00:00:00.000,00:00:05.005
>>So, er, thank you all of you
for being today here with us.
We're gonna talk about, erm, car

00:00:07.007,00:00:12.012
hacking topic. And, let's go
fast because I think we made 20
slides, let's see. So, ja, who

00:00:15.482,00:00:22.422
are we? I'm Javier Hazquez. I'm
a hardware security specialist,
I work at Code White, a German

00:00:22.422,00:00:27.861
company. We pwn stuff. I'm from
Cadiz in Spain, I guess you can
figure it out already, I'm sort

00:00:27.861,00:00:34.635
of dark stuff. And, ja, I
reverse engineer stuff. Blah,
blah, blah. I like cake when

00:00:34.635,00:00:41.608
it's not a lie and barbeques. I
mean, who doesn't like
barbeques? So. >>So hi everyone,

00:00:41.608,00:00:46.980
I'm Henrik Ferdinand Nolscher.
Er, Ferdi for short. I also work
at Code White in southern

00:00:46.980,00:00:53.687
Germany and among many things I
also like barbeques, of course
and lasers. Lasers and like

00:00:53.687,00:00:58.692
lasers fun, right? So, er, we
had to decide between doing
stuff with lasers and car

00:01:01.828,00:01:06.833
hacking and I don't know,
[audience noise] maybe you can
imagine what we went for. >>So.

00:01:09.703,00:01:16.710
Car hacking status, what's going
on? So, ja, er buses remote
stuff because focus on the CAN

00:01:16.710,00:01:23.250
bus because they data blah blah.
We play a part, like ja, you can
recall and then replay like such

00:01:23.250,00:01:29.022
of some stuff like, ja, so some
researchers also found some
remote exploits er like slashing

00:01:29.022,00:01:34.528
wheel tyres and stuff, ja.
[audience noise, laughing]
>>Like real >>Ja, like hardware

00:01:34.528,00:01:39.366
stuff so. And there are also
some really awesome tools to
help understand the various

00:01:39.366,00:01:44.371
protocol, but, is there anything
else? So. >>Yeah, chiptuning, is
like its er own thing but

00:01:50.010,00:01:56.383
there's a lot in common with car
hacking actually. It is car
hacking and er there is USB

00:01:56.383,00:02:02.289
being cloned, cheats being done
and data being manipulated to
get more horse power or, yeah,

00:02:02.289,00:02:07.294
that sorta stuff. >>Yeah, also,
er, in the internal data
manipulation, er, chipturners

00:02:09.930,00:02:15.569
they often enable for some over
writing over DVD, that is to say
that's actually quite a hack. I

00:02:15.569,00:02:21.675
mean you have to bypass checks
and certain signatures, so,
that's a cool topic. And, ja, we

00:02:21.675,00:02:26.680
all know ORM diagnostics, right?
They can also do fancy stuff.
So, yeah, what's the secret? Er,

00:02:28.949,00:02:33.954
there my hat fell down so, EVS
is not only protocol, like
really there's also tunnelling

00:02:36.323,00:02:41.595
protocol which is the compass
portion of the keyword protocol
to fasten which was used on all

00:02:41.595,00:02:46.600
cars over KLAN and both of a
series of services, er , SIDs
which are like actually both

00:02:49.803,00:02:54.808
interesting, but people don't
care that much about them, and
ja, using this services you can

00:02:57.010,00:03:02.616
get a lot of fancy information.
Even many times. So, wanna
explain that? >>So, yeah, er,

00:03:02.616,00:03:09.556
let's compare the UDS on the
TP2.0 very quick. So, TP2.0 you
actually have to negotiate a

00:03:09.556,00:03:15.629
channel with the communication
will happen between the set
tester and the module. So, let

00:03:15.629,00:03:20.634
me see, yeah, first we have a
response, like 200 is always the
channel negotiation request and

00:03:25.205,00:03:31.545
like you can see the different
fields went up, and the bottom
one you can see the response.

