Car hacking is possible through several means:
- Gaining physical access to exploit vulnerabilities in components connected to the CAN bus, such as sensors or actuators.
- Attacking mobile apps that control car features if they do not implement proper security measures.
- Exploiting weaknesses in the backend infrastructure or APIs used to support connected car services and apps.
- Compromising the in-vehicle infotainment system if it has connectivity to the internet and CAN bus.
- Sending adversarial signals to fool advanced driver assistance systems.
- Intercepting wireless communication between key fobs and vehicles.
7. "If I am the CEO of General Motors, five years from now the last thing I want to see is an email in my inbox in the morning that says 'Pay me $2 billion or else all of your cars are going to turn left.'"
– Robert Bates, chief safety officer for automotive at Mentor, a Siemens Business
11. Domains
• Physical vulns
• Mobile Apps (car alarm/security, remote control, maintenance)
• Architectural
• Remote compromise via In-Vehicle Infotainment systems (IVI)
• ADAS
• Shaken, not stirred
12. Physical
• Jamming + stealing. Rule them all. (out of scope)
• Valuable parts are easily accessible
18. Physical. But clever
• Find something connected to the CAN bus
• Actuators with their own ECU (auto-folding wing mirrors)
• Sensors (radar, parking assist?, cameras?)
• Use workshop manuals
• Inject messages (impersonate ECUs, open doors)
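The defensive counterpart to the injection scenario above is to watch the bus for a second sender on an ID that only one ECU should transmit. The following is an added example, not part of the deck: a parser for candump-style log lines and a detector that flags frames on IDs absent from a learned baseline and frames on a periodic ID that arrive far sooner than the nominal period. The log lines, the baseline periods and the CAN IDs (0x1A0, 0x3F0) are constructed for illustration.

```python
import re
from collections import namedtuple

# Matches candump -L style lines: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

Frame = namedtuple("Frame", "ts iface can_id data")
Alert = namedtuple("Alert", "ts can_id kind detail")

# Constructed capture: 0x1A0 is a 100 ms periodic ID; two extra frames on it
# arrive 5 ms after the genuine ones, and 0x3F0 never appears in the baseline.
SAMPLE_LOG = """\
(1000.000) can0 1A0#0000
(1000.100) can0 1A0#0001
(1000.200) can0 1A0#0002
(1000.300) can0 1A0#0003
(1000.305) can0 1A0#FFFF
(1000.400) can0 1A0#0004
(1000.405) can0 1A0#FFFF
(1000.500) can0 1A0#0005
(1000.550) can0 3F0#0201
"""

# Constructed baseline: nominal transmit period per ID, learned from a clean drive.
BASELINE = {0x1A0: 0.100}


def parse_candump(text):
    """Parse candump -L output into Frame tuples; raises on malformed lines."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, iface, can_id, data = m.groups()
        frames.append(Frame(float(ts), iface, int(can_id, 16), bytes.fromhex(data)))
    return frames


def detect_injection(frames, baseline, min_ratio=0.5):
    """Flag frames whose ID is outside the baseline, and frames on a periodic ID
    that arrive sooner than min_ratio * nominal period after the previous one.
    A second transmitter on a known ID shows up as exactly this timing anomaly."""
    alerts = []
    last_seen = {}
    for f in frames:
        if f.can_id not in baseline:
            alerts.append(Alert(f.ts, f.can_id, "unknown_id", "ID absent from baseline"))
            continue
        prev = last_seen.get(f.can_id)
        if prev is not None:
            dt = f.ts - prev
            if dt < min_ratio * baseline[f.can_id]:
                alerts.append(Alert(f.ts, f.can_id, "timing",
                                    f"dt={dt:.3f}s below {min_ratio} x nominal"))
        last_seen[f.can_id] = f.ts
    return alerts


def run_demo():
    """Run the detector over the constructed capture and return its alerts."""
    return detect_injection(parse_candump(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:.3f} 0x{a.can_id:03X} {a.kind}: {a.detail}")
```

The timing rule is deliberately loose (half the nominal period) so that normal jitter does not trigger it; a production IDS would learn the period and its variance per ID rather than take a fixed table.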
20. Mobile Apps
– Yes, suddenly you may need them to drive your car ¯\_(ツ)_/¯
21. "Security researcher Samy Kamkar showed in 2015 that he could use a small piece of hardware hidden on a car to wirelessly intercept credentials from iOS apps like GM's OnStar, Chrysler's UConnect, Mercedes-Benz mbrace, and BMW's Remote. Kamkar's attack similarly allowed him to remotely locate those cars, unlock them, and in some cases start their ignitions."
– Wired, 2015
23. "An analysis of the APIs used by the Pandora and Viper mobile apps revealed that they were affected by insecure direct object reference (IDOR) vulnerabilities."
– Researchers at UK-based penetration testing and cybersecurity firm PenTestPartners, 2019
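An IDOR of the kind quoted above comes from a backend that uses the vehicle id in the request as the lookup key without checking that the session user owns that vehicle. The following is an added example, not code from the deck or from the vendors named on this slide: a vulnerable lookup beside its hardened form, with a constructed two-customer backend state.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the session user is not authorised for the requested object."""


@dataclass
class Vehicle:
    vehicle_id: int
    owner: str
    location: tuple  # (lat, lon)


# Constructed backend state: two customers, one vehicle each.
VEHICLES = {
    101: Vehicle(101, "alice", (52.37, 4.90)),
    102: Vehicle(102, "bob", (48.86, 2.35)),
}


def get_location_idor(session_user: str, vehicle_id: int) -> tuple:
    """Vulnerable pattern: the id supplied by the client is used directly as the
    key, so any authenticated user who changes the id reads another customer's car."""
    return VEHICLES[vehicle_id].location


def get_location_checked(session_user: str, vehicle_id: int) -> tuple:
    """Hardened: resolve the object, then verify ownership before returning it.
    'Not found' and 'not yours' produce the same error so ids cannot be enumerated."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not access vehicle {vehicle_id}")
    return v.location


def list_my_vehicles(session_user: str) -> list:
    """Preferred shape for collection endpoints: scope the query by the session
    user instead of accepting ids from the client at all."""
    return sorted(v.vehicle_id for v in VEHICLES.values() if v.owner == session_user)


if __name__ == "__main__":
    print("IDOR leak:", get_location_idor("alice", 102))
    print("alice's own car:", get_location_checked("alice", 101))
    try:
        get_location_checked("alice", 102)
    except Forbidden as e:
        print("blocked:", e)
```

The same ownership check belongs on every object-addressing endpoint (location, unlock, remote start), not only on reads; a remote-start command that takes a raw vehicle id is the same bug with worse consequences.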
24. OBD dongles with Bluetooth connectivity, a default PIN, and the ability to send custom CAN frames
– Marcus Aurelius, 150 AD
30. Immo, $ecurityAccess
• Weak challenge-response
• JTAG left enabled
• Secrets stored in unencrypted Flash/ROM (because there is no other option)
• IDA, Ghidra, radare
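To show what "weak challenge-response" should be replaced with, here is an added example (not from the deck, and not any vendor's implementation) of a UDS-style SecurityAccess seed/key gate: the seed is a fresh random challenge, the key is a keyed MAC over that seed rather than a fixed arithmetic transform of it, each seed is one-shot, comparison is constant-time, and repeated failures lock the ECU. The per-ECU secret, the 16-byte seed length and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import secrets


class SecurityAccessEcu:
    """Seed/key gate in the style of UDS service 0x27 SecurityAccess."""
    MAX_FAILURES = 3

    def __init__(self, ecu_secret: bytes):
        self._secret = ecu_secret        # must be unique per ECU unit, never a fleet-wide constant
        self._pending_seed = None
        self._failures = 0
        self.locked = False
        self.unlocked = False

    def request_seed(self) -> bytes:
        """Hand out a fresh, unpredictable challenge; refuse while locked."""
        if self.locked:
            raise PermissionError("ECU locked after repeated SecurityAccess failures")
        self._pending_seed = secrets.token_bytes(16)
        return self._pending_seed

    def send_key(self, key_response: bytes) -> bool:
        """Verify the tester's key for the outstanding seed. The seed is consumed
        whether or not the check passes, so a captured seed/key pair cannot be replayed."""
        if self.locked or self._pending_seed is None:
            return False
        expected = hmac.new(self._secret, self._pending_seed, hashlib.sha256).digest()
        self._pending_seed = None
        if hmac.compare_digest(expected, key_response):
            self.unlocked = True
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def compute_key(secret: bytes, seed: bytes) -> bytes:
    """Tester side: the same keyed MAC, computed with the legitimately held secret."""
    return hmac.new(secret, seed, hashlib.sha256).digest()


def run_demo():
    """Returns (legit_accepted, replayed_key_accepted, ecu_locked_after_failures)."""
    secret = bytes(range(32))  # constructed secret for the demo
    ecu = SecurityAccessEcu(secret)
    seed = ecu.request_seed()
    legit = ecu.send_key(compute_key(secret, seed))

    # Replaying the key from the earlier session against a new seed must fail.
    ecu_b = SecurityAccessEcu(secret)
    ecu_b.request_seed()
    replay = ecu_b.send_key(compute_key(secret, seed))

    # Further wrong keys reach the failure threshold and lock the ECU.
    for _ in range(SecurityAccessEcu.MAX_FAILURES - 1):
        ecu_b.request_seed()
        ecu_b.send_key(b"\x00" * 32)
    return legit, replay, ecu_b.locked


if __name__ == "__main__":
    print(run_demo())
```

The MAC-based derivation only helps if the secret is per-unit and protected; with a fleet-wide constant in unencrypted flash (the third bullet above) the scheme is as good as the weakest ECU anyone has dumped.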
32. RF hub in trusted zone
• Weak encryption (Tesla's key fob with a 40-bit cipher, found by the KU Leuven team in the summer of 2017)
• Weak PRNG
• Jamming the signal
• Relay
• Replay rolling codes
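Rolling-code replay, the last bullet above, is defeated on the receiver side by tracking the last accepted counter and only accepting authenticated packets whose counter lies in a bounded window beyond it. The following is an added example, not code from the deck or from any fob vendor: a fob that emits (device id, counter, button) with a keyed MAC, and a receiver that rejects replays, out-of-window counters and tampered packets. Real fobs encrypt the counter rather than MAC it, so the packet format, the 16-press window and the shared key here are assumptions.

```python
import hashlib
import hmac
import struct

BODY_FMT = ">IIB"       # device_id, counter, button
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 8


def encode_packet(device_id: int, counter: int, button: int, key: bytes) -> bytes:
    """Fob transmission: counter-bearing body plus a truncated keyed MAC."""
    body = struct.pack(BODY_FMT, device_id, counter, button)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Fob:
    def __init__(self, device_id: int, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def press(self, button: int = 1) -> bytes:
        self.counter += 1           # monotonic, never reused
        return encode_packet(self.device_id, self.counter, button, self.key)


class Receiver:
    WINDOW = 16                     # presses out of range that may be skipped

    def __init__(self, keys: dict):
        self.keys = keys            # device_id -> shared key (paired at manufacture)
        self.last_counter = {}

    def accept(self, packet: bytes) -> bool:
        if len(packet) != BODY_LEN + TAG_LEN:
            return False
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        device_id, counter, _button = struct.unpack(BODY_FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False            # forged or corrupted
        last = self.last_counter.get(device_id, 0)
        if not (last < counter <= last + self.WINDOW):
            return False            # replay (<= last) or too far ahead (needs resync)
        self.last_counter[device_id] = counter
        return True


def run_demo():
    """Exercise the receiver; returns the accept/reject outcome of each step."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed pairing key
    fob, rx = Fob(0x2A, key), Receiver({0x2A: key})
    results = []
    p1 = fob.press()
    results.append(rx.accept(p1))                 # fresh press: accepted
    p2 = fob.press()
    results.append(rx.accept(p2))                 # next press: accepted
    results.append(rx.accept(p2))                 # replay of p2: rejected
    results.append(rx.accept(p1))                 # older capture: rejected
    for _ in range(5):
        fob.press()                               # presses out of range, never heard
    results.append(rx.accept(fob.press()))        # counter 8, within window: accepted
    for _ in range(Receiver.WINDOW):
        fob.press()                               # too many lost presses
    results.append(rx.accept(fob.press()))        # counter 25 > 8 + 16: rejected
    tampered = bytearray(p1)
    tampered[-1] ^= 0x01
    results.append(rx.accept(bytes(tampered)))    # bad MAC: rejected
    return results


if __name__ == "__main__":
    print(run_demo())
```

The window handles a fob pressed out of range; a counter beyond it should trigger an explicit resynchronisation step (two consecutive presses, for instance) rather than a wider window, because every extra accepted counter is one more captured packet an attacker could hold back and use later.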
33. Key fob hack to unlock 100 million VAG cars (2016)
• With only four unique cryptographic keys used by most of the 100M cars, millions and millions of cars are exposed once an attacker recovers one of the four keys.
• The research, led by Flavio Garcia and David Oswald, also covers the vulnerability of cars from other automakers. Millions of vehicles from Ford, Nissan, Mitsubishi, Chevrolet, and other marques are vulnerable to a similar attack using a home-made device (a $30 SDR).
34. Dale "Woody" Wooden could unlock a Ford vehicle, interfere with its onboard computer systems, and even start its engine.
The vulnerability affects the key fobs of 2019 Ford F-150 Raptors and 2019 Ford Mustangs, which use a radio frequency in the lower 900MHz spectrum, and the key fobs of at least one slightly older model, the 2017 Ford Expedition, which uses 315MHz.
– https://the-parallax.com/2019/05/03/hacker-ford-key-fob-vulnerability/ May 2019
37. In-Vehicle Infotainment system
• Browser -> RCE -> CAN bus
• Service listening on 0.0.0.0:PORT -> RCE -> CAN bus
• Tesla Model 3 (Mar 2019, Pwn2Own)
• VAG: Golf GTE, Audi A3 Sportback (2018)
• FCA: Jeep Grand Cherokee (2014)
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/
38. Tesla… we need to talk
– https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf
39. Designed by Tesla (2016-2017)
• Old QtWebKit
• Linux kernel 2.6.36 with known vulnerabilities
• Backdoors, hardcoded passwords (for diagnostic purposes, obviously)
• SGW boot.img without signing or integrity checks
https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf