 Hey, hello world. It's your boy Brent back with another talk on hacking cars Last time we talked about how we automate the hack this time. We're going to talk about how to stop the hack Automatically so without further ado. This does not reflect any opinions of the government the military and Any photos or cited papers that are shown in the talk those of course belong to their original copyright holder and So let's talk about the threat. All right, so if we spoof the acceleration brakes and the parking assist To control the steering we can get into a pretty dramatic situation where let's say a cybercriminal Starts a three-way call with the mother Their teenager is in the car and say mom the car won't slow down and all of a sudden There's a new strange voice. Maybe a computer automated voice says you have three minutes to send me $10,000 Using the link in a text message. I just sent you if you don't comply I will crash this car at 110 miles per hour the attacker disconnects leaving the scared mother On the line with their teenager who's about to possibly die from this exploit This is not necessarily a fictional scenario Surely you've probably heard of Chris Miller and ballastex hack of the Jeep So this is already something that's happened and as cars get more and more automated more and more connected to the internet This is a threat that will continue to happen. So how do we stop it? Let's use offense offense is the best defense We can specifically do bit smashing to stop the attacker in their tracks What it turns out is actually if you look at it These control protocols that are in cars while they may seem super insecure with a very small and inexpensive change We can achieve almost perfect security and I'll get into that understand It's a very bold claim to make but it's pretty surprising how elegant and well this Defense method would work So stop your denial service, which is typically thought to be unstoppable in these control network situations It'll stop spoofing And this will work for a lot of the control networks that are multicast Which means one sender sends a message and nearly all or all of the other devices on the network will receive that message And the ones that it's not intended for will simply ignore it while it's on the wire One other nice benefit of this particularly for cars is you no longer need an intrusion detection Works out that the way that this defense is implemented you achieve effectively perfect intrusion detection Without any sort of complicated machine learning or AI it just works All right, so what is bit smashing first of all? Let's say agency on the network wants to send a payload of hex a And they're the fraud they're the attacker trying to send some malicious Dad on the network now they're sharing a physical wire with all the other nodes in the vehicle or in the multicast Control network. So B is our our valiant hero who wants to stop this attack So B wants to stop C in their tracks What B will do is while the voltage is still going up and down on the wire as C tries to transmit their message B in real time can stop that transmission while it's in progress By putting extra voltage on the wire that C is not expecting and what this will do is essentially Smash the logic that C is trying to send and B will take over the communication on the bus C will stop talking and then the attack is stopped So as you can see here on the left see sending zero one zero one zero and by be sending that extra logical one That extra amount of voltage a certain time segment. They effectively stop C in their tracks So that's bit smashing Now, I'm not the chef here. Okay. Last time we talked the previous talk called reverse engineering 17 cars in under 10 minutes In that I was a chef and your waiter in here I'm not the chef this I did not come up with this solution and it's actually pretty well documented In particular this article you see in the green on the top right that 2017 academic proof of concept Which was in the IEEE vehicle magazine. I encourage you to grab a copy if you get a chance and check it out it's a very clear explanation of How the process works beyond what I'm talking about here and then also they show you the hardware they use to actually implement this proof of concept that way you can try this out yourself and Tinker around without having to burn any sort of custom hardware One part of this security that is not perfect is we're not getting confidentiality. Okay, this is still a control network We're still basically talking in an open room where each person is a member of that room And when they project their voice no matter how loud you want to talk you're not going to stop the fact that that other person is talking Everyone else will still hear them So you're not going to get confidentiality In an open room talking to other folks But what we do get is integrity and availability So integrity am I sure who sent this message is the person? I think it is and then is this the message that they originally intended to send me hasn't been modified There's no man in the middle business going on and then from availability That's your denial service. Can I talk in the network when I want to talk on it and is it behaving how I'm it's designed All right, so give a little bit more context we are not talking about general use networks and here what I mean like the Internet Wi-Fi Anything where you can add or remove endpoints and adjust the Structure and the number of participants in the network Dynamically and you don't need to make any adjustments. It just naturally works out. That's not what we're talking about here We actually gain a lot of benefit by not having this because here in the general use network There's no way of necessarily knowing How many participants are in the network? So when you see new data go on the network It's unclear whether they are a legitimate user and member of the network or not Additionally, there's tons of metadata for keeping track of which messages are where Who owns what and spoofing that metadata is just one more attack vector to make it even more confusing To know the origin of a message Here we're talking about control networks, okay? So medical electronics vehicles obviously in this case car hack village But planes trains automobiles factory floors you name it so control networks You're not trying to add and remove host very often You pretty much know the machines and components that you want to communicate and that's a fairly fixed number Maybe you might add one or two every couple years and you can document that it's a very deliberate process And you also lose metadata and so in this case it actually goes for a benefit here because now there's even less Information the attacker has a spoof. They basically