00:03:31.545,00:03:36.550
Which is 200 plus the >>target
>>the target address. And then
you can communicate, so. >>Ja,

00:03:38.718,00:03:43.223
and then you have like the
transmission. The transmission
is just like the ID, which is

00:03:43.223,00:03:48.695
the CAN ID, you have the frame
counter, the frame type, the,
the, like data. Blah, blah,

00:03:48.695,00:03:54.367
blah, blah. We will share the
slides, so don't worry you're
not getting it this fast. Then

00:03:54.367,00:03:58.805
UDS, the only difference between
UDS and TP is that you don't
need to negotiate the channel

00:03:58.805,00:04:04.444
you just like broadcast, you
have your type of frames, the
first byte length and the sub

00:04:04.444,00:04:09.149
frame, but in the end, the data
that's in payload is what
matters. That's the SIDs the

00:04:09.149,00:04:14.621
firmware, whatever, so. They are
pretty similar. They are, both
are transport protocols

00:04:14.621,00:04:19.626
actually. And er, just to make
er effort some what visible, er,
that's the difference between

00:04:23.630,00:04:28.635
TP, KWP and UDS, just like some
services are like divided into
more smaller services, only like

00:04:32.372,00:04:38.745
we have communication control.
On KWP you have, for example
some start- on and disable on

00:04:38.745,00:04:44.417
message – all that is handled by
a single SID on UDS. You have
four on KWP, which is standing

00:04:44.417,00:04:50.891
protocol, so that's the only
difference on a protocol level.
>>So, er, here we will shortly

00:04:50.891,00:04:56.062
list of a couple of interesting
services, so the first one is
security access which is, er,

00:04:56.062,00:05:00.767
the way you authenticate the
tester against the ECU, right?
So the security access will

00:05:00.767,00:05:05.172
unlock the different levels of
functionality, it's like a
challenge response. Then there's

00:05:05.172,00:05:11.511
read memory by address, now you
give it an off-set and it will
return the contents, and often,

00:05:11.511,00:05:18.185
but not always er requires
security access. Er, read and
write data by ID is like for,

00:05:18.185,00:05:23.557
for example for getting the VIN,
the Vehicle Identification
Number, um, you give it

00:05:23.557,00:05:28.562
parameters, reduce the data. Er,
request upload, is like from the
ECUs perspective so don't

00:05:31.097,00:05:37.504
confuse the name, it's like to
retrieve the firmware from the
ECU and losing control of the

00:05:37.504,00:05:42.809
server , like customer teams for
example you raising the flash
and triggering also that sort of

00:05:42.809,00:05:48.215
stuff like... >>Like there are
some fancy routines like we
found in some vehicles. Wait,

00:05:48.215,00:05:53.220
ECU's actually not vehicles. Er
namely, er Bosch, er, that would
allow you to retrieve the er,

00:05:57.390,00:06:01.862
boot keys in DC17 and MED17 so
you like basically you just
trigger the routines, get the

00:06:01.862,00:06:07.968
key and then you can unlock the
boot lock mode. Oh, so ja, while
all this easy stuff? Because

00:06:07.968,00:06:12.973
CAMBadger. So, er a glitch is
still a glitch. [laughs]. So,
let's take a look at the

00:06:15.642,00:06:17.644
hardware overview. Er, it's
LPC1768, or LPCXPresso it has
external RAM 128 kilobytes to

00:06:17.644,00:06:19.779
speed things up 2DB9 for CAN 2
debug headers, SD card a ECU
Power control by software we

00:06:19.779,00:06:24.784
have UART, we'll see later why,
we have 4 GPIOs so if you want
fancy LEDs and it runs in three

00:06:40.600,00:06:46.773
different modes: stand- alone
USB, which is a CNC device or
serial over network. An yeah,

00:06:46.773,00:06:51.778
can be powered with power and
has a blinky LED. So, that's
really fancy and it's really

00:06:54.080,00:07:00.654
cheap to make. It's under 25
bucks. >>Yeah, and we made it
easy to solder, so this. It's

00:07:00.654,00:07:06.192
really easy to set up. So the
firmware considered a proof of
concept. Okay, their actions are

00:07:06.192,00:07:12.599
always handled by the CANBadger
itself, so it doesn't really
require a lap top or a computer

00:07:12.599,00:07:17.671
whatever to perform any logic,
it's all implemented in the
firmware. Like UDS GPS 2.0

