00:00:00.534-->00:00:05.005 >>So apologies this will be a first for us, we are going to do a presentation without slides. 00:00:07.007-->00:00:12.012 The project doesn't seem to like neither our linux or windows laptop. >So first let me tell 00:00:14.314-->00:00:19.319 you that we are releasing a paper on this presentation. As you see we are going to miss the 00:00:24.558-->00:00:30.430 detail without the slides. We already lost some time so we won't miss any more detail. Go 00:00:30.430-->00:00:36.970 read the paper, there is a lot of information there. So basically what was this talk 00:00:36.970-->00:00:41.341 about. So basically we are releasing a tool to audit CAN all kinds of devices, and we are 00:00:41.341-->00:00:46.346 going to present why you need such a tool and what you can do with this tool. Okay okay. Um 00:01:04.531-->00:01:09.536 the very idea of this tool is to come up with a, one particular fact. When you want to edit a 00:01:20.814-->00:01:27.087 protocol, you have two options: either you reverse the whole protocol from scratch, need to 00:01:27.087-->00:01:32.092 understand everything or you let like for example http client do all most of the communications 00:01:34.695-->00:01:40.667 but because you are able to set a man in the middle configuration you listen to 00:01:40.667-->00:01:46.373 these http client doing the communication then at the right moment you start blocking 00:01:46.373-->00:01:51.378 packets, modifying packets replaying packets. The very idea of this mitm approach we let 00:01:56.950-->00:02:01.888 http client do all the heavy work, you don't need to reverse everything, and you start 00:02:06.293-->00:02:10.731 playing with data trying to find trying to exploit vulnerabilities at the right 00:02:10.731-->00:02:15.736 moment. The very problem with the CAN network is its a serial bus network, meaning that you 00:02:19.906-->00:02:25.045 cannot do this. For example if you do this for a web application you simply setup 00:02:25.045-->00:02:30.050 burp suite or zap proxy that kind of tool, you are in fact intercepting all information, 00:02:34.021-->00:02:39.026 you can modify them also. With CAN serial bus you cannot unless you physically cut the bus or 00:02:41.094-->00:02:46.133 insert yourself in between or you plug out on particular device, the one device that you 00:02:46.133-->00:02:49.936 want to audit. And again you build a CAN bus just for this device and you put yourself in 00:02:49.936-->00:02:54.941 the middle of these two bus and you start forwarding packets from these two buses then when 00:02:57.210-->00:03:02.149 you are ready, when you think its a right match you start modifying packets. >>So what was 00:03:09.189-->00:03:14.194 objective of our tools, there were other tools to work with CAN. They are mostly based on 00:03:21.234-->00:03:26.239 UART over USB, its quite slow. It cant indulge the full speed of CAN, which is 1mb and there 00:03:29.643-->00:03:34.648 are atleast 2 CAN interface so we cant just use two serial/usb tools connected to computer to 00:03:39.019-->00:03:44.024 do the man in the middle. We had to create a new tools called CAN spy. >>About CAN spy. We need to 00:03:51.898-->00:03:56.903 CAN interface two do man in the middle these are also to sniff and inject. We need to be able 00:03:59.139-->00:04:04.077 to forward frame from CAN 1 to CAN 2 and from CAN2 to CAN1. and we Also want to filter to trade 00:04:06.980-->00:04:11.985 a frame and change a value, because we want to pentest. And what we want to ethernet because 00:04:18.992-->00:04:23.763 we want to use standard tools like scapy or wireshark and ethernet is quite convenient and 00:04:23.763-->00:04:30.003 has the required speed for 2 or even more CAN interface. So our tool is based on ethernet. We 00:04:30.003-->00:04:36.843 also have a serial port so you can still get the frame on a serial port, but this is more a 00:04:36.843-->00:04:43.416 developer tool. We can also store the settings of the tools, in a SD card in order to be 00:04:43.416-->00:04:48.421 autonomous to put the tools in the car without