Skip to main content
Ctrl+K
Knowledgebase - Home

HydraScope

  • HydraScope
    • Download
    • Support
    • Compatibility Matrix
    • Install USB2CAN-FD X2
    • Security Access
    • Vehicle-Scan
    • HydraScope Enumerators Documentation

Bootstrap

  • Python Introduction
  • Scapy in 15 minutes

Background Information

  • Hardware Reverse Engineering 101
  • Vehicle Networks
  • Popular Car Hacks

Media Access Layer

  • Controller Area Network (CAN) - Layer
    • Low-level Attacks
    • SocketCAN
    • python-can
    • Scapy CAN-Layer
    • DBC
    • CAN MITM Attacks
    • Message Authentication (AUTOSAR SecOC)
    • Fuzzing
  • CAN with Flexible Data-Rate (CAN FD)

Transport Layer

  • ISO-TP
    • Linux Kernel Module
    • Scapy utilities
    • ISOTP Scanning techniques
  • HSFZ and DoIP

Application Layer

  • UDS
    • UDS in Scapy
    • UDS Scanning
    • UDS Security Access Testing (in HydraVision)
    • Simulating ECUs and Security Functions
  • OBD

Bibliography

  • Bibliography

Popular Car Hacks

Contents

  • Koscher et. al: Experimental Security Analysis of a Modern Automobile
  • Checkoway et al.: Comprehensive Experimental Analysis of Automotive Attack Surfaces
  • Dieter Spaar: Beemer, Open Thyself!
  • Miller & Valasek: Remote Exploitation of an Unaltered Passenger Vehicle
  • Garcia et al.: Lock It and Still Lose It — On the (In)Security of Automotive Remote Keyless Entry Systems
  • Nie et al.: Free-Fall - Hacking Tesla from Wireless to CAN Bus
  • Van den Herrewegen et al.: Beneath the Bonnet — A Breakdown of Diagnostic Security
  • Cai et al.: 0-days & Mitigations - Roadways to Exploit and Secure Connected BMW Cars
    • Takeaway:
  • Wouter Bokslag: Vehicle Immobilization Revisited
  • Computest: The Connected Car - Ways to get unauthorized access and potential implications
  • Wouters et al.: Fast, Furious and Insecure — Passive Keyless Entry and Start Systems in Modern Supercars
    • Takeaway:
  • TBONE – A zero-click exploit for Tesla MCUs
  • Mercedes-Benz MBUX Security Research Report
  • SYNACKTIV – I feel a draft. Opening the doors and windows 0-click RCE on the Tesla Model3
  • SYNACKTIV – 0-Click RCE on the Tesla Infotainment Through Cellular Network

Popular Car Hacks#

The first notable academic publications related to security analyses of modern vehicles were published from Koscher et al. in 2010 [KoscherCzeskisRoesner+10], followed by another publication from Checkoway et al. in 2011 [CMK+11]. The whole research field received a broad audience after the publications of Miller and Valasek in 2013, 2014, and 2015 were they demonstrated a remote exploitation of an unaltered passenger vehicle [MV13, MV14, MV15]. The German car manufacturer BMW was targeted from Spaar who demonstrated a remote attack on the locking mechanism in 2015 [Spa15a]. The story continues with publications from the Tencent Keen Security Lab about a remote exploitation of a Tesla Model S in 2016 and remote exploitation of multiple BMW models in 2018 [Lab16, Lab18]. A smaller publication targeted the car brands Volkswagen and Audi in 2018 [BV18].

In 2016, Craig Smith published the book The Car Hacker’s Handbook [Smi16]. The book documents techniques and tools used by the Open Garages community which started a movement around all kind of software modifications of vehicles in 2014.

Since 2019 the Pwn2Own competition, hosted from the organization Zero Day Initiative, added a Tesla car to their targets for hacking [Ini0)]. Every year from that onward, attendees showed their abilities and successfully broke into the cars web browser, which rewards them with the ownership of the hacked car next to a cash prize.

These important publications raised public awareness for security in the safety-critical system, passenger vehicle. OEMs couldn’t ignore the necessity of security engineering and security testing for their vehicles, anymore. The effects of these publications are already visible in the electrical design of modern vehicles. Insecure network topologies were abolished and security measures for ECU software were taken. Nonetheless, the challenge to provide secure vehicles is immense. Over the years, security wasn’t a major part of vehicle engineering and the ecosystem that OEMs built around connected cars is huge and complex. The software and firmware management in a modern car, even in a single ECU is already a challenging task.

