CAR HACKING VILLAGE - Automotive Exploitation Sandbox: A Hands-on Educational Introduction to Embedded Device Exploitation

Video thumbnail (Frame 0) Video thumbnail (Frame 696) Video thumbnail (Frame 3838) Video thumbnail (Frame 4982) Video thumbnail (Frame 6872) Video thumbnail (Frame 9832) Video thumbnail (Frame 10747) Video thumbnail (Frame 11420) Video thumbnail (Frame 12210) Video thumbnail (Frame 12844) Video thumbnail (Frame 13332) Video thumbnail (Frame 14277) Video thumbnail (Frame 14787) Video thumbnail (Frame 15460) Video thumbnail (Frame 15963) Video thumbnail (Frame 16556) Video thumbnail (Frame 17396) Video thumbnail (Frame 18137) Video thumbnail (Frame 19952) Video thumbnail (Frame 20576) Video thumbnail (Frame 21265) Video thumbnail (Frame 21765) Video thumbnail (Frame 22283) Video thumbnail (Frame 23152) Video thumbnail (Frame 23755) Video thumbnail (Frame 24551) Video thumbnail (Frame 25471) Video thumbnail (Frame 25915) Video thumbnail (Frame 26590) Video thumbnail (Frame 27792) Video thumbnail (Frame 34117)
Video in TIB AV-Portal: CAR HACKING VILLAGE - Automotive Exploitation Sandbox: A Hands-on Educational Introduction to Embedded Device Exploitation

Formal Metadata

CAR HACKING VILLAGE - Automotive Exploitation Sandbox: A Hands-on Educational Introduction to Embedded Device Exploitation
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The Automotive Exploitation Sandbox is a hands-on educational tool designed to provide stakeholders with little to no previous exposure to automotive security a hands-on experience with real hardware following a basic attack chain against a typical automotive development board. The attack chain provides instructions for the user to remotely exploit, escalate privilege, exfiltrate data, and modify memory using synthetic vulnerabilities placed on a remote test platform running an OS and hardware typically found in automotive systems.
Electronic data interchange Cellular automaton Authorization Information Technology Infrastructure Library Information security Exploit (computer security) Fundamental theorem of algebra
Web page Code Multiplication sign Real number System administrator Exploit (computer security) Chain Sign (mathematics) Different (Kate Ryan album) Hacker (term) Internetworking Computer hardware Operating system Office suite Information security Vulnerability (computing) Exploit (computer security) Software Computer hardware Internet service provider Chain Vertex (graph theory) Video game Whiteboard Information security Reverse engineering
Server (computing) Arm State of matter Software developer Firewall (computing) Analogy Arm Power (physics) Web 2.0 Duality (mathematics) Wave Software Computer hardware DDR SDRAM Quadrilateral Computer hardware Whiteboard Quicksort Booting
Server (computing) Injektivität Service (economics) Multiplication sign Data center Mikrokernel Web 2.0 Read-only memory Semiconductor memory Kernel (computing) Software Memory management Vulnerability (computing) Injektivität Operations research Server (computing) Memory management Mikrokernel Computer network System call Type theory Kernel (computing) Software Quicksort Whiteboard Multi-core processor Physical system Buffer overflow Booting
Server (computing) Computer file Multiplication sign Mereology Web 2.0 Medical imaging Fluid Root Semiconductor memory Computer configuration Kernel (computing) Computer hardware Gastropod shell Flag Installable File System Physical system Injektivität Demo (music) Cellular automaton Binary code Memory management Message passing Password Right angle Whiteboard Buffer overflow
Web page Email Demo (music) Software developer Whiteboard Information security IP address
Web page Injektivität Server (computing) Service (economics) Computer file Multiplication sign Memory management Instance (computer science) Exploit (computer security) Web 2.0 Software testing Escape character Buffer overflow Vulnerability (computing)
Service (economics) Computer file Electronic mailing list Instance (computer science) Directory service Resultant
Injektivität Type theory Videoconferencing Cuboid Office suite Information security
Chain Quicksort Physical system
Embedded system Open source Computer file Projective plane Information security
Computer file Multiplication sign Infinite conjugacy class property
Web 2.0 Server (computing) Computer file 1 (number) Right angle Whiteboard
Socket-Schnittstelle Internetworking Gastropod shell Computer-assisted translation Binary file Computer programming
Default (computer science) Server (computing) Email Multiplication sign Combinational logic Memory management Virtual machine Web 2.0 Radical (chemistry) Gastropod shell Right angle Computer-assisted translation Information security Proxy server Window Buffer overflow
Code String (computer science) Reverse engineering
System call Vulnerability (computing)
Embedded system Case modding Semiconductor memory Reading (process) Vulnerability (computing)
Mathematics Embedded system Hexagon Process (computing) Computer file Password Binary code Opcode Address space Usability
Web 2.0 Server (computing) Mechanism design Routing
Web 2.0 Server (computing) Embedded system Computer file Hacker (term) Gastropod shell Instance (computer science) Digital object identifier
