Alexey Sintsov discusses security issues related to backdooring a car's head unit. He outlines potential reasons for deploying a backdoor like monetization, targeted attacks, or government/police surveillance. Sintsov then describes various methods for gaining unauthorized remote access to a car's systems through vulnerabilities in wireless components, software updates, and exploiting interfaces between modules. He warns that with connectivity increasing, threats like car-infecting worms may become possible if networks are not properly segmented and isolated. Throughout, Sintsov emphasizes the importance of securing vehicles to prevent unauthorized and potentially dangerous access or control.

1. Alexey Sintsov
@asintsov
alexey.sintsov@here.com
DEFCON RUSSIA DC#7812
BACKDOORING A CAR
AND OTHER HEADUNIT SECURITY THINGS

2. # Why we are interested?
Let’s do it…
• Navigation for cars
• Maps
• REST API services
• Traffic
• POI
• Even road angle degree
• And more
• RDS traffic data supplier
• Embedded software
• Middleware
• UI Clients
• … and more
• 3D maps for self driving cars

3. # Why security?
???
• How OUR software can impact on car security?
vs.
• How other components affect our security?

4. # Backdoor?
???
Backdoor – unauthorized remote access to car’s headunit or other components
It’s what you want to do after exploitation of any vulnerability…

5. # Backdoor for a car
• Find a reason why you need a backdoor
• Find a way how to deploy a backdoor
• Find a way how to get control

6. # Backdoor for a car
Reasons
• Monetization?
• CC/Banking -- LOW
• BT Mining -- LOW
• Botnet -- LOW
• Thief Auto -- ???
• Targeted attack
• Police/Gov -- HIGH (Legal Backdoor)
• Spying -- ???
• Killing(WTF?) ???
We do not know, HOW to use it and WHY we need it

7. # Backdoor for a car
Reasons
• Monetization?
• CC/Banking -- LOW
• BT Mining -- LOW
• Botnet -- LOW
• Thief Auto -- ???
• Targeted attack
• Police/Gov -- HIGH (Legal Backdoor)
• Spying -- ???
• Killing(WTF?) ???
We do not know, HOW to use it and WHY we need it

8. # Backdoor for a car
Reasons
Backdoor is unauthorized remote access to HeadUnit:
• You know where is you target
• You can control some elements:
• Light
• Radio
• Door locks
• Navigation routes
• For self driving cars…
• Other – depends of internal network design
- ABS, Engine, etc  Easy! Easy!
• CPU usage
• Privacy and valuable data

9. # Break in
Car Security eq IoT Security?

10. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

11. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
Internet services
security

12. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
… and even data/file format
Internet services
security
Client-side security

13. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
… and even data/file format
Internet services
security
Client-side security
Spoofing/injection/sniffing and fuzzing

14. # Break in
Attack surface – I/O
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc
Internet services
security
Client-side security
… and even data/file format
Spoofing/injection/sniffing and fuzzing
Also for LPE

15. # Car Security is like…
… MOBILE + SMART GRID/SCADA security

16. # Car Security is like…
… MOBILE + SMART GRID/SCADA security
… even with AppStore!

17. # Break in
Simple backdoor?
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

18. # Simple backdoor?

19. # Break in
Designed RA?
• Wireless components and ECUs
• Long Radio:
• GSM/UMTS
• Radio/RDS
• GPS
• Short Radio:
• WiFi/Bluetooth
• TPMS
• Keyless lock/start
• Radars/Sensors/Cameras
• HeadUnit
• Software components
• WEB Browser
• MP3/etc
• RDS
• Applications/Connected Car services
• etc
• Service/diagnostic ports
• Local I/O
• CAN interfaces on HU
• Ethernet
• etc
• etc

20. # Designed RA?

21. # BMW MiTM

22. # BMW MiTM

23. # BMW MiTM
Can we do the same without MiTM?
- No, we can’t…
© TRUE HARDCORE WHITE-HAT GUYS

24. # Automotive industry

25. # Automotive industry
Same story with
software… ;)

26. # More hacks…
Just use online search…

27. # Big world
One platform, different software…
• Windows
• QNX OS
• Linux
DEP? ASLR?

28. # With one rule them all…
WINDOWS
One platform, different software…

29. # With one rule them all…
HARMAN
One platform, different software…

30. # With one rule them all…
HARMAN
One platform, different software…
• ARM/Tegra
• QNX OS
DEP? ASLR?
Canaries?
- Yes and NO

31. # With one rule them all…
HARMAN

32. # HARMAN
Toyota

33. # Deploy a backdoor (as a binary)
Other vectors
• Vulnerabilities in software update mechanism
• Importing files from USB/SD
• Browser Client-Side RCE bugs
• Other components RCE bugs (RDS and etc)

34. # Deploy a backdoor (as a binary)
Tasks
• Penetration vector
• RCE bugs and etc
• Find a RW place on the HU
• Update services re-usage
• Bad mounted memory
• LPE bugs
• Find a way for auto-run
• How to change cron (or etc) jobs?
• DLL/SO Hijacking
• Find a way how to connect to C&C via Internet
• Local VPN configs/keys
• Route table
• Proxy settings

35. # Car WORM??
Is it possible?

36. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)

37. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)

38. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)

39. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)

40. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File
infection)

41. # Car WORM??
Is it possible?
• All HU in one network
segment? (Worm)
• If you hack the Internet
Proxy? (Spreading)
• If you hack ConnectedCar
API Server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File
infection)
Ahh… Comeon!

42. # LPE
Tasks
• Bugs in local service
• From user to root
• From HU to ECU
• Bugs in ECU
• Local services usage
• ECU control normal usage – sending commands
(like SomeIP)

43. # Hardening
Defense
• No RW places for backdoor
• Processes list and configs  control and integrity
• Encrypted storages (key chains) *
• Local network segmentation
• HU does not need access to some components
• Update mechanism/design for software (good example - BMW)
• 3rd party developers – need to know what they are doing*

44. # Security market
Defense
• IPS for CAN
• Trusted and hardened HU/OS
• Encryption for CAN/ECU/internal traffic
• IPS for internal wireless/network
• moarrr …
• AV for car?
….

45. # Future
Targets for future researches
• Remote exploits for Browser and car’s APPs
• Including attacks on ConnectedCar design/implementation
• …and Car2Car design and implementation… and etc
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits -from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
• Fake signs
• Radar/LIDAR data spoofing
• All possible mixes 8)

46. # Future
Targets for future researches
• Remote exploits for Browser and car’s APPs
• Including attacks on ConnectedCar design/implementation
• …and Car2Car design and implementation… and etc
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits -from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
• Fake signs
• Radar/LIDAR data spoofing
• All possible mixes 8)
And even more… it’s a BIG
area and a lot of things can
happened 8)

47. #FIN
alexey.sintsov@here.com @asintsov