The Hacker Mind Podcast: Hacking High-Tech Cars

The Hacker Mind Podcast: Hacking High-Tech Cars

Sometimes complex technology doesn’t necessarily raise the barrier for entry for cyber criminals. Sometimes, as with our cars, it does the exact opposite.

Vamosi: One of the unintended consequences of convenience is complexity. In order to make things easier to connect to more things, we must introduce complexity. There is no easy way around it. For example, a simple system that has only an on off switch. That’s not too convenient, right? Think of a mobile phone with just an on and off switch. If there were no volume control all the mobile phones today would ring at the same tone at the same decimal level. And there’d be no way to set the phone to vibrate during a meeting except by powering it off. Yet by integrating granular controls such as volume, we’ve just made the mobile phone a lot more complex. And that’s just one basic user interaction. Complex Systems are composed of individual parts. And as those parts interact, errors can multiply. Only one needs to fail to permit a cybercriminal entry. In defeating feature fatigue, researchers from the University of Maryland presented participants in a controlled study with models of a new audio and video player that differed only in the number of features offered. Overwhelmingly, the participants chose the most full featured gadget as the one that they would most like to own capability has a stronger effect on consumers than usability. A second study presented participants with a list of 25 features on a new audio or video player. Here the authors found that the consumer was like the proverbial kid in a toy store, choosing more features rather than fewer. This time, however, the participants had to pay a usability penalty for each feature chosen even so the participants chose 19.6 features on average. When the product arrived, however, the participants were not quite as satisfied with the result. Put simply the authors concluded, “What looks attractive in prospect does not look good in practice. Consumers often become frustrated and dissatisfied with the very cornucopia of features that they originally desired, and chose.” 

[beep, beep]

Vamosi: For most of us that familiar beep beep as we walk away from a parking garage is enough to assure that our car has been both locked and as safe. Often the tiny flashing light on the dashboard also alerts would-be criminals that the car is protected by the latest form of anti theft security. And for the most part, this is true. A sophisticated set of encryption and electronics is at work inside the vehicle. However, don’t be surprised to find your state of the art anti theft protected vehicles stolen someday. And in a moment, we’ll see how complex technology with more features doesn’t necessarily raise the barrier for entry for cyber criminals. Sometimes it does the exact opposite.

[-music]

Vamosi: Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living. I’m Robert Vamosi and in this episode I’m challenging the notion of convenience by using our cars as an example. Just because it has all the bells and whistles doesn’t necessarily mean it’s secure.

[-music]

Vamosi: In my book from 2011 When Gadgets Betray Us, I profiled a young Czech born streetwise car thief, an unlikely example of a high tech criminal. He’s been stealing cars since the age of 11. Czech officials attribute most of the 51,000 deaths per year in that country to thieves who work in teams stealing cars, forging registrations and stripping parts. In other words, organized crime. The person I profiled, he worked by himself, quote, you leave your car, lock it and walk around it toward your house. That’s how long I need. To take it. He told the Prague post. As more and more automotive manufacturers start incorporating computer technology into their expensive BMWs, Mercedes Ferraris and Porsches. This streetwise criminal realized he could defeat the manufacturers’ anti theft software with his own. Lacking any formal computer training. He uses Internet provided software gangs often search for and steal a particular high end make and model of car. By specializing it’s possible for these gangs to guess through sheer trial and error the electronic anti theft codes found in the keyless entry fobs another possibility one that’s more likely is that they already know the vendors proprietary code algorithm because it was stolen or purchased or provided by an insider or someone within the car dealership codes used by these anti theft systems do not make us more secure. They make us complacent. We trust in them so much that we forget common sense lessons such as parking in a well lit spot hiding valuables or using auxiliary locking mechanisms on the wheel or the brake. We assumed the high tech solution is somehow better than past experience and we have become careless with our cars and our sense of security. So how hard is it to use a laptop to steal a new car. First, we need to understand what’s happening when we unlock the door. Cars today are using remote keyless fobs. In other words, you don’t insert a key, you push a button and the resulting radio signal either locks or unlocks the doors and in some models it opens the hatch or the trunk as well. Using a tiny battery, the fob can broadcast a coded signal up to 100 feet in order to make contact with the car generating that beep beep and the flash of headlights that audibly invisibly identifies your car in a crowded parking lot. The FOB and the car wirelessly exchange a series of nanoseconds of challenges and responses, and if the car receives the expected code, it performs the expected function. For added security these codes are rolling both keyless fob and the car uses the same pseudo random number generator followed by a proprietary algorithm. When you lock or open your car door, both the car and the fob store the memory of the next code. If you hit your key fob while you’re away from the car, the car and the fob will fall out of sync. The car receiver solves this by accepting any of the next 256 possible codes. It’s important to note that in this particular case, the key fob is only controlling entry into the vehicle. Once you’re inside a second anti-theft technology, a static vehicle immobilizer chip embedded in the plastic base of the key or the fob becomes important. Immobilizers in the United States have been cited for a sharp decrease in auto thefts in recent years. Once the chip is in the car and validated the immobilizer system unlocks the rest of the electronic systems in the car. Older cars use what’s called fixed keys, one code per vehicle, while cars today randomly generate and store new immobilizer codes after each use today. immobilizer systems are no longer separate components of the car, but bundled within the electronic subsystems. Even without validation of the immobilizer chip. A car can be driven a short distance without locking up. A valet key often provided by the dealer, as a third key lacks an immobilizer chip. The valet key exists to allow a valet to park the car a short distance away, not driving on the freeway.

