>>You guys are at DEF CON, I didn't know if you knew that. Saturday morning, we've got a fantastic talk. This guy has presented with us before. He's coming back to talk to you about, it's a, remote, hacking remote car starters.
>>Yep.
>>Perfect, so without further ado I will let JMaxxz get to it. Let's give him a big round of applause. [applause]
>>Thank you. How's everyone's DEF CON going? [low audience cheers and applause] Really? Let's try that again. How's everyone's DEF CON going? [audience cheers and applause] Okay. So my name's JMaxxz. I'm a software engineer by trade, hacker by passion. I pretty much like anything to do with locks, and throughout this talk you're going to hear lots of opinions. Those opinions are my own; they're not my current employer's, past employers' or future employer's opinions. Louder? Okay. All the opinions are my own. Summary of the last statement. If you like what you see or you don't like what you see, hit me up on Twitter, handle's @JMaxxz, I'll try to get back to you.

So a little bit on the back story here. As you've probably figured out, this talk's about cars. But it's not about cars themselves, it's about aftermarket remote starters and alarm systems. And I think it's important to provide a little backstory here because we may look at these devices and think they're somewhat of a luxury item, who would really want that. And so I want to tell you how I got into looking at these. So where I live, it's cold, some would say really cold. And my girlfriend has a condition called Raynaud syndrome, and what that is, is the blood vessels in her extremities will constrict if she gets cold, and that can cut off blood flow to her hands, for example. If you go without blood flow in your hands for a while you can end up with something very similar to frostbite. And it's about November of last year and I haven't figured out what I'm going to get her for Christmas yet. And she comes home from the airport one week after traveling for work, and she gets home and she's very upset because her car never warmed up on the way home. At that point I say okay, I figured it out, I know what I'm going to get her. I'm going to get her a remote car starter.

And so I start looking around at all the various options out there for remote starters, and there's a lot of them, and I notice that quite a few of them won't give you, the consumer, information. They won't give you access to how to install it, they won't give you access to the tool chains you need to program the unit. And that's kind of a problem for me: it's my car, it's my remote starter, I should have access to those tools. So I looked around a bit more and I find a company out of Canada, Fortin, who makes a remote starter, and they provide documentation fairly willingly, not only on how to install the unit in various cars but also the tools you need to program the unit. So I'm like, that's perfect, that's what I'm gonna get, and I start looking around for remotes.

So with remote starters, while you could use the factory remote, your range would then be limited to the factory remote. And you can get aftermarket remotes with these units, and they'll advertise ranges anywhere from a half a mile to a mile and a half. But from the reviews it's apparent that those are advertised ranges, and in the real world you see much less than that. And the problem is, as I said, she travels for work a lot, and my concern is she's not going to be able to start her car from a mile and a half away when she's at the airport; there's a lot of concrete. So I'm thinking, ya know what would be great is if she could just pull out her phone, open an app on the phone and hit start. And so I look around Fortin's list of third party vendors that integrate with their system. And I find this one called MyCar. And what it is, is a little cellular unit with a GPS in it that you can put in the car and hook up to the remote starter, and then this provides the capability of being able to pull up your car in an app on your phone as a picture of what your car should look like based on its make and model; you can start the car, unlock your car, do anything you can do with a key fob. I'm like, that's perfect: when the plane lands she can start her car, and by the time she gets to it, it should be warm.

So at this point let's talk a little bit about how remote starters work. In order to understand remote starters we first have to understand how cars start. Traditionally cars started off of a keyed switch. It's just a keyed switch, there's nothing fancy there. When you're putting the key in the ignition you're completing a circuit when you turn it: so when you turn it to the accessory position you're completing a circuit that will power up the interior of your car, when you turn it to the crank position you're powering up the starter motor. And this was true up until around the mid-nineties. Around that time vehicle immobilizers started to become fairly popular on the US market. An immobilizer may sound fancy; it's just an electronic lock. So you have the mechanical lock that is the key, and then you have an electronic lock that is a transponder and something to read that. And if you don't unlock the electronic lock your car won't start. So in the slide here, on the left side there's a key with an over-molding, and on the right side there's a key that's just a metal insert. The one on the right will just actuate the mechanical components, whereas the one on the left can actually unlock that electronic lock that allows your car to start.

So why do I mention this? Well, remote starters today have to bypass the immobilizer; it's necessary for the remote starter to work if you want it to work in a modern car. And so if we look at how you could hook one of these systems up to your car, here's an example from Fortin's documentation showing how the unit I got, the EVO One, gets hooked up. So on the lower left side there's a couple lines that are labeled IMO, and those have to do with dealing with the vehicle's immobilizer. And then if you go to the very top on the right side there's a couple lines labeled CAN high and low. And those are connections to the vehicle's CAN bus. The reason the remote starters connect to the CAN bus is to reduce installation costs, because it's fewer connections your installer has to make. So if they can read data off the CAN bus or they can send commands over the CAN bus, they're motivated to do that because again it reduces installation times. On the left side of the screen at the very top there's a bunch of GPIO; these are just related to controlling or reading information about the car. So for example when you hit the lock button maybe you want the lights to flash and the horn to honk; that can be controlled by these GPIO. And at the bottom on that side, that big chunky connector is the high current interface, and what that does is bypass the mechanical side. So as I said, when you turn your key you're completing a circuit; that big chunky connector there allows those circuits to be completed with simple relays inside of the remote start unit.

So here's just a couple pictures from installing the remote starter. Basically it just consists of pulling off the steering wheel column, making a couple electrical connections in the footwell. It's really not that complicated; it looks fairly daunting but it's not that hard to do. The remotes themselves get hooked up over what Fortin calls data-link. It's a proprietary protocol; really it's just five volt UART running at 9600 baud, and it just connects via a bus, so these two remotes here that I'm showing would be connected to the same UART connection.

So sometime after installing the unit, I start thinking, you know, I wonder how this affects the security of that vehicle. Obviously it has to bypass the immobilizer, but how secure is this, not only the cellular side but the remote start side? So I start looking online to see if maybe Fortin publishes the protocol for their data-link so I can start looking from that side. So I go to the forums, and people have actually asked for the protocol, and consistently they're told no, we don't give out that information. One of the more entertaining responses I saw was this one, where they say the EVO is not meant to be used as a hobbyist toy. It's meant to be used as a tool by professionals. So, I'm a professional of sorts.
[laughter] I set about building my own car on my workbench. So I got a second unit, put together a breadboard that represented a car: some switches to represent the ignition, momentary buttons to represent the brake pedals and a bunch of LEDs to represent various states. I get everything wired up and I hook up an FTDI device to start monitoring the data-link. And I'm capturing data, and at first it looks something like this. I mean, okay, it's not really apparent what's going on here, but if you squint your eyes just right you can tell there's definitely some structure here.
Paying a bit more attention, I notice that whenever I press the button on my remote, the message that is sent by the antenna to the remote start unit always starts with 0C and ends with 0D. So if we just split what we're receiving based on 0C being the start and 0D being the end, we end up with something more like this. At this point it's clear there's some structure here and we can figure out what's going on. So putting in a bit more time and being a bit more diligent about keeping track of what button I pressed and what message I saw, eventually I'm able to put together a spreadsheet where I figure out what each of the commands and each of the messages look like.

And so here's just a simple breakdown of what a typical command looks like over the data-link protocol. When you press a button on your remote, the antenna sends the remote start unit a command that looks like this. So you have a start sentinel, that's 0C. You have two bytes that represent the direction, or at least that's what I think it represents; that's somewhat interesting because UART is already directional, there's already a transmit and receive line, so that's why I've labeled it garbage, just treat it as a constant. Following that we have a single byte that represents the command the user would like to run, so this could be lock, could be start, stop, panic; anything that you can do from the remote will have a command associated with it. Following that we have a payload; in the case of messages coming from an antenna to the remote start unit this payload is almost always going to be an address or ID that identifies the remote antenna that the message came from. If the remote start unit doesn't recognize an ID it will ignore the command. And to get a remote start unit to recognize the ID there's a multi-step procedure that involves putting the key in the ignition, turning it on or to the accessory position and then hitting the brake pedal some number of times, pressing some buttons on the remotes. It's a procedure, doesn't really matter, but it learns the ID at that point. And if we look at the end of the message, it ends with a checksum and that end sentinel that we identified earlier. So now that we understand how the protocol works, what can we do with it?
So, to show this I have a couple videos. Do we have sound? Let's try this again.
>>Not found. Guys, anything? It's playing. Oh, presentation view, got it. Oh my God. God dammit. Let's do this. Ch, ch, ch. [inaudible audio] [applause] Yeah. Okay.
>>Okay. Let's try this again. Still no sound. [inaudible] It's plugged in. Okay, guess we're just gonna be talking through this then. So what I'm showing you there, let me scrub back, okay, so that white box there is a development board I have; it's a Particle development board running firmware I wrote that understands the Fortin protocol. It allows me to interact with the Fortin remote start unit. So what I'm showing here is I send an unlock command to the car; well, you should have seen the command in the previous one. The unlock command doesn't work because the remote start doesn't know about that antenna.

So as I mentioned, it's just UART, and one of the things with remote start units is they'll often support what's called two-way communication. So they're able to tell the remote about the state of the car, for example if the car's started or stopped, and to do this the remote starter sends a message back to the antenna, and when they do this they include the address of the antenna they'd like to send the message to. The problem here is, because it's going over the UART connection and it's a flat bus, anyone on that bus can see that address being sent. So in my firmware there's the capability to clone an address. So if we turn on the clone mode, at this point I'd really like sound. So at this point we need to generate a message, and to generate a message we can just simply open the car's door. So by opening the car's door, the car sends the remote starter a message, or sends the antenna a message, saying that the door has been opened. At this point in the video the alarm is going off; you'll just have to take my word for it, but it is. And we've also cloned the antenna, or cloned the ID, because it attempted to communicate with the antenna.
Now when we send unlock, the alarm shuts off and the car unlocks. So here.
>>So here's sound settings in here, should, audio settings, mouse. Yeah, see, you need to drag there. [inaudible]
>>Kay, let's try this again. [inaudible video sound] It's going, we don't hear anything. Okay, so where's my mouse?
>>Go into the sound settings. There we go. Sound settings. Click. Try speakers. That should do it. [bell ring]
>>Hey. [applause] Okay, what you see, so what we have here is a Subaru Impreza, the alarm going off, one remote start alarm system installed and plugged into the antenna lead, but I have my Particle board, and if we send an unlock command from the Particle, we'll send the command but nothing will happen. What we can do then is we can just clone an existing antenna. So if we wanna tell the firmware, hey, we want to clone an existing antenna, now we just need to generate a message that's going to cause the remote start unit to reach out to one of the antennas and try to tell it something. So in this case it's as simple as opening the door. [alarm sound] Now the alarm may be going off, but we've managed to clone the address. Now we can just send an unlock command. And we've unlocked the car and disabled the alarm. [applause] So at this point we've managed to send the command to the remote start system, get an alert, all without the key.

So now let's try starting the car. [sound] Okay, now let's say we want to actually start the car. Normally, if we just type start and we try to run the start command, it won't work, and the reason is this car is a manual transmission, and remote start systems will normally have a special procedure when it comes to manual transmissions. In this case it's: you have to, with the key in the ignition, hit the remote start button while the car is running, and then you can pull the key out, walk outside the car, and when you shut the door your remote start will shut off the engine and it will lock the doors. And this is to keep the car from ever remote starting while it's in drive, because that's dangerous.
However, it's not really a security feature, and to prove that, it's as simple as, if we take a look at one of these remote start units, what makes it work in the manual transmission mode is this loop of wire here. If you cut this loop of wire it switches to the automatic transmission mode. In that case it doesn't require any special setup. So you just saw the start didn't do anything, so what I'm going to do is, I'm going to reach under the dash, I'm going to cut this connection; to make that easy for this demo, I can just install a switch on this loop. Okay, the connection's been cut, now if we re-run the start command [beep] this time the car starts right up. So at this point we have a car that we can start, we can add the remote to it, we can start without a key. But if you have a remote start unit you know that's not everything you need to do; there's usually a key takeover procedure, you normally, well, you shouldn't be able to drive away on a car that's remote started. But, let's say we want to drive away on a car that's remote started. [applause] How would we do that? Here's a video.
So to disable the wheel lock, okay, I've put a normal key in the ignition. This does not have the transponder in it, so it can't actually be used to start the car. However, we have it in the ignition, and we actually only have it in the accessory position (this is a different video), and that's enough to disable the wheel lock on the Subaru Impreza; you do have to go all the way to ignition to get the wheel lock to cut off. And now. Okay, sorry, not my computer, don't know what's going on there. Okay, I want this video. Let's try this again. There we go.

So now that we have the car started without a key, let's say we want to drive off. This is where it gets a little bit tricky, because these remote start systems will have some form of key takeover. And what that means is the owner can put the key in the ignition, turn it to the ignition setting and then transfer over to that. But if we don't have the key, the moment we press the brake pedal to drive off, the car will shut down. Now if we want to get around that, it's fairly simple. We just have to figure out how the car is telling the remote starter that the brake is being pressed; in this case that's happening over CAN bus, and plugged into one of these ports back here is the CAN bus connection, and if we just unplug that while the car is remote started it'll no longer care if the brake is being pressed. Now because that's under the dash, what I'm going to do here is I'm going to start and unlock the car [beeping] so I can get out and get that disabled; I'll show you that in a second. Okay, now we're under the dash here, and I have my remote starter right down here, and there's a little white connector here, and that's the connection to the CAN bus. If I unplug that, you'll see that the car is still running and we still do not have a key in the ignition, and at this point if I get in the car and hit the brake, so if I press the brake, the car will not shut off, and that's because it doesn't know that the brake pedal is being pressed. So at this point we can get in the car, we can put the car in drive and we can proceed to drive off in the car. All without a key. [applause]

Okay, so there's an important note to make there. And that was that click you heard at the end. That was actually the wheel lock of the car itself engaging. So the wheel lock is entirely mechanical. So we can't defeat that electronically here; you have to use something mechanical to get around that, so, breaking the cylinder, or something else, something I really wasn't interested in doing in her car.
So all the firmware for what I demoed is available at GitHub; it will be made public after this talk. You just go to GitHub dot com, forward slash JMaxxz, open remote start. You'll find the firmware I was using along with the schematic for my little dev board there.

But now let's get on to what you're really here for, which is what happens when we add the internet to this system. Because that should make it better, right? As I mentioned, the unit I got is the MyCar unit. But MyCar's sold under many different names, and the unit I got was branded LinkR LT by Omega. But this isn't the only brand name it's sold under. It's sold under MyCar, MyCar Vision, Car Link, Link R. But also Kia. It seems for a while Kia dealerships in Canada were installing this system, or at least that's what the MyCar Kia app seemed to imply based on its description. Interestingly, that application is no longer available on the app store. I also want to note that while I'm just looking at MyCar and Fortin here, that doesn't necessarily mean that other systems are better. At the same time I was doing this research, Cybergibbons and Pen Test Partners were looking at other systems with similar capabilities, and they found very similar issues with those systems as well.
Which brings me to the real question, the thing I want everyone to be thinking about, which is: how does this happen? How does a product with the issues I'm about to show you make it to market without anyone saying anything? And if anyone here has an interest in looking at remote car starters, there's a couple things I want to point out. First, as I mentioned earlier, if a remote start system is misinstalled in a manual transmission vehicle, it's possible a car could start while in gear. This means the car could actually start moving; the engine could actually start up and now you have a car that's moving without anyone behind the wheel. So that's obviously dangerous, but there's actually a more subtle and I think bigger risk, and that's, if someone parks a car with a remote start system in an attached garage and it's remote started accidentally or without their knowledge, carbon monoxide can enter the home and that could create a very dangerous situation. So if you do have a remote start system you should definitely have carbon monoxide detectors, but also, if you're looking at remote car start systems, just like with locks, never start a car you don't own and you don't know where it is. Because the consequences could be dire.

So looking at the MyCar unit, it's this little black box with this eight pin header; two of those pins are actually for a debugger interface. Connecting to this debug interface, it's obvious the unit is running Linux, a fact which, as far as I can tell, the manufacturer does not disclose. If you want to drop into the Linux shell, the password's actually O U Linux one two three, so if you do get one of these, there you go. But without logging in you can use something they call the AT engine, and this lets you run AT style commands on the command line, so you can do things like change the IP address the unit is talking to.
And if we look at the diagram, at the bottom where it says IP, this is actually the server that the MyCar unit talks to, to communicate updates. And just under that there's an L Port; that's the port that this is listening on to receive commands. Using the AT engine and changing the IP this was talking to, changing it from one that MyCar controlled to one I controlled, I was able to determine that this device is talking via unencrypted UDP. I didn't do much looking into that, but I thought that was fairly significant and interesting. So here's some more information on this if you wanna pick one of these up. A couple things to note: voltage kind of matters on that UART, and while the documentation seemed to imply it could be tolerant of much higher voltages, next year I'll tell you if I chose that; you gotta be a bit more careful.
So as I said, where I live it gets cold, and about a month after I gave this system to my girlfriend my curiosity got the better of me. When I installed the system I had a nagging feeling that I was opening her up to some security risks. But I said, you know, don't look at it, ignorance is bliss, just don't think about it, just don't think about it, just don't think about it, and I was able to do that for about a month. And after a month I pulled the cellular unit out of her car, put it on my bench and started playing with it. And the forecast the next week was cold, negative thirty Fahrenheit, and ya know, I was able to connect to the shell, get it working. And the cellular reception in my home lab is not that great, so at some point I decided I wanted to work on it with a different computer, and the FTDI device I'm using doesn't have particularly long cords, so I go find a different one, plug in to my computer, plug into my remote start unit, power everything up, and all the magic smoke leaves the unit. And she's flying out tomorrow. So at that point there's a lesson learned there. If you wanna do any type of hardware hacking and you can't afford to lose the unit, always have a spare. But if you ask my girlfriend, the moral of the story is maybe if your significant other is a hacker, don't let them play with your Christmas presents.

So now let's look at the software. No chance of magic smoke here, I hope. I fire up a man-in-the-middle proxy, I disable SSL validation on my phone, I begin sniffing what traffic is being sent by the application to the back end. And during the registration process I notice it takes my email address, sends it to a web service to check to see if that email address is tied to an existing account. And it's using basic authentication, which is interesting because I haven't created an account yet.
So I don't really know what to do with that, and I kind of file it away in a notepad and move on. I create my account, I log in, and one of the first things the application does when you log in is it calls a web service to check who the current user is. So I just call that web service with the credentials that I saw earlier, that were used to check to see if my email address exists, and the response I get back is MyCar Admin. [laughter] Now at this point I really don't think this is the admin, because this has to be a low privilege account with a really important sounding title; after all, we all know people like this. So I create another request to start my car using this account, I hit send and I get back 200 OK. And about three seconds later my car starts right up. So it turns out that the MyCar admin account was an admin account. Hardcoded into the mobile application.

But it doesn't stop there. In the previous response you may have seen this thing called API key. Again from monitoring traffic from the man-in-the-middle proxy, I know you can use these API keys in place of a username and password: if you use the fixed username API and one of these API keys, you can authenticate as a user. So I copy and paste this string into the password field on Postman, set my username to API and I hit send. And it doesn't work; I don't get back a response and I don't know really what's going on, I'm a little confused. I stare at it for probably a good five minutes, and it dawns on me I forgot to strip the quotes and comma from the API key, and looking at the response there is a SQL error. At this point it's apparent that you could have just used basic SQL injection to bypass the entire login process and become the admin or any user you wanted. Like, this is not at all complicated. So let's have some fun with SQL injection; I don't think anyone's ever started a car with SQL injection before. So let's try that. So I crafted a SQL injection that targets my user account, skips the whole password thing, we'll just use SQL injection for that, hit send, I get back my status 200 OK, but this time I was smart enough to record a video. Now the video's a little dark because I didn't realize I was going to be doing this talk at that time, so if this works the car should start via SQL injection. Sorry, one of these times I'll get this right.
Okay, where is the window. And, it, oh, you have it here, and sent. So this is in my office looking outside. You can see the reflection of my computer screen there. And there the car is starting. Okay, so there we go. We've started a car with SQL injection. [applause] But it really doesn't stop there. They didn't just have SQL injection in the login, they had SQL injection everywhere, whether it be the URL path, query string parameters, bodies; it seemed like everywhere you looked there was SQL injection. And looking at the SQL error messages, we can see that what we are entering as a password is being compared directly against a column named password in the database. So what this means is they have plaintext passwords and SQL injection. As they say, not good, very bad.

Okay, so that's enough with that SQL injection stuff, let's see what else we can do. So as I showed before, here's how you remote start a car: you just post a command to this commands API saying your command type of engine start, and you get back an integer ID representing the command ID; you can then poll the service to get the status of that command. And it looks something like this. And so ya know, I get to thinking, and I increment and decrement my command ID and I notice I get responses back; it seems to be pulling any command ID. Try a couple more values, and sure enough it's pulling back any command that's ever been sent in the system. Now there's not really anything sensitive here, so it's not really that big of a deal, but I get to thinking maybe there's a direct object reference that I can use to start my car. So I take the start command from a legitimate user, for my user account, and try to call it via my second user account that shouldn't have access. And I get back an error message saying 401 Unauthorized, account out of hierarchy. So maybe it won't work. However, if you look at that API there's actually duplicate information. The user's email address and their account ID are roughly correlated; both specify a user, and if you design APIs, or rather if you hack APIs, duplicate information is a source of bugs. In this case a developer could implement this in these four different ways. So if we look at case two and case three, both highlighted in red, those will result in a direct object reference; both of those don't properly check to see if we're authorized to run the command. So what we can do, so we tried case two, it didn't work, what about case three? To try case three we simply have to change the account ID in the URL. Previously we were using the victim's account ID; let's just use the attacker's account ID. So I set the account ID to be the attacker's account ID rather than the victim's, keep the device ID as the victim's device and send the command, and sure enough, 200 OK, I get back my command status and a couple seconds later MyCar starts right up.

So what does this mean? So via three different vectors we were able to basically do everything a legitimate user could do. But let's call out what that is: we can locate any car in the service, we can identify the type of vehicle it is, make and model, we can unlock the car, we can start the car, we can edit the car, we can do anything. And there's three different ways of doing this. So obviously MyCar tried to fix some of this; in the case of the hardcoded passwords it seems they just put a reverse proxy out in front of the application to hide the credentials they were using.
Well, you see, there's a problem with this: reverse proxies aren't magic and they don't fix everything, and in this case they kept the SQL injection in the backing service, and so while I no longer had the password, I still, with no authentication, could do SQL injection via the check user. So that was interesting, and at that point I decided okay, let's see what else is here, let's see if they left more, and the device registration still seemed to have SQL injection, and both of these things still seemed to be vulnerable up until about thirty-six to twenty-four hours ago, so, yeah. So Googling around, you may have noticed all the URLs here are M2M suite dot com. And so I thought I would take Google and search for M2M suite. I came up with this site. This must be some type of back end interface for the MyCar system. And so obviously the only thing you do when you see this is throw a couple single quotes in there and see what happens, and of course what happens is you get SQL injection. [applause]
And this is months after the initial disclose uh that they
had a problem with sql
injection. Um so if you have sequel injection you should
really fix it as soon as
possible. Um, but none of this is what I consider to be the
most offensive bit of this all
and that’s actually has to do with location. So MyCar has =
GPS unit it can track the
location of your car and in their application they will
gladly show you your car’s
current location and that’s the only way that this gets used in
the application. Now if we look
at their APIs it’s not just your cars current location. They seem
to be storing a heck of a lot of
information uh much more than what is needed to keep track of
your car’s current location , In
the case of my account over a span of thirteen days they have
a little under two thousand data
points about my vehicle’s location. None of this was
disclosed in their privacy
policy. But it gets worse than that. Maybe you can argue this
was a development mistake make
this is a, this is a side effect of the way the service is
implemented There’s another API
where they w- analyze your data and instead of just have a list
of places you’ve been they
identify top locations your vehicle has ben, frequent places
you visit. Again to my knowledge
this is not disclosed in the privacy policy I can’t find
anything there that would um
indicate they were going to do this. So maybe this isn’t that
surprising though because after
a bunch of searching I believe I found the parent company of
MyCar and their company called
Procon Analytics and I went to their site and I went to their
frequently asked questions page.
And, and looked at the question how do you secure data? And to
this they said, unlike public
cloud environments that battle for priority Procon Analytics
uses virtual private cloud that
supports only our customers and application with no interference
from other users this dedicated
highly secure environment ensures high availability,
faster deliverability of
service, when you partner with Procon Analysts you can be
assured your data is secure and
protected. I really don’t even know what to say to that.
[laughter] But if we head over
to their Facebook page, they say more. There they simply say,
protecting vehicle data is
vital. And to that I have to say, I agree. So back to the
question that, that I said at
the beginning of this talk. How does this happen? And maybe more
importantly as an industry how
do we stop this from happening again? And so that’s my talk and
at this point I’ll take any
questions you have. [applause] [inaudible audience question]
Kay so the question is did they
fix everything? At this point, I believe everything I reported is
fixed on the MyCar side with the
exception of the privacy stuff I mentioned at the end, last I
checked that was all still the
case. [inaudible audience question] I don’t know, I don’t
have any vectors that I know of
that generate sequel error messages though I haven’t looked
too hard. [inaudible audience
question] Could you come closer so I can hear you? [inaudible
audience question] Sure um so I
said I could edit the car, the question about was well you said
you could edit the car could you
edit the paraments in like the ECU. Um, what I was specifically
referring to there was editing
the car in the MyCar service so they keep a digital
representation of your care, um
and so that could have been edited via the direct object
preference sequel injection or
any of the other vectors discussed. [inaudible audience
question] So the question was
about do you have a push button start system will slow you to
unlock the steering wheel to get
around the steering wheel lock so my, may car has a push button
and there is no steering wheel
lock so I suspect if you installed one of these in a push
button car you definitely
couldn’t rely on a steering wheel lock. Cool, thank you.
[applause]
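The "case three" authorization gap and the string-built "check user" query the talk describes, as an added example that is not the speaker's code and is not taken from the MyCar service: the tables, account and device numbers, and handler names are constructed here for illustration. The vulnerable handler authenticates the caller as whatever account ID sits in the URL but never ties the device to that account; the fixed handler resolves ownership from the session alone and uses parameterized SQL.

```python
import sqlite3


def build_db():
    """Constructed in-memory fixture: two accounts, each owning one device."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE devices(id INTEGER PRIMARY KEY, account_id INTEGER);
        INSERT INTO accounts VALUES (1, 'victim'), (2, 'attacker');
        INSERT INTO devices VALUES (100, 1), (200, 2);
    """)
    return db


def send_command_vulnerable(db, session_account, url_account, device_id):
    """Case-three style check (hypothetical reconstruction): the caller must be
    logged in as the account named in the URL, but the device is only checked
    for existence, never for belonging to that account."""
    if session_account != url_account:
        return 403
    row = db.execute("SELECT 1 FROM devices WHERE id = ?", (device_id,)).fetchone()
    return 200 if row else 404


def send_command_fixed(db, session_account, url_account, device_id):
    """Hardened: the URL's account ID is untrusted input and is ignored; the
    device must be owned by the account the session was authenticated for."""
    row = db.execute(
        "SELECT 1 FROM devices WHERE id = ? AND account_id = ?",
        (device_id, session_account),
    ).fetchone()
    return 200 if row else 404


def check_user_concatenated(db, name):
    """String-built lookup of the kind the talk describes: a single quote in
    `name` becomes part of the SQL, which is why the probe the speaker
    mentions produces database errors instead of a clean 'no such user'."""
    return db.execute(f"SELECT id FROM accounts WHERE name = '{name}'").fetchall()


def check_user_parameterized(db, name):
    """Same lookup with a bound parameter: quotes in `name` are just data."""
    return db.execute("SELECT id FROM accounts WHERE name = ?", (name,)).fetchall()
```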
Really?!? SQL injections?!? Somebody had to have been fired over this.
Wow. Just. Wow.
So, how does this happen? Obviously people who don't even know the basics of using a database did the SQL stuff. Forget parameterizing, they didn't even escape the input strings. Must have been outsourced to the absolute lowest bidder.
Oh man, I love DEFCON talks. This was one HELL of a roller coaster.
What is a "direct object reference bug?"
At this point I'd be more surprised if it didn't.
I was a professional installer for a couple years and I have looked into hacking these things myself. Unlike him I had full access to the proprietary documents for every vehicle and some protocol information along with an installer activation account. I can confirm the two leading brands Viper and Compustar (much better than Viper) are fairly secure. The problems come into play when you start trying to make a cheap product cheaper. The reason they don't provide the information he was mentioning is due to the fact they have to pay quite a bit for that information themselves just to design the system, if that information is even buyable from the car manufacturer. Not to mention there are a lot of people who will screw up their car and try to sue the company because they didn't know how to read a wiring diagram. So when you find a company willing to disclose this information and sell you a cheap product you should be skeptical. The moral of my story is get a professional to do it, trust them and you should not have to worry about a hackjob company.
Love this talk
Your Car is My Car And My Car is Your Car