Hello everyone. Welcome to the talk. Today I'll be talking about an interesting finding that I found in one of the connected cars: I was able to hack into the car and I could do whatever I wanted. So the title of the presentation is Remote Exploitation of Honda Cars. I know most of the speakers in car hacking villages are going to talk about Honda cars. It was an accidental vulnerability that I found during my research.

Okay, before going into the presentation, let me introduce myself. My name is Mohammed Shain. I'm an AppSec engineer. I'm from India. I'm also an occasional bug bounty hunter; I have hall of fame entries at top companies like Google, Apple, etc. I'm also the chapter leader of ASRG Kerala. ASRG is a group that deals with automotive cybersecurity, and I lead the chapter in Kerala. We have been conducting webinars and talks at conferences like c0c0n for the past one year. I'm also a volunteer at DEF CON Trivandrum. And I'm also an automotive photographer, so you could see my photographs on my Instagram handle; I have mentioned it here.

So today I'll be talking about a vulnerability that I found in one of Honda's cars. The vulnerability was in its API, which was connecting to the telematics control unit of the car, and I could hack into the API and gradually into the car. The car is the Honda City fifth gen.

Okay, before moving to the talk, let's talk about the attack surface of a car. I'm not a car hacker, but I love researching automotive cybersecurity. Most of the time I work on web application, Android application or iOS vulnerabilities. Considering a car, we could briefly break down its attack surface into Wi-Fi related attacks, telematics attacks, mobile application attacks and OBD-II attacks. Today we'll be talking about the app vulnerability that I found, with which I was able to hack into the car. So, what are the advantages of mobile apps in the automotive industry?
The best answer is that it is easy to use and it has a great interface, so anyone who knows how to operate a mobile phone can use the dashboard or the interface of the application, and he or she could work with the car through it. That's why most car manufacturers are now moving to mobile applications for controlling the cars.

So what is a connected car? A connected car is one that has its own connection to the Internet, and that's like an IoT device: when you connect your car to the Internet, it gradually becomes an IoT device. We know that there are multiple devices connected to the Internet right now, like refrigerators; everything is connected to the Internet. So the car industry is also moving into the IoT category.

There's a funny story from before I started focusing on the Honda car or the automotive hacking stuff. There was an article, a piece of research by Jose Carlos Norte, in which he claims that he could hack into Internet-connected trucks. I was very much excited about this and I read the article. He used Shodan, the search engine that can be used to track Internet-connected devices, to find the trucks, or rather the telematics gateway units of the trucks. They were using a vulnerable, not so secure protocol, telnet, and he used that telnet protocol to hack into the trucks. I was pretty much amazed by reading this, and after that I started researching the telematics control unit. Before that: the telematics gateway unit was the one that the researcher used to hack. The telematics gateway unit has higher performance than a telematics control unit. The telematics control unit is embedded hardware that is used to connect your car to the Internet.
After that, most of my research was on the telematics control unit, and I found that a car can be connected to another car, they can communicate with each other, or a car can be connected to the Internet, to mobile phones, etc. So the telematics control unit was the main thing that does this. I had also started researching Bluetooth related attacks and Wi-Fi related attacks, but in India we don't have much hardware, or there are problems while purchasing the stuff that can be used to hack. So my research continued with the mobile applications. I recreated those attacks; it was simple. I used Shodan to search for the vulnerable telematics gateway units and I got some, and I researched them and played with them. Then I was like, yeah, it's cool. Then an interesting thing happened to me. The next day when I opened my laptop, there was an interesting Google advertisement. It was about a connected car.

Okay, sorry. I think I'm going to read from a card. So, three, two, one.

Hello everyone, welcome to my talk. Today I'll be talking about a vulnerability that I found in one of the connected cars, and the title of my presentation is Remote Exploitation of Honda Cars. This is about research that I conducted a few months before, in which I was able to hack into a Honda car through the vulnerable APIs that were controlling the telematics control unit. So let's begin. Okay, let me introduce myself. My name is Mohammed Shain. I'm an application security engineer, and I'm from India. I'm also an occasional bug bounty hunter; I have hall of fame entries at companies like Google, Apple, etc. So from this you could understand that I don't work in the automotive industry. This is my first talk in automotive, or something related to automotive. I'm also the chapter leader of ASRG Kerala. ASRG is the Automotive Security Research Group.
It's a group that deals with automotive security research, automotive vulnerabilities, etc. I started this group, and currently we have conducted workshops, sorry, workshops, we have conducted...

Three, two, one. Let me introduce myself. My name is Mohammed Shain. I'm an application security engineer. I'm also an occasional bug bounty hunter, and also the chapter lead...

Hello everyone. Welcome to the talk. Today I'll be talking about remote exploitation of Honda cars. This was a recent vulnerability in a Honda car that I found a few months before. I was able to hack into a car through its vulnerable APIs. Before moving to the session, let me introduce myself. My name is Mohammed Shain. I'm an application security engineer and a bug bounty hunter; I do bug bounties occasionally. So from my title you could understand that I'm not an automotive security engineer. I mostly work on web application and mobile application security, and automotive security is some kind of part-time or free-time job: I research or read automotive security blogs, I watch videos from hacking villages, I love this stuff. I'm also the chapter lead of ASRG Kerala. ASRG is the Automotive Security Research Group. It deals with automotive security research and the vulnerabilities that affect automotive components, etc. I'm also a volunteer at DEF CON Trivandrum and also an automotive photographer; if you love car photos or motorcycle photos, you should visit my Instagram profile. I have mentioned it. Okay, that's me.

So the vehicle that I have used for testing is a Honda City fifth gen. It is a 2020 model, and the vulnerability was found three months before, and now the vulnerability is completely fixed. This was not a vulnerability that affects a hardware component; it was a software related issue. So it was fixed very quickly. So let's move on.
Okay. Before talking about the vulnerability: as a security or AppSec engineer we have multiple vulnerabilities like cross-site scripting, SQL injection, etc. But when I moved to the automotive side it was not like that. Different cars have different components, and previously we didn't have much technology in automotive, but now there are connected cars, there are self-driving cars, there is ADAS, etc. So, breaking down the attack surface: the things that I like most are the telematics control unit and the mobile applications. There's a funny story behind that which I will be explaining later, but these are the common entry points or attack points in a car. From those entry points I'll be talking about the mobile applications, both iOS and Android, and why the car owners or the companies are adopting mobile applications to control their cars. The reason is pretty simple: it's because it's easy to use. Everyone uses a mobile phone or a mobile application, everyone knows how to operate a mobile phone, so it's pretty easy to handle a mobile application that has been connected to a car. This is the main reason why there's a drastic increase in mobile applications connected to your car. Then, what is a connected car? A connected car is one which has its own connection to the Internet, so you could remotely control the car or remotely track your car, etc.

This is the story behind my finding. My finding is pretty much an easy find, but this is where it all began. I read an interesting blog by Jose Carlos Norte, and he claims that he was able to hack into multiple trucks through the vulnerable telematics gateway units of the trucks.
The reason, or the vulnerability, was in its protocol, that is telnet, and it was an unauthenticated telnet, so he could have all the IPs and he could simply use the telnet protocol to hack into the truck. I was like, wow, this is super cool, because I know it's very easy to hack into a truck. Anyway, from that day on I started researching the telematics control units, or the mobile applications or the APIs that are interacting with the telematics or the TCU. Okay, the telematics gateway unit is something similar to a TCU, but it handles much more. I mostly used Google to search about telematics and the other stuff, and the reason why I'm telling you about Google is because there's a thing behind it; I'll show you.

After that I recreated the attack from the blog. I used Shodan to find the open ports on those telematics gateway units, and I was able to track those trucks like him. So I was like, wow, this is super cool, it's very easy to do a hack, because, you know, I have seen automotive research that is very complicated. Automotive security is not like web applications or the AppSec industry; it's a little complicated due to the hardware level stuff. So I was like, oh, it's super cool, and I was planning to do similar research on mobile applications, something that affects the mobile applications.

Then, yeah, the Google ad. The next day I got a Google ad regarding a new car that was launched in my country, and this is the Honda City fifth gen. This was the first connected car here, and I was like, well, it's cool. And I could see a mobile app that had been published on the App Store as well as the Play Store. So I started reading about the car and the car application. It contains more than 30 features, so basically the mobile application can be used to do anything to the car.
That means you could start the engine, you could open the doors, you could open the boot, everything. So I was like, wow, what if I hack the mobile application? If I hack the mobile application, I could hack into the car as well. That was the thing going through my mind. So I started researching the mobile application completely. These were the features of Honda Connect: you could see there's a tire deflation alert, which means it contains TPMS, and it contains almost everything that can be performed on the car. The interesting features were that we could start the car (this is only possible in the automatic variant, you know), you could unlock the doors, you could even open the boot, you could track the car, etc. These were the four things that I was interested in.

I read about how the application controls the car. There's a cloud server that controls the car, and the request goes from the phone. For example, if you need to open the door of the car, you press the button on the mobile phone, it sends an API request to the server, and the server interacts with the telematics control unit.

So the first thing I did was download the mobile application and reverse it completely, and I could see some API endpoints. After the static analysis I couldn't find anything interesting. There were some API keys that were not useful. I sat for two days looking for something and didn't get anything from the static analysis part. Then I moved to the dynamic analysis, and I personally love dynamic analysis; dynamic analysis is when we run the application and find the vulnerability. The application had some security controls like root detection and SSL pinning.
So you can't run this mobile application on a rooted or jailbroken device. It's a security control by the Honda team, but it is easily bypassed. The reason they did this is that most security researchers or attackers use rooted devices for testing these applications, so by default they place this as a security control. Then SSL pinning is a client side security control that is used to pin certificates; while running the application, the certificates were checked against the certificates that are placed in the server. This doesn't allow man-in-the-middle attacks, so you can't intercept the traffic of the application. These were the only security controls placed in this mobile application.

Tools of the trade: for bypassing this you can use a rooted device or emulators like Genymotion, Frida for bypassing those controls like root detection and SSL pinning, and Burp Suite or HTTP Toolkit to analyze the traffic. So then I opened the application via Frida: I injected a script that can be used to bypass the SSL pinning as well as the root detection. Now the application is ready for testing.

This is the front page of the Honda Connect application, and there was a field for the mobile number. This is how the mobile application works. First, the user enters the phone number and gets an OTP, a one-time password, which he or she should enter. Then it moves to the MPIN. The MPIN is a second layer of protection that uses the biometrics of the phone or a four digit number that is created by the user. So this is how the app functions. Then I gave my number and I didn't get the OTP or anything. So I was like, why? Then I contacted the Honda showroom.
I asked them about the application. Actually, I didn't tell them that I'm a security researcher; I called like a regular customer, I asked them, and I understood the application. This is how the application works: when you purchase the car, they configure the number, the car, everything, and they give it to you. So the only thing the user needs to do is log in with the OTP and the MPIN, and he could use it to control the car.

The next thing I did was contact my friends who own Honda cars, but most of them had a non-connected car, which means it's not connected, so I can't perform any attacks there. After that I got a friend who gave me his car to test, and that was a connected car. I was happy. He gave me his number and I bypassed the OTP thing. The first thing I did was use Frida to bypass it, then I analyzed the traffic. While analyzing the traffic you could see the Honda API. This is the response: the response contains a generated OTP. That is a vulnerability, and an easy vulnerability, by the way. When you give the number, the OTP is supposed to be sent to the mobile, but here the OTP was reflected in the response. So it was a very easy vulnerability. What I did was use the 5613 OTP that's seen here, and I entered it.

The next thing was the MPIN. Since I used an emulator, it doesn't pop up the biometrics option; it asked me for the number. There was an option for "forgot", and when you press the forgot MPIN option it asks for the phone number. I gave the phone number, and again the OTP was leaking in the response. So I could use this to reset the MPIN, and I gave a simple number like 1234 to reset it. Then I could get into the car.
So this was a pretty simple exploit and I could hack into the car easily. The next thing: I was like, wow, this is super cool, and I created some Python scripts. I didn't even need the complicated Genymotion stuff or a phone. I created some scripts; I gave the phone number, I could just press enter, and I could start the car, I could unlock the boot, I could unlock the doors, everything. It was really easy for me. And I was like, wow, super cool, I, an AppSec engineer, moved over to the automotive industry side, kind of. Nice. During this research I could understand many things that go on behind the car, how the app controls the car, how it communicates. It was a fun learning process.

Then disclosure. I reported this bug to Auto-ISAC first. When I checked Auto-ISAC, Honda was listed in their partnerships, so I reported to Auto-ISAC, but I didn't get any response to date. So I contacted Honda India. After contacting them, they called me and asked me about the vulnerability and how I found the vulnerability. I scheduled a call with them and demonstrated it; basically I showed everything that I found, and they were happy. They thanked me, and the vulnerability was fixed within two or three hours, I guess. I should also speak about the disclosure process. Most of the automotive companies in India don't have a responsible disclosure process. That's the main problem faced by security researchers here: when we find a vulnerability, we don't know where to report it and how to report it. The Honda team doesn't have a responsible disclosure program, but they were very cooperative with me.
They sat with me for hours to fix this vulnerability, and now the car is totally safe. Thank you. I hope this was an interesting talk, and if you have any doubts or need clarification, you can contact me. This is my Twitter handle. Thank you so much.
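The bug the talk walks through is an OTP that is generated server side and then echoed in the JSON reply of the "send OTP" call, for both login and the "forgot MPIN" reset. The following is an added example, written for this page; it is not Honda's code and not the speaker's scripts. It models that leaky endpoint as a small in-memory Python service beside a hardened version, so the difference can be exercised offline. Everything about the service is assumed: the `generatedOtp` field name, the five minute validity, the five attempt limit, the `login` / `reset_mpin` purposes, and the in-memory store and SMS outbox that stand in for a database and an SMS gateway.

```python
"""Toy model of a phone-number + OTP login API: the leaky variant the talk
describes next to a hardened one. Added example; not Honda's code or the
speaker's scripts. Endpoint behaviour, JSON field names and limits are assumed."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5        # assumption: a code dies after five wrong guesses

# Stand-ins for the server's database and SMS gateway (constructed for the example).
OTP_STORE = {}          # (phone, purpose) -> pending OTP record
SMS_OUTBOX = []         # messages the real server would hand to the SMS provider


def send_sms(phone, text):
    SMS_OUTBOX.append((phone, text))


def _new_otp():
    # Six digits from the CSPRNG; random.randint() would be predictable.
    return f"{secrets.randbelow(10**6):06d}"


def request_otp_vulnerable(phone):
    """Models the bug: the code meant for the user's handset is also echoed in
    the JSON reply, so knowing a phone number is enough to finish the login."""
    otp = _new_otp()
    OTP_STORE[(phone, "login")] = {"otp": otp,
                                   "expires": time.time() + OTP_TTL_SECONDS}
    send_sms(phone, f"Your login code is {otp}")
    return {"status": "OTP_SENT", "generatedOtp": otp}   # <-- the leak


def verify_otp_vulnerable(phone, code):
    rec = OTP_STORE.get((phone, "login"))
    return rec is not None and rec["otp"] == code   # no expiry, limit or reuse check


def request_otp_hardened(phone, purpose="login"):
    """Same flow with the fixes a reviewer would ask for: nothing secret in the
    reply, only a hash of the code kept server side, and the code bound to one
    purpose so a login code cannot drive the 'forgot MPIN' reset."""
    otp = _new_otp()
    OTP_STORE[(phone, purpose)] = {
        "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(phone, f"Your {purpose} code is {otp}")
    return {"status": "OTP_SENT"}


def verify_otp_hardened(phone, code, purpose="login"):
    rec = OTP_STORE.get((phone, purpose))
    if rec is None or time.time() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        return False
    rec["attempts"] += 1
    given = hashlib.sha256(code.encode()).hexdigest()
    ok = hmac.compare_digest(given, rec["otp_hash"])   # constant-time compare
    if ok:
        del OTP_STORE[(phone, purpose)]                 # single use
    return ok


def attacker_login(phone, request_fn, verify_fn):
    """What the talk's script effectively did: ask for a code and read it
    straight out of the HTTP response instead of the SMS."""
    resp = request_fn(phone)
    return verify_fn(phone, resp.get("generatedOtp", ""))


def code_from_sms(phone):
    """What the legitimate user does: read the last SMS sent to the handset."""
    for to, text in reversed(SMS_OUTBOX):
        if to == phone:
            return text.split()[-1]
    return None


if __name__ == "__main__":
    print("leaky API, attacker knows only the number:",
          attacker_login("+91-000-0000000", request_otp_vulnerable, verify_otp_vulnerable))
    print("hardened API, same trick:",
          attacker_login("+91-000-0000001", request_otp_hardened, verify_otp_hardened))
```

Against the leaky variant `attacker_login` succeeds with nothing but a phone number, which is the whole exploit the talk describes; against the hardened one the same call fails because the reply carries no code. Binding the code to a purpose is what closes the second path in the talk, where the login OTP leak was reused through the "forgot MPIN" flow, and the attempt limit keeps a six digit code from being brute forced once it is no longer handed out.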