Automotive Ethernet Fuzzing
Formal Metadata
Title | Automotive Ethernet Fuzzing: From Purchasing ECUs to SOME/IP Fuzzing
Title of Series | DEF CON 30 (part 72 / 85)
Number of Parts | 85
Author | Jonghyuk Song
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/62219 (DOI)
Language | English
Transcript: English(auto-generated)
00:00
All right, so our next talk coming up is about automotive Ethernet fuzzing, from purchasing ECUs to SOME/IP fuzzing. Please help me welcome to our stage our next speaker. Thank you very much. Thank you. Hello, everyone. My name is Jonghyuk Song, who is the first
00:21
author of this research. The title of this talk is Automotive Ethernet Fuzzing: From Purchasing ECUs to SOME/IP Fuzzing. In this talk, I would like to describe how to purchase automotive ECUs, how to set them up, and how to do SOME/IP fuzzing. So, who are we? We are all,
00:43
sorry, we are all red team and blue team members in Autocrypt. Autocrypt is a mobility security company, and especially we focus on automotive cyber security. We are conducting pentesting and fuzzing testing with automakers and tier suppliers. Also, currently we are developing
01:05
a fuzzer for automotive-specific protocols such as CAN and automotive Ethernet. So, in this talk, I would like to share tips, know-how, and my experience of how to do automotive Ethernet fuzzing using your own ECU. But you know, 20 minutes is not enough to talk about the details,
01:26
so please don't hesitate to contact me. So, this talk is trying to answer the following two questions. First, how to set up a test environment with real ECUs? Second, how to do
01:40
automotive Ethernet fuzzing on the ECU? So, this talk will be a practical guide to SOME/IP fuzzing with a real ECU. I hope that it will be useful for car hacking beginners. So, let's first talk about the development of automotive Ethernet.
02:00
Recent vehicles are becoming more complex than smartphones, so they require higher data bandwidth for various functions such as ADAS and infotainment systems. But CAN is not enough to handle it. So, automakers have started to adopt automotive Ethernet. After BMW released their cars with
02:23
automotive Ethernet, many automakers have released cars supporting automotive Ethernet. Let's take a look at the automotive Ethernet network layers. Automotive Ethernet is based on TCP and UDP. There are two main protocols in automotive
02:46
Ethernet. The first one is DoIP. It's a diagnostic protocol. It's almost like UDS over CAN. The second one is SOME/IP, which will be covered in this talk. It's a control communication protocol between ECUs,
03:02
such as remote procedure calls and event notification. And actually there is one more, SOME/IP-SD, which is the SOME/IP service discovery protocol. It's a service discovery protocol. Using this protocol, ECUs advertise their services
03:26
and can get the information about services running in other ECUs. Sorry about the bad condition. So, why do we do automotive Ethernet fuzzing? As you know, automotive Ethernet has been adopted recently.
03:42
So, automotive Ethernet has not yet been tested enough. Also, there is not much research about it. So, let's try SOME/IP fuzzing with me. It will be fun. Then, should we buy a car? Is it essential? You know, it's expensive to buy a whole car for every single test.
04:09
This is why we cannot try car hacking. We cannot buy a car every time whenever we want to test. So, in this talk, we suggest: let's hack an ECU first.
04:21
If you successfully find a vulnerability in the ECU, maybe you can exploit a real car. But how? Buying a car is difficult, but buying an ECU instead of a car is also not easy.
04:43
First, where can you buy the ECU? And which ECU is proper for the test? Can you know whether the ECU supports SOME/IP or not? If we know that, how to set up the ECU? How to connect it and how to wire it to my PC?
05:05
In this talk, I'm going to tell you how to do that step by step. The first step is selecting an ECU. Not all ECUs support automotive Ethernet. So, we should buy an ECU that supports automotive Ethernet.
05:22
We can get this information in the wiring diagram of the ECU. The second step is buying the ECU. You can buy used ECUs on eBay, but we bought the ECU from a BMW official service center. This is a new one.
05:40
The third step is setting up the test environment. In this step, we wire and connect my laptop and the ECU by referring to the wiring diagram and pin map of the ECU. The fourth step is network configuration for SOME/IP.
06:00
We should configure our laptop's network settings to communicate with the SOME/IP services in the ECU. And the next step is discovering SOME/IP services. We should find out the service IDs and port numbers of the SOME/IP services running on the ECU. After that, finally, we can do fuzzing.
06:22
Okay, let's talk about how to select an ECU first. First, we should select an ECU. In this research, we chose a head unit ECU of the BMW iX model. The reason why we selected a head unit is that most head unit ECUs support automotive Ethernet.