[-music]

Vamosi: Manufacturers and insurers insist that these new purely keyless electronic technologies are equal to if not better than older mechanisms and entirely invincible to that world famous soccer star David Beckham might argue otherwise, Beckham holds the distinction of having not one but two very high tech keyless BMWs stolen off the streets of Madrid, Spain, when theft occurred in broad daylight, before he signed with the LA Galaxy soccer team, Beckham had played for many years with Manchester United in the United Kingdom, then Real Madrid in Spain. And living around the world, Beckham has taken his cars with him. Concern for his family safety however, Beckham bought the family armor plated vehicles while living in Madrid. One was a Range Rover with bulletproof glass. The other was a keyless BMW X five SUV. As long as Beckham had the original key fob on his person he needed only to lift the door handle to unlock the door. The door then queried the key fob in his pocket to arm and disarm the security system. Open the hatch, make minute adjustments to the seat positions, or allow the driver once inside to press a button to start the car. The convenience of operating a car without fumbling for your keys is a godsend to any parent. With small children in tow. Even for adults without kids the ability to walk up, get inside, tap the brake and simply touch a button to start the engine is pretty cool. But now we’ve gone from having two separate encrypted chips, the digital signal transponder and the ignition immobilizer to just one. From a security perspective, that’s not so good. Madrid, like Prague is a European hotbed for car theft, with an average of 50 luxury vehicles stolen every day in November 2005 When Beckham’s first BMW X five was stolen and associative Beckham’s had parked the vehicle outside the Grand Hotel where he was staying. The associate later told authorities that he forgot to engage the extensive anti theft security system. No matter the high tech solution. The security doesn’t work if you forget to engage it. The car missing for more than a year reportedly showed up in Macedonia along the border with Albania. Authorities in Spain speculate that Beckhams x five which seats up to seven was stolen by professional car thieves, perhaps without their knowing whom it belongs to and used it for human smuggling in and out of various European countries. By then Beckham had obtained another x five. One afternoon in the spring of 2006. While driving in suburban Madrid with his boys, Beckham stopped at a mall for lunch. Perhaps he thought that lightning would not strike twice or that one would be bold enough to steal this car from a crowded shopping mall parking garage. Upon returning from lunch however, the soccer star discovered that thieves had once again stolen his latest vehicle.

