th the fu futur ure is is he here e
play

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack - PowerPoint PPT Presentation

Jun 18, 2023 •466 likes •1.28k views

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On Au Automotiv omotive Lior Yaari 28/11/2019 Techy Trainer at DeepSec 7 Years In Cyber Security Vulnerability Researcher Sec-Dev CS Teacher

  1. Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On Au Automotiv omotive Lior Yaari 28/11/2019

  2. Techy Trainer at DeepSec 7 Years In Cyber Security Vulnerability Researcher Sec-Dev CS Teacher Consultant Casual Cool Born In Studying Jerusalem German Hobby

  4. Building Security End to End Breaking through Bypassing ECU Products Security Testing the cloud or factory protections IDS IPS Automotive SOC Vehicle Security Research Prevention Concepts

  5. Disclaimer As part of our job with CYMOTIVE we are working closely with several automotive companies and because of that many of our findings are under NDA. We will not include ANY customer names and real issues which can cause any harm and focus more on the tech side * All photos in this presentation are from open sources found on the internet

  6. Progress Bar • Who I Am • Automotive Past & Future • Connected Technologies • Centralized Management

  7. Automotive Main Trends LiDAR NFC SLAM Wifi V2X PLC GPS Thermo Bluetooth Sonar 4G

  8. Who talks to my car? Year 2005~

  9. Who talks to my car? Bluetooth, Wifi Year 2015~

  10. Who talks to my car? OTA Cloud RF,BLE Year 2025~

  11. What does it imply?

  12. Changes CAN Bus Ethernet Mechanical Engineer Software Developer

  13. New Demands Vehicle Clouds Growing IT Department Tons of Infosec Jobs

  15. Some Terminology Original Equipment Manufacturer (OEM)

  16. Some Terminology Electronic Control Unit (ECU) Door Info Engine Radio Gateway Nav Airbag Body ABS Door Diag

  17. Some Terminology Infotainment (Information + Entertainment)

  18. Progress Bar • Who We Are • Automotive Past & Future • Connected Technologies • Centralized Management

  19. The new fashion in vehicle IoT are “Aftermarket Solutions” Which are also the solution for hackers

  20. Aftermarket Solutions Chainway TSP Viper Smart Start Samsung MYCAR Vinli OBD-II Drone Mobile Engie

  21. Hacking the: Server, Phone, Dongle -> Dongle Server Hacking the car

  22. Keyless Entry =< Car Sharing

  23. By Continental https://www.youtube.com/watch?v=vdnrr5i4naE

  24. Car2Go App MYCAR App - Found by Jmaxxz

  25. The Bluetooth Problem Hell2CAP (Cymotive) Infotainment, CVE-2018-20378 Dongles, Keys are all KNOB (SUTD) Bluetooth connected CVE-2019-9506 BleedingBit (Armis) CVE-2018-16986 CVE-2018-7080

  26. Hell2CAP Found by Barak Caspi at Cymotive State machine bug in BlueSDK L2CAP (~100 Million Devices) We Are Here

  27. L2CAP Channel Multiplexing PSM – “Protocol ID” L2CAP_Connect(PSM=0x1)

  28. L2CAP Channel Multiplexing PSM – “Protocol ID” DCID – channel identifier L2CAP_Connect(PSM=0x1) L2CAP_ConnectResp(DCID=0x41)

  29. L2CAP Channel Multiplexing PSM – “Protocol ID” DCID – channel identifier L2CAP_Connect(PSM=0x1) L2CAP_ConnectResp(DCID=0x41) L2CAP_ConfReq(DCID=0x41, …)

  30. L2CAP Configuration Can config: MTU, Timeout and more Minimal Bluetooth MTU is 48 - Bluetooth Specification Version 3.0 + HS [Vol 3]

