
Okay everybody, let's get started. Today first we have Samuel. Samuel is going to be going over Analysis and Defense of Automotive Networks. I'm going to hand over control to him and he's going to get started.

All right, so thanks for waking up early with me, guys. My name is Sam Hollifield. This is Analysis and Defense of Automotive Networks, and that's my team just below my name. I work with a talented group of individuals, and we work with the Cyber and Applied Data Analytics Division at the Oak Ridge National Lab, and I can even show you my face.

Perfect. So we're inside the National Security Sciences Directorate at ORNL, and our primary project has been to try and develop some sort of vehicle-agnostic way to defend automotive networks. So my goal today is to tell you a little bit about the work we're doing at ORNL, and maybe give you some breadcrumbs to be able to do some automotive analysis on your own and get you excited about hacking on cars, because it's something that's really blown up the last few years, it's something you can do on the cheap, and it's quite a bit of fun. So I say that also with the preface of: I've never bricked my car.

It would probably be a whole lot less fun if I permanently damaged it. So let me tell you a little bit first about the Oak Ridge National Lab. We started on the backbone of, you know, the Manhattan Project. So back in like the 1940s there was a need for some plutonium to become enriched and build a big old bomb, because we were in a serious war. So Oak Ridge was chosen as the site for the very first national lab, or what wasn't one at that time, but we ended up being the first and also being the largest. There are about 17 national labs in the nation, and I'm a little bit biased, but I think we're the best. So of course you know the story: the war ended and then we still had all these facilities that were used to produce nuclear materials and radioisotopes and a bunch of really nasty stuff. So instead of going more toward like weapons-grade research, we went more toward the open community of science research, in that we now had all these facilities to be able to develop some really cool medical isotopes so we could beat some cancers. And then, you know, the lab kind of exploded, and I like to say if you can get a PhD in the field then you can research it here. So anything from
advanced material design to biological studies, chemical, and, you know, of course my group, we work in cybersecurity. I'm in the Cyber Security Research Group, and one of the main things that's interesting about working at a lab is that we're not really industry, we're not really academia. So I know a lot of folks are in industry; you know how that works, you're building tools either for customers or profit or for, you know, some reason. Academia is more on the highly theoretical side of things, where you're the guardians of knowledge: you know, teach it, discover it, preserve it, pass it on. And national labs really exist to find problems that the nation's currently having and figure out a way to solve those. So we take a lot of problems from the very theoretical and fundamental side to actually applying them and using them in some real-world situations.

Of course one of those things is vehicle security, so we actually have a laboratory dedicated just for vehicle security, and it's out at the National Transportation Research Center at our Hardin Valley campus. So we can put a car on a rolling dynamometer, have it in motion in a safe environment, and perform more or less cyber evaluations to see if we can develop and tool and create some defenses for vehicles. So this is one I like to show: are our cars really, truly hackable? Are they vulnerable? This was a video of a gentleman we had... there we go, this is the video of a gentleman we had coming from the Air Force, and he was a fighter pilot, so he was actually our first guinea pig. We figure if he can fly jets really, really fast we can probably put him in a car and hack it and he'll be okay. This is just an Arduino board with a CAN bus addition that plugs into the OBD port of the car, and he's going to accelerate to about 10 miles per hour. The Arduino is going to recognize the speed of the vehicle and then it's going to trigger an attack, and all this attack's doing is just sending junk into the port, and you see some really scary flashes. You don't get audio through the meeting, but the engine revs way up and then all the relays start clicking. And this is a dumb attack: you just plug in and you have a random number generator that just sends a random payload across messages.

So what really allows us to do this kind of scary infiltrating of the vehicle? Well, it's a network inside of the car that's called a controller area network, and I'll call it a CAN or a CAN bus interchangeably throughout the talk.
But in a sense there are a variety of networks that actually exist on your car, from everything that handles multimedia to, like, your interior; inside your door panel will have its own little kind of network. But the one that is really critical is the CAN, and the reason for that is kind of twofold. One is that this is the network that primarily connects all of the critical electronic control units, or ECUs, in your car and allows them to talk to each other. The other problem is that it's actually mandated, so any vehicle produced after 2008 has to have this thing called a CAN bus, and the reason for that is largely emissions purposes, for most of it. And that's because, you know, prior to 2008 OEMs would kind of have whatever proprietary network that they wanted to have in their car, and so it became kind of cumbersome to do testing when you had to have 15 different devices to speak the right language to be able to interact with the car. So the CAN was mandated in 2008; it's got to be on every vehicle. And in terms of electronic control units, or ECUs, your vehicle can have upwards of, I mean, 100 or more of these on a brand new luxury vehicle: everything from engine control module, transmission control module, seat belt safety status control module. You can essentially take a noun and then stick "control module" after it and your car will almost certainly have it.

So now we have a ton of ECUs in your car and they're connected to a network, but the kicker is this network has some inherent vulnerabilities. So one is it's an open broadcast bus network, meaning anywhere you plug in on this network, like the OBD port, you can see all of the messages that are being sent from everywhere else that's on that same CAN. There's also no way to really verify that who's sending the message is who they say they are. Like the attack on the previous slide: we were using an Arduino to spoof a bunch of messages, I mean randomly, we didn't even know what we were sending, and the car seemed to accept it as if it were absolute truth. And it's super easy to actually identify a CAN bus and connect to it. So for one, it's located in your OBD port, the onboard diagnostics port on your vehicle, which is usually right next to your steering wheel. You may have had a mechanic hook into it, or if you're in a state that does emissions testing they may use that as well. More specifically it's actually located on these two pins, so pins 6 and 14 on the OBD port if you're looking at the little chart here, and
this is where it's mandated to be on every car after 2008. So not only does the vehicle have to have CAN, it actually has to exist on these two pins as well, for the reason that you don't want to have 15 different tools to accomplish one task. So at a glance you can say, well, I know where it's at, I can connect to it and I can play around. I will say this: maybe since 2018, 2019, automakers have been getting kind of hip to the fact that people are plugging into their OBD ports and messing around with their cars, and so a lot of OEMs have started putting a filter or a gateway on the other side of that OBD port, where you don't get all the raw data from the ECUs; you can only request the specific things for, like, emissions testing or diagnostic purposes. You don't get that kind of unadulterated access.

That's okay though, because I said CAN exists on two wires. I just wanted to show this little slide to kind of illustrate that you have two wires on CAN: one's called CAN high and one's CAN low, and the reason for that is it's a differential signaling bus, so high will kind of move up in voltage and CAN low will move down, and that's how you transmit your ones and zeros. Because the vehicle is really inherently noisy, like from an electromagnetic standpoint, these guys are twisted together to try and do a little bit of shielding to avoid any sort of integrity loss from the messages. So, kind of simply, even if you have a car where the OEM has disabled some of the access at the OBD port, you can maybe pull apart your dash, or under your hood, or inside of your wheel well, and find a pair of twisted wires, and typically the only pair of twisted wires you're going to see on a car are from this CAN bus. So as an example of that, we had a big bus we were doing a little bit of evaluation on, and this guy was actually filtered pretty heavily at the OBD port, so we couldn't plug in and get, you know, raw data; we were only getting what the manufacturer wanted us to see. However, this bus had a really nifty service port where you could just unlock and open up this big bay and then have access to all of the ECUs. So these are all ECUs inside of the right side of the picture, and then all we have to do is take a pair of piercing alligator clips, find the twisted wires, clip into them, and then we're getting every message on the network that we're not supposed to see, or they don't
want us to see. So that's kind of the physical side of your CAN bus.

Now if you're interested in maybe interpreting data or looking at some of the logical stuff inside of CAN, this is actually a CAN frame. So this is more or less what you're going to see once you plug into your car and everything's running: you're going to get a whole bunch of data that probably goes super fast, and there's a lot that goes on inside of a CAN frame, but there are really two really important fields that exist. One's the arbitration field, or the arbitration ID, or AID; I might interchange that. I'll try to spit it all the way out so I don't have acronym soup, everyone. So the arbitration ID exists to kind of give the message a name or an ID and allows us to index and prioritize that message. So in a sense an arbitration ID kind of determines the priority of who gets to speak on the bus, and a simple way to kind of think about that is the lower the arbitration ID, the more precedence they have to actually talk inside of the vehicle. So a really simple dumb attack like the one I showed you earlier could be accomplished by just spamming ID 000 at a rate that every other ECU, or faster than a rate that every other ECU, talks at, and because 000 is the lowest arbitration ID you can have, no other message will be able to actually propagate throughout the bus.

Now the other important field is your data field, and this is kind of as you would expect: your payload, or your actual message contents. And the data field is super small, so one of the real kind of handicaps of CAN is it can only transmit up to 64 bits of data. So that makes it really hard to add any sort of encryption schemes or ways to further obfuscate the data outside of just filtering, firewalling and not providing access. There are some more technical things that go on inside of here as well, but we're not going to dive into that. Just for the purpose of this I want you guys to be familiar with the arbitration ID and the data field.

So now you kind of know what a message may look like. We use a lot of tools on our day-to-day when it comes to reading CAN data, like software tools, and the most useful and versatile, I would say, is a Linux tool called can-utils. So you can do apt-get install can-utils, and it's a tool that was actually made by Volkswagen and was released to be open source, and it works with
a lot of things. So it works particularly with any Linux-based systems, so say Raspberry Pis, BeagleBones, your own laptop, so on and so forth. You can install can-utils and use it to translate, send, receive data from your vehicle. And this is just a screenshot of one of the tools inside of can-utils called candump, and this just dumbly dumps all the messages as they come in: on message receive, print message, more or less. So on the left-hand side you've got the timestamp, and can0 just denotes the interface, like wlan0, and then the actual message or frame is over on the right. So you have the arbitration ID, and then it's separated by the pound sign, and then 64 bits, or eight bytes, of data in hex.

So there are some nuances to CAN, right? Like you can't just expect everything to work the first time, and I was told when I started on this project there's a steep learning curve and then after that it gets really easy. So some of the nuances are that each vehicle's CAN will have a preset bit rate for all the messages that are probably used for ECUs to talk to each other properly. Most modern cars it's 500k, but it can vary, and that's important because if you get inspired after this talk and want to hack on your own car, you can actually plug in with the wrong bit rate and cause some pretty scary errors to pop up and interrupt communication between all the ECUs. Another thing is it's actually meant to be terminated with a 120 ohm resistor as well. So practically, a lot of times if you're just messing around in your garage that doesn't quite matter, but it's occasionally happened to me that I plugged everything in, it's all working right, I can't figure out why I'm not getting any messages, and it's because this car is very finicky and it requires actual termination to work. I also mentioned earlier that you can have upwards of, say, 100 ECUs in your car, but you can also have like 200 or 250 arbitration IDs on your car, so as a result that simply means that each ECU may broadcast more than one arbitration ID. In fact one ECU may broadcast the bulk of the arbitration IDs in your car, meaning that many different message types can come from one ECU.

Another important distinction about CAN is that each vehicle, from like year, make, model, trim, will likely have unique encodings for their CAN messages, meaning that, you know, my 2015 Volt will not be entirely the same as a 2016 Volt. The reason for that is partly just simply different devices, and as vehicles get upgraded new messages are needed to support all the functions, but another reason for that is that
automakers follow largely security through obscurity, so they don't really want to broadcast or really enumerate and tell you what the encodings of their messages are. You avoid a lot of intense reverse engineering efforts and, you know, of course the big ones like performance tuning; you don't really want someone to break into your ECU, pull out your firmware and have fun with it. Another important thing to think of is that you actually may have more than one CAN on a vehicle. So although in your OBD port those two pins are mandated and legislated and required to exist, like in my Volt for instance, it's got like four CANs throughout it, so each one of those has its own separate stream of data and some of them are more important than others.

And of course you can't just take a USB cable, cut the ends, wire it up and then expect everything to work when you have it plugged into your laptop. So you do have to have a little bit of specialized hardware in order to talk CAN, and at minimum you need a processing unit, like a laptop, Raspberry Pi, you know, a single-board computer that can support CAN, and then you need some of the hardware that actually talks CAN. So one of those is a CAN controller, so that actually sends to the processing unit the logical frame format that says this is an arbitration ID, this is a message, now I'm going to dump it to your terminal. The CAN transceiver passes the actual physical bits to the CAN controller so that it can pack those into the right message structure and send it to the processing unit, and vice versa: the processing unit will say send this, the CAN controller will pack it into arbitration ID and message, then send to the CAN transceiver, which will turn it into physical voltages that will send over the two CAN wires.

And I probably should have said this earlier, but it can be super dangerous to just plug something up to your OBD port. I gave a version of this talk at CodeMash this year and I didn't put enough disclaimers into the talk itself, so one of the attendees got really excited. We built little devices for this talk based on a Teensy, and they were actually going out to the parking lot and plugging into their car, and so one guy didn't cut all of the extra wires that come from your OBD port, because we only need two but there's like 16 in there, and so when he plugged into his OBD port his wires crossed and touched and he had really big sparks, and it was kind of scary, and I'm like, oh man,
can I be held liable for this? So as a result, now I'm going to tell you all the way through the talk not to do anything I say, and don't plug stuff into your car.

So now that we've plugged into our car... but so I want to demonstrate for you guys actually using the can-utils software to do a little bit of reverse engineering on your vehicle. And so I'm using this tool called ICSim, or Instrument Cluster Simulator; it's written by Craig Smith, so if you're familiar with the Car Hacker's Handbook, this is a tool he actually created. And so what I'm doing here is I'm messing around without an actual car, so I'm bringing up what's called a vcan; it's a virtual CAN interface, so it allows my computer to speak CAN without any sort of hardware required. And then I'm actually going to feed this virtual CAN interface to the instrument cluster simulator, and the instrument cluster simulator will transmit actual CAN messages through the virtual CAN as if it were a car, and it will allow us to practice some reverse engineering techniques before plugging into our own car, which we shouldn't do anyway, so that's okay. You can use, like, an Xbox controller or something and get really fancy with it; I was just using my keyboard, but there's a lot of functions inside of this tool that you can try to reverse engineer, and what I actually want to try to work on is... we'll do the turn signal.

So this tool I brought up is called cansniffer; it's another one of the tools that's inside of the can-utils package, and this allows us to see which messages are changing. So there's a ton of messages inside of a CAN and it can get really messy to try to look through them manually; this guy helps us out. I'm going to hit left turn signal and see if I can find a message that's changing based on the turn signal. Well, I didn't... hold on, right turn. So I saw arbitration ID 188 there, and kind of the middle is flashing 02 when I hit the right turn signal and I think 01 when I hit the left. So it leads me to believe this arbitration ID encodes the turn signal. I just want to double-check that, so I'm going to use cansend, which is also one of the utilities inside of the can-utils package, and I'm going to send that one and see if I get a response. Okay, cool, so I'm getting some left turn signal. For all intents and purposes, right, this is a cyber attack, right? This is something that we probably shouldn't be able to do, is
simulate the turn signal. So I'm going to try 03, and then we get hazard lights, which isn't even an option or a feature inside of ICSim. This was kind of a simple attack; it's an injection attack, and it's really messy. So what happens, and the reason that the turn signal doesn't stay lit all the time and I had to keep resending it, is because the actual legitimate car is saying, well, my turn signal is off, and it keeps repeating that message until you flip your turn signal switch and the legitimate ECU says, well, the turn signal's on. So we're always fighting with the fact that the turn signal is physically off, but it's still considered, I mean for all intents and purposes, an attack.

So I'm going to go ahead and accelerate my car up to 60, and what we're going to see is if we can figure out where maybe my speed is located inside of these messages, and that's actually pretty hard. So while it's easy, well, easier, to identify these kind of binary messages, like turn signal on, turn signal off, or hazard on, hazard off, or door open, door closed, locks on, locks off (that's kind of a scary one), it's far more difficult to identify some sort of time-series, dynamically changing value, and you will spend a lot of time in your driveway messing with this just to figure out where your odometer may report the speed.

So there are easier ways to go about analyzing some of the data inside your vehicle. One way to do that is through the onboard diagnostic service. So this is, like I mentioned earlier, you may have a mechanic that will plug into your vehicle and do some analysis, and this is actually the kind of service they use in order to get ground truth, or to get the actual happenings from your vehicle. So you can request a whole bunch of information from the car, and instead of trying to read some obfuscated CAN messages you can enumerate and figure out exactly what it's doing. So if you're like a performance tuning guy, or, like, I had an older car that didn't really clearly enumerate my actual miles per gallon over the lifetime, so I wanted to figure that out: I just used these services to do a little bit of math to figure out my fuel consumption versus my distance driven. Now the actual onboard diagnostic service, it sits on top of CAN, so if you're familiar with the OSI model it's closer to like an application layer, whereas the actual CAN protocol is closer to our network down to physical layer. So there are actually some other things that I'm not going to get into, but there are some other kind of additions to CAN that are built on top
of it, and CAN is largely just a network and you can do a lot of things with it, including retrieving diagnostics. So there's a really cool Wikipedia article here, and if you don't want to remember it, I know it's kind of hard to click from a PowerPoint, you can actually just Google "OBD-II PIDs"; it stands for parameter ID, and those are the enumerated values that we can actually request from a vehicle. And so the way that it works is you must figure out what sort of data you want to ask for, and then you just ask the car and the car will immediately shoot back and say, well, here's the info. So because this is all standardized and it's used by, you know, emissions testing and mechanic shops, this all works on a standardized arbitration ID scheme. So you don't actually learn which raw arbitration ID is transmitting this data; instead you learn what the data actually is, and then maybe try to match that or find that elsewhere. And how it works is you send a request on arbitration ID 7DF, and then many other ECUs will reply to this broadcast for diagnostic queries. Most commonly, just as a tidbit, your engine, like main, ECU will live on 78, and that'll tell you a whole bunch of data, and then you just parse the data that's given back from the standardized message structure, and you can get a ton of data from this.

This is just pulled from the Wikipedia article: current data, you can get stored diagnostic codes, you can get some test results, you can request, sorry, reset your check engine light, so you don't have to buy a fancy tool or go to Advance or something and have them do it. And this is just a quick snapshot of kind of all the information that you can ask from your car. So there's over 150 possible parameter IDs, and there's no way that one car will support all of these, for no other reason than a lot of these are specific for like electric cars, or maybe not electric cars, maybe more like gas cars versus diesel cars; like you can't have both types of fuel in one vehicle that I really know of. And so you can actually ask your car which messages it will reply to; that's one of the standardized parameter IDs that you can request that's available in that Wikipedia article. So you just send the request at the start and you say, hey, what will you reply to? It'll shoot back a whole bunch of hex and you just parse that as binary: you know, one means yes I support it, and zero means no I don't, and then you can build a list to request from your car based on that.

So once we discovered that this kind of onboard diagnostic
service exists, we realized that we were going to waste a lot of time trying to understand CAN data from the driveway when maybe we could leverage some of these diagnostic queries in order to automatically look at the encodings of messages. And that's really important because CAN inherently has a tokenization and translation problem. So I mentioned earlier that all the networks are obfuscated, so you don't know what is being said by each message; further than that, it's not really clear when you're getting bytes back where the actual functional message happens. So this one kind of makes sense: you have a CAN signal of engine RPM. This is an 8x8 grid layout of a 64-bit CAN message, so the bytes go all the way, you know, from seven to zero there. The engine RPM takes up the first two bytes, so that kind of makes sense, right, it takes up two bytes. Then in the next byte down you have battery voltage, takes up the first five bits of the third byte, and then the current gear is the last three bits. So there's not a clear separation when you're reading in hex where these different message encodings are, or I'll call them signals now, where these different signals will be split and where that byte boundary exists. And further than that, you can run into issues of, like, is this also a signed number, does it include negatives? And the most frustrating thing is that your endianness can actually switch mid-byte too, so you can go from reading five bits little endian and then you have to switch your ordering and read the next three as big endian, and there's no real, you know, cohesive way to be able to understand that. Or I should say that there used to not be, up until maybe a year or two ago.

So we developed this pipeline; it's called Automotive CAN Tokenization and Translation, or ACTT as we call it, and this tool allows us to leverage diagnostic queries in order to automatically extract these signals from a car without spending time in our driveway. And the way that it works is, first we just learn maybe where those boundaries happen, so like going from the first five bits, we try to learn that the next three bits are a separate signal. Then we try to determine if that endianness problem does happen, where we have to start reading the bits in the opposite order. Once we do that, we can figure out if there might be some negative numbers that exist inside of here, whether they need to be signed or unsigned. And finally, and the really cool thing, is we leverage the diagnostic services earlier but then find where those signals might exist, like, practically in the CAN. And I have
just another quick demo. So I'm using a Raspberry Pi here and I'm going to plug her into the OBD port, and then we're going to go for a short drive. I'm going to record some data. So the device is right there above my steering wheel. The green light is flashing; that means it's trying to determine the speed of the CAN so that we don't break my car. Then the red light flashes with the green; that means we're requesting the VIN of the vehicle and then we're trying to figure out which diagnostic queries it'll actually reply to. When I press the button and the blue light starts flashing, we're actually sending a ton of diagnostic requests to this vehicle. So I'm saying, like, what's your speed, what's your RPM, what's your mass airflow, over and over and over at a really fast rate. And so I'm just going to go on a short drive, and this is actually my wife's car, because one thing I learned early on working at the lab is that you don't want to break your own vehicle; it's always best to break the lab's vehicle. But I can't go on campus right now because of the COVID situation, and my wife's car's a little bit older, so I told her I'd rather break her vehicle, and then she got mad until she realized, like, oh, that means I might get a new car.

So I collected a bunch of diagnostic data here, and then we're actually going to be able to parse this. So on the back end, that I didn't record, I ran the ACTT pipeline, because it takes a few minutes on the Raspberry Pi; they're not exactly beefy processing units. But essentially we've written a little tool that, once we get the translated database file back from the vehicle that lets us understand the signals that are encoded inside of CAN, we can actually visualize these now in real time. And so I've got a little screen... there it is. So I've got a little screen, and this guy's actually going to give us every arbitration ID that we see on the car and then enumerate the extracted signals from ACTT, so that we can see this stuff in real time without requesting diagnostic data anymore. And so there's like timing advance in here; then I think another one has vehicle speed, engine coolant temperature, RPM. And of course I select RPM; we get zero because the Volt's an electric hybrid car, runs on battery most of the time. But one thing I figured out was if you pull your hood latch, actually, then it will force the combustion engine to kick on, and then we get the spike up to about 1,600 RPM. And that's just one signal; we can also view, like, coolant temperature and see what
it is right now, among every other, you know, of the 150 possible parameter IDs that can be extracted from arbitration IDs in this car. And then there are also some unknown signals, and what the unknown ones mean are that we weren't able to find these messages inside of the known diagnostic queries, but we were able to identify that they're a unique signal that's encoded within the message, so we can still graph these as well and understand them.

And there's a big motivation for understanding this data. So for one, we're using this for intrusion detection systems, because we want to extract signals, turn them into a time series and tell when they're no longer continuous. Another thing, maybe aftermarket understanding. So, as mentioned earlier, if you're a car person and you want to figure out your fuel economy or your 0 to 60 time, but you don't want to send stuff to your vehicle while it's driving, well, you can use this kind of tool in order to read dynamically from the bus so that you're not requesting diagnostic queries. And then of course there's a big market for performance tuning, where it may be valuable to understand which arbitration ID and ECU are sending, say, the throttle percentage, and then figuring out an easy way to identify that and then manipulate it so that more power is going to the car.

So we're using it for intrusion detection, so I've got to talk a little bit about that from a security standpoint. Because CAN's limited in the amount of bits it can transmit, it's very small, it's hard to develop, like I said, some sort of encryption scheme, so we're looking at more of a vehicle-agnostic way to create an intrusion detection system. And most IDS research so far has fallen into three categories, where it's either physical, so you're looking at primarily the voltage or the physical layer, and that kind of has some drawbacks because each car can be really finicky and further it's a really noisy environment from an electromagnetic standpoint, and so we don't really look too much at physical so far at the lab. We've looked at frequency- and timing-based, and this one really only uses, like, message headers and the frequency that each message is sent. And then the next kind of field of research is the data field inspection, so that's where we're actually looking at the contents of each message and trying to determine if it's anomalous or an attack. And there are two ways to look at this: one is payload-based, kind of treating each field as just a binary blob, and then the next is our signal-based idea, where we extract a time series of data from the car. And most research done so far in this
field has been either frequency or payload based but our act tool has really allowed us to do some signal based research that a lot of people haven't haven't been exposed to um an idea of the timing based detection of automotive cyber attacks is here and the idea is that each hand message is set at a regular interval and so when you do a dumb injection attack like you're trying to you know turn the turn signal on or off that should be able to be detected because now you've added extra messages into this arbitration id so we really simply just look at a snapshot of time get some data and then if the timing of the message is off
by a certain percentage or a threshold then we alert and say that an attack has happened so this one requires very little overhead it's really easy to put on a raspberry pi and work but the downfall is that let's say there's like a poison the well attack and messages are being sent at the correct interval but they're not being like correct messages so we also look at uh payload base so the idea of a payload base is that we break each message into like uh bits so either zeros or ones and we try to determine the probability that the next message will have a zero or a one and so here's our here's a little illustration
of the predicted data and then an attack that had been sent to the vehicle and you see that like some of the bits i colored in red aren't the predicted value and we essentially just generate some sort of threshold saying if you know any number of bits are outside of the threshold then an attack has happened but it's still kind of difficult to determine how to glance like whether or not there's there's been an attack um which leads us to our signal based results so the idea here is that we can use our act pipeline to extract a whole bunch of signals from this vehicle and even if we can't translate them but we can identify that they're signals
we try to learn what maybe the next value will be here's a here's an example of like an engine rpm attack where we're trying to spoof the engine rpm you see this one at a glance is a lot more obvious like on data point eight it drops down to zero and then you know back up to like 2600 which really clearly demonstrates that there's been an attack launched on this car and so that leads us to believe that our signal based approach will be more effective but we're still in kind of the mid stages of this and we need to do a lot more testing to really verify that hypothesis um so here's a quick demo of
one of our detection scheme so this is a really simple timing based detector that will just count the number of messages an important thing to think of is we need to attack an attack on the car before the car physically reacts once the car reacts you know there's an attack so the device up on the top is actually the ids that's a raspberry pi and then the raspberry pi down on the bottom uh underneath the speedometer is our attack device it's got a button on it but when i press the button it's going to launch an attack for the car one of those dumb injection attacks and i want to catch it before the car
physically reacts so we're gonna launch the attack and then i want to see a red light on this ids oh perfect red light before the car reacts so there's not a whole lot of time i mean you know the attacks launched and the car reacts immediately the engine revs up it wants us to stop safely now we lose all power on the gas pedal we need to be able to detect that quickly and there's a lot of research going into this now so uh some of the recent work on this has really exploded since say 2016 but if you're interested in getting into this field it's it's brand new it's uh it's quite exciting to be working on
some, like, cutting-edge sort of research, because this is a field that's projected to grow and continue to grow, with the ultimate goal of making our vehicles more secure. Chances are, honestly, you probably won't get hacked yourself, but for someone who may manage a large fleet of vehicles or, like, rental cars particularly; like, rental car companies hate when they rent to me, because I mess with all those new cars.

All right, so we're about to wind down now, and I just want to recap, make sure we're all on the same page. So we learned a little bit about CAN data, how to send and receive some messages, how we can use message timing to prototype a really basic but effective IDS, how the diagnostic service can be used to generate some ground truth from our vehicles, and I'd like to reiterate that you should do as I say, not as I do, and don't plug anything into your car at my, uh, my vision. So if you guys are interested in this research and want to do some more reading, I'd recommend starting with The Car Hacker's Handbook. It's fantastic and has a lot of good resources and a lot of good details on, like, can-utils and using diagnostic services. If you want to get more technical into CAN, the Kvaser education on CAN bus is completely free, and it goes more into, like, the protocol layer and the nuts and bolts of what a CAN message is and how a CAN network operates. If you want to spend a little bit of money to learn about it, I really recommend Automotive Electrics and Automotive Electronics. This is, like, a textbook, so it costs a little bit of money, but the information contained there is, I mean, invaluable; it goes very in-depth. And of course it's not a good conference talk without a shameless plug, so if you want to learn about some of the math that we use to create our ACTT pipeline, then that's available on arXiv, and you can, like, I think, just search arXiv for ORNL and the paper title.

So if you want to get started with some hands-on tools, I use the Kvaser CAN-to-USB tools. I use one called the Kvaser Leaf Light v2. It's a couple hundred dollars, but you can plug it up to your laptop or you can run a VM, and it works fine with Linux, and it's fantastic. If you want to go the cheap route, you noticed, I mean, throughout my talk that we use a lot of Raspberry Pis to do this stuff at the lab, and pretty much any consumer-level single-board computer now can run CAN with some really cheap add-ons. If you need some more processing power, like for some of the more in-depth machine learning stuff we do to try and understand, like, time series detection, the Raspberry Pi can't quite run that; we have to use something like an NVIDIA Jetson TX2. That's a couple of hundred dollars, but it has onboard CAN and it works great for processing some models. And of course if you want to break the bank and go the professional route, you can get something like Vehicle Spy, which is a tool that has a nice GUI and it supports a bunch of networks outside of CAN, so some of the other ones I mentioned at the beginning of the talk you can also read with Vehicle Spy, but it's quite expensive.

And then finally, I do have a special offer for you guys, so this might be a long shot. I gave this offer when I did the CodeMash presentation in January, and that was, like, a four-hour talk where we built CAN devices and then walked people through the, like, coding scripts and everything. But I love my Knoxvillians, so if you want to not spend time wasting in your driveway to understand some signals, and you have a car, you can generate your own data. Meaning, like, I do love my Knoxvillians, but I can't, like, help you get started from scratch on getting diagnostic queries from your car. If you can collect the data, augment it with diagnostic queries, then get into contact with me through email or Twitter or this board or however you can, and we'll try to coordinate some of the analysis so we can run the pipeline on your car and get you some signals back, and maybe get us some good samples as well. But I appreciate you guys waking up early for this first talk today, and I hope you were able to learn a little bit about cars, and maybe you're a little bit more scared now to take a trip post-COVID. Thank you.

Okay, we do have a few questions for you. First, from Heather White, we have: does the National Transportation Research Center work with the Army NGCV center in Detroit?

I'm pretty sure we have in the past. I'm not sure to what capacity we still do. I was actually lucky to be able to visit that facility last year, and we talked about doing some visits, but due to the situation right now nothing's really panned out. But there's a lot that goes on at NTRC outside of vehicle security, so it's hard telling, to be honest.

Okay, we also have Mike, who asked: I heard that at one point in time the OBD port was only active when the car was in park. Was that true?

I'm not sure about that one. I've not seen a case where that's explicitly true just yet, but most of the cars that I've worked on are 2015 or newer, and the biggest thing I've seen there is that they'll work all the time, but a lot of them will only respond to the diagnostic queries, so you don't get any sort of raw CAN data to be able to do analysis.

Okay, David asked: have you looked at BMWs? How do their systems compare to other manufacturers? I am able to use tools to modify many settings in my 2016. Newer models have aftermarket software changes that are warranty supported.

So that is actually one brand that has been elusive for me. I've never plugged into a BMW, so I can't really answer that, but if you're around Knoxville, Kevin, after the COVID ends, then let me know and I can give it a shot if you want me to.

Samuel wants to know: if you can fudge a legit message timed, e.g. a timed one you know is coming, by forcing bits high or low, can you not bypass any IDS in a seemingly unfixable way?

So that is a good example of how the timing-based IDS has some flaws, because the way the priority works on the CAN, I said the lower arbitration ID will win the priority to speak on the bus. That actually works all the way through the message, so if you have two messages queued up at the same time, a zero will effectively overwrite a one and then stop that message from broadcasting. But that can also get kind of messy, and that's why some techniques such as being able to extract signals and figure out the discontinuity between it could be really effective in finding some attacks.

And lastly we have Alex asking: have you tested any vehicles that implement CAN message authentication protocols? What are your impressions?

So I'm not sure what really constitutes a CAN message, like, authentication protocol. We've seen a lot of vehicles that will have, like, counters or maybe some kind of bits appended at the end that are some kind of identifier, and in a lot of cases those work, but in some cases the vehicle seems to respond in kind even though there's not a correct counter or not a correct identifier.

All right, thank you, Samuel.
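The two detection ideas the talk contrasts, a timing-based detector that counts frames per arbitration ID against a learned period, and a signal-based detector that flags discontinuities in a decoded time series, as an added worked example that is not part of the talk and is not ORNL's ACTT pipeline. The CAN log, the arbitration ID 0x1A0, the 100 ms period and the RPM encoding (16-bit big-endian in bytes 0-1, 0.25 rpm per bit) are all constructed assumptions; the two attack samples are constructed to show the "dumb injection" case (extra frames, caught by timing) and the "poison the well" case (correct interval, bogus value, missed by timing but caught by the signal discontinuity check the speaker describes).

```python
"""Timing-based vs. signal-based CAN intrusion detection on a constructed log.

Added example, not code from the talk or from ORNL's ACTT pipeline.
Each frame is (timestamp_s, arbitration_id, data_bytes). Everything below
(ID, period, encoding, attack samples) is a constructed assumption.
"""
from statistics import median

ARB_ID = 0x1A0      # hypothetical "engine RPM" arbitration ID
PERIOD_S = 0.100    # hypothetical nominal transmit interval of that ID


def encode_rpm(rpm):
    """Encode rpm as 16-bit big-endian, 0.25 rpm per bit (constructed encoding)."""
    raw = int(rpm / 0.25)
    return bytes([(raw >> 8) & 0xFF, raw & 0xFF])


def decode_rpm(data):
    """Inverse of encode_rpm: bytes 0-1 big-endian, scaled by 0.25."""
    return ((data[0] << 8) | data[1]) * 0.25


def make_log(n, rpm_start=1500.0, rpm_step=20.0):
    """Benign log: one frame every PERIOD_S with a smoothly rising RPM."""
    return [(round(i * PERIOD_S, 3), ARB_ID, encode_rpm(rpm_start + i * rpm_step))
            for i in range(n)]


def learn_period(frames, arb_id):
    """Nominal period of one ID = median inter-arrival time in a clean capture."""
    ts = sorted(t for t, i, _ in frames if i == arb_id)
    return round(median(b - a for a, b in zip(ts, ts[1:])), 4)


def timing_alerts(frames, arb_id, period, window_s=1.0, tolerance=0.3):
    """Timing-based IDS: start times of windows whose frame count for arb_id
    deviates from window_s / period by more than the tolerance fraction."""
    ts = sorted(t for t, i, _ in frames if i == arb_id)
    expected = window_s / period
    alerts, start = [], 0.0
    while start < ts[-1]:
        count = sum(1 for t in ts if start <= t < start + window_s)
        if abs(count - expected) / expected > tolerance:
            alerts.append(start)
        start += window_s
    return alerts


def learn_jump_threshold(frames, arb_id, factor=5.0):
    """Signal-based IDS training: largest benign step, scaled by a safety factor."""
    vals = [decode_rpm(d) for _, i, d in sorted(frames) if i == arb_id]
    return max(abs(b - a) for a, b in zip(vals, vals[1:])) * factor


def signal_alerts(frames, arb_id, threshold):
    """Signal-based IDS: timestamps where the decoded series jumps by more than
    threshold between consecutive frames (a discontinuity in the time series)."""
    series = [(t, decode_rpm(d)) for t, i, d in sorted(frames) if i == arb_id]
    return [t for (_, prev), (t, cur) in zip(series, series[1:])
            if abs(cur - prev) > threshold]


def run_demo():
    """Train both detectors on the clean log, then run them on two attack samples."""
    clean = make_log(40)                       # 4 s of benign traffic
    period = learn_period(clean, ARB_ID)
    jump_thr = learn_jump_threshold(clean, ARB_ID)

    # Constructed "dumb injection": five extra RPM=0 frames crammed into 50 ms.
    injected = clean + [(round(2.01 + k * 0.01, 3), ARB_ID, encode_rpm(0))
                        for k in range(5)]
    # Constructed "poison the well": the legitimate slot at t=2.5 s carries a
    # bogus value, so the per-ID timing is untouched.
    poisoned = list(clean)
    poisoned[25] = (clean[25][0], ARB_ID, encode_rpm(0))

    return {
        "period": period,
        "injected_timing": timing_alerts(injected, ARB_ID, period),
        "injected_signal": signal_alerts(injected, ARB_ID, jump_thr),
        "poisoned_timing": timing_alerts(poisoned, ARB_ID, period),
        "poisoned_signal": signal_alerts(poisoned, ARB_ID, jump_thr),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running it shows the trade-off from the talk: the injection pushes the [2 s, 3 s) window from the expected 10 frames to 15, so the timing detector alerts at 2.0 s, whereas the poisoned log produces no timing alert at all and is only caught because the decoded RPM drops from 1980 to 0 and back to 2020 at 2.5 s and 2.6 s. The threshold here is a plain multiple of the largest benign step; a real deployment would learn it per signal from much longer captures.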