If Smart TVs were the hardware hack highlight of Breakpoint Day 1, then hacking highly-computerised cars was most certainly the highlight of Day 2 of this information security conference in Melbourne on Friday.
In a presentation entitled “Hot-Wiring of the Future: Exploring Car CAN Buses”, Ted Sumers and Grayson Zulauf outlined the work they did on the Controller Area Network (CAN) protocol with Chris Hoder at Dartmouth College — essentially the same the presentation they gave at RECON 2012 (PDF).
Cars are now highly-networked devices, with CAN bus signals controlling everything from the engine and brakes to lighting, door locks and the entertainment systems — as well as the dashboard displays that tell the driver what’s happening. But the digital protocols are optimised for speed and reliability, not security.
While you can’t buy high-end CAN protocol analyser hardware without a license from the vendor, it’s reasonably straightforward to build your own tools — as happened with this project. All the hardware designs and software used in this project are open source.
Using these tools, the research team reverse engineered the CAN bus commands, first by passively watching the data stream, then by seeing how that data stream changed by operating functions in the car, and then by sending their own commands down the CAN bus to see what happened. They referred to these stages as “sniff”, “poke” and “write”.
“You might want to use someone else’s car for this… I’ve broken two cars and it’s hard to explain,” one said.
Sumers and Zulauf showed how they could, for example, rev the engine to 4000 rpm while the dashboard tachometer show it running at a slow idle, or send nonsensical error messages to the alphanumeric display. “Let me tell you about air bags some time,” Sumers said.
Many of the car’s operations, such as choosing the fuel flow and ignition timing for different engine speeds and other conditions, are done using look-up tables, and other researchers have shown how these can be changed even while the car is running.
Given the system’s poor security, all this opens up some interesting possibilities for attackers. If the drive has paired their smartphone to the car using Bluetooth, for examples, an attacker could infect that phone with malware and control the car remotely — and some work has been done on this.
“Personally I’m waiting for ransomware for cars,” said one audience member, where the car is disabled until the attacker is paid the unlock fee.
In another presentation, French researcher Paul Rascagneres described how he penetrated the command and control infrastructure of the systems running APT1, the alleged state-sponsored Chinese hacking group.
Rascagneres monitored the group’s activities and fund that they were well organised, worked during office hours, and used custom-made malware. They had more than 300 servers, one per target, which connected via proxy servers to hide their true location.
On one server Rascagneres found a database of administrator-level passwords for sites including a dozen Australian sites.
Rascagneres says he confirmed with each site’s owners that the login details were genuine, or at least had been at some stage.
In yet other presentations, John Butterworth, a security researcher at The MITRE Corporation who specialises in low-level system security, demonstrated a technique by which malware inserted into a computer’s BIOS firmware could survive attempts to remove by re-flashing or upgrading the BIOS, and Dutch researcher Jeroen Domburg discussed how the firmware of a hard disc drive could be hacked so that data could be hidden between the “official” places to store data on the drive.
Domburg demonstrated how the drive could be hacked so that it worked perfectly normally except in certain specific circumstances — such as when accessing particular files or at certain times, when it could change the data being stored or return false data.
[Photo: Part of an equation from Silvio Cesare's presentation, "A Whirlwind Tour of Academic Techniques for Real-World Security Researchers" Available for re-use under a Creative Commons Attribution-NoDerivs license (CC BY-ND).]
Corrupted Nerds coverage of Breakpoint is made possible by Extra Special Supporters Adam Thomas, Justin Warren, Andrew Zammit, Sean Richmond, Cunning S7Unt, Peter Williams; Special Supporters Christopher Neal, Glen Roberts, Johan de Wit; and many others.
Headlines from Breakpoint Day 2 by Corrupted Nerds is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
Based on a work at https://corruptednerds.com/blog/breakpoint-2013-day-2/.