have to talk in the wide open and there's not a lot of extra Information that they can lie about they simply say I'm this person and send their information and If there's already someone that says hey, that's my name So who are you? It's becomes very clear and evident that that person is not who they say they are that note is not of legitimate So what does this look like in practice if a wants to send some information they send it over the bus again This is multicast so everyone gets a copy and if you look at this wiring harness from a vehicle It might look something like this where it originates at one point of that wire and then it gets sent out to multiple other endpoints Now granted in vehicles. There's a lot of things like gateways Which effectively create collision domains or if this term is more familiar to you subnets even though it's not strictly subnetting So sometimes these gateways you don't necessarily see the entire bus on the vehicle We'll get to that but that's not a problem matter of fact. It actually goes for a benefit even more So what is the problem? So because I have this multicast nature and let's say I've got my instrument cluster talking to some other piece of information I may also have a telemedics unit. I may have a Entertainment system that has a SIM card in it the where I pay for Wi-Fi connection to my vehicle that way I have in vehicle Wi-Fi I can update my maps whatever reason you want to be connected or for example the Tesla business model Which is instead of having to recall vehicles and it's a very expensive and time-consuming process I can do a lot of things over-the-air software updates to change the behavior of the car in which case a Data connection is mandatory to do that So again, we've got some sort of internet connectivity to the vehicle now these systems which were designed to be very pretty insecure There's no cryptology. There's nothing really no authentication But it used to be air gap. So it was okay now. It's no longer air gaps now We've got attackers that can reach these networks So let's assume the attacker has done so one way or another they've gone on toward our Control network and they can modify our brakes. They can turn off our accelerator. They can turn off whatever Possibly even take control if we have that power steering module and we're in a lot of trouble So we want to stop that from happening One thing the attacker going to choose to do was pretty dangerous attack Simply pick a high priority message identifier that no one else is using and just spam that as quickly as they possibly can Essentially you turn off all communications and now you've got no steering no acceleration. No brakes. You're just dead in the water So if you look at the wired article for when Miller and Ballasek did the G pack They probably did something similar to this the other situation is a little bit more nuanced is you've got a Specific packet you want to send to a specific location to fool that that part of the network? And you simply just say I'm this person and right now the way it goes even if be can see this happening Module be here. There's really nothing they can do about it. They just have to grin and bear it That someone else is using their ID that they know should not be used by anyone else And the attack simply happens be you can try to send messages all they want But now you just get into basically dossing the network all over again When you get into a fight of the legitimate be versus the attacker acting like there be So we want to stop denial service. We want to stop spoofing So here's the solution. We're gonna bit smash those communications So again bit smashing is adding that extra voltage on the wire physical layer in order to stop that communication or take it over So the way we're gonna focus on cars here obviously because it's car hack village But again, this is fairly generic process, but here we've got the machine and it's logic So in this case the actual physical break caliper There's going to be some internal wiring and control there to actually squeeze onto the disc brake and Slowly car down. Okay, that's part of the machine logic The vast majority of the cost that component is that machine in the logic Touching that is what's called a can controller. Okay, that's the piece of Little chip and or software within the bigger logical board That actually implements the controller area network protocol So what order do I send things? How do I interpret messages? How do I synchronize with the network clock, etc? And then separate and distinct from that once more is the can transceiver and that's the piece that actually implements the layer one Electrical electrical engineering to talk on the wire. Okay, so how do I actually make a waveform and create voltage on the wire to communicate? So in either case I can leave alone all the design that I'm doing for my main machine I could just modify that Commercial off-the-shelf products that can controller or the can transceiver or both if I modified one of those to implement bit Smashing then the manufacturer really doesn't have to care They could just buy that product off the shelf attach it to their existing product There's really nothing else that they have to do and you get the security. So it's extremely low-cost These can controllers and transceivers. We're talking less than a dollar most of the time if not pennies To do this and if we assume that that cost quadruples to add the bit smashing capability We're talking about, you know, 20 cents versus 80 cents to get a completely secure solution One way of thinking of this if you have any background in security is this is a doing intrusion detection and prevention Using a decentralized access control list So if every endpoint knows what their name is and they'll bit smash anyone else that tries to use that name Essentially, you get an access control this that way stopping any sort of traffic does not pass That check All right, so here I am Be our hero once more good boy and he's watching the bus and I'm watching the attacker send some information And the way I know he's an attacker is I'm watching him send bits on the bus over time I'm not processing this in real time. I see that. Hey, you just use my ID. That's not okay I'm the only one that gets to use that ID on this bus So now I've got a long time relatively speaking To react and actually bit smash There's about up to 80 or so possibly the more clock cycles or bus cycle should I say The clock going clock increments to have an opportunity bit smash So even if it takes a little bit of processing to actually decide, okay Yep, they use my D. I'm going to use this clock cycle to figure out. Yep I definitely want a bit smash and then in here either the CRC or the data I can