[-music]

Vamosi: In 2015 Samy Kamkar debuted at DEF CON and attack he called a role jam attack. The idea is that when you push the unlock button on a key fob, it sends out a modulated radio signal that gets picked up by a receiver in the car. If the modulated code matches the cars then the door will unlock. Here’s the RollJam part: a hacker places a wallet sized device somewhere on the targeted car. And then when the owner tries to unlock the vehicle by pressing the unlock button on the remote, the device jams that signal so that the vehicle doesn’t hear it and at the same time intercepts that same code. When the owner of the car then tries to use the key remote a second time to unlock the vehicle. The device jams the signal and steals the second code but at the same time since that very first code to the car allowing the door to open. Now the hacker has a unique code in his back pocket that can be used at a later time because the car never really heard that second signal.

Herfurt: The catch was that he was blocking the frequency and was like collecting rolling key attempts like authorization responses in a way and he could later on use in order to unlock the car when the owner was not around. 

Vamosi: Here’s Martin Hurfurt from EP 48 of the The Hacker Mind. He talked about how Tesla was moving away from using a keyfob and simply using one’s mobile phone. Of course, there are problem with this method as well.

Herfurt:  So I thought about that. I really liked the idea but overall the way that Tesla is using the technology would make it really hard or it’s not even the same scheme so could not be easily replicated that way. But of course, recording authorization responses from the car was something that I included in the talk it’s a little more complicated because there’s more advanced cryptography at work. But yeah, maybe it’s along the same lines.

Vamosi: Just before CanSecWest 2022, a British security group NCC announced a Bluetooth BLE vulnerability that was very similar to what Martin was going to talk about. NCC one warned that the Tesla Model three and model Y employ Bluetooth low energy based passive entry key systems and this could allow a link layer relay attack conclusively that defeats existing applications. A proximity authenticate, and CC by forwarding the data from a baseband to the link layer. The hack gets past known relay attack protections, including encrypted BLE communications because it circumvents the upper layers of the Bluetooth stack and the need to decrypt that. This is very similar to what Martin was going to present. So there’s the replay attack. And then there’s the relay attack. One you’re simply capturing as with a semi can cars device and replaying it at a later time and date. The other you’re actively being a man in the middle and you’re relaying the data from one person to another.

Herfurt: So what the video that we published that shows the relay attacks so we just pass on the messages that we receive from the phone key and just give that feed it into the Tesla and Tesla doesn’t care so much and talks back to that feeding device, which then transfers all the messages back to the phone. So that’s a relay attack. The replay attack means that a pre-recorded message is just sent at a different time to the vehicle and would work in ways of unlocking it and so on. So I haven’t tried that activity but that was one of the observations I had during the talk because when I was programming or like developing the Tesla key app, I had a lot of messages going back and forth and that was just one observation that this token which is used for authentication requests. So once you approach your car, and you tap the door handle, this is a signal to the car that somebody wants to enter the car. And it would then ask for authorization and would find out well, is there a phone key in the area? Usually when the phone key sees the car, it’s connecting and says here, I’m key with that, that and that Id just for you to know the car and the car then knows right? So this is the right key material that this phone has to use in order to get authorized. But the key by itself is not enough. There’s also a challenge it’s it’s called an ID token in that context and this token changes over time and ascends together with that authorization request to the phone key. The phone key then understands that message and encrypts it back to the sender to the vehicle with that secret key, the car and the phone have that challenge token and only then the car would unlock. So the challenge token or the token that Tesla uses for that should change per request, I’d say. So it doesn’t even even better or even worse. It doesn’t change on a daily basis so much so I know I did that temporary tool and what that does is enumerates all the keys that are whitelisted in a car so you could ask the car so how many keys are in use in your database? The car would answer and would tell the other device that is questioning all the details about the crypto counter the session token. And that’s done because it could be that the phone key gets out of sync for some reason and needs a way to resync and that by itself is not a not a threat. But I saw that the crypto counter was not the issue but the token used for the challenges did not change. And even after using that token a few times for authentication responses, like positive, at least at that point, the car should go ahead and say alright, I do and I make a new token so that the next time the phone key has to respond differently. This token, if it’s not changing, enables attackers to record these responses of a phone key to authorization requests. I do not know how long this time frame is. But from observation. It’s a few hours maybe.

Vamosi:  So again, let’s take a step back a moment. I have a key fob that lets me in and out of my car. But it’s not a Tesla. If I had a Tesla, I would have an app instead of a key fob. And it’s that app that we’re talking about that allows you to open the doors and start your engine.