00:07:17.671,00:07:23.310
processing, RAW CAN logging,
just as a start. We have a
man-in-the-middle mode where the

00:07:23.310,00:07:28.581
emulator modes and we also
mentioned that you can have
three different modes of er

00:07:28.581,00:07:34.954
operation. That is stand-alone
mode without anything attached,
and, UART mode, where you get a

00:07:34.954,00:07:40.894
CDC device on your computer and
connect with your terminal and
then there's ethernet mode which

00:07:40.894,00:07:45.699
we'll, we'll will go on to that.
Don't worry but, it's for use
with the CANBadger server so you

00:07:45.699,00:07:50.704
can have multiple CANBadgers in
parallel, yeah so, fancy stuff,
yeah. >> So just a quick look

00:07:52.839,00:07:57.811
beyond the protocol analysis.
Many servers are included in the
firmware, it's er, just switch

00:07:57.811,00:08:03.583
case, so adding support for the
additional ones is really a
piece of cake. It's extremely

00:08:03.583,00:08:07.921
verbose, it pass, it passes the
SIDs and parameters. Er,
everything is done by the

00:08:07.921,00:08:10.156
CAMBadger firmware so no need
for PC, just the serial pass.
You need a terminal and

00:08:10.156,00:08:13.159
everything is just thrown in the
SD of the CAMBadger, so you can
distribute later. And it works

00:08:13.159,00:08:15.161
with UDS and TP2.0. So, er, for
the interactive session, the
interactive session is er

00:08:15.161,00:08:17.163
interactive so it doesn't
require scripting and it will
ask you to perform actions on

00:08:17.163,00:08:19.165
the go. So, I don't know if guys
saw before we were starting the
presentation, I popped out for a

00:08:19.165,00:08:21.167
minute and was doing some stuff,
that was actually, er, the
interactive session, so you

00:08:21.167,00:08:23.169
start diagnostics session and
then you can think what's your,
what your next move is going to

00:08:23.169,00:08:29.809
be. You don't like need to write
a script or anything. You can
just try stuff, see what

00:08:29.809,00:08:34.814
happens, change something, try
again like with no rush. And
there are built in scanners for

00:08:37.617,00:08:42.622
SID parameters, so for some
people, or if you wanna go check
if there's any hidden type of

00:08:45.792,00:08:50.797
diagnostic session, or if you
wanna see what off-sets are
readable by read memory by

00:09:00.473,00:09:05.478
address, or whatever you wanna
check, there are er some built
in scanners for that to make

00:09:14.421,00:09:19.426
things easier and fast. >>Er,
let's talk a little bit about
the man-in-the-middle mode. It's

00:09:22.562,00:09:28.635
also, as I mentioned already,
already mentioned, er all
implemented in all firmware. So,

00:09:28.635,00:09:33.540
on the right hand you can see
the original traffic on the top
and on the man-in-the-middle's

00:09:33.540,00:09:38.044
the traffic on the bottom where
the payload has been changed.
And on the left brackets you can

00:09:38.044,00:09:43.817
see there's no delay added, so
it's pretty fast. And we tested
with a lot, like thirty or forty

00:09:43.817,00:09:48.822
routes and basically it will
match any incoming packet on
either port against your set of

00:09:51.124,00:09:57.931
routes, against C card and it
will like do basic operations
like dropping frames, er, doing

00:09:57.931,00:10:02.936
math operations or substituting
simple bytes, er, yeah. So, um,
we thought we could make it even

00:10:08.108,00:10:14.714
easier to use the CAMBadger so
we wanted to have CAMbadgers
talking over ethernet, so maybe

00:10:14.714,00:10:20.153
they could exchange some data ,
er, to each other or, just to
have multiple ones running

00:10:20.153,00:10:25.158
parallel and this is why we had
the CANBadger server, er, it's
written in Python and here's a

00:10:27.427,00:10:33.399
small snap shot, it's actually
not clean, it looks different
now. So, on the left hand you

00:10:33.399,00:10:37.670
can see the connected nodes, and
this is why you will switch
between different CANBadgers and

00:10:37.670,00:10:44.511
the GUI was really inspired a
lot by [inaudible] , so you can
have everything in one place and

