THE INFAMOUS CAR HACKING TALK
AKA INTRO TO CAR HACKING
SPONSORED BY MACCHINA
WHOAMI
• Zach Zaffis. Most of you know me; if not, hi, I’m Zach
• President of SecIC
• Works for ProCircular doing security things
• Has a friend named Will (@WillCaruana) who’s an “alcohol fueled high voltage wizard”
• Who has spurred my cybering hardcore and should be an inspiration to us all
• I am by no means a car hacking expert, despite anything you have heard. Seriously,
Depaepe and I sat down at a table at GrrCon last year and bashed our heads against
this shit writing shell scripts and whatnot till we won second place. If we can do it you can
do it! And here’s how!
@ZuluAlphaFoxTwo
WHAT IS CAR HACKING?
IT’S KINDA LIKE OTHER HACKING, BUT WITH CARS…
SO WHERE TO START
THERE ARE MULTIPLE PROTOCOLS GOING ON IN THE CAR AT ANY GIVEN TIME
A GOOD PLACE TO START IS THE CANBUS
THE CAN BUS
SO WHAT IS CAN?
CAN (Controller Area Network) is a simple broadcast bus protocol used in industrial automation and throughout the automobile industry.
Modern vehicles are full of small embedded systems and electronic control units (ECUs)
that talk to each other over CAN. Every node on a bus segment sees every frame, and a frame carries
no sender address and no authentication, which is exactly why the techniques below work.
HOW IT WORKS
Notes:
CAN runs on two wires: CAN high (CANH) and CAN low (CANL). CAN uses differential signaling:
both lines sit at about 2.5 V when the bus is idle (recessive, logical 1). To send a dominant bit (logical 0)
a node raises CANH and lowers CANL by roughly equal amounts, and receivers read the difference between the
two lines rather than either voltage alone, which is what makes the bus tolerant of electrical noise.
Any node can drive a dominant bit, so nothing in the hardware decides who is allowed to talk.
CAN PACKET LAYOUT
Notes:
Arb IDs run from 000 to 7FF (11 bits) on standard frames; the lower the ID, the higher the priority when two nodes transmit at once.
Data is shown as hex bytes: a one-byte payload is 00, two bytes is 00 00, and the maximum for a classic CAN frame
is 8 bytes, so a full frame shows 16 hex digits: 00 00 00 00 00 00 00 00
The length field (DLC) in the frame says how many of those bytes are real.
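Added example, not from the slides or from can-utils: a small Python encoder/decoder for classic CAN frames in the two forms this deck uses, the cansend/candump text notation (id#data) and the 16-byte struct can_frame that SocketCAN reads and writes on a CAN_RAW socket. It enforces the limits described above (11-bit IDs up to 7FF, or 29-bit IDs written with 8 hex digits, and at most 8 data bytes). The IDs used in the comments and demo are constructed, not ICSim's, and the send() helper is the only part that needs a real or virtual CAN interface.

```python
"""Added example, not from the slides or from can-utils: classic CAN frames in the
two forms the deck uses.
  * cansend / candump text form, e.g. "3A1#FFFF" (11-bit ID) or "1ABCDEF0#DEADBEEF"
    (29-bit extended ID, written with 8 hex digits)
  * the 16-byte struct can_frame from <linux/can.h> that SocketCAN reads and writes:
    u32 can_id (flags in the top bits), u8 dlc, 3 padding bytes, 8 data bytes
All IDs below are constructed for the demo; ICSim's real IDs depend on its seed.
"""
import re
import struct
from dataclasses import dataclass

CAN_EFF_FLAG = 0x80000000   # "extended frame format" bit in can_id
CAN_SFF_MASK = 0x000007FF   # 11-bit standard ID range 000..7FF
CAN_EFF_MASK = 0x1FFFFFFF   # 29-bit extended ID range
CAN_MAX_DLEN = 8            # classic CAN: at most 8 data bytes per frame
CAN_FRAME_FMT = "=IB3x8s"   # can_id, dlc, pad[3], data[8] -> 16 bytes
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)

_CANSEND = re.compile(r"([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)")


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes
    extended: bool = False

    def __post_init__(self):
        limit = CAN_EFF_MASK if self.extended else CAN_SFF_MASK
        if not 0 <= self.arb_id <= limit:
            raise ValueError(f"arb id {self.arb_id:#x} exceeds {limit:#x}")
        if len(self.data) > CAN_MAX_DLEN:
            raise ValueError("classic CAN carries at most 8 data bytes")

    @classmethod
    def from_cansend(cls, text: str) -> "CanFrame":
        """Parse "id#data" exactly as cansend takes it (3 hex digits = standard,
        8 hex digits = extended; data is whole bytes, 0 to 8 of them)."""
        m = _CANSEND.fullmatch(text.strip())
        if not m or len(m.group(2)) % 2:
            raise ValueError(f"not a cansend-style frame: {text!r}")
        id_hex, data_hex = m.groups()
        return cls(int(id_hex, 16), bytes.fromhex(data_hex), extended=len(id_hex) == 8)

    def to_cansend(self) -> str:
        width = 8 if self.extended else 3
        return f"{self.arb_id:0{width}X}#{self.data.hex().upper()}"

    def pack(self) -> bytes:
        """Serialise as struct can_frame: data is zero-padded to 8 bytes and the
        dlc field records how many of those bytes are real."""
        can_id = self.arb_id | (CAN_EFF_FLAG if self.extended else 0)
        return struct.pack(CAN_FRAME_FMT, can_id, len(self.data), self.data.ljust(8, b"\0"))

    @classmethod
    def unpack(cls, raw: bytes) -> "CanFrame":
        if len(raw) != CAN_FRAME_SIZE:
            raise ValueError(f"expected a {CAN_FRAME_SIZE}-byte can_frame, got {len(raw)}")
        can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
        if dlc > CAN_MAX_DLEN:
            raise ValueError("dlc > 8 is not a classic CAN frame")
        ext = bool(can_id & CAN_EFF_FLAG)
        return cls(can_id & (CAN_EFF_MASK if ext else CAN_SFF_MASK), data[:dlc], ext)


def send(iface: str, frame: CanFrame) -> None:
    """Write one frame to a SocketCAN interface such as the vcan0 the setup
    script creates. Needs Linux and the interface; not exercised offline."""
    import socket
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as sock:
        sock.bind((iface,))
        sock.send(frame.pack())


if __name__ == "__main__":
    f = CanFrame.from_cansend("3A1#FFFF")   # the same text you would hand to cansend
    print(f.to_cansend(), f.pack().hex())
    print(CanFrame.unpack(f.pack()) == f)
```

The parse step rejects what cansend would reject (an ID above 7FF written with three digits, an odd number of hex digits, more than eight data bytes), so it doubles as a sanity check on hand-typed frames before they go on a real bus.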
TYPES OF CAN FRAMES
• Extended frames (29-bit arbitration IDs instead of 11-bit)
• The ISO-TP protocol (ISO 15765-2; carries diagnostics and other payloads longer than 8 bytes over CAN)
• The CANopen protocol
• The GMLAN bus
• The SAE J1850 protocol
• The PWM variant
• The VPW variant
Notes:
Extended frames, ISO-TP, CANopen and GMLAN all ride on top of CAN: the CAN bus is just a carrier for higher-level protocols.
SAE J1850 (PWM on Fords, VPW on GM vehicles of that era) is a separate, older OBD-II bus rather than something layered on CAN;
it is listed here because you will meet it on the same diagnostic port.
We won’t be digging into any of these till later sessions.
There are also many more than this list.
RIGHT SO LETS CONNECT!
• I advise starting in the virtual realm (a simulator) before touching a real car.
OPEN THE VM!
• If you are following along, here are the VM specifics.
• (Adjust the cores down to one. Sorry, I fixed the RAM but missed the CPU count before packing it up.)
• U: carhacking
• P: hackingcar
• Open a terminal
WHAT ARE WE USING?
• SocketCAN (with can-utils)
• The Linux kernel’s CAN networking stack and drivers, contributed by Volkswagen
Research and formerly known as the Low Level CAN Framework (LLCF). can-utils is the userland tool set
(candump, cangen, canplayer, cansend) built on top of it.
• ICSim
• Instrument Cluster Simulator: a virtual dashboard by Craig Smith (zombieCraig) of OpenGarages, from
about four years ago or so.
LETS GET INTO IT
• cd into the ICSim folder on the desktop
• Run the setup_vcan script in that folder (with sudo!)
• The script loads the vcan kernel module and brings up a virtual CAN interface; nothing you send on it reaches real hardware
• Run ifconfig (or ip link)
• You should see a vcan0 interface
• Good to start the sim
LET’S BUILD A CLUSTER
• Run the icsim program (./icsim [options] [interface])
• -r randomizes the arb IDs, -s <seed> sets the seed the randomization uses, -d turns on debug output
• No random for this round; let’s learn together:
./icsim -s 0 vcan0
• Now let’s open up terminator
• A single-pane, multi-terminal emulator, so candump, cangen and the cluster can all be on screen at once
YOU NOW HAVE A VIRTUAL CAR!
• So now lets hack!
• From here it’s basically a mix of RE and traffic sniffing.
WHAT YOU’LL USE
• candump
• Prints every frame on the bus, and with -l logs them to a file
• cangen
• Generates CAN frames from the options you give it (fixed or random IDs and data)
• canplayer
• Replays candump log files onto the bus
• cansend
• Sends one hand-built frame (used once we have an arb ID)
CANDUMP
• candump -l vcan0 to log to a file (that’s a lowercase ‘L’; it writes candump-<date>.log in the current directory)
• candump -c -c vcan0 in another window to watch live traffic (each -c adds more colour)
• There is none till we start sending, because we are cheating: only our own tools are on vcan0. A real bus never looks like this.
CANGEN [OPTIONS] [INTERFACE]
• The basic RE approach here is to fuzz from the bottom of the ID space to the top and watch the cluster.
• -I
• ID/arb ID generation mode
• -I r for random (good for fuzzing or making the cluster dance and sing)
• -I i for increment: starts at 000 and counts up through 7FF
• -g <ms> delay between frames in milliseconds
• -D
• Data to send: -D r for random, or a fixed hex string
• -L
• Length (DLC) of the frames sent, 0 to 8 bytes
• Without it cangen uses the default length (8) and pads your data out
SO LETS LOOK AT A BASIC START
• cangen -I i -D FFFF -L 2 -g 20 vcan0
• This walks the whole standard ID space, sending 000#FFFF, 001#FFFF and so on up to 7FF#FFFF, one frame every 20 ms (the full sweep takes about 40 seconds)
• Now watch the cluster for a change (a needle moving, a door opening, a blinker)
• When we see a change, stop candump, and then the fun begins.
GOT SOMETHING!
• Once you have a change on the icsim virtual cluster, stop the dump and stop cangen
• Run cangen -I i -D 0000 -L 2 -g 5 vcan0 (capital -D: it is the data option)
• This ‘clears the board’ and usually resets the change. The alternative is to stop icsim
and restart it with the same seed number
• Open the candump log in gedit (if you have a mouse) or any editor, and use the rule of 50% to
start the RE
RULE OF 50%
• The rule of 50% is: take any problem, find a logical middle point, then cut it in half from there.
• Is the issue external or internal? Cut there and test. Is it system or user level? Cut
there and test. So on and so forth.
• A general engineering technique for problem solving.
• Here we look at the line count of the log and cut (yes, cut) about half the lines off.
• Select about half, Ctrl+X (so the cut lines stay on the clipboard), then Ctrl+S to save
CAN PLAYER TO THE RECUE!
• So now we play the file back with canplayer.
• canplayer -I <candump-xxxx.log> vcan0=vcan0 (capital -I is the input file; vcan0=vcan0 maps the interface named in the log to the one to send on)
• Run it and watch the icsim cluster: if the change happens again, the arb ID lives in the
packets still in the file.
• If it doesn’t change, go back into the file, select all, paste the clipboard contents over it (restoring the other half),
save and run canplayer again.
• Repeat this until you have whittled the log down to the single arb ID (about eleven rounds
for a full 2048-frame sweep).
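Added example, not from the slides or from can-utils: the cangen sweep from the CANGEN slides and the rule-of-50% bisection with canplayer, done offline in Python so the whole loop can be seen end to end and tested without a vcan interface. The log lines use candump -l’s real format (the one canplayer replays), but the log is generated rather than captured; FakeCluster is a stand-in for icsim that reacts when its trigger IDs are replayed; and 0x3A1, 0x100 and 0x700 are made-up IDs, not ICSim’s. It also goes one step beyond the slides: when neither half of the log reproduces the change on its own (the effect needs two frames together), it falls back to a simplified ddmin reduction instead of giving up.

```python
"""Added example, not from the slides or from can-utils: the cangen ID sweep and
the "rule of 50%" log bisection done offline in Python, so the procedure can be
reasoned about and tested without a vcan interface or icsim.

Constructed / assumed parts:
  * log lines use candump -l's real "(timestamp) iface id#data" form, which
    canplayer replays, but the log is generated here, not captured;
  * FakeCluster stands in for icsim: it "reacts" only when every ID in its
    trigger set is present in the replayed frames; 0x3A1, 0x100 and 0x700 are
    made-up IDs, not ICSim's (those depend on the seed).
"""
import re
from typing import Callable, List, Tuple

Frame = Tuple[int, bytes]               # (arb id, data bytes)
Replay = Callable[[List[Frame]], bool]  # "did the cluster change after replaying these?"

LOG_LINE = re.compile(
    r"\((?P<ts>[0-9.]+)\) (?P<iface>\S+) (?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")


def cangen_sweep(iface: str, data_hex: str, gap_ms: int) -> List[str]:
    """One pass of `cangen -I i -D <data> -L <len> -g <gap_ms> <iface>` over the
    11-bit ID space (000..7FF), rendered as the log lines candump -l would save."""
    return [f"({n * gap_ms / 1000:.6f}) {iface} {arb_id:03X}#{data_hex.upper()}"
            for n, arb_id in enumerate(range(0x000, 0x800))]


def parse_log(lines: List[str]) -> List[Frame]:
    frames = []
    for line in lines:
        m = LOG_LINE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a candump log line: {line!r}")
        frames.append((int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


class FakeCluster:
    """Stand-in for icsim + canplayer: counts replays and reports a 'change'
    when all of its trigger IDs were in the replayed set."""
    def __init__(self, *trigger_ids: int):
        self.trigger_ids = set(trigger_ids)
        self.replays = 0

    def canplayer(self, frames: List[Frame]) -> bool:
        self.replays += 1
        return self.trigger_ids <= {arb_id for arb_id, _ in frames}


def minimize(frames: List[Frame], replay: Replay) -> List[Frame]:
    """Fallback when neither half alone reproduces the change (the effect needs
    two or more frames): a simplified ddmin that drops chunks of the log as long
    as the remainder still triggers, shrinking the chunk size as drops fail."""
    n = 2
    while len(frames) >= 2:
        chunk = max(1, len(frames) // n)
        reduced, i = False, 0
        while i < len(frames):
            candidate = frames[:i] + frames[i + chunk:]
            if candidate and replay(candidate):
                frames, reduced, n = candidate, True, max(n - 1, 2)
            else:
                i += chunk
        if not reduced:
            if chunk == 1:
                break              # every single frame left is needed
            n = min(n * 2, len(frames))
    return frames


def bisect_log(frames: List[Frame], replay: Replay):
    """Rule of 50%: replay half the log; keep whichever half still moves the
    gauge and halve again, down to a single frame. Returns None when the full
    log never triggers (bad capture), otherwise the minimal triggering frames."""
    if not replay(frames):
        return None
    while len(frames) > 1:
        mid = len(frames) // 2
        if replay(frames[:mid]):
            frames = frames[:mid]
        elif replay(frames[mid:]):
            frames = frames[mid:]
        else:
            return minimize(frames, replay)
    return frames


def find_arb_ids(log_lines: List[str], replay: Replay):
    hit = bisect_log(parse_log(log_lines), replay)
    return None if hit is None else sorted({arb_id for arb_id, _ in hit})


if __name__ == "__main__":
    cluster = FakeCluster(0x3A1)
    ids = find_arb_ids(cangen_sweep("vcan0", "FFFF", gap_ms=20), cluster.canplayer)
    print(f"arb id(s) {[f'{i:03X}' for i in ids]} found after {cluster.replays} replays")
```

For a single trigger frame the bisection costs at most 1 + 2 × 11 replays on a 2048-frame sweep, the same number of canplayer runs as the manual Ctrl+X/Ctrl+S loop; the ddmin fallback needs more, which is why the slides’ one-ID case is the one to try first.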
ARB ID OBTAINED!
• So with that arb ID we can now try and manipulate further.
• Use cansend to vary the data bytes as you please and see what other values do
• cansend vcan0 <arb id>#<data>
• Try something like, just a single set of FF’s
• Now try 01
• Now 11
• Now 02
• Now a0
• Go nuts
SO THERE YOU GO THE UTMOST BASICS!
• Lets add a little realism to it now.
• A real CAN bus is NEVER this quiet; there is constant background traffic to sift through.
• ICSim comes with a controls program that emulates that traffic as well. It’s an awesome tool!
CONTROLS ABOUND
controls [options] [can interface]
./controls -s 0 -l 0 vcan0
• -s 0 is the same seed you gave icsim, so both sides agree on the arb IDs; -l is the difficulty level (0 is the easiest)
THIS IS MORE LIKE IT!
• The controller window it brings up lets you drive parts of the car (speed, doors, turn signals) from the keyboard, and the matching frames hit the bus alongside the background traffic
• Capture, RE and replay: all the same idea, just with far more traffic to sift through.
SO THAT’S WHERE I’LL LEAVE YOU
• There will be more car hacking talks to come! (lots)
• The 201 is all about how to connect up to an actual car!
RESOURCES
• Macchina.cc
• Great forums with plenty of help
• Carhackingvillage.com
• Has the Car Hacker’s Handbook available and other good resources (the handbook is also on the OVF that
accompanies these slides)
• https://github.com/zombieCraig/ICSim
• Icsim github page

Car hacking 101 rev2