Herfurt: Right So the app is replacing the key fob. And that’s a very convenient thing because after all, it’s one piece less to carry around. So sort of synergy convergence however you want to call it. It’s I like it. And it’s an application on the phone that is making use of the Bluetooth Low Energy stack in order to send crypt encrypted and not encrypted messages to the car interface. Based on that protocol, which is called VC sec.

Vamosi:  Aha. So VC sec, that sounds very promising, particularly if you’re a researcher trying to figure all this out. So what is VC sec? VC sec.

Herfurt:  Yeah. I was wrong in the in the first assumption that this is vehicle control secure or security or something related to security. We see sec I found out later is vehicle control secondary. And yeah, makes a lot of sense, right? Because, of course it has to do with security in a way but it’s not its main purpose. 

Vamosi:  So what is the purpose of this vehicle control secondary in Tesla’s

Herfurt: started looking into that when I was finding out about that message format so I was able to be in the middle when the car talks to the phone and vice versa. So I was receiving these messages, which I was in the first sight not really able to make sense of them. I figured quickly that the first two bytes were length related so it would just tell the recipient of the message how many bytes are going to follow. And the rest was like a miracle to me first, but then I found a tool. It’s called PBT, K and I found out about protobuf, which is a binary version of JSON. JSON is a textual human readable format for data. And protobuf has initially been developed by Google and is shrinking that down by making a binary format from it. So text elements get replaced by numbers. Really small, small, small, really good fit for the Bluetooth Low Energy Technology because it’s less limited bandwidth there. And I found out that it’s really easy to extract the VC SEC proto file, which is exactly that vocabulary for that protobuf implementation. And having that and having the proto C tool enabled me to translate or to D serialize. All these messages I was receiving back to text format, which was really handy, right? Because then it made a lot of sense. What’s going on there, right? And with version or app version four, they switched it and the PB TK tool stopped working for me. So the PB TK tool is like on GitHub, and that was also asking, maybe they could extend that to square or square wire. So it’s another implementation for the same kind of thing. So it’s compatible with each other. But different manufacturers use different notations in the class files. That means I had to hack a script which is not as good as the PB TK tool. I just grabbed all the class files for certain annotations and scribbled them out and out comes a profile which is more or less to the original. Not the same, though, but works for me. And it’s also an indicator repository now for people to play with that. And that that’s the first step you need to do if you’re talking BC sag or you want to understand BC sag, you have to have that vocabulary, having that you can decode or deserialize the messages and then a little bit of guesswork has to be used as well are guesswork that is backed on the obfuscated code you have right. So for example, it took me a while to figure out when there are authorization requests. How would you answer it to that there is something which is encrypted which is like the black box of the message he would see its crypto counters such and such signatures such and such and, you know, array that has to do with that encryption, that I know how it works, but still, what’s inside that encrypted bid. That’s hard. To find out and you could look into the code and it’s really hard to trace back where the information comes from that is going into that crypto text. But finally, also with guessing there’s been this VC SEC message type it’s called authorization response, like in retrospect, easy, right? But also there there’s fields that I had to guess because I never saw an original message because an original message would only be available from the phone right and the phone. I did not succeed extracting the keys from the phone. Because I’m not good at that. I think it’s very doable. And I had I had a discussion yesterday as well. So I think dynamic instrumentation with Freda for the people who know about that could work there. And that’s also what I tried already, but I did not find the right places to set a hook. The hook means that whenever a certain function is called, you are able by dynamic instrumentation to tell what this function is going to return or you can see what it’s gonna return. And once there is a function, like get secret, or something along these lines, you would hook that and get the secret key which is somewhere buried in the device. So it’s not not just lying there. It’s using device encryption and it’s pretty good protected. So one of the ways you can unlock your Tesla is through an NFC Card that owners receive upon purchase. This is less convenient than the phone as a key option, which works on any Bluetooth enabled device as soon as the car driver approaches, but the NFC Card is supposed to clearly identify the owner and thus allows additional functions that the attacker might be able to use in order to steal. For example, there can be multiple owners of the card and in particular, what Martin found was that after an NFC card swipe, it is possible to store a brand new key for that car in the first 130 seconds after it’s swiped.