  31. L2CAP Configuration Save MTU Pseudo code Set Invalid Check Size On Fail

  32. L2CAP Configuration Connect Channel 0x41 Valid – Yes MTU – 0x500

  33. L2CAP Configuration Connect L2CAP_ConfReq(DCID=0x41, Channel 0x41 MTU=0x200) Valid – Yes MTU – 0x200 L2CAP_ConfResp(DCID=0x41, SUCCESS)

  34. L2CAP Configuration Connect L2CAP_ConfReq(DCID=0x41, Channel 0x41 MTU=0x10) Valid – No MTU – 0x10 L2CAP_ConfResp(DCID=0x41, INVALID)

  35. Hell2CAP Red flag – Values is stored (4) than checked (5) Can we restore channel to be valid?

  36. Hell2CAP Red flag – Values is stored (4) than checked (5) Can we restore channel to be valid? ConfigRequest Channel Invalid. Channel Valid ConfigRequest (FlushTimeout (MTU = 20) ch.MTU = 20 ch.MTU = 20 = 0x1337)

  37. Hell2CAP On upper layer – SDP there is fragmentation code MTU from L2CAP, we control it

  38. Hell2CAP On upper layer – SDP there is fragmentation code MTU = 48 -> availableSizeForFragment = 48 – 9 = 39 MTU = 8 -> availableSizeForFragment = 8 – 9 = 0xFFFF Integer underflow

  39. Hell2CAP Set Low Integer Buffer Profit MTU Underflow Overflow

  40. The problem with Bluetooth is that it is not the only problem V2X

  41. V2X – Vehicle to X

  42. By Autotalks https://www.youtube.com/watch?v=RRDiDPnv_b4

  43. V2X payload is ASN.1 based

  44. A fake V2X module could Create Force Generate False Emergency False Alarms Traffic Breaks

  45. Charging Evolution

  46. Charging PLC EVSE – Electric Vehicle Supply Equipment PEV – Plug-in Electric Vehicle EVSE PEV

  47. Charging PLC PLC – Power Line Communication EVSE PEV

  48. XML- Charging Protocol Stack EXI V2GTP TLS SDP Vendor SLAC UDP TCP Specific HPGP IPv6 Wired / Ethernet

  49. XML- XML Parsers Vulns EXI V2GTP Header Edge Cases TLS SDP Vendor SLAC UDP TCP Specific HPGP IPv6 Wired / Ethernet

  50. XML- XML Parsers Vulns EXI V2GTP Header Edge Cases TLS SDP Vendor SLAC UDP TCP VxWorks TCP/IP Stack CVEs by Specific Armis Labs URGENT/11 (19.7.2019): HPGP IPv6 IP RCE: CVE-2019-12256 TCP RCE: CVE-2019-12255, CVE-2019-12260, CVE-2019- Wired / Ethernet 12261, CVE-2019-12263

  51. EVSE! Use Buffer Overflow!

  52. Hackers Benefits Charge your credit card and not your car Hack other ECUs from PEV PEV EVSE

  53. Progress Bar • Who I Am • Automotive Past & Future • Connected Technologies • Centralized Management

  54. Hackers Benefits Vehicle EVSEs are Clouds all cloud connected

  55. The Magical The Vehicle Place Where Everything Is Cloud Possible (For a Hacker)

  56. The Vehicle Cloud Juicy Stuff Normal Stuff Private Information GPS Coordinates Credit Cards Remote Unlock OEM Secrets OTA Updates

  57. The Vehicle Futuristic Stuff Cloud Centralized Control for Shared Transportation Next-Gen Police The cloud is the limit…

  58. OTA – Over The Air Most modern cars receive software updates with 4G connection to the OEM servers

  59. The Vehicle Cloud Update Update Update Update Update

  60. The Vehicle Cloud Update Update Update Update Update

  61. ST STOP! OP! Pay 5000$ to unlock this car

  62. 4/11/2019

  63. The bright side OEMs invest Connected immense efforts autonomous in cyber security would be really great

  64. TL;DR Risks Opportunities Everything Is Connected Less Accidents New Attack Vectors – Life Changing BT, Wifi, NFC, V2X, PLC Technologies

