PACKET HACKING VILLAGE - Car Infotainment Hacking Methodology and Attack Surface Scenarios

Formal Metadata

Number of Parts: 322
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
The battle for control of the dashboard display or infotainment system has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards, perhaps Windows ME or CE) or BlackBerry's QNX. In-Vehicle Infotainment (IVI) or In-Car Entertainment (ICE) systems are fun consoles where you can play media and movies or work with your car's navigation system, but they also come with the risk of being hacked or attacked, because they have been plagued with vulnerabilities. In this talk, join Jay as he presents his own car hacker's methodology for finding security bugs in order to pwn a car's infotainment system without drive-by-wire or CAN bus hacking tools. He will simply point out the common attack surfaces, e.g. WiFi, Bluetooth, USB ports, etc., and some scenarios for exploiting them, just like how he popped a shell and issued an arbitrary command in his own car, which he tweeted on Twitter before.
Transcript: English (auto-generated)
My topic is car infotainment hacking methodology and attack surface scenarios. So it's IVI, or in-vehicle infotainment, or ICE also, in-car entertainment. So my name is Jay. That's my Twitter handle. I work as an application security engineer at Bugcrowd. Shout out to my colleagues also. That's my day job. But in the Philippines, we organized RootCon, which is the hacker conference in the Philippines. We also contributed some tools.

I love playing games. I'm not the creator of the Turla malware despite my family name. I'm not even Russian, so you know. Yeah, so I love to party. Who doesn't, right, at DEF CON? Yeah, so before anything else, we need an inspirational quote, or whatever you think about it.
It's not about the ride, it's the rider. So here's our scope and limitations so that you won't be disappointed with what this topic is all about. So first of all, IVI, or in-vehicle infotainment, infotainment systems, what you call a shortcut. It's what you have in your dashboard for modern cars, wherein it's anything that you can play your videos with, also music. You don't need to touch your phone. You can connect your phone to it and then call using that. So something like that. So it's purely infotainment bugs and its attack surfaces. So what are the common vulnerabilities for infotainment?

There's no CAN bus hacking. Sorry for that one. But if you want to learn that, there's also the Car Hacking Village. Yeah, methodology, security bugs, but not full takeover of the car, because sometimes infotainment has limitations. In some vehicles you can control the steering wheel, but in some cases it's in a separate module, so it's in a sandbox. It's different. In fact, there are also IVIs which are third-party add-ons for your car.
So it's very inspired by what Jason Haddix wrote in his GitHub and presented at DEF CON. It's the Bug Hunter's Methodology, but in my case, it's how to find bugs in an IVI. So I'm probably going to miss out some attack surfaces. So if you know anything, let's talk, or maybe you can share it with the audience. So yeah, from The Car Hacker's Handbook by Craig Smith, these are the common attack surfaces that you have in your car. Those are the most common, the things that you can do to exploit your car. I mean, some of these entry points you can use to maybe take over the car, or play some videos on it, or crash the system, something like that, or install malicious firmware on the IVI.

But in this talk, these are the attack surfaces that we have. We have the Bluetooth. We have the Wi-Fi. USB ports, because that's where you charge your phone or you play your music sometimes using a USB flash drive. SD card ports to update the maps, the GPS, or load something, probably apps. The CD-ROM or the DVD-ROM, so that's also where you play some videos or maybe music, or your DEF CON CD that you have to play that music. And we also have the touchscreen, so even though you have physical access to it, it's also an attack surface. It's an entry point for hackers. So it allows you to control the console, of course. And there are things that you can do by just touching the touchscreen or the dashboard. The audio jack, I don't have any proof of concept for this yet, but probably short out something for the IVI.
And then we have the cellular connection, the GPS, etc. So for the Bluetooth, they say that everything's better with Bluetooth. Not really, but it's good. So for cars, for IVI, it's coupled with Bluetooth vulnerabilities. So I think two weeks ago there was a new Bluetooth vulnerability. You can jam, so most of the IVIs have Bluetooth, right? To connect your phone to your car, then play some music or call someone, anything, GPS also. So you can jam the Bluetooth to render the owner of the car not able to play his songs, or Justin Bieber's songs. So there's also code execution. You can execute arbitrary commands on a car, on an IVI, via Bluetooth. But I haven't seen a PoC for this yet. Maybe it will come out with other hackers in the Car Hacking Village. And of course, the default pairing numbers for Bluetooth. We have the 0011, 1234, or whatever. So those are the things that you can do, right? Pairing numbers.

Or malformed or format string vulnerabilities. With this kind of format, you can actually break the system or crash the system, or probably it takes you to the desktop mode of the IVI. For example, if it runs on Windows ME or Windows whatever it runs. So it could take you to a desktop because, for example, it's a sandboxed app only. So there's also memory corruption. Send malformed packages to the head unit, so you can also crash the Bluetooth stack. This one, you have format string specifiers in a device name. You can rename your phone with this percentage sign. It's a format string. CVE-2017-9212 was assigned to a BMW 330i 2011 car. The researcher was from IOActive. Like I said, test at your own risk. Like I said, what if it takes you to the desktop environment or debug options of your IVI? So this guy, he tweeted it on Twitter. So basically set your smartphone's name to %x, %h, or %c, anything, a format string, and connect the devices. So here's a 2011 BMW 330i. So what it did is that he was able to crash his car and break his system. So you have badges, right? You can go to the people who have their cars there right now to connect to it over Bluetooth. And yeah, if you don't know some, you can go to SecLists, which is a GitHub repo where you can get some payloads, or you can fuzz, you can rename your phone, address book, or the song, the song of your MP3, something like that. I just need to go to this repo. So fuzzing for format string vulnerabilities or strings. This is by Jason Haddix and Daniel Miessler.
Wi-Fi. So after Bluetooth, we have Wi-Fi. When Wi-Fi is down and all you have is imagination. So if there's Wi-Fi, of course, common Wi-Fi vulnerabilities, right? So you can be off the device so that he will be able to connect to the Wi-Fi. For example, there are some IVIs wherein it allows you to connect to your Wi-Fi. And you know what happens thereafter? You will have an IP address and you can do something with it. And we'll talk about that later. So there is also a way for you to update your car wherein it's in one of the settings, update your firmware, right? So if it's connected to your own network and you press the update, why don't you try to sniff the packets and check the firmware, where the firmware came from. And you know, you can also change the firmware if it doesn't have firmware signature validation. So you can reverse the firmware and maybe send a backdoored firmware to someone's car.

So you can also connect to the Wi-Fi, fetch the IP address, then... So if it's in your network now, what are you going to do? You just need to scan your network, or if you own the network, you can see it in the router, the hostname. So just scan the ports of the IP address that you have, and then what services does it have? What services does your car have for the IVI? Does it have FTP? Does it have Telnet? Does it have SSH? Okay, so if it does have Telnet, and the guy that owns the car is also a hacker, or maybe an attacking person, but you know, he tried to log in with his credentials, so you can actually sniff the credentials, because it's insecure, Telnet and FTP for example. So some of these interfaces have no authentication, okay? They don't have authentication; some have authentication but have weak passwords. So yeah, Netcat is your friend. So exploit, if there are other services, try to check if it runs older services. So pretty much like the penetration testing methodology that you have, that you learn.

So this is from my car. So if it has a weak password, try brute forcing the credentials, right? For example, there's SSH. Try to brute force the credentials, or if you know the default password, you can try it. So get to know the default password of the system. This is from a Mazda 2017, and yeah, it has SSH open, and that's the default password. So there's a video on it, just to prove that I'm not, there is, so it's not complete, it's just the shell, yeah. So I'm kind of slow in typing because I was holding my camera. Runs on Linux, CMU, and yep, didn't continue from there, just to let you know that there are things under the JCI. So this was reported, so if there are people from Mazda, don't sue me anymore, yeah, this is reported already. I value responsible disclosure, so yeah.
Right, so another case, Daan Keuper and Thijs Alkemade from Computest gained access to the IVI's root account for Volkswagen and Audi. So this is the link to their report. They didn't give enough details or a PoC for the attack, but they have an exploit. So by just knowing the IP address, connected to the same network, they have their own exploit, SSH. So as you can see, it was able to execute uname space minus a, and it's running on QNX. And look at the board, it's an NVIDIA Tegra 2 board, ARM. Yeah, and there's also this one from one of their reports also, so Telnet, and there's the default password. So yeah, if you also have access to the network, you can also sniff the credentials, because it's Telnet, right? It's from Audi, okay? Who owns an Audi here? Don't throw it away, but just keep it away from hackers right now.

Okay, so key takeaways from Charlie Miller. They looked at 2015 vehicles. This is a big difference between car hacking and, say, browser hacking. So 2015 is still new; it's an old browser, but a 2015 vehicle is still a pretty new car. In fact, if you own a Mustang 2015, that's still a pretty new car, right? Or if you own, like, 2010 something, and it's a very high-end car, like, for example, maybe Mercedes-Benz, so it's still a pretty new car. And for a browser, that's very old. I mean, some of the XSS, for example, for an XSS attack on the web, if it's already that kind of browser, some XSS payloads won't work already, right?

So this is another one from Ian Tabor. So he also showed an analysis of the IVI system within the 2015 DS5 1955 Limited Edition. So he was able to connect to the device over TCP port 23. It's still Telnet. So the problem with this one, it doesn't have any authentication, right? So just maybe use Netcat or Telnet, and yeah, there you go. You can already access the IVI. So the things that you can do there, call logs, data leakage, those are the things that you can do. What the driver has been doing, like where did he go, because of the GPS navigation, and also some call logs that they have, pretty much like that. So yeah, even though it's already 2015, some manufacturers have these kinds of issues.

So next we have the USB port, or the universal serial bus.
So things that you can do, you can install malicious apps or apps with it. You can update the firmware via the USB, and you can do RCE or remote code execution if it's vulnerable. So the USB Killer. Have you heard of this USB? So if you plug it into your computer, it destroys your computer. So maybe if you plug it in, it's possible that you can crash or maybe erase the data on your IVI. So in some cases, if your IVI doesn't have Wi-Fi but it has a USB port, you can buy a USB to Ethernet adapter, so it's another way for your car to have an IP address if the Wi-Fi is locked down.

So in my case, this is what I did. So owners of Mazdas have been modding and installing apps on their infotainment system using the Mazda All-In-One. So it's All-In-One Tweaks. It's on Mazda3Revolution. So I tried to check what's with the app, and tried to look at how it's done. So putting it all together from the documentation. Can you still hear me? Okay, putting it all together in the documentation, there's documentation that allows you to update the CMU of the car. So I tried to read it, and there's actually a website for it. And you just need to put what you can download from that website on a USB flash drive, and you can already retrieve the CMU details. So in one of the files of that zip file that you downloaded from their website, there's actually a text file like this. So CMD, as you can see in the last number, it actually is executing a shell script. So yeah, I've put it all together to prove that this is what a valet parking can do to you. Like, hey, can you park my car? And then the attacker has a USB. And yeah, that's what I did. So that's the PoC. So I created a PoC in the SH file. So this is one of the snippets from the shell script. So that's what I did. I executed the uname -a. And there's actually a video of this one.

So I apologize for the chicken in the video. Yeah, this is the one that I did. So you can see the files. Yep, so as far as you can see, there's a USB flash drive. So I was playing music. So let's just try to fast forward. There. So I did, from the shell script, you have the echo command. So I was able to execute uname space minus a. Yeah, it's shown on the screen. So those are one of the dangers, you know. So aside from being able to install apps, you can actually execute some arbitrary commands on your car. So yeah, that's the code again. So from the update file that you can just have on your flash drive. So this is the, let's go back. This is one of the text files, the text file of the update. This executes the info.sh. And this is what's inside the info.sh, or shell script. So I'm calling one of the JCI tools that allows you to show to your screen. And yeah, that's it. Just to prove that there's RCE.

So also another case. Researchers from Keen Security Lab also found local code execution via the USB through an update. They were not able to show a PoC for this one. Maybe because, like, they don't allow full disclosure, but just a PoC that, or evidence of the attack that they did. There's no PoC, so yeah. So still the same thing with an SD card slot. Basically, you load the same thing. So if there's an update for your car, or you can update the firmware via the CD-ROM or the DVD-ROM, then you can load something, right? So for Mazda, using this non-CMU bug, you can actually deploy apps through the custom application SDK. So yeah, you can create your own apps with this one. It's free. And yeah, you can just test it. And like I said, there's also the touchscreen as one of the attack surfaces.
So you just need to connect to Wi-Fi to establish an IP address. So that's for another attack, which is the Wi-Fi attack. But for this one, if you just press anything, you try to rapidly press the buttons of your car, you can actually cause an overflow with that one. So picture below from my uncle, this is what he got. And yeah, the dialog box seems familiar, right? Yeah, so when you try to close that one, what happens is that it takes you to the Windows desktop environment, and you can actually run CMD from there. So one of my friends from RootCon also, he has a third-party IVI in his Honda car. He was not doing anything, but the application just crashed, and it also took him to the Windows desktop environment, and there's a start menu, locate CMD, and yeah, do something like that. No PoC, because during that time we were not yet interested in car security. So sorry, no PoC for this one, but yeah, it happens.

So have you seen this YouTube video? How to mod your Porsche 911 or other car to run Doom in three easy steps. So is this true? Nope, it's just a joke. So he has a lot of videos. So what he did is that he just inserted Doom, then Doom played on his Porsche, but it's not true, because he also has a funny video or a prank video wherein he was able to run Doom on his toaster. That's the toaster there. He did a lot of prank videos, and other security guys thought that it was true, but it's not. So yeah, for GSM, cellular connection, phone app,
they have an app that connects to your car. So it's time for some mobile testing for this one. So you're going to try to intercept the requests, or you can use Burp to test the app and see how it goes from there. So there is one finding from this one wherein you can test the URLs you intercepted while testing the app. And Troy Hunt, he wrote an article about this, but he didn't specify the exact URL. So what it does is that from the mobile app, there's an API that allows you to control the steering wheels, and he was able to intercept that one, and if you know the VIN number of a certain car from Nissan LEAF, you can actually control the steering wheels of another car. Okay? It's Nissan LEAF. So you can eavesdrop on the connections. So if you have a mobile app for your car, you can reverse engineer the app, and if you reverse engineer the app or view the options there in the source code, maybe you can get the API key. So I don't have a PoC for this one, but I was able to look into one of these ones to destroy someone. So like I said, because I work in a company that does responsible disclosure, that's why I don't have a PoC for the other app to your phone.

But here are some of the programs wherein you can report some issues if you find bugs in your car. So yeah, earn money on some of the cars that you have there. So you have the FCA at Bugcrowd, and you have Tesla Motors, and also General Motors, GM from HackerOne. So yeah, it's not just XSS for reporting bugs. So I already did a demo on the car. So yeah, that's from CSI whatever. CSI whatever. Oh yeah, it's, sorry. Yeah, sorry. Okay, so here are my references to the talk that I have. So thank you Google for the memes, for some of the researchers that have PoCs for the car.

So as much as you can see, it's really risky. Final thoughts on this one is that maybe limit the connectivity, and don't just leave your car alone with the one who parks your car. Maybe there's a bar that allows you to update the firmware and steal some of the data in your car. Those are my references. And that's it. Just a short talk. But if you have any questions, let me know.
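The Bluetooth device-name bug in the talk (a phone renamed to something like "%x%x%x" crashing the head unit) comes down to untrusted text being used as a printf format string. The C below is an added example, not code from the talk, from IOActive or from any vendor's head unit: it places the defective rendering beside the fixed one and adds a small check that a pairing routine could use to log a suspicious peer name. The function names, the "Connected to" message and the sample names are constructed; the 248-byte limit is the Bluetooth local-name maximum and is assumed to be what a head unit would enforce.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the head unit caps names at the Bluetooth local-name limit. */
#define BT_NAME_MAX 248

/* DEFECTIVE: the paired phone's name is passed as the *format* string.
 * With a name such as "%x%x%x" the call reads values that were never
 * supplied as arguments, and "%n" can write memory; this is how a renamed
 * phone can crash or corrupt the head unit. Kept only for contrast, never
 * called with untrusted input. */
int render_vulnerable(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, name);
}

/* FIXED: the format string is a literal and the name is a %s argument, so
 * any '%' in the name is copied verbatim. Returns the length snprintf
 * reports, or -1 when the name is empty, over the limit, or carries control
 * characters (rejected before anything is displayed). */
int render_safe(char *out, size_t outlen, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > BT_NAME_MAX)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (iscntrl((unsigned char)name[i]))
            return -1;
    }
    return snprintf(out, outlen, "Connected to %s", name);
}

/* Detection aid: count printf-style specifiers in a device name so the
 * pairing code can log a suspicious peer. "%%" is a literal percent sign
 * and is not counted; a genuine phone name almost never contains '%'. */
int count_format_specifiers(const char *name)
{
    int count = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] != '%')
            continue;
        if (name[i + 1] == '%') {   /* escaped percent, skip both */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed device names: a normal phone, a renamed one, an escape. */
    const char *names[] = { "Jay's iPhone", "%x%x%x%x%n", "100%% legit" };
    char line[128];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = count_format_specifiers(names[i]);
        if (n > 0)
            fprintf(stderr, "warning: peer name carries %d format specifiers\n", n);
        if (render_safe(line, sizeof line, names[i]) < 0)
            puts("rejected device name");
        else
            puts(line);   /* the renamed phone prints its '%' signs literally */
    }
    return 0;
}
```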