just start holding the voltage high. I will bit smash that transmission all of the Members of the network will throw out that message And they will even stored in memory They won't even transmit it up to that higher component that they're supporting Okay, it will stop at that can controller So one time I just want to emphasize if we're set trying to say spoof or attack that break The break won't even realize an attack is happening because it will stop at that controller Chip or logic and it won't even make it to the part of the Control unit that's actually working the break. It won't even realize it's happening All right So way that would look the telematics unit if we say that's the source of the attack Tries to send the message before it even makes it to a Troll module be our heroes as to bees. No way not to bees. They can only be one. Okay. I'm the only be We get this out of benefit. Okay with can in particular Any time that you an error occurs while you're trying to transmit by the way controllers are supposed to be implemented to meet the Can standard if a fault happens while I'm trying to talk I Essentially get a hit against an internal counter that I have We'll call that a fail state counter saying something went wrong Possibly me maybe I'm defective and I'm going to keep track. All right. I'm going to try again Well as be continues the bit smash me when I use its ID Eventually, I'm going to exceed that threshold and I'm going to go into what's called a fail silent state Which essentially means that I will continue to listen to the network, but I will not send Messages and so if you're the attacker and you're trying to communicate with this car through the internet And you've got some traffic and you're seeing the traffic go Even better is not only do I stop that attacker from physically being able to transmit on the bus? But the attacker may not even realize that they're stopped because they're still seeing the traffic come in and they cannot necessarily get acknowledgments that their transmission was successful or not depending on the logic between The machine and the controller that it's attached to So the controller may or may not actually communicate that it's gone into a fail-safe state because it's failed It's it's just not doing anything So not only do we stop the attacks whether that's the null service or spoofing But we've essentially done a DOS attack against the attackers node and turn them off for some period of time a Couple assumptions to actually make this happen So each endpoint needs to have a unique ID on this multicast network So if you have multiple possible people using the same ID, then that's a problem Because now it's unclear if I see that ID on the network should I bit smash it or not? So every endpoint needs to have a unique ID Gateways okay, so if I have everything in my engine compartment for example going into a single gateway and then that gateway talks to other parts of the Vehicle like brakes or something like that or you know your tachometer That essentially creates two different parts of the can bus and Nodes on either section may or may not be able to see traffic from each other So now you've got back into the same situation. Well if this node over on this section of the network is supposed to bit smash These IDs being generated on another section, but the gateway isn't forwarding that it's not being a transparent basically a bus Instead of a switch Then how do I stop that? Well, you just reverse the logic. So the endpoint logic is I'm gonna allow All traffic except my ID if I see my ID. I'm gonna bit smash it you flip-flop that logic for gateways I'm only gonna allow this set of IDs I'm gonna bit smash anything that doesn't make sense and that access control list if you want to call it that It could be specific for each Section of the network that it's physically connected to What that allows you to do is going back to the denial service attack example with can I could just pick the highest priority arbitration ID possible according to the protocol and More than likely there's not going to be a device on the network that's using that R by D So if the gateways weren't implementing this then they would just be able to toss in that work But by having these gateways looking to say I know what R by D should exist and you're using something that's outside of that list I'm gonna bit smash you and then again we go into all right now We've turned off the attackers can controller they can no longer talk It's not a problem and their messages never finished anyways So the over the overhead impose on the bus. It's really not that bad And then finally one talk if you if you watch a lot of their talks at Miller and Ballast that gave a couple years ago is a Lot of these ECUs the nodes on a vehicle will accept reprogramming commands while driving up freeway speeds There's really no logic to check Should I be allowing a reprogram to happen or not? They just simply accept it So one small tweak that would need to happen Either in the can controller or possibly that more expensive component The piece is to add just a little bit of extra on that state machine to say Hey I'm getting the signal or I'm seeing that we're not in park So I'm not gonna allow a reprogram to happen. You need to put the vehicle in park before that happens and then finally We gotta make sure that the controllers are just a not rewritable Chips okay, so that imposes some Recall issues if one of these transceivers is bugging out you will need to go back to the shop But this basically makes it impossible Just like we wouldn't want to reprogram the logic for the larger component if we have these very powerful bit smashing Controllers are transceivers. We do not want to open up the opportunity for those to get reprogrammed and then use to just hold the bus Hi, and then there's really nothing anyone can do about it. You just putting voltage on the wire And there's no work around for that So we don't want to be rewritable, but we do want them to continue to comply with that fail silent state All kind controllers should comply with that if they're compliant with the cam protocol And then again other multicast protocols Typically have similar fail states But I'm not going to speak up that I know for sure for every possible multicast ICS protocol Thanks so much just again references if you want to look into this deeper Please check out the IEEE vehicle technology magazine from 2017 go ahead and grab a copy off of IEEE Explorer And these guys did a pretty good job of really breaking it down and showing photos of how they created a Working version of this without any sort of special hardware or production manufacturing capability All right with that, I'll open up to questions. Thank you