  65. Ask Me Anything Lior.yaari@cymotive.com Lior@imperium-sec.com Twitter: @lior_yaari

  67. Hell2CAP Found by Barak Caspi at Cymotive State machine bug in BlueSDK L2CAP (~100 Million Devices) We Are Here

  68. L2CAP Channel Multiplexing PSM – “Protocol ID” L2CAP_Connect(PSM=0x1)

  69. L2CAP Channel Multiplexing PSM – “Protocol ID” DCID – channel identifier L2CAP_Connect(PSM=0x1) L2CAP_ConnectResp(DCID=0x41)

  70. L2CAP Channel Multiplexing PSM – “Protocol ID” DCID – channel identifier L2CAP_Connect(PSM=0x1) L2CAP_ConnectResp(DCID=0x41) L2CAP_ConfReq(DCID=0x41, …)

  71. L2CAP Configuration Can config: MTU, Timeout and more Minimal Bluetooth MTU is 48 - Bluetooth Specification Version 3.0 + HS [Vol 3]

  72. L2CAP Configuration Save MTU Pseudo code Set Invalid Check Size On Fail

  73. L2CAP Configuration Connect Channel 0x41 Valid – Yes MTU – 0x500

  74. L2CAP Configuration Connect L2CAP_ConfReq(DCID=0x41, Channel 0x41 MTU=0x200) Valid – Yes MTU – 0x200 L2CAP_ConfResp(DCID=0x41, SUCCESS)

  75. L2CAP Configuration Connect L2CAP_ConfReq(DCID=0x41, Channel 0x41 MTU=0x10) Valid – No MTU – 0x10 L2CAP_ConfResp(DCID=0x41, INVALID)

  76. Hell2CAP Red flag – Values is stored (4) than checked (5) Can we restore channel to be valid?

  77. Hell2CAP Red flag – Values is stored (4) than checked (5) Can we restore channel to be valid? ConfigRequest Channel Invalid. Channel Valid ConfigRequest (FlushTimeout (MTU = 20) ch.MTU = 20 ch.MTU = 20 = 0x1337)

  78. Hell2CAP On upper layer – SDP there is fragmentation code MTU from L2CAP, we control it

  79. Hell2CAP On upper layer – SDP there is fragmentation code MTU = 48 -> availableSizeForFragment = 48 – 9 = 39 MTU = 8 -> availableSizeForFragment = 8 – 9 = 0xFFFF Integer underflow

  80. Hell2CAP Set Low Integer Buffer Profit MTU Underflow Overflow

  81. Ask Me Anything Lior.yaari@cymotive.com Lior@imperium-sec.com Twitter: @lior_yaari

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour

Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour

Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? FOURPOINTS Funds Info Tech November 4. 2014 Fund Managers: Benot Flamant Twitter:

642 views • 47 slides
Look Looking int ing into t o the he cr cryst ystal al ba ball: t ll: the he fut futur

Look Looking int ing into t o the he cr cryst ystal al ba ball: t ll: the he fut futur

Look Looking int ing into t o the he cr cryst ystal al ba ball: t ll: the he fut futur ure of ma of marine ine insur insurance ance CBMU Spring Conference May 2018 Andy Yeoman (CEO) Ex-Trimble Inc., and GM of Commercial

886 views • 51 slides
Industrie du Futur Industry of the Future ISIEM 2016 Padang, Indonesia, 21st September 2016

Industrie du Futur Industry of the Future ISIEM 2016 Padang, Indonesia, 21st September 2016

Industrie du Futur Industry of the Future ISIEM 2016 Padang, Indonesia, 21st September 2016 Milko Papazoff, CETIM Asia Pacific Adviser Industrie du Futur 1 transversal plan 9 thematic solutions Transports of tomorrow Smart objects New