00:10:44.511,00:10:49.349
you can exchange data between
different modules. Like the
logger, for example send a frame

00:10:49.349,00:10:54.354
work from the logger to the
replay it will create a rule for
that. Er, yeah. >>So security

00:10:57.657,00:11:04.130
access hijack. Why? So, er , we
were talking about security
access and now it's starting to

00:11:04.130,00:11:09.135
be more known er so yeah, just
the test authenticate against
itself so it saves you. But you

00:11:11.304,00:11:15.742
need to know, obviously the
algorithm being used and the key
being used. Since it's random

00:11:15.742,00:11:20.313
you cannot brute force it, I
mean, the, the er challenge is
going to change every time and

00:11:20.313,00:11:25.485
after three failed, er,
authentication attempts the ECU
locks down for ten minutes to

00:11:25.485,00:11:31.591
thirty minutes so no brute force
in there. What's the other
solution? Hijacking security

00:11:31.591,00:11:37.397
access. So, you just need the
tool that is able to
authenticate, you don't need to

00:11:37.397,00:11:42.302
care about what the tool does,
it just needs to be able to
authenticate. So for that for

00:11:42.302,00:11:49.142
example we brought a cheap er
clone interface for tuning the
cars and every time we want to

00:11:49.142,00:11:54.714
have access to something, like
don't know, the restricted
diagnostics mode for example, or

00:11:54.714,00:11:59.719
reading some off-sets that are
not standard, we just hijack the
security access. And yeah, then

00:12:03.289,00:12:08.728
we have security access without
caring about that so, how does
it work? The come back gets into

00:12:08.728,00:12:14.701
a transparent mode er breach
mode so it waits for the
security access to happen, if

00:12:14.701,00:12:19.138
the security access succeeds, it
will disconnect external tool
and then it will take over the

00:12:19.138,00:12:24.143
session and give you a nice menu
with a lot of stuff to do. So,
ja, let's try the demo. We're

00:12:26.346,00:12:32.418
running a little bit bad on
time, but why not? Let's try the
demo. So, let's fire up our

00:12:32.418,00:12:37.423
super Windows XP. Yeah, because
why not. Er...ah, yeah, we all
love waiting, right? Yeah, okay

00:12:52.839,00:12:57.844
so in the mean time let word
sync, we're gonna do the demo in
a while. Let's light up the er,

00:12:59.979,00:13:06.786
because we're not that good on
time. So, er, let's travel to
the future on the nexus slide,

00:13:06.786,00:13:11.791
so yeah. >>So we, so hopefully
we survive the demo. So what
else can the CANBadger do? So,

00:13:14.260,00:13:16.262
another fancy thing is dumping
the TP and UDS transfers, which
are, which I use for firmware

00:13:16.262,00:13:20.867
update so let's see how this
vehicle gets an update so that
will be encrypted, signed, blah,

00:13:20.867,00:13:25.872
blah, blah, blah. But then it
needs to distribute the firmware
updates over the network to the

00:13:30.510,00:13:35.948
different modules so it does
that over the CAN, most of the
time, not every time. So, if it

00:13:35.948,00:13:40.953
goes that way and it decides not
to use encryption, which er we
have found some manufacturers do

00:13:43.356,00:13:48.361
then the CANBadger can just like
grab the whole transfer and dump
the data, so basically dump the

00:13:50.496,00:13:56.202
firmware, that was being
updated. It can also spoof OB2
data through the

00:13:56.202,00:14:00.873
man-in-the-middle and the
emulator, the emulator is like
some other fancy stuff, we will

00:14:00.873,00:14:06.679
explain later, and yeah, you can
use GPIO openings for boot
loading for tri- code for like

00:14:06.679,00:14:12.618
some people call it zero day,
it's just on the data sheet. We
call it like a function. And,

00:14:12.618,00:14:17.623
yeah, it come [inaudible] GPSing
and [inaudible] things. >>So,
why do we mention GPS? Hmm,

00:14:20.226,00:14:25.298
well, many of you guys might
know that those kind of
strongholds that give your

00:14:25.298,00:14:30.303
rewards, er, allow you to track
vehicles, for example from
insurance companies and they

00:14:33.005,00:14:38.010
turn your "safe driving" into
"savings". [audience reacts]
Hmm. Let's play a game.

