Hacking cars in the style of Stuxnet

Formal Metadata

Title: Hacking cars in the style of Stuxnet
Authors: Buttyán, Levente; Szijj, András; Szalay, Zsolt
License: CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: We believe that the most important impact of Stuxnet in the long run is that it provides a blueprint for carrying out similar attacks in different embedded computing environments. To demonstrate this, we started experimenting with attacking cars in the same style as Stuxnet attacked uranium centrifuges. Our experiments show that it is relatively easy to perform dangerous modifications to the settings of different car electronic control units (ECUs). Simply by infecting the mechanic's PC or laptop that runs the diagnostic software used to manage those ECUs in the car, and replacing the DLL responsible for communications between the diagnostic software and the CAN bus with a malicious DLL, we can implement man-in-the-middle type attacks (e.g., replay or modification of commands). As a proof of concept, we managed to forge a message that switches off the airbag of an Audi TT without the mechanic noticing the misdeed.


Good afternoon everyone, and thanks for staying for this last talk. This is the end of the conference and we really appreciate that you stay, that you are interested in our talk. There is another talk following downstairs, in the other hall, which also looks very interesting, given by my colleague as well, so it seems that the last two slots were given to us. My name is Levente Buttyán, my colleague is András Szijj, and we will give this talk together. First I will present some introductory slides, and then we get to the technical details of the actual attack. There is a third person who was also involved in this work, Zsolt Szalay. We are all from the Budapest University of Technology and Economics; the two of us are from the CrySyS Lab, and Zsolt is from the Department of Automobiles and Vehicle Manufacturing. We will talk about hacking cars. Yesterday someone asked me whether we would literally bring the car on stage, and I told him that, no, unfortunately not. Maybe this is disappointing for you too, but hopefully this is the only disappointing thing about this presentation. Why don't we bring the car to the stage? Because we are talking about hacking cars, but in fact, as you will see, most of the work was mainly on hacking an application on a PC, and that was then used to have some bad effect on the car itself as well. The bulk of the work was really hacking the application on the PC, and that's what we mean by Stuxnet-style attack, but I will explain this later in more detail.

So, as you know, modern cars are full of embedded controllers, which are basically small computers inside a car which control different things in the car, like the airbag, which was mentioned, but also the engine of the car, or the ABS brake, and so on. All these electronic control units are connected by internal communication networks, for example the CAN bus. In addition, the cars have different external interfaces: most modern cars might have a Bluetooth interface with which you can connect your hands-free set; some cars have Wi-Fi support; some cars have a GPS receiver or a GSM module; some cars have so-called wireless tire pressure monitoring systems, which also have wireless interfaces that provide a remote wireless interface to the car. So if you put all this together, you have computers, connected units and interfaces, so there might be attacks, and cyber attacks against these modern cars are actually possible. So people started to consider that, and researchers started to work on that as early as 2010 and 2011. One of the landmark papers, which had been published at a very well-known security conference, USENIX Security 2011, was written by US-based university researchers, and basically in their paper they show that cars can be compromised remotely. It's a very nice paper that goes systematically over the attack surface of the modern car. They identified three types of possible surfaces: physical access to the car, basically via the OBD interface; short-range wireless access, such as a Bluetooth interface; and long-range wireless access, for example the cellular interface. They systematically overview these interfaces and developed practical proof-of-concept attacks against each of these interfaces. For instance, one of the attacks they developed was exploiting a vulnerability in the media player of the car: there is software which parses the media file which is played, and there was a bug, sort of a buffer overflow vulnerability, so they were able to construct a specially crafted music file, put it on a CD, put the CD in the media player, and when the media player played the CD, the bug was exploited in the software and they took over control of the media player. They also demonstrated exploitable bugs in the Bluetooth stack of the car. One of the attacks they constructed was exploiting a bug in the GSM module, so they were able to call the car from a remote location, calling the normal telephone number of the car, and they played a specially crafted audio which exploited the bug and loaded additional software modules onto the GSM module, and it was compromised. Once these modules are compromised, then you are already inside the car, and on the CAN bus there is basically no more protection usually, so from one compromise you can jump to the next one, and essentially you can take over the whole car. That's what they have shown, and after that there was some follow-up work. One of the very well-known researchers who worked on that over time was Charlie Miller, together with Chris Valasek. Basically the idea was to repeat the research that was done by these US-based researchers I just mentioned, because these academic guys did not publish all the details of the attacks that they did, for good reasons, but Charlie Miller and his friend had the idea of repeating all the stuff that was done and publishing everything. So basically they came out with a report that contains a very detailed description of what they did and the tools that they used. In fact, some of you might remember that Charlie Miller gave a talk here at Hacktivity two years ago, I believe, so we had already a car hacking presentation two years ago at Hacktivity, which is actually on YouTube, so you can watch it. And they continued the work with very decent results. You might have heard about that: in June or July this year there was some news, hackers remotely kill the Jeep on the highway, and this was also the work of Charlie Miller and his friend, very recent. Basically they exploited some vulnerability in a Wi-Fi hotspot on this modern Jeep, so they could remotely connect via the Internet, because the Jeep had a public IP address; they remotely connected and exploited some vulnerability in the software and managed to take over the control of the car.

And there are other examples. If you look at the literature there is an example of infecting the car via FM radio broadcast, or via, as I already mentioned, the wireless tire pressure monitoring system. Some have wireless communication between the key, the device that you have, and the car, and so on. All of those are remote attacks, so basically that means that you compromise a car remotely, not being physically present or close to the car, in the car. They are in fact very intriguing and scary if you really do that, and they can attract of course a lot of media attention, because it's always a good topic for the news that you can kill a car on the highway remotely. But the real risk, in our opinion, is quite unclear. What do we mean by this? It is not so easy to do those kinds of remote attacks. First of all, they need an exploitable vulnerability in some of the interfaces or in one of the interfaces of the car, and there might be such a vulnerability, but it's not so easy to find such a vulnerability. Finding those vulnerabilities and then developing an exploit for them is far from trivial; you need reverse engineering of embedded software, which is difficult; there is very little information available about these devices, because the car manufacturers typically don't share too much, so very limited information from which you can start; and there is a risk of breaking relatively expensive equipment, so when you experiment and try to exploit a buffer overflow you might actually render the device unusable and you have to buy a new one, and this can be expensive. So it's not easy, and it may not scale very well, because the vulnerability in one of the interfaces in one of the car models might not be there in another car model in the same interface, so basically with one vulnerability you can maybe compromise one type of car and not the others. So that's what we mean by not scalable, and the question we posed is: are there maybe some lower hanging fruits, so easier to do than these kinds of remote attacks? And that's what we mean by Stuxnet-style attacks.

So, Stuxnet: basically most of you should probably know about this, and yesterday there was a wonderful talk on attacking chemical plants, and the speaker there explained in fact what we show here as well, the idea of Stuxnet. So you probably know the idea; just to repeat the main point: Stuxnet was a worm that first infected PCs and then modified the PLC that controlled the uranium centrifuges. But if you look at what Stuxnet is, this is really an attack against Windows-based PCs. So the idea was that you first infect the PC and take over the communication between the PC and the PLC, and then once you control the communication, you can modify some parameters in the PLC or even rewrite some of the programs, and that has some effect on the controlled system. As I said, they exploited weaknesses in Windows, and taking over the communication was basically just replacing the DLL which was responsible for the communication between the software used to manage the PLC and the PLC. So this is actually a kind of blueprint for similar attacks against similar types of systems: you have embedded systems, typically they are managed from PCs, and so basically that's our idea, to repeat exactly the same kind of logic for cars. You have some PC which is a diagnostic PC used in garages, in repair shops, running some software which somehow communicates with the car, for instance via the OBD interface, and then you infect that PC, and that PC might change values or overwrite things in the car, and that causes problems for the car. So that's the logic.

So why is this worrisome? Because PCs in shops and garages are probably vulnerable: probably they are connected to the Internet, very likely they will also connect USB devices, and mechanics probably connect all kinds of USB devices to these PCs, and they are probably poorly maintained and updated, because that's not their main job, they are not there to maintain their PC, and probably they are also used for other purposes, not just running the diagnostic software. So if you put all this together, it's relatively easy, we believe, to infect them with known or unknown malware, and once the malware infected the PC, then the malware can compromise the diagnostic application running on the PC and then implement Stuxnet-style functionality, for example, and this is also what we're aiming for: you can implement a man in the middle attack between the diagnostic software and the car, and then you have almost direct access to the car via the OBD interface. This only needs standard reverse engineering of PC-based software, and not very special knowledge about the embedded system. We also believe this gives a bigger threat, because the same software is usually used to do diagnostics on multiple types of cars, multiple brands, and every car is taken to the garage at least once a year or more regularly, so any car could be affected in this way. So for a proof of concept we decided to demonstrate that it is indeed easy to do in practice. For our test environment we had access to an Audi TT, because that's a test car that the Budapest University of Technology and Economics is using for teaching vehicle engineers, so we have had access to that car for some time. And we have chosen a widely used diagnostic software which basically is compatible with the cars of the Volkswagen group, and we tried to make modifications in this diagnostic application to allow for man in the middle attacks between the application and the car, which allows us to log, replay or modify messages on the fly. We make the assumption that the PC is already infected by malware, so we did not want to write a malware for this work, but actually the presentation in the room downstairs is exactly about the type of malware that you could write for bypassing different security and protection mechanisms. This work was not about writing malware; we assume the malware has already infected the PC and the malware can carry out all the modifications in the application that it needs to do, because basically these are very basic modifications.

OK, so the outline of the rest of the talk will be that I will present a little bit more detail about the system which we investigated and some of the protection mechanisms that we discovered, that the application developers put in the application, but as you will see they are not so effective; they did not prevent us from understanding and reverse engineering the application and the protocols. Then we'll go into the details of the techniques, so we'll show you how we replaced one of the DLLs of this application, which is a very similar kind of attack to what Stuxnet did: the DLL which is responsible for the communication between the application and the diagnostic cable, so how we did this replacement. Then we explain to you how we reverse engineered the protocol, because there is a proprietary protocol between the application and the diagnostic cable, and you have to understand the message formats. There's also a checksum computation that we had to figure out how it works, because when we modify messages we have to recompute the checksums, and there is some encryption scheme involved as well, so messages are encrypted, and you have to figure out how the encryption works. Once we did all this, then we could implement a man-in-the-middle attack, and so András will explain how we do logging and replaying sessions and how we modify messages on the fly. Then we'll mention some of the experiments, real experiments we did, including the switching off of the airbag, and we come to the conclusion and some

OK, so let's start with the system model. We have a diagnostic PC, we have a vehicle ECU, and they are connected via a special, so-called diagnostic cable. On the PC, from a software perspective, we have the diagnostic application running. The diagnostic application in fact is the component which has the necessary keys and the protocol implementations for communicating with the cable and the car, and it implements certain diagnostic functions, which basically means that it reads and sets values inside the car, in the selected ECU. For the communication, the software uses a number of DLLs, and one of those DLLs is the one which is responsible for the communication between the diagnostic software and the cable and the car. Of course, at the lower level there are drivers which implement the low-level communication functions. We have this cable, which is in fact not a simple connector, but inside the cable there is a microcontroller, so there is a small PCB with the microcontroller and other components, and this microcontroller basically functions as a gateway. The application in fact communicates with the cable, and the microcontroller in the cable then translates the messages and relays them to the OBD interface of the car. So our attack point is this communication between the application and this gateway; we attack it to modify and reuse messages. On the car we have the OBD interface. OBD stands for on-board diagnostics, and most modern cars have this; it's a mandatory interface that car manufacturers put in the car for diagnostic purposes, a plug in the car, and behind OBD then there is the CAN bus which is connecting the different ECUs. Essentially, OBD is not equal to CAN, but essentially when you have access to the OBD interface you have almost direct access to the CAN bus and you can send messages to the ECUs inside the car.

So the application developers tried to put some protection mechanisms in the application to prevent reverse engineering and hacking the application. One of those is signing the DLLs: the DLLs that are loaded by the application are digitally signed, but for some reason they did not really check those signatures, so in fact this looks like an ineffective protection, or maybe they check it but we did not find where they check it, and they might check it somewhere silently; we don't know. In fact, we could replace the DLLs without a problem. There is some program obfuscation, the usual stuff, they try to hide the functions of the program by obfuscating them with some common methods; however, when the application is started, it decrypts itself in memory, so if you attach a debugger to the already running application, then you can in fact investigate the memory and understand how the application works. Of course you only see the binary, but that's why we have András, who can read the binary and understands how the application works. And there is some license verification, so you cannot use any kind of cable; the application checks that the cable is a genuine one. But there are fake copies that you can buy, and that's actually what we did: we ordered one, I think it was 15 dollars, this Chinese copy of the genuine cable, and somehow the Chinese also managed to get the license information and put it into the gateway, into the firmware, so we did not have to reverse the license verification mechanism. Then, if you want to do this man in the middle, our goal was to develop some component which can log, replay, modify messages or inject fake messages, and one natural idea was to somehow modify the DLL which is responsible for the communication between the application and the car. So we could, for instance, alter the binary, because the source code is not available of course, and somehow patch the binary at all the functions that we need, but in fact it is even simpler to introduce another fake DLL and load that DLL. The idea is that it loads the original one and uses the functions of the original DLL for communication, but since our DLL is loaded before, we get all the calls before, and we can do all sorts of modifications before we pass the control to the original DLL. That's exactly the idea that we implemented, and now I
give the floor to András, and actually he will give you all the technical part. Thank you.

As you may know, usually Windows loads the application into the memory, and after that walks through its import tables, gets the necessary shared libraries, DLLs, etc., and loads them into the memory too. So in this case we load our DLL, which has the same name as the original one; after that it loads the original one and hooks its functions before passing the control to the original application. So our DLL gets the control, extracts the original DLL to the hard drive, and then loads it. So when the application calls a read or write function, then we could simply make a man-in-the-middle, and then every call is directed to the original function of the original DLL, and when the call returns, we get the control again and we can return back to the original application path.

How could we improve our protection against something like this? The first thing: you have to check, you have to take care of your third-party components, not just your own components. Check and see that the DLLs, the shared libraries and the data files that are placed in your program, that your program loads, are what you expect. You have to perform the digital signature checks before loading anything and after loading anything, and you should do this periodically during each program run, and you should somehow bind all of these checks to many of your computations, like when you're sending the request to disable the airbag: you should put some empty holes in the message that will be replaced after the calculations only if the check of the digital signature succeeds. And of course you should use proper cryptographic algorithms, not just simple XOR.

As you might expect, to reverse engineer this application we used the usual tools. Our DLL contains the same exported function names as the original DLL; some of them we just redirect to the original DLL, and some of them we modified to add further functionality, for example read and write. We modified them, and so we can capture or modify the communication of the application. Of course we also reverse engineered the diagnostic application, and we wrote a tool to view the captured data and some handy tools for filtering, because these are the messages we are usually interested in. The usual message format consists of 3 header bytes. The first byte means the message direction: in this case the value shown means the message goes to the cable, so it is sent by the original diagnostic application to the cable, and of course the other value means the application gets the message, the cable answers. After that you can see a size byte, which defines the size of the whole message including the checksum. After that is the type of the message: in this case it's a request message, and of course 7, as you can see, is a response. After that you can see that the first four bytes are some kind of target identifiers. After that there is a data length identifier, followed by a string that comes from the original application; the developers left it in the application as a simple string, so we named it like this, and you can see in the data field the identifier of the target ECU. The checksums are easy to compute: the checksum of these messages is just an XOR, so you simply XOR all of the bytes of the message and you get the checksum.

If you look at a simple acknowledgment message, it usually comes from the cable, and that means the cable has done the operation successfully; of course there is a type identifier that says this is an acknowledgment message. Here is the key message, used to initialize the encryption; B6 identifies the key message. The key message carries some bytes, and these bytes select entries in a static table that the diagnostic application and the cable both have. This static table consists of randomly generated bytes, and both sides use this table to perform the XORs. You can see in this example that you get the XOR mask from the table with the help of the key, you just XOR it with the original message, and you get the encrypted result. Of course after that you have to recompute the checksum. Here is the table; as I said, this is a static table, and of course there are two key values, and you can use these as indexes and get the real XOR bytes from the table, as follows.

OK, so when the application calls the write function, we of course need to back up the buffer containing this function's data, and then we can redirect the call to the original DLL. That's how we do the logging. Of course we log the read function as well, and when the original function returns we can see the answer and return it to the application. Before any kind of operation, the cable needs to be initialized, or tested, and during this initialization the software examines the capabilities of the car and the cable, the speed limits, license etc., and stores them in temporary files. Usually these tests are run before any real operation. OK, and you can see here the software checks the license, and if you want to perform the license check you have to connect the cable to the car, but you can bypass this protection by connecting the input voltage to the pins, pin 16 for plus and pin 4 for minus. Here is an example of a log; the log file contains the requests and the responses, as you can see here.

Of course, in the logging we made, as I said, the initialization is called at the beginning, and then we performed four tests: the scans, where the software, and of course the cable, scans all the ECUs in the car; the engine control; the airbag; and the brakes, like ABS brakes. The last test failed, because it used a functionality of the application that we don't need. And here is the example for the airbag replaying session; these are the messages of the write function only. So we have a replayer, and we replayed these messages, because these bytes, you have to send out these bytes before any kind of operation; this is a kind of cable initialization, and this operation is performed by the replayer, a separate process, so it is invisible for the diagnostic application. If someone wants to perform the write, of course by using our tool, because our tool also uses the original DLL's functions to perform write and read operations, you have to call these functions with the correct parameters before any kind of writing or reading operation. There are some bytes that the tool has to write after any sendHalt message, so you have to write them to the cable, and of course the magic bytes that you have to send before anything. Yes, we could easily replay the airbag switch-off messages, because there is no need to change anything, coding or data structures or anything; you just replay the recorded bytes, so that's a simple process. As I said, this replayer was a separate application, so it is invisible to the diagnostic application. And of course our own DLL can also modify the communication, as you can see here. The application sends the message in byte clusters, byte by byte, so we perform the write on each byte of the message. Here is an example: this is simple, we want to match, and we want to replace the original message. When we find the match, then from the last byte of the match we can modify the data, and of course we recalculate the checksum.
And so I give the word back to Levente. Thank you. So these are the technical details of how we can log and replay sessions, how we can replay messages from a separate application using the same DLL that the diagnostic application uses, and very importantly, how we can modify messages on the fly, as you saw in the last example: there was a man-in-the-middle tool running in the middle, and it can change anything in a message which was sent by the application or received from the cable. With all these tools we could then make some experiments, and this is just to show you some of the pictures and some of the things that we did. So here's the TT in the garage of the university, and this is András sitting here and having fun, and all these experiments were carried out during spring 2015. This slide shows you that the diagnostic application itself produces some log files, simple text log files, and we just wanted to check that we also see the same content in our own special log files that we made with the man in the middle tool. So here is the original, here are some parts of the logs that we made, and certain things you see, these values, are the same. So this was just to check a full scan, and the replay of the airbag enable/disable messages, as András explained, was just a very easy replay of previously recorded messages. These messages in fact differ only in these two bytes; this byte is also different, but what it is is not really clear, we don't really know what the purpose of this byte is. So it replayed the earlier recorded message, which was earlier seen by the tool, and it was able to replay it back successfully, and all the replays that we were experimenting with were successful.

So, the conclusion. As we tried to explain, cyber attacks on modern cars are a plausible threat, but research has started to focus more on remote attacks, and we argued that there are easier ways, and that's what we mean by Stuxnet-style attacks, where you don't really need to have very special knowledge of cars and the internal components of the car, but you basically hack applications on normal PCs, and we believe it has a much higher risk because it's easier to do and may be more scalable. And the proof of concept that we made is just simply replaying an airbag enable or disable message; it doesn't look like a very big hack, so why is it interesting? But this is just a proof of concept. As we said, we have a man in the middle tool, which means that you can modify anything you want, including maybe more dangerous messages, and another interesting thing is that you can also modify responses from the cable, so you can hide from the diagnostic application if a value is set in a certain way, because when that value is read from the car, then you modify the response from the cable, showing a different value. So in this case we just played back an airbag switch-off message; now the mechanic is coming with the diagnostic software and tries to read this setting from the car, and we can modify the setting so that it still shows that it's switched on, so the airbag is actually switched off and the diagnostic application gets fake information because of the man in the middle attack that we performed. That can be of course serious, because if you can switch off the airbags of thousands of cars and it's not visible to anyone, then at any time any of those cars may have some accident and you might have some serious consequences. And as I said, you can also do maybe other things, like just switching other things on and off.

So a very small look to the future: you know this is a new buzzword, Internet of Things; these are basically embedded devices connected by the Internet, and if you connect these devices via the Internet then of course you create more risk. But the point is that what we showed is valid also for these embedded devices of the future, so basically you manage those devices from PCs. You all know that when you configure your router you connect your PC and you configure your router from the PC, or, I don't know, if later in the future you configure your refrigerator or whatever, you probably will not have a pretty user interface to configure it, but you will use a PC and connect to the refrigerator and configure that from the PC. So this whole logic that we are advocating here, with the malware-infected PC, and from the PC those embedded devices, also applies. What is maybe most scary, at least to me, and I would like to just bring this up as a kind of a discussion topic: what if at some point the infection disappears from the PC, the malware actually deletes itself, for instance; how would you then detect that those embedded devices are in fact infected already? I don't have a good solution for that, so as I said I just bring it up as a question: what can you do about this? We cannot really secure the Internet of Things when you still have vulnerable PCs which are used to modify or manage those devices. Thank you for your attention.
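The frame layout, XOR checksum and static-table XOR scheme that András describes, and the integrity check he recommends in their place, as an added example; this is not the speakers' tool. The direction and type values, the static table contents and the way the two key values index the table are constructed stand-ins, since the talk does not give them, and the HMAC tag is the swapped-in "proper cryptography" the talk calls for.

```python
"""Model of the diagnostic-cable framing described in the talk (added example).

Header per the talk: direction byte, size byte covering the whole frame
including the checksum, type byte; then the payload; then one XOR checksum
byte. Concrete values and the static table are constructed placeholders.
"""
import hashlib
import hmac
import os

DIR_TO_CABLE = 0x01      # constructed: application -> cable
DIR_FROM_CABLE = 0x02    # constructed: cable -> application
TYPE_REQUEST = 0x03      # constructed
TYPE_RESPONSE = 0x07     # the talk shows 7 as the response type

# Constructed stand-in for the static table of "randomly generated bytes"
# that both the application and the cable hold.
STATIC_TABLE = bytes((i * 37 + 11) & 0xFF for i in range(256))


def xor_checksum(data: bytes) -> int:
    """Checksum as described in the talk: XOR of every byte."""
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(direction: int, msg_type: int, payload: bytes) -> bytes:
    """3-byte header + payload + XOR checksum; the size byte counts the whole frame."""
    size = 3 + len(payload) + 1
    if size > 0xFF:
        raise ValueError("payload too long for a one-byte size field")
    body = bytes([direction, size, msg_type]) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields, rejecting a bad size byte or checksum."""
    if len(frame) < 4 or frame[1] != len(frame):
        raise ValueError("size byte does not match frame length")
    if xor_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad checksum")
    return {"direction": frame[0], "type": frame[2], "payload": frame[3:-1]}


def table_mask(key: tuple, length: int) -> bytes:
    """Assumed keystream derivation: the two key values pick a start index in
    the static table and the mask is read from there (the talk only says the
    key values are used as indexes into the table)."""
    start = (key[0] * 16 + key[1]) % len(STATIC_TABLE)
    return bytes(STATIC_TABLE[(start + i) % len(STATIC_TABLE)] for i in range(length))


def table_xor(payload: bytes, key: tuple) -> bytes:
    """The 'encryption' from the talk: XOR with table bytes; it is its own inverse."""
    return bytes(p ^ m for p, m in zip(payload, table_mask(key, len(payload))))


def tamper_and_refix(frame: bytes, offset: int, value: int) -> bytes:
    """The on-the-fly modification the talk describes: change one byte of the
    body and recompute the XOR checksum. The XOR checksum detects nothing."""
    body = bytearray(frame[:-1])
    body[offset] = value
    return bytes(body) + bytes([xor_checksum(body)])


def recover_mask(plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known plaintext exposes the table bytes: ct XOR pt = mask."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def build_authenticated_frame(direction: int, msg_type: int, payload: bytes, mac_key: bytes) -> bytes:
    """What the talk recommends instead of plain XOR: a real MAC over the frame."""
    frame = build_frame(direction, msg_type, payload)
    return frame + hmac.new(mac_key, frame, hashlib.sha256).digest()


def verify_authenticated_frame(data: bytes, mac_key: bytes) -> dict:
    """Reject any frame whose HMAC-SHA256 tag does not match before parsing it."""
    frame, tag = data[:-32], data[-32:]
    expected = hmac.new(mac_key, frame, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: frame was modified")
    return parse_frame(frame)


def demo() -> dict:
    """Constructed request: 4 target-identifier bytes, a data length, 2 data bytes."""
    payload = bytes([0x10, 0x20, 0x30, 0x40, 0x02, 0xAA, 0xBB])
    frame = build_frame(DIR_TO_CABLE, TYPE_REQUEST, payload)
    forged = tamper_and_refix(frame, 3 + 5, 0x00)   # first data byte, body offset 8
    out = {"original_ok": parse_frame(frame)["payload"] == payload,
           "forged_accepted": parse_frame(forged)["payload"][5] == 0x00}
    key = (0x0A, 0x05)                                # constructed key values
    enc = table_xor(payload, key)
    out["decrypts"] = table_xor(enc, key) == payload
    out["mask_recovered"] = recover_mask(payload, enc) == table_mask(key, len(payload))
    mac_key = os.urandom(32)                          # shared secret, stand-in
    auth = build_authenticated_frame(DIR_TO_CABLE, TYPE_REQUEST, payload, mac_key)
    out["auth_ok"] = verify_authenticated_frame(auth, mac_key)["payload"] == payload
    tampered = tamper_and_refix(auth[:-32], 8, 0x00) + auth[-32:]
    try:
        verify_authenticated_frame(tampered, mac_key)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```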