A new ISO/SAE standard, ISO/SAE 21434 Road vehicles – Cybersecurity engineering, which enforces security engineering and penetration testing during the development process of any vehicle for the European market will be valid in November 2020. This can also be interpreted as direct aftermath from the previous publications.

Koscher et. al: Experimental Security Analysis of a Modern Automobile#

[KoscherCzeskisRoesner+10]

  • Published: January 2010

  • Research Overview: Koscher et al. conducted an extensive experimental security analysis of a modern automobile, demonstrating various attack vectors on critical vehicle systems.

  • Key Demonstrations:

    • Exploited vulnerabilities in vehicle networks, successfully conducting remote attacks.

    • Targeted safety-critical systems like braking and engine control, showing how adversaries could gain control over vital functions.

This study was among the first to highlight significant security risks in modern, computerized vehicles.

../../_images/Koscher.png

Checkoway et al.: Comprehensive Experimental Analysis of Automotive Attack Surfaces#

[CMK+11]

  • Published: August 2011

  • Research Overview: Building on prior work, Checkoway et al. analyzed various attack surfaces in modern automobiles, demonstrating new remote and physical attack vectors.

  • Key Findings:

    • Attacks on telematics units, Bluetooth, and media systems that can be exploited to compromise vehicle control.

    • Showcased remote attacks on safety-critical systems like braking and steering, emphasizing the need for stronger cybersecurity in automotive design.

This research extended the understanding of vulnerabilities in vehicle networks and remote attack possibilities.

Dieter Spaar: Beemer, Open Thyself!#

[Spa15b]

  • Attack against BMW’s remote control features

  • Smartphone application to lock and unlock vehicles

  • Shared cryptographic secrets

  • Implementation flaws in the NGTP communication protocol

  • Spaar could open arbitrary vehicles through a malicious BTS

  • He managed to remotely change a victim’s car’s configuration to enable the required remote features

../../_images/ad-789adb42f0c8aba1.jpeg

Fig. 9 Attack overview#

Miller & Valasek: Remote Exploitation of an Unaltered Passenger Vehicle#

[MV15]

  • Full control over a vehicle through a remote attack

  • Vehicle exposed highly sensitive services on various ports

  • Accessible through the vehicle’s IP address

  • Absence of an APN

  • Connection to vulnerable cars over the Internet

  • Exposed software update services of arbitrary ECUs

  • No firmware signature mechanisms in place

  • Remote CAN bus access through malicious firmware modifications

  • Cyber-physical functions could be triggered by silencing ECUs with safety functions (steering, breaking)

  • Re-call of 1.4M vehicles

Garcia et al.: Lock It and Still Lose It — On the (In)Security of Automotive Remote Keyless Entry Systems#

[GOKPavlides16]

  • Published: August 2016

  • Research Overview: Garcia et al. exposed critical vulnerabilities in the cryptographic systems used in Volkswagen remote keyless entry (RKE) systems.

  • Key Findings:

    • The researchers demonstrated the ability to clone VW key fobs by exploiting weaknesses in the cryptography used for RKE.

    • Some technical details were redacted from the publication at Volkswagen’s request.

This research raised significant concerns about the security of automotive remote entry systems, particularly in high-volume car models.

../../_images/loseit.png

Manufacturers without an OTA (Over-The-Air) update process can take one of two actions when vulnerabilities are disclosed: either rely on “Security by Obscurity” (keeping the vulnerability details secret) or address the issue through repairs in workshops.

Nie et al.: Free-Fall - Hacking Tesla from Wireless to CAN Bus#

[SN17]

  • Remote exploitation of a Tesla Model S

  • Attack chain to compromise the entire vehicle, based on an already known browser exploit (CVE-2011-3928).

  • Local privilege escalation bug in Linux allowed full control over MMU (central component in Tesla’s architecture) (CVE-2013-6282)

  • MMU can provide software-updates to other ECUs

  • No firmware signature for vehicle gateway ECU

  • Full control over all vehicle buses through malicious gateway firmware

../../_images/Screenshotfree-fall-hacking-tesla-from-wireless-to-can-bus.png

Fig. 10 Imporant components. CID (Central Information Display), IC (Instrument Cluster), Parrot Wi-Fi and Bluetooth module as part of CID#

A CID teardown was performed and documented by PenTestPartners [Pen20].