00:14:41.848,00:14:44.417
[audience reacts, laughing]. So
the things with these
strongholds is that they

00:14:44.417,00:14:48.888
implicitly trust the data that
is coming from the car. It's
requesting data over like

00:14:48.888,00:14:53.893
diagnosis protocols and also
they're dependant on GPS so they
do have some cross validation or

00:14:56.028,00:15:02.402
some features that require that,
and by spoofing that OBD data
you can have your own driving

00:15:02.402,00:15:07.406
habits, er, yeah, well, and
maybe if you look spoof your
location too it's going to be

00:15:09.609,00:15:14.614
more money for you. Er, so here
we have an in truck radio that's
an unstuck radio, so basically

00:15:19.552,00:15:24.323
running an android app er
connecting to a Bluetooth dongle
that is plugged back to the car.

00:15:24.323,00:15:29.595
And you can like see that
there's like stuff going on, er,
RPMs going up and down but the

00:15:29.595,00:15:34.600
car is not really turned on.
[laughter from the audience].
Hmm, and now we can see we stop

00:15:38.638,00:15:45.011
the CAMbadger, the data will
stop changing. Ja, and there you
see the PG packet just control

00:15:45.011,00:15:50.016
it with a button, you don't need
to do anything. >>So ja, that
was the emulator we were talking

00:15:52.985,00:15:59.692
about. So how does the emulator
work? So, just set up a filing
so the CAMbager steer and tell

00:15:59.692,00:16:04.130
it to broadcast every 10 milli
seconds, whatever our request,
which is our request for RDP

00:16:04.130,00:16:10.770
which is the data used by this
insurance strongholds, So, it
just keeps on making those

00:16:10.770,00:16:17.143
requests as long as you want it
to, it could be like two hours,
er login all day, data that will

00:16:17.143,00:16:21.347
be use formulation which is
actually real driving, I mean
you just like go around in

00:16:21.347,00:16:25.852
circles for 1 hour. Log in the
data then you create the
emulators. Once you create

00:16:25.852,00:16:31.891
emulator you got the data then
you use the CAMbadger to get
emulation data so the CAMbadger

00:16:31.891,00:16:36.896
will look on which IDs were used
which PIVs were used, and like
just ask from which one do you

00:16:38.998,00:16:45.037
want to create the emulation
data. So, they way that the
emulation data is stored in the

00:16:45.037,00:16:49.675
CamBadger, because like we said
earlier, everything is running
inside the CAMBadger, no

00:16:49.675,00:16:56.082
computer needed for this, just
press a button. So, we created
the header that has the IDs, the

00:16:56.082,00:17:02.788
protocol used, erm the SID, the
PID and then the start- off set
and end-off set. So that sort of

00:17:02.788,00:17:08.861
look-up table. Underneath maps
everything else in the RAM so
when ever it gets sub framed, I

00:17:08.861,00:17:15.134
mean on every single frame it
gets, it will check the contents
of that frame against the whole

00:17:15.134,00:17:21.941
emulation data until it finds
data that can be used for that
SID, for that frame, then it

00:17:21.941,00:17:27.179
will provide the emulation data.
If it does not, it will just
forward the request as straight

00:17:27.179,00:17:32.351
forward, so the dongle, er the
insurance dongle really doesn't
know if there's anything in

00:17:32.351,00:17:37.356
between. It's getting all this
stuff. And, ja, it's a, it's a
store used in time stamps, so to

00:17:42.194,00:17:49.168
get stuff real, er, it will only
check for the data, or, change
the data when it actually

00:17:49.168,00:17:54.173
changes so it keep the emulator
[inaudible] so at, the thing is
that it, to reduce the size of

00:17:58.778,00:18:05.151
the emulation files, it will
only log the changes, using the
time stamp. And, er, yeah when

00:18:05.151,00:18:10.156
there's nothing left, then it
just starts over. So yeah. Now
we'll do the demo. Er, so yeah,

00:18:14.927,00:18:20.700
let's do the demo now. Hopefully
the... >>So, we'll be having a
workshop, unfortunately it's er,

