Car Hacking Introduction because of recent events (once again)
I took a quick look through the forum just now and couldn't find any particular article about it when using the search function.
At first I just wanted to present an interesting news item from a couple of days ago, but I decided to give a little more background information now, since it seems this will be the first article about this topic.
So why is this a topic we should discuss nowadays? That's fairly simple.
For a couple of years now a trend has developed:
Everything has to be connected to the internet and has to offer a wide variety of connectivity ports.
From a user's point of view this may bring a big leap towards 'better user experience' and 'easier coupling' of newly bought gadgets with already owned ones.
From our point of view it's a little bit different, if I may speak for all of us.
For every new technology, every newly introduced connectivity protocol/port, or just the fact that GadgetXYZ offers 4 instead of 3 possible connection settings, there's a good chance it becomes more exploitable and hackable.
Exactly this is happening in the automotive industry as well: with autonomous driving, where the car is connected to some remote server, or just with 'smart interfaces' within the car to which you can connect your smartphone.
A bunch of more or less recognized research has already been done on this.
Nonetheless, earlier this year another possible remote hack was published.
So before we begin, there are a couple of terms which are essential to fully understand what's going on.
What is 'OBD'?
OBD stands for 'On-Board Diagnostics' and it's a computer-based system originally designed to reduce emissions by monitoring the performance of major engine components or to diagnose engine problems.
Why should I care?
Since around the mid-90s the de facto standard here has been OBD-II, which is far more sophisticated and complex.
It provides almost complete engine control and also monitors parts of the chassis, body and accessory devices, as well as the diagnostic control network of the car!
Take tire pressure sensors for example.
New cars have multiple sensors and devices that are monitored by OBD-II.
What I read in publications almost every time is that every component is connected via a central ECU which controls/reads/logs it.
I'll leave that up to your imagination for now. But just as a quick question: what could happen if someone gets control over a part of this debug functionality?
'CAN' is short for 'Controller Area Network' and it's a vehicle bus standard designed to allow ECUs and other devices to communicate with each other in applications without a host computer. CAN connects various electronic components such as:
- electronic control units
- other electronic components
It's a message based protocol, originally designed for multiplex electrical wiring within motor vehicles.
The communication speed is up to 1 Mbit/s.
Of course CAN is not the only protocol used, but as I already stated above, most systems are interconnected somewhere.
So if you get access to one, it's more than doable to get access to others too.
Bosch Drivelog Connector Dongle Hack
So what went down in this hack? Basically it comes down to the researchers finding two vulnerabilities in the 'Bosch Drivelog Connector OBD-II dongle'.
Consequences of the hack
They could achieve two major effects from this hack:
- An information leak in the authentication process between the Drivelog Connector Dongle and the Drivelog Connect smart phone application.
- Security holes in the message filter in the Drivelog Connector dongle.
The second vulnerability, the security holes in the message filter, allows an attacker with root privileges on the driver's phone to send malicious CAN messages outside the scope of the small subset of diagnostic messages the dongle is meant to pass, which can potentially have physical effects on the vehicle.
Through this design flaw they could inject malicious code/messages into the CAN network.
The result of this was that they were able to shut down the engine of a moving car.
The only limitation here was that they had to be within a certain range of the car for the Bluetooth connection to work.
An attacker could easily implement other malicious code to attack and manipulate other ECUs on the network...
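As an added example (not code from the post or from Bosch's dongle), here is a deny-by-default CAN message filter of the kind the dongle is meant to enforce between the phone and the bus: it forwards only 11-bit OBD-II diagnostic requests (functional ID 0x7DF or physical IDs 0x7E0-0x7E7), only ISO-TP single frames, and only an assumed allow-list of three OBD-II modes; the sample frames are constructed.

```python
from dataclasses import dataclass

OBD_FUNCTIONAL_REQ = 0x7DF              # broadcast request to all emission ECUs
OBD_PHYSICAL_REQ = range(0x7E0, 0x7E8)  # request addressed to one ECU
ALLOWED_MODES = {0x01, 0x03, 0x09}      # assumed policy: current data, DTCs, vehicle info

@dataclass(frozen=True)
class CanFrame:
    arb_id: int            # arbitration identifier
    data: bytes            # 0..8 payload bytes
    extended: bool = False # True for a 29-bit identifier

def check_frame(frame: CanFrame) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every accept path is explicit."""
    if frame.extended:
        return False, "29-bit identifiers are not forwarded by this policy"
    if not (frame.arb_id == OBD_FUNCTIONAL_REQ or frame.arb_id in OBD_PHYSICAL_REQ):
        return False, f"id 0x{frame.arb_id:03X} is outside the OBD-II request range"
    if len(frame.data) != 8:
        return False, "OBD-II requests are padded to 8 bytes"
    pci, mode = frame.data[0], frame.data[1]
    if pci >> 4 != 0:
        return False, "only ISO-TP single frames (PCI type 0) are allowed"
    if not 1 <= (pci & 0x0F) <= 7:
        return False, "single-frame length must be 1..7"
    if mode not in ALLOWED_MODES:
        return False, f"mode 0x{mode:02X} is not an allowed OBD-II mode"
    return True, "ok"

def filter_frames(frames):
    """Split frames into (forwarded, dropped) where dropped holds (frame, reason)."""
    forwarded, dropped = [], []
    for f in frames:
        ok, why = check_frame(f)
        if ok:
            forwarded.append(f)
        else:
            dropped.append((f, why))
    return forwarded, dropped

# Constructed sample traffic from the phone side
RPM_REQUEST = CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0]))  # mode 01 PID 0C
NON_DIAG = CanFrame(0x123, bytes([0x00] * 8))                           # constructed id, not a real ECU
WRONG_MODE = CanFrame(0x7E0, bytes([0x02, 0x10, 0x01, 0, 0, 0, 0, 0]))  # mode not in allow-list
MULTI_FRAME = CanFrame(0x7DF, bytes([0x10, 0x20, 0x01, 0, 0, 0, 0, 0])) # ISO-TP first frame

if __name__ == "__main__":
    kept, dropped = filter_frames([RPM_REQUEST, NON_DIAG, WRONG_MODE, MULTI_FRAME])
    print(f"forwarded {len(kept)}, dropped {[why for _, why in dropped]}")
```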
Attack flow to make this hack work
To make this hack work an attacker has to have access to a compromised phone.
Afterwards one can simply pair it with the dongle.
Interestingly, the pairing process was quite complicated compared to the usual:
"user chooses dongle from the list of available Bluetooth devices in the area and enters a pin."
The pairing process implemented by Bosch was like the following:
- App connects to the dongle via Just Works pairing and requests the dongle certificate.
- App sends the dongle cert and a PIN (user input) to a backend server.
- Server replies with a pairing cert.
- Dongle verifies that the cert includes a matching PIN. If yes, the dongle sends its cert and a nonce to the app.
- Upon receipt the app verifies that the cert contains a PIN matching the one provided by the user.
- Upon successful verification of the PIN the app signs the dongle's nonce.
- Once signed, the app sends both the signed dongle nonce and the phone's nonce to the dongle, which responds by signing the phone's nonce and sending it back.
- If everything went smoothly up to here, an encrypted channel is set up.
So in short:
- Attacker pairs with the Drivelog dongle and receives the dongle certificate.
- Attacker brute-forces the dongle PIN in an offline environment.
- Attacker connects to the dongle.
- Having completed steps 1 through 3, attacker is able to send malicious CAN bus messages.
For more information about the hack, visit their blog.
Further reading
Automotive Attack Surfaces
Remote Exploitation of an Unaltered Passenger Vehicle
Adventures in Automotive Networks and Control Units
Remote Unlocking of cars
Fool Tesla S’s Autopilot to Hide and Spoof Obstacles
'Dieselgate' TALK at CCC
Script your Car! TALK at CCC
If anyone is really interested in reading into this matter, I can strongly recommend the publications of Charlie Miller and Chris Valasek!
(The first 3 links under Further reading, for example.)