Hello, everybody. My name is Jay Turla, and I'll be talking about a bug hunter's guide to bashing for car hacking bug bashes or contests. Okay, so who am I? I'm Jay Turla, or shipcod3, from ROOTCON. I'm a security ops manager from the Philippines at Bugcrowd, and I'm also a ROOTCON goon (ROOTCON is a hacker conference in the Philippines) and on its CFP review board. I'm not the author of the Turla malware despite my family name; I'm not even Russian, I'm Filipino. I'm also one of the main organizers of the Car Hacking Village at ROOTCON in the Philippines, or Car Hacking Village PH. I've also contributed to Metasploit, some auxiliary and exploit modules; from time to time I contributed modules, and actually the last module I contributed is related to car hacking, using the MSF hardware bridge, which you can use for hacking a car.

About this topic: it's actually not a mental health topic. The purpose of this is to encourage other bug hunters, especially application security hackers or researchers, to hack cars: to invite them, to tell them they are also welcome to try out car hacking even though they might only know web or mobile hacking. So there are tips and tricks that I'll be showing in the presentation, and also some preparations to do for day zero, which is the day before the event, the bug bash or the contest. There are also some tips and tricks on what to focus on during the bug bash, and I also want to clear up the misconception that car hacking bug bashes are just for hardware and car hackers.
Like I said, there are a few tips and tricks, but there will be no demo, for NDA purposes, because some of the demos from bug bashes usually have an NDA. And lastly, it's more about my experience as a triager for car hacking bug bashes. I've learned a lot from my experience as a car hacker myself and as the one who triaged bugs that were submitted to bug bashes run by the company I work with.

As a summary, it's really about how to succeed in a car hacking bug bash, Pwn2Own, or any hacking contest that involves hacking cars. As you can see from the picture, you've got Specters, Ian Tabor (mintynet) and some of the guys you may be familiar with from the Car Hacking Village or car hacking bug bashes. The guys in the picture were actually successful in hacking some of the components of the vehicles, or some of the scopes of the bug bashes. This picture shows real collaboration between teams.

This is a sample picture of a car hacking bug bash sample payout. Two years ago we actually paid 224 hundred thousand US dollars, and you can see some of the top car hackers. The private user you can see is rank one; he chose to be anonymous, but if you go to the Car Hacking Village you might be familiar with him. I just don't want to spoil the fun of challenging you to figure out who that guy might be; maybe you want to guess, but he's really a good car hacker.

Then these are sample clippings that I got from ZDNet about the Pwn2Own contest. As you can see, a researcher duo who hacked a Tesla car won the competition's overall standings, and they also got to keep the car.
So imagine that. Team Fluoroacetate, made up of Amat Cama and Richard Zhu, hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment or infotainment system. As per the rules announced last fall, the duo now gets to keep the car, which is very interesting, you know, if you also get the car itself from a car hacking bug bash. They also received 35,000 US dollars as a reward, so aside from the car they got 35,000 US dollars, which is really good. I guess this might encourage some other hackers to hack cars as well.

So the question now is: what if I am not a car hacker yet? What if I'm just starting? What if I want to start hacking cars? No need to worry about that, I've got you, bud. First of all, my favorite book about car hacking is The Car Hacker's Handbook: A Guide for the Penetration Tester by Craig Smith. You can also go to the online version, which is free.
But if you want to buy the ebook or the paperback, it's on Amazon or other bookstores. I got the paperback myself and it's signed by Craig Smith. Craig Smith is really a good guy, and in fact I've learned a lot from his book itself.

There are also some good car hacking resources that I want to reiterate if you want to start your car hacking journey or prepare for a bug bash. The first one is of course the nano-can, which is a $5 car hacking or CAN bus hacking tool that you can actually solder and play with. I've got a lot of PCBs of them, and I also have my own which I soldered, and mintynet gave me his version at a conference, BSides (I forgot which one), so I've got that one too. If you go to his GitHub link you can see some of the sketches and also how to create or replicate the PCB. Then there's also a link from carhackingvillage.com about getting started with car hacking. It's pretty much how to get started with can-utils and some techniques you can use with can-utils, like cansniffer, cangen and some of the other can-utils tools. Then of course there's another tutorial, by Ian Tabor at a conference, CAN bus basics with hands-on fuzzing. The reason I reiterate this is that Ian Tabor simplified it, and also because he has good hardware to practice with in that talk; and, as many of you may not know, Ian Tabor is one of my mentors for car hacking as well. Next up we have a curated list of awesome resources: books, hardware, utilities, tools, people to follow in the car hacking or automotive security field. And then, because the Car Hacking Village was also an inspiration for me to start hacking cars, the Car Hacking Village videos are on YouTube as well, so you can visit that. And of course, if you are at a hacker conference, please do visit its Car Hacking Village.
There are a lot of hacker conferences right now that have car hacking villages. In fact, even in my country we started a Car Hacking Village; we started from scratch, we've got simulators, some virtual boxes for running virtual CAN, and also some instrument clusters and some ECUs that people can play with. In other countries as well they've really beefed up their car hacking villages; in fact some of the conferences right now have their own cars that they show for car hacking, for other people to play with. I myself got to play, I think that was like four or three years ago, with a car that was presented at the Car Hacking Village at DEF CON.

Then there's also a good link, Adventures in Building a CAN Bus Differ from TechMaker UA. My friends from TechMaker UA are also very good car hackers. I've seen how they hack, and I've seen how they got some good prizes and rewards for the hacks they did at a car hacking bug bash, and the technique is, you know, understanding the CAN bus, and it's all about teamwork and collaboration.

Next is really how I started back in the day. It's really about baby steps, and I think you can do it as well. The first thing I did was of course playing with the infotainment system of my car, and I was able to create my own PoC and execute command injection on the infotainment system via the Universal Serial Bus, or USB port. Then, on the left side, I started by playing with an instrument cluster which was given to me by mintynet, and I used the nano-can and other slcan devices to play with it. The second cluster I played with was a Mazda instrument cluster, which my friend and I played with, and it was really fun. I learned a lot from that experience.
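The "CAN bus differ" technique mentioned above (capture the bus at rest, capture it again while you press a button or move a needle, and look at what changed) is the core of reverse engineering an instrument cluster. The following is an editor-added example, not code from the speaker or from TechMaker; it parses candump -L style log lines and reports, per arbitration ID, the byte positions that were constant at rest but changed during the action. Bytes that already vary at rest (counters, checksums) are ignored so they do not drown the signal. The two captures embedded below are constructed sample data, not a real vehicle log.

```python
"""Minimal CAN capture differ over candump-style logs (editor-added example)."""
import re
from collections import defaultdict

# One `candump -L` line looks like: (1612345678.123456) can0 244#0000000000000000
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return a list of (arbitration_id, payload_bytes) from candump log text.
    Lines that are not plain data frames (RTR frames shown as '123#R', blank lines) are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or len(m.group("data")) % 2:
            continue
        frames.append((int(m.group("id"), 16), bytes.fromhex(m.group("data"))))
    return frames


def values_by_id(frames):
    """Group payloads by arbitration ID, preserving order of appearance."""
    by_id = defaultdict(list)
    for arb_id, data in frames:
        by_id[arb_id].append(data)
    return by_id


def diff_captures(baseline, action):
    """Compare a capture taken at rest against one taken while an action was performed.

    Returns {"new_ids": [...], "changed": {arb_id: {byte_index: (rest_values, action_values)}}}.
    A byte is reported only if it held a single value at rest and took a value outside
    that set during the action, so free-running counters at rest are filtered out.
    """
    rest = values_by_id(baseline)
    act = values_by_id(action)
    new_ids = sorted(set(act) - set(rest))
    changed = {}
    for arb_id in sorted(set(rest) & set(act)):
        rest_vals, act_vals = rest[arb_id], act[arb_id]
        length = min(len(d) for d in rest_vals + act_vals)
        for i in range(length):
            rest_set = {d[i] for d in rest_vals}
            act_set = {d[i] for d in act_vals}
            if len(rest_set) == 1 and not act_set <= rest_set:
                changed.setdefault(arb_id, {})[i] = (sorted(rest_set), sorted(act_set))
    return {"new_ids": new_ids, "changed": changed}


# Constructed sample captures (not a real vehicle): ID 0x1A0 carries a counter that ticks
# at rest, ID 0x244 byte 3 flips when the "action" happens, and ID 0x3C0 only appears then.
BASELINE_LOG = """\
(1000.000000) can0 244#0000000000000000
(1000.010000) can0 1A0#0100
(1000.020000) can0 244#0000000000000000
(1000.030000) can0 1A0#0200
"""
ACTION_LOG = """\
(2000.000000) can0 244#0000001000000000
(2000.010000) can0 1A0#0300
(2000.020000) can0 3C0#FF
(2000.030000) can0 244#0000001000000000
"""


def sample_diff():
    """Run the differ over the constructed captures above."""
    return diff_captures(parse_candump(BASELINE_LOG), parse_candump(ACTION_LOG))


if __name__ == "__main__":
    result = sample_diff()
    for arb_id in result["new_ids"]:
        print("new ID during action: 0x%03X" % arb_id)
    for arb_id, bytes_changed in result["changed"].items():
        for idx, (before, after) in bytes_changed.items():
            print("0x%03X byte %d: %s -> %s" % (arb_id, idx, before, after))
```

In practice you record the two captures with candump -L on the cluster's bus, feed them to diff_captures, and then replay only the candidate ID with cansend to confirm which byte drives the needle or lamp.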
I know that a lot of guys started with virtual CAN, based on the talks I've seen from other countries. I would really advise starting by playing with an actual instrument cluster, or hooking it up with an ECU, or playing with your infotainment system, but you must know the risks of it. Then, of course, like I said, there are some simulators you can play with: you've got the UDS simulator by Craig Smith, you have the ICSim simulator by Craig Smith, and there's also hardware you can buy as an ECU simulator, which you can see on the left side of the screen, in the picture where it shows the protocol and you can see that the mileage is off. This is a sample ECU simulator that I bought from Taiwan, from Cindy. It's not really much that you can play with, but it's a good thing to start with. If you want a cheaper one, I would really advise an instrument cluster, which costs like $20, $30 or $40, and if you want your own ECU kit it just costs like a hundred or a hundred and twenty dollars on eBay. There are a lot of things you can buy on eBay; in fact I've been collecting some vintage computers from eBay as well.

uds-server is one of my favorites as well. It allows you to understand what happens if you try to fuzz the ECU; Craig Smith did a good one on this, and also the instrument cluster simulator. These tools or utilities are available on GitHub for free, so you might want to check them out.

Like I said, my main inspiration really is the Car Hacking Village. My first DEF CON was actually DEF CON 24, and I was just amazed. This picture is actually from DEF CON 25 or 26.
I think I took the picture myself, and there are actually some good test bench setups you can play with, so it's really fun if you visit the Car Hacking Village. My advice, if you really want to start playing with the CAN bus network or the other protocols of the car, is to invest in or acquire some tools required for interacting with CAN. Here are some samples of what I have: I have a ValueCAN, I have the CAN bus differ by TechMaker, I have a nano-can and a P1 from Macchina. There are other tools in my box; I have my own box which contains some of the tools I use for playing with my car.

There are also some open source tools you can start playing with. If you go to car-hacking-tools by J. Gamblin on GitHub and clone it, there are some tools you can use; it's a collection of scripts to help jumpstart car research and hacking, and all the scripts are designed to run on Ubuntu, Debian and Kali. On the right side of the screen you can see some of the tools in there. Then, from what I usually see from car hacking bug bashers, these are the common enterprise tools on the block that they use: we have Vehicle Spy and CANoe, right? I don't want to promote the products, but these are also good enterprise tools and I've seen a lot of guys using them as well.

Then, like I said, car hacking bug bashes are not just for car hackers; they're also for hardware hackers and IoT hackers, and if you're good at network pentests you can also bring some of the tools we use for penetration testing. I would like to reiterate that you need to prepare yourself and bring some of your hardware hacking tools, network hacking tools or pentest tools. In fact, you can see from the box there that I have a Pineapple.
I also have a HackRF, an Alfa adapter, some CAN bus hacking tools, a ZigBee device, and also some hardware hacking gear for interacting with a UART and other hardware interfaces you can play with.

These are the sample ratings or common classifications from bugcrowd.com/vrt, the Vulnerability Rating Taxonomy. I'm one of the guys who contributed to this one, which is open source. It serves as a guide for car hackers about the priority of the vulnerabilities you can submit to a car hacking bug bash or contest. As you can see, the first one there is PII leakage, which is under P1, a critical vulnerability. Then if you can clone the key fob from the RF hub, we consider that a P1. If you can execute command injection on the infotainment or radio head unit and then go to the CAN bus, doing a CAN bus pivot, we consider that a P2; if there's no CAN bus pivot, just command injection, it's pretty much a P3. There are also some CAN injections you can refer to, for example the battery management system, the steering control, the pyrotechnic device deployment tool, the headlights, the sensors: it's pretty much a P3 if you can interact with them. We used to have these as P1, but we reorganized the classification together with our partner and decided it would be a P3, based on the TARA or threat assessment that we have. What remains, of course, is that if you can do key fob cloning or OTA firmware manipulation, that's P2, and code execution or CAN injection from the RF hub is considered P2. If you need to go to bugcrowd.com/vrt, you are free to do so.
It's free and open source. In fact, any car hacker can also contribute on GitHub and suggest some of the attacks that can be done on a car.

Next up: wait, what's this classification? I want to simplify it. The reason we have those classifications is that we want to assess the attacks that are done. We used to have an incomplete way of prioritizing car hacking or automotive security bugs, but right now, with the improvement of the VRT for automotive security bugs, we've classified them based on the impact of the bug, the exploitability of the bug, the proof of concept that the hacker presented, the proximity of the attack, and also the CIA triad (no, not the agency, but confidentiality, integrity and availability). Take for example PII leakage: of course it ranks higher on confidentiality, because that is personally identifiable information. There are other things we classify, and it's part of our threat assessment and remediation analysis, or TARA. P1 is critical and P4 is low; if it's P5, it's pretty much not rewardable, or out of scope for a car hacking bug bash.

Here is a checklist of common bugs or issues. The reason I put this on the slide is to give some information about the common checks or hacks that car hackers do first, before anything else. One of the things they usually do is send messages from the dirty side to the clean side; most of these are ECU resets, airbag deployment via the OBD-II port for example, infotainment or radio head unit controls, etc. If they can send messages from the dirty side to the clean side, that's something they usually look for, because they just don't know; maybe they will get rewarded. In fact, two years ago, for this kind of hack the rewards were pretty much 25,000 US dollars just for this. You never
know. You also get to find these kinds of attacks, but the problem is that in a car hacking bug bash these are the most common ones found, which means it's the first reporter who gets rewarded. So the chances are that even if you are fast enough to do this, someone could beat you and your bug will just get marked as a duplicate. So it's pretty much: always create a better PoC and submit it right away. You need to submit it right away with a good PoC.

Next is injecting disallowed messages on the CAN bus. This is also one of the common things they do: they inject disallowed messages which can cause a denial of service or interact with some of the components or attack surfaces of a car. Then, of course, this one: so far I've seen like two or four submissions of this in previous car hacking bug bashes, but these are actually known hacks, and I've seen some friends from China who have submitted this as CVEs for other cars; in fact BMW has some CVEs related to this, found by someone from, I'm sorry, I forgot, but it's a known company as well: format string vulnerabilities in the infotainment or radio head unit via Bluetooth, Wi-Fi or radio.
These are some of the common bugs, and they're also very easy to replicate and very easy to conduct or use as a proof of concept. For example, name your cell phone or your Wi-Fi "0.00" or "%x%x%x", then let your car connect to it, and it causes a denial of service. That's a sample of a format string vulnerability or attack.

Then we have no authentication on services for telematics, or for the infotainment or radio head unit. It could be that if you connect your car to the internet, or to your router or your ISP, and then do some recon and use nmap to scan for services, some of the most common things you can discover are no authentication when you telnet to one of the services, for example on port 23, which is of course telnet, and there are also some ports where, if you just use netcat, you are taken to a shell right away. Those are some of the common things that are found, and if you're not fast enough your bug will get duplicated.

Next is denial of service on the CAN bus network using CAN bus floods, the firehose attack. If you can somehow cause a denial of service, it's also rewardable, but in some car hacking bug bashes or contests it could be out of scope, so you need to read the scope for that one. Replay, relay and rolljam attacks on the key fob are considered P5 in most car hacking bug bashes, but you never know; maybe in some contests they are considered P4 or P3, so you might want to try your luck, but be sure to read the program brief in case they are out of scope.

Then there's also firmware manipulation.
It's also one of the common bugs that are submitted, along with key fob cloning and source code dumps, not just from the ECU but of course from some of the hardware of the infotainment system, the radio head unit and other hardware in there, especially for example the security gateway, which is considered to be the firewall for the car. Then Bluetooth stack buffer overflows, which lead to code execution: Tencent Keen Security Lab have a lot of proof-of-concepts on this on their blog, so if you want to visit their blog, they have really good proof-of-concepts about buffer overflows related to the infotainment system and other systems as well. Then code execution via USB drive, SD card, etc. So these are some of the common checklist bugs.

Next up, of course, is a sample tip: can you send any of these frames from the dirty side, for example from the OBD-II port or the infotainment system? If yes, it is considered a P1, or considered a firewall or secure gateway bypass if there's an SGW (secure gateway). These are the CAN frames, 7DF or 7E1. If you can actually do this, how do you know if it's successful? This should be the positive response to the frame: you get 02 51 01, and the negative responses start with 03. This actually allows you to do ECU hard resets on the car. Yep, if you can do this from the OBD-II port, that's something we reward. Then, if you can somehow find unauthorized CAN access and interact with it (I got this picture from Black Hat), you never know what you can discover as well.

This is a sample of a PoC for a firehose attack.
In a bash script you send the arbitration ID 000 with 00 data, so maybe you didn't know that you can also perform CAN injection or denial of service this way.

Next is one of the tools that I really like, which I discovered from The Car Hacker's Handbook. If you're stuck with the IDs that you found, you can try recon and do UDS discovery with Caring Caribou. It's open source, and you need Python 3 and make sure to install python-can so that it will work. If you have problems making it work, just message me on Twitter. I really like playing with it, and I've fixed some people's problems with it, but it's really good; it's one of my favorite tools for UDS discovery. In fact, there are some utilities you can use with Caring Caribou; it's a car exploration tool, so there's also a command that lets you do an ECU hard reset, or interact with XCP. So you might want to clone Caring Caribou right now.

Then of course people think that Metasploit is nothing you can play with for car hacking, but people are wrong about that. If you use the command "search automotive" in Metasploit,
you will find some eight modules that are written and geared towards car hacking. Of course you need the hardware bridge server for it, and you need to interact with a CAN device to play with it. There's the CAN flood, which can be used to perform a denial of service on the CAN; a module to probe different data points in a CAN packet; get vehicle information such as the VIN from the target module; scan the bus for diagnostic modules; and there's an auxiliary module that lets you flood the temp gauge on a 2006 Malibu, and maybe you don't know, maybe you could also cause a DoS if you try it on some of the cars you can play with. Then there's the Mazda 2 instrument cluster accelerometer mover, which I actually created, and the last one is the PDT module, which allows you to check for the pyrotechnic devices (the airbags, battery clamps, etc.) and allows you to deploy the airbags if it's vulnerable to the simple algorithm for unlocking the airbags through CAN. There's a good paper about it; in fact, if you use "info" on the module you will see the actual PDF file that contains the research about it. If you want to try playing with it, you can fire up your virtual CAN and use the modules to see for yourself some of the sample attacks on the CAN bus network.

Here's a sample: I used CAN flood, just a sample on vcan0, which is a virtual CAN, and when I tried candump these are some of the things I can see from the dump of the CAN bus. You can see there are a lot of arbitration IDs and different kinds of data being thrown in. That's just a sample, and you never know, maybe you can use it.

There's also a good hardware hacking cheat sheet out there for hardware hackers. It's made by Arun Magesh.
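The ECUReset frames from the dirty-side tip earlier (request on 7DF or 7E1, positive response 02 51 01, negative response starting 03 7F ...) and the Caring Caribou style UDS service discovery are easy to get wrong byte-for-byte, so here is an editor-added example in Python that shows both; it is not code from the speaker, from Caring Caribou or from Metasploit. It builds the ISO-TP single frame for an ECUReset hardReset request, formats it as a cansend argument, decodes positive and negative UDS responses including the standard ISO 14229 negative response codes, and runs a service discovery loop against a FakeECU class that is a constructed stand-in for a real ECU (a real one would be reached through python-can on can0 instead of the handle() call). The FakeECU accepts the reset, which models the vulnerable case the talk rewards: a clean-side ECU that obeys a reset sent from the OBD-II port.

```python
"""UDS over CAN: ECUReset request/response decoding and service discovery (editor-added example)."""

UDS_FUNCTIONAL_ID = 0x7DF   # functional (broadcast) diagnostic request ID
UDS_PHYSICAL_ID = 0x7E1     # one physical request ID; the ECU answers on ID + 8 (0x7E9)

SID_ECU_RESET = 0x11
SID_TESTER_PRESENT = 0x3E
NEGATIVE_RESPONSE = 0x7F

# Subset of ISO 14229 negative response codes (NRC) a tester sees most often.
NRC_NAMES = {
    0x10: "generalReject",
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x33: "securityAccessDenied",
    0x78: "requestCorrectlyReceived-ResponsePending",
}


def response_id(request_id):
    """For the standard physical request IDs 0x7E0-0x7E7 the ECU replies on request ID + 8."""
    if 0x7E0 <= request_id <= 0x7E7:
        return request_id + 8
    raise ValueError("functional requests (0x7DF) are answered on each ECU's own physical response ID")


def single_frame(payload):
    """Wrap a UDS payload of up to 7 bytes in an ISO-TP single frame: length nibble, data, zero padding."""
    if len(payload) > 7:
        raise ValueError("single frame carries at most 7 bytes")
    return bytes([len(payload)]) + payload + b"\x00" * (7 - len(payload))


def ecu_reset_frame(sub_function=0x01):
    """ECUReset (0x11) request; sub-function 0x01 is hardReset."""
    return single_frame(bytes([SID_ECU_RESET, sub_function]))


def cansend_string(arb_id, frame):
    """Format a frame as a can-utils cansend argument, e.g. 7DF#0211010000000000."""
    return "%03X#%s" % (arb_id, frame.hex().upper())


def classify_response(frame):
    """Decode an ISO-TP single-frame UDS response.

    Positive: <len> <SID+0x40> ...     e.g. 02 51 01 means ECUReset hardReset accepted.
    Negative: 03 7F <SID> <NRC>        e.g. 03 7F 11 22 means conditionsNotCorrect.
    """
    length = frame[0] & 0x0F
    data = frame[1:1 + length]
    if not data:
        return {"kind": "empty"}
    if data[0] == NEGATIVE_RESPONSE and length >= 3:
        return {"kind": "negative", "sid": data[1], "nrc": data[2],
                "nrc_name": NRC_NAMES.get(data[2], "unknown")}
    return {"kind": "positive", "sid": data[0] - 0x40, "data": data[1:]}


class FakeECU:
    """Constructed stand-in for an ECU (not real firmware). `supported` maps SID -> set of
    allowed sub-functions, or None when the service takes no sub-function."""

    def __init__(self, supported):
        self.supported = supported
        self.resets = 0

    def handle(self, frame):
        length = frame[0] & 0x0F
        data = frame[1:1 + length]
        sid = data[0]
        if sid not in self.supported:
            return single_frame(bytes([NEGATIVE_RESPONSE, sid, 0x11]))
        subs = self.supported[sid]
        if subs is not None and (len(data) < 2 or data[1] not in subs):
            return single_frame(bytes([NEGATIVE_RESPONSE, sid, 0x12]))
        if sid == SID_ECU_RESET:
            self.resets += 1          # a real ECU would reboot here
        return single_frame(bytes([sid + 0x40]) + data[1:])


def discover_services(ecu, sids=range(0x10, 0x3F)):
    """Caring Caribou style discovery: a service is present if the ECU answers anything other
    than serviceNotSupported (NRC 0x11); a different NRC still proves the handler exists."""
    present = []
    for sid in sids:
        resp = classify_response(ecu.handle(single_frame(bytes([sid, 0x00]))))
        if resp["kind"] == "positive" or resp.get("nrc") != 0x11:
            present.append(sid)
    return present


if __name__ == "__main__":
    ecu = FakeECU({SID_ECU_RESET: {0x01}, 0x27: None, SID_TESTER_PRESENT: {0x00}})
    print("send:", cansend_string(UDS_FUNCTIONAL_ID, ecu_reset_frame()))
    print("got :", classify_response(ecu.handle(ecu_reset_frame())))
    print("services:", ["0x%02X" % s for s in discover_services(ecu)])
```

Against a real car, replace the handle() call with a python-can send on the request ID and a receive filtered on response_id(); if the reset goes through from the OBD-II side and you see 02 51 01 come back, that is exactly the dirty-to-clean finding the talk describes.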
I saw this one online and decided to include it; of course, credits to him. These are some of the things you can play with if there is some hardware you can rip out during the car hacking bug bashes, which does happen: there is some hardware that will be given to you that you can play with, so fire up some of your hardware hacking tools on it. Then there's a good guide, for example a link from Mazda tweaks about a Mazda infotainment system we played with and getting a shell: you have RX, TX and ground and where to place them. This shows that you can actually play with some of the infotainment systems, because most of them have a UART on them or other hardware hacking peripherals.

So this is one of the things I would like to reiterate: car hacking bug bashes are not just about IoT, hardware, radio and CAN bus attacks. Web and mobile hacking are also essential skills. Android and iOS apps connected through telematics, or for interfacing with an infotainment system, are some of the things you can hack; update servers, firmware updates, the cloud, for example. You need to think about how connected the car is: does it have API endpoints? How do you do that if you want to try it? You need to do recon and identify attack surfaces that have web servers and APIs. And what are you going to do with them? Of course the OWASP Top 10, right? Because the OWASP Top 10 is everywhere. Maybe there's a web server up, or there's an API that your infotainment, or one of the mobile apps your car is connected to, talks to. Maybe you could do a SQL injection on the update server as well, or maybe there are some things you can do on the update server, command injections, or things that could somehow be part of the scope.

Then, web hacking essential skills.
You have the OWASP Top 10 vulnerabilities, and Burp is your friend. You need to try intercepting requests from the mobile app, the update servers and the PKI bridge, and I would highly recommend the SQLiPy Burp extension; it's a good tool for automating your SQL injection attacks in Burp. Another thing you can do is check whether you can manipulate some vehicle functions through unprotected APIs. So these are the reasons why web hacking is essential.

Another thing is that mobile hacking is also an essential skill. You have the apps that interface with your vehicle, especially with the infotainment or entertainment system. You need to decompile the binaries, the APK or the IPA, and I would recommend Genymotion for Android emulation, so that it's easier for you to intercept the requests via the Burp proxy. Another thing to check is possible cleartext database storage, like the SQLite database; if you can find information there, that's actually one of the bugs we are looking for. And yes, OWASP really applies to this as well, because you can intercept the requests from Burp. Then, adb shell is love: if there are some Android devices connected to the car, especially the infotainment system, why don't you try to fire up adb shell? And always check for hard-coded API keys when you have decompiled binaries from the APK or IPA.
You never know what you can find, really. The last one is to repeat and check how the app interfaces with the car. And if this is not enough, go to the OWASP Mobile checklist or Top 10; there's something you can learn there for mobile hacking, especially for appsec hackers who are not into mobile hacking.

Here's a sample. I'm not sure if you guys remember the Nissan Leaf fiasco, but the problem with that was the VIN: the VIN was used for authorization purposes and for controlling some of the features, take for example the check climate control. The whole API was unauthenticated and only required a VIN to target a vehicle. The URL or domain is redacted, but here is a sample GET request: if you have the complete VIN of the car you can actually control some of the features of the Nissan Leaf, which is an electric car. This is a sample of being able to do the check climate control, and then you are given a response, and from this you can see that the whole API is unauthenticated. If you go to the link below, credits to Troy Hunt, you can see some of the things that were done in the assessment of this. So yeah, web hacking is an essential skill.

Next up: what if you're at the event right now? Okay, what if you're at the bug bash right now, it's day one, and you're scared because you don't know some of the people? Really, at most of the car hacking bug bashes they really know the people; it's just that maybe two or three or five people there are actually new to car hacking bug bashes or new to car hacking. But car hacking is really a small world, because they're all in a Car Hacking Village; I think most of the people I met there I have seen at some of the car hacking bug bashes or contests as well. So the first thing you need to do is read the program brief or rules of the bug bash.
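The Nissan Leaf pattern above (the VIN is the only thing the API checks) is worth seeing next to the check that was missing, since it is exactly what an appsec hunter should test on any connected-car API. The following is an editor-added example, not the Nissan API or Troy Hunt's code: a vulnerable handler that authorizes by VIN alone, beside a hardened one that first authenticates a session and then requires the session's user to own the VIN. The vehicle records, VINs and usernames are constructed sample data, not real vehicles; the token and session handling are a stand-in for whatever the real backend uses.

```python
"""VIN-only authorization beside an owner-bound check (editor-added example)."""
import secrets

# Constructed data: two accounts, two cars. The VINs are made up, not real vehicles.
VEHICLES = {
    "SJNFAAZE0U6012345": {"owner": "alice", "climate": "off", "battery_pct": 74},
    "SJNFAAZE0U6099999": {"owner": "bob", "climate": "on", "battery_pct": 31},
}
SESSIONS = {}  # session token -> username (stand-in for a real session store)


class AuthorizationError(Exception):
    pass


def _climate_view(vin, car):
    return {"vin": vin, "climate": car["climate"], "battery_pct": car["battery_pct"]}


def vulnerable_climate(vin, new_state=None):
    """The pattern the talk describes: no authentication at all, the VIN is the only
    input that selects the target. A VIN is stamped on the windscreen and shares most of
    its characters with every other car of the model, so it is a lookup key, not a secret."""
    car = VEHICLES.get(vin)
    if car is None:
        raise KeyError("unknown VIN")
    if new_state is not None:
        car["climate"] = new_state      # anyone holding the VIN controls the car
    return _climate_view(vin, car)


def login(username):
    """Issue a random session token for a user (stand-in for the real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_climate(token, vin, new_state=None):
    """Authenticate the caller, then authorize: the session's user must own the VIN."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthorizationError("not authenticated")
    car = VEHICLES.get(vin)
    # Same error for an unknown VIN and for someone else's VIN, so the endpoint
    # cannot be used as an oracle to confirm which VINs exist.
    if car is None or car["owner"] != user:
        raise AuthorizationError("vehicle not accessible")
    if new_state is not None:
        car["climate"] = new_state
    return _climate_view(vin, car)


if __name__ == "__main__":
    print("attacker, VIN only:", vulnerable_climate("SJNFAAZE0U6099999", "off"))
    alice = login("alice")
    print("alice, own car  :", hardened_climate(alice, "SJNFAAZE0U6012345"))
    try:
        hardened_climate(alice, "SJNFAAZE0U6099999")
    except AuthorizationError as e:
        print("alice, bob's car:", e)
```

When you test a real app, intercept the mobile app's request in Burp, swap in a different VIN, and replay it with and without the session cookie or bearer token; the hardened version above is what a correct response should look like in both cases.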
Take note of the scope of the program, and focus on the scope and exclusions of the program. For example, these are the common ones that are out of scope: GPS spoofing, denial of service via CAN injection. I would like to reiterate: please don't submit out-of-scope bugs if they're excluded in the brief; there's no need to submit them, and you could get penalized for it. The program brief also contains some of the things they may want you to look for, so it could be that the program brief says "we want to look for firmware OTA manipulation" or how you could reverse engineer the firmware, so it also gives you an overview of what to hack. It also contains, for example, "we want a gateway bypass; here are some of the things you could do." Those are some of the things you can read from the program brief; it also gives you common attacks you can do on the car. Then check which security bugs are of interest to the program: authentication or firewall bypass, CAN injection attacks, code execution, and again, which CAN messages can you send from the dirty side? These are some of the common ones, and the program brief has this kind of information, so that's why you should always read the program brief and the rules.

Do you need more? If you want more information, maybe you can ask the program owners or the ASE assigned; maybe you can ask for DBC files, which are a proprietary format that describes the data on a CAN bus, known issues, and the vehicle network architecture. In some cases they will provide the vehicle network architecture, and in some cases they can also provide known issues that were submitted before; maybe you can create a bypass for the fix, or submit it again and check if you can do another technique related to it.

Do you have friends at the event? If you're at the event, how about teaming up or collaborating?
One of the things that I notice is some of the most successful or Bugs were submitted Involved collaboration. All right There are in fact, there's There was a team before they were composed of I think more than five people and they submitted More bugs All right Than other uh than other um than other players or than other teams, but You know, it's really good because it has something to do with collaboration teaming up and then You know, they got some good rewards as well that they could you know, just split up So take for example uh They got a p1 and they're only two so So pretty much like what if they got 30 000 us dollars as a reward they can split it up for 1500s us dollars. All right, so it's all about collaboration. I've seen some good collaboration and If you if you have tools that are um That you don't have maybe you want to get that guy and collaborate with right and if you think that there's something that could be done with um the radio and you don't have much information about the radio, but you know a guy that Probably knows more about radio security than maybe you could team up with that guy. All right I've seen some people collaborating even though they don't know the person Or they just heard of the person or they've noticed That person playing or poking something during the car hacking bug pass. All right, don't be shy make friends So next up is how to write a good report. All right You need to to submit clear reproduction steps. This is a sample so you need to describe the vulnerability and you need to Enumerate the replication steps You need to make sure that it's easy To understand for the Tree adder or the one that will be handling the report. So They for example rename your phone to blah blah blah Connect your pair your phone to the infotainment via bluetooth Use the navigation buttons to control the infotainment and it should remain stuck with which means you were able to break the infotainment system and then Provide another information. 
"I also tried restarting the infotainment and this does not resolve the issue. It only works fine after doing a hard reset", blah blah blah. Then make sure to submit a screenshot or a picture of the bug; if there is a picture it's easier to reproduce as well, and if you have a video, attach the video. Don't leave the triager hanging when you submit a report: make sure you include all the PoC steps, easy-to-understand pictures, and also videos if you can record one, and also provide candump logs, or logs of the attack.

For anything else, I would like to give a shout out and credits to the Car Hacking Village community: to Justin, to Craig Smith who has been my inspiration, Ian Tabor my mentor, Car Hacker whom I met at a lot of events and a very cool guy, Will Corona, Frunders, the guys from TechMaker, ASRG (they have tons of good resources), ASRG Singapore, my friends as well, Specters (I've met this guy and he's a cool dude and he has a cool team too), Jammy who is my friend, and also Sam Prex, the founder of ROOTCON, who are my supporters for my Car Hacking Village; and of course to zdnet.com, where I ripped one of the articles about Pwn2Own. Shout-outs to them; I wouldn't be in this industry or have these kinds of resources without these guys and the link that you can see there. So if you have any questions, let me know, I'm on Twitter. I will be seeing you all at DEF CON. All right.