
Practical Car Hacking

23rd - 25th September 2019 | 3 Days


TRAINER

Guillaume Heilles


OBJECTIVE

In the last few years, we have seen many new attacks on cars, but this environment is still hard to get into, mainly because its tools differ from classical reversing or hacking tools.

In this training, the car hacking tools will be presented along with many practical sessions to make sure the attendees will be able to reproduce the attacks later on. We will provide the necessary CAN tools and perform the attacks on real cars. We will also cover the basic theory of the CAN bus, so that the attendees can understand what is going on.

Special gift: attendees will be given a CAN transceiver / controller and an OBD cable so that they can replay the attacks using any microcontroller as soon as they get back. They will need to bring a microcontroller board of their choice to the training to connect to their free CAN transceiver / controller. Any SPI-enabled microcontroller should be compatible, but the faster the better! The microcontroller may or may not have a CAN interface; we will handle both cases.

COURSE OUTLINE

  • Introduction to Car Hacking
    • Overview of this training
  • Locating the CAN bus
    • What is the OBD-2 port, locating it
    • Finding a CAN bus right on the ECUs inside the car
    • Practice: using a diagnostic device
  • CAN bus overview
    • Architecture of a car: multiple CAN busses
    • The gateway, a CAN firewall
    • Electrical implementation of the CAN bus
    • OSI Layer architecture
    • CAN messages: understanding the format
    • ISO-TP
    • UDS
    • Practice: Reading the Vehicle Identification Number, reading the DTCs, clearing the DTCs
  • Architecture of an ECU
    • Hardware: identifying the main components
    • Software
      • Autosar: what is it, where does it come from? Presentation of its architecture
      • The security modes of an ECU
        • Normal
        • Security session
        • Factory session
    • Practice session: understanding an ECU's PCB
  • Breaking into security sessions
    • Brute force
    • Side channel attacks
    • Reverse engineering
      • of the ECU's firmware
      • of a diagnostic software
    • Practice session: write a brute-forcer
  • Discovery of CAN messages for your car
    • Understanding UDS standard messages
    • Discovering proprietary messages
    • Practice session: capturing CAN messages from a professional diagnostic device
  • Replay attacks
    • Replaying CAN messages
    • Practice session: open the doors of your car
  • CAN spoofing
    • Is there a message integrity?
    • What are message counters
    • Practice session: modify the speedometer
  • CAN fuzzing
    • Disclaimer
    • Analyzing captured messages
    • Custom fuzzer
    • Practice session: fuzzing a specific ECU
  • ECU reprogramming
    • Dumping the firmware
      • JTAG, UART, SWD, ICSP, SPI
      • Flash resoldering
    • Quick analysis of a firmware
    • Reprogramming the firmware
    • Practice session: dumping a firmware
  • ECU firmware reverse engineering
    • Architecture of a legacy firmware
    • Architecture of an Autosar firmware
    • Finding the right entry points
    • Practice session: reversing a firmware
  • Open-source tools and references
    • Candump
    • Canmonitor
    • Where to find other tools
  • Other busses
    • LIN
    • FlexRay
    • Ethernet
    • WiFi
    • USB
    • 3G
  • Firmware Reverse Engineering: Methodology
    • Finding the base address
    • Identifying code and data
    • Checking the cross-references
    • Static resolution of function pointers
  • Firmware Reverse Engineering: dynamic analysis
    • What do we know about the firmware?
    • Collecting information
  • Firmware Reverse Engineering: Identifying known assets
    • UDS / KWP commands
    • UDS / KWP error codes
    • CAN database and handlers
  • Reversing a specific function
    • Security Session Algorithms
    • Firmware upload/download
    • Others
  • Learning a new CPU architecture
    • Basic concepts of assembly language
    • IDA helpers
    • The different kinds of datasheets and what to look for
    • Practice, practice, and practice
  • Real-world case studies illustrating the previous points
    • ECU on Tricore architecture
    • ECU on PowerPC architecture
    • ECU on v850 architecture
    • AUTOSAR ECU
    • Non-AUTOSAR ECU

Who should attend?

  • Security Researchers
  • Car equipment designers
  • Hackers interested in cars

Prerequisite Knowledge:

  • Basic knowledge of programming (C, Python)
  • Basic knowledge of Linux
  • Basic knowledge of firmware reversing is a plus, but not required

Hardware/Software Requirements:

  • Laptop with WiFi
  • SSH client
  • A reverse engineering software is a plus
  • A smartphone with Torque Free installed

ABOUT THE TRAINERS


Guillaume Heilles is a security engineer at Quarkslab. He is mainly focused on hardware attacks on IoT devices, but also on reverse engineering and exploitation. He has presented the Hardware CTF at hardwear.io in 2017 and 2018, and a talk on How to drift with any car at the 34th CCC in 2017.