Jmaxxz - Your Car is My Car - DEF CON 27 Conference

Reddit Comments

Really?!? SQL injections?!? Somebody had to have been fired over this.

143 points · u/gbbas · Feb 25 2020

Wow. Just. Wow.

27 points · u/simondrawer · Feb 25 2020

So, how does this happen? Obviously people who don't even know the basics of using a database did the SQL stuff. Forget parameterizing, they didn't even escape the input strings. Must have been outsourced to the absolute lowest bidder.

13 points · u/heyf00L · Feb 26 2020

Oh man, I love DEFCON talks. This was one HELL of a roller coaster.

26 points · u/deadcell · Feb 25 2020

What is a "direct object reference bug?"

11 points · u/lordlicorice · Feb 25 2020

At this point I'd be more surprised if it didn't.

5 points · u/hbdgas · Feb 25 2020

I was a professional installer for a couple of years and I have looked into hacking these things myself. Unlike him, I had full access to the proprietary documents for every vehicle and some protocol information, along with an installer activation account. I can confirm the two leading brands, Viper and Compustar (much better than Viper), are fairly secure. The problems come into play when you start trying to make a cheap product cheaper. The reason they don't provide the information he was mentioning is due to the fact that they have to pay quite a bit for that information themselves just to design the system, if that information is even buyable from the car manufacturer. Not to mention there are a lot of people who will screw up their car and try to sue the company because they didn't know how to read a wiring diagram. So when you find a company willing to disclose this information and sell you a cheap product, you should be skeptical. The moral of my story is: get a professional to do it, trust them, and you should not have to worry about a hackjob company.

2 points · u/aeroverra · Feb 29 2020

Love this talk

1 point · u/crikeydilehunter · Feb 25 2020

Your Car is My Car And My Car is Your Car

1 point · u/leurak · Feb 26 2020

Captions
>>You guys are at DEF CON, I don't know if you know that. Saturday morning. We've got a fantastic talk. This guy has presented with us before. He's coming back to talk to you about remote hacking, hacking remote car starters. >>Yep. >>Perfect, so without further ado I will let Jmaxxz get to it. Let's give him a big round of applause. [applause] >>Thank you. How's everyone's DEF CON going? [low audience cheers and applause] Really? Let's try that again. How's everyone's DEF CON going? [audience cheers and applause] Okay. So my name's Jmaxxz. I'm a software engineer by trade, hacker by passion. I pretty much like anything to do with locks, and throughout this talk you're going to hear lots of opinions. Those opinions are my own; they're not my current employer's, past employers' or future employer's opinions. Louder? Okay. All the opinions are my own. Summary of the last statement. If you like what you see, or you don't like what you see, hit me up on Twitter, handle's @JMaxxz, I'll try to get back to you. So a little bit on the back story here. As you've probably figured out, this talk's about cars. But it's not about cars themselves, it's about aftermarket remote starters and alarm systems. And I think it's important to provide a little backstory here, because we may look at these devices and think they're somewhat of a luxury item, who would really want that. So I want to tell you how I got into looking at these. So where I live, it's cold, some would say really cold. And my girlfriend has a condition called Raynaud's syndrome, and what that is, is the blood vessels in her extremities will constrict if she gets cold, and that can cut off blood flow to her hands, for example. If you go without blood flow in your hands for a while you can end up with something very similar to frostbite. And it's about November of last year and I haven't figured out what I'm going to get her for Christmas yet.
And she comes home from the airport one week after traveling for work, and she gets home and she's very upset because her car never warmed up on the way home. At that point I say okay, I've figured it out, I know what I'm going to get her. I'm going to get her a remote car starter. And so I start looking around at all the various options out there for remote starters, and there's a lot of them, and I notice that quite a few of them won't give the consumer information. They won't give you access to how to install it, they won't give you access to the tool chains you need to program the unit. And that's kind of a problem for me; it's my car, it's my remote starter, I should have access to those tools. So I looked around a bit more and I find a company out of Canada, Fortin, who makes a remote starter, and they provide documentation fairly willingly, not only on how to install the unit in various cars but also the tools you need to program the unit. So I'm like, that's perfect, that's what I'm gonna get, and I start looking around for remotes. So with remote starters, while you could use the factory remote, your range would then be limited to the factory remote. And you can get aftermarket remotes with these units, and they'll advertise ranges anywhere from half a mile to a mile and a half. But from the reviews it's apparent that those are advertised ranges, and in the real world you see much less than that, and the problem is, as I said, she travels for work a lot, and my concern is she's not going to be able to start her car from a mile and a half away when she's at the airport; there's a lot of concrete. So I'm thinking, you know what would be great is if she could just pull out her phone, open an app on the phone and hit start. And so I look around Fortin's list of third-party vendors that integrate with their system. And I find this one called MyCar.
And what it is, is a little cellular unit with a GPS in it that you can put in the car and hook up to the remote starter, and then this provides the capability of being able to pull up your car in an app on your phone, as a picture of what your car should look like based on its make and model; you can start the car, unlock your car, do anything you can do with a key fob. I'm like, that's perfect, when the plane lands she can start her car, and by the time she gets to it, it should be warm. So at this point let's talk a little bit about how remote starters work. In order to understand remote starters we first have to understand how cars start. Traditionally cars started using a keyed switch. It's just a keyed switch, there's nothing fancy there. When you put the key in the ignition you're completing a circuit when you turn it, so when you turn it to the accessory position you're completing a circuit that will power up the interior of your car; when you turn it to the crank position you're powering up the starter motor. And this was true up until around the mid-nineties; around that time vehicle immobilizers started to become fairly popular on the US market. An immobilizer may sound fancy, but it's just an electronic lock. So you have the mechanical lock that is the key, and then you have an electronic lock that is a transponder and something to read it. And if you don't unlock the electronic lock your car won't start. So in the slide here, on the left side there's a key with an over-molding, and on the right side there's a key that's just a metal insert. The one on the right will just actuate the mechanical components, whereas the one on the left can actually unlock that electronic lock that allows your car to start. So why do I mention this? Well, remote starters today have to bypass the immobilizer; it's necessary for the remote starter to work if you want it to work in a modern car.
And so if we look at how you could hook one of these systems up to your car, here's an example from Fortin's documentation showing how the unit I got, the EVO-ONE, gets hooked up. So on the lower left side there's a couple of lines that are labeled IMO, and those have to do with dealing with the vehicle's immobilizer. And then if you go to the very top on the right side there's a couple of lines labeled CAN high and low. And those are connections to the vehicle's CAN bus. The reason the remote starters connect to the CAN bus is to reduce installation costs, because it's fewer connections your installer has to make. So if they can read data off the CAN bus or they can send commands over the CAN bus, they're motivated to do that, because again it reduces installation times. On the left side of the screen at the very top there's a bunch of GPIO; these are just related to controlling or reading information about the car, so for example when you hit the lock button maybe you want the lights to flash and the horn to honk; that can be controlled by these GPIO. And at the bottom on that side, that big chunky connector is the high current interface, and what that does is bypass the mechanical side. So as I said, when you turn your key you're completing a circuit; that big chunky connector there allows those circuits to be completed with simple relays inside of the remote start unit. So here's just a couple of pictures from installing the remote starter. Basically it just consists of pulling off the steering wheel column and making a couple of electrical connections in the footwell. It's really not that complicated; it looks fairly daunting, but it's not that hard to do. The remotes themselves get hooked up over what Fortin calls data-link. It's a proprietary protocol; really it's just five-volt UART running at 9600 baud, and it just connects via a bus, so these two remotes here that I'm showing would be connected to the same UART connection.
So sometime after installing the unit, I start thinking, you know, I wonder how this affects the security of that vehicle. Obviously it has to bypass the immobilizer, but how secure is this, not only the cellular side but the remote start side. So I start looking online to see if maybe Fortin publishes the protocol for their data-link, so I can start looking from that side. So I go to the forums, and people have actually asked for the protocol, and consistently they're told no. We don't give out that information. One of the more entertaining responses I saw was this one, where they say the EVO is not meant to be used as a hobbyist toy. It's meant to be used as a tool by professionals. So, I'm a professional of sorts. [laughter] I set about building my own car on my workbench, so I got a second unit, put together a breadboard that represented a car, some switches to represent the ignition, momentary buttons to represent the brake pedals and a bunch of LEDs to represent various states. I get everything wired up and I hook up an FTDI device to start monitoring the data-link. And I'm capturing data, and at first it looks something like this. I mean, okay, it's not really apparent what's going on here, but if you squint your eyes just right you can tell there's definitely some structure here. Paying a bit more attention, I notice that whenever I press the button on my remote, the message that is sent by the antenna to the remote start unit always starts with 0x0C and ends with 0x0D. So if we just split what we're receiving based on 0x0C being the start and 0x0D being the end, we end up with something more like this. At this point it's clear there's some structure here and we can figure out what's going on.
So putting in a bit more time and being a bit more diligent about keeping track of what button I pressed and what message I saw, eventually I'm able to put together a spreadsheet where I figure out what each of the commands and each of the messages look like. And so here's just a simple breakdown of what a typical command looks like over the data-link protocol. When you press a button on your remote, the antenna sends the remote start unit a command that looks like this. So you have a start sentinel that's 0x0C, you have two bytes that represent the direction, or at least that's what I think they represent; that's somewhat interesting, because UART is already directional, there's already a transmit and a receive line, so that's why I've labeled it garbage, just treat it as a constant. Following that we have a single byte that represents the command the user would like to run, so this could be lock, could be unlock, could be start, stop, panic; anything that you can do from the remote will have a command associated with it. Following that we have a payload; in the case of messages coming from an antenna to the remote start unit this payload is almost always going to be an address or ID that identifies the remote antenna that the message came from. If the remote start unit doesn't recognize an ID it will ignore the command. And to get a remote start unit to recognize the ID there's a multi-step procedure that involves putting the key in the ignition, turning it on or to the accessory position, and then hitting the brake pedal some number of times, pressing some buttons on the remotes. It's a procedure, doesn't really matter, but it learns the ID at that point. And if we look at the end of the message, it ends with a checksum and that end sentinel that we identified earlier. So now that we understand how the protocol works, what can we do with it? So to show this I have a couple of videos. Do we have sound? Let's try this again. >>Not found.
Guys, anything? It's playing. Oh, presentation view. Oh my God. God dammit. Let's do this. [inaudible audio] [applause] Yeah. Okay. >>Okay. Let's try this again. Still no sound. [inaudible] It's plugged in. Okay, guess we're just gonna be talking through this then. So what I'm showing you there, okay, so that white box there is a development board I have; it's a Particle development board running firmware I wrote that understands the Fortin protocol and allows me to interact with the Fortin remote start unit. So what I'm showing here is I send an unlock command to the car; you should have seen the command in the previous one. The unlock command doesn't work because the remote start doesn't know about that antenna. So as I mentioned, it's just UART, and one of the things with remote start units is they'll often support what's called two-way communication. So they're able to tell the remote about the state of the car, for example if the car's started or stopped, and to do this the remote starter sends a message back to the antenna, and when they do this they include the address of the antenna they'd like to send the message to. The problem here is, because it's going over the UART connection and it's a flat bus, anyone on that bus can see that address being sent. So in my firmware there's the capability to clone an address. So if we turn on the clone mode, at this point I'd really like sound. So at this point we need to generate a message; to generate a message we can just simply open the car's door. So by opening the car's door the car sends the remote starter a message, or sends the antenna a message, saying that the door has been opened. At this point in the video the alarm is going off.
You'll just have to take my word for it, but it is. And we've also cloned the antenna, because it's attempted to communicate, or cloned the ID, because it attempted to communicate with the antenna. Now when we send unlock the alarm shuts off and the car unlocks. So here. >>So here's sound settings in here, should, audio settings, mouse. Yeah see, you need to drag there. [inaudible] >>Okay, let's try this again. [inaudible video sound] It's going, we don't hear anything. Okay, so where's my mouse? >>Go into the sound settings. There we go. Sound settings. Click. Try speakers. That should do it. [bell ring] >>Hey. [applause] Okay, so what we have here is a Subaru Impreza, the alarm going off, one remote start system installed and plugged into the antenna, but I have my Particle board, and if we send an unlock command from the Particle, we'll send the command but nothing will happen. What we can do then is we can just clone an existing antenna, so if we want to tell the firmware, hey, we want to clone an existing antenna, now we just need to generate a message that's going to cause the remote start unit to reach out to one of the antennas and try to tell it something. So in this case it's as simple as opening the door. [alarm sound] Now the alarm may be going off, but we've managed to clone the address. Now we can just send an unlock command. And we've unlocked the car and disabled the alarm. [applause] So at this point we've managed to send the command to the remote start system, get an alert, all without the key. So now let's try starting the car. [sound] Okay, now let's say we want to actually start the car.
Normally, if we just type start and we try to run the start command, it won't work, and the reason is this car is a manual transmission, and remote start systems will normally have a special procedure when it comes to manual transmissions. In this case it's: with the key in the ignition, hit the remote start button while the car is running, and then you can pull the key out and walk out the side of the car; when you shut the door your remote start will shut off the engine and it will lock the doors. And this is to keep the car from ever remote starting while it's in drive, because that's dangerous. However, it's not really a security feature, and to prove that, it's as simple as this: if we take a look at one of these remote start units, what makes it work in the manual transmission mode is this loop wire here. If you cut this loop of wire it switches to the automatic transmission mode. In that case it doesn't require any special setup. So we just saw the start didn't do anything, so what I'm going to do is I'm going to return to the dash and I'm going to cut this loop; to make that easy for this demo, I've installed a switch on this loop. Okay, the connection's been cut; now if we re-run the start command [beep] this time the car starts right up. So at this point we have a car that we can start, we can add a remote to it, we can start it without a key, but if you have a remote start unit you know that's not everything you need to do; there's usually a key takeover procedure. You normally, well, you shouldn't be able to drive away in a car that's remote started. But let's say we want to drive away in a car that's remote started. [applause] How would we do that? Well, we'll see in a video. So to disable the wheel lock, okay, I've put a normal key in the ignition; this does not have the transponder in it, so it can't actually be used to start the car.
However, we have it in the ignition, and we actually only have it in the accessory position, this is a different video, and that's enough to disable the wheel lock on the Subaru Impreza; you do have to go all the way to ignition to get the wheel lock to cut off. And now. Okay, sorry, not my computer, don't know what's going on there. Okay, I want this video. Let's try this again. There we go. So now that we have the car started without a key, let's say we want to drive off. This is where it gets a little bit tricky, because these remote start systems will have some form of key takeover. And what that means is the owner can put the key in the ignition, turn it to the ignition setting and then transfer over to that. But if we don't have the key, the moment we press the brake pedal to drive off, the car will shut down. Now if we want to get around that, it's fairly simple. We just have to figure out how the car is telling the remote starter that the brake is being pressed; in this case that's happening over the CAN bus, and plugged into one of these ports back here is the CAN bus connection, and if we just unplug that while the car is remote started, it'll no longer care if the brake is being pressed. Now because that's under the dash, what I'm going to do here is I'm going to start and unlock the car [beeping] so I can get out and get that disabled; I'll show you that in a second.
Okay, now we're under the dash here, and I have my remote starter right down here, and there's a little white connector here, and that's the connection to the CAN bus. If I unplug that you'll see that the car is still running, and we still do not have a key in the ignition, and at this point if I get in the car and hit the brake, so if I press the brake, the car will not shut off, and that's because it doesn't know that the brake pedal is being pressed. So at this point we can get in the car, we can put the car in drive, and we can proceed to drive off in the car. All without a key. [applause] Okay, so there's an important note to make there. And that was that click you heard at the end. That was actually the wheel lock of the car itself engaging. So the wheel lock is entirely mechanical. So we can't defeat that electronically here; you have to use something mechanical to get around that, so breaking the cylinder or something else, something I really wasn't interested in doing in her car. So all the firmware for what I demoed is available on GitHub; it will be made public after this talk. You just go to github.com/Jmaxxz, open remote start. You'll find the firmware I was using along with the schematic for my little dev board there. But now let's get on to what you're really here for, which is what happens when we add the internet to this system. Because that should make it better, right? As I mentioned, the unit I got is the MyCar unit. But MyCar's sold under many different names, and the unit I got was branded LinkR LT by Omega. But this isn't the only brand name it's sold under. It's sold under MyCar, MyCar Vision, CarLink, LinkR. But also Kia. It seems for a while Kia dealerships in Canada were installing this system, or at least that's what the MyCar Kia app seemed to imply based on its description. Interestingly, that application is no longer available on the app store.
I also want to note that while I'm just looking at MyCar and Fortin here, that doesn't necessarily mean that other systems are better. At the same time I was doing this research, Cybergibbons and Pen Test Partners were looking at other systems with similar capabilities, and they found very similar issues with those systems as well. Which brings me to the real question, the thing I want everyone to be thinking about, which is how does this happen, how does a product with the issues I'm about to show you make it to market without anyone saying anything? And if anyone here has an interest in looking at remote car starters, there's a couple of things I want to point out. First, as I mentioned earlier, if a remote start system is misinstalled in a manual transmission vehicle, it's possible a car could start while in gear. This means the car could actually start moving, and the engine could actually start up, and now you have a car that's moving without anyone behind the wheel. So that's obviously dangerous, but there's actually a more subtle and, I think, bigger risk, and that's if someone parks a car with a remote start system in an attached garage and it's remote started accidentally or without their knowledge, carbon monoxide can enter the home, and that could create a very dangerous situation. So if you do have a remote start system you should definitely have carbon monoxide detectors, but also if you're looking at remote car start systems, just like with locks, never start a car you don't own and you don't know where it is. Because the consequences could be dire. So looking at the MyCar unit, it's this little black box with this eight-pin header; two of those pins are actually for a debugger interface. Connecting to this debug interface, it's obvious the unit is running Linux, a fact which, as far as I can tell, the manufacturer does not disclose.
If you want to drop into the Linux shell, the password is actually O U Linux one, two, three, so if you do get one of these, there you go. But without logging in you can use something they call the AT engine, and this lets you run AT-style commands on the command line, so you can do things like change the IP address the unit is talking to. And if we look at the diagram at the bottom where it says IP, this is actually the server that the MyCar unit talks to, to communicate updates. And just under that there's an L Port; that's the port that this is listening on to receive commands. Using the AT engine and changing the IP this was talking to, changing it from one that MyCar controlled to one I controlled, I was able to determine that this device is talking via unencrypted UDP. I didn't do much looking into that, but I thought that was fairly significant and interesting. So here's some more information on this if you wanna pick one of these up. A couple of things to note: voltage kind of matters on that UART, and well, the documentation seemed to imply it could be tolerant of much higher voltages. Next year I'll tell you if I chose that; you gotta be a bit more careful. So as I said, where I live it gets cold, and about a month after I gave this system to my girlfriend my curiosity got the better of me. When I installed the system I had a nagging issue that I was opening her up to some security risks. But I said, you know, ignorance is bliss, just don't think about it, just don't think about it, just don't think about it, and I was able to do that for about a month, and after a month I pulled the cellular unit out of her car, put it on my bench and started playing with it.
And the forecast the next week was cold, negative thirty Fahrenheit, and you know, I was able to connect to the shell, get it working, and the cellular reception in my home lab is not that great, so at some point I decided I wanted to work on it with a different computer, and the FTDI device I'm using doesn't have particularly long cords, so I go find a different one, plug it into my computer, plug it into my remote start unit, power everything up, and all the magic smoke leaves the unit, and she's flying out tomorrow. So at that point there's a lesson learned there. If you wanna do any type of hardware hacking and you can't afford to lose the unit, always have a spare. But if you ask my girlfriend, the moral of the story is maybe if your significant other is a hacker, don't let them play with your Christmas presents. So now let's look at the software. No chance of magic smoke here, I hope. I fire up a man-in-the-middle proxy, I disable SSL validation on my phone, and I begin sniffing what traffic is being sent by the application to the back end. And during the registration process I notice it takes my email address and sends it to a web service to check to see if that email address is tied to an existing account. And it's using basic authentication, which is interesting, because I haven't created an account yet. So I don't really know what to do with that, and I kind of file it away in a notepad and move on. I create my account, I log in, and one of the first things the application does when you log in is it calls a web service to check who the current user is. So I just call that web service with the credentials that I saw earlier, that were used to check to see if my email address exists, and the response I get back is MyCar Admin. [laughter] Now at this point I really don't think this is the admin, because this has to be a low-privilege account with a really important-sounding title; after all, we all know people like this.
So I create another request to start my car using this account, I hit send, and I get back 200 OK. And about three seconds later my car starts right up. So it turns out that the MyCar admin account was an admin account. Hardcoded into the mobile application. But it doesn't stop there; in the previous response you may have seen this thing called API key. Again, from monitoring traffic from the man-in-the-middle proxy I know you can use these API keys in place of a username and password: if you use the fixed username API and one of these API keys, you can authenticate as that user. So I copy and paste this string into the password field in Postman, set my username to API, and I hit send. And it doesn't work; I don't get back a response, and I don't really know what's going on, I'm a little confused. I stare at it for probably a good five minutes, and it dawns on me I forgot to strip the quotes and comma from the API key, and looking at the response there is a SQL error. At this point it's apparent that you could have just used basic SQL injection to bypass the entire login process and become the admin or any user you wanted. Like, this is not at all complicated. So let's have some fun with SQL injection; I don't think anyone's ever started a car with SQL injection before. So let's try that. So I craft a SQL injection that targets my user account and skips the whole password thing, we'll just use SQL injection for that, hit send, I get back my status 200 OK, but this time I was smart enough to record a video. Now the video's a little dark, because I didn't realize I was going to be doing this talk at that time, so if this works the car should start via SQL injection. Sorry, one of these times I'll get this right. Okay, where is the window. And, oh, you have it here, and sent. So this is in my office looking outside. You can see the reflection of my computer screen there. And there the car is starting. Okay, so there we go.
We've started a car with SQL injection. [applause] But it really doesn't stop there. They didn't just have SQL injection in the login, they had SQL injection everywhere, whether it be the URL path, query string parameters, bodies; it seemed like everywhere you looked there was SQL injection. And looking at the SQL error messages we can see that what we are entering as a password is being compared directly against a column named password in the database. So what this means is they have plaintext passwords and SQL injection. As they say, not good, very bad. Okay, so that's enough with that SQL injection stuff, let's see what else we can do. So as I showed before, here's how you remote start a car: you just post a command to this commands API saying your command type is engine start, and you get back an integer ID representing the command ID; you can then poll the service to get the status of that command. And it looks something like this, and so, you know, I get to thinking, and I increment and decrement my command ID and I notice I get responses back; it seems to be pulling any command ID. I try a couple more values, and sure enough it's pulling back any command ID in the system, or any command that's ever been sent in the system. Now there's not really anything sensitive here, so it's not really that big of a deal, but I get to thinking maybe there's a direct object reference that I can use to start my car. So I take the start command from a legitimate user, for my user account, and try to call it via my second user account that shouldn't have access. And I get back an error message saying 401 Unauthorized, account out of hierarchy. So maybe it won't work. However, if you look at that API there's actually duplicate information.
The user's email address and their account ID are roughly correlated, but both specify a user, and if you design APIs, or rather if you hack APIs, duplicate information is a source of bugs. In this case a developer could implement this in these four different ways. If we look at case two and case three, both highlighted in red, those will result in direct object reference bugs: both of those don't properly check to see if we're authorized to run the command. So we tried case two and it didn't work; what about case three? To try case three we simply have to change the account ID in the URL. Previously we were using the victim's account ID; let's just use the attacker's account ID. So I set the account ID to be the attacker's account ID rather than the victim's, keep the device ID as the victim's device, and send the command, and sure enough, 200 OK. I get back my command status, and a couple of seconds later my car starts right up. So what does this mean? Via three different vectors we were able to basically do everything a legitimate user could do. But let's call out what that is: we can locate any car in the service, we can identify the type of vehicle it is, make and model, we can unlock the car, we can start the car, we can edit the car, we can do anything. And there's three different ways of doing this. So obviously MyCar tried to fix some of this. In the case of the hardcoded passwords, it seems they just put a reverse proxy out in front of the application to hide the credentials they were using. Well, you see, there's a problem with this: reverse proxies aren't magic and they don't fix everything, and in this case they kept the SQL injection in the backing service. So while I no longer had the password, I still, with no authentication, could do SQL injection via the check user request.
So that was interesting, and at that point I decided, okay, let's see what else is here; let's see if they left more. And the device registration still seemed to have SQL injection, and both of these things still seemed to be vulnerable up until about thirty-six to twenty-four hours ago, so, yeah. So, googling around, you may have noticed all the URLs here are M2M suite dot com. And so I thought I would take Google and search for M2M suite. I came up with this site. This must be some type of back end interface for the MyCar system. And so obviously the only thing you do when you see this is throw a couple of single quotes in there and see what happens, and of course what happens is you get SQL injection. [applause] And this is months after the initial disclosure that they had a problem with SQL injection. So if you have SQL injection you should really fix it as soon as possible. But none of this is what I consider to be the most offensive bit of this all, and that actually has to do with location. So MyCar has a GPS unit; it can track the location of your car, and in their application they will gladly show you your car's current location, and that's the only way this gets used in the application. Now if we look at their APIs, it's not just your car's current location. They seem to be storing a heck of a lot of information, much more than what is needed to keep track of your car's current location. In the case of my account, over a span of thirteen days they have a little under two thousand data points about my vehicle's location. None of this was disclosed in their privacy policy. But it gets worse than that. Maybe you can argue this was a development mistake, maybe this is a side effect of the way the service is implemented. There's another API where they analyze your data, and instead of just having a list of places you've been, they identify top locations your vehicle has been, frequent places you visit.
Again, to my knowledge this is not disclosed in the privacy policy; I can't find anything there that would indicate they were going to do this. So maybe this isn't that surprising, though, because after a bunch of searching I believe I found the parent company of MyCar, a company called Procon Analytics, and I went to their site and I went to their frequently asked questions page and looked at the question "How do you secure data?" And to this they said: "Unlike public cloud environments that battle for priority, Procon Analytics uses a virtual private cloud that supports only our customers and application, with no interference from other users. This dedicated, highly secure environment ensures high availability, faster deliverability of service. When you partner with Procon Analytics you can be assured your data is secure and protected." I really don't even know what to say to that. [laughter] But if we head over to their Facebook page, they say more. There they simply say, "Protecting vehicle data is vital." And to that I have to say, I agree. So back to the question that I asked at the beginning of this talk: how does this happen? And maybe more importantly, as an industry, how do we stop this from happening again? And so that's my talk, and at this point I'll take any questions you have. [applause] [inaudible audience question] Okay, so the question is, did they fix everything? At this point I believe everything I reported is fixed on the MyCar side, with the exception of the privacy stuff I mentioned at the end; last I checked that was all still the case. [inaudible audience question] I don't know. I don't have any vectors that I know of that generate SQL error messages, though I haven't looked too hard. [inaudible audience question] Could you come closer so I can hear you? [inaudible audience question] Sure. So I said I could edit the car, and the question was, well, you said you could edit the car; could you edit the parameters in, like, the ECU?
What I was specifically referring to there was editing the car in the MyCar service. They keep a digital representation of your car, and so that could have been edited via the direct object reference, the SQL injection, or any of the other vectors discussed. [inaudible audience question] So the question was about whether a push button start system will allow you to unlock the steering wheel, to get around the steering wheel lock. So my car has a push button and there is no steering wheel lock, so I suspect if you installed one of these in a push button car you definitely couldn't rely on a steering wheel lock. Cool, thank you. [applause]
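The following is an added example, not code from the talk or from the MyCar / M2M Suite service. It models in a small sqlite3 database the two bug classes the talk walks through: the login check built by pasting user input into SQL text (bypassed with a username that comments out the password comparison) beside its parameterized replacement, and the command endpoint's direct object reference bug, where the authorization check compares the account ID in the URL with the caller but never ties it to the device ID in the body, beside a version that checks device ownership. The table layout, column names, sample accounts, device IDs and the returned (status, body) pairs are all constructed assumptions for illustration.

```python
import sqlite3

# Added example, not code from the talk or from the MyCar / M2M Suite service. The schema, the
# sample accounts and the device and command IDs below are constructed assumptions used only to
# model the two bug classes described in the talk: SQL injection in the login check, and a direct
# object reference bug where the command endpoint authorizes the account ID in the URL but never
# ties it to the device ID in the request body.


def build_db():
    """In-memory database. Passwords are stored in plaintext, as the SQL error messages in the
    talk imply (the submitted password was compared directly against a password column)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE devices(id INTEGER PRIMARY KEY, owner_id INTEGER);
        CREATE TABLE commands(id INTEGER PRIMARY KEY, device_id INTEGER, type TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-pw');
        INSERT INTO users VALUES (2, 'victim', 'constructed-victim-pw');
        INSERT INTO users VALUES (3, 'attacker', 'constructed-attacker-pw');
        INSERT INTO devices VALUES (100, 2);   -- the victim's car (constructed)
        INSERT INTO devices VALUES (101, 3);   -- the attacker's car (constructed)
        """
    )
    return db


def login_vulnerable(db, username, password):
    """Login as the talk describes it: user input is pasted into the SQL text, so a username of
    admin'-- comments out the password comparison entirely. Returns the user id or None."""
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterized query: the values travel separately from the SQL text, so quotes and comment
    markers in the input are only characters to compare against."""
    row = db.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row[0] if row else None


def send_command_vulnerable(db, caller_id, url_account_id, device_id, cmd_type):
    """Models the behaviour observed in the talk: the only check compares the account ID in the
    URL with the authenticated caller. Naming your own account while targeting someone else's
    device passes. Returns (status, body) shaped like the HTTP responses in the talk."""
    if url_account_id != caller_id:
        return (401, "account out of hierarchy")
    cur = db.execute("INSERT INTO commands(device_id, type) VALUES (?, ?)", (device_id, cmd_type))
    return (200, cur.lastrowid)


def send_command_fixed(db, caller_id, url_account_id, device_id, cmd_type):
    """The device must belong to the authenticated caller. The URL account ID is redundant with
    the session; it may only agree with it, never stand in for the ownership check."""
    if url_account_id != caller_id:
        return (401, "account out of hierarchy")
    owner = db.execute("SELECT owner_id FROM devices WHERE id=?", (device_id,)).fetchone()
    if owner is None or owner[0] != caller_id:
        return (401, "device not owned by caller")
    cur = db.execute("INSERT INTO commands(device_id, type) VALUES (?, ?)", (device_id, cmd_type))
    return (200, cur.lastrowid)


def demo():
    """Replays the two attacks against a fresh database and the same requests against the fixes."""
    db = build_db()
    attacker, victim, victim_car = 3, 2, 100
    return {
        "sqli_login": login_vulnerable(db, "admin'--", "anything"),
        "sqli_login_fixed": login_fixed(db, "admin'--", "anything"),
        "case2": send_command_vulnerable(db, attacker, victim, victim_car, "engine_start")[0],
        "case3": send_command_vulnerable(db, attacker, attacker, victim_car, "engine_start")[0],
        "case3_fixed": send_command_fixed(db, attacker, attacker, victim_car, "engine_start")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the injected username logging in as user 1 (admin) without a password, the parameterized query rejecting the same input, the victim's account ID in the URL being refused with "account out of hierarchy" (what the talk calls case two), the attacker's own account ID with the victim's device ID being accepted (case three), and the ownership check closing that last path.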
Info
Channel: DEFCONConference
Views: 98,965
Rating: 4.8769231 out of 5
Keywords: hacker, DEF, hacking conference, conference speakers, CON, DEF CON 27, DEFCON, hacker community, security conference 2019, computer security, DC27, cyber security, hacker conference, hackers, DEF CON 2019, security conference
Id: w8SG2V3n4-U
Length: 41min 3sec (2463 seconds)
Published: Fri Nov 15 2019