The rest of this tutorial assumes you are using a native CAN interface. To communicate with the device you need to install the can-utils package on your Linux machine. You can do this by typing the following into the Linux prompt:

can-utils makes it extremely easy to send, receive and analyze CAN packets. These are the commands that we will use. You can interact with the CAN bus in the same way you would interact with any other network, which makes it easy to write your own additional programs. Before you start reversing, you should have some understanding of how the CAN bus works. It consists of 2 wires and uses differential signaling. If multiple CAN frames are sent at the same time, the one with the highest priority (the lowest arbitration ID) wins. A CAN frame has 3 parts that are relevant to us.
The general approach to reversing the CAN bus is to generate the behavior you want to mimic and find the message that causes that behavior. For example, to control the steering you need to know what messages to send.
The way to figure this out is to turn on the original LKAS (lane keeping assist system), monitor the CAN bus and identify the packets responsible for turning the steering wheel. In our case we want to spoof the tachometer, so we need to change the RPM by stepping on the gas with the car on and in neutral, and then find the packet responsible for changing the RPM. Bring up the CAN interface by running the following in your Linux prompt:
When the car is off, the ECUs are usually asleep, so you need to turn the car on or put it in accessory mode. You can look at raw CAN data by running this in your Linux prompt:

This prints CAN data to the screen as soon as it is received. It is, however, very unorganized, and it is difficult to see which packets correspond to a given event.
To make the data more readable we use cansniffer, which groups the packets by arbitration ID and only shows the packets that are changing. To start it, run the command in your Linux prompt:

It takes a few seconds to remove the constant packets. You should see something similar to the image below, though the numbers will probably be completely different. The first column, delta, shows the interval in seconds between packets with that arbitration ID. The second column, ID, contains the arbitration ID. The remaining columns, data …, contain the data bytes.
There are probably multiple packets that vary with RPM; this is just the first one. Four bytes in this message are changing (colored red in the image), but not all of them necessarily indicate the RPM.
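The candump / cansniffer steps above, as an added offline example that is not part of the original tutorial or of can-utils: it parses candump's log line format, hides IDs whose data never changes, reports which byte positions do change, and decodes a two-byte candidate as a 16-bit big-endian integer so the rollover of the low byte into the high byte can be checked. The sample log is constructed, and the message IDs and byte layout in it are assumptions, not a real vehicle's.

```python
"""Offline stand-in for the candump / cansniffer steps: parse candump-format
log lines, group frames by arbitration ID, report which data bytes change,
and decode a two-byte candidate as a 16-bit big-endian integer.

Added example; not part of the original tutorial or of can-utils.
"""
from collections import defaultdict

# Constructed sample in candump's log format "(timestamp) iface ID#DATA".
# Made-up data, not a capture from a real car. ID 0x158 is a fictional engine
# message: bytes 4-5 carry a 16-bit big-endian value that rolls over
# 0x21FF -> 0x2200 while climbing, byte 6 mirrors the pedal and drops to 0 the
# instant the throttle is released, everything else is constant. 0x1A6 and
# 0x2B0 never change, so a sniffer should hide them.
SAMPLE_LOG = """\
(1500000000.000000) can0 158#0000000021C01B00
(1500000000.000500) can0 1A6#0102030405060708
(1500000000.001000) can0 2B0#DEADBEEF
(1500000000.010000) can0 158#0000000021F01B00
(1500000000.010500) can0 1A6#0102030405060708
(1500000000.020000) can0 158#0000000021FF1B00
(1500000000.021000) can0 2B0#DEADBEEF
(1500000000.030000) can0 158#0000000022000000
(1500000000.040000) can0 158#0000000021E00000
"""


def parse_candump(text):
    """Return a list of (timestamp, interface, arbitration_id, data_bytes)."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "#" not in parts[2]:
            continue  # skip blank lines and anything that is not ID#DATA
        ts = float(parts[0].strip("()"))
        ident, payload = parts[2].split("#", 1)
        frames.append((ts, parts[1], int(ident, 16), bytes.fromhex(payload)))
    return frames


def group_by_id(frames):
    """Map arbitration ID -> list of data payloads in arrival order."""
    groups = defaultdict(list)
    for _, _, can_id, data in frames:
        groups[can_id].append(data)
    return dict(groups)


def changing_bytes(payloads):
    """Indexes of data bytes that take more than one value across the payloads."""
    width = max(len(p) for p in payloads)
    changing = []
    for i in range(width):
        seen = {p[i] for p in payloads if i < len(p)}
        if len(seen) > 1:
            changing.append(i)
    return changing


def sniff(frames):
    """cansniffer-style view: only IDs whose data changes, with the byte indexes."""
    result = {}
    for can_id, payloads in group_by_id(frames).items():
        idx = changing_bytes(payloads)
        if idx:
            result[can_id] = idx
    return result


def signal_series(frames, can_id, offset, width=2):
    """Decode data[offset:offset+width] as a big-endian integer for every frame of this ID."""
    values = []
    for _, _, fid, data in frames:
        if fid == can_id:
            values.append(int.from_bytes(data[offset:offset + width], "big"))
    return values


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for can_id, idx in sniff(frames).items():
        print(f"{can_id:03X}: changing bytes {idx}")
    # Bytes 4-5 read as one 16-bit value climb smoothly across the 21FF -> 2200
    # rollover; byte 6 on its own drops to 0 the moment the pedal is released.
    print("bytes 4-5 as u16:", signal_series(frames, 0x158, 4))
    print("byte 6 as u8:    ", signal_series(frames, 0x158, 6, width=1))
```

With a real interface, `candump -l can0` writes a log file in the same line format, so the parser can be pointed at a capture taken while pressing the throttle; the interesting check is whether a pair of changing bytes still reads as a smoothly varying number when decoded together, which separates a real 16-bit signal from two unrelated bytes.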
The last byte, 1B, does change. However, as soon as we take our foot off the throttle it goes straight back to its resting value, which indicates that it represents the throttle position rather than the RPM (engine speed does not drop instantly). Finally there are the two bytes 21 C0 that do seem to correspond to a change in RPM. Moreover, they vary together as a single 16-bit integer, i.e. when the low byte C0 rolls over, the high byte 21 increments. It also seems that 21 corresponds to roughly RPM. This is good to note when you replay the message.

The organization, which grew out of the Defcon and BSides security conferences, recently published a framework with recommendations from the computer security industry for auto-makers on how to detect issues, contain and isolate them, and respond to them.
In part, it calls on car makers to publish policies that welcome interaction with the computer security industry. Because of laws like the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act, some researchers are hesitant to come forward with vulnerabilities lest they be accused of hacking and prosecuted, said Corman.
Remote attackers are able to bypass the VIN validation that is applied when a vehicle configuration is created. Normally the validation rejects a VIN that does not exist, so that a configuration cannot be added for an unknown number and cause errors or other issues.
When a configuration is added, the request is approved via the action parameter (add) in the context. An attacker with a live session can tamper with the action value, changing it to create or update. This bypasses the invalid-VIN exception and lets the attacker add a new configuration anyway. As a result, an attacker can take over other vehicle identification numbers to view or manipulate their configuration.
The security risk of the session validation vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 6.
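The flaw described above, as an added example written for this page (hypothetical code, not the affected product's): an action dispatcher that runs the VIN check only on the add path, beside a version that validates the VIN before dispatching on any action and binds each VIN to the account that registered it. The validation rule itself is an assumption standing in for the advisory's "non existing number" check: 17 characters, no I, O or Q, and the ISO 3779 check digit in position 9. The sample VINs, account names and request layout are constructed.

```python
"""Added example (hypothetical code, not the affected product's): a VIN
'action' dispatcher that validates only on the 'add' path, which is the
pattern the advisory describes, beside one that validates on every path and
also checks ownership before an update.

Assumed validation rule: 17 characters, no I/O/Q, ISO 3779 check digit at
position 9 (stand-in for the advisory's rejection of a "non existing number").
"""

# ISO 3779 transliteration and position weights for the check digit.
TRANSLIT = {str(d): d for d in range(10)}
TRANSLIT.update(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                    [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def is_valid_vin(vin):
    """17 characters from the VIN alphabet whose 9th character is the right check digit."""
    if len(vin) != 17 or any(c not in TRANSLIT for c in vin):
        return False
    total = sum(TRANSLIT[c] * w for c, w in zip(vin, WEIGHTS))
    expected = "X" if total % 11 == 10 else str(total % 11)
    return vin[8] == expected


class VulnerableConfigService:
    """Only the 'add' action runs the VIN check; 'create'/'update' trust the caller."""

    def __init__(self):
        self.configs = {}  # vin -> config; the session is never consulted

    def handle(self, session, request):
        action, vin = request["action"], request["vin"]
        if action == "add":
            if not is_valid_vin(vin):
                raise ValueError("invalid VIN")
            self.configs[vin] = request["config"]
        elif action in ("create", "update"):
            # A logged-in user who rewrites action=add to action=create lands
            # here with no VIN check and no ownership check.
            self.configs[vin] = request["config"]
        else:
            raise ValueError("unknown action")
        return self.configs[vin]


class HardenedConfigService:
    """Validate the VIN before dispatch and bind each VIN to the registering account."""

    def __init__(self):
        self.configs = {}  # vin -> {"owner": account, "config": config}

    def handle(self, session, request):
        action, vin = request.get("action"), request.get("vin", "")
        if not is_valid_vin(vin):  # every action, not just 'add'
            raise ValueError("invalid VIN")
        if action in ("add", "create"):
            if vin in self.configs:
                raise PermissionError("VIN already registered")
            self.configs[vin] = {"owner": session["account"], "config": request["config"]}
        elif action == "update":
            entry = self.configs.get(vin)
            if entry is None or entry["owner"] != session["account"]:
                raise PermissionError("VIN is not registered to this account")
            entry["config"] = request["config"]
        else:
            raise ValueError("unknown action")
        return self.configs[vin]["config"]


def bypass_possible(service):
    """The advisory's move: 'add' with a bogus VIN is refused, so resend it as 'create'."""
    session = {"account": "attacker"}
    bogus = {"vin": "NOTAREALVIN", "config": {"note": "planted"}}  # constructed
    try:
        service.handle(session, {"action": "add", **bogus})
    except ValueError:
        pass  # the baseline check fires on the 'add' path in both services
    try:
        service.handle(session, {"action": "create", **bogus})
        return True
    except ValueError:
        return False


def takeover_possible(service):
    """Can one account overwrite the configuration another account registered?"""
    victim_vin = "1M8GDM9AXKP042788"  # well-formed sample VIN, check digit X
    service.handle({"account": "victim"},
                   {"action": "add", "vin": victim_vin, "config": {"alarm": "on"}})
    try:
        service.handle({"account": "attacker"},
                       {"action": "update", "vin": victim_vin, "config": {"alarm": "off"}})
        return True
    except PermissionError:
        return False
```

The fix is not a stricter VIN check but where the check sits: anything derived from the request (the action, the VIN) is validated once, before the code branches on it, and the update path additionally verifies that the session owns the record, since the advisory's impact is the takeover of other vehicles' configurations rather than the bogus VIN itself.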