using a computer and logging the packet. About 00:04:51.792-->00:04:56.797 CAN spy hardware, we want to avoid any complex soldering for people so that anyone can use 00:04:59.633-->00:05:04.571 these tools. So the mainboard is a demo board/ demo shield you can find on the internet, so its 00:05:07.040-->00:05:09.042 on the slide so you will need the paper to find the reference and we use a shield that 00:05:09.042-->00:05:11.044 provides ethernet connector, sd card and serial. You can also find it on the internet on 00:05:11.044-->00:05:16.049 mauzer gdk. Both are less than at 60 bucks. But still you will need to solder a small shield as 00:05:34.634-->00:05:39.639 we could not find any shield that could interface, so we have to make it. But its very simple, 00:05:41.775-->00:05:47.581 its mostly jumper to setup serial setting, as if you are working on real car, working on 00:05:47.581-->00:05:52.586 bench. You have to setup resistors, power supply, etc. Everyone can solder it, its also 00:05:55.589-->00:06:00.527 cheap. Less than 30 bucks. So the complete tools is less than 100 bucks, depending on where 00:06:02.662-->00:06:07.667 you get everything. Actually if you dont want to solder the CAN shield, we have some spare 00:06:10.103-->00:06:15.108 shield for people who want to try it more quickly. Come at the end of the presentation. You can 00:06:17.677-->00:06:21.881 actually see the tool. We have two tool running there, we are going to talk about them. For 00:06:21.881-->00:06:27.387 example one is imitating the car, and the other one is doing the man in the middle setup. 00:06:27.387-->00:06:32.392 That is basically what you need to do emulate CAN device without emulating the whole car. you 00:06:35.428-->00:06:40.433 Either capability to emulate the whole car to make the device think its at home or you need to 00:06:43.503-->00:06:50.210 have a tool to do the man in the middle attack so that you can modify the packet on the fly. So 00:06:50.210-->00:06:55.215 we have here a bench with one CAN spy emulating the car and one doing the man in the middle 00:06:57.417-->00:07:02.355 attack. For example I have my phone with a diagnostic tool, thinking we are currently 00:07:04.691-->00:07:09.696 driving 15km/h. That is the first CAN spy doing the emulation. And at any moment at 00:07:14.868-->00:07:19.773 the end we are going to setup the man in the middle and to activate the internal filtering 00:07:19.773-->00:07:24.778 engine to modify the speed so that the tool thinks we are driving 255km which is the 00:07:27.514-->00:07:32.519 maximum according to one byte, one byte packet. >>Its a cheap ODB-II dongle connected to 00:07:37.023-->00:07:42.028 bluetooth with free application you can find on the store. >>I guess we missed a bit of 00:07:44.931-->00:07:49.936 interdiction, we are helping car manufacturers to help them find vulnerabilities before their 00:07:53.006-->00:07:58.011 onboard computer they want to put in car goes into market. That's why we build this tool. 00:08:03.750-->00:08:07.554 Like I said to do man in the middle you need to physically cut the bus or extract the 00:08:07.554-->00:08:13.059 device. If you do this at home this means you need to take apart your car. But we are 00:08:13.059-->00:08:17.797 helping car manufacturers so they give us access to integration bench, where it is 00:08:17.797-->00:08:23.236 easy to plug in or plug out the CAN devices. They can give us specifications so we can build 00:08:23.236-->00:08:28.241 car emulation software quite easily. But the reason we chose to today use the OBD 2KS is that 00:08:33.179-->00:08:39.486 it's easy for everyone to the same as we do, but at home. You don't need to cut anything or to 00:08:39.486-->00:08:45.859 unplug anything with the OBD 2KS. You just need your car the OBD device, cheap diagnostic 00:08:45.859-->00:08:50.864 tool for example. You can setup the CAN spy between your car and the diagnostic tool and then you 00:08:54.901-->00:08:59.906 can start playing with the device A little tip. If you want to turn around a security issue 