06:41
The reason why we chose BMW is that BMW is the automotive Ethernet industry leader. As I said, BMW was the first automaker to release a car with automotive Ethernet. Another reason why we chose BMW is that BMW provides their ECU information on the technical information
07:01
site. So we can get the information about the ECU, such as the wiring diagram and pin map, on the TIS. This is why we chose BMW. So now we have to check the wiring diagrams to find out whether the head unit ECU really supports automotive Ethernet.
07:22
These are some screenshots of the BMW TIS site. Actually, this is a paid service, so I had to hide some parts of the screenshots. Please understand that. You can see the whole information on the TIS if you pay. In this slide, of course, there is lots of ECU data, so you can search
07:44
the data by VIN number to find what you want. So the right figure shows that we found the wiring diagram of the head unit ECU by searching. Maybe you don't have a BMW car, so maybe you don't have a VIN number, but don't worry about that. You can find a VIN number on Google.
08:06
So finally, we can get the wiring diagram in TIS. You can see that there is an Ethernet line in the diagram. So finally, we can be sure that this head unit ECU supports automotive Ethernet. So let's buy it. In South Korea, some official BMW service centers sell ECUs, but I don't know
08:28
whether service centers in other countries also sell ECUs. Anyway, we bought the new ECU from the service center. We just called the service center and asked to buy the ECU, and we visited the service
08:41
center to get the ECU. Tesla also sells ECUs, but you should install the ECU on your car in the service center. It means you cannot bring only the ECU out of the service center. In Hyundai's case, you can get Hyundai's ECUs from the Hyundai Mobis center.
09:04
Of course, you don't always have to buy a new ECU. You can buy a used ECU from eBay. If you search for the ECU on eBay, maybe you can find lots of used ECUs, but I cannot guarantee that a used ECU works well. Also, it's difficult to find
09:20
the latest model. Okay, now we've got the ECU. Let's set up the test environment. This is the overview of our test environment. Above, there is the ECU, and on the left side, there is my laptop,
09:49
and we connected the laptop and the ECU using the media converter. The media converter is an essential device for testing automotive Ethernet. Automotive Ethernet is different from the standard Ethernet used in the normal PC environment.
10:08
So, if we want to communicate with the ECU using automotive Ethernet, you should convert it. The media converter can do that conversion, and there should be a power supply to supply power to the ECU.
10:23
This is a real photo of the previous overview. There is the ECU, and there is the laptop, and there is the media converter. Actually, we also bought the display because we expected to see something on the display,
10:40
but it was not that useful in this test. Anyway, there is a power supply to supply the power. Oh, sorry. If you want to connect like this, you will need a wiring diagram and pin map to know which port in the ECU is for automotive Ethernet,
11:04
which port is for power, and which port is for the display. I'm going to show in detail how each part was connected. So, let's connect power first. To connect power, you should find the power pin, the ground pin,
11:20
and the Ethernet wake-up pin in the pin map. If you find all of them in the pin map, you can match them with the real ECU's pins. Then you can connect them to the power supply. I cannot show you the real pin map in this slide because that's not free data.
11:45
Then we connected the display, also by referring to the pin map. Now let's turn it on. The BMW string showed up on the display, so we know that we successfully supplied power to each device.
12:01
Now, let's connect the ECU and the laptop to communicate over automotive Ethernet. Also, you should check the pin map and find the automotive Ethernet port. In this case, the lightest port of the ECU is the Ethernet port, so we connect it to the media converter.
12:21
Then we connect the media converter to the laptop. This media converter has two Ethernet ports, an SFP port and an RJ45 port. The SFP port is used to exchange SOME/IP data between the laptop and the ECU. The RJ45 port is for connecting to the control page of the media converter. Maybe each media converter
12:45
has a different interface, so you should check the manual of your media converter. Now, connecting and wiring is finished, then we should configure our laptop's network settings to communicate with the SOME/IP services.
13:03
Before that, I'm going to tell you about VLAN, which is virtual LAN. Automotive Ethernet uses VLANs to separate the in-vehicle network logically because they want to isolate the traffic from different domains. So anyway, if you want to communicate with the ECU by automotive Ethernet, you should know the VLAN ID of the ECU's network.
13:26
The VLAN ID is in the VLAN tag. There is one more field in the Ethernet frame, the VLAN tag. So to communicate over automotive Ethernet, we should find out the VLAN ID. In the previous step, we connected the ECU and the laptop,
13:47
so we can see the SOME/IP packets by using Wireshark. You know, Wireshark is an amazing tool. There is already a SOME/IP plug-in in Wireshark. So we can see the SOME/IP packets very comfortably.