576 views • 22 slides
9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense

9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense

9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense (Regular and Irregular Verbs) 9.3 Interrogative Pronouns 9.1 Reminder: Le Futur Proche To express events that will happen in the near future,

493 views • 27 slides
ID 20 20 Investing in Idahos Futur e ________________________________________ ID 20 20

ID 20 20 Investing in Idahos Futur e ________________________________________ ID 20 20

ID 20 20 Investing in Idahos Futur e ________________________________________ ID 20 20 Why Idaho 2020? ________________________________________ ID 20 20 Our Process Business Leaders Input Data Driven World Class

827 views • 47 slides
Ho Hono nour uring ng The Sa he Sacred ed Fi First Nations ns &amp; the he Fut Futur

Ho Hono nour uring ng The Sa he Sacred ed Fi First Nations ns &amp; the he Fut Futur

Ho Hono nour uring ng The Sa he Sacred ed Fi First Nations ns &amp; the he Fut Futur ure e of Water er Go Governan ance i in C Can anad ada A A presentatio ion by R. R.W. Sandf dfor ord Ch Chair ir, W , Wate ater

492 views • 34 slides
for or the the Futur Future(s) e(s) Gu Guidanc idance e on A on ACE CES S Consider

for or the the Futur Future(s) e(s) Gu Guidanc idance e on A on ACE CES S Consider

Planning Planning for or the the Futur Future(s) e(s) Gu Guidanc idance e on A on ACE CES S Consider Consideratio tions ns int into Lon o Long g Range T Range Transp anspor orta tation tion Plans Plans AM AMPO Conf PO

600 views • 21 slides
Th The Fu Futur ture e of f eConveyancing onveyancing Off ffice ice of the Re Registr

Th The Fu Futur ture e of f eConveyancing onveyancing Off ffice ice of the Re Registr

Th The Fu Futur ture e of f eConveyancing onveyancing Off ffice ice of the Re Registr trar ar-Gen General eral Se Session ion two wo the he cur urrent ent state ate Graeme Jackson Registrar-General Departme partment nt

611 views • 21 slides
Prepa eparin ing f g for or Uta tahs s Water Fut r Futur ure conservancy districts to

Prepa eparin ing f g for or Uta tahs s Water Fut r Futur ure conservancy districts to

April 27, 2018 | ULCT Midyear Conference Ron Thompson &amp; Richard Bay Prepa eparin ing f g for or Uta tahs s Water Fut r Futur ure conservancy districts to protect what by Utahs four largest water we have, use it wisely,

498 views • 25 slides
Fut Futur ure e of Ener f Energy gy in in So South uth Af Afric rica Stimula ulating

Fut Futur ure e of Ener f Energy gy in in So South uth Af Afric rica Stimula ulating

Fut Futur ure e of Ener f Energy gy in in So South uth Af Afric rica Stimula ulating ing Ec Econ onom omic c Gr Grow owth, th, De Devel velop opmen ment t and and Jo Job Cr Crea eatio ion George Njenga Ac Achi

743 views • 14 slides
Pa Partneri tnering ng fo for r th the fut e futur ure e .. ... . - Volume 2 Present

Pa Partneri tnering ng fo for r th the fut e futur ure e .. ... . - Volume 2 Present

Pa Partneri tnering ng fo for r th the fut e futur ure e .. ... . - Volume 2 Present Global Market Dynamics... Focus on Middle East and Africa ATM and EPOS market . Agenda Introduction Where we are Global ATM Market

711 views • 20 slides
te techno hnologi logies: es: le less ssons ons le learned rned and nd fu futur ure e

te techno hnologi logies: es: le less ssons ons le learned rned and nd fu futur ure e

IO IOT in T inter eroper operability ability us usin ing g web eb te techno hnologi logies: es: le less ssons ons le learned rned and nd fu futur ure e cha hallen llenges ges SCENE SETTING INTER net of things must be

