Backdooring -- why and how!

1. Alexey Sintsov
@asintsov
alexey.sintsov@here.com
DEFCON RUSSIA DC#7812
BACKDOORING A CAR
AND OTHER HEADUNIT SECURITY THINGS

2. # Why we are interested?
Let’s do it…
• Navigation for cars
• Maps
• REST API services
• Traffic
• POI
• Even road angle degree
• And more
• RDS traffic data supplier
• Embedded software
• Middleware
• UI Clients
• … and more
• 3D maps for self driving cars

3. # Why security?
???
• How OUR software can impact on car security?
vs.
• How other components affect our security?

4. # Backdoor?
???
Backdoor – unauthorized remote access to car’s headunit or other components
It’s what you want to do after exploitation of any vulnerability…

5. # Backdoor for a car
• Find a reason why you need a backdoor
• Find a way how to deploy a backdoor
• Find a way how to get control

6. # Backdoor for a car
Reasons
• Monetization?
• CC/Banking -- LOW
• BT Mining -- LOW
• Botnet -- LOW
• Thief Auto -- ???
• Targeted attack
• Police/Gov -- HIGH (Legal Backdoor)
• Spying -- ???
• Killing(WTF?) ???
We do not know, HOW to use it and WHY we need it

7. # Backdoor for a car
Reasons
• Monetization?
• CC/Banking -- LOW
• BT Mining -- LOW
• Botnet -- LOW
• Thief Auto -- ???
• Targeted attack
• Police/Gov -- HIGH (Legal Backdoor)
• Spying -- ???
• Killing(WTF?) ???
We do not know, HOW to use it and WHY we need it

8. # Backdoor for a car
Reasons
Backdoor is unauthorized remote access to HeadUnit:
• You know where is you target
• You can control some elements:
• Light
• Radio
• Door locks
• Navigation routes
• For self driving cars…
• Other – depends of internal network design
- ABS, Engine, etc  Easy! Easy!
• CPU usage
• Privacy and valuable data

9. # Break in
Car Security eq IoT Security?

10. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

11. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
Internet services
security

12. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
… and even data/file format
Internet services
security
Client-side security

13. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
… and even data/file format
Internet services
security
Client-side security
Spoofing/injection/sniffing and fuzzing

14. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
Internet services
security
Client-side security
… and even data/file format
Spoofing/injection/sniffing and fuzzing
Also for LPE

15. # Car Security is like…
… MOBILE + SMART GRID/SCADA security

16. # Car Security is like…
… MOBILE + SMART GRID/SCADA security
… even with AppStore!

17. # Break in
Simple backdoor?
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

18. # Simple backdoor?

19. # Break in
Designed RA?
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

20. # Designed RA?

21. # BMW MiTM

22. # BMW MiTM

23. # BMW MiTM
Can we do the same without MiTM?
- No, we can’t…
© TRUE HARDCORE WHITE-HAT GUYS

24. # Automotive industry

25. # Automotive industry
Same story with
software… ;)

26. # More hacks…
Just use online search…

27. # Big world
One platform, different software…
• Windows
• QNX OS
• Linux
DEP? ASLR?

28. # With one rule them all…
WINDOWS
One platform, different software…

29. # With one rule them all…
HARMAN
One platform, different software…

30. # With one rule them all…
HARMAN
One platform, different software…
• ARM/Tegra
• QNX OS
DEP? ASLR?
Canaries?
- Yes and NO

31. # With one rule them all…
HARMAN

32. # HARMAN
Toyota

33. # Deploy a backdoor (as a binary)
Other vectors
• Vulnerabilities in software update mechanism
• Importing files from USB/SD
• Browser Client-Side RCE bugs
• Other components RCE bugs (RDS and etc)

34. # Deploy a backdoor (as a binary)
Tasks
• Penetration vector
• RCE bugs and etc
• Find a RW place on the HU
• Update services re-usage
• Bad mounted memory
• LPE bugs
• Find a way for auto-run
• How to change cron (or etc) jobs?
• DLL/SO Hijacking
• Find a way how to connect to C&C via Internet
• Local VPN configs/keys
• Route table
• Proxy settings

35. # Car WORM??
Is it possible?

36. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)

37. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)

38. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)

39. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)

40. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File
infection)

41. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File
infection)
Ahh… Comeon!

42. # LPE
Tasks
• Bugs in local service
• From user to root
• From HU to ECU
• Bugs in ECU
• Local services usage
• ECU control normal usage – sending commands
(like SomeIP)

43. # Hardening
Defense
• No RW places for backdoor
• Processes list and configs  control and integrity
• Encrypted storages (key chains) *
• Local network segmentation
• HU does not need access to some components
• Update mechanism/design for software (good example - BMW)
• 3rd party developers – need to know what they are doing*

44. # Security market
Defense
• IPS for CAN
• Trusted and hardened HU/OS
• Encryption for CAN/ECU/internal traffic
• IPS for internal wireless/network
• moarrr …
• AV for car?
….

45. # Future
Targets for future researches
• Remote exploits for Browser and car’s APPs
• Including attacks on ConnectedCar design/implementation
• …and Car2Car design and implementation… and etc
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits -from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
• Fake signs
• Radar/LIDAR data spoofing
• All possible mixes 8)

46. # Future
Targets for future researches
• Remote exploits for Browser and car’s APPs
• Including attacks on ConnectedCar design/implementation
• …and Car2Car design and implementation… and etc
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits -from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
• Fake signs
• Radar/LIDAR data spoofing
• All possible mixes 8)
And even more… it’s a BIG
area and a lot of things can
happened 8)

47. #FIN
alexey.sintsov@here.com @asintsov