WS - 2
Reversing and The exploitation of Vehicle (CAR Hacking)
Workshop Objective:
Today all vehicles are connected through V2X technologies. All manufacturers are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third-party vendors which are still in the vulnerable state. So addressing their weaknesses requires specific skillset in cybersecurity of vehicle industries. In this course will provide real CAR to get Hands On the experience of CAR and their component security testing. "Reversing and exploitation of Vehicle" course targeted from Basic level to advance level. During the course will provide “State of the Art’ Virtual machine called “Khaleesi” which has an all necessary toolkit which can be used after training for Vehicle/ICS/IoT/Hardware etc. security testing.
Course Content (ToC):
-
- Briefing of ECU
- Briefing of Vehicle Protocols
- Understanding and briefing CANBUS protocol
- Briefing of CANBUS frame
- Briefing of CAR hacking Tools
- Eavesdropping of Canbus messages
- Reverse Engineering of CANBUS
- Identify the Arbitration ID of a specific vehicle event
- Attacks on cluster
- Replay attacks
- Sending Forged CANBUS messages
- DOS Attack on CANBUS network
- Introduction
- Recon of Key fobs frequency
- Reverse engineering of Key fob data
- Sending malformed key fobs request
- Jamming at RX and TX
- Defeating the encoding mechanism
- Replay Attack
- Attack on the key fob
- USB
- Fuzzing on USB stack
- USB interception for software update
- Introduction
- Recon of TPMS frequency
- Reversing engineering of TPMS
- Replay attack on TPMS controller - Spoofing TPMS sensors
Introduction of Vehicle (Vehicle network)
Key fobs
Infotainment
TPMS
Pre-requisite
- Basic knowledge of Linux OS.
- Basic knowledge of programming (C, python) would be a plus.
Participants’ Requirements:
- Laptop with at least 40 GB free space
- 8+ GB minimum RAM (4+GB for the VM)
- External USB access
- Administrative privileges on the system
Who should attend:
- People who are keen on understanding the Vehicle network
- People who want to be able to perform security testing of real-time vehicle network
- The Methodologies to Pentest Vehicle
What to expect:
Understanding of Vehicle testing and methodologies
What not to expect:
Zero to Hero in 2 days
All attendees should not expect to run the exercise and practical Labs on a live radio signal.
Speaker Profile:
Arun is a Founder and Director of Amynasec.io company which is specialized in Vehicle/IoT/ICS and he also Hardware, IOT, and ICS Security Researcher. His areas of interest are Hardware Security, SCADA, Automotive security, Fault Injection, RF protocols and Firmware Reverse Engineering. He also has experience in performing Security Audits for both Government and private clients. He has presented a talk at the nullcon 2016,2017,2018 Goa, GNUnify 2017, Defcamp 2017, 2018 Romania, BsidesDelhi 2017, c0c0n x 2017, EFY 2018, x33fcon2018,2019, BlackHat USA 2018, Defcon USA 2018, OWASP Seaside 2019 Goa. Also Trainer for Practical Industrial Control Systems (ICS) hacking training, delivered in x33fcon2018,2019, HIP 2018 and also delivered training for IoT hacking in HITB 2017, HIP 2017, BlackHat Asia 2018 and private clients in London, Australia, Sweden, Netherlands etc. He is an active member of null open community.
Nikhil is an Automotive expert in Safety and Security. His areas of interest are ECU security, CAN, LIN Network Security. He also has experience in Security Design, Implementation in Automotive products. He has 13 years of experience in Automotive product development. In his tenure, he worked with Hella, Tata Elxsi, Continental for many Car manufacturer BMW, Honda, VW. Currently, He is working with Lear Corporation. He also delivered a workshop at OWASP Seasides 2019 Goa on CAR Hacking.