Software defined murder

Can a hacker cause a car crash? Software plays an ever-expanding role in controlling various aspects of our daily lives, including the transparent management of our safety. In this talk we will attempt to answer a simple question: is it possible to kill someone with malicious software alone? In doing so, we will focus on automotive firmware. Fundamentals such as how an engine control unit works, and what responsibilities it has in a vehicle's normal operation, will be explained. We will not be speaking about purely theoretical attacks. Instead we will discuss and demonstrate (through pre-recorded video) practical examples, some requiring little in the way of programming knowledge.

Links to YouTube videos:
Kill map https://youtu.be/-5fGYfKrMdM
Launch control https://youtu.be/Z9PdUNPBNWY

Julien Savoie

April 27, 2017

Transcript

  1. Why this talk? • Hollywood plot? • Lack of security • Attacks are pretty easy • CIA #vault7 leak • Real threat may not be state actor • Stops being funny in a hurry
  2. Appeal to authority • 20 years IT experience • Worked in private/public sectors and academia • Usually talks about anonymity/crypto/privacy • Car modding enthusiast • Been tuning cars since 2011 • Plenty of crash experience
  3. What's an ECU? • Engine Control Unit • Often made by Denso or Bosch • ROMs are mostly just large lookup tables • ECU security is non-existent • CRC32 checksum only • Everything is trusted • Very few companies sign ROMs
  4. How does an ECU work? • Single control loop • Reads from sensors • MAF or MAP • Crank position • Calculates required timing advance/fuel • Either open/closed loop • Knock sensor • Front oxygen sensor • Other tasks like boost control, cam timing
  5. Drive by wire • Historically cable given • Entire industry has transitioned • Advantages • Allows driving modes • Fewer moving parts • Gas pedal connected to a sensor • Lookup table
  6. Throttle lock open attack • We can alter throttle tables • Set values to 100 percent above a certain RPM • We can alter idle targets table • Set values to max rpm above a certain temperature
  7. Software defined grand theft auto • Power ECU directly • Can write to ECU without key • Immobilizer key IDs rewritable
  8. Basic, anyone can do it. • No programming skill required • Possible threat actor list • Dozens killed yearly by floor mats • Basic remediation • Turn off your car • Shift into neutral • Using brakes? • We will get to more complex attacks
  9. No, it's not just Subaru • EcuFlash; Mitsubishi/Subaru • HP Tuners; GM/Ford/Dodge/Chrysler/Mercedes • Cobb ATR; Subaru/Ford/Mazda/Nissan GT-R/Porsche/VW • And many more I’m missing
  10. Has this happened before? • Michael Hastings • Died in a car crash in June, 2013 • Noted journalist, covered Iraq War • Witness description of crash • Vehicle was a Mercedes C250 • “consistent with a car cyber attack” - Richard A. Clarke • Within realm of possibility
  11. ECU assembly language • We don't have source code • No attempt at obfuscation • IDA Pro very helpful • Different instruction sets between mfg'ers • Typically • Straightforward RISC model • Single thread • No memory protection • Static addresses
  12. SuperH architecture • This is not a talk on assembly language • 16-bit fixed instruction length • 16 general purpose registers • A number of timers to control duty cycles • Status register controls interrupt masking • Adding code usually means jump’ing to unused memory
  13. Cruise control pseudo code

      cruise_control_change_state()
        if set memorized_speed
          unset memorized_speed  change to noop
        else
          memorized_speed = current_vehicle_speed  max_int
  14. How traction/stability systems work • Variety of algorithms • Input from various sensors • Wheel speed sensors • Lateral G • Commanded torque • Observed versus expected behaviour • Basically two tables • Threshold table • Correction table • Remediation • Reduced throttle • Apply brake to specific wheel
  15. Transmission control systems • Increasingly, no mechanical connection • We can ignore driver inputs • Mask interrupt for position change in status register • Can change personality/handling characteristics • AWD / Computer controlled center diff • 2D MAP
  16. What about brakes? • Not as fruitful as you'd think • Most systems are still mechanical • Master cylinder runs off engine vacuum • ABS computer often not flashable/separate • Trigger emergency braking • Adjust threshold to reduce braking • Electronically controlled brake • Lexus/Toyota hybrids • Sensotronic Brake Control (SBC) • Mercedes
  17. CAN bus • Controller Area Network • Multi-master serial bus • Significantly reduces wiring • Frames • 11-bit identifier • 18-bit extension • CRC check • No authentication
  18. Infotainment systems • Just like internet of things, but in your car • Almost always on canbus • "nmap -sV" mobile hotspot gateway IP, cry • Usual IoT type vulns • Default login creds • Poorly configured services • Out of date daemons • Auto makers have become software companies • Over the air updates
  19. Remote attack vectors • Where everyone gets nervous • We can pivot into canbus • PoC by Charlie Miller/Chris Valasek • Harman Uconnect running QNX • WPA PSK generator seeds with epoch • D-Bus daemon bound to all interfaces • Bluetooth OBD2 dongles • Hyundai Blue Link
  20. Commercial/fleet vehicles • All the fun, more mass • SAE J1939, much more standardization • Fleet management systems • Only place ransomware really works • Could be done subtly
  21. So what's the fix? • Disclosure needs to be easier • Code signing • Right to repair • John Deere • Verification done on driver key • Vehicle kill switch • The cost of doing nothing
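
Slides 3 and 21 contrast a CRC32-only check with code signing. The following is an added example, not part of the talk or any vendor's code, showing why a flash-acceptance check built on a checksum catches accidental corruption but not a deliberate edit, while an authenticated check rejects both. The image layout, key and function names are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature real code signing would use.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed layout (assumption, not a vendor format): payload + 4-byte big-endian CRC32.
SIGNING_KEY = b"constructed-demo-key"  # placeholder key for the example


def build_image(payload: bytes) -> bytes:
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def crc_ok(image: bytes) -> bool:
    """Integrity check only: anyone who edits the payload can refresh the trailer."""
    if len(image) < 4:
        return False
    payload, trailer = image[:-4], image[-4:]
    return struct.unpack(">I", trailer)[0] == zlib.crc32(payload) & 0xFFFFFFFF


def make_tag(image: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Vendor side. HMAC is a stand-in here; real signing keeps only a public key on the ECU."""
    return hmac.new(key, image, hashlib.sha256).digest()


def accept_image(image: bytes, tag: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Bootloader-side policy: authenticate the image, then run the CRC sanity check."""
    return hmac.compare_digest(make_tag(image, key), tag) and crc_ok(image)


def demo() -> dict:
    original = build_image(bytes(range(64)))   # constructed 64-byte lookup table
    tag = make_tag(original)                   # detached tag issued with the image
    # Accidental corruption: one bit flipped, trailer left untouched.
    corrupted = bytes([original[0] ^ 0x01]) + original[1:]
    # Deliberate edit: one table value changed and the trailer recomputed.
    edited = build_image(b"\xff" + original[1:-4])
    return {
        "crc_original": crc_ok(original),
        "crc_corrupted": crc_ok(corrupted),
        "crc_edited": crc_ok(edited),
        "auth_original": accept_image(original, tag),
        "auth_edited": accept_image(edited, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The `crc_edited` and `auth_edited` results are the ones to compare: the edited image passes the checksum and fails authentication.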