Guillaume Heilles

Connected Car Hacking

27th to 29th April 2020 | 3 Days


TRAINER

Guillaume Heilles


Overview

With the advent of connected cars, the threats to these vehicles are becoming more and more significant. While car manufacturers are mainly interested in remote attacks, this training will show that every bit of information can be useful to an attacker, and that local attacks should also be considered: attackers use them during their learning phase, and they ultimately lead to remote attacks.

In this training, we will demonstrate several techniques that can be used to attack a connected ECU and compromise the entire vehicle. Each attendee will be provided with a demonstration ECU based on a Raspberry Pi and a Teensy 3.2 with a CAN transceiver. This ECU has the same architecture as a connected ECU, and contains several services that the attendees will attack.

The training is organized around slides explaining the theory of each attack (how it works, how you can use it), followed by a practical session to perform this attack on the demo ECU. The practical sessions should take up most of the training time, and solutions will be provided during each session so that the attendees can learn how to perform each attack and carry it out themselves. At the end, a demonstration of each attack will be provided.

During each exercise, we will focus on why the attack was possible, as well as how to prevent this kind of attack. At the end of the training, we will present a global methodology to assess the security of a connected ECU and explain how to protect connected ECUs.

Who Should Attend?

  • Specialists involved in ECU developments (developers, architects, etc.)
  • Security researchers interested in car hacking

Key Learning Objectives

This training presents common attacks against connected ECUs, as well as several ways to prevent them. This is a hands-on training, so the attendees should expect to perform the attacks by themselves.

We will explain why connected ECUs are vulnerable to state-of-the-art attacks, and how to adapt common attacks to these devices.

Agenda Day 1

  • setup
  • analysis of an authentication system between the connected ECU and a client
  • getting a non-privileged shell on the ECU
  • analysis of a privileged service on the ECU

Agenda Day 2

  • exploitation of the privileged service, to get a root shell on the ECU
  • hopping on the legacy part of the ECU, connected to the CAN bus

Agenda Day 3

  • sending arbitrary commands on the CAN bus from the connected ECU
  • breaking the security mechanisms of the CAN ECU
  • installing a permanent security backdoor in the CAN ECU to control it remotely
  • debriefing, methodology

Prerequisite Knowledge

The attendees should ideally have some knowledge of reverse engineering, or at least be prepared to learn it quickly.

The attendees should be familiar with C programming.

The ability to read x86/ARM assembly is a plus.

Hardware / Software Requirements

  • a laptop with an Ethernet port
  • the ability to install new software on the laptop (admin rights)
  • IDA Pro (not the demo) or Ghidra, or any other disassembler/decompiler for x86 and ARM
  • VMware Player installed

ABOUT TRAINER

Guillaume Heilles is a security engineer at Quarkslab. He is mainly focused on hardware attacks on IoT devices, but also on reverse engineering and exploitation. He has presented the Hardware CTF at hardwear.io since 2017 and gave a talk, "How to drift with any car", at the 34th CCC in 2017. Performing security assessments on connected ECUs is part of his daily work.