SYNOPSIS
As Electronic Control Unit (ECU) quantity and technology become more and more important in a car, with the advent of autonomous and connected vehicles, threats on these vehicles are growing accordingly. While car manufacturers are mainly interested in remote attacks, we will explain through this training that every bit of information can be useful to an attacker, and that both cars security/safety and users privacy could be affected.
The training will be organized around slides explaining the theory of each attack (how it works, how you can use it), and practical sessions to perform this attack on the demo ECU. Practical sessions should take most of the time of the training, and solutions will be provided during each session so that the attendees can learn how to perform each attack.
KEY LEARNING OBJECTIVES
This training presents common attacks against ECUs, as well as several ways to prevent them. This is a hands-on training, so the attendees should expect to perform the attacks by themselves.
We will provide the necessary tools and perform some attacks on a real car.
If most of the exercises will be focused on in-car networks, we will also cover ECU reverse engineering techniques and some radio-frequency flaws.
Special gift : attendees will be given a CAN transceiver and an OBD-II plug to be able to practice their new skills as soon as they come back.
TARGET AUDIENCE
- Security researchers
- Automotive manufacturers and suppliers
- Hackers interested in cars
DURATION
- 3 days
COURSE OUTLINE
- Anatomy of a modern CAN
- What is an ECU
- Attack surfaces overview
- The rise of connected and autonomous cars
- CAN Bus 101
- How the CAN Bus works
- Identifying a CAN bus and its parameters
- CAN Tools : slcan, can-utils, scapy…
- Reading, writing and replaying messages
- Fuzzing the CAN Bus
- Tips & tricks for quick identification of active payloads
- How a bad CAN implementation can affect privacy
- CAN attack / defense techniques
- Protecting CAN messages
- Ensuring sender authenticity
- DOS attacks on the bus
- The CAN gateway
- Ethernet automotive
- Network specifications
- Useful tools : wireshark, scapy…
- Common attacks
- Advanced protocols
- OBD-II
- ISO-TP
- UDS
- Protocol explaination
- UDS error codes
- Session control
- Understanding and cracking security access
- Reading ECU state with DID
- Diagnostic commands
- Firmware dumping / flashing
- Ethernet Automotive
- DoIP
- SOME/IP
- Manufacturer specifics
- Examples of various services over IP
- External API
- ECU reverse engineering
- ECU architecture overview
- How to get the firmware
- Finding the base address
- Identifying the CAN database and handlers
- Reversing specific functions
- Overview of firmware protection techniques
- Radio Frequency
- Embedded radio systems description
- RF fingerprinting
- TPMS spoofing
- Keyless and Passive Keyless Entry
PREREQUISITES KNOWLEDGE
- Basic knowledge of programming (C, Python)
- Basic knowledge of Linux
- Basic knowledge of firmware reversing is a plus, but not mandatory
HARDWARE / SOFTWARE REQUIREMENTS
- Laptop with Wi-Fi and at least 2 standard USB ports
- VMPlayer or VirtualBox to use the provided VM with all the tools pre-installed
RESOURCES PROVIDED
- Each participant will have access to a custom test bench, simulating a real car with various MCU and a real ECU
- Another test bench made from several real ECU will be shared amongst trainees for real cases practices
- A virtual machine with all the software needed during the course
- Lecture materials
- An USB CAN adapter
- Physical tools to perform exercices (Logic analyser, SDR dongle, RFID detector, UART adapter)