Web page Web 2.0 Server (computing) Computer file Root Semiconductor memory Speicheradresse Spacetime Reverse engineering
Web 2.0 Server (computing) Hacker (term) Information security
Presentation of a group Computer file Root Flag Right angle Digital object identifier Information security
Web page Server (computing) Service (economics) Kreisprozess System administrator Patch (Unix) Multiplication sign 1 (number) Set (mathematics) Control flow Storage area network Power (physics) Web 2.0 Goodness of fit Root Software testing Office suite Information security Vulnerability (computing) Condition number Area Interface (computing) Software developer Binary code Planning Integrated development environment Vertex (graph theory) Video game Right angle Whiteboard
but I'm Nathaniel Boggs from red balloon security and this our talk on the automotive exploitation sandbox so red balloon security we do you know basically three things commercially we license our host based defense technology for embedded devices to large vendors we also do a lot of fundamental research and then thirdly we'd like to do a lot of talks raising awareness or educational giving back to the community and this is this is one of those so our goals here and this the for
the automotive sandbox is to educate all stakeholders about typical automotive attack chains and more generally embedded device attack chains and to actually provide hands-on experience with real Hardware to people so it was found or going to different industry verticals talking about security working with large vendors is a lot of people you know have lots of engineering experience but they really haven't learned about security before and they just read some articles have some buzzwords but they never actually like hacked something right which is always a fun experiment I'm you actually like hack something to face to webpage you know that you saw you know using a device in a strange way but one of our goals for this is we wanted to really make it hands-on so it's real Hardware realistic exploits you know real code running on you know typical operating system and then provide you know will provide the exploits but then talk through how and hacker would actually come up with those what kind of reverse engineering they would do and this is we wanted to actually have a lot of depth to it right we didn't want to just have a little toy exercise and a VM we wanted to have like a full software and hardware stack that then both as the amateur person who wants to just hack for the first time can enjoy it and have a walkthrough where as then more experienced people can also then actually have the depth to really play with the sandbox potentially write their own exploits etc so and accessibility so we wanted this actually be free publicly available so if it's not available you know if you oh you have to like come to us and like sign your life away and be like I swear I'll never do anything with it it's just nobody is nobody's actually use it right so we want to actually make it available on the Internet I'm gonna have really clear instructions right so we actually tested these instructions are like here here's our office ad administrator like can you get can you run through this thing tell us where we're too technical we don't explain it well enough and then remotely accessible so if we're doing real hardware it's really expensive to like hand out everyone at dev you know a few hundred dollar dev boards so we actually when I actually do
that remotely so the build this out
we you know obviously want to like segment this far away from any sort of internal network we want to have this completely isolated so that's what we did put a firewall in front of it and then you can see we have these Sabre light development boards which is what we use for this because this is a typical board for automotive and then we're like okay well people are hacking these we need a way to reset the boards periodically to a clean State so we put up Remo power that we can shrink control and reset the board have the board's boot off of the network off with TFTP server so I'm gonna actually reset these boards to kind of a pristine state so that other people can do it we have a walkthrough web server that has all the as all the instructions we've not wave my arms too much so the
hardware like I mentioned is the Sabre light board arm you know pretty typical here you know here's the breakdown we're
a little tight for time but you know you can take a look at it you know multi-core kind of typical features we
use the qnx 6.6 microkernel for this this is fairly common in automotive especially and gives you kind of that that depth when we just use the little simple web server so we you know any sort of embedded device is gonna have some exposed network service that may not always be a web server you know an automotive maybe something else sometimes oftentimes embedded devices will have web servers so for this just to make it easier for people to follow along we went with a web server and then we put in synthetic vulnerabilities right we're not gonna like find zero-days and port them here but these are inspired by you know very common vulnerabilities we've seen time and time again and embedded devices command injection a heap overflow for the initial remote exploit and then a kernel arbitrary memory modification via a vulnerable system call for a privilege escalation type of attack I mentioned before we wanted this to be ephemeral so that you know we don't have to manually like reset the board reflash them or something every time somebody walks through the sandbox so now I kind of go