00:09:07.147-->00:09:13.253 that uh is usually considered people try to attack a car. Why not attack tool that's 00:09:13.253-->00:09:18.258 connecting to car. These tool can be pretty sensitive for example if you are able to 00:09:20.627-->00:09:27.233 compromise diagnostic tool, the other car connecting to this diagnostic tool will be at risk 00:09:27.233-->00:09:32.238 also. One easy way to do this is to play with diagnostic requests which answers are fragmented 00:09:37.043-->00:09:42.048 over multiple CAN frames. Because the diagnostic tool usually defragment those frames 00:09:46.286-->00:09:51.291 to distract the payload that was initially sent by the car, and its quite easy to produce buffer 00:09:57.730-->00:10:02.735 overflows at this point. Tools always expect the car to be compliant with the norm, which 00:10:05.972-->00:10:11.411 is true, I have never found a car thats was not compliant with the norm. But if you put your 00:10:11.411-->00:10:16.416 mitm device at this point and force the for example vehicle notification number which is 17 00:10:19.486-->00:10:24.491 ascii character long, up to 40000 characters, you will cause a buffer overflow which can be 00:10:27.560-->00:10:32.565 exploited like any buffer flow. >>Yeah just a notice information, but everything is 00:10:34.801-->00:10:41.274 open source and open hardware. you can find it on our bitbucket. You will have to 00:10:41.274-->00:10:46.279 search on google. The firmware has been designed in order to simplify adding new 00:10:48.882-->00:10:54.287 functionality because maybe you want to add new function on the shell for example: we have a 00:10:54.287-->00:10:59.292 serial shell with its choose to change and manage settings but you can want to add new 00:11:02.829-->00:11:09.102 functionality. When designing the firmware we really think how we can add new function. >>A 00:11:09.102-->00:11:15.942 little word about this firmware. As you may have understand with the slides, we have two kinds of 00:11:15.942-->00:11:20.947 ICs, one internet device, one UART device, one SD card driver. In order to never miss a frame, 00:11:28.555-->00:11:33.560 that's really our goal, we want to forward the full data rate, that means up to 1mb/s from to 00:11:35.595-->00:11:41.801 CAN busses we want to forward frames between the two, we are dropping frames. We had to 00:11:41.801-->00:11:46.806 design the firmware with real time techniques to achieve this goal. If you add new 00:11:48.975-->00:11:55.481 functionalities to the tool, while complying to our abstraction layer ,you can add 00:11:55.481-->00:12:01.888 functionalities and be sure you are not impair the real time properties of our tool. >>So we 00:12:01.888-->00:12:06.893 skip a large part of the talk about where he was talking about CAN architecture. But without 00:12:10.663-->00:12:15.668 slide it won't be possible to explain I think. >>You can try >>Yeah so. Yeah let's try. So a 00:12:18.204-->00:12:23.843 few words about CAN architecture. So what you can find in a car. So the most basic 00:12:23.843-->00:12:28.848 one is one single bus with a ECU, which is a Electronic Control Unit. So in your car you 00:12:31.651-->00:12:38.358 have up to 70 control unit for controlling the dashboard, the brakes, the engine, etc. They 00:12:38.358-->00:12:44.263 are all connected. So if we think of the most basic architecture this is just one 00:12:44.263-->00:12:49.869 bus and everything connected. So as you can imagine you will have congestion issue, because if 00:12:49.869-->00:12:56.442 everyone is talking at the same time so no one or someone can not talk. So the mechanism is 00:12:56.442-->00:13:02.348 based on ID priority to select which one will be sent if two are talking at the same time. 00:13:02.348-->00:13:07.353 The lowest id is the highest priority. But as you can imagine, ECU with very low 00:13:14.661-->00:13:19.666 priority will never talk. So in the most advanced architecture and recent car you have several 00:13:24.003-->00:13:29.008 bus. So the points to have several busses is to segment for example with one bus 