14:02
As you can see, we can see the VLAN ID in the packet, and of course, you can know the IP address of the ECU. One thing you need to be aware of is that some USB-to-Ethernet adapters don't show the VLAN ID. I don't know exactly why. Maybe some network adapters don't support
14:23
VLANs. Anyway, if you cannot see the VLAN ID, it's a good idea to change to another adapter. So now we can configure the network settings for the laptop. In Windows, you can find the VLAN configuration in the Ethernet adapter properties. You should set packet priority and VLAN enabled,
14:46
and insert the VLAN ID in the VLAN ID section. You should set an IP address which is in the same subnetwork as the ECU. Okay, now let's talk about how to discover SOME/IP services.
15:06
Usually, there are several SOME/IP services running on the ECU, and each service is running on a different port with a different service ID. So to fuzz one of the services,
15:21
we should know the port number and service ID. There are two ways to get the port and service ID. The first one is checking offer messages. Usually, most ECUs periodically broadcast offer messages containing the service ID and port number. This offer message is one of the SOME/IP-SD
15:44
message types. It's a kind of advertising message. So we can know the port and service ID from the offer message. The second method is sending a find message to the ECU. The find message is also one of the SOME/IP-SD message types. If there is no offer message from the target
16:05
ECU, you can use the find message. If you send find messages to the ECU with all possible service IDs, the ECU will respond with offer messages only for the available service IDs in the ECU. So from the responses, we can know the available service IDs and ports in the ECU.
16:28
The right figure shows one of the offer messages. As you can see, there are the port number and service ID in the offer message. So now we are ready to fuzz. This is the structure of a SOME/IP packet.
16:45
To generate fuzzing input, we should know about it. First, there are the service ID and method ID. I recommend that you use available service IDs and method IDs in the fuzzing data. If the fuzzing input contains an unavailable service or method ID,
17:05
the input will be filtered and the ECU will return unavailable service or unavailable method ID. I already described how to find the available service IDs in the previous slide. You can find the available method IDs using a similar method. Next, client ID and session
17:24
ID are not important in my experience. Also, protocol version and interface version are always fixed to 1. You don't need to fuzz them. And there are several message types in SOME/IP.
17:40
The message type of the fuzzing input should be one of the values in this table, the right table. And the last one is the payload. It's the most important. Each SOME/IP service has its own payload format, so mutating normal packets is the best strategy. The way to get normal packets is just connecting several ECUs.
18:02
If you connect multiple ECUs by automotive Ethernet, they will exchange SOME/IP packets. Then you can get the normal packets that can be used as seeds for the fuzzing. Then how to monitor the ECU state? How do we know whether the fuzzer has found a crash in the ECU?
18:25
We recommend three methods. The first one is the return code. In the SOME/IP message, there is a return code. You can guess the ECU state, but it's hard to know the detailed information. The second is checking the response to a valid request. After the fuzzing input transmission,
18:43
you can send a valid message to the ECU. Then if there is no response from the ECU, you can guess that the SOME/IP service is dead. The third method is checking periodic SOME/IP messages from the ECU. If the target ECU broadcasts SOME/IP messages periodically,
19:00
you can check whether the message is still transmitted after fuzzing. How to implement a SOME/IP fuzzer? Luckily, there is already a SOME/IP Python library in Scapy, so you can easily implement a SOME/IP fuzzer using Python. Until now, we've tried fuzzing tests on the BMW head unit.
19:26
Actually, we tried many OEMs. We still keep trying to apply strategies, but we cannot find any issues from BMW. We actually found some crashes from other OEMs' ECUs.
19:42
I want to share it, but I cannot disclose it because of NDA. Please understand that. The point of this talk is describing the process of how to do fuzzing using your own ECU, not describing the vulnerabilities that I found. Anyway, I conclude my talk.
20:00
In this talk, I wanted to tell you two things. First, you can do car hacking using an ECU. You don't need to buy a car. I hope that you will try car hacking by buying and setting up ECUs. Second, I showed how to do fuzzing on SOME/IP services of a real ECU. I think fuzzing of automotive Ethernet has not been sufficiently studied; it is in its early stage.
20:26
There is still much to fuzz, so I recommend you guys try testing automotive Ethernet. This talk can be a good guide. In fact, recently, we are also trying DoIP fuzzing. I hope that we can share some results soon. Okay, this is the end of my talk. Thank you very much.