Van den Herrewegen et al.: Beneath the Bonnet — A Breakdown of Diagnostic Security#

[VdHG18]

  • Published: August 2018

  • Research Overview: Van den Herrewegen et al. presented an in-depth analysis of vulnerabilities in automotive diagnostic systems.

  • Key Findings:

    • Documented attacks on real Electronic Control Units (ECUs) from various manufacturers, including Ford, Volvo, Fiat, and Audi.

    • Demonstrated code-execution attacks on ECUs, showcasing how diagnostic protocols can be exploited.

This research highlighted significant vulnerabilities in widely used automotive diagnostic systems, emphasizing the need for better security measures across the industry.

../../_images/herrenwegen.png

Fig. 11 Attack overview#

Cai et al.: 0-days & Mitigations - Roadways to Exploit and Secure Connected BMW Cars#

[CWZ19]

  • Remote exploit of an unaltered vehicle from BMW

  • Two very complex attack chains were used

  • Attack chain 1:

    • Web browser exploit on the MMU as a remote entry

    • TOCTOU attack against internal diagnostic services allowed them to send arbitrary UDS messages

    • Implementation flaws in the UDS protocol of the CGW allowed the escalation to all internal communication systems

  • Attack chain 2:

    • Buffer overflow in the provisioning feature of the NGTP protocol for RCE on the TCU

    • A vulnerable diagnostic service allowed them to send arbitrary messages onto the vehicle’s CAN bus

    • Implementation flaws in the UDS protocol of the CGW allowed the escalation to all internal communication systems

../../_images/ScreenshotBMW.png

Fig. 12 Attack Chain#

Takeaway:#

BMW and Keen Security Lab agreed to delay the public disclosure of vulnerabilities for over a year. During this time, BMW was able to fix many of the identified weaknesses within two months through OTA (Over-The-Air) updates and configuration changes.

Wouter Bokslag: Vehicle Immobilization Revisited#

[]

  • Published: December 2019

  • Research Overview: Wouter Bokslag conducted a comprehensive analysis of vulnerabilities in electronic immobilizer systems.

  • Key Findings:

    • Detailed attacks on immobilizer systems in various car models, including the Peugeot 207, Fiat Grande Punto, and Opel Astra H.

    • The research demonstrates weaknesses in these immobilizers, showing how they can be bypassed to gain unauthorized access to vehicles.

This research highlights important security flaws in the immobilization systems of popular car models.

../../_images/wouters.png

Fig. 13 Attack Chain#

Computest: The Connected Car - Ways to get unauthorized access and potential implications#

[BV18]

  • Open ports on the MMU of Audi and Volkswagen vehicles

  • QNX vulnerability allowed them to open a shell through a WLAN or mobile data connection

  • Presence of an APN depends on the country the vehicle is operated

  • Local privilege escalation vulnerability in QNX made further MMU services accessible to them

  • Through a firmware modification of the CAN MCU inside the MMU, they obtained arbitrary write access to the vehicle’s CAN bus

  • They stopped their research here

  • An attack of the vehicle gateway ECU would have been necessary to compromise the entire vehicle

../../_images/ScreenshotComputest.png

Fig. 14 Attack Chain#

Wouters et al.: Fast, Furious and Insecure — Passive Keyless Entry and Start Systems in Modern Supercars#

[WMA+19]

  • Published: 2019

  • Research Overview: Wouters et al. demonstrated vulnerabilities in Tesla’s passive keyless entry and start system, showcasing an attack that granted unauthorized access and enabled engine start.

  • Key Findings:

    • Attack focused on Tesla vehicles, allowing vehicle entry and starting the engine.

    • Mitigation measures suggested include disabling passive entry and activating a PIN code requirement.

Takeaway:#

Tesla addressed this hardware-software vulnerability in 2018 with an OTA (Over-The-Air) software update.

../../_images/teslahack.jpg

Fig. 15 Attack Chain#

TBONE – A zero-click exploit for Tesla MCUs#

[WS20]

  • Research for PWN2OWN 2020

  • Tesla vehicles connect automatically to the Tesla Service SSID

  • ConnMan 1.37 was used inside Tesla vehicles.

