Herald: The second thing I wanted to
announce: there is no scooter sharing.
Which brings me to the next talk. We tend
to need kind of a security concept for not
scooter sharing. So the easiest way would
be to have kind of a scooter lock. But we
have the lock picking guys. So that won't
work. So the next option would be we can
have a GPS tracker, but we have the GPS
spoofing guys. Which isn't also that good.
A third option would be an immobilization
system. We have Wouter Bokslag. Thank you.
*applause*
Wouter: Hi. Thank you for the
introduction. Thank you guys for the warm
welcome. I'm really happy to see that
still some people have come together here
at this ungodly hour to watch my talk
about vehicle immobilization. Well,
briefly something about me. I'm a
Kerckhoff security master. And the
research I will be presenting today, I did
as my master's thesis. So I spent about
half a year analyzing various systems and
I wrote something about that. And if you
want to read the full story, you can look
at my thesis, which is public since some
time now. And there's more detail there.
I'm currently working as an automotive
engineer. And if you feel like asking me
questions besides the Q&A, you can always
contact me by mail. So first, responsible
disclosure. This kind of stuff is not a
joke. Automotive manufacturers think it is
very important. And, well, they have a
reason to think so. So naturally we
contacted them ahead of publication even
before my defense and we laid out the
findings and I had a couple of conference
calls with the manufacturers. And I even
went to one of them to demonstrate the
findings on premise. I need to point out
that the research that I did was on fairly
old vehicles like 2009 and around. But for
the three cases that I really went in
depth we have been able to confirm that
they are still in currently produced
models. So this in itself is kind of
surprising because you think automotive,
cars, electronics, security, it's a fast
moving industry, but well, no, not really.
So everything that was in cars in 2009, at
least regarding to these three systems,
can still be found in currently produced
models. I will disclose the vehicles that
I've been working on, because I think that
is relevant. I hope you can forgive me
that I'm not going to disclose the
vehicles that I have identified these
systems in that are still being produced.
I'm not really into facilitating theft and
I don't see what would be the added value.
So the talk will be structured as follows:
I will first introduce some standard stuff
about immobilization systems and about
computer networks inside vehicles. I will
tell you something about how I addressed
the challenge. So for all three models, I
kind of followed a similar approach and I
think it's more practical to lay that out
once and then skip the details later on.
And then I will present the three
protocols that I uncovered in a Peugeot, a
Fiat and an Opel vehicle. I will then
summarize the findings in a series of
takeaways and there will be some time for
questions. Right. So modern vehicles are
full of electronics and full of computer
systems. They operate largely independent.
They are all connected through a variety
of different buses that talk to each other
with different protocols. And there is a
plethora of different standards, ISO
standards, all kinds of standards. And
then the manufacturer wants a lot of
freedom to, well, do it in their own way.
So even if you read these hundreds of
pages of standards, still every vehicle
you will look at will be kind of
different. There are some practical
handles that you can use, and one of them
is that every car has a OBD-II port. Yeah,
this is required by law, both in the US
and in Europe for quite some time now. And
it needs to be conveniently located and
that is very near the driver's seat. So
this is a universal connector and all cars
with a combustion engine need to have one.