[music]

Vamosi: So we’ve been hacking the fob and the app to gain access to the car. But what about direct access to the car? Before we can start to hack a car, we need to understand how a car works. With the exception of a Tesla perhaps not many are designed as a computer system on wheels. Rather, cars today consists of dozens of individual computers, actually embedded systems or microcontrollers that need to communicate and coordinate with each other almost instantaneously. So you don’t have one computer. You actually have many throughout the vehicle.

Leale:  Yeah, so they’re there, you’ll have individual controllers.

Vamosi: That’s Robert Leale, my car hacking instructor at BlackHat. He’s from CANbushack.com, and he’s also the founder of the annual car hacking village at DEF CON. Robert was a guest on EP 27 of the Hacker Mind.

Leale:  one might be attributed to the brake and the traction control system we like handles all of them at the same time and it because it’s connected to the braking system, it doesn’t necessarily apply the brakes, but it monitors the braking system but there’s any failures, where you might have one that’s connected to the engine it’s managing the engine. So if the engine needs to fire a particular cylinder it manages the fuel, the air fuel ratio, etc. So,

Vamosi: These individual microcontrollers are called Electronic Control Units or ECUs.

Leale: That’s correct: electronic control unit.

Vamosi: The first ECUs resulted from actions taken in the 1960s and 1970s by California’s Air Resources Board. Today’s ECUs are given specific tasks, such as controlling the antilock brakes, the lights, the volume of the multimedia player, warning signals, and the flow of fuel to the engine.] Features that we consider convenient require the ECUs to communicate with more than one system, and a controller-area network gives the car’s ECUs the ability to communicate with each other. For example, electronic stability control requires communication between the accelerator, the brakes, and the individual wheels. The exact number of these ECUs varies depending on the price of the car or the needs of the manufacturer.

Leale:  It just depends on what the goal is of the manufacturer. If that’s the best way to describe it. So for some cars, their goal is to sell them at a really low cost right so they’ll only put a few of these controllers in there to save on costs because they’re kind of expensive. Whereas some manufacturers are going for features that estimate costs, the more features, the more control there is you’ll typically have because the controllers kind of manage the features that are in the vehicle. 

Vamosi: Some of these microcontroller ECUs are binary, they’re either on or they’re off, although some have gotten to be pretty sophisticated over time.

Leale:  Yeah, so I mean they’re changing ever so slightly. You know with modern vehicles, they’re actually becoming like they’re running on bluetooth, they’re running the Android operating system. So, so some controllers are very basic engine controller, its job is really simple, fire some cylinders, it just, it does a lot of simple things, just hundreds and hundreds of simple things, whereas you think about, you know, on a Tesla, maybe your center display might have to display the map and have some apps loading, you got your, you got Spotify running, you know, all of those other things. So, those are more computers than what we’re used to the standard interface. So it just depends on what it’s, again, the goal of that particular controller.

Vamosi: What unites these microcontrollers is not an operating system, rather it’s a bus. What’s that? A bus is a communication system that transfers data between components. It does so by sending that data to all the CPUs at once. And if it’s meant for the brakes, then that ECU will respond. All the others will listen for the next packet, it might be for them.

Leale: I guess you know it’s funny, yesterday I was explaining that ..  I’ve got 10-year-old twins … and I was explaining this exact question to them. So I’ll pretend like I’m explaining it to my 10-year-old twins because I know how to do this now. A CANBus is a Controller Area Network, and essentially links controllers which are ostensibly computers that are in the vehicle to each other so they can all talk at the same time. But the unique part is the bus. So when one controller sends a message, because it’s a bus topology of a network, all of the messages are received simultaneously by all of the other nodes, which gives it a unique some unique features that maybe you won’t see in like an Ethernet style typical network

Vamosi: Ethernet is a wired network. You’re probably familiar with an Ethernet in an office network computing system where it is designed to route large amounts of data quickly,