through a high-level walkthrough and then depending on the time will actually take you through actually doing it on on a board so the stage one is where you know we're going to walk people through our initial remote exploit right so this is where they're going to connect to the web server there's a little file upload option even just to make it a little easier for people and you know which you do see sometimes somebody wants to upload their logo image or something to the device to like brand it and then there's two of ulnar abilities that you can choose from for the initial remote exploit you can do command injection or a heap overflow and then with that after you upload netcat you can then get a remote shell so you can actually then connect to the device have a user fluid cell and then you've you know gotten your first first foothold on on the device and then in stage 2 right we want to use now this user privilege cell to do privilege escalation to get you a root shell right so now you're gonna then run an exploit to compromise I use the vulnerable assist all to modify memory and the one that we used for this was okay you know you can use this vulnerable Cisco modify memory and we can just modify the SU binary to accept prompting for a password we'll just not bout that and return every password works even no password you know and then I can get you the full twofold root access here and then stage three which is you know the fun part or now you have root access now you can modify the web server we put like a little a little flag on the device that you know it's only readable by root that you can read as you know the secret file that have a fun fun message for you and and then anything else you can think of right so we'll walk through users on these two things but it's a full system so that's why we wanted to make it actually fleshed out real hardware so you can actually do do whatever whatever you like okay so now I'll actually go
through a live demo these is also
available online and if you got one of the Flyers it has the URL as well HTTP sandbox red balloon security comm I'm actually going to do this on this local board here just so no one hijacks the same board I'm using while I'm doing the demo and I know I know how you guys think so here I have this local board and this is you can see here there's a little saber light development board so I'm gonna
bring up my web page here so this is the this is a local copy but this is the same page that you'll see when you go to the to our sandbox URL you'll see kind of the overview of the sandbox and explanation of it support email and then you'll come down to these available endpoints where these are the actual you know publicly accessible IPs that you can go to so if you click on one of
those then you're gonna see you know a little mocked up web page of a typical embedded device web server where you might have some different things and often times they'll have a diagnostic page where you'll have like oh I can ping things or I can upload files for rebranding purposes or something or maybe there's some other service here so we put these vulnerabilities right so this one had the ping has the simple command injection the echo test has a heap overflow that then you can can use to go through the exploitation so then
the actual walkthrough is going to go through you know in great detail step by step so it's gonna discuss you know the stages kind of what I just told you and then it's going to come down to and actually give you you know example command so you could run so for instance here you know I have this semicolon which is the escape character for bash to run two commands and so just one so if this is going to ping something I
could ping something and run the LS command for instance so here you can see
the results of your ping command but then you can also see now the listing of the files in the local directory where this service is running for instance so
that's how you know we walk everyone through
like oh that's how an attacker would see whether or not this is vulnerable to this type of command injection and then will even have you know a little video playthrough typing it out just so you know right so in our office seven that
they're like ping was you know with box you know it's like no this is the actual box you type and this is how you do it so it's really gonna you know both hold your hand all the way if you need it which is fine you know we love to educate people who are new to security as well as kind of give you the highlights the commands you want to run if you just want to like bang it out real quick and explore it and do your own thing so you can also do so things
like this where you know an attacker is going to want to know what sort of system you know it's running they might
check and see and be like oh okay this is actually UNIX system it's armed little india and so now i know you know the sort of tool chain i might need to compile they attack for for this and