And cars with electronic engines also need
to have one. But the functionality that
has to be implemented is much more
limited. So in regular internal combustion
engine powered cars, you have to be able
to read out emissions data and that kind
of stuff. So many manufacturers felt this
was a very convenient thing to also use
for garage purposes, for workshops to read
out error codes, to perform all kinds of
routines on vehicles. You might need to
teach new keys to your car if you lost one
or if you just want a third one. If you
add a towbar to your car, you need to tell
a couple of ECUs in the car that it now
has a towbar. Depends on the vehicle, but
telling this to 5 individual ECUs is not
an exception. And since it is a bus, the
CAN bus, it can be directly addressed
through the OBD connector on many vehicles
and you can talk to a lot of different
components. So the ECM, the Engine Control
Module, is one, the body control module is
another. That one controls, for instance,
powered windows and all kinds of interior
stuff, but also the airbag, infotainment
system, fancy interior lighting, stability
control systems. Another feature of it
being a bus is that you can also see the
inter-component communication. So if the
instrument panel cluster, the dashboard,
needs to talk to, say, the body control
module, you can see that packet going over
the CAN bus. All my research has been
focused on this OBD-II connector and what
you can do and what you can see from this
perspective. Immobilizer systems are
nowadays required to be implemented in
vehicles. Since the late 90s, legislation
has been adopted in both the States and
Europe, mandating the use of an electronic
immobilization system. And the purpose, of
course, was to reduce the risk of theft.
This is proven to be effective: According
to one study, theft rates dropped by
almost 40% in, I think, a 7 year span they
based their data on. This is because car
theft used to be quite simple. You could
just put two wires together and you could
power the starting circuit and you could
actually start the engine. And the
immobilizer system adds another step to
that. The engine control module that
finally controls the engine wants to have
some kind of assurance that the key
presented in the system is actually valid
and does so by validating a security
transponder. First generations of these
security transponders have been widely
studied and often were found insecure. Of
course this is a problem because well, if
it's insecure, it doesn't add any security
and cars can be stolen nonetheless. So
there has been kind of an arms race in
this domain and we see that nowadays
security transponders have become a lot
better. Your car might even use AES to
validate that the key you're putting in
the ignition is an actual key that is
recognized by your vehicle. And this is
really necessary because car thieves have
shown to be able to wield quite high tech
solutions, procure them from shady
companies or just use official tools that
can be used in illegitimate ways. A nice
example of this is shown here. For certain
models of Range Rover, they have a blind
spot sensor, so you can see if there is a
car in your blind spot. And if you pop off
a cap, then you can connect a 12V battery,
power the internal ECUs of the vehicle.
Then you can access the CAN bus, put the
car into key teaching mode and hold a
blank key to the window and it will
program the key and recognize it as a
valid key. Well, needless to say, this was
not intended behavior
*laughter*
and this has had consequences for
consumers. Because insurance companies saw
a rise in theft for these models - these
are quite expensive cars - and they
started adding demands before they would
allow you to insure your car. So the
insurance would get more expensive or you
would not be able to get the insurance if
at least at your own home, you couldn't
park it in a secured area. There is a
common misconception about how immobilizer
systems work, and it's actually one of the
reasons I want to give this talk and
present this, because I think it's
important to realize that an immobilizer
system is a bit more complicated than the
single cryptographic step that seems
logical. So what you might think is that
the engine control module sends a
challenge to the body control module,
which communicates with the key. It
implements the radio layer and it can then
relay the challenge to the key. The key
can compute the proper response based on a
secret it shares with ECM, send back the
response, which the BCM will in turn
forward to the ECM. The ECM can verify the
validity, and if this seems to be the
right response, immobilization is
deactivated and the car can start. Sounds
good. Sounds easy, but this is in modern
cars no longer the case. 'course. What we
see is that there is a second step. The
ECM does an authentication with the BCM.
The BCM does an authentication with the
key. So if your key uses say AES for its
authentication, then this will be an AES
secured authentication between the BCM and
the key. The BCM, if it can validate the
legitimacy of the key, will then send the
correct response to the engine control
module. But this is a whole different
protocol, using different cryptographic
primitives, using different keys,
sometimes, often, don't know. And more
importantly, it has not yet been covered.
So in the scientific literature, I have
found absolutely zero reference of this
step being identified. And here and there
you find a reference that people know that
this happens, but no actual analysis of
the security or the cryptographic
primitives involved. Right. So that is an
open question then and asks for further
research. So how do you do that? You can
sniff CAN traffic from the OBD connector
with tooling. And by disconnecting ECUs
and placing yourself in the middle you can
also modify CAN traffic. You can analyze
this CAN traffic, see if you can find
immobilizer-related messages. And of
course, by the messages, you cannot deduce
the algorithm, most of the time. So you
will need a firmware image or something
else you can reverse engineer to actually
find the code that does the magic stuff.
