Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover: - Successful exploits of components and vehicles - what these attacks had in common - Layering offensive techniques atop existing security programs - what to do and what to avoid - How to test integrated systems with multiple components from different OEMs working in tandem - Integrating offensive testing into different stages in software development and component integration Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity

1. TEST
LIKE A
HACKER
AUTOMOTIVE CYBERSECURITY
MARCH 2023
FORALLSECURE.COM

2. ATTACKS & TECHNIQUES
ASYMMETRIES OF DEFENSE
OFFENSIVE SECURITY IN CI / CD
QUESTIONS
HANDS-ON (OPTIONAL)
01
02
03
04
05
What we're
covering
today

3. Introductions
Thanassis Avgerinos
CO-FOUNDER, VP ENGINEERING
FORALLSECURE
THANASSIS@FORALLSECURE.COM
Mayhem, by ForAllSecure, is a developer-first security testing
solution. Built by professional hackers, it automatically generates
thousands of tests to identify defects in your apps and APIs.
Josh Thorngren
VP DEVELOPER ADVOCACY, MARKETING
FORALLSECURE
JOSH@FORALLSECURE.COM

4. Introductions ☐Role
☐Company
☐Challenges
☐Goals

5. Application security is
critical for automotive safety

6. Nineteen vulnerabilities
that give attackers control
over engine, locks, and
more
2020, MERCEDES BENZ

7. Zero-click exploit gives
control over infotainment
and acceleration settings
2021, TESLA

8. Authentication bypass
allows access to location
and driver details
2016, NISSAN

9. Good work here (thanks ASRG!)
but still another layer of
complexity and friction
ADD IN NEW ISOS ON TOP
03
Infotainment, navigation,
subscription-based vehicle
features - constant need for
innovation
PUSH FOR NEW FEATURES
02
Multiple systems, layers, and
vendors - securing them and
enforcing this across poor
network conditions
DISTRIBUTED SYSTEMS ARE TOUGH
01
Automotive cybersecurity gets harder every day

10. Questions ☐How do you test today?
☐How do you prioritize fixes?
☐Where in the SDLC does this
happen?

11. KNOWN UNKNOWN
PATTERN MATCHING
BEHAVIOR
SCA
SAST
DAS
T
IAST
PE
N
FUZZ
SBO
M
Application security
landscape for defenders

12. HOW TO HACK A TESLA

14. TBONE Demonstrated First at CanSecWest
DJI Mavic 2 drone hacking a Tesla Model X (or Model 3/S)
How did they do this?
Ralf-Philipp Weinmann
Kunnamon
Benedikt Schmotzle
Comsecuris

15. NO CREDENTIALS THOUGH
NVM, WPA2-PSK CREDENTIALS
HARDCODED AND AVAILABLE IN THE
FIRMWARE
ACTUALLY, I CAN JUST COPY FROM TWITTER
Step #1: Connect to Tesla’s “service WiFi”

16. Step 2: Map the Attack Surface and Breach Perimeter
Checked for daemons processing network inputs - found ConnMan
• ConnMan is a lightweight network manager for embedded Linux
• Version 1.37 (latest at the time) with no active vulns
Dead end? Nope! Let's attack it with fuzz testing!
It crashes in seconds….that's a zero day!

17. How hard is it to find a zero-day in
ConnMan?
Let’s find out!

18. char *uncompress(int16_t field_count, char *start, char *end,
char *ptr, char *uncompressed, int uncomp_len,
char **uncompressed_ptr) {
char *uptr = *uncompressed_ptr; /* position in result buffer */
debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
while (field_count-- > 0 && ptr < end) {
int dlen; /* data field length */
int ulen; /* uncompress length */
int pos; /* position in compressed string */
char name[NS_MAXLABEL]; /* tmp label */
uint16_t dns_type, dns_class;
int comp_pos;
if (!convert_label(start, end, ptr, name, NS_MAXLABEL,
&pos, &comp_pos))
goto out;
ulen = strlen(name);
strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
Step #3:
Map back to
the code

19. Step #4: Create a Weaponized Exploit
Standard workflow in the technical report
although MCU escalation redacted

20. Meet Ryan
● One of our hackers-in-residence
● Has won Defcon CTF the top hacking competition
in the world 5+ times with PPP
● Their team develops ~50 weaponized exploits in under
48 hours when in crunch mode

21. My Interactions with Ryan
Hey Ryan, we got a crasher on bosch/atftpd - can you build a PoC?
ok, with ASLR/PIE/Canaries?
yes
... 2h later ...
pushed under atftpd/poc/exploit.py
Awesome, thank you!

22. Summarizing the TBONE Tesla Hack
● 4 steps: (1) access, (2) attack surface identification and breach, (3) root cause analysis
and (4) weaponization/escalation
● Demonstrates common patterns found in automotive:
○ Security spans across multiple layers (network, application, MCU/subsystems)
○ System includes multiple software components not owned by the manufacturer
○ Open-Source Components are part of the stack and affect analysis
○ Barrier of entry matters (copying creds from twitter vs breaking crypto keys, finding
zero-days in seconds vs fuzzing for hours with no findings)

23. More Ryan Facts
● Finds and writes exploits for previously
unseen software composed of millions of
lines of code within hours
● Likes low-effort - "lazy" - solutions
How does he do this?

