Aaron Cornelius - Intro to UDS video - DEF CON 27 Car Hacking Village

Captions
My name is Aaron Cornelius, and I'm a senior security researcher with GRIMM. I've played with cars, and I'm going to tell you about what UDS is and why it can help you hack cars. Whoo, let's get moving.

So what is UDS? I'm not going to go through all this detail, because it's really boring and a bunch of standards, but basically UDS is a higher-level protocol that lives on top of CAN. CAN itself, for the purposes of this particular talk, you can think of as kind of old-school 10/100 Ethernet: you can have a bunch of things on the bus and they can talk to each other, and they use the MAC address to figure out what messages are meant for them, right? So keep that in mind; that's basically CAN. UDS itself is then a higher-level protocol living on top of that. As you may know, CAN has a limit of 8 bytes per message, and so if you want to send anything bigger than 8 bytes, like you want to send firmware to an ECU on a car, you're going to need to use a higher-level protocol to segment that up into multiple messages. So ISO-TP is a segmentation layer, kind of like IP, and then you have UDS itself, which you can think of like, I mean, the analogies break down at this point, but you can go with maybe UDP, TCP, whatever you feel like. Like I said, the analogy does break down at that point, but there's the ISO standards if you feel like looking at it.

One quick mention: OBD-II is a little bit different standard. It's not really living on top of these things as well; it's very specifically a single purpose, meant to talk to the emissions-related equipment for scanning codes. So it's not really the same thing, but sometimes the ECUs which do talk OBD-II also talk UDS, sometimes not.

So in CAN you have a message ID, or arbitration ID; it's what identifies what message is meant to go on the bus. If you have standard CAN, it's 11 bits only for the message ID. The arbitration ID in the standard for UDS is 7XX for the request, and then 7XX plus 8 is going to be the response ID. This will make sense, I promise. The 29-bit, or extended, CAN is a little bit different, where it uses two different bytes as kind of the sender and receiver, which makes a little bit more sense. OBD-II has a specialized set of IDs that are meant for OBD-II only. So going back to the Ethernet and IP example: we don't have routers here, we don't have a switch, we don't have DNS to tell us what's on the bus, so the thing is we need to figure it out. But right here we've got a pretty limited subset of IDs that we can scan to figure out what's on that bus; it's a maximum of actually a little bit less than 255, 256.

So real quick, ISO-TP. There's a couple different frame types. It's not really important at this point, but basically the first nibble of the CAN data frame indicates what type of message it is. Since it's a limited subset of values, it can make it really easy to see large data transfers, which is one of the things that is nice about UDS: it makes it easy to just visually take a look at it and see that something is happening.

A couple different UDS services. To take a look at this, you say, what do I want to do to a car? You can say that you're downloading and uploading things to the ECUs, doing some interesting transferring of data, security access. There's a lot more than this; if you want to know, you can go look at the standard, or actually the Wikipedia page for UDS is pretty good, so you can go take a look at that. There's a lot of things in here that are custom per automaker, which means to figure out what is actually supported for an ECU, you need to either have the design documents or you need to figure it out. So that's kind of the goal here.

So let's take a look. Here's a couple different ECU UDS responses. The whole idea is you've got a request. So in the very first message here we've got a request ID of 74A, and the response here is 7B4, and you'll notice that that's not actually what I said earlier; I said it should be eight more than that. Well, that's the standard. Just because it's the standard doesn't mean it's actually what has ever been done, because nothing's ever actually done standard in passenger automotive vehicles. So here we see the message. The very first thing you see, the first nibble of the data, is zero, which means it's a single-frame message. Again, it's very obvious what's going on. The second nibble is the length, and then after that we see 10 03. 10 is the diagnostic session request; 3 is just a session ID. What does that session mean? Well, again, it means whatever the automaker wants it to mean, so the only way to figure out what that means is if you can start actually querying what functionality is available in that diagnostic session. You might have some simple diagnostics in session two, you might be able to reprogram the ECUs in session two, maybe session three lets you do things like disable the brakes or something like that. You know, so maybe it's some debugging or implementation some of the engineers were doing; it's not really meant for general consumption. Well, if you can figure out what that is, if you can get in there and scan what's going on, then it allows you to get access to what that type of functionality is.

Another one, the second UDS request here. Again we've got 700A, so the response itself: we have 06, so again it's a single-frame message, six bytes, 50. So the first byte here is ISO-TP; that's kind of the encapsulation layer. UDS itself is then the actual remaining bytes, the remaining seven bytes of this message. The request is the service ID, which was 10. The response, if it's a successful response, is then hex 40 more than the request. These all seem incredibly arbitrary, I know, and basically it's because the people who wrote the standard did it that way. It's actually similar, it's based on older standards. So what you're seeing here is kind of the evolution of a lot of things based on a lot of things based on a lot of things, which is basically how all technology in computers has ever worked, because it's all based on, well, we did it this way, so let's do it this way now; that's why it's this way. So you just got to take a look at it and look at the standard, and you eventually figure it out. So 50 means successful, because it was 40 more than the request. Then the next thing is going to be 3, which is the diagnostic session that was requested. There's a length of six, which means there's three more bytes of data here. I have no idea what they mean, but usually it doesn't actually matter much what they mean, but they're here in case you want to refer to it later. If you're actually implementing this or doing something with the dealer tools it might be meaningful, I don't know.

So if it's 40 more, that's a successful response. What happens if it's an unsuccessful response? That's the next example I've got here: 02 10 04, so it's a slightly different session ID I'm looking for. The response itself then is 7F; that means it's a negative response, and then you have the error code here. So it says, after the negative response, the next byte is the service ID that caused the error, 10, and then it's the error code. Well, the error code itself is 12; that is thankfully a standard thing in this, and 12 means the sub-function not supported. So basically somebody is telling us that we don't know what this means. So this is again the way that the UDS protocol is allowing us to enumerate what functionality exists on an ECU.

The last one here is a read message. A DID, in UDS speak, is a block of data. If you want to find out what VIN is in a car, you read a particular data identifier, and in this case data identifier F190; that's part of the standard. There's a range of these different DIDs which are standard for the ISO standard, and then there's a bunch of other stuff which automakers or suppliers do because they feel like it, or probably really to put in information that they feel is necessary: what version of software do we have in here, what version of the hardware is this, who compiled it, maybe. So here the response was... there's a couple, two things I want to point out about this last one. You can see that the error is, we have a 7F, which means error, but the error code is 78. Error code 78 means that it's a... let me read this properly: request correctly received, response pending. So basically it means hold on a second, and this is one that always annoyed me a little bit, because if you take a look at the timestamps, it didn't actually take that much longer for the actual message to come back. The first nibble is one, which means it's a first frame of a multi-frame message, and then again, like I said, three is the flow control. So it's the person who's receiving the data telling the other end if it has any restrictions on the block sizes, right? So if you can think of this again in terms of Ethernet, it's just kind of like a handshake working out MTU sizes or something like that. Again, these analogies are a little bit strained, but it's a way to think about it. But then the first frame is 2; 2 means it's a multi-frame message, and this is really good if you're looking at the dealer tools. If you use the dealer tools and look at the CAN messages that are happening while the tools are programming the ECU, it makes it extremely obvious when there's a block of data going to a particular location, because it all starts with 2 and the message ID is all 7-something-or-other. In this case the actual response doesn't matter too much; it was just those two things I wanted to point out there.

All right, so that's the basics of UDS. I could go on for quite a long time going into detail on UDS, which would probably bore everyone more than you're already bored. Unless you're a standards nerd, you don't necessarily like looking at the standards, but it's useful to see that raw level of things. Tools can usually easily abstract what's the important stuff that's going on behind the scenes, and that helps you have a deeper understanding of how the computer is behaving.

So a couple useful tools I'm going to point out here. The first one is CanCat. I work at GRIMM; we like CanCat, we use it. It has a lot of libraries for allowing you to do low-level CAN stuff, which is what we demonstrate over at our booth, but we also have a class in there for UDS. It allows you to interact with an ECU doing UDS functionality, and what I'm going to show here in the second half is taking a look at a tool I wrote on top of the CanCat stuff that allows you to essentially do nmap-style scanning on a car. There's two other ones I'd like to point out here that are capable of doing UDS things. The first one is Caring Caribou, which I have a hard time saying. It works pretty well. It works with standard Python CAN stuff; if you have socketcan capabilities, like a CANtact, this will work well with it. It also does UDS scanning. Scapy can also do this as well. As much as I love Scapy, the interface is a little bit harder to use unless, let's say, you're familiar with how it works, in this particular case.

So can-utils, the raw low-level socketcan stuff. If you're running Linux, you've got socketcan, you've got can-utils; they're installed by default, pretty sure, on most distributions. But the thing is, they interact with raw CAN messages; they don't necessarily give you the UDS capabilities. What we demo over at our booth, for just recording and replaying messages, you can do that with candump and canplayer. cansniffer is also a really useful tool. Unfortunately, cansniffer doesn't actually support 29-bit messages; there's a pull request that's been open for like a year for it. You can go and look at the pull request if you want to go and see it; you can go find a particular patch and download it and compile it. So it's useful for low-level things, but once you start getting to higher-level protocols, you usually need to step outside of something like socketcan.

And here, like I said, you can use can-utils for doing CAN injection, and here's just a simple example. You don't really see it interacting with the vehicle at this point, but what I did was I hit candump, I started logging, I hit the unlock button, and then I hit Control-C to kill the candump. Then I take the candump that was generated and I run it through canplayer, and I watched the car unlock itself, right? So this is again a simple example of message injection with can-utils. cansniffer is another useful one, and this allows you to do an interactive viewing of the messages that are going on the bus. You hit the pound sign and then it will slowly shrink the window to just the messages it's receiving, and then it highlights; if you give it the -c flag, it'll highlight the new messages it receives. So in this particular case what I did was I started cansniffer and then I was periodically hitting the lock/unlock button, and if you've got a sharp eye you might notice what message ID is actually doing the door unlocking in this case, or if you already figured it out when you were taking a look at it at our booth. But anyway, so again, hit the lock, hit the unlock button on the key fob, and the message popped up here, highlighted with the changed bytes in red.

Scapy again: there's the incantation for doing it. You can go on the Scapy Read the Docs page, and whoa, there's a lot of information there about using Scapy for automotive testing. This is just a simple example again; you can do a CAN sniff. This again records all the messages, and it's a Python interactive shell, and you can interact with them using all the different Python tools Scapy presents.

Caring Caribou again; this is doing an ECU scan, so this is starting to get into more of what I was talking about, how you can use UDS capabilities to identify what's on the bus. So this again was looking at, I was scanning 3p oh, and I did UDS discovery. This is just using the CANable, a little ten-dollar piece of hardware, and it's going through all the different ECUs to find out what's present on the bus, and you can see here it's finding different things. It's finding some things that are standard, it's finding some things that are not standard. The particular results in this case don't matter too much; it's nicer to have something animated on the screen.

So UDS: one of the nicest, not the nicest, but one of the nicer things about UDS is the error codes. They're extremely verbose. This is one of those things where you take a look at a protocol and you can tell it was written by an engineer, because they say, well, I want to know why this didn't work, I don't know what went wrong. And so there's a byte for the messages, so you've got a couple of hundred possibilities of what the error code is. They're not all valid, but a lot of them are valid, and here's some of the common ones: service not supported; conditions not correct, which is an interesting one; security access denied; invalid key; exceeded number of attempts. So exceeded number of attempts, for example, is one where if you're trying to do a security access, well, it should happen if you do it wrong; you're supposed to then get an error message back saying that you ran out of attempts. Well, sometimes it happens, sometimes it doesn't. Conditions not correct is a good one, because what it's saying is, I can't do the thing that you're asking for, but I am capable of doing it if the conditions were correct. So then you've got to figure out what those conditions might be. Again, it lets you start narrowing down the type of functionality you're looking for. There's also a really verbose section of errors like RPM too high, RPM too low, engine is running, engine is not running, throttle pedal too high, too low, transmission not in neutral, transmission in gear, and not all of these different error codes are things that all automakers implement, but when you see them it allows you to know that, well, great, I've almost gotten to the ability to activate this function; all I have to do is change the conditions that the car is in. So again, this is why we need to scan the functionality: you don't have any knowledge of what's going on, and it's allowing you to figure out what is going on.

So UDS... because I can't help myself, I named it CanMap, because it's based on CanCat and it helps you do nmap on the car, right? That's the theory, anyway. So there's my car, my own test subject, that I tested this on to try and figure out what's going on. And so again, when you're doing a pen test, right, if you're doing a pen test you want to figure out what's on this network, what services are available on this network. You run nmap with a range of IP addresses and you come back with: there's a service there that gives you a successful or some error responses. It allows you to know that that IP address is valid and allows you to know what services may or may not be present on there; it can allow you to detect if there's a firewall present. So nmap is again a blind tool that lets you go through and figure out what's going on. CanMap is pretty much the same thing, and of course Caring Caribou does similar things as well, but I felt like doing it on my own. I don't really like using tools that I didn't write, because I don't actually ever understand how the tools work until I play with them myself with my own hands. I might be the only one who ever uses the tool, but the whole point is it's helped me learn about how UDS works. It's written on top of CanCat, so it's an example of how you can use CanCat's existing API to interact with the bus. So use it as a way to learn how the CanCat stuff works, use it as a standalone tool by itself, whatever; use this as an example or a chance to explore other new tools. As long as people are going out and learning new things, that's my goal.

So the first thing the tool has right now, because it's brand-new, is it allows you to scan for ECUs. Right here, and it'll start over in a second, the first thing I'm doing is scanning for ECUs. There's a couple different ways you can do this: any function you can request, so the things I pointed out earlier, ReadDID, diagnostic session control, data transfer, ECU reset, there's all these things that you could send that would allow you to detect if an address is valid. In this particular case, one of the default modes is just reading, so it tries to read the VIN out of a vehicle, and you can see a bunch of things coming back here. So it's detecting if there's a non-standard response and it logs it in different ways. This is the way that I had figured out how I want to do it.

I want to talk a little bit too about how the scanning works, how UDS works. UDS is the basis of all the different functionality that the dealer tools use: when the dealer goes and interacts with an ECU, if they need to reprogram it, they're going to use the UDS protocol to get this to happen. Well, one of the things that's happening on newer vehicles is there's a CAN gateway sitting on the OBD-II port that's supposed to only let certain things through that are allowed to go through to the rest of the vehicle. One of the things that, by design, it has to allow through is the UDS messages that allow the dealer tool to interact with the ECUs, which means that using UDS will help you find things even getting through a gateway. It's essentially using a firewall's capabilities to allow you to go through it on its own; you don't have to break through it as long as it lets you through in a nice and friendly manner.

So here's the results. The results of my scan are output into a YAML file. I'm not a fan of YAML, but it does work well, and then the YAML file has the list of what are the transmit IDs, what are the response IDs, and eventually what are the actual values of different DIDs, and what is the bus speed that I used for this. And then this YAML file can be used in future scans, which will allow you to not worry about scanning for the ECUs because you've got them already saved in the file, and then you can use those and go on and scan for other things. There's also the notes there indicating what the actual command you ran was, the idea being that it should help you find out how long did the scan take and how did you actually invoke the command that generated the results you see there.

So here again, scanning for DIDs. I'm not going to show you an animated one for that, because it's just a ton of output, but I want to point out a couple things here. Again, looking at the ISO-TP frame IDs, if you take a look at the bottom one, you'll see you've got the zero, one, three and a bunch of twos. Again, that's very classic; it's an easy way to see, looking at the raw CAN messages, that you're looking at an ISO-TP block transfer, and then you can actually see the ReadDID result there. In this case it was one of the application identifiers, F182, whatever. One of the things I also want to point out about how UDS is useful in this case is, by taking a look at the contents that you can get out of the different data identifiers on the different ECUs, once you have extracted the firmware for the ECU they can act as good signposts, because it allows you to have this particular string, search for that string in the firmware somewhere, and then once you find it you can start finding the references, and you know that the references are going to be related to this particular CAN function. So it can allow you to go from an unknown set of information in the software to figuring out how you get back there to the CAN stuff, and once you take a look at the CAN functions, you can see what other functionality might be available through that CAN interface.

One of the other things that I like about the tool CanCat is it allows you to do a save session file. You've recorded all this information, all these CAN messages have been saved, you've been doing hours of testing; well, there's a function called save session to file. You can just type it interactively on the IPython shell, that's the normal way, or what we can do here is, if you pass the -C flag to CanMap, it'll save the session file for you also. It's just a pickle, a Python pickle, if you know how those work. Yes, they're insecure, so don't unpickle other people's pickles that they provide, if that sentence makes sense. But it's really useful, because it allows you to take your logged output, you see here's the results, here's what's going on, and you can take a look at the raw CAN messages themselves. So if something has gone weird, then it can allow you to go find out exactly what's going on here. In my limited testing leading up to this I didn't have time to go through every scenario to figure out what works, but being able to go through and look at the raw messages helps you figure out what's going on.

The last set of functionality I've got in it is scan for diagnostic sessions. I've got the warning here because when I started doing this, things do start acting weird, because it does involve putting the ECUs into different modes. I set the immobilizer off on my car; it did clear as soon as I turned the car off and on again. But again, this is one of those things where once you start messing around with different diagnostic sessions and ECU resets, things can get weird. On the other hand, it can also help you identify which ECU does what on a car. When I was doing the scanning for sessions and I saw, okay, well, here's the session ID, and then I see my radio start rebooting, I know that that session ID is my radio, because just looking at the raw message IDs you don't necessarily know which ECU those belong to, but when you start seeing the actual physical effects on the car, then you can start correlating that to what ECU does what function. Again, here's some results. You can see some of the weird errors I started getting; one of them was, when I go to a particular session after I've been scanning long enough, then it just kind of stopped responding in a friendly manner. Again, I'm not entirely sure why, but looking at the raw messages can help you dig into what's going on. And again, this is the first version of it; it'll get better. It's still sitting in a pull request up to the main CanCat, so it'll get there eventually.

So real quick, wrap up. UDS helps you to enumerate the vehicle's attack surface. It lets you figure out what issues are present, it lets you figure out what data is in there, and the data can then be used to more easily reverse engineer what's going on in the thing. I do want to point out that UDS itself is not necessarily a vulnerability in and of itself; it's simply a way to discover the functionality that's present on the vehicle. The functionality itself might be the vulnerability, right? If I can do things to a car that are bad, if I can unlock the vehicle from an external location, that itself is the vulnerability, not the fact that I found out I could do it with UDS. If I can put an ECU into diagnostics mode while the car's running and then impact the vehicle dynamics, that is the vulnerability, not the fact that I used a session control to do it. This is again similar to the way different protocols work if you're thinking about regular computers. I could go on forever with these if I had time, which I don't. Again, the more tools the better, so I like CanMap, Caring Caribou, Scapy, the other options out there. And lastly, go out there, scan, be curious, play with your own car and have fun.

That's it. I know it was really quick, and if you have any questions, we don't have time right now unfortunately, but please, I'll stand around afterwards; if you have questions, let me know and I'll answer them or go into more detail if you wish. A couple links here: if you haven't yet read Chris and Charlie's paper, it goes a lot into UDS and security access, the seed/key pairs. That's very valuable; go and look at it. It talked about reverse engineering those algorithms out of the dealer tools. The dealer tools are always a valuable resource when you're trying to figure out what the capabilities of a vehicle are. And again, some links to the other different CAN tools here. That's it.

Yes? Yeah, the question was if I've messed with the Tesla 3. I have not personally messed with the Tesla 3. Anyway, I'm pretty sure I'm out of time. It is in a pull request up on the CanCat repo, so if you go up to CanCat and you look for pull requests, you'll find one of them, the branch labeled canmap. So it's working on it; it was a lot of code changes, so it's going to take a little while to review and fix all the stylistic things that I've messed up.

All right, the question was about emulators. So for messing with this, if you play with the socketcan tools, you can create a virtual CAN device, which will allow you to play back pre-recorded data. I did create a testing CAN interface for CanMap; it's kind of limited at the moment, though, but it allows you to kind of fake out the high-level stuff but not the low-level ones. So the short answer is kind of, right? Yeah. And there's also a tool in CanCat now that allows you to go between socketcan dumps, or pcaps, and CanCat session files, so you can convert from one to the other to play with them if you want to. But that is functionality I would like to do eventually, but I'm now a couple minutes past time; whoever's next is going to need to get up here, so I do need to shut down. Thank you, everybody, for being here, and I'll be hanging around afterwards.
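The framing the talk walks through on its slides (first nibble selects the ISO-TP frame type, positive response SID = request SID + 0x40, negative response 7F / SID / NRC, the 0x78 "response pending" that precedes a multi-frame reply, and the 7XX / 7XX + 8 ID pairing) is small enough to decode by hand. The following is an added example, not code from the talk, from CanCat, CanMap or Caring Caribou: a stand-alone Python decoder that reassembles ISO-TP frames per arbitration ID and interprets the UDS payload. The tester ID 0x74A, its reply ID 0x752, every frame in SAMPLE_TRACE and the VIN are constructed for this example; the NRC names are the ISO 14229-1 names for the codes the talk lists.

```python
"""ISO-TP / UDS decoder for raw CAN frames (added example, not code from the talk).

Assumptions: 11-bit IDs paired 7XX -> 7XX+8 as the talk describes; NRC names are the
ISO 14229-1 names for the codes the talk lists. Every frame, ID and the VIN in
SAMPLE_TRACE are constructed for this example, not captured from a vehicle.
"""

# Negative response codes (NRCs) mentioned in the talk, with their ISO 14229-1 names.
NRC_NAMES = {
    0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x22: "conditionsNotCorrect", 0x33: "securityAccessDenied",
    0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
    0x78: "requestCorrectlyReceived-ResponsePending",
    0x81: "rpmTooHigh", 0x82: "rpmTooLow",
    0x83: "engineIsRunning", 0x84: "engineIsNotRunning",
    0x8A: "throttle/PedalTooHigh", 0x8B: "throttle/PedalTooLow",
    0x8C: "transmissionRangeNotInNeutral", 0x8D: "transmissionRangeNotInGear",
}

# Service IDs (SIDs) that appear on the talk's slides.
SERVICE_NAMES = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
                 0x22: "ReadDataByIdentifier", 0x27: "SecurityAccess"}


def expected_response_id(request_id):
    """Standard 11-bit pairing from the talk: request 0x7XX, response 0x7XX + 8."""
    return request_id + 8


class IsoTpReassembler:
    """Reassembles ISO-TP frames seen on one arbitration ID into UDS payloads.
    feed() returns the complete payload once a message is finished, else None."""

    def __init__(self):
        self.expected_len = 0
        self.buf = bytearray()
        self.next_sn = 1

    def feed(self, data):
        frame_type = data[0] >> 4                 # first nibble selects the frame type
        if frame_type == 0:                       # single frame: low nibble is the length
            return bytes(data[1:1 + (data[0] & 0x0F)])
        if frame_type == 1:                       # first frame: 12-bit total length
            self.expected_len = ((data[0] & 0x0F) << 8) | data[1]
            self.buf = bytearray(data[2:])
            self.next_sn = 1
            return None
        if frame_type == 2:                       # consecutive frame: low nibble is the sequence number
            if (data[0] & 0x0F) != self.next_sn:
                raise ValueError("ISO-TP sequence number out of order")
            self.next_sn = (self.next_sn + 1) & 0x0F
            self.buf.extend(data[1:])
            if len(self.buf) >= self.expected_len:
                return bytes(self.buf[:self.expected_len])
            return None
        if frame_type == 3:                       # flow control: block size / STmin, carries no payload
            return None
        raise ValueError("unknown ISO-TP frame type %d" % frame_type)


def decode_uds(payload, is_response):
    """Interpret one reassembled UDS payload as a request or a response."""
    sid = payload[0]
    if not is_response:
        return {"kind": "request", "service": SERVICE_NAMES.get(sid, hex(sid)),
                "data": payload[1:]}
    if sid == 0x7F:                               # negative response: 7F <SID> <NRC>
        return {"kind": "negative", "service": SERVICE_NAMES.get(payload[1], hex(payload[1])),
                "nrc": payload[2], "nrc_name": NRC_NAMES.get(payload[2], "unknown")}
    req_sid = sid - 0x40                          # positive response: request SID + 0x40
    out = {"kind": "positive", "service": SERVICE_NAMES.get(req_sid, hex(req_sid)),
           "data": payload[1:]}
    if req_sid == 0x22 and len(payload) >= 3:     # ReadDataByIdentifier echoes the DID first
        out["did"] = (payload[1] << 8) | payload[2]
        out["value"] = payload[3:]
    return out


def decode_trace(trace):
    """Walk (arbitration_id, frame_bytes) pairs, pair IDs, reassemble and decode."""
    reassemblers, tester_ids, decoded = {}, set(), []
    for arb_id, data in trace:
        is_response = (arb_id - 8) in tester_ids  # reply ID = an already-seen request ID + 8
        if not is_response:
            tester_ids.add(arb_id)
        payload = reassemblers.setdefault(arb_id, IsoTpReassembler()).feed(data)
        if payload is not None:
            decoded.append((arb_id, decode_uds(payload, is_response)))
    return decoded


# Constructed trace in the shape of the talk's slides: 0x74A is a made-up tester ID,
# 0x752 = 0x74A + 8 is the ECU's reply ID, and the VIN is a fake value.
SAMPLE_TRACE = [
    (0x74A, bytes.fromhex("02 10 03 00 00 00 00 00")),  # DiagnosticSessionControl, session 3
    (0x752, bytes.fromhex("06 50 03 00 32 01 F4 00")),  # positive: 0x50 = 0x10 + 0x40, then timing bytes
    (0x74A, bytes.fromhex("02 10 04 00 00 00 00 00")),  # session 4
    (0x752, bytes.fromhex("03 7F 10 12 00 00 00 00")),  # negative: 7F, SID 10, NRC 12
    (0x74A, bytes.fromhex("03 22 F1 90 00 00 00 00")),  # ReadDataByIdentifier, DID F190 (VIN)
    (0x752, bytes.fromhex("03 7F 22 78 00 00 00 00")),  # NRC 78: response pending, not a failure
    (0x752, bytes.fromhex("10 14 62 F1 90 31 48 47")),  # first frame, 0x14 = 20 bytes total
    (0x74A, bytes.fromhex("30 00 00 00 00 00 00 00")),  # flow control from the tester
    (0x752, bytes.fromhex("21 43 4D 38 32 36 33 33")),  # consecutive frame, SN 1
    (0x752, bytes.fromhex("22 41 31 32 33 34 35 36")),  # consecutive frame, SN 2
]
```

Running `decode_trace(SAMPLE_TRACE)` yields seven decoded messages: the flow-control frame produces nothing, the 0x78 negative response is reported with its name so a scanner can keep waiting rather than mark the DID as unsupported, and the three frames beginning `1`, `2`, `2` on the reply ID reassemble into a single ReadDataByIdentifier response carrying DID F190 and the 17-byte VIN.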
Info
Channel: DEFCONConference
Views: 954
Rating: 5 out of 5
Keywords: DEF, CON, DEFCON, DEF CON, hacker conference, security conference, information security conference, information security, conference speakers, hackers, hacking, hacking videos, security research, car hacking, automotive hacking
Id: REpUPwHLYvk
Length: 29min 32sec (1772 seconds)
Published: Thu Dec 05 2019