Backdooring a car

Backdooring -- why and how!

Published in: Automotive

  1. Alexey Sintsov @asintsov alexey.sintsov@here.com DEFCON RUSSIA DC#7812 BACKDOORING A CAR AND OTHER HEADUNIT SECURITY THINGS
  2. # Why are we interested? Let’s do it… • Navigation for cars • Maps • REST API services • Traffic • POI • Even road angle degree • And more • RDS traffic data supplier • Embedded software • Middleware • UI Clients • … and more • 3D maps for self driving cars
  3. # Why security? ??? • How can OUR software impact car security? vs. • How do other components affect our security?
  4. # Backdoor? ??? Backdoor – unauthorized remote access to a car’s headunit or other components. It’s what you want to do after exploitation of any vulnerability…
  5. # Backdoor for a car • Find a reason why you need a backdoor • Find a way to deploy a backdoor • Find a way to get control
  6. # Backdoor for a car: Reasons • Monetization? • CC/Banking -- LOW • BT Mining -- LOW • Botnet -- LOW • Auto theft -- ??? • Targeted attack • Police/Gov -- HIGH (Legal Backdoor) • Spying -- ??? • Killing (WTF?) ??? We do not know HOW to use it and WHY we need it
  7. # Backdoor for a car: Reasons • Monetization? • CC/Banking -- LOW • BT Mining -- LOW • Botnet -- LOW • Auto theft -- ??? • Targeted attack • Police/Gov -- HIGH (Legal Backdoor) • Spying -- ??? • Killing (WTF?) ??? We do not know HOW to use it and WHY we need it
  8. # Backdoor for a car: Reasons. Backdoor is unauthorized remote access to the HeadUnit: • You know where your target is • You can control some elements: • Light • Radio • Door locks • Navigation routes • For self driving cars… • Other – depends on internal network design - ABS, Engine, etc. Easy! Easy! • CPU usage • Privacy and valuable data
  9. # Break in: Car Security eq IoT Security?
  10. # Break in: Attack surface – I/O • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc
  11. # Break in: Attack surface – I/O • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc | Internet services security
  12. # Break in: Attack surface – I/O • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc | … and even data/file format | Internet services security | Client-side security
  13. # Break in: Attack surface – I/O • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc | … and even data/file format | Internet services security | Client-side security | Spoofing/injection/sniffing and fuzzing
  14. # Break in: Attack surface – I/O • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc | Internet services security | Client-side security | … and even data/file format | Spoofing/injection/sniffing and fuzzing | Also for LPE
  15. # Car Security is like… … MOBILE + SMART GRID/SCADA security
  16. # Car Security is like… … MOBILE + SMART GRID/SCADA security … even with AppStore!
  17. # Break in: Simple backdoor? • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc
  18. # Simple backdoor?
  19. # Break in: Designed RA? • Wireless components and ECUs • Long Radio: • GSM/UMTS • Radio/RDS • GPS • Short Radio: • WiFi/Bluetooth • TPMS • Keyless lock/start • Radars/Sensors/Cameras • HeadUnit • Software components • WEB Browser • MP3/etc • RDS • Applications/Connected Car services • etc • Service/diagnostic ports • Local I/O • CAN interfaces on HU • Ethernet • etc • etc
  20. # Designed RA?
  21. # BMW MiTM
  22. # BMW MiTM
  23. # BMW MiTM Can we do the same without MiTM? - No, we can’t… © TRUE HARDCORE WHITE-HAT GUYS
  24. # Automotive industry
  25. # Automotive industry Same story with software… ;)
  26. # More hacks… Just use online search…
  27. # Big world: One platform, different software… • Windows • QNX OS • Linux | DEP? ASLR?
  28. # One to rule them all… WINDOWS | One platform, different software…
  29. # One to rule them all… HARMAN | One platform, different software…
  30. # One to rule them all… HARMAN | One platform, different software… • ARM/Tegra • QNX OS | DEP? ASLR? Canaries? - Yes and NO
  31. # One to rule them all… HARMAN
  32. # HARMAN Toyota
  33. # Deploy a backdoor (as a binary): Other vectors • Vulnerabilities in software update mechanism • Importing files from USB/SD • Browser Client-Side RCE bugs • Other components' RCE bugs (RDS, etc.)
  34. # Deploy a backdoor (as a binary): Tasks • Penetration vector • RCE bugs, etc. • Find a RW place on the HU • Update services re-usage • Badly mounted memory • LPE bugs • Find a way for auto-run • How to change cron (etc.) jobs? • DLL/SO Hijacking • Find a way to connect to C&C via Internet • Local VPN configs/keys • Route table • Proxy settings
  35. # Car WORM?? Is it possible?
  36. # Car WORM?? Is it possible? • All HU in one network segment? (Worm)
  37. # Car WORM?? Is it possible? • All HU in one network segment? (Worm) • If you hack the Internet Proxy? (Spreading)
  38. # Car WORM?? Is it possible? • All HU in one network segment? (Worm) • If you hack the Internet Proxy? (Spreading) • If you hack ConnectedCar API Server? (Spreading)
  39. # Car WORM?? Is it possible? • All HU in one network segment? (Worm) • If you hack the Internet Proxy? (Spreading) • If you hack ConnectedCar API Server? (Spreading) • Car2Car, wireless (Worm)
  40. # Car WORM?? Is it possible? • All HU in one network segment? (Worm) • If you hack the Internet Proxy? (Spreading) • If you hack ConnectedCar API Server? (Spreading) • Car2Car, wireless (Worm) • Infected files for import? (File infection)
  41. # Car WORM?? Is it possible? • All HU in one network segment? (Worm) • If you hack the Internet Proxy? (Spreading) • If you hack ConnectedCar API Server? (Spreading) • Car2Car, wireless (Worm) • Infected files for import? (File infection) | Ahh… Come on!
  42. # LPE: Tasks • Bugs in local service • From user to root • From HU to ECU • Bugs in ECU • Local services usage • ECU control normal usage – sending commands (like SOME/IP)
  43. # Hardening: Defense • No RW places for backdoor • Process list and configs: control and integrity • Encrypted storage (key chains) * • Local network segmentation • HU does not need access to some components • Update mechanism/design for software (good example - BMW) • 3rd party developers – need to know what they are doing *
  44. # Security market: Defense • IPS for CAN • Trusted and hardened HU/OS • Encryption for CAN/ECU/internal traffic • IPS for internal wireless/network • moarrr … • AV for car? ….
  45. # Future: Targets for future research • Remote exploits for Browser and car’s APPs • Including attacks on ConnectedCar design/implementation • …and Car2Car design and implementation, etc. • Malware/Backdoor prototype and demo • File infection and file format exploits (USB/SD card) • Wireless radio exploits (short/long radio vectors) • LPE exploits (from HU to ECU, from ECU to HU, from user to root) • Self driving car spoofing and manipulation • Fake signs • Radar/LIDAR data spoofing • All possible mixes 8)
  46. # Future: Targets for future research • Remote exploits for Browser and car’s APPs • Including attacks on ConnectedCar design/implementation • …and Car2Car design and implementation, etc. • Malware/Backdoor prototype and demo • File infection and file format exploits (USB/SD card) • Wireless radio exploits (short/long radio vectors) • LPE exploits (from HU to ECU, from ECU to HU, from user to root) • Self driving car spoofing and manipulation • Fake signs • Radar/LIDAR data spoofing • All possible mixes 8) | And even more… it’s a BIG area and a lot of things can happen 8)
  47. #FIN alexey.sintsov@here.com @asintsov
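
The first hardening item on slide 43, "No RW places for backdoor", can be checked mechanically on a Linux-based head unit. The following is an added example, not code from the deck or its author: it parses a mount table in /proc/mounts format and flags writable mounts that still permit execution, setuid binaries or device nodes. The sample table, device names and mount points are constructed for illustration.

```python
# Added example (not from the deck): audit a mount table for writable
# locations where a dropped binary could persist and run.
# SAMPLE_MOUNTS is constructed; device names and paths are hypothetical.

SAMPLE_MOUNTS = """\
/dev/mmcblk0p1 / ext4 ro,relatime 0 0
/dev/mmcblk0p3 /var/update ext4 rw,relatime 0 0
/dev/mmcblk0p4 /data ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/usb vfat rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

# Kernel pseudo-filesystems are not persistent storage; skip them.
PSEUDO_FS = {"proc", "sysfs", "devpts", "cgroup", "cgroup2", "debugfs", "securityfs"}

def parse_mounts(text):
    """Yield (device, mountpoint, fstype, option_set) per /proc/mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as \040
        yield dev, mnt.replace("\\040", " "), fstype, set(opts.split(","))

def audit_mounts(text):
    """Return findings for mounts that are writable and lack hardening options."""
    findings = []
    for dev, mnt, fstype, opts in parse_mounts(text):
        if fstype in PSEUDO_FS or "ro" in opts:
            continue  # read-only mounts cannot hold a dropped binary
        missing = [o for o in ("noexec", "nosuid", "nodev") if o not in opts]
        if missing:
            # Writable and executable is the worst case: a file can be
            # written there and then run from the same place.
            sev = "high" if "noexec" in missing else "medium"
            findings.append({"mount": mnt, "device": dev,
                             "severity": sev, "missing": missing})
    return findings

if __name__ == "__main__":
    for f in audit_mounts(SAMPLE_MOUNTS):
        print(f"[{f['severity']}] {f['mount']} ({f['device']}) is rw, "
              f"missing: {','.join(f['missing'])}")
```

On a live Linux target the same function can be fed the contents of /proc/mounts; the update partition and /tmp in the sample are the two entries that would need `noexec` or a read-only remount.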