
Where is everybody? Come on. So today's talk is a little bit different to some of the other things I've seen; [unclear], so we'll have a look at the [unclear]. So just a quick explanation of who I am: my name's Gemma G and I work with Pen Test Partners. We do quite a lot of pen testing, as you would expect; we also do a bit of research, and in our spare time we have a look at IoT.

Now, why did we look at the car? Well, we need to be cautious: there's actually quite a large attack surface, and actually it's not that complicated. A lot of people think you need to understand how CAN networks work and how ECUs work, and actually it's not really that complex. A lot of it is just simple attacks. Look at some of the previous attacks: they simply needed to be in the entertainment system, and that wasn't properly bridged or properly segregated from the CAN. Then if you look at Spellman Detroit, once again what I find is that simply through using Wireshark they were able to identify these vulnerabilities. The Tesla guys did some work just looking at weak passwords. What we find, though, is it's almost never about the actual CAN access; it's about all the other stuff, like the Wi-Fi, because simply they are very large attack surfaces. So you've got the wireless networks that are coming in, you've got the entertainment systems, you've got [unclear] and all these other things coming into the car, which you can look at.

So a bit of research in the past: we've done some research that didn't really get as much publicity as we've got with the Outlander. We looked at the i3, for example, and the [unclear], because we've got friends who've got one, so it's quite easy to look at them. It's not easy to go out and buy a car for research, especially if you can't break it. What we found is that there's a number of issues with the provisioning of the i3 around ConnectedDrive, the mobile app; it's an app you can use to authenticate with the car and unlock it, bits and pieces like that. We found those issues with it, and ultimately BMW fixed those, so if you've got an i3 and you've got ConnectedDrive then chances are those fixes [unclear]. It's a lot more expensive car; I definitely would buy one if I had the money. We found there's a number of plaintext communications, simply between the car, the API and the services; the API was over HTTP, and that's a lot harder to exploit in terms of hacking the car, because it's only talking out over GSM. We were able to enumerate the VINs. If you have a quick look: when you set up ConnectedDrive you provide your first name and last name as your username. In fact BMW customer services actually recommend you use that, and that's not very good really: first name, last name is pretty easy to guess, especially if you know the owner's name. If you guess the name, then first name, last name is probably going to be the username, and then you can enumerate the VINs through the registration page. But not only that, you can then request a password reset, and when you reset the password it just goes to a simple web page, easy to manoeuvre, and you get user IDs and passwords for ConnectedDrive, and of course once you've set ConnectedDrive up you can then gain access to the car. Scary stuff. And that's all about previous research.

Then Mitsubishi do it slightly differently. What the Outlander does is they've got Wi-Fi connectivity on the device. However, the wireless connectivity is not for end users to be able to use; it's not a wireless access point in the car for you. It doesn't talk out; it doesn't work in client mode as a Tesla does, for example; it doesn't connect to your home Wi-Fi. It is essentially one access point on the car, so the car has its own access point, and then you use the application on your phone to connect to that wireless access point, which is a really bizarre way of doing it. It's also a very cheap way of doing it, which I guess is why they did it. Most people, when they set up connected cars, BMW for example, they have an API: the car talks to the API, you talk to the API, and in fact you talk to BMW and BMW then get messages to the car. So it's very hard to actually get direct access to the actual car. With this it's really easy to get direct access.

What can you do once you've got it set up? Well, you can do things like the air conditioning: you can turn on the air conditioning; these systems have an air heater as well, so you're able to heat and cool. You're able to use battery power to cool your car or warm it up, so that when you get into it in the morning it's the right temperature for you. You can also turn on flashing the lights, so when you're in a car park and can't find your car you're able to flash your headlights. Wi-Fi range is not that great, so you'd have to be near your car to turn on the lights, which is a bit pointless, but [unclear]. You can do things like set the schedules for the charging; it's an electric car, the Outlander is a plug-in hybrid electric vehicle, so you can charge it and set schedules for that charging so it does it in the middle of the night, saving a little bit on your electricity. And you can also turn off the alarm.

How does it work? When you buy one of these you get a manual, as you'd expect, and the manual contains the SSID and the password for the access point. Bizarrely, you can change the SSID but you can't change the password, so you can effectively make the SSID whatever you want but not change the password, and most people, as you can imagine, probably wouldn't bother changing the SSID.
It's relatively easy, because there's a lot of commonality with them. The SSID always remains REMOTE and then numbers and lowercase letters; the password is always four lowercase letters and six numbers. That's just not good enough when it comes to passwords for wireless access points. It's really easy: we've got a basic cracking rig, just four graphics cards, [unclear] to crack that password. Now we've upgraded that, we've got sixteen graphics cards, and we can now do it in about 12 hours. In reality, if we really wanted to gain access to one of these cars we'd probably use something like Amazon Web Services: a thousand dollars, we estimate, to be able to crack it. For that thousand dollars you're able to gain access to a car, and that car's worth like forty thousand pounds, so from that respect it's quite cost-effective; it's not that bad.

Once you've cracked the key, of course, we can then gain ourselves a man-in-the-middle position. The way we set about attacking it: yes, we can crack the key, okay, that's fine, but let's just set up a man-in-the-middle position so that we can then start to have a look at what's being sent from the app to the car. What we found: our ultimate goal was to see if we could do away with the app, and see if we could ultimately crack a key and then issue commands directly from our computer. So first thing, we've got a man-in-the-middle position; next thing is to set up our equipment. As I said, it's really easy when you start to attack cars; it's not [unclear]. Next up, what we're showing is a capture here, and the capture just uses simple TCP. It doesn't really show a lot, but click over to the hex and it starts to make a lot more sense. The red is obviously going to the car, and what's sent to the car is effectively a message. So F6, the first part of the packet: F6 defines that it is actually a message, "I want to do something to the car". Then there's a bit about the length of the actual packet, saying how much is going to follow. Then there's the actual command that's sent to the car, and then a parameter, and the parameter defines, for example, [unclear]. And then all of that is checksummed, and that's the end of the packet. So for the lights, for example, you send the command with the parameter to turn them off, from the parameter table. So let's have a look at that: this is the command sent, from the top right, and the same on the top left, so you can see the command sent. Let's see what happens when we issue that command to the car. I haven't got a car with me, unfortunately, so I can't actually do this live; I can't park it over there. Fortunately I've got some videos, and sadly they are not of me, they're of my colleague, [unclear], so I apologise. I think it was five videos I've got, so that's cool. But is there another way of doing it? Well, there's another way of doing it, and the simplest way:
just look at the app. If any of you have looked at a lot of apps, or any of you are doing any kind of reverse engineering, it's really, really simple on Android. So what do you do? You use adb, then go and grab the APK from the device. As soon as you've got it, you can use something like jadx and start to decompile it. So let's see how quickly that works. I've got jadx running; I actually quite like jadx because you don't have to do anything before you view it, you just open the APK straight away in jadx.

Let's open it up. All of the code for this particular application is all in here; there's a lot of it. The bits we're concerned with are in the base structure, so we've got in here "deal message" and "death message". The "deal message" bit kind of defines how a packet is sent to the car, and it defines what you can actually do on the car, so what messages can be sent. There's quite a lot of functionality in here that's not visible in the app's settings. If I just click back to the presentation it'll be easier to view some of the other bits. So this is the "deal message" bit, and this message, what's interesting, let's do it like this: what's interesting is you can make changes to the state, and some of these change [unclear]; other ones, for example, the lights, which you've already seen, and the charging status, and one of the other things, as I said, is the air conditioning. So let's have a look at that. So again, I'm sorry, another video. Obviously that's going to cause you a little bit of a problem if you've got an electric car: someone turns on the air conditioning overnight, and your car's going to be cold when you get into it; it's also going to have used the battery, so you might not be able to go, you might have to fill up with fuel or something like that. So that's cool. And whether or not we can make any changes to the alarm, to turn it on or off. So again, sorry, the video. It's a lot easier when you have the car, I promise you. All right, let's just play this one. This is just the alarm on; it's just a demonstration that the alarm is armed. So let's do it: the alarm's disabled. All right, so obviously we could then smash a window to gain access to it without setting off the alarm and alerting the owner.

So if we send this command: this was only recently announced at DEF CON, because we kind of felt it wasn't good telling people how to unlock people's cars [unclear]. So let me zoom out; it's relatively new. Once you send that command to the car, you can really easily just [unclear]; you can't unlock the window [unclear], so it's smash the window, even though you're in the car. You can open the door; it doesn't seem to have any deadlocks properly applied, so you can quite easily just smash the window, and then you can access things like other systems.

So, like all good pen testers, we found that's a bit annoying, having to issue that command each time; wouldn't it be much easier if we could just script it? So of course we've got some great guys, and then: let's go ahead and script it. Essentially what we've got is we've got turn on the lights, [unclear], alarm off, and then also further up the air conditioning. So for example we then just scripted it up. What we find when we look at the commands is that it's actually not following the flow the app follows: the app says there are settings you shouldn't be able to access unless you disable the alarm first; but yes, you can, which is not ideal.

Well, the thing I would say that is really, really good about this car is that the access point will go to sleep if you don't drive the car for more than 24 hours. But most people, I guess, probably have a car and drive it. I don't know, most people do; maybe you don't. But if you don't drive it for 24 hours the access point will turn off; the minute you turn on the car the access point will start up again, and if your phone is within range, of course, it'll connect. So that's kind of a bit of a fix for the issue.

How do you really fix it? Well, if you've got one of these cars, the best way to fix it is to just go into the app and cancel the VIN registration. When you cancel the VIN registration, and obviously do that on every phone that has it enabled, what happens is the access point will effectively turn itself off automatically. You can't [unclear]; the remote pushes it back on. Mitsubishi suggested that another option to turn it off is to press the remote button 20 times; I think you do ten times and then you do another 30 times. It's ridiculous, but that will ultimately deactivate the Wi-Fi. So if someone is connected to your car that you don't know about, you're not going to know someone's accessed your car; you can deal with that through that same cancelling. So if you are selling the car, that's something I would recommend you do; the dealer will do it as part of the process of selling the car through the dealer. But long term, to fix it, it's going to need a firmware update to the device.

The problem is the way Mitsubishi expect you to update the firmware: it's through your phone, through this wireless access point, which is incredibly unstable, and you need to be stood right next to it. Then you also cannot have your phone run out of battery, you cannot lose connectivity, otherwise you're going to brick it. So it's a bit of a problem. I shall show you the code; it's actually in the app, it's really easy. One thing I would say: it's quite useful to open up an APK in 7-Zip, because you can see all the stuff in there, and the firmware is in the resource files. If you go into the raw folder there's a file; I think when we first looked it was [unclear]. There's no reason why someone would update their thing [unclear].
I suggest, really, they're going to have to get some of these cars back in when they do a service and update the system at that point, because the reality is it's just too risky to do it through this unstable wireless access point. You don't know how long it's going to take; it could take ten minutes, it could take half an hour, sitting in the car for half an hour while you update the firmware. So even though you've updated the firmware, there are still those attacks you can do.

What else can you do? Well, you can track them, because it's a wireless access point, remember, and when the access points get discovered, they get discovered and put on WiGLE. So there's loads of them: before we disclosed there were around 6,000 of these cars you could find, so you can track them to people's houses or wherever they've been discovered on WiGLE. Quite a lot of them are around Cirencester, which happens to be where their leadership is, or where the cars are built. After we told Mitsubishi, after the BBC published the article about the vulnerability, there were a further four hundred devices. So what's going on? Why are people enabling the wireless after we've told them? Who knows. Interestingly, now if you go to WiGLE you can't actually find them. What happened is WiGLE have received some kind of a message from Mitsubishi, whether it's a legal message or whether it's just "please will you do this for the good of everybody"; somehow they've removed all of these from their database. So that proves that that does work, and now if you want to get your access point taken off WiGLE, you can either contact WiGLE or you can just change your access point name to REMOTE and then numbers and then it'll get taken off.

So what are our next steps? Well, Wi-Fi has given us a way to get into the car, that's great, but actually what we could do now is start looking at the hardware, to see whether there's any appropriate segregation between the different networks. This is the actual Wi-Fi module here, so our next step is to take that off and see if there are any vulnerabilities that would affect the separation between the CAN, which is obviously where all the important stuff goes on, and the actual Wi-Fi; and also continuing with the application, there's quite a lot of functionality in there [unclear] that we haven't figured out yet.

So, disclosure. We contacted Mitsubishi, as you would expect as a responsible organisation, and gave them all the information, and [unclear]. So we then contacted them again and said, what's going on? We see this as a very serious issue. And their response was, well, it's not really an issue, we don't see it as a problem and we're not going to bother fixing it. Right, okay. But to be fair to them, it wasn't the best day for us to contact them: it was the day their emissions scandal broke. I'm guessing their PR department had a bit of a tough day that day. Anyway, so we then thought, well, we've got to do something about this. We did say to them, well, how would you feel if we went to the BBC? And they said, we'd say exactly the same thing to the BBC as we said to you. So, fair enough, we went to the BBC. Funnily enough, that changed their opinion: suddenly they decided that actually it's a very serious issue and now they are going to take it very seriously, which is right, and they did. Once it was in the press it was taken seriously; they are now talking to us and they are working on fixes, and we are identifying the remediation for that
with them. How should you really do disclosure? Well, really, in essence: set up a public website or some kind of page, or set up some kind of bug bounty, [unclear], and then once contact has been made, listen to the researcher. Determine whether there is a vulnerability, and if there is a vulnerability, confirm the fix back to the researcher, and then once you've got your remediation plan in process, then, and only then, can the researcher start to think about their publicity. Most security researchers, you'll find, usually want attention. I'm sure some of you are security researchers; most of you are after a bit of attention.

So if you are a manufacturer of one of these vehicles, or you are doing anything like this, embrace the security community. Set out the terms of what you want to get from them and what you will be doing, and credit them, so that we can get a little bit of credit or further our knowledge as well. One of the best ways to give credit, in my opinion, is to use a bug bounty. When you're using bug bounties, make sure that you set a good one; make sure it's cost-effective, because the community is a lot more cost-effective than having to pay what we charge, hundreds of thousands, or having to publish some kind of [unclear] system, or having to pay out some money, for example. That's one good way of doing it. But also give them the car to play with. That sounds a little bit far-fetched, but is it really? Manufacturers, when they make these cars, are selling a forty-thousand-pound car; they've sold millions of them; they're making a lot of money. Forty thousand pounds is not actually a huge amount of money to give to someone for them to be able to check whether there are any vulnerabilities, and you can even have it back after a year if you really want to, so you've not lost any money: you're going to sell that one at a relatively small cost, it's not going to lose a lot of money. So I recommend giving the car, especially if they happen to be Ferrari or something like that; I'd definitely look forward to looking at one of their cars.

If you look at some of the existing bug bounties, actually there aren't many from vehicle manufacturers. Tesla have got one; they will pay up to ten thousand dollars, which is good, but two thousand dollars for full remote compromise of a hundred and five thousand dollar car, really, I think that's a bit cheap. Then if we look at Fiat Chrysler, they've got lots and lots of different cars; they'll pay fifteen hundred dollars. Fifteen hundred dollars to compromise one of their cars, and they make millions and billions of dollars a year. Then there's GM: they basically say you won't get any money, you just won't get sued: "yes, we're taking security very seriously and we regularly review the security of the environment". Saying they're not doing anything, then. And no one else does anything; there's no other bug bounty that I could find from car manufacturers, and I think that's tragic, because these things are [unclear]. Some of the other attacks in
terms of cars have to be about stealing the car, putting malware somewhere on a car. Ransomware sounds like that weird, far-fetched thing; I guess it probably is a little bit. We've not seen ransomware on cars and won't any time soon, but the potential is there. To illustrate that, and how it could come about on cars: we presented this at DEF CON; some of you may have seen a bit about it. Essentially, I can't tell you who it is because we agreed not to disclose the name, but if you've made the thermostat I'm sure you'll probably recognise it. We find that it's an ARM-based system. You can find that really easily just by going to the FCC website and searching on their site. There you can find a lot of information, including reports on the actual hardware and photos of the actual circuit boards. It's a really cool thing, so I recommend you do that if you want to find information about devices. We felt you could almost certainly, based on the stuff at the FCC, be able to get root on the device, and from that point [unclear]. Don't just think, though, that it's only these modern IoT devices: just search any car manufacturer you want. Anything that's sold in America that has wireless communications has to be in this database. So you click on one and notice, for example, there's some kind of remote sensor for [unclear]; I think this is a keyless entry module for a Mitsubishi, and there's some kind of Bluetooth module on the car as well. So you see detailed descriptions of the hardware before you start pulling it apart; that's quite useful, you kind of get a view on whether or not you're going to be successful in terms of finding vulnerabilities.

So if we have a look at the thermostat: as I mentioned, it's an ARM processor; it's also got some memory, maybe 128 megabytes of memory; it's also got a gigabyte of storage, and a Wi-Fi module as well. Bizarrely, there's an SD card on the device, which is a little bit weird; you can't think why this would need it. I'll come on to why in a second. There's also some serial on it, a six-pin header. I couldn't find any JTAG, which I guess is good, but there's another way: the firmware is in the application. You download the Windows updater application, and the firmware is embedded in there, so if you open up that application, just unzip it, you can view the firmware. Just open it with binwalk and you can view the firmware itself. Once you do that you can virtually mount the file system, and then you can see the file system, which is quite cool, and all that stuff.

So once we had a look at the firmware, what we find is that the stuff which manages the thermostat is essentially a Java application, a very large JAR file, a single JAR [unclear], and there wasn't any validation on that, any input validation. So what you could do is you could load some images into the [unclear] binary and then put whatever you want into it, because [unclear] you can start appending stuff to it. There's a PC Windows application that writes to the SD card; that's why you've got the SD card: end users demanded the ability to set the screensaver on their thermostat. Obviously that's very important functionality, I think, for my thermostat: never mind the heating and controlling of my house, I like to have a nice picture of my recent holidays. And also things like the settings and updating firmware as well, obviously, as well as setting a screensaver. So in terms of taking control of this, what we wanted to do is find out where the hooks were, and it's quite simple really: we effectively just appended a simple thing to the image, and then essentially whatever came out with it was then executed. Once we got that we were then able to inject other content, stuff like telnet, so that gave us a remote console on the device, and of course we had root, so we were able to load whatever we wanted on there. So it's very simple; you have to start locally [unclear].

So then the ransomware: just simple stuff. Just change your screensaver so it shows you a ransomware picture; lock the device using a PIN, so we can code it so it changes that PIN frequently, so the end user's never going to be able to guess it, even though it's only four digits. You can [unclear], but what else can we do? We can stick an annoying buzzer on, constantly buzzing at them; that's going to really annoy them. Change the outputs, so the heating and the cooling outputs as well. One thing that we do is, rather than just making it really, really cold in winter or really, really hot in summer, put both on, at maximum on both, so the system doesn't know what it's going to do, and ultimately you're going to have a really large electricity bill. So the incentive will be there to get it fixed.

So what can you do if you've got ransomware on your thermostat? Granted, this is a bit theoretical. What can you do? Well, you throw it away and you buy a new one; it's only about [unclear]. Maybe a Bitcoin is a little bit steep to get access back to your thermostat; you'd buy a new one. But people are paying ransoms; they might pay at some point. This is a little bit theoretical, but ransomware is certainly a really interesting space. And could that mean, jumping back to cars, putting ransomware on a car, where you're preventing someone from driving? Eventually we'll see it. ECUs: I briefly touched on ECUs earlier, and it's not typically something I have a huge amount of experience with, so please
don't ask me questions afterwards about it. In terms of ECUs, this is really [unclear], so people are familiar with [unclear]. Okay, so this is a really old ECU, and old ECUs were pretty simple; they weren't complex devices. They had just a few microcontrollers and didn't do a huge amount of stuff. Nowadays they're much more complex because they do so much more stuff: we've got things like Wi-Fi, for example; we've got internet, map updates, firmware updates, [unclear], all of the cool stuff as well. All the other stuff is all in those new ECUs, but they haven't really increased the security on them; they're still the same thing as 25 years ago. And attackers have got a lot better at attacking systems in 25 years, so the security of them is not going to be that good. In the old days, in terms of attacking ECUs, all you were trying to do was effectively make your car go faster, or perhaps clone your key so you don't have to pay an extortionate amount at the dealers to get a new key. Nowadays you've got people who want to get stuff out of their cars: unlock functionality that perhaps is a paid option, that the manufacturer is charging a couple of hundred pounds for to be able to gain access to; nowadays you just unlock it if you can hack the ECU. Or perhaps [unclear] the existing accessory [unclear] in the key [unclear]. If you move past things like [unclear] in the cars and look at these systems, there's been no real security improvement in 25 years that's made these devices harder to attack, but attacking them has become a lot easier, because we've got lots and lots of clever tools, and simple things like desoldering stuff and reading it directly. Some systems have even got JTAG ports on them. This is actually another thermostat here; this is a JTAG board complete with a connector, so you can easily connect straight into it and read the firmware. Once you've got that, hopefully the firmware gives you lots and lots of important stuff. We're able to see things like passwords, for example private keys, or to view the code in IDA, for example, and understand how it works, or even [unclear]. This was a DVR that we looked at, which is a complete disaster of a system; that's for another day. We were able to get things: there was a web shell on it, and also there's an app, and it shows what these developers think: that the firmware is something which is hidden, and actually it's not. So you often find quite interesting and amusing things; for example, someone unable to handle their SSL properly, or this one [unclear]; I can't remember what that does exactly.

So in terms of protecting against this, it really needs simple, careful risk assessment, I would suggest; it's very, very important nowadays because of the way researchers are looking at things. Encrypt it, and strip all of your debug stuff and all that stuff from your firmware when you package it, and remove your scripts. And don't trust anything that's provided by the end user: we saw this morning, [unclear] from this morning, a Wi-Fi SSID that happens to [unclear] the particular screen. Think about least privilege: simple concepts that we've done for ages. It turns out on the car it's actually really, really hard to implement security on the CAN, because it needs to be incredibly fast: if you've got a system that controls brakes, you kind of want it to be fast, and not to be checking certificates or whatever it is while it goes along, and then suddenly stop, and you never brake. I think the most important thing is to be able to update your firmware. We had to do that over the [unclear]; so many manufacturers are supplying systems that they have no capability of being able to update, which is absolutely bonkers, and I think that's the main issue.

So what do we do, in terms of us? Well, we're pen testers, as I said; we spend quite a lot of time looking at things like ICS and ECUs as well; we spend a lot of time, in fact, looking at [unclear], and we've got some really good guys there. You'll see all the basic stuff as well, lots and lots of IT. Most of the time we're spotting some of the vulnerabilities [unclear]; it's not really high risk in terms of stealing stuff, or potentially killing you. [unclear] We saw Charlie Miller stopping a car on the freeway [unclear]. So yes, in terms of fixing it: look at least privilege, look at least functionality, and encrypt all your communications. Keep it simple, really. That's it, thanks for listening. [Applause]
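The control-frame layout the talk describes (F6 header, length, command, parameter, checksum) and the alarm-state check that the app enforces but the car does not, worked through as an added Python example. It is not code from the talk, the Outlander app or Mitsubishi: the checksum rule, the meaning of the length byte and the command and parameter numbers are assumptions, since the talk does not give them.

```python
# Added example, not code from the talk, the Outlander app or Mitsubishi: an
# encoder and a strict receiver-side validator for the frame layout the talk
# describes:  F6 | length | command | parameter(s) | checksum
# ASSUMPTIONS (the talk does not state them): the length byte counts every byte
# after itself; the checksum is the 8-bit sum of all preceding bytes; the
# command and parameter numbers below are constructed for this example only.

HEADER = 0xF6

# Constructed command identifiers (not the real protocol's values).
CMD_LIGHTS = 0x10
CMD_CLIMATE = 0x20
CMD_ALARM = 0x30
CMD_CHARGE_SCHEDULE = 0x40

PARAM_OFF = 0x00
PARAM_ON = 0x01

# The talk notes the app only offers some functions once the alarm is disarmed,
# but the car does not enforce that ordering; a defensive receiver does.
REQUIRES_ALARM_DISARMED = {CMD_CLIMATE, CMD_CHARGE_SCHEDULE}


class FrameError(ValueError):
    """A frame that must not be acted on."""


def checksum(data: bytes) -> int:
    # ASSUMPTION: sum of every byte before the checksum field, modulo 256.
    return sum(data) & 0xFF


def build_frame(command: int, *params: int) -> bytes:
    # length = command + params + checksum, i.e. everything after the length byte
    body = bytes([HEADER, len(params) + 2, command, *params])
    return body + bytes([checksum(body)])


def parse_frame(frame: bytes) -> tuple:
    """Validate header, length and checksum; return (command, parameter bytes)."""
    if len(frame) < 5:
        raise FrameError("frame too short")
    if frame[0] != HEADER:
        raise FrameError(f"bad header byte {frame[0]:#04x}")
    if len(frame) != frame[1] + 2:
        raise FrameError(f"length field {frame[1]} does not match {len(frame) - 2} bytes")
    if checksum(frame[:-1]) != frame[-1]:
        raise FrameError("checksum mismatch")
    return frame[2], frame[3:-1]


class VehicleState:
    """Minimal model of the car-side state the talk's commands touch."""

    def __init__(self) -> None:
        self.alarm_armed = True
        self.lights_on = False
        self.climate_on = False
        self.charge_schedule = None

    def handle(self, frame: bytes) -> str:
        """Validate, authorise against current state, then apply; return a log line."""
        command, params = parse_frame(frame)
        if command in REQUIRES_ALARM_DISARMED and self.alarm_armed:
            raise FrameError(f"command {command:#04x} refused: alarm is armed")
        if command == CMD_ALARM:
            self.alarm_armed = params[0] == PARAM_ON
            return "alarm armed" if self.alarm_armed else "alarm disarmed"
        if command == CMD_LIGHTS:
            self.lights_on = params[0] == PARAM_ON
            return "lights on" if self.lights_on else "lights off"
        if command == CMD_CLIMATE:
            self.climate_on = params[0] == PARAM_ON
            return "climate on" if self.climate_on else "climate off"
        if command == CMD_CHARGE_SCHEDULE:
            if len(params) != 2:
                raise FrameError("charge schedule needs start and end hour")
            start, end = params
            if not (0 <= start < 24 and 0 <= end < 24):
                raise FrameError("hour out of range")
            self.charge_schedule = (start, end)
            return f"charging {start:02d}:00-{end:02d}:00"
        raise FrameError(f"unknown command {command:#04x}")


def demo() -> list:
    # Constructed sequence of client frames, applied in order to one car.
    car = VehicleState()
    results = []
    for frame in (
        build_frame(CMD_LIGHTS, PARAM_ON),
        build_frame(CMD_CLIMATE, PARAM_ON),      # refused: alarm still armed
        build_frame(CMD_ALARM, PARAM_OFF),
        build_frame(CMD_CLIMATE, PARAM_ON),      # accepted now
        build_frame(CMD_CHARGE_SCHEDULE, 1, 5),  # 01:00 to 05:00
        bytes.fromhex("f6031001ff"),             # constructed tampered frame, bad checksum
    ):
        try:
            results.append(car.handle(frame))
        except FrameError as err:
            results.append(f"rejected: {err}")
    return results
```

Calling demo() shows the ordering check doing its job: the same climate frame is refused while the alarm is armed and accepted after the disarm frame, and the tampered frame never reaches the command dispatch.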