Slide 1

Software Defined Murder

Slide 2

Why this talk?
• Hollywood plot?
• Lack of security
• Attacks are pretty easy
• CIA #vault7 leak
• Real threat may not be a state actor
• Stops being funny in a hurry

Slide 3

Appeal to authority
• 20 years IT experience
• Worked in private/public sectors and academia
• Usually talks about anonymity/crypto/privacy
• Car modding enthusiast
• Been tuning cars since 2011
• Plenty of crash experience

Slide 4

What's an ECU?
• Engine Control Unit
• Often made by Denso or Bosch
• ROMs are mostly just large lookup tables
• ECU security is non-existent
  • CRC32 checksum only
  • Everything is trusted
  • Very few companies sign ROMs


Slide 6

How does an ECU work?
• Single control loop
• Reads from sensors
  • MAF or MAP
  • Crank position
• Calculates required timing advance/fuel
• Either open or closed loop
  • Knock sensor
  • Front oxygen sensor
• Other tasks like boost control, cam timing

Slide 7

Table definitions

Slide 8

Drive by wire
• Historically cable driven
• Entire industry has transitioned
• Advantages
  • Allows driving modes
  • Fewer moving parts
• Gas pedal connected to a sensor
• Lookup table


Slide 10

Throttle lock open attack
• We can alter throttle tables
  • Set values to 100 percent above a certain RPM
• We can alter idle targets table
  • Set values to max RPM above a certain temperature
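Because the throttle and idle tables are plain lookup tables (slides 4, 8 and 10), a flashing tool or bootloader can sanity-check them before a ROM is accepted. The following is an added example, not code from the talk or from any tuning tool; the axes, table contents and limits are constructed for illustration.

```python
"""Plausibility checks for drive-by-wire throttle and idle-target tables.

Added example, not from the talk or any tuning tool: a flashing tool or ECU
bootloader could run checks like these before accepting a ROM, so a table
edited into the "throttle lock open" shape is rejected. Axes, values and
limits are assumed for illustration.
"""

PEDAL_AXIS = [0, 25, 50, 75, 100]                # row axis: pedal position, %
RPM_AXIS = [1000, 2000, 3000, 4000, 5000, 6000]  # column axis: engine speed

# Constructed "stock" table: throttle opening (%) roughly follows the pedal.
STOCK_THROTTLE = [
    [0,   0,   0,   0,   0,   0],
    [20,  22,  25,  25,  25,  25],
    [45,  48,  50,  50,  50,  50],
    [70,  72,  75,  75,  75,  75],
    [100, 100, 100, 100, 100, 100],
]

# Constructed tampered table in the shape the slide describes: from 3000 RPM
# upward the throttle is commanded fully open whatever the pedal does.
TAMPERED_THROTTLE = [row[:2] + [100] * 4 for row in STOCK_THROTTLE]

MAX_CLOSED_PEDAL_OPENING = 5   # % opening allowed with the pedal released (assumed)
IDLE_RPM_RANGE = (500, 1500)   # plausible idle targets in RPM (assumed)


def check_throttle_table(table, pedal_axis=PEDAL_AXIS, rpm_axis=RPM_AXIS):
    """Return a list of findings; an empty list means the table looks sane."""
    findings = []
    for col, rpm in enumerate(rpm_axis):
        column = [row[col] for row in table]
        # A released pedal must not command a significant opening at any RPM.
        if column[0] > MAX_CLOSED_PEDAL_OPENING:
            findings.append(f"{rpm} rpm: {column[0]}% throttle with pedal released")
        # Opening must never fall as the pedal is pressed further.
        for i in range(1, len(column)):
            if column[i] < column[i - 1]:
                findings.append(f"{rpm} rpm: opening drops between "
                                f"{pedal_axis[i - 1]}% and {pedal_axis[i]}% pedal")
    return findings


def check_idle_table(temp_to_rpm):
    """Flag idle targets outside the plausible range; keys are coolant temp in C."""
    lo, hi = IDLE_RPM_RANGE
    return [f"{t} C: idle target {rpm} rpm out of range"
            for t, rpm in sorted(temp_to_rpm.items()) if not lo <= rpm <= hi]
```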

Slide 11

How to flash an ECU


Slide 13

Software defined grand theft auto
• Power ECU directly
• Can write to ECU without key
• Immobilizer key IDs rewritable

Slide 14

Kill map video demonstration: https://youtu.be/-5fGYfKrMdM

Slide 15

Basic, anyone can do it.
• No programming skill required
• Possible threat actor list
• Dozens killed yearly by floor mats
• Basic remediation
  • Turn off your car
  • Shift into neutral
  • Using brakes?
• We will get to more complex attacks

Slide 16

No, it's not just Subaru
• EcuFlash; Mitsubishi/Subaru
• HP Tuners; GM/Ford/Dodge/Chrysler/Mercedes
• Cobb ATR; Subaru/Ford/Mazda/Nissan GT-R/Porsche/VW
• And many more I'm missing

Slide 17

Has this happened before?
• Michael Hastings
  • Died in a car crash in June 2013
  • Noted journalist, covered Iraq War
  • Witness description of crash
  • Vehicle was a Mercedes C250
  • "consistent with a car cyber attack" - Richard A. Clarke
• Within realm of possibility


Slide 19

ECU assembly language
• We don't have source code
• No attempt at obfuscation
• IDA Pro very helpful
• Different instruction sets between manufacturers
• Typically
  • Straightforward RISC model
  • Single thread
  • No memory protection
  • Static addresses

Slide 20

SuperH architecture
• This is not a talk on assembly language
• 16-bit fixed instruction length
• 16 general purpose registers
• A number of timers to control duty cycles
• Status register controls interrupt masking
• Adding code usually means jumping to unused memory

Slide 21

Cruise control pseudo code

    cruise_control_change_state()
        if set memorized_speed
            unset memorized_speed                    -> change to noop
        else
            memorized_speed = current_vehicle_speed  -> max_int

Slide 22

Launch control video demonstration: https://youtu.be/Z9PdUNPBNWY

Slide 23

How traction/stability systems work
• Variety of algorithms
• Input from various sensors
  • Wheel speed sensors
  • Lateral G
  • Commanded torque
• Observed versus expected behaviour
• Basically two tables
  • Threshold table
  • Correction table
• Remediation
  • Reduced throttle
  • Apply brake to specific wheel

Slide 24

Proof people do this

Slide 25

Transmission control systems
• Increasingly, no mechanical connection
• We can ignore driver inputs
  • Mask interrupt for position change in status register
• Can change personality/handling characteristics
• AWD / computer controlled center diff
  • 2D MAP

Slide 26

What about brakes?
• Not as fruitful as you'd think
• Most systems are still mechanical
  • Master cylinder runs off engine vacuum
• ABS computer often not flashable/separate
  • Trigger emergency braking
  • Adjust threshold to reduce braking
• Electronically controlled brake
  • Lexus/Toyota hybrids
  • Sensotronic Brake Control (SBC)
    • Mercedes

Slide 27

CAN bus
• Controller Area Network
• Multi-master serial bus
• Significantly reduces wiring
• Frames
  • 11-bit identifier
  • 18-bit extension
  • CRC check
  • No authentication
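Because a frame carries no sender identity or authentication, CAN intrusion detection has to work from timing and content instead. The following is an added example, not code from the talk: it parses candump-format log lines, learns each ID's normal transmit period from a clean baseline, and flags frames that arrive far too early. The IDs, periods, log lines and the 0.5 ratio are constructed assumptions.

```python
"""Rate-based anomaly detection over a CAN capture (added example, not from the talk).

A CAN frame carries an identifier, data and a CRC but nothing that says which node
sent it, so a receiver can only judge frames by content and timing. A common
detection approach learns each ID's normal transmit period and flags frames that
arrive far too early, which is how an injected copy of a periodic message looks.
Log lines are constructed in candump's text format; IDs, periods and ratio are assumed.
"""
import re
from collections import defaultdict

CAN_SFF_MASK = 0x7FF         # 11-bit standard identifier
CAN_EFF_MASK = 0x1FFFFFFF    # 29-bit extended identifier: 11 base bits + 18 extension bits
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def parse_candump_line(line):
    """'(ts) iface ID#DATA' -> (timestamp, id, is_extended, data)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    extended = len(m.group(2)) > 3    # candump prints 8 hex digits for extended IDs
    can_id = int(m.group(2), 16) & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return float(m.group(1)), can_id, extended, bytes.fromhex(m.group(3))


def learn_periods(frames):
    """Median inter-arrival time per ID, learned from a clean baseline capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _, _ in sorted(frames):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {i: sorted(g)[len(g) // 2] for i, g in gaps.items()}


def find_anomalies(frames, periods, ratio=0.5):
    """(timestamp, id) of frames that arrive sooner than ratio * the learned period."""
    last, hits = {}, []
    for ts, can_id, _, _ in sorted(frames):
        if can_id in last and can_id in periods and ts - last[can_id] < ratio * periods[can_id]:
            hits.append((ts, can_id))
        last[can_id] = ts
    return hits


def demo():
    """Baseline: 0x0C1 every 10 ms, 0x1F0 every 100 ms; capture adds three early 0x0C1 frames."""
    baseline = [f"({1 + i * 0.010:.6f}) can0 0C1#0000" for i in range(50)]
    baseline += [f"({1 + i * 0.100:.6f}) can0 1F0#00" for i in range(5)]
    injected = ["(1.252000) can0 0C1#FFFF", "(1.253000) can0 0C1#FFFF", "(1.254000) can0 0C1#FFFF"]
    periods = learn_periods([parse_candump_line(l) for l in baseline])
    return find_anomalies([parse_candump_line(l) for l in baseline + injected], periods)
```

A real deployment would also check payload plausibility and would tune the ratio per ID, since some messages are event-driven rather than periodic.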

Slide 28

Infotainment systems
• Just like the internet of things, but in your car
• Almost always on CAN bus
• "nmap -sV" mobile hotspot gateway IP, cry
• Usual IoT type vulns
  • Default login creds
  • Poorly configured services
  • Out of date daemons
• Auto makers have become software companies
  • Over the air updates


Slide 30

Remote attack vectors
• Where everyone gets nervous
• We can pivot into CAN bus
• PoC by Charlie Miller/Chris Valasek
  • Harman Uconnect running QNX
  • WPA PSK generator seeds with epoch
  • D-Bus daemon bound to all interfaces
• Bluetooth OBD2 dongles
• Hyundai Blue Link

Slide 31

Tears of nmap
• 2014 Jeep Cherokee
• 2017 Corvette

Slide 32

Commercial/fleet vehicles
• All the fun, more mass
• SAE J1939, much more standardization
• Fleet management systems
• Only place ransomware really works
• Could be done subtly

Slide 33

So what's the fix?
• Disclosure needs to be easier
• Code signing
  • Right to repair
    • John Deere
  • Verification done on driver key
• Vehicle kill switch
• The cost of doing nothing
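The difference between the CRC32 trailer from slide 4 and the code signing proposed here is what a check can and cannot prove. The following is an added example, not code from the talk: it runs both checks over a constructed stand-in ROM and a tampered copy. HMAC-SHA256 stands in for a signature so the example runs on the standard library alone; real code signing would use an asymmetric key so the ECU holds only a public key. The image layout (payload followed by a trailer) and the key are assumptions.

```python
"""Why the CRC32 trailer is not code signing (added example, not from the talk).

A CRC catches accidental corruption: whoever edits an image can simply recompute
it, so the ECU's check still passes. A keyed check fails on any image the key
holder did not produce. HMAC-SHA256 stands in for a signature; real code signing
would use an asymmetric key so the ECU stores only a public key. Layout is assumed.
"""
import hashlib
import hmac
import zlib

TAG_LEN = 32   # bytes of HMAC-SHA256 output appended as the trailer


def seal_crc(rom):
    """Append a big-endian CRC32 trailer, the only check the slide says ECUs do."""
    return rom + zlib.crc32(rom).to_bytes(4, "big")


def verify_crc(image):
    return zlib.crc32(image[:-4]).to_bytes(4, "big") == image[-4:]


def seal_signed(rom, key):
    """Append a keyed tag computed by the party holding the manufacturer key."""
    return rom + hmac.new(key, rom, hashlib.sha256).digest()


def verify_signed(image, key):
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def patch_bytes(blob, offset, values):
    """Overwrite a run of bytes, as a table edit in a ROM editor would."""
    return blob[:offset] + bytes(values) + blob[offset + len(values):]


def demo():
    """Run both checks on a stock image and a tampered copy; returns pass/fail flags."""
    key = b"constructed-manufacturer-key"     # would live in the vendor's signing HSM
    rom = bytes(range(256)) * 4               # constructed stand-in ROM, "table" at 0x40
    crc_image = seal_crc(rom)
    signed_image = seal_signed(rom, key)
    # Edit eight table cells, then recompute the CRC trailer over the edited body.
    crc_tampered = seal_crc(patch_bytes(crc_image[:-4], 0x40, [100] * 8))
    # The same edit on the signed image: without the key the old tag has to stay.
    signed_tampered = patch_bytes(signed_image, 0x40, [100] * 8)
    return {
        "crc_stock": verify_crc(crc_image),
        "crc_tampered": verify_crc(crc_tampered),
        "signed_stock": verify_signed(signed_image, key),
        "signed_tampered": verify_signed(signed_tampered, key),
    }
```

The "verification done on driver key" idea from the slide maps onto this model as a second accepted key, so that an owner's own flashes verify while an unsigned image from anyone else does not.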

Slide 34

Questions?
• Most interesting questions get asked later
• Follow me on Twitter @jzsavoie
• Email me at [email protected]