
Complyify Car Hacking & Cyber Risk

Dallas CSNP - presented by Sean Bruton

Published in: Technology

  1. We help mid-sized companies measure and manage cybersecurity risk
  2. Car Hacking 101 No EE Edition
  3. OBD-II Diagnostics USB Optical Disc KES Bluetooth TPMS LTE WiFi
  4. CAN-L CAN-H
  5. 0V
  6. 9V
  7. 9V +9V = Binary 1 0V = Binary 0
  8. derp
  9. DIFFERENCE IN VOLTAGE MATTERS
  10. CAN BUS
      Advantages for embedded > ethernet
        • Simplicity
        • Reliability
        • Cost
      Disadvantages (opportunities to h4x0r)
        • Bus - all nodes get all traffic
        • Bus - common mode attacks
        • Bus - no network access control
  11. EVERYTHING I’M ABOUT TO DISCUSS IS POTENTIALLY LIFE THREATENING. DON’T MESS WITH 2-TON METAL MACHINES THAT CAN KILL YOU (i.e., please don’t sue me)
  12. CAN BUS GETTING STARTED KIT RECOMMENDATIONS
        • USB-CAN Style Adapter
        • Isolation ideal for automotive applications
        • Get OBD-II adapter, not a fixed OBD-II interface
        • Make sure it supports at least 1Mbps CAN
        • Make sure it supports SocketCAN (Linux)
        • Stay away from ELM327 chips
  13. SOFTWARE
        • Linux (VirtualBox works fine)
        • SocketCAN
        • CAN Utils
        • Wireshark
  14. GENERAL TECHNIQUE
        • Capture
        • Fiddle
        • Identify Sender
        • Decode packet
        • Test replay with virtual CAN interface
        • Send packets for real
  15. DEMONSTRATION
        • Already Done (not shown in demo):
            • Installing VirtualBox (or other VM host)
            • Installing Kali Linux (includes Wireshark, etc.)
            • Installing can-utils: apt install -y can-utils
            • Compiling SavvyCAN (see GitHub README)
  16. TRICKS & GOTCHAS
        • Sequence numbers in packets
        • Multi-sourced data agreement filters
        • Bus termination
        • CAN firewalls
        • Multiple CAN busses
        • Data recorders
  17. Resources
        • Car Hacking eBook: http://opengarages.org/handbook/ebook/
        • Car Hacking Edu / Events: https://www.carhackingvillage.com/
        • Community DBC Files: https://github.com/commaai/opendbc
        • SavvyCAN (not in vendor pkg mgmt): https://github.com/collin80/SavvyCAN
      Find Me
        • sean@comply.cloud
        • Twitter @seanbruton
        • complyify.com
      Now Hiring, Dallas or Austin
        • Security Product Manager
        • Security Assessor
        • Developers
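
The "sequence numbers in packets" gotcha from slide 16, as an added example that is not from the slides: it parses a can-utils `candump -l` style log, finds the byte that behaves as a rolling counter in a clean capture, and flags frames whose counter is out of sequence, which is how a replayed frame stands out to a receiver or a bus monitor. The log lines, arbitration IDs, payloads and the 4-bit counter layout are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed samples in candump -l format: (timestamp) interface ID#DATA.
# SUSPECT_LOG repeats an earlier 1A0 frame out of order.
BASELINE_LOG = """\
(1600000000.000000) vcan0 1A0#10112200
(1600000000.010000) vcan0 2B4#FF00
(1600000000.020000) vcan0 1A0#12112201
(1600000000.030000) vcan0 2B4#FF00
(1600000000.040000) vcan0 1A0#15112202
(1600000000.050000) vcan0 2B4#FF00
(1600000000.060000) vcan0 1A0#15112203
"""
SUSPECT_LOG = """\
(1600000001.000000) vcan0 1A0#10112204
(1600000001.020000) vcan0 1A0#12112205
(1600000001.040000) vcan0 1A0#15112206
(1600000001.050000) vcan0 1A0#12112205
(1600000001.060000) vcan0 1A0#15112207
"""
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)$")

def parse(log):
    """Return {arbitration_id: [(timestamp, payload_bytes), ...]} in log order."""
    frames = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines that are not classic data frames are skipped
            frames[int(m.group(2), 16)].append((float(m.group(1)), bytes.fromhex(m.group(3))))
    return frames

def counter_positions(payloads):
    """Byte indexes whose low nibble (assumed 4-bit counter) steps by 1 every frame."""
    if len(payloads) < 3:
        return []
    width = min(len(p) for p in payloads)
    return [i for i in range(width)
            if all(((b[i] - a[i]) & 0x0F) == 1 for a, b in zip(payloads, payloads[1:]))]

def out_of_sequence(payloads, pos):
    """Indexes of frames whose counter at byte `pos` is not the expected next value."""
    flagged, expected = [], None
    for n, p in enumerate(payloads):
        value = p[pos] & 0x0F
        if expected is not None and value != expected:
            flagged.append(n)  # stale or repeated counter; keep waiting for `expected`
            continue
        expected = (value + 1) & 0x0F
    return flagged
```

Learn the counter position from a clean capture with `counter_positions`, then run `out_of_sequence` over later traffic for the same arbitration ID.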