Leale:  So some vehicles are starting to add, and have been for a little while but it’s becoming more of a thing, they’re adding Ethernet. But not your typical Ethernet your four wire two pair or two or three pair, Ethernet, you’re getting a single pair so to wire Ethernet,

Vamosi: Apart from the brakes and lights and such that are needed to operate the car manufacturers have been investing more and more in interesting dashboards which require web browsers, which allow for apps to be downloaded and run from the internet,

Leale:  They’re using it to transfer data like it like reflashing controllers. They’re using it for media systems multimedia take data from the internet, like Spotify or things like that, and display and display information even newer 

Vamosi: Some cars have sophisticated crash avoidance systems that require active sensors throughout the vehicle, and that requires even more data available through the automotive Ethernet.

[-music]

Vamosi: Access to the CanBus through the port we know is the OBD two — or onboard diagnostics port two– located near or around the steering column. That means attacks such as these require someone to physically be inside the vehicle, a mechanic, a valet, someone you know. So Could someone outside the vehicle gain access to the OBD two port or the ECUs? No, the jury’s still out on that. A group of researchers who decided to see whether the adversary could take over a car central computer system was shocked to learn the ease with which they could disrupt the whole system. That said, I should stress that the risk to your car and my car remains relatively low. For example, an adversary would have to both gain physical control over the car’s electronics through a tiny port since 1996, all US cars have been federally mandated to have an onboard diagnostics port designed to give auto mechanics not just dealerships access to the data systems within the cars. Unfortunately, that same port might also allow a cybercriminal access as well. projecting forward However, researchers Stephen savage from the University of California San Diego Sid said the real concern is the wireless sensors on newer cars. Indeed, the separate research project used Tire Pressure Monitoring System TPMS to gain access to the car’s ECU in 2000. When low pressure Firestone tires were causing accidents in Ford’s Congress enacted a transportation recall enhancement, accountability and documentation Act, which led to the creation of the TPMS wireless sensors to warn of low tire pressure. The researchers at Rutgers University and the University of South Carolina use the wireless sensors to control low pressure warning lights on the dashboard of a car traveling at highway speeds more than 100 feet away. These wireless tire pressure monitors don’t use authentication, nor do they validate the input of new data. So rewriting is possible. What the researchers did trigger a tire pressure warning system may not sound like a lot, but manufacturers are building more and more wireless systems into their cars and increasingly researchers are sounding the warning about ultimate consequences. Fortunately, the auto industry seems to be listening so where does that leave us? I see two alternatives. The first is to recognize that the digital world will be one of ever expanding features and options of ever faster product releases of ever increasing complexity and of ever decreasing security. This is the world we have today. And we can decide to embrace it knowingly. The other choice is to slow down and to simplify and to try to add security wherever possible. Customers. They’re not going to demand this. The issues are too complex for them to understand. So maybe a consumer advocacy group is required. I can easily imagine an FDA like organization for automotive but that could take a decade to approve all the standards necessary to make our cars safe. Unfortunately, there are no easy fixes here. We must take the long view we need to start by understanding the underlying issues first, then we must start advocating for consumer regulations that will impact us in the future. The best scenario would be for all hardware manufacturers to use authentication for software updates and encryption when communicating between systems. Until such time it’s Caveat Emptor. 

Vamosi: Original research for this podcast came from my book  When Gadgets Betray Us, which is available on Amazon. I’d also like to thank once again, Martin Herford and Robert Liao for their original interviews on the hacker mind. My point here is to raise questions about increasing convenience brought on by technology. Hopefully these discussions and others like it will foster an environment where we can collectively work to improve the security of our vehicles and make things more convenient and safer. For both the driver and the passenger.  

Vamosi: Hey, I have so many stories about hackers who are making a positive difference in the world. I don’t want you to miss out. And be sure to check out Error Code, my new podcast that focuses on IoT and embedded security.  Error Code is available now wherever you get podcasts.  

Vamosi: Let’s keep this conversation going. DM me @Robert Vamosi on Twitter, or join me on Discord. You can find the details at thehackermind.com for The Hacker Mind I’m Robert Vamosi