Car hacking is possible through several means: - Gaining physical access to exploit vulnerabilities in components connected to the CAN bus, such as sensors or actuators. - Attacking mobile apps that control car features if they do not implement proper security measures. - Exploiting weaknesses in the backend infrastructure or APIs used to support connected car services and apps. - Compromising the in-vehicle infotainment system if it has connectivity to the internet and CAN bus. - Sending adversarial signals to fool advanced driver assistance systems. - Intercepting wireless communication between key fobs and vehicles.

1. Car Hacking: Yes, you can do that!
Andrey Voloshin
CTO @ Théa
Alexander Olenyev
Hardware Engineer @ Théa

2. https://techmaker.ua
info@techmaker.ua
https://fb.com/techmaker.ua
@techmakerua
Andrey Voloshin
twitter: @anvolhex
telegram: @anvol

4. Safety
• Eat
• Move (vehicles are here)
• Rave
• Sleep
• Repeat :)

5. Why you should care
• Better place to live
• $$$
• Fame
• High risk

6. – Anonymous Volunteer
Car hacking is about seeking for
unusual behaviour

7. –Robert Bates, chief safety officer for automotive at Mentor, a Siemens Business
If I am the CEO of General Motors, five years
from now the last thing I want to see is an email
in my inbox in the morning that says
‘Pay me $2 billion or else all of your cars are
going to turn left.’

10. Bring some juice plz

11. Domains
• Physical vulns
• Mobile Apps (car alarm/security, remote control, maintenance)
• Architectural
• Remote compromise via In-Vehicle Infotainment systems (IVI)
• ADAS
• Shaken, not stirred

12. Physical
• Jamming + stealing. Rule them all. (out of scope)
• Valuable parts are easily accessible

18. Physical. But clever
• Find something connected to CANbus
• Actuators w ECU (autofolding wind mirrors)
• Sensors (radar, parking assist?, cameras?)
• Use workshop manuals
• Inject messages (impersonate ECUs, open doors)

20. – Yes, suddenly you may need them to drive your car ¯_(ツ)_/¯
Mobile Apps

21. – Wired, 2015
Security researcher Samy Kamkar showed in 2015 that
he could use a small piece of hardware hidden on a car
to wirelessly intercept credentials from iOS apps like
GM's Onstar, Chrysler's UConnect, Mercedes-Benz
mbrace, and BMW's Remote. Kamkar's attack similarly
allowed him to remotely locate those cars, unlock them,
and in some cases start their ignitions.

22. – https://www.troyhunt.com/no-vtech-cannot-simply-absolve-itself/ 2016
Troy Hunt and Scott Helme figured out that the Leaf’s app
interface (API) uses only the Vehicle Identification
Number (VIN) to control car features remotely without
passwords

23. – Researchers at UK-based penetration testing and cybersecurity firm PenTestPartners, 2019
An analysis of the APIs used by the Pandora and Viper
mobile apps revealed that they were affected by insecure
direct object reference (IDOR) vulnerabilities

24. – Marcus Aurelius, 150 AD
OBD devices w BlueTooth connectivity, default PIN and
sends custom CAN frames

25. Web attack vectors
1 2 3 4. Aftermarket
1. PKI, secure boot, source codes, backdoors, etc
2. OEM backend infrastructure (including app stores, connected car solutions, IVI
backend, databases, documentation)
3. Diagnostic equipment, engineer codes, key duplicates, etc
4. Control car, steal car, dump private data, etc

26. Backend
• Misconfiguration, dev/qa/staging env with weak security
• Ancient solutions/technologies
• Workshop manuals
• APIs without security assessments

27. – when something without attention goes wrong
Architecture

29. Dump it
Security Architect crying right now

30. Immo, $ecurityAccess
• Weak challenge-response
• JTAG enabled
• Secrets stored in unencrypted Flash/ROM (coz there is no other option)
• IDA, GHIDRA, radare

32. RF hub in trusted zone
• Weak encryption (Tesla’s key fob with 40-bit cipher) — the KU Leuven team
discovered in the summer of 2017
• Weak PRNG
• Jamming the signal
• Relay
• Replay rolling codes

33. Key fob hack to unlock 100 million VAG cars
// 2016
• With only four unique cryptographic keys used by most of the 100M
cars, it means millions and millions of cars will be exposed once a
hacker will find one of the four keys.
• The research led by Flavio Garcia and David Oswald also refers to
the vulnerability of other cars from different automakers. Millions of
vehicles from Ford, Nissan, Mitsubishi, Chevrolet, and other marques
are vulnerable to a similar attack using a home-made device ($30
SDR).

34. Dale “Woody” Wooden could unlock a Ford vehicle,
interfere with its onboard computer systems, and even
start its engine.
The vulnerability affects the key fobs of 2019 Ford F-150
Raptors and 2019 Ford Mustangs, which use a radio
frequency in the lower 900MHz spectrum, and the key
fobs of at least one slightly older model, the 2017 Ford
Expedition, which uses 315MHz.
– https://the-parallax.com/2019/05/03/hacker-ford-key-fob-vulnerability/ May 2019

35. In-Vehicle Infotainment system
• Connectivity (BT, GSM, USB, WiFi)
• QNX / Android / WinCE
• Connected to CANbus
https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Dissecting-QNX.pdf

37. In-Vehicle Infotainment system
• Browser -> RCE -> CANbus
• Service @ 0.0.0.0:PORT -> RCE ->
CANbus
• Tesla 3 (Mar 2019, Pwn2Own)
• VAG: Golf GTE, Audi A3 Sportback (2018)
• FCA: Jeep Grand Cherokee (2014)
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/

38. Tesla… we need to talk
– https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-
CAN-Bus-wp.pdf

39. Designed by Tesla (2016-2017)
• Old QtWebkit
• Linux kernel 2.6.36 w known vulns
• Backdoors, hardcoded passwords (4 diag purpose, obviously)
• SGW boot.img w/o signing and checks
https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf

40. Designed by Tesla (2016-2017)
https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf

41. ADAS (advanced driver-assistance systems)

42. ADAS (advanced driver-assistance systems)
• Tesla autopilot fooled to switch lanes (2019)
https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdf

43. What’s next? (2022)
• Advanced automatic emergency braking systems (AEB) (adversarial examples)
• Lane departure warning systems (adversarial examples)
• Intelligent speed assistance
• Alcohol interlock installation facilitation (integer overflow?)
• Driver drowsiness and attention warning
• Advanced driver distraction warning
• Emergency stop signal (adversarial examples)
• Reversing cameras or detectors (moar sensors sticking out)
• Accident data recorder (full access to all telematics)

44. Few more things…
• 4G / 5G / Narrow band
• V2V, V2X communications

45. Side-channel attacks

46. Car Hacking: Yes, you can do that!
Andrey Voloshin
CTO @ Théa
Alexander Olenyev
Hardware Engineer @ Théa

47. There is always a place where you feel safe