00:13:32.211-->00:13:38.084 entertainment and one for navigation, one bus for engine and the brake. So this was more 00:13:38.084-->00:13:44.724 thinking for safety than for security but its still good for security. You can have again two 00:13:44.724-->00:13:49.729 possibility, there are two bus for ECU on a bus and ECU that are connected to two busses. For 00:13:52.298-->00:13:57.470 example for the navigation system it is connected to the entertainment but its also needs 00:13:57.470-->00:14:02.408 speed and information from the car. And what we can think as state of the art architecture on 00:14:05.778-->00:14:12.018 modern car its with serial buses and gateway between these buses. So like network, and this 00:14:12.018-->00:14:17.023 gateway will filter the message based on the ID, but they can be a little bit smarter and use the 00:14:20.326-->00:14:26.833 state of the vehicle. If the vehicle is stopped, if its running, at which speed is it 00:14:26.833-->00:14:33.406 running, etc. and they will allow different ID based on state of the car. So we can see 00:14:33.406-->00:14:38.411 this is something with which we can play. >>The idea is that from it occur you are first 00:14:42.014-->00:14:47.019 exposed is ECU for example navigation system or telematic functionalities using broadband/ 00:14:49.689-->00:14:55.561 mobile broadband communications, and once you have compromised either one of these two type of 00:14:55.561-->00:15:01.968 ECUs, to really impact safety you need to compromise more ECUs. But usually these ECUs are 00:15:01.968-->00:15:08.875 not on the same bus as the ECU just compromise. So you need to move from one bus to the other, 00:15:08.875-->00:15:15.815 and the idea is to compromise a ECU that is either on multiple busses like the first case 00:15:15.815-->00:15:20.987 arnold presented, or when you have a situation with a central gateway, to compromise this 00:15:20.987-->00:15:25.992 gateway. And that is essentially the goal behind our tool, its not about auditing navigation 00:15:28.628-->00:15:34.867 system, comprising bluetooth,wifi, usb, mobile broadband. Its root for the 00:15:34.867-->00:15:41.574 second kind of defence, to audit ECU from the CAN bus. Idea is to craft attack from CAN bus. Not 00:15:41.574-->00:15:46.646 compromise ECU from bluetooth example and then reach the CAN bus. This is the first step and 00:15:46.646-->00:15:52.652 its important. We do that step 2 when we audit ECUs. Really there is nothing to add here. If you 00:15:52.652-->00:15:58.257 want info on bluetooth penetration testing, wifi penetration testing. There's 00:15:58.257-->00:16:03.262 already plenty of tool and plenty of literature to expand everything. >>On the broadband 00:16:03.262-->00:16:08.267 too you can find a lot of data on broadband pentesting, its not specific to automatic. >>Usually 00:16:11.871-->00:16:18.344 you will just end up building an MC(MZ) catcher to force the ECU to use your own mobile broadband 00:16:18.344-->00:16:23.349 and again you setup a mitm attack so you can try and modify the info coming from the car 00:16:27.086-->00:16:33.993 manufacturer infrastructure to see what happened to the car. Mitm is really the way when you 00:16:33.993-->00:16:40.132 want to find and exploit vulnerabilities very quickly without the need to really 00:16:40.132-->00:16:46.639 understand everything. This was something that was lacking to us from the CAN bus perspective, 00:16:46.639-->00:16:52.845 doing CAN attacks from the CAN bus. This is really why we ended up writing this tool. Im just 00:16:52.845-->00:16:57.850 looking at the time [Humming......] Is there anyone that has questions: >>We have a 00:17:06.425-->00:17:11.430 demonstration running here, so since we have time you can come and see the demonstration 00:17:13.900-->00:17:19.839 running. We have no camera to show this and the screen of the phone is not loud enough for 00:17:19.839-->00:17:25.811 everyone. And if you have question you can ask. And again we apologise for this issue, a 00:17:25.811-->00:17:28.214 Linux, a Windows. It was working in the speaker room.