  • They fuzzed a DNS handling function, offline

  • Finally they obtained RCE through a stack overflow

  • This research only targeted the MMU of Tesla vehicles

  • Bonus: This attack was launched from a drone, 100m above

Mercedes-Benz MBUX Security Research Report#

[Lab20]

  • Very detailed research on Mercedes-Benz vehicles architecture

  • Head-Unit was attacked via a browser exploit

  • Some but very limited vehicle functions could be triggered from the Head-Unit (ambient light, reading light, and sunshade cover)

../../_images/ScreenshotMercedes_Benz_Security_Research_Report_Final.png

Fig. 16 Possible attack chains. Airbag Control Module, Electronic Iginition System#

SYNACKTIV – I feel a draft. Opening the doors and windows 0-click RCE on the Tesla Model3#

[BD22]

  • Research for PWN2OWN 2022

  • TBONE 2.0

  • Tesla Model 3 Infotainment: Intel Atom A3950 SoC with Linux-based OS (customized Buildroot).

    • Interacts with LTE connectivity card and WiFi/BT chipset.

  • Vulnerabilities:

    • CVE-2022-32292: GWEB HTTP parsing OOB byte swap.

    • CVE-2022-32293: WISPR double-free in ConnMan causing heap reset.

  • Heap Shaping: Controlled allocations via g_hash_table.

    • Precise buffer placement for controlled exploitation.

  • Infoleak: DHCP hostname string modification to leak libc pointer, bypassing ASLR.

  • ROP Chain: libc hook (realloc_hook) leads to arbitrary code execution, followed by stack pivot.

  • CAN Injection: Gained control allows crafted CAN messages to manipulate vehicle functions.

  • Fixes: Vulnerabilities patched (CVE-2022-32292, CVE-2022-32293), libc hook removed in future updates.

../../_images/ScreenshotTesla2022.png

Fig. 17 Could only sent “allowed” CAN messages.#

SYNACKTIV – 0-Click RCE on the Tesla Infotainment Through Cellular Network#

[BD24]

  • Research for PWN2OWN 2024

  • Target: Tesla’s infotainment system via cellular connectivity.

  • Vulnerability: Command injection in the LTE modem (Quectel system).

  • Firewall Bypass: Exploits a race condition during boot where the firewall may not activate.

  • Reboot Mechanism: Force multiple reboots by disrupting network checks, causing firewall deactivation.

  • Exploit Execution: Once the firewall is inactive, an attacker can inject commands remotely via AT commands.

  • Next Stage: Gain root access to the infotainment system from the compromised modem, leading to full control.

../../_images/ScreenshotTesla2024.png

Fig. 18 Could only sent “allowed” CAN messages.#

previous

Vehicle Networks

next

Controller Area Network (CAN) - Layer

Contents
  • Koscher et. al: Experimental Security Analysis of a Modern Automobile
  • Checkoway et al.: Comprehensive Experimental Analysis of Automotive Attack Surfaces
  • Dieter Spaar: Beemer, Open Thyself!
  • Miller & Valasek: Remote Exploitation of an Unaltered Passenger Vehicle
  • Garcia et al.: Lock It and Still Lose It — On the (In)Security of Automotive Remote Keyless Entry Systems
  • Nie et al.: Free-Fall - Hacking Tesla from Wireless to CAN Bus
  • Van den Herrewegen et al.: Beneath the Bonnet — A Breakdown of Diagnostic Security
  • Cai et al.: 0-days & Mitigations - Roadways to Exploit and Secure Connected BMW Cars
    • Takeaway:
  • Wouter Bokslag: Vehicle Immobilization Revisited
  • Computest: The Connected Car - Ways to get unauthorized access and potential implications
  • Wouters et al.: Fast, Furious and Insecure — Passive Keyless Entry and Start Systems in Modern Supercars
    • Takeaway:
  • TBONE – A zero-click exploit for Tesla MCUs
  • Mercedes-Benz MBUX Security Research Report
  • SYNACKTIV – I feel a draft. Opening the doors and windows 0-click RCE on the Tesla Model3
  • SYNACKTIV – 0-Click RCE on the Tesla Infotainment Through Cellular Network

By dissecto GmbH

© Copyright 2023.