Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
2. ATTACKS & TECHNIQUES
ASYMMETRIES OF DEFENSE
OFFENSIVE SECURITY IN CI / CD
QUESTIONS
HANDS-ON (OPTIONAL)
01
02
03
04
05
What we're
covering
today
3. Introductions
Thanassis Avgerinos
CO-FOUNDER, VP ENGINEERING
FORALLSECURE
THANASSIS@FORALLSECURE.COM
Mayhem, by ForAllSecure, is a developer-first security testing
solution. Built by professional hackers, it automatically generates
thousands of tests to identify defects in your apps and APIs.
Josh Thorngren
VP DEVELOPER ADVOCACY, MARKETING
FORALLSECURE
JOSH@FORALLSECURE.COM
9. Good work here (thanks ASRG!)
but still another layer of
complexity and friction
ADD IN NEW ISOS ON TOP
03
Infotainment, navigation,
subscription-based vehicle
features - constant need for
innovation
PUSH FOR NEW FEATURES
02
Multiple systems, layers, and
vendors - securing them and
enforcing this across poor
network conditions
DISTRIBUTED SYSTEMS ARE TOUGH
01
Automotive cybersecurity gets harder every day
10. Questions ☐How do you test today?
☐How do you prioritize fixes?
☐Where in the SDLC does this
happen?
14. TBONE Demonstrated First at CanSecWest
DJI Mavic 2 drone hacking a Tesla Model X (or Model 3/S)
How did they do this?
Ralf-Philipp Weinmann
Kunnamon
Benedikt Schmotzle
Comsecuris
15. NO CREDENTIALS THOUGH
NVM, WPA2-PSK CREDENTIALS
HARDCODED AND AVAILABLE IN THE
FIRMWARE
ACTUALLY, I CAN JUST COPY FROM TWITTER
Step #1: Connect to Tesla’s “service WiFi”
16. Step 2: Map the Attack Surface and Breach Perimeter
Checked for daemons processing network inputs - found ConnMan
• ConnMan is a lightweight network manager for embedded Linux
• Version 1.37 (latest at the time) with no active vulns
Dead end? Nope! Let's attack it with fuzz testing!
It crashes in seconds….that's a zero day!
17. How hard is it to find a zero-day in
ConnMan?
Let’s find out!
18. char *uncompress(int16_t field_count, char *start, char *end,
char *ptr, char *uncompressed, int uncomp_len,
char **uncompressed_ptr) {
char *uptr = *uncompressed_ptr; /* position in result buffer */
debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
while (field_count-- > 0 && ptr < end) {
int dlen; /* data field length */
int ulen; /* uncompress length */
int pos; /* position in compressed string */
char name[NS_MAXLABEL]; /* tmp label */
uint16_t dns_type, dns_class;
int comp_pos;
if (!convert_label(start, end, ptr, name, NS_MAXLABEL,
&pos, &comp_pos))
goto out;
ulen = strlen(name);
strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
Step #3:
Map back to
the code
19. Step #4: Create a Weaponized Exploit
Standard workflow in the technical report
although MCU escalation redacted
20. Meet Ryan
● One of our hackers-in-residence
● Has won Defcon CTF the top hacking competition
in the world 5+ times with PPP
● Their team develops ~50 weaponized exploits in under
48 hours when in crunch mode
21. My Interactions with Ryan
Hey Ryan, we got a crasher on bosch/atftpd - can you build a PoC?
ok, with ASLR/PIE/Canaries?
yes
... 2h later ...
pushed under atftpd/poc/exploit.py
Awesome, thank you!
22. Summarizing the TBONE Tesla Hack
● 4 steps: (1) access, (2) attack surface identification and breach, (3) root cause analysis
and (4) weaponization/escalation
● Demonstrates common patterns found in automotive:
○ Security spans across multiple layers (network, application, MCU/subsystems)
○ System includes multiple software components not owned by the manufacturer
○ Open-Source Components are part of the stack and affect analysis
○ Barrier of entry matters (copying creds from twitter vs breaking crypto keys, finding
zero-days in seconds vs fuzzing for hours with no findings)
23. More Ryan Facts
● Finds and writes exploits for previously
unseen software composed of millions of
lines of code within hours
● Likes low-effort - "lazy" - solutions
How does he do this?
27. MONDAY
Costly Incident Response
Pushing vendors for
patches, triaging impact,
containing breaches
WEDNESDAY
TUESDAY
CYBERSECURITY ASYMMETRY #3
Defenders can't stay ahead of attackers
Attacker finds 0-day
Fuzz tests, reverse
engineers - now an
exploit is out in the wild
You do everything right
Clean SBOM, audit, third
party pen testing - and a
successful release!
