So yeah, my name is Eric, and we'll get right into this. Basically we'll do a whole whirlwind tour of in-vehicle networks and how you can get on them and play around with them, and then hopefully get you out in time for lunch. So that's the goal.

So this is all going to be about this thing called CAN bus. What the heck is CAN? It stands for Controller Area Network, and it's pretty much just the networking that's used in all cars now. Why? Mostly because it's cheap, and it's also really integrated into a lot of controllers out there, so you can buy a microcontroller that has multiple CAN controllers inside of it that actually do the physical layer stuff, and they're cheap. So the automotive companies like to shave pennies, so they've continued to use this CAN bus thing. It's also rather reliable: there's a CRC built in on the wire, so at the hardware level it's kind of nice.

So there are a lot of types of CAN bus you'll see in automotive. The main ones are high speed and low speed, the difference being that high speed is a differential signal, so you get some noise immunity there, two twisted pairs, kind of like Ethernet, and then low speed is single wire, which is just one wire and ground, and that's used for things that are even cheaper, like lights and switches, things you don't really care about that much if they go wrong.
Fault-tolerant CAN is something that's kind of a neat hack: it's basically the high speed one, but if you cut one wire it becomes a low speed one. That's used in airbags mostly. And CAN FD is this new flexible data-rate CAN that's going to address some of the limitations of CAN, but nobody uses it yet, so whatever.

The setup in a car looks something like this picture. You'll have multiple different buses chained off of each other. For example you might have a high speed network with your engine control, transmission, body control, anti-lock brakes, things that you really care about, and then one of the controllers will act as a gateway, almost like a router in a way, to send messages back and forth to a separate bus for the lower priority things, maybe your instrument cluster, your door control modules. And there really are this many controllers in cars nowadays; they pretty much are computers for all intents and purposes. There's no mechanical linkage between the pedal on a modern car and the engine, it's just all electronics.

So why might you care about CAN? It's used in a lot of stuff, not just cars: industrial control systems, SCADA systems, all that is often using CAN, certain industries just prefer it; pretty much every car, like I said; and also apparently planes use it. So if you wanted to get on a 777 and plug into something under the seat, maybe it's CAN, maybe you'll find something. I wouldn't recommend it though. It's a direct interface with the controllers, and this is really the key for the automotive world: there are not many other ways you can directly talk to a controller in a car. You might have some weird button press sequence that gets you to a maintenance-like menu, but that's about it. So this is actually you sending messages straight into a controller, it's actually an input port, and it's pretty accessible. That connector there plugs into a plug like this, and on modern cars, anything past 2008, there will be at least one CAN bus on that thing. Some manufacturers give you more, which is nice of them.

So we'll just talk about the protocol itself so we understand this stuff. Basically you have a bus, and this is just a bunch of controllers that are connected together, usually high speed, which would mean differential twisted pair and just whatever wire they had lying around in a wiring harness. And then on that bus you'll have frames. These are sort of the lowest level packet of CAN, and really they consist of three main things: an identifier, which is just what is this message, it has an identifier; a data length code, which just says how many bytes of data are in it, up to eight, so zero to eight; and then data, which is actually your zero to eight bytes. It's pretty simple, it looks like that. So the identifier again is an 11- or 29-bit ID, the data length code is four bits, zero to eight, and then your data. That's really all that's on the wire; from a software point of view, that's all it is. It's nice and simple.

And this brings us to the first really easy thing that you can do if you're on a CAN bus, which is a denial of service. The reason being the way that CAN works, and one nice thing about it, is that it's multi-master, so if you take a controller off the bus it will still work; there's no one master controller. So the arbitration is done at a hardware level, and the way it works is whoever has the lowest CAN ID just wins the arbitration and gets to send their stuff, which means that you can do something like this: just forever send the ID zero. And in cars this will actually cause some pretty bad things to happen. I've done it by accident once; it set every single fault code on the car, like all the lights just came up, check engine, service StabiliTrak. It's not a good idea, I wouldn't recommend it, but it's really the simplest thing you can do, so it's fun to mention. But some more useful things come into how CAN is actually used in a vehicle. So when you're driving
your car around, there are just a bunch of these messages flying around all the time, and we'll just take a look at one contrived message to get a feel for how that works, and it's pretty obvious how this could expand to all the different things that need to be sent between controllers. So in this case you have an engine control module that's going to be taking a pedal request, figuring out what to do with your engine and all that stuff, and also sensing everything from oil pressure to intake air pressure, different exhaust stuff. There's just a whole bunch of sensors in an engine, it's nuts. So from that it's going to periodically just be sending out messages, and they're all broadcast, so whoever decides to pick them up gets them. In this case I said okay, we'll send this ID 123, and we packed the first two bytes with some useful stuff and the rest is dead beef for fun. The whole idea here is that beforehand, whenever you actually write the code that goes in these controllers, you have to agree on what byte means what, and you have a database file essentially that says what means what, and you would kind of assign some bytes to values. So in this case you might say okay, bytes one and two, the endianness is this way, and it's going to mean engine RPM. You could also say things like, to get to the real world revolutions per minute you need to multiply by two and subtract six, or whatever. All that's set up beforehand by the manufacturer in these CAN database files, and those are pretty proprietary; they won't give it to you unless you're actually a vendor they work with. In this case they broadcast that message, your instrument cluster picks it up, and then it takes that and eventually converts that into a command for a little servo motor to move your RPM dial. That's a really simple example.

Now it also leads to a really pretty simple attack, which is: these CAN buses are totally trusted. If you send stuff on them, everyone will just assume you're supposed to be there, and all the traffic is visible to everybody, it's all broadcast. And also any controller can send any message with any ID, kind of like a MAC address you can spoof; you can spoof any ID on CAN. However, because the ID is directly correlated to what the data means, you can do some intentional spoofing. So if you had some rogue controller you might be able to send a different value, in this case 1F 40, which is 8000 RPM, and we're using the same ID, we're padding it with the same stuff. The key here is, if you send it faster you'll probably win. In most systems they do some filtering, so usually whoever's faster wins. If you send the messages at the same time it's actually sort of strange: for every bit in the message, if there's a zero, the zero always wins. That's just how it works at the electrical level, so you can inject stuff, and if you have more zeros then you're the winner. So you do something like this and you end up getting 8000 RPM on your cluster, which is kind of fun. By the way, this car had no engine in it when we did this, so clearly it's being toyed with.

Now the injection thing, this is a really simple example, it's not terribly dangerous or anything. I spoke with somebody from one major company that makes automotive controllers, so the actual controllers that GM or Ford or whoever buy and put in their cars, and we were talking about this injection thing, and he goes, yeah, don't tell people to do that, because it actually is possible to destroy your engine by just injecting the wrong stuff. Which I still haven't seen or believe, but the guy from the company that makes the engine controller said that, so I take his word for it. So yeah, that's kind of dangerous. Obviously you can change things: if one component is expecting an air pressure from something else and you fake that out, you might be able to stall the engine completely. There are so many different things you can do
once you're modifying these values, which is why the injection thing is kind of dangerous.

So we've talked about two simple things you can do, but how do we actually connect to this system? You'll need some hardware and software. Hardware because, no, MacBook Pros don't have a CAN bus port on them, so you'll need something to go to CAN, and in this case most of them are USB to CAN, some are Ethernet to CAN, or even some ancient RS-232 to CAN, which, don't do that, because RS-232 can't even do the full bit rate that CAN needs to work, so those are terrible. And then you need some software, obviously, to do the send and receive and to encode and decode data in a way that makes sense. You stick these things together and you sort of get some toolkits that let you talk to cars.

Hardware: I did the sort of Yelp-style breakdown of hardware. Vector and Kvaser, for example, they're the ones that target the automotive OEMs; you're looking at a lot of money, probably more than you'd want to spend unless you were doing this for some serious commercial reason. The next level down you're looking at PEAK or GridConnect, it's literally the same tool with a different sticker on it, or the ECOM cable; these are in the couple hundred dollars range. Going down one more you have the open source stuff, so there's the GoodThopter and the OBDuino. These are both open source designs that are based on the one Microchip SPI-to-CAN chip that they have. The problem with these is you can't actually buy them; you have to have a board printed and then get it and then buy all the components and then solder it together yourself. So if you enjoy surface mount soldering then that might be an option for you. If you don't, I have actually worked on this CANtact thing, which is a new open source tool. I have one here that goes from USB to CAN and also has assignable pins, so you can plug in this guy, if I can figure out how a DB9 connector works on stage, and you plug straight into a car and you can get stuff right out of it. It's kind of fun.

But if you want to just play with cars and really invest zero time or money, there are these things called the ELM327 knockoffs. Basically this Canadian company ELM Electronics made this really cool chip that does all of the OBD-II protocols, which we'll talk about later. You can find them from China for scary cheap, like so cheap that you're probably going to go, I don't know if I want to plug this into my car; we're talking under $10 here from DealExtreme. But there are some well-reviewed ones on Amazon, so for 10 or 20 bucks you can get something that you can actually plug into a car and do some stuff that can actually save you money: clear your fault codes, read fault codes, that sort of thing.

Software side, you have all the proprietary tools, but we'll focus on not those. So the main ones that are on Linux, I guess, are SocketCAN, this can-utils package, and vcan. SocketCAN, actually all of this, is sort of now part of the Linux kernel, plus some user space tools that let you work with it. Wireshark actually has support for CAN, which most people don't know, but it does, so you can do all the pcap goodness with that. And this CANard tool: I wanted to write a tool that made it easy to do stuff from Python. I wanted a pun that involved CAN and something else, but Vector has already stolen most of the puns, so I was left with a French word, I guess.

So yeah, SocketCAN is the first thing to look at here. Basically this makes a Linux system, or any Unix system, look at a CAN device, that's going to go USB to CAN or whatever to CAN, and make it think that that device is actually a network device. At this point you can use the standard socket API and everything you'd expect with a normal network device; you can actually have raw CAN sockets. It's one of those things that people who have played around with sockets a lot have never seen, but it's there, and it's
included in the modern Linux kernel. If you install the newest Ubuntu it will have this, and it literally works like ifconfig can0 up; that enables the device. Then there's the can-utils package. If you're on Ubuntu, apt-get install can-utils, and that gets you these things like cansend, which is a really simple way to send a message; candump, which will just dump all the traffic to you in different formats or to a file; cangen, which lets you just generate random junk; and cansniffer, which is a neat tool that lets you visualize a bunch of messages all at once and watch how they change. So all those are pretty handy for doing some basic work with CAN.

Wireshark, yeah, it actually does it, it shows up like you'd expect, but the really useful part of it is you can do all the normal filtering that you'd expect. You can filter based on ID or length, and if you're using a protocol that we won't talk about because it's not used in cars, but one called CANopen, it actually has filters for CANopen, much like it has filters for HTTP or something. And you can just save the whole thing to a pcap file, send it to people, whatever you want to do. So Wireshark is actually in some ways a better tool than most of the proprietary tools that do this, even though it was never built to do CAN, so that's fun.

And then there's the one that I wrote. So this is CANard, a Python toolkit for CAN. Four main goals. One is to sort of abstract away the hardware, so you can plug in this, or a Vector tool, or whatever you want, and it doesn't matter, it will work. Two is protocol implementation; we'll talk about the protocols at the end here, basically getting those done for you so you don't need to reinvent the wheel every time you want to send an OBD clear fault code request. Ease of automation: it's Python, you can script it to do stuff and hook it into all sorts of other things. You want a web server that's going to talk to your car? Sure, whatever, Python's good for that. And sharing of information, the idea being if you write a script in Python that can work with different hardware, it should be easy for you to send that to somebody and they can then use that, maybe with different hardware, but on the same car.

So hardware abstraction: really simple. Basically a hardware device that talks CAN is just a class, and it's got four methods: you start it, you can stop it, you can send a message or receive a message. So, really simple example: we create a SocketCAN device with the name can0, so we'll have already plugged in and loaded the driver for that and we'll have a can0 device. Start the device. We'll create a CAN frame, in this case we want to have ID 100, data length 8, and just 1 through 8; it's a useless frame. Then we'll send it. That's pretty simple. And then we'll receive a frame; that's actually a blocking receive there, so it's going to wait for it to get any frame back, and then it will stop. Really simple, but those four functions are really all a hardware device actually needs to do. So that's the basics.

So from this we can go back to the denial of service attack and do it in real code that actually works, in one slide, which is nice. So we import some stuff, cool. We create a device. In this case, because SocketCAN is meant to be really generic, it doesn't have support for some of the more advanced features that you'd expect to find on a CAN controller, like hardware-level filtering, or acting in silent mode, where it won't acknowledge anything, it'll just listen passively. So because of that I created a different class for this CANtact device; even though it works with SocketCAN, you can just choose which one you want to use. So we create that, we start it, cool. Then we create our payload frame, which literally is just zeros: it's got an ID of zero, it's got eight zeros, it's just a bunch of zeros. And then while True, send it. And your car will have check engine lights and probably different things dinging and all sorts of bad stuff. Don't do this.
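The RPM spoofing walked through earlier (the legitimate ECM frame on ID 0x123, the database that says which bytes mean what, and the rogue node sending 0x1F40 faster than the real controller) can be put into code without any hardware. What follows is an added example, not code from the talk or from CANard: a byte-aligned version of the signal definitions a CAN database carries, the legitimate and spoofed frames built from it, and the check a bus monitor would run to spot the injected copies, namely that a periodic broadcast suddenly arrives far ahead of its cadence. The 10 ms period, the coolant-temperature signal and the captured trace are all constructed for the example.

```python
# Added example, not code from the talk or from CANard: a byte-aligned version of the
# signal definitions a CAN database (DBC) carries, the legitimate and spoofed RPM frames
# from the talk, and a timing check that flags the injected copies on a captured trace.
from dataclasses import dataclass
from typing import List, Tuple

Frame = Tuple[float, int, bytes]   # (timestamp in seconds, CAN ID, 8 data bytes)


@dataclass(frozen=True)
class Signal:
    """One signal inside a frame: which bytes it occupies and how raw bits map to a value.
    Simplification: real DBC signals are bit-addressed; here they are whole big-endian bytes."""
    name: str
    start_byte: int
    length: int            # bytes
    factor: float = 1.0    # physical = raw * factor + offset
    offset: float = 0.0

    def decode(self, data: bytes) -> float:
        raw = int.from_bytes(data[self.start_byte:self.start_byte + self.length], "big")
        return raw * self.factor + self.offset

    def encode(self, value: float, data: bytearray) -> bytearray:
        raw = round((value - self.offset) / self.factor)
        if not 0 <= raw < 1 << (8 * self.length):
            raise ValueError(f"{self.name}: {value} does not fit in {self.length} byte(s)")
        data[self.start_byte:self.start_byte + self.length] = raw.to_bytes(self.length, "big")
        return data


# Constructed database entry for the talk's contrived engine-control frame.
ECM_ID = 0x123
ECM_PERIOD_S = 0.010                                    # assumed: the ECM sends it every 10 ms
ENGINE_RPM = Signal("EngineRPM", 0, 2)                  # bytes 0-1, factor 1: 0x1F40 -> 8000
COOLANT_TEMP = Signal("CoolantTemp", 2, 1, 1.0, -40.0)  # assumed OBD-style offset, byte 2


def build_ecm_frame(rpm: float, coolant_c: float) -> bytes:
    data = bytearray(b"\x00\x00\x00\xde\xad\xbe\xef\x00")   # "dead beef" padding as in the talk
    ENGINE_RPM.encode(rpm, data)
    COOLANT_TEMP.encode(coolant_c, data)
    return bytes(data)


def decode_ecm_frame(data: bytes) -> dict:
    return {s.name: s.decode(data) for s in (ENGINE_RPM, COOLANT_TEMP)}


def detect_injection(trace: List[Frame], can_id: int, period_s: float,
                     tolerance: float = 0.5) -> List[Frame]:
    """A periodic broadcast has a known cadence. Any copy of `can_id` that arrives sooner than
    (1 - tolerance) * period after the previous copy is flagged. Note the collateral effect:
    the first legitimate frame after a burst is flagged too, because the injected frames moved
    the reference time, so a production IDS would track the stable cadence rather than one gap."""
    flagged, last = [], None
    for ts, fid, data in sorted(trace):
        if fid != can_id:
            continue
        if last is not None and ts - last < period_s * (1 - tolerance):
            flagged.append((ts, fid, data))
        last = ts
    return flagged


def constructed_trace() -> List[Frame]:
    """Constructed sample: the ECM broadcasting 3000 rpm every 10 ms, with a rogue node
    injecting 8000 rpm three times inside one period (the 'send it faster' attack)."""
    legit = build_ecm_frame(3000, 90)
    spoof = build_ecm_frame(8000, 90)
    trace = [(0.010 * n, ECM_ID, legit) for n in range(4)]
    trace += [(0.012, ECM_ID, spoof), (0.014, ECM_ID, spoof), (0.016, ECM_ID, spoof)]
    trace.append((0.005, 0x321, bytes(8)))     # unrelated traffic is ignored by the check
    return trace


if __name__ == "__main__":
    for ts, fid, data in detect_injection(constructed_trace(), ECM_ID, ECM_PERIOD_S):
        print(f"{ts:.3f}s id=0x{fid:03x} data={data.hex()} -> {decode_ecm_frame(data)}")
```

The cluster in the talk takes whichever copy it sees last, so the attacker does not need to win arbitration at all, only to out-rate the real sender; that is also why rate, not content, is the first thing a bus monitor should look at.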
By the way, I don't recommend it, but since breaking your car is only so much fun, we should probably talk about useful things you can do, and how you can actually fix it if you did not take my advice and ran that code.

So there are two main diagnostics protocols used in cars today. One is OBD-II, one is Unified Diagnostic Services. OBD-II is actually a subset of Unified Diagnostic Services, but they're kind of separate. OBD-II comes from these folks at the California Air Resources Board. The whole reason it exists is because they wanted to be able to smog engines and kick cars off the road for polluting too much; that is the whole purpose of it. So don't expect to get too much useful information that's not about engines out of it. It will give you things like engine RPM, MAP or MAF pressure, vehicle speed, throttle position, all the engine things you'd expect, and not much more. The useful part for you if you own a car is you can read and clear fault codes. It's a little limited in what you can read and clear; you end up getting a 16-bit, or 2-byte, code, and then you go on Google and try to figure out what that means. But I have had cases where someone's got a car that's not working and we run that and it says, oh, your mass air flow sensor needs to be replaced, so we just plug in a new one and it works, and save them like a thousand bucks. And then clearing the fault code is kind of nice if you have that annoying check engine light that will never turn off. I'm sure some people here have a car that has that light stuck on; maybe you've put electrical tape over top of the dashboard so that it won't shine in your face at night. So yeah, you can clear those codes. If something is still wrong with your car it'll turn on again, so that's too bad, but at least you can find out if something is actually wrong, because some fault codes latch and have to be reset by a mechanic, whereas other fault codes are just kind of temporal: if it's happening it'll stay on, if not it'll go away. So clearing it can be handy. That's all I can do with OBD-II; it's only so much fun.

Unified Diagnostic Services is where the real fun is. I'm going to call this UDS from now on because that's a real mouthful, but this is an ISO standard, which is probably why it has such a long name. It's ISO 14229, if you care to go find the PDF and pay ISO a bunch of money for it. But it allows diagnostic access to controllers, and what this is meant for is everything OBD doesn't cover, and that's everything from when the manufacturer sets your car up during end-of-line manufacturing to when you take your car in for service and they do maybe a reset of that oil filter change thing that tells you how long it's been since you changed the oil filter. And because it's an ISO standard, we might not know all the details about how it works for a specific car, but we can generally get a framework for sending and receiving stuff over the standard. It's really simple how it works from a kind of network perspective. A client, which is some device you plug into your car that is not normally there, sends a UDS request, and sends that to a server, which, this is their terminology, not mine, the server is the automotive controller, so maybe an engine controller, body controller, whatever, seat controller; yes, cars have individual controllers for seats. Then you get a response back, either a positive response or a negative response, with either your data or a fault code or whatever it is, and you take that and figure out what to do next.

There are a bunch of different services, and these are just the really cool ones; there are a lot of different ones. Security access is one that's really broken. They use this to try to secure some of the more important features, things like changing manufacturing stuff and VIN numbers, that kind of thing. There was actually a talk, or a paper rather, back in 2011 from the folks at the University of Washington's automotive security research group, and they basically
found that this thing is broken in every car, and we'll see how in a minute, but they were the guys who figured that out, and it's bad. But that's one of the services. Routine control lets you do everything from roll the window up and down, honk the horn, apply brakes in some cases, just all sorts of different arbitrary routines. It's super arbitrary: you literally pick an index and something happens. I've been told that, well, I've never seen it, but someone was daring me to do this on an airbag controller and try every routine. I don't have the guts to do it, but maybe it would do something bad. The point is there's a lot of functionality that you can actually expose just by doing these routine control requests. Then read data by identifier and write data by identifier: these are things like a VIN number and oil pressure, both readable and writable stuff; stuff that's going to be read-only because it's temporal, like oil pressure, and other stuff that's going to be secured so that you can only write to it if the car is in security access mode. And you also have read and write memory by address, and apparently in some vehicles this is still enabled in production, which is scary, because you can literally just get a memory map of the controller by running through every address. So that's a feature that I'm not sure exactly what the purpose of it is. It makes sense in development, but no, it shouldn't be turned on at the time where you're dealing with a car, really.

So yeah, this library is also going to provide you some help, I guess, for doing UDS. Still a little bit not as high level as I'd like it to be yet, but we're getting there. So we import some stuff, cool, and then we're going to set up a device. In this case we're using sys.argv[1] so that we can choose a device that we want to use at the command line. We're going to set the bit rate to 500k; 500k is what you typically see in cars for high speed CAN buses. Some are different, but usually it's that. If you really want to know you can stick a scope on it and look for individual bits and figure it out. And then we just start the device, and then we're going to create this UDS interface. This is going to essentially wrap around our device and just provide us with a request/response, and because all requests are initiated by the client, which is whatever's running this code, it makes it nice and easy, because we can just go, hey, I want a request, and get a response.

So what we're actually doing in this example is pretty useful, actually. We're going to try to find all the controllers that will respond to a diagnostic request, so that we can enumerate all of them. In the case where you're plugging into that OBD port, you might only be able to see certain controllers, and for other ones you might have to send messages that end up being gatewayed through various CAN buses to get to that final controller, and then the messages come all the way back. So this lets you just run through and see who's out there, and kind of knock on the controllers and see if they respond.
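The controller discovery just described (walk the diagnostic ID range, send DiagnosticSessionControl with sub-function 0x01 to each ID, keep whoever answers) is shown here as an added example that is not code from the talk or from CANard. It includes the two layers the slide's one-liner hides: the ISO 15765-2 single-frame wrapper that carries a short UDS request in one CAN frame, and the UDS positive/negative response format from ISO 14229. The bus is simulated so it runs offline; the assumption that an ECU answers on request ID + 8 is a common convention (the OBD 0x7E0/0x7E8 pair), not a rule, and the two fake ECUs and their timing bytes are constructed.

```python
# Added example, not code from the talk or from CANard: the diagnostic-session probe
# described above, with the ISO-TP single-frame wrapper and the UDS positive/negative
# response format that sit underneath it. The bus is simulated so it runs with no hardware.
from typing import Callable, Dict, Optional, Tuple

DIAGNOSTIC_SESSION_CONTROL = 0x10
NEGATIVE_RESPONSE = 0x7F
DEFAULT_SESSION = 0x01
NRC_NAMES = {  # negative response codes from ISO 14229 that a probe commonly sees
    0x10: "generalReject", 0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat", 0x22: "conditionsNotCorrect",
    0x33: "securityAccessDenied", 0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired", 0x7F: "serviceNotSupportedInActiveSession",
}


def isotp_single_frame(payload: bytes, pad: int = 0xAA) -> bytes:
    """ISO 15765-2 single frame: high nibble 0 (frame type), low nibble = payload length."""
    if len(payload) > 7:
        raise ValueError("payloads over 7 bytes need multi-frame ISO-TP, not handled here")
    return bytes([len(payload)]) + payload + bytes([pad]) * (7 - len(payload))


def isotp_unwrap(data: bytes) -> bytes:
    if not data or data[0] >> 4 != 0:
        raise ValueError("not an ISO-TP single frame")
    length = data[0] & 0x0F
    if length > len(data) - 1:
        raise ValueError("length nibble exceeds frame")
    return data[1:1 + length]


def parse_uds_response(payload: bytes, request_sid: int) -> Tuple[str, object]:
    """Positive response = request SID + 0x40 then data; negative = 0x7F, SID, NRC."""
    if len(payload) >= 3 and payload[0] == NEGATIVE_RESPONSE and payload[1] == request_sid:
        return "negative", NRC_NAMES.get(payload[2], f"nrc_0x{payload[2]:02x}")
    if payload and payload[0] == request_sid + 0x40:
        return "positive", payload[1:]
    raise ValueError(f"not a UDS response to service 0x{request_sid:02x}: {payload.hex()}")


class SimulatedEcu:
    """Assumed convention: listens on rx_id, answers on rx_id + 8 (like the OBD 0x7E0/0x7E8
    pair). Real ECUs may use other pairings; a scan must not hard-code this."""
    def __init__(self, rx_id: int, handler: Callable[[bytes], bytes]):
        self.rx_id, self.tx_id, self.handler = rx_id, rx_id + 8, handler


class SimulatedBus:
    def __init__(self, ecus):
        self.by_rx = {e.rx_id: e for e in ecus}

    def request(self, can_id: int, data: bytes) -> Optional[Tuple[int, bytes]]:
        """Returns (response id, 8 data bytes), or None where a real bus would time out."""
        ecu = self.by_rx.get(can_id)
        if ecu is None:
            return None
        return ecu.tx_id, isotp_single_frame(ecu.handler(isotp_unwrap(data)))


def accepts_default_session(req: bytes) -> bytes:
    if len(req) >= 2 and req[0] == DIAGNOSTIC_SESSION_CONTROL and req[1] == DEFAULT_SESSION:
        return bytes([0x50, DEFAULT_SESSION, 0x00, 0x32, 0x01, 0xF4])  # constructed P2/P2* timing
    return bytes([NEGATIVE_RESPONSE, req[0], 0x11])                     # serviceNotSupported


def refuses_for_now(req: bytes) -> bytes:
    return bytes([NEGATIVE_RESPONSE, req[0], 0x22])                     # conditionsNotCorrect


def scan_controllers(bus: SimulatedBus, first: int = 0x700,
                     last: int = 0x7FF) -> Dict[int, Tuple[str, object]]:
    """Knock on every ID in the diagnostic range with DiagnosticSessionControl(default).
    Any well-formed reply, positive or negative, proves a UDS server is listening there."""
    found = {}
    req = isotp_single_frame(bytes([DIAGNOSTIC_SESSION_CONTROL, DEFAULT_SESSION]))
    for can_id in range(first, last + 1):
        reply = bus.request(can_id, req)
        if reply is None:
            continue
        _, data = reply
        try:
            found[can_id] = parse_uds_response(isotp_unwrap(data), DIAGNOSTIC_SESSION_CONTROL)
        except ValueError:
            pass      # something answered, but not in UDS format; not a diagnostic server
    return found


if __name__ == "__main__":
    bus = SimulatedBus([SimulatedEcu(0x740, accepts_default_session),
                        SimulatedEcu(0x7E0, refuses_for_now)])
    for can_id, result in scan_controllers(bus).items():
        print(f"0x{can_id:03x}: {result}")
```

On a real car the probe should also honour the per-request timeout the talk mentions and pause between IDs, since the sweep itself passes through 0x7DF (the OBD functional address) and through the response IDs, and some gateways react badly to being hammered.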
Pretty simple stuff. We just go through from 0x700 to 0x7FF, which is the last CAN ID. Then for each one we're going to do a UDS request. This is the little bit of a cryptic part if you haven't seen the spec: basically we're going to do a request on the ID that's i, we're requesting service 0x10, which happens to be diagnostic session control, then we're going to send a payload of just 0x01, just one, because that is just "put me in diagnostic mode one please", and then we'll set a timeout, because we don't want this to go on forever if the controller is not actually responding. You do that, and if you got a response back, a valid UDS response back, you know, hey, this is actually a controller that's going to be using this service, and we can actually try other stuff on it. I did this on my roommate's car, actually, because I wanted something different; he has a Honda, which I haven't played around with much, and I immediately was able to get out, okay, there's one controller that responds on the OBD port and it's 0x740, and from there I could start doing ECU resets and read data and all that stuff. Pretty simple example, but it fits on a slide and it does something useful.

So, security access. I like talking about this just because it sort of sums up the theme of security in automotive, which is: it's not great. There are a number of reasons they do it this way, but we'll go through how it works first. So the idea is there are certain things that they really don't want you to do. One of them is upload firmware to a controller, because being able to modify firmware on the engine controller seems to be a bad idea, and modifying things like odometers, VINs, other things that are probably protected, even engine calibration values, maybe, that would change the operation of your engine. One thing that's worth noting: automotive companies basically optimize for emissions and only emissions. Performance they do in their performance vehicles, but emissions is what they really care about, because of some new requirements that the vehicles across their fleet maintain a certain level of emissions. So yeah, people want to reflash stuff because they want more performance, and they know their car's been kind of nerfed a bit to meet the emissions requirements, so they don't want you changing those things.

The way that this works, it's like a really simple seed/key exchange, which you've probably seen before for stuff on not-cars. Basically the client's going to request a seed, the server will send one back, and based on that seed it will generate a key, it sends that to the server, and it comes back with, hey, you were either allowed in, or no, that was an invalid key, or you've tried too many times, sorry, don't try again. Doesn't look so bad at first, but the problem is that the seed is fixed for that controller, and so that's the first kind of red flag, and that means that the key is also fixed. Now the reason that they do this, or the reason that they say they do this, is because they can't generate good random numbers on the controllers, which is, I guess, fair. I mean there's probably other stuff they could have done, but that's their rationale. But this in itself is even going to be just a pain if you don't have access to the controller, if you can't dump memory. The real problem is that they're only 16 bits long, so you can brute force the key space in not that long. It ends up being you get locked out after a few tries, but you can just reset the controller and continue trying, because they don't have any non-volatile storage for that type of thing. Some controllers have a delay from the time where you turn the controller on to when you can start requesting this, which actually, if you read the guidelines, that's the recommended thing to do, just wait one second to prevent brute forcing, but with 16 bits you can still do it in a matter of days if you want to take over a specific controller. So it's not great.

And then this is why it's a little broken, but the really bad part is, in some cases there have been DLL files that come with upgrade tools from people like Ford, specifically Ford, that end up containing code that actually just generates the key given a seed. So I mean you only need it once, there's only one algorithm in there, so once you have that you're pretty much good to go. Some people have been able to extract those types of things, so that's also bad.

So the whole idea with this diagnostic stuff, and we have a little bit of tools to talk to it now, is we can fuzz. We can do this automated controller discovery thing, but it's hammering all the different IDs; that's a start, but we can do some way more complex mapping. We can actually read all the identifiers and all the memory addresses it'll let us read. We can try running every single routine, which is the thing that would be scary on an airbag controller, literally from zero to FFF; do something and you'll find out when it happens. We could also get the memory permissions, so we can try writing and see if it fails, and if it does we know, okay, that's only readable. And obviously we can do things like brute force security keys. A lot of this stuff is just left open, so pretty much anything you can think of, you can write a quick script to be like, hey, I want to read all this stuff out, or I want to try to modify some values. You may void your warranty; I mean, that probably should have been in my first slide, but yeah. This stuff is meant to be accessed by a tool that's external; that's the biggest difference. There actually are tools you can buy that will plug in and do this, the problem being that they're expensive and they only have a very limited subset of all the diagnostic actions you can do, because Ford doesn't want to give every mechanic the ability to change the VIN number of a car if they don't have to. So that's where it really comes in that you can start to
reverse engineer these and figure out what they are.

So yeah, a little conclusion on what we went over here, and then we'll have some questions. Basically three simple things you can do to a CAN bus that all work pretty well: you can do a really terribly easy denial of service attack; you can do injection on the car and change things that are running, maybe destroy an engine according to some people; and then you can do these diagnostic actions, and that is a whole software stack that, who knows what you'll find in there when you start to go looking. You can access it and modify stuff as you're supposed to, but who knows what else you'll find. And another concern is that these attacks, any device that's on your bus can do this. So if you have one of those, I think they have the little device that plugs in and it records stuff about your driving and then gives them your data in return for lower insurance, that's kind of concerning for a lot of privacy reasons that I won't even go into, but potentially they could also take control of parts of your car, so you're signing that over too. A little concerning.

And then the other thing is you'll need a hardware interface and software tools. I mean, if you want to, I'm partial to my own, this CANtact device, but if you just want to play around, for 10 or 15 bucks buy one of those OBD ELM327 things; it'll work on any car past '91, so you can have some fun. The only thing about those is you probably don't want to buy the Bluetooth versions, just because if you leave that plugged in you're sort of asking for it. And then the software side, you have all sorts of stuff, but open source stuff: there's the library that I've worked on, and also some others; there's actually a Ruby library as well, if you prefer Ruby, that does CAN; there are a lot of different languages people have kind of hacked some stuff together in. can-utils, if you want to play around with that, you can actually install it on Ubuntu, and using the vcan driver, if you modprobe vcan, once you get that up and running you can send messages around in memory, so you can play around with these tools without actually having a car, without having a hardware interface, if that's something you want to play with. And Wireshark, you can also connect Wireshark to anything that's running and just watch, which is very useful. I have no time up here, so I don't know how I did, but thanks for coming, and hopefully it was an interesting thing to listen to, and I think we'll have some time for questions. We do have questions.
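The SecurityAccess weakness the talk spends the most time on (a seed that never changes, a 16-bit key, and a lockout counter that an ECUReset wipes) is easiest to see as a model. What follows is an added example, not code from the talk, from CANard or from any manufacturer's tool: a simulated ECU with exactly that design, a second one that keeps the attempt counter in non-volatile memory and hands out a fresh seed per request, and a brute-force client that knows nothing about the key algorithm and answers every lockout with a reset. The key derivation is a made-up placeholder for whatever an OEM's real routine is; the seed value, the three-attempt limit and the reset model are assumptions for the example.

```python
# Added example, not code from the talk or from any OEM tool: a model of the seed/key
# SecurityAccess design the talk describes (fixed seed, 16-bit key, lockout counter that
# lives only in RAM) next to the variant the guidelines ask for, and a brute-force client
# that defeats the first but not the second. The key algorithm is a made-up stand-in.
import random

KEY_BITS = 16
MAX_ATTEMPTS = 3
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36


def oem_key_from_seed(seed: int) -> int:
    """Constructed placeholder for the secret algorithm an OEM ships (e.g. inside a DLL)."""
    return ((seed * 0x9E37) ^ 0x5A5A) & 0xFFFF


class WeakSecurityAccess:
    """Fixed seed; failed-attempt counter is lost on ECUReset; no delay."""
    def __init__(self, seed: int = 0x1234):
        self.seed, self.failed, self.unlocked, self.resets = seed, 0, False, 0

    def request_seed(self) -> int:
        return self.seed                        # same seed every time, so the same key every time

    def send_key(self, key: int):
        if self.failed >= MAX_ATTEMPTS:
            return NRC_EXCEEDED_ATTEMPTS
        if key == oem_key_from_seed(self.seed):
            self.unlocked = True
            return None                         # positive response
        self.failed += 1
        return NRC_INVALID_KEY

    def ecu_reset(self):
        self.resets += 1
        self.failed, self.unlocked = 0, False   # RAM state gone, and the lockout with it


class HardenedSecurityAccess(WeakSecurityAccess):
    """Fresh seed per request, attempt counter kept in (simulated) non-volatile memory,
    so ECUReset no longer clears it. A real ECU would add the post-reset delay as well."""
    def __init__(self, rng=None):
        super().__init__()
        self.rng = rng or random.SystemRandom()
        self.nvm_failed = 0

    def request_seed(self) -> int:
        self.seed = self.rng.getrandbits(32)    # the key derived from this seed is valid once
        return self.seed

    def send_key(self, key: int):
        self.failed = self.nvm_failed
        result = super().send_key(key)
        self.nvm_failed = self.failed
        return result

    def ecu_reset(self):
        super().ecu_reset()
        self.failed = self.nvm_failed           # counter survives the reset


def brute_force(ecu: WeakSecurityAccess, max_keys: int = 1 << KEY_BITS):
    """Attacker who does not know the algorithm: walks the 16-bit key space and answers
    every lockout with an ECUReset. Returns (key or None, number of resets used)."""
    ecu.request_seed()
    for key in range(max_keys):
        nrc = ecu.send_key(key)
        if nrc == NRC_EXCEEDED_ATTEMPTS:
            ecu.ecu_reset()
            ecu.request_seed()                  # a hardened ECU hands out a new seed here
            nrc = ecu.send_key(key)
        if nrc is None:
            return key, ecu.resets
    return None, ecu.resets


if __name__ == "__main__":
    key, resets = brute_force(WeakSecurityAccess())
    print(f"weak ECU unlocked with key 0x{key:04x} after {resets} resets")
    key, resets = brute_force(HardenedSecurityAccess(random.Random(1)), max_keys=4096)
    print(f"hardened ECU: key={key}, still locked after {resets} resets")
```

Against the weak ECU the reset-and-retry loop gets through the whole key space with one reset per three guesses, and because the seed is constant the recovered key works forever, including after the next reset. Against the hardened ECU the same loop never gets past the first three guesses, and even a key leaked from a tool DLL is only good for the one seed it was computed for.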