Chaos of Vehicle Communications (iThome CYBERSEC 2020), speaker: NotSurprised
TRANSCRIPT
![Page 2: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/2.jpg)
https://speakerdeck.com/notsurprised/ithome-cybersec2020-chaos-of-vehicle-communications
![Page 3: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/3.jpg)
• Background
– Introduction
– Protocols
– ECU/Components
• OMA DM
– Parser problems
– Self-defined
– Inconsistency
• Summary
– Recap
– Suggestion
– Resource
![Page 4: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/4.jpg)
NotSurprised
Intro
• UCCU Hacker
• AIS3 2016 trainee
• HITCON Defend 2018 3rd (etc.)
• SITCON 2019 speaker
• MOPCON 2019 speaker
• Becks.io#5 speaker
• ITRI Engineer (serving my country)
• Five-year combined Bachelor's and Master's, NSYSU
Email : [email protected]
Skill
• Windows Kernel Driver (Minifilter)
• Penetration Test (Web)
• Malware Analysis (Ransomware)
• Ethereum Smart Contract (Solidity)
• Car Security (OMA DM)
![Page 5: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/5.jpg)
![Page 6: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/6.jpg)
Drones, IoT, AI manufacturing, AI cars (VANET)
sound great, but…
Are they secure?
![Page 7: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/7.jpg)
![Page 8: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/8.jpg)
• Charlie Miller, Jeep Cherokee – Charlie Miller shared a whole series of attack vectors
• Tencent Keen Security Lab, Tesla Model S
• ADCD key signal repeat – proof that key-fob signals can simply be captured, amplified and repeated (relayed)
• Pwn2Own 2019, Tesla Model 3
• Car2go car-sharing app, Chicago – a server-side problem: the account-review mechanism could be defrauded, and cars were unlocked with fake person IDs
![Page 9: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/9.jpg)
• RFID
• CAN Bus
• Bluetooth
• Cellular Network (Internet)
• VANET
• OMA DM
![Page 10: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/10.jpg)
[Diagram: car internal communication, car external communication, key, manufacturer server]
![Page 11: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/11.jpg)
![Page 12: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/12.jpg)
![Page 13: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/13.jpg)
![Page 14: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/14.jpg)
• RFID (Radio Frequency Identification) is radio as well
• In vehicles it is used over longer distances, usually in higher frequency bands (UHF)
• libnfc session from the slide: nfc-list enumerates the genuine tag, then nfc-mfsetuid writes that UID (3c 3d f1 0d) into a UID-changeable ("magic") card, which still answers the anticollision with its old UID (0c 5c ee 0d) before block 0 is rewritten:

```
root@kali:~# nfc-list
nfc-list uses libnfc 1.7.1
NFC device: pn532_uart:/dev/ttyUSB0 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 3c  3d  f1  0d
      SAK (SEL_RES): 08
root@kali:~# nfc-mfsetuid 3c3df10d
NFC reader: pn532_uart:/dev/ttyUSB0 opened
Sent bits:     26 (7 bits)
Received bits: 04  00
Sent bits:     93  20
Received bits: 0c  5c  ee  0d  b3
Sent bits:     93  70  0c  5c  ee  0d  b3  5c  c2
```

Generate a fake RFID key / RFID reader with Arduino
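The bytes in that trace are the ISO/IEC 14443-3 anticollision and SELECT exchange, and every one of them can be checked by hand. The following is an added example (not code from the talk) that parses the cascade-level-1 reply, verifies its BCC and rebuilds the reader's SELECT frame, CRC_A included, so that it matches the trace byte for byte; the helper names are my own and the only inputs are the bytes shown on the slide.

```python
"""Added example (not part of the talk): decode the nfc-mfsetuid trace
shown above. The byte strings are copied from that trace; the helper
names are my own."""


def bcc(uid_cl: bytes) -> int:
    """ISO/IEC 14443-3 block check character: XOR of the four UID bytes
    of one cascade level. The card appends it to its anticollision reply."""
    result = 0
    for b in uid_cl:
        result ^= b
    return result


def crc_a(data: bytes) -> bytes:
    """CRC_A from ISO/IEC 14443-3 Annex B (reflected poly 0x8408, preset
    0x6363), returned in transmission order (low byte first)."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_anticollision_reply(reply: bytes) -> bytes:
    """Reply to SEL=0x93 NVB=0x20: four UID bytes followed by the BCC.
    Raises if the BCC does not match (a corrupted or forged reply)."""
    if len(reply) != 5:
        raise ValueError("cascade level 1 reply must be UID0..UID3 + BCC")
    uid, got = reply[:4], reply[4]
    if bcc(uid) != got:
        raise ValueError(f"BCC mismatch: expected {bcc(uid):02x}, got {got:02x}")
    return uid


def build_select(uid: bytes) -> bytes:
    """SELECT frame for cascade level 1: 93 70 UID0..UID3 BCC CRC_A.
    This is exactly what the reader sends as its last frame in the trace."""
    body = bytes([0x93, 0x70]) + uid + bytes([bcc(uid)])
    return body + crc_a(body)


# Bytes from the trace: the magic card still answers with its current UID
# (0c 5c ee 0d) before nfc-mfsetuid rewrites block 0 to 3c 3d f1 0d.
TRACE_REPLY = bytes.fromhex("0c5cee0db3")
TRACE_SELECT = bytes.fromhex("93700c5cee0db35cc2")
TARGET_UID = bytes.fromhex("3c3df10d")  # the genuine tag seen by nfc-list

if __name__ == "__main__":
    uid = parse_anticollision_reply(TRACE_REPLY)
    assert build_select(uid) == TRACE_SELECT
    print("card UID", uid.hex(), "BCC", f"{bcc(uid):02x}", "SELECT", build_select(uid).hex())
    print("clone target", TARGET_UID.hex(), "BCC", f"{bcc(TARGET_UID):02x}")
```

The point for a defender: nothing in this exchange is secret. UID, BCC and CRC are all computable by anyone holding a reader, which is why a UID-only check (the "ID card" style of access control) is cloning-grade weak and the genuine protection has to come from a keyed challenge-response on top of it.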
![Page 15: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/15.jpg)
• Signal Amplification Relay Attack (SARA): the key's signal is relayed from wherever the key really is to the car
• Cloning devices were originally designed to copy a key for backup, or to merge several keys into one all-in-one RFID key for personal use
• They can copy 125 kHz ("low frequency") RFID
• They cannot copy 13.56 MHz ("high frequency") NFC
![Page 16: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/16.jpg)
![Page 17: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/17.jpg)
![Page 18: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/18.jpg)
![Page 19: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/19.jpg)
• Best way to get onto the CAN bus – compromise the car's mini computer (OS: QNX, Windows CE, Linux, Android, Green Hills)
– As a component in the car, the mini computer connects to both the CAN bus and the dashboard
• Messages on the CAN bus – CAN message format
• ISO 11519-2 / ISO 11898:1993 / ISO 11898:1995
• Give your broadcast frame the highest-priority (numerically lowest) arbitration ID, so it wins arbitration against the legitimate sender
– Diagnostic trouble code format • Sometimes triggers an automatic reaction
• Aircraft also use CAN bus – same problem: in simple aircraft the microcontroller is the last line of defence
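Two things in that slide are worth seeing in code: what "priority" means on a CAN bus, and what an injected frame looks like next to the real one. The following added example (mine, not the talk's) parses candump-style log lines in the `(timestamp) iface id#data` format that can-utils' `candump -L` writes, picks the arbitration winner among contending IDs, and flags an ID whose inter-arrival gap collapses the way it does when a tool floods the bus to out-race the genuine ECU. The log lines, IDs and the 10 ms period are constructed for illustration, not taken from any real car.

```python
"""Added example (not from the talk): CAN arbitration priority and a
rate-based injection check over candump-style lines.

Assumptions: log lines use the format can-utils' `candump -L` prints
("(timestamp) iface id#data"); IDs, payloads and the expected period
below are constructed for illustration, not taken from any vehicle."""
import re

# Constructed sample log. ID 0x244 is normally sent every 10 ms by one ECU;
# the burst just after t=1.000 imitates an injection tool flooding that ID.
SAMPLE_LOG = """\
(1.000000) vcan0 244#0000000000000000
(1.000500) vcan0 244#000000000000FF00
(1.001000) vcan0 244#000000000000FF00
(1.001500) vcan0 244#000000000000FF00
(1.002000) vcan0 19B#000000000000
(1.010000) vcan0 244#0000000000000000
(1.020000) vcan0 244#0000000000000000
(1.030000) vcan0 244#0000000000000000
"""

LINE_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)


def parse_candump(text: str) -> list:
    """Turn candump -L lines into dicts; silently skips non-matching lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        frames.append({
            "ts": float(m["ts"]),
            "iface": m["iface"],
            "id": int(m["id"], 16),
            "data": bytes.fromhex(m["data"]),
        })
    return frames


def arbitration_winner(ids) -> int:
    """Classic CAN arbitration: the frame with the numerically lowest
    identifier wins, because a dominant 0 bit beats a recessive 1 bit,
    compared from the MSB down. That is what 'highest priority' means."""
    return min(ids)


def rate_anomalies(frames: list, expected_period_s: dict, tolerance: float = 0.5) -> list:
    """Flag frames whose gap to the previous frame of the same ID is far
    shorter than the period the real ECU uses. A spoofing tool has to
    out-race the legitimate sender, so it floods the ID and the gap collapses."""
    last_seen, hits = {}, []
    for f in frames:
        cid = f["id"]
        if cid in expected_period_s:
            prev = last_seen.get(cid)
            if prev is not None and f["ts"] - prev < expected_period_s[cid] * tolerance:
                hits.append((cid, f["ts"]))
            last_seen[cid] = f["ts"]
    return hits


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    print("winner among 0x244/0x19B/0x7DF:", hex(arbitration_winner([0x244, 0x19B, 0x7DF])))
    for cid, ts in rate_anomalies(frames, {0x244: 0.010}):
        print(f"suspicious burst on 0x{cid:03X} at {ts:.4f}s")
```

This is the simplest form of the timing-based intrusion detection that most CAN IDS research starts from; it works because real ECUs are periodic and a spoofer cannot be both faster than the ECU and invisible to a timer.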
![Page 20: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/20.jpg)
![Page 21: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/21.jpg)
• CAN
– ISO-TP (ISO 15765-2; ISO 15765-4 for OBD over CAN)
– CANopen
– GMLAN bus
• SAE J1850
– PWM
– VPW
• K-line / KWP
– ISO 9141-2
– KWP2000 (ISO 14230-4)
• LIN bus
• MOST
– Separate from the control buses; used for IVI, connecting the speakers and the cellular modem
• FlexRay
• Ethernet
![Page 22: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/22.jpg)
![Page 23: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/23.jpg)
![Page 24: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/24.jpg)
![Page 25: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/25.jpg)
• FlexRay bus
– Fastest
– Expensive
– Top-class cars
– Sensitive (safety-critical) functions
• CAN bus
– Good cost/performance ratio
– Widely used
![Page 26: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/26.jpg)
• OBDII (On-Board Diagnostics II) ft. EcomCat
![Page 27: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/27.jpg)
ECOM2 OBDII cable: US $203.37
ValueCAN3 OBDII cable: US $395.00
![Page 28: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/28.jpg)
ELM327 OBDII cable: US $2.50~$8.40
![Page 29: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/29.jpg)
| | Expensive OBD2 cable | Cheap OBD2 cable |
|---|---|---|
| | Normal | Limited |
| | Usually not | Sometimes |
| | GUI / auto link | Open source / self-defined |
| | High | Low (China copycat) |
| | Yes | No |
| | Lots | None |
| | Yes | None |

(The row labels of this comparison were not captured in the transcript.)
![Page 30: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/30.jpg)
Some interesting tools:
• ICSim: Instrument Cluster Simulator – for CAN
![Page 31: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/31.jpg)
• MyCar, CarDoctor, Car Scanner – products that plug into the OBDII port and pair with an app
– Watch your car's status yourself so a repair shop cannot defraud you
– Usually Bluetooth (shorter range, more secure) or WiFi/3G/4G
– As with other IoT devices, default accounts/passwords remain a problem
– Bluetooth default pairing key: 0000/1234 (sometimes no pairing request at all)
![Page 32: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/32.jpg)
• Services and characteristics are addressed by UUID and handle; the company identifier tells you the vendor, and the primary-service and characteristic listing tells you the commands
• Sometimes you can brute-force it, or use OSINT for hints
• Mi Band 2 has no auth key; Mi Band 3 has a breakable auth key
![Page 33: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/33.jpg)
• Torque
• Car scanner
• OBD Auto Doctor
![Page 34: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/34.jpg)
• ELM327 OBD2 BLE
• Cannot change the PIN
• Supports several client apps
![Page 35: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/35.jpg)
• ELM327 OBD2 WiFi
• Default IP & port
• Supports several client apps
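What makes an open ELM327 dongle dangerous is that the dialogue it speaks is trivial, and it will forward raw frames to the bus for whoever reaches it. The following added example (mine, not the talk's or any vendor's code) shows that dialogue from the app's side: the mode 01 request strings, the SAE J1979 decoding of the replies, and the two-line `AT SH` + hex sequence that puts an arbitrary frame on the bus. The response strings are a constructed session; the PID formulas are the standard ones.

```python
"""Added example (not from the talk): the AT / OBD-II dialogue a phone app
has with an ELM327 dongle, and why an unauthenticated dongle is a raw
CAN gateway. The response lines below are constructed for illustration;
the PID formulas are the SAE J1979 ones."""

# Mode 01 PIDs and their SAE J1979 decoders (d[0], d[1] = data bytes A, B).
PID_DECODERS = {
    0x05: ("coolant_temp_c", 1, lambda d: d[0] - 40),
    0x0C: ("engine_rpm", 2, lambda d: ((d[0] << 8) | d[1]) / 4),
    0x0D: ("vehicle_speed_kmh", 1, lambda d: d[0]),
}


def build_request(mode: int, pid: int) -> str:
    """What the app sends after 'AT Z', 'AT E0', 'AT SP 0': e.g. '010C\\r'."""
    return f"{mode:02X}{pid:02X}\r"


def decode_response(line: str) -> dict:
    """Decode one ELM327 response line such as '41 0C 1A F8'.
    A positive reply echoes the mode with 0x40 added (01 -> 41)."""
    raw = bytes.fromhex(line.replace(" ", "").replace(">", ""))
    if len(raw) < 2 or (raw[0] & 0x40) == 0:
        raise ValueError(f"not a positive OBD reply: {line!r}")
    mode, pid, data = raw[0] - 0x40, raw[1], raw[2:]
    if mode != 0x01 or pid not in PID_DECODERS:
        raise ValueError(f"unsupported mode/PID {mode:02X}/{pid:02X}")
    name, needed, decode = PID_DECODERS[pid]
    if len(data) < needed:
        raise ValueError("truncated payload")
    return {name: decode(data)}


def raw_can_frame(arb_id: int, payload: bytes) -> list:
    """An ELM327 also forwards arbitrary frames: 'AT SH' sets the header
    (arbitration ID) and, with the right AT settings, the next hex string
    goes onto the bus as-is. Anyone who reaches the dongle's Wi-Fi or
    Bluetooth side can do this: there is no authentication in the way."""
    return [f"AT SH {arb_id:03X}\r", payload.hex().upper() + "\r"]


# Constructed session transcript (dongle side), as the app would read it.
SAMPLE_SESSION = ["41 0C 1A F8", "41 0D 3C", "41 05 5A"]


def decode_session(lines) -> dict:
    """Merge the decoded values of a whole response session."""
    values = {}
    for line in lines:
        values.update(decode_response(line))
    return values


if __name__ == "__main__":
    print(repr(build_request(0x01, 0x0C)), "->", decode_session(SAMPLE_SESSION))
    print(raw_can_frame(0x7DF, bytes.fromhex("0201050000000000")))
```

The defence the slide hints at is the only one that works for these dongles: if the PIN or the Wi-Fi credentials cannot be changed, the device must be physically removed when not in use, because every client app on the slide speaks exactly this protocol and so does an attacker.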
![Page 36: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/36.jpg)
![Page 37: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/37.jpg)
![Page 38: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/38.jpg)
credit : Semantic
![Page 39: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/39.jpg)
• An HTTP sniffer gives you the account/password
• The door sequence is shown in the URL query string in plaintext
• Even without an account/password, you can unlock most doors remotely via SQL injection
• The password that switches the product into setting mode is printed in the user manual, which you can find on the internet, e.g. #123456#
![Page 40: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/40.jpg)
• A human-readable JSON protocol "encrypted" with an easily reversible autokey (-85) XOR cipher, and a binary DES-encrypted configuration (account/password: admin/admin)
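Why "easily reversible" is the whole story: an autokey XOR stream has no secret beyond its starting value, and a JSON protocol hands the attacker a known first byte (`{`). The following added example is mine, not the vendor's scheme: the slide does not give the exact construction, so this models a plausible variant in which each byte is XORed with a running key that starts at a constant seed (0x55, i.e. 85, chosen only to echo the slide's "-85") and is then replaced by the previous plaintext byte. The message is constructed.

```python
"""Added example (not from the talk): why an XOR 'autokey' obfuscation of
a JSON protocol gives no confidentiality. The vendor's exact scheme is
not given on the slide; this models a plausible variant. Messages are
constructed."""

SEED = 0x55  # assumption: a constant starting key (85 = 0x55), not the vendor's real value


def autokey_xor_encrypt(plain: bytes, seed: int = SEED) -> bytes:
    out, key = bytearray(), seed
    for p in plain:
        out.append(p ^ key)
        key = p  # autokey: the next key byte is this plaintext byte
    return bytes(out)


def autokey_xor_decrypt(cipher: bytes, seed: int) -> bytes:
    out, key = bytearray(), seed
    for c in cipher:
        p = c ^ key
        out.append(p)
        key = p
    return bytes(out)


def recover_seed(cipher: bytes, known_first_byte: int = ord("{")) -> int:
    """Every JSON object starts with '{', so the seed falls out of the
    first ciphertext byte alone; after that the stream keys itself."""
    return cipher[0] ^ known_first_byte


def attacker_decrypt(cipher: bytes) -> bytes:
    """What a passive sniffer does: guess the seed from '{' and decrypt."""
    return autokey_xor_decrypt(cipher, recover_seed(cipher))


MESSAGE = b'{"cmd":"unlock","door":2,"pin":"0000"}'  # constructed sample

if __name__ == "__main__":
    wire = autokey_xor_encrypt(MESSAGE)
    print("on the wire:", wire.hex())
    print("recovered seed:", hex(recover_seed(wire)))
    print("recovered text:", attacker_decrypt(wire).decode())
```

Any XOR-with-derived-key scheme shares this property: one byte of known plaintext at a known position unlocks everything after it. The fix is not a better XOR but an authenticated cipher (AES-GCM or ChaCha20-Poly1305) under a per-device key, so that both sniffing and message forgery fail.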
![Page 41: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/41.jpg)
• Not just Bluetooth: these products also use GPS and a cellular connection, extending their reach to anywhere with an internet connection.
![Page 42: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/42.jpg)
• Account & password are factory defaults (FactoryBootstrap) and widely shared
• The user guide, which contains the account/password, is public on the internet – https://fccid.io/2AEB4AG21/User-Manual/User-manual-3104674
![Page 43: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/43.jpg)
• A Vulhub-grade website, provided by the MyCar vendors
![Page 44: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/44.jpg)
• SQL injection into another account, then start someone else's car engine via the web API
![Page 45: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/45.jpg)
[Diagram: bug and CVE disclosure flow between the MyCar vendors]
![Page 46: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/46.jpg)
![Page 47: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/47.jpg)
![Page 48: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/48.jpg)
credit : Automotive Electronics
![Page 49: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/49.jpg)
![Page 50: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/50.jpg)
credit : LGACL Simulator
![Page 51: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/51.jpg)
Vehicular Ad Hoc Network
On-Board Unit (OBU)
• On-board device that receives/sends messages
• Combined with sensors: microcontroller, speed sensor, brake sensor, radar, GPS, etc.
Road Side Unit (RSU)
• Roadside device that receives/sends messages
• Has computing capability
• Works with OBUs to make V2V communication happen
• An RSU can connect to a central control centre to keep the road state under control
credit : yenchih.kuo@NSYSU
![Page 52: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/52.jpg)
• Communication between cars: Vehicle to Vehicle (V2V)
• Communication between car and road: Vehicle to Infrastructure (V2I)
• Dedicated Short Range Communications (DSRC)
• 5.85 GHz–5.925 GHz
• Infrared, RFID, IEEE 802.11p, IEEE 1609
• IEEE 1609.x: Wireless Access in Vehicular Environments (WAVE)
• Transmission rate: 3–27 Mbps
• Maximum range: about 1 km
credit : yenchih.kuo@NSYSU
![Page 53: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/53.jpg)
• Every second a car broadcasts its own basic info (a beacon), including highway ID, send time, position and speed.
• An attacker can forge beacon contents to make the misbehaviour detection system (MDS) decide wrongly.
• Therefore a vehicle must confirm that a packet comes from a valid node, and verify its checksum.
VANET attack handling can be summarised in five areas:
• Abnormal data check
• Alert check
• Node-oriented detection methods
• Data-oriented detection methods
• Privacy
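A checksum and a valid signature only prove that a beacon was not corrupted or forged by an outsider; a compromised OBU can sign a lie. That is where the data-oriented methods above come in. The following added example (mine, not from the talk or any standard) applies one such plausibility rule to a stream of per-second beacons: a node cannot have moved further than its claimed speed allows, and a beacon with a non-increasing timestamp is a replay. The beacons and the field names (`node`, `t`, `x`, `y`, `speed`) are constructed for the example.

```python
"""Added example (not from the talk): a data-oriented plausibility check
over per-second VANET beacons. Beacons are constructed; the field names
are my own, not a standard message format."""
import math


def plausible(prev: dict, cur: dict, max_speed_mps: float = 70.0, slack: float = 1.5) -> bool:
    """A node cannot move further between two beacons than its claimed
    speed (capped at a physical maximum) allows. 'slack' tolerates GPS
    jitter. Returns False for a forged position jump or a replay."""
    dt = cur["t"] - prev["t"]
    if dt <= 0:
        return False  # replayed or out-of-order beacon
    dist = math.hypot(cur["x"] - prev["x"], cur["y"] - prev["y"])
    allowed = min(max(prev["speed"], cur["speed"]), max_speed_mps) * dt * slack
    return dist <= allowed


def detect_misbehaviour(beacons: list) -> list:
    """Compare each beacon with the previous one from the same node and
    return the (node, t) pairs that fail the plausibility check."""
    last, flagged = {}, []
    for b in sorted(beacons, key=lambda b: b["t"]):  # stable sort keeps arrival order within a second
        prev = last.get(b["node"])
        if prev is not None and not plausible(prev, b):
            flagged.append((b["node"], b["t"]))
        last[b["node"]] = b
    return flagged


# Constructed beacons: car A drives at 30 m/s; car B "teleports" 500 m at
# t=2, and one of B's t=1 beacons is replayed (appended out of order).
BEACONS = [
    {"node": "A", "t": 0, "x": 0.0, "y": 0.0, "speed": 30.0},
    {"node": "A", "t": 1, "x": 30.0, "y": 0.0, "speed": 30.0},
    {"node": "A", "t": 2, "x": 61.0, "y": 0.5, "speed": 30.0},
    {"node": "B", "t": 0, "x": 100.0, "y": 0.0, "speed": 25.0},
    {"node": "B", "t": 1, "x": 125.0, "y": 0.0, "speed": 25.0},
    {"node": "B", "t": 2, "x": 625.0, "y": 0.0, "speed": 25.0},
    {"node": "B", "t": 1, "x": 125.0, "y": 0.0, "speed": 25.0},  # replay of B's t=1 beacon
]

if __name__ == "__main__":
    for node, t in detect_misbehaviour(BEACONS):
        print(f"implausible beacon from {node} at t={t}")
```

Real deployments layer several such rules (speed/acceleration limits, road-map matching, neighbour cross-checks) and feed a reputation score, but the shape is always this: the node's own claims are checked against physics and against what other nodes report, because the cryptography cannot do that part.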
![Page 54: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/54.jpg)
In next section →
![Page 55: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/55.jpg)
![Page 56: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/56.jpg)
• JTAG – a debugging protocol; it lets you download and upload the firmware. Find the pins in the chip's manual
• JTAGulator – a tool that helps researchers find the JTAG pins on a chip
credit : attify
![Page 57: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/57.jpg)
• SWD (Serial Wire Debug) – a debugging protocol supported by the STM32F4 series (one of the most widely used MCU families in automotive devices)
• STM32F4 Discovery Kit – a debug board provided by ST themselves
credit : st
![Page 58: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/58.jpg)
• IVI (In-Vehicle Infotainment)
• MCU (Microcontroller Unit)
credit : iotm2mcouncil
![Page 59: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/59.jpg)
| | Mobile phone / server | HMI | Microcontroller |
|---|---|---|---|
| Protocol | HTTP | Modbus | CAN bus |
| Endpoint | Device | PLC | ECU |
| Transport encryption | No | No / TLS 1.2 | No |
| | Strong | Normal | Weak |
| | Lots | Few | Few |
| | *Public | Private | *Public |
| | *Few | *Few | Lots |
| Access | Remote / Extranet | Remote / Extranet | Physical / Short-distance / Remote |

(Some row labels of this comparison were not captured in the transcript.)
![Page 60: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/60.jpg)
• Most attacks are targeted attacks
• Vehicle security relies on closed source and inconsistency, just like OT
• The revenue is in a totally different class from ordinary IoT devices, so targeted attacks are worth it
• As AI rises, autonomous vehicles will definitely need standards to connect to the road system and collect data for the AI; that brings security problems with it
![Page 61: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/61.jpg)
![Page 62: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/62.jpg)
![Page 63: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/63.jpg)
![Page 64: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/64.jpg)
![Page 65: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/65.jpg)
![Page 66: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/66.jpg)
![Page 67: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/67.jpg)
• OEMs (Original Equipment Manufacturers) / ODMs (Original Design Manufacturers) are trying to add remote update capability to vehicle ECUs
• That needs an update-solution standard that supports several ECU vendors' remote-update requirements
![Page 68: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/68.jpg)
• The Open Mobile Alliance (OMA) designed a protocol for Device Management (DM) to remotely UPDATE, MANAGE, CONTROL and BACK UP devices. Car vendors can use this protocol to push version updates and retrieve data remotely.
• Automotive Grade Linux (AGL) is a sub-organisation under The Linux Foundation that works on cross-industry requirements for the internet of cars. Recently AGL has tried to define OMA DM 2.0 as a car communication standard.
• Tesla, by contrast, argues that the protocol is too rough, that its black box is its last line of security protection, and that open-sourcing would put its products at risk.
![Page 69: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/69.jpg)
• OMA DM is a device-management protocol in which a server controls the client device.
• OMA DM includes the following major parts:
– Generic device information maintenance (DevInfo MO, DMAcc MO, DCMO)
– Firmware maintenance (FUMO)
– Software maintenance (SCOMO)
• OMA DM has two released versions:
– OMA DM 1.x (complete)
• based on the SyncML (Synchronization Markup Language) data format; OMA also provides the SyncML RTK project, which implements the SyncML transport
– OMA DM 2.0 (incomplete)
• based on the JSON data format, simply using HTTP as the transport protocol
• only the main protocol was updated to 2.0, not FUMO, SCOMO or anything else
![Page 70: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/70.jpg)
• OMA DM 1.3 communication flow [figure: SyncML packages]
![Page 71: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/71.jpg)
• OMA DM 2.0 communication flow [figure: JSON messages]
![Page 72: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/72.jpg)
• How does registration work? How is a response matched to an asynchronous report?
![Page 73: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/73.jpg)
• First-time Package 1 (session establishment):
– FactoryBootstrap > device serial number > match against the server's unregistered DeviceAuth
• Otherwise:
– Other RFC 2617 headers (e.g. Authorization)
![Page 74: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/74.jpg)
• That means the registration key is stored unencrypted in the microcontroller's database and can be inferred
• You can register a fake client, just as we inferred the door number in the IoT part of Section 1
![Page 75: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/75.jpg)
• TLS/SSL is only recommended in OMA DM 2.0
• The RFC 2617 Basic authentication scheme MUST be supported (newest: RFC 7617 (2015))
• The RFC 2617 security options are optional: if the server does not set qop, the client works as in RFC 2069
• The Basic scheme is easily attacked by MITM, and with Digest an attacker can just as easily strip qop from the challenge so the client falls back to RFC 2069
• Moreover, there is no mechanism for the client to verify the server's identity
• RFC 2617 prevents storing sensitive data such as the password with a STRONG hash: the value the server keeps is defined to be recoverable, i.e. password-equivalent
[Figure: HTTP plaintext < HTTP Basic and Digest Access Authentication < HTTPS/SSL, HTTPS/TLS]
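The three Digest points above (optional qop, silent fallback to the RFC 2069 form, and a password-equivalent value on the server) are easiest to see by computing the responses. The following added example is mine, not the OMA DM specification's or any client's code: the credentials, nonce and cnonce for the full RFC 2617 case are the ones from RFC 2617 section 3.5, and the "stripped challenge" and "attacker with a stolen HA1" parts are my own illustration. One caveat the slide does not state: the qop-stripping downgrade only pays off when the server also accepts the RFC 2069 form, which an implementation that merely "supports" the older clients will.

```python
"""Added example (not from the talk): HTTP Digest computations per
RFC 2617, the qop-less RFC 2069 fallback, and why HA1 is password-
equivalent. RFC 2617 test vector from its section 3.5; the server-side
view is my own illustration."""
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """What a Digest server must keep per user: a plain MD5 of
    user:realm:password. Nothing slower or salted is possible, because
    the protocol needs this exact value to verify a response."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    qop: str = "", nc: str = "", cnonce: str = "") -> str:
    ha2 = md5hex(f"{method}:{uri}")
    if qop:  # RFC 2617: nc and cnonce bind the reply to one request
        return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{h1}:{nonce}:{ha2}")  # RFC 2069 compatibility form


def client_answer(challenge: dict, user: str, password: str, method: str, uri: str,
                  cnonce: str = "0a4f113b") -> dict:
    """A client that honours whatever the challenge says. If a man in the
    middle deletes 'qop' from WWW-Authenticate, it silently drops to the
    RFC 2069 form: no cnonce, no request counter, replayable."""
    h1 = ha1(user, challenge["realm"], password)
    qop = challenge.get("qop", "")
    if qop:
        return {"qop": qop, "nc": "00000001", "cnonce": cnonce,
                "response": digest_response(h1, method, uri, challenge["nonce"], qop, "00000001", cnonce)}
    return {"response": digest_response(h1, method, uri, challenge["nonce"])}


def attacker_with_ha1(stolen_ha1: str, challenge: dict, method: str, uri: str) -> dict:
    """Pass-the-hash: a leaked HA1 answers any challenge without the password."""
    qop = challenge.get("qop", "")
    if qop:
        return {"qop": qop, "nc": "00000001", "cnonce": "deadbeef",
                "response": digest_response(stolen_ha1, method, uri, challenge["nonce"], qop, "00000001", "deadbeef")}
    return {"response": digest_response(stolen_ha1, method, uri, challenge["nonce"])}


def server_verify(stored_ha1: str, answer: dict, nonce: str, method: str, uri: str) -> bool:
    """The server needs only HA1, never the password."""
    expected = digest_response(stored_ha1, method, uri, nonce,
                               answer.get("qop", ""), answer.get("nc", ""), answer.get("cnonce", ""))
    return expected == answer["response"]


RFC2617_CHALLENGE = {"realm": "testrealm@host.com",
                     "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "qop": "auth"}
STRIPPED_CHALLENGE = {k: v for k, v in RFC2617_CHALLENGE.items() if k != "qop"}

if __name__ == "__main__":
    full = client_answer(RFC2617_CHALLENGE, "Mufasa", "Circle Of Life", "GET", "/dir/index.html")
    weak = client_answer(STRIPPED_CHALLENGE, "Mufasa", "Circle Of Life", "GET", "/dir/index.html")
    print("RFC 2617:", full["response"])
    print("RFC 2069 fallback (no cnonce, no nc):", weak["response"])
```

Both weaknesses disappear only when the channel itself is authenticated: Digest under TLS with server-certificate validation (pinning, for a device whose trust store the vendor controls), and a credential that is per device rather than a shared bootstrap value.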
![Page 76: NotSurprisedNotSurprised Intro • UCCU Hacker • AIS3 2016 trainee • HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • Becks.io#5 speaker • ITRI](https://reader035.vdocument.in/reader035/viewer/2022063022/5fea5c98c32d32707c351505/html5/thumbnails/76.jpg)
We all know where recommendations end up ¯\_(ツ)_/¯

[Diagram labels: HTTP; Public]

• OMA DM Modules and Functions
– Command Dealer
– Parser & Database maintainer
– Package Handler
• OMA DM Data structures

• Table Name?

• Database type storage in OMA DM
– Pros
• Insert / Update / Parse can easily use the database schema mechanism to check for invalid DDF
– Cons
• Needs more design work on table names, and Server & Client must reach a consensus on them
• XML type storage in OMA DM
– Pros
• Easily fits the document design
– Cons
• Inserting a new MO tree is hard to check for valid DDF

• Actual usage of Value?

• Cross protocol version:
– DataBuffer stream boundaries differ between SML and HTTP (1st command result followed by 1st data vs. 1st command result code followed by 2nd command result code)
– Command methods are not backward compatible (Ver2 does not support the REPLACE command)
• OMA DM NodeName & SQL syntax conflict:
– urn:oma:mo:fumo:1.0/<x>/update
• A lot of Extensions in the OMA DM tree (there cannot be multiple tables with the same name):
– urn:oma:mo:oma-dm-devinfo:1.2/<x>/Ext
– urn:oma:mo:oma-dm-dmacc:1.2/<x>/Push/GCM/Ext
– urn:oma:mo:fumo:1.0/<x>/Ext
• Result code inconsistency:
– Sometimes different MO modules use the same result code, sometimes not.
• Same MO module, different DDF

• Requests are launched in different ways
– Server uses method commands
– Client uses Generic Alerts (the one usually used is to return the results of async commands like EXEC)
• Alert Type
– urn:oma:at:dm:2.0:BootstrapComplete
– urn:oma:at:dm:2.0:ClientInitiatedMgmt
– urn:oma:at:dm:2.0:ServerInitiatedMgmt
– urn:oma:at:scomo:1.1:UpdateUserRequest
– org.openmobilealliance.dm.firmwareupdate:update
– org.openmobilealliance.dm.firmwareupdate:downloadandupdate

• urn:oma:mo:moid:1.0//
– Cannot resolve; there are two MO instances.
• urn:oma:mo:moid:1.0/left/Data/1/Value
– identifies one node: moroot1/Data/1/Value
• Ellipsis: usually used on the MIID; this assumes only one node/value comes up as the result.
• Real Name: the actual node name.

• urn:oma:mo:moid:1.0/(x)/Data/*/Value?nv=(x)/ID:GPS
– identifies two nodes: moroot1/Data/1/Value and moroot1/Data/2/Value
• x-name: the DM Client MUST resolve only one node that satisfies all corresponding nv fields for this x-name component; if multiple nodes are resolved, an error code MUST be returned
• Wildcard: the DM Client MUST address all nodes at the specified location

• In fact, Client and Server should share the same MO trees (even though the Server manages lots of Clients, it should stay in sync with every Client)
• This over-free parser should only be implemented on the Server backend control panel, or better not exist at all
• Server and Client should send exactly what they need rather than making the parser more complicated
• It is strongly suggested not to allow # ; = > < (this kind of SQL symbol) as valid characters in any node of the URI
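The addressing rules from the previous slides (ellipsis, real name, x-name with nv constraints, wildcard) together with the suggestion above to reject SQL symbols in node names, as an added Python example that is not from the talk or from the OMA specification: the in-memory dict model of the MO tree and the instance names moroot1/moroot2 are constructed assumptions.

```python
MOID = "urn:oma:mo:moid:1.0"
FORBIDDEN = set("#;=><")  # SQL-like characters the talk says to reject in node names

# Constructed sample tree: two MO instances of the same MOID (instance names are made up)
MO_TREE = {
    "moroot1": {"ID": "GPS", "Data": {"1": {"Value": "lat"}, "2": {"Value": "lon"}}},
    "moroot2": {"ID": "CAN", "Data": {"1": {"Value": "rpm"}}},
}

def resolve(uri, tree):
    # Resolve a MO URI to absolute node paths; raise on ambiguity or bad names.
    if not uri.startswith(MOID + "/"):
        raise ValueError("unknown MOID")
    path, _, query = uri[len(MOID) + 1:].partition("?")
    constraints = {}  # path relative to the (x) node -> required leaf value
    for q in filter(None, query.split("&")):
        if q.startswith("nv=(x)/"):
            nv_path, _, want = q[len("nv=(x)/"):].partition(":")
            constraints[tuple(nv_path.split("/"))] = want
    return _walk(path.split("/"), tree, "", constraints)

def _leaf(node, comps):
    for c in comps:
        node = node.get(c) if isinstance(node, dict) else None
    return node

def _walk(comps, node, prefix, constraints):
    if not comps:
        return [prefix]
    head, tail = comps[0], comps[1:]
    if not isinstance(node, dict):
        raise ValueError(f"{prefix} is a leaf, cannot descend into {head!r}")
    if head == "":  # ellipsis: only valid when exactly one MO instance exists
        if len(node) != 1:
            raise ValueError("cannot resolve ellipsis: multiple MO instances, use x-name")
        names = list(node)
    elif head == "(x)":  # x-name: the nv constraints must single out exactly one node
        names = [n for n in node if all(_leaf(node[n], p) == v for p, v in constraints.items())]
        if len(names) != 1:
            raise ValueError(f"x-name matched {len(names)} nodes, expected exactly 1")
    elif head == "*":  # wildcard: address every node at this location
        names = list(node)
    else:  # real name: validate before lookup so it never reaches SQL unchecked
        if FORBIDDEN & set(head):
            raise ValueError(f"node name {head!r} contains forbidden characters")
        if head not in node:
            raise KeyError(f"{prefix}/{head}")
        names = [head]
    return [p for n in names for p in _walk(tail, node[n], f"{prefix}/{n}" if prefix else n, constraints)]
```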

• Too complicated for developers to implement properly
– With the dynamically changing table schema in SCOMO
– Applied to self-defined table schemas with different vendors' clients
• SQL injection with plaintext HTTP body (especially the URI)
• Sometimes vendors' clients simply send the sub-tree in their own style (e.g. strings in integers, arrays in different JSON objects)

• There is no token designed (a relative key in OMA DM 1.0, but not in OMA DM 2.0) and no authentication mechanism (registration) in this protocol.
• MITM is still a problem here. (RFC 2617 does not prevent this link attack.)
• There is no checksum confirmation mechanism for FUMO (firmware update module); the client cannot even check whether it is runnable before it executes the binary.
• There is a checksum confirmation mechanism for SCOMO (software update module); however, the download source URL can still be a trap. (The Server does not even authenticate or check the Remote Repository Server status and give the client a valid token to confirm the source.)

[Diagram: Hacker, Server, Client; un-encrypted DB; Fake Request / Hacking Payload; Response, e.g. DevID (API key)]

[Diagram: Hacker between Benign Server and Benign Client; Request Update; Fake Command; Fake Request; Response]

[Diagram: Hacker, Malicious Server, Benign Server, Benign Client, Compromised Switch; Request Update; Hack; Malicious Payload Download URL]

[Diagram: Hacker, Compromised Remote Repository, Benign Server, Benign Client; Hack; Auth Sync????; Update Request; Target URL Response; Download Request; Malware / file name command injection, e.g. Ruby Net::FTP command injection, e.g. unsanitized file name download]

[Diagram: Hacker, Compromised Server, Client, Server Control Panel, ECU; Request Update; Fake Command; Hack; 1. Return shell with malicious update; 2. Find ECU ID by brute force on OMA DM component DB information with GET cmd; 3. Send CAN bus-modified malicious component application; e.g. Node.js with a misconfigured debugger handshake allowing command injection]

[Diagram of attack surfaces: RDS, Bluetooth, WiFi, SD, USB, GPS, Infotainment, 3G/4G, OBD2; Physical vs. Remote; Android Apps, Remote Repository, MyCar server, Update server]

• In IoT, OT, and vehicle communication, plaintext and default accounts/passwords (AC/PW) still cause serious problems
• The latest cross-industry features (AI manufacturing, AI medicine, AI cars) still do not take information security seriously, and so come out with lots of vulnerable applications
• In the past, low-revenue devices (PC, IoT) had their exploit value discovered by the black market. Apparently a vehicle, with its high value, deserves its own targeted attacks, and they are worth it
• Vehicle security can be a research draft for aircraft; it is really sensitive to national security
• OMA DM 2.0 is a protocol that needs hardening. Its document should take security issues seriously

• Supply chain attacks make vendors pay attention to every third-party library (and the Remote Repository Server)
• Make sure to use a BL/WL (blacklist/whitelist) mechanism and hash checks
• Ciphers and a CA always enhance your communication; use them
• Physical attacks cannot be avoided, but take care with every add-on in your car and make sure to change your AC/PW
• Every remote access to CAN bus components (OBDII, MyCar, ECU update) should apply auth confirmation and encrypted communication. Vendors' web services should apply vulnerability scanning to fix bugs and avoid brute force and information leaks.
• The mini computer is the major component in all attack vectors; an application whitelist can ease the loss after it is compromised by hacking

• http://www.openmobilealliance.org/
• http://illmatics.com/Remote%20Car%20Hacking.pdf
• https://ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf
• https://www.sans.org/reading-room/whitepapers/threats/hacking-bus-basic-manipulation-modern-automobile-through-bus-reverse-engineering-37825
• http://www.aut.upt.ro/~pal-stefan.murvay/papers/dos-attacks-controller-area-networks-fault-injections-from-software-layer.pdf
• https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Jmaxxz-Your-Car-is-My-Car-Code-6e0e599/
• https://www.shs.edu.tw/works/essay/2012/11/2012111421572430.pdf
• https://hackaday.com/2019/06/10/takatas-deadly-airbags-an-engineering-omnishambles
• https://blog.avast.com/hacker-breaches-gps-service-of-27000-cars
• https://www.zdnet.com/article/dhs-warns-about-can-bus-vulnerabilities-in-small-aircraft
• https://www.outilsobdfacile.com/vehicle-list-compatible-obd2
• https://github.com/gmacario/easy-build
• https://www.st.com/resource/en/user_manual/dm00039084-discovery-kit-with-stm32f407vg-mcu-stmicroelectronics.pdf
• https://www.elmelectronics.com/wp-content/uploads/2017/01/ELM327DS.pdf