Defender process today is reactive!
30. Introduce proactive practices to
find flaws before attackers do
DEFENSE IS REACTIVE
03
Introduce automation (scale)
and continue to shift left (turn
developers to Defenders)
DEVELOPERS OUTNUMBER SECURITY
02
Not a lot - this is just a basic
security principle.
ATTACKERS ONLY NEED ONE WEAKNESS
01
What can defenders do?
32. Automotive Development
Create
Model
Generated
Code
Link External
Code
System
Hardware in
the Loop
Test Model
Software in
the Loop
Test in CI Test on
HW
Test complete
vehicle
Opportunity: provide automatic security
feedback solutions (proactive and reactive) for
the development team and make it a build gate
Automation is key: team velocity and responsiveness defined by iteration speed
Write
Requirements
33. Automotive Development
Create
Model
Generated
Code
Link External
Code
System
Hardware in
the Loop
Software in
the Loop
Opportunity: provide automatic security
feedback solutions (proactive and reactive) for
the development team and make it a build gate
Write
Requirements
Gotcha #1: Findings should be actionable / verifiable or you get developer frustration
34. Example SCA Report #1: CVE-2021-26675
• A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by
network adjacent attackers to execute code.
Hmm, we have vendored ConnMan with
local mods, are we really affected? How
can I know? Can I backport changes?
35. Example SCA Report #1: CVE-2021-26675
• A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered
in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA
ciphertext across a network in a Bleichenbacher style attack. To achieve a successful
decryption the attacker would need to send a large amount of specially crafted messages to
the vulnerable server. By recovering the secret from the ClientKeyExchange message, the
attacker would be able to decrypt the application data exchanged over that connection.
Well ... I guess the pipeline's blocked ...
Time to catch up on my netflix shows
37. Example SAST Report
Library X that you are linking against and was provided by a vendor has an unacceptable use of
the unsafe function strcpy.
Do I modify the vendored library? But I
am not even using the function that's
calling strcpy. Is this even relevant?
42. 42
Design and
Definition
Stage
Write Code
Security
ISO 21434
Safety
ISO 26262
6-9: Software unit testing
Replace existing basic test generation
with Mayhem’s intelligent algorithms
6-10: Software Integration &
Verification
Mayhem helps build code coverage
security and editable coverage tests
V MODEL
10/11: Security Hardening
Verify every release has ASLR, DEP,
and other code hardening enabled
10: Security Testing
Satisfy adversarial testing
requirement with automated,
advanced fuzzing and testing.
11: Production Validation
Mayhem for API checks deployed
APIs in addition to CI/CD integration
Automation to Meet ISO Development Standards
44. Integrates into software-in-
the-loop build and tests
using docker
Downstream hardware-in-
the-loop tests can use
results if needed
Findings are actionable -
runnable test cases
Test cases are vendor-neutral files which
can be replayed in existing test and
coverage runners
45. THANK YOU
Get in touch with us
THANASSIS@FORALLSECURE.COM
JOSH@FORALLSECURE.COM
Learn more
FORALLSECURE.COM
Or stick around…
WE CAN HELP YOU GET STARTED NOW…
We can try to reproduce their steps ourselves and it will get fairly technical. Could walk through all the details, but this is mostly if you are interested in exploitation research. At this point, as Defenders we already validated the finding and understand impact.
However, it is important to understand the attacker mindset and also capabilities.
Mayhem plugs into your existing development process where-ever you are doing software tests already. In cyber-physical systems this is typically in the software in the loop testing process (SIL).
The advantage of plugging in is that all your existing processes, including tracing results back to requirements, don’t need to change. Mayhem outputs the equivalent of a new test case, either for new code coverage or an actual exploit.
Mayhem plugs into your existing development process where-ever you are doing software tests already. In cyber-physical systems this is typically in the software in the loop testing process (SIL).
The advantage of plugging in is that all your existing processes, including tracing results back to requirements, don’t need to change. Mayhem outputs the equivalent of a new test case, either for new code coverage or an actual exploit.
Mayhem plugs into your existing development process where-ever you are doing software tests already. In cyber-physical systems this is typically in the software in the loop testing process (SIL).
The advantage of plugging in is that all your existing processes, including tracing results back to requirements, don’t need to change. Mayhem outputs the equivalent of a new test case, either for new code coverage or an actual exploit.