00:18:20.700,00:18:25.705
already sold out soet of, so we
gonna release all the code and
schematics on GitHub, there GPL,

00:18:29.542,00:18:35.047
um you're also welcome to go
hack this stuff, doesn't have
that much dependencies and if

00:18:35.047,00:18:40.052
you're like a better coder
anyway, we, will be really easy
to get set up for you. So. >>Oh,

00:18:45.491,00:18:50.196
yeah, fancy Windows XP machine
doesn't want to work because why
not, so let's show something

00:18:50.196,00:18:55.301
else instead. Er, we hope you
guys will like it. So, how much
time do we have left? Okay, we

00:18:55.301,00:19:00.139
have something. So are we
connected to the CAMBadger, yeah
that's actually... So, that's

00:19:00.139,00:19:02.141
the CAMBadger USB interface, so
right now we have um, an
[inaudible] 17 it's U connected

00:19:02.141,00:19:04.143
it's [inaudible] so, let's have
some fun with it. Just to
quickly show you all how it

00:19:04.143,00:19:09.148
works. So, yeah, let's just
start up that session so you
tell it your own ID, you tell it

00:19:32.872,00:19:37.877
your ECU ID so yeah, we got TDS
session established so then you
say okay, I wanna read memory

00:19:45.084,00:19:50.089
because I just want dumps. So
ja, let's try to read memory. So
you tell it the off-set, you

00:19:53.692,00:20:00.633
tell it I wanna read the fifth
bytes, whoops! We got an error,
service not supporting the app

00:20:00.633,00:20:06.605
this session, so okay, let' see.
Yeah I don't really know what
session they are, so let's just

00:20:06.605,00:20:12.745
come for session types. There we
go, so we have like different
session types can be

00:20:12.745,00:20:18.150
initialised. One or three hour
start-off, forty and for F or
not. Yeah, I'll share a little

00:20:18.150,00:20:25.091
bit because I already know it's
4F okay? So, let's try, 4F. so,
let's switch to our custom one,

00:20:25.091,00:20:30.096
let's go for 4F. So, it's
established correctly, okay
let's try to read again. So, ja,

00:20:35.334,00:20:40.339
read the same thing, yeah sure,
and FF. So damnit, now security
access required, okay so yeah,

00:20:44.043,00:20:49.248
again we already reverse that
issue, we already have security
access, so let's cheat again, er

00:20:49.248,00:20:54.253
okay so yeah, we're , oh there
was, it worked, awesome, so
yeah, double 3, so yeah, so, ja,

00:21:00.726,00:21:06.465
security access granted. Okay
lets see if it's true. Let's try
again. So read memory by

00:21:06.465,00:21:11.470
address, let try, blah, blah,
blah. And let's try FF, yeah so
this time it worked. So, and

00:21:16.509,00:21:21.080
we've got a lot of fancy ask
keys and stuff so. That's sort
of the way the CAMBadger works,

00:21:21.080,00:21:27.653
like, you can like you know,
interact, interactively try
stuff, you don't need to script,

00:21:27.653,00:21:32.124
you can like, okay let's see if
this works. It doesn't, okay,
let's try something else. So, so

00:21:32.124,00:21:37.129
it's something slow. And and so
let's show quickly because we
have to get out already. Blah,

00:21:40.499,00:21:45.504
blah, blah, blah, blah, blah
blah blah blah. So, ja. >>So
yeah, er as I mentioned earlier

00:21:51.577,00:21:56.081
code and schematics, our GPL
will be published on GitHub
like, give us one or two weeks

00:21:56.081,00:22:01.253
to clean it up just a little
bit, but er we're going to Tweet
about it as well so you might

00:22:01.253,00:22:06.258
wanna get out Twitter handle um
so yeah, we are very thankful
for you having us here um, also

00:22:09.228,00:22:15.434
we'd like to thank Code White
for, which have given us a lot
of support and trust, er time

00:22:15.434,00:22:21.207
especially and of course our
family and friends who've been
supporting all the way down,

00:22:21.207,00:22:26.145
even if we run out of coffee.
>>Er, yeah, thanks to everyone
for being here today with us, we

00:22:26.145,00:22:31.150
and I hope everyone enjoys
Defcon. [applause].