want to continue researching in this area, so I'll keep that in mind. Yeah, any other questions? Yes.

Yep, so a great question. The question was, can you use the OBD-II dongles with Bluetooth to send information onto the CAN bus? The answer is yes, and people have done it. This is something... so one thing I didn't mention during the presentation: we talked about arbitration IDs having priority. The arbitration ID number 000 has the highest priority of all the arbitration IDs, and so if you were to flood the bus with arbitration ID 000, it would depend on the car and the gateway module in terms of what the manufacturer is restricting; however, on some vehicles it has been shown that if you flood the bus with 000, the car actually

won't start, or if it is started and then you start flooding, you would have unexpected behavior. And so what you could do with that is have one of those modules have code on it; the Car Hacker's Handbook actually talks about this in terms of how you can write exploit code and then run it using one of those dongles, for example, have a timer, wait for the car to start or something, and then execute code to send CAN data out. You could disable somebody's car that way, potentially. So that's something my roommate and I actually want to look into this summer, trying to do, because

you could immobilize somebody's vehicle, potentially. So yep, absolutely. Any other questions? Yes.

Yes, right. Yeah, so I've read through it briefly; I don't understand fully, in detail, step by step how they did it, but it was a telematics unit similar to GM's OnStar, and so it was essentially exposing... they were able to enumerate thousands of vehicles that were vulnerable to this, but with the cellular modem they were able to get onto that and execute commands to then actually inject data onto the CAN bus, because the telematics unit is pulling information; it's wired directly onto the CAN bus and it's getting information to send out, for example if you were in a crash, or different information about, like with Progressive's Snapshot, how the car is working. And so it's wired

directly onto the CAN bus. I can't tell you all the specifics about it; I've just briefly gone over their information on it, but yeah. So essentially there was, I believe, a 3G modem on the telematics unit; they were able to scan and find these devices, and via some open ports they could then inject... and a lot of reverse engineering effort, to then finally inject CAN information onto the bus. So that's as much as I know about it. So yeah, it was the OEM for the Jeep, but it's not OnStar; I forget what exactly it's called. Yes, Uconnect, that's it. Yep, so yes, yeah.

Right, yes. So it's kind of sad, but I was doing a little bit of research for when you go and get your car tested for emissions. I don't know exactly what the people were doing, but there were plenty of people bragging online about how they were doing stuff to their vehicle that would obviously not pass emissions, but they were putting something, probably in front of the gateway module, just behind the OBD-II connector, to send out fake information so that it could pass, and apparently this was not all that difficult to do. Again, you're just splicing a node into the bus and then you would just be overriding whatever information the actual bus

is sending to that OBD-II port, and then they were passing their emissions tests when they shouldn't have been. Right, exactly. So, and that's why what I want to do in the future is wire myself behind that gateway module so that I can have unrestricted access to writing and reading from the bus. I believe you can read everything, but writing, I was having issues doing certain things with that, which I believe are because of the gateway module. Yeah, so yep. I'm sorry, what? All right, any other questions?

Yeah, um, career, potentially. I really like cars; I like the autonomous technology and how we're moving in that direction, so potentially moving towards that career-wise. I like the hands-on, physical aspect of it, but this is all, from what I've done here and the research that I've done, it's all personal, just on my own time. I was able to take an independent study class at Iowa State, and this is kind of how that kicked off, and then I've just been expanding on it ever since. So yeah, career potentially down the line, but right now this is just personal, for fun. So yep, absolutely. Cool, well, I think we're out of time,

we're getting there, so thank you very much, I appreciate you coming.
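The two reverse engineering techniques the talk walks through, the cansniffer-style "which bytes are changing" view with a +id/mask filter, and the binary search over a candump log, can be done offline against a saved log. The following is an added example written for this page; it is not code from the talk, ICSim or can-utils. The log lines are constructed (candump -l style "(timestamp) iface ID#DATA") to mimic the 188 turn-signal frame from the demo, the mask semantics are modelled on cansniffer's "+100 700" filter as described in the talk, and the `triggers` oracle stands in for replaying a chunk to the car and watching whether the action repeats.

```python
"""Offline cansniffer-style analysis and log bisection for candump logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample log in candump -l format. 0x188 byte 0 toggles 00/02 while a
# simulated right turn signal blinks, 0x244 carries a slowly increasing value in
# byte 4 (think of a speed-like signal), and 0x19B never changes.
SAMPLE_LOG = """\
(1557000000.000100) vcan0 19B#000000000000
(1557000000.000200) vcan0 244#000000012A00
(1557000000.000300) vcan0 188#00000000
(1557000000.100100) vcan0 19B#000000000000
(1557000000.100200) vcan0 244#000000012B00
(1557000000.100300) vcan0 188#02000000
(1557000000.200100) vcan0 19B#000000000000
(1557000000.200200) vcan0 244#000000012C00
(1557000000.200300) vcan0 188#00000000
(1557000000.300300) vcan0 188#02000000
"""


@dataclass(frozen=True)
class Frame:
    timestamp: float
    iface: str
    can_id: int
    data: bytes


def parse_candump_line(line: str) -> Frame:
    """Parse one candump log line such as '(1557000000.000300) vcan0 188#02000000'."""
    ts_part, iface, frame_part = line.split()
    can_id_hex, data_hex = frame_part.split("#", 1)
    return Frame(timestamp=float(ts_part.strip("()")), iface=iface,
                 can_id=int(can_id_hex, 16), data=bytes.fromhex(data_hex))


def parse_log(text: str) -> List[Frame]:
    return [parse_candump_line(l) for l in text.splitlines() if l.strip()]


def id_filter(can_id: int, mask: int) -> Callable[[Frame], bool]:
    """cansniffer-style '+<id><mask>' filter: keep frames whose ID matches under the mask.
    With id=0x100 and mask=0x700, as typed in the talk, this keeps IDs 0x100..0x1FF,
    which is why 0x188 still shows up after that filter."""
    return lambda f: (f.can_id & mask) == (can_id & mask)


def changing_bytes(frames: List[Frame]) -> Dict[int, Dict[int, Set[int]]]:
    """Per arbitration ID, map byte index -> distinct values seen, keeping only IDs and
    byte positions whose value changed at least once (what cansniffer highlights)."""
    seen: Dict[int, Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for f in frames:
        for i, b in enumerate(f.data):
            seen[f.can_id][i].add(b)
    return {cid: {i: vals for i, vals in byte_map.items() if len(vals) > 1}
            for cid, byte_map in seen.items()
            if any(len(v) > 1 for v in byte_map.values())}


def bisect_log(frames: List[Frame],
               triggers: Callable[[List[Frame]], bool]) -> List[Frame]:
    """The talk's 'binary search tactic': cut the log in half, keep the half that still
    reproduces the action, repeat until one frame is left. `triggers` is the oracle
    (replay-and-observe on a real setup; a constructed check in the test below)."""
    while len(frames) > 1:
        mid = len(frames) // 2
        first, second = frames[:mid], frames[mid:]
        if triggers(first):
            frames = first
        elif triggers(second):
            frames = second
        else:
            # Neither half alone reproduces it (multi-frame action): stop, don't guess.
            break
    return frames


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    in_range = [f for f in frames if id_filter(0x100, 0x700)(f)]
    for cid, bytes_seen in changing_bytes(in_range).items():
        print(f"ID {cid:03X}: changing bytes {bytes_seen}")
```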