454 views • 29 slides
Engineer ing your futur e Delivering Global Manufacturing Solutj ons Sylat ech is a gr oundbr

Engineer ing your futur e Delivering Global Manufacturing Solutj ons Sylat ech is a gr oundbr

Engineer ing your futur e Delivering Global Manufacturing Solutj ons Sylat ech is a gr oundbr eaking design and manufacturing business deli v ering precision custom engineering solutions for our cust omers. Oper ating from the UK, S ylat ech has a

547 views • 19 slides
SOFT FTWAR ARE- E- DE DEFI FINED-S NED-STORAGE AGE The futur The future of c e of cloud-

SOFT FTWAR ARE- E- DE DEFI FINED-S NED-STORAGE AGE The futur The future of c e of cloud-

SOFT FTWAR ARE- E- DE DEFI FINED-S NED-STORAGE AGE The futur The future of c e of cloud- oud- optimi ptimized Stor ed Storage age Tec Techn hnic ical al Pr Presen esentation tation Ivo vo G GomIl Ilek ek Sen

1.3k views • 104 slides
Building ng a stronge nger airline ne for the futur ure May 12, , 2016 016 Introduc ucti

Building ng a stronge nger airline ne for the futur ure May 12, , 2016 016 Introduc ucti

Building ng a stronge nger airline ne for the futur ure May 12, , 2016 016 Introduc ucti tion Paulo Kaki kinoff CEO GOL Large gest t low-cost t airline in LatAm Am Standardized fleet of 143 Boeing 737-700 and 800 NG

432 views • 30 slides
ARS Research FO FOUNDATION FO FOR A A GROWI WING F FUTUR URE A GRICULTURAL R ESEARCH S

ARS Research FO FOUNDATION FO FOR A A GROWI WING F FUTUR URE A GRICULTURAL R ESEARCH S

ARS Research FO FOUNDATION FO FOR A A GROWI WING F FUTUR URE A GRICULTURAL R ESEARCH S ERVICE 1 USDA R Research, Education, and Economics cs ( (REE) EE) Dr. Sonny Perdue USDA Secretary Mission on A Area Dr. Scott Hutchins REE

515 views • 17 slides
Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012 Background Company WAREHOUSE IN 2008 Regulatory work Since 2008 Since 2010 Since 2011 Since 2011 UK USA Europe Singapore United Kingdom United

268 views • 22 slides
Updates on Camera &amp; Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera &amp; Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera &amp; Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco Pietropaolo, Stephen Pordes, Serhan Tufanli HV system consortium meeting 07/10/2018 Signal Readout Port Port Item Number 1 Ground plane

302 views • 6 slides
MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer) Wireless mice and keyboards 16 vendors

1.14k views • 86 slides
Video recording lectures: blending the quarantini. Matthew Jones &amp; Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones &amp; Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones &amp; Nick Sharples TALMO workshop: Engagement and Interaction. 3rd September 2020 October 2018 - maths stafg were issued with ipads, pencils + dongles. Workfmow: Prepare slides

750 views • 23 slides
Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami) Red Team @ Snap Former Wireless Security Researcher @ Bastille Networks Wireless CVEs in products from 21 vendors Radios

755 views • 64 slides
REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using

REIMAGINING THE POLICE SCANNER IN THE ERA OF THE SDR Taking scanning to the next level using distributed RTLSDR receivers &amp; open source software PRESENTED BY GAVIN ROZZI Cyberspectrum #23 @ DEF CON 2018 August 9th, 2018 SDR HAS THE

985 views • 22 slides
Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief -

Good Times with a Pile of GPUs Elizabeth Baumel About me Unity - DOTS Team Disbelief - Unreal games Gears of War 4 - D3D12 multi-GPU support on UWP Other, more exotic D3D12 multi-GPU stuff Sony - PS4 graphics dev support

744 views • 49 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides

More recommend