24. ASYMMETRIES
THE ATTACKERS' ADVANTAGE

25. Attackers need one weakness;
defenders must protect all paths
CYBERSECURITY ASYMMETRY #1

26. THERE ARE
570 DEVELOPERS
CYBERSECURITY ASYMMETRY #2
FOR EVERY
CYBERSECURITY
Build > Test > Secure
PROFESSIONAL

27. MONDAY
Costly Incident Response
Pushing vendors for
patches, triaging impact,
containing breaches
WEDNESDAY
TUESDAY
CYBERSECURITY ASYMMETRY #3
Defenders can't stay ahead of attackers
Attacker finds 0-day
Fuzz tests, reverse
engineers - now an
exploit is out in the wild
You do everything right
Clean SBOM, audit, third
party pen testing - and a
successful release!
Defender process today is reactive!

28. Question ☐How do these impact you?

29. KNOWN UNKNOWN
PATTERN MATCHING
BEHAVIOR
SCA
SAST
DAST
IAST
PE
N
FUZZ
SBO
M
Attackers have a much
simpler landscape

30. Introduce proactive practices to
find flaws before attackers do
DEFENSE IS REACTIVE
03
Introduce automation (scale)
and continue to shift left (turn
developers to Defenders)
DEVELOPERS OUTNUMBER SECURITY
02
Not a lot - this is just a basic
security principle.
ATTACKERS ONLY NEED ONE WEAKNESS
01
What can defenders do?

31. OFFENSIVE APPSEC
IN YOUR CI/CD

32. Automotive Development
Create
Model
Generated
Code
Link External
Code
System
Hardware in
the Loop
Test Model
Software in
the Loop
Test in CI Test on
HW
Test complete
vehicle
Opportunity: provide automatic security
feedback solutions (proactive and reactive) for
the development team and make it a build gate
Automation is key: team velocity and responsiveness defined by iteration speed
Write
Requirements

33. Automotive Development
Create
Model
Generated
Code
Link External
Code
System
Hardware in
the Loop
Software in
the Loop
Opportunity: provide automatic security
feedback solutions (proactive and reactive) for
the development team and make it a build gate
Write
Requirements
Gotcha #1: Findings should be actionable / verifiable or you get developer frustration

34. Example SCA Report #1: CVE-2021-26675
• A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by
network adjacent attackers to execute code.
Hmm, we have vendored ConnMan with
local mods, are we really affected? How
can I know? Can I backport changes?

35. Example SCA Report #1: CVE-2021-26675
• A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered
in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA
ciphertext across a network in a Bleichenbacher style attack. To achieve a successful
decryption the attacker would need to send a large amount of specially crafted messages to
the vulnerable server. By recovering the secret from the ClientKeyExchange message, the
attacker would be able to decrypt the application data exchanged over that connection.
Well ... I guess the pipeline's blocked ...
Time to catch up on my netflix shows

36. Automotive Development
Create
Model
Generated
Code
Link External
Code
System
Hardware in
the Loop
Software in
the Loop
Opportunity: provide automatic security
feedback solutions (proactive and reactive) for
the development team and make it a build gate
Write
Requirements
Gotcha #2: Findings should be trusted - no false positives

37. Example SAST Report
Library X that you are linking against and was provided by a vendor has an unacceptable use of
the unsafe function strcpy.
Do I modify the vendored library? But I
am not even using the function that's
calling strcpy. Is this even relevant?

38. OPPORTUNITY #1
DEVELOPER-ACTIONABLE REPORTS

39. Example Mayhem Report
https://github.com/ForAllSecure/mapi-action-examples/pull/2

40. OPPORTUNITY #2
PROVIDE VALUE TO DEVELOPERS

41. Example Mayhem Report
https://github.com/ForAllSecure/mcode-action-examples/pull/3
Use automatically
generated test cases to
meet your coverage
requirements + save
human hours!

42. 42
Design and
Definition
Stage
Write Code
Security
ISO 21434
Safety
ISO 26262
6-9: Software unit testing
Replace existing basic test generation
with Mayhem’s intelligent algorithms
6-10: Software Integration &
Verification
Mayhem helps build code coverage
security and editable coverage tests
V MODEL
10/11: Security Hardening
Verify every release has ASLR, DEP,
and other code hardening enabled
10: Security Testing
Satisfy adversarial testing
requirement with automated,
advanced fuzzing and testing.
11: Production Validation
Mayhem for API checks deployed
APIs in addition to CI/CD integration
Automation to Meet ISO Development Standards

43. WHAT DOES THE
PIPELINE LOOK LIKE?

44. Integrates into software-in-
the-loop build and tests
using docker
Downstream hardware-in-
the-loop tests can use
results if needed
Findings are actionable -
runnable test cases
Test cases are vendor-neutral files which
can be replayed in existing test and
coverage runners

45. THANK YOU
Get in touch with us
THANASSIS@FORALLSECURE.COM
JOSH@FORALLSECURE.COM
Learn more
FORALLSECURE.COM
Or stick around…
WE CAN HELP YOU GET STARTED NOW…

46. Hands-on:
testing like a
hacker