Training

Objectives

  • Understand and execute several classical attacks on the CAN bus
  • Be able to understand the data circulating on the CAN bus
  • Have the basics to reverse engineer an ECU’s firmware

Synopsis

In the last few years, we have seen many new attacks on cars, but this environment is still hard to get into, mainly because the tools are different from classical reversing or hacking tools.

This training introduces the basic theory of the CAN bus and its communication so that the attendees can try their hands on a CAN bus. We will provide the necessary CAN tools and perform attacks on simulated systems as well as real cars. The attendees will be able to reproduce attacks like breaking a security session, fuzzing an ECU, spoofing messages, … Finally, the specificities of reverse engineering an ECU firmware will be addressed: the general methodology, how to handle Autosar firmware, where to start, what to look for, … These techniques will then be applied to an example of real-life Tricore firmware. The reverse engineering exercises will first focus on a simple ARM firmware to help everybody get to the same level.

In this training, the car hacking tools will be presented along with many practical labs to make sure the attendees will be able to redo the attacks later on.

Target audience

  • Security researchers
  • Automotive manufacturers and suppliers
  • Hackers interested in cars

Duration

  • 2 days

Prerequisites

  • Knowledge:

    • This is an introductory course; it does not require any prior knowledge of automotive systems.
    • Basic Python knowledge
    • Basic knowledge of Linux
    • Basic knowledge of firmware reversing is a plus, but not required
  • Hardware / software:

    • Laptop with WiFi
    • SSH client
    • Reverse engineering software is a plus

Modules

Day 1

  • Automotive and CAN bus 101

    • What is a CAN bus
    • Communications on a CAN bus
    • Lab: Send / receive messages on the CAN bus
    • Lab: Writing a minimalistic ECU to communicate on the CAN bus
    • Lab: Sniffing and message analysis on a CAN bus
  • Diagnostics

    • What is an OBD-2 port
    • How to use it
    • Demo: locating a CAN bus in a car
    • Demo: using a car diagnostic device
    • Lab: sniffing, analysis and replay of diagnostic messages
  • CAN security

    • Practical point of view
    • Lab: spoofing and fuzzing CAN messages
    • Scanning the different ECUs of a car
    • Lab: replaying the fuzzed messages on a real car

Day 2

  • CAN security sessions

    • Protocols and algorithms
    • Lab: brute forcing a security session
    • Lab: reusing sniffed messages for security sessions
  • ECU architecture

    • Description of the different architectures
    • Lab: firmware dumping via the CAN bus
    • Lab: the same, after first breaking a security session
  • ECU reverse engineering

    • Reverse engineering methodology for an automotive firmware
    • Reverse engineering 101
    • Lab: ARM reverse engineering 101
    • Lab: reverse engineering of a simple ARM firmware (Teensy)
    • Lab/demo: reverse engineering of the security session algorithm from an actual ECU
  • Autosar: a new way of developing firmware. How to reverse engineer it?

    • Reverse engineering methodology for an Autosar firmware
    • Lab/demo: reverse engineering an Autosar firmware

Optional modules

  • Your own CAN device: build your own CAN device with a microcontroller and a CAN controller/transceiver
  • Bluetooth implant: build an implant and plant it on a CAN bus inside the engine bay of a car
  • Tricore reverse engineering: analyse a real-life automotive firmware and break its security algorithm