then we're actually going to then upload a file so we actually have you know so you could as an exercise as a reader you can you know go out grab netcat open source you know compile it for this target and put it on there so that's going to be out of the scope of what you know a lot of people are going to want to do if they're very new to security that probably also don't want to compile for armed little-endian random open source you know projects so we actually have those files available
so we can actually just upload this and
then we can now pull it over so now this
has been uploaded as a very random file here I might want to say about that file
name because those are randomized each time and then we're gonna want to achieve audit so it's actually
executable because when you know most
web servers you upload a file they're not gonna just give you the full executable right away although Hilaire you know there's always the hilarious ones that just oh yes this
file needs seven seven seven permissions across the board so now we actually give
you a grant okay now you want to run that cat to listen to pipe you know the
shell so basically or just forwarding all of all of the you know the bin SH internet cat which just gives us this little network socket where we can interact with VIN SH now you can see oh it's webpage is actually hanging because now I've started a program that's not returning so now I can jump in here and
connect back to it oh if I get the right porch what port today one three if I get my right lead port combination and now now I have a remote shell on the device right so I can check what idea actually I'm so I'm running as nobody which is probably what you know the web server is running as presumably you know and then
we can continue on so we also have an in-browser terminal so we found very early on that you know a lot of these users who are new to security are running Windows they don't have that cat installed by default there's actually non-trivial installing that Kevin windows so like here we'll actually make a little JavaScript WebSocket proxy that you can connect back to one of our servers that will spawn up a net cat connect to it and then forward back you know the commands back and forth through your JavaScript so even on a Windows machine you can use you can actually use this headers walk to walk through the whole thing okay so we connected we check the ID so now here's the alternative stage one where you can do the heap overflow exploit I won't do that since we're running short on time and now here we don't want to do privilege escalation right now we're in stage two so we can if I try to do su right now it's going to say it's sorry I'm sorry - I'm still nobody this is very disturbing and then so we actually here have a walkthrough
of how an attacker would and you know kind of reverse engineer this so right here okay they know su says you know the sorry string when you're wrong so now I can you know look through the code find out where that actual final check is right look at the check and then just change this string compare you know it'll always return return true basically so it's like these basic
principles but we want to make it accessible as accessible as possible to people so now I'm going to upload we have another binary to upload here to
exploit the privilege escalation so again we write this one for you where as an extra side of the reader you could then use your users tell to like pull down things and try to explore and
actually write this exploit to exploit the vulnerable sis call that we injected
again we're gonna want to show mod this
and then and this is all these commands
I'm kind of breezing through we're all very detailed written out here so now
this little tool here basically is just a primitive tool to do arbitrary read and writes of memory using this vulnerability so if you Ryan the help on
it you'd see you know kind of the details what the twos gonna tell me to write you know at this address this this
binary hex which is going to be the opcode that's gonna just make this little change in the SU binary that's now going to remove the requirement to
have a password and now did not say sorry and now I'm rich right so it just walks you through like very step-by-step this process of having this visceral you know visceral reaction to being able to actually see what it's like to hack something so for ease of use you know now you can do anything for ease of use we added another file you can upload
that'll do like a large copy-paste so you can more easily deface the web server but you know your route now so
you can do whatever you want but this
one is a little easier for for the lay user to use so again we have to go through the make all the mechanics here or I could do this actually inside my
shell now that I have a shell in as well but this shell is just so more
convenient because it's on a web server so that's nice too so now right I can
put some text the famous your name here hacker for instance as he's really dastardly he's hacked all kinds of all kinds of things and then I can actually if I remember what file it was I uploaded now I can
run this and copy over this this file
but you can you can be I hope you guys are more creative you're gonna have some cool ASCII art or something so again here right we're giving you this memory address which is actually the memory address of where the web server is storing and memory you know the text the web pages but that again right is an exercise to the reader you could show go through reverse engineer a search through the memory space now that you have root privilege and do that so that's passing everything in so now if
I'm lucky and sometimes you have to do a
hard refresh you know for these but I can actually have the experience of like hacking hacking in the web server so this may not seem you know those of you or more experienced in security this isn't anything new or like crazy but our main goal here was to really just detail
this walkthrough so that anyone can do it so then we also put a little secret flag here so if I look in the data folder there's a secret file right up here does not work here you know that you can see is only rewritable by root so but I'm not going to show you what that is you have to go and do it and do it yourself so that's the gist of it where's presentation it yeah so sandbox is
available here well maybe it's thinking about it well sandbox that red balloon security calm you know you're welcome to try it out show your colleagues send it to the
person who always like it's like what do you do you hack things how is that it's magical craziness be like no here it's actually not that hard you know experienced person will burn through this in like ten minutes we are office admin took like 45 I think you know but it's it's there for for a whole set of users so you have any questions it really okay well maybe it'll show I'll just keep saying it
sandbox the red balloon security comm any questions yep we have no plans to take it down if you all like break it horribly right now we have eight boards set up so if you guys physically destroy all eight of our boards will be sad and like maybe we'll bring it back up with bigger and better boards and more security or maybe we won't but no we plan to like keep this keep this online for people to play with and to use so you know now that it's set up it's all pretty automated and as long as nothing horrible happens to it you know feel free you know it's there you do it you do what you need to do but you know and they do power cycle periodically so we'll keep an eye on it but though the goal is to leave it up so every where I don't think we're gonna run out of people who want to or need to learn about security and new verticals and embedded devices anytime soon so yep so depending on the interest we're definitely considered you know adding you know kind of a multi-stage right off the obvious next step is to say okay well here's this little dev board maybe once you get rid on this you need to like go over can or something to some other device and like start building it out obviously I takes more effort so like if there's interest we'd love to hear about it you know be like oh this is really cool but can you add this cool thing and then yeah we've we've definitely thought about you know in the future we may continue to build this out you know especially as you know if we have internal things that we could just spend a little extra time and adapt it to this where we have little tests and things that we that we write for own you know for other purposes where there's research or commercial so yep well that's a very good question so we've thought about them we're like okay if people are gonna have some weird check out interface and like we're like no free-for-all you have more power to you hence why I have my board right here not not one of the ones online but realistically you can actually go through most of the same thing as long as I don't like really mess up the board if they're just following the instructions the only thing you're gonna notice is that one the webpage may already be deface but you could just deface over it and be like no your name here no my name here and then when if they already patched the SU binary you're gonna get root without having to patch it yourself but that's the only thing so you can actually still go through most of those steps but the boards do reset every hour and they're staggered so every 15 minutes you can kind of choose a board that has a little more life time in it but yes that is there is a race condition there that we're like well they can still go through most of it the other side of building all that out would be a lot more yeah yeah mm-hmm yeah sure so I mean yeah these are used actively in development so this is the kind of like kind of thing so you know this quick one of the issues you would see what's gonna make it you know very particular to a car is the you know user buying areas that you're putting on it right so obviously this little web server is not hopefully not one of those binaries you would put on it but you just if you wanted to make it more realistic you'd be like oh here's an old binary that was actually put on a car and you could put on it and then you'd have a more a more you know in-depth environment but the concept is the same you're gonna have some service there's gonna be some vulnerability yeah it might look a little different but it's the same it's the same thing yep so I had one question over there maybe No Oh perfect okay two for one any other questions I can end a little early and try to catch up on time all right thank you all [Applause]