If you have that and if you are able to
pinpoint where the algorithm is, then you
can start looking at if it's actually
decent. And once you are all there you
will want to test if all the assumptions
you've made on the way are correct and if
it's actually working as you think it's
working. So the first step, protocol
identification, is actually quite
straightforward because you have some
knowledge. You know that this is a message
exchange that happens when you switch the
ignition to the on position. And you know
that there must be at least two high
entropy messages because the challenge has
to be different every time. And the
response is the output of some
cryptographic function. So it may be
expected that that looks quite random,
too. Also, if you switch the ignition on
but no valid transponder is present, you
should be able to detect some kind of
difference. And it will probably be the
very first moment you observe a
difference, because before that point, the
car didn't know there was no valid
transponder. So with a bit of fiddling and
some patience and going through CAN
traffic logs, you can probably find this.
OK. Next step is to get a firmware image
in which you hope to be able to find the
actual cryptographic protocol. So there
are several options. Of course you already
have the firmware, but it's in the
microcontroller in an ECU that is either
lying on your desk or inside some vehicle.
So you could try to get it straight out of
that device. Debugging headers are a good
option. You have JTAG, you have BDM, UART
occasionally can be used, but sometimes
these are deactivated. Sometimes it just
doesn't seem to work. Sometimes the
tooling is prohibitively expensive. So if
that doesn't work, you can always go to
the internet. Some manufacturers provide a
means to download a set of information
about the vehicle based on its VIN number.
You can find all kinds of configurations,
you might be able to find actual parts or
full firmwares, often encrypted, not
always. And then there is the tuning
scene. And while you might think of neon
lighting and stuff like that, these guys
are actually pretty knowledgeable about
the internals of engine control modules in
particular. And you might just be able to
find a full firmware image or parts of it
or some model that is highly related. And
this is kind of a viable approach to
getting your hands on the firmware. But
also very practical can be to just
leverage the functionality that is
implemented in the ECU. The ECU allows for
diagnostic commands such as read memory by
address and request upload, which from the
perspective of an ECU is sending new data.
And you might be able to just dump the
whole firmware or dump memory or dump at
least parts of the the internals of the
ECU. Then there is some kind of mechanism
that's called second bootloader. It's a
sort of standard. Not every manufacturer
implements it, but quite some do. That
allows you to actually send binary code to
the ECU. And it then jumps to it. So very
convenient functionality. It's maybe very
painstaking to get it working, but yeah,
it's basically free code execution. Except
for the fact that you often need to
authenticate before you're allowed to use
such functionality. So that might leave
you with some kind of chicken and egg
problem, because you don't know how to
authenticate, you don't have the algorithm
for this authentication. And lastly, there
are sometimes firmware updates for ECUs
and you might be able to use an official
dealer tool, you might be able to sniff
CAN traffic. Multiple ways of trying to
update the firmware on your ECU
reconstructed from the CAN traffic. Once
more, you have to go through an ISO
standard before you understand how it's
exactly chunked in 8 byte messages, but
you'll get there eventually. So once you
have this firmware, you have to pinpoint
the cryptographic algorithm and ECU
firmwares are typically between half a
megabyte and 2 megabytes. And that is a
lot, if we're talking assembly. And the
information density is extremely low. And
if you have to go through it line by line,
it's hardly doable. So you need to have
some tricks. I think we're at a conference
where we've seen a lot of reverse
engineering. So this is not going to be my
focus during this talk, but a couple of
pointers. Maybe someone is helped by that.
Of course, you know the protocol because
you have observed CAN traffic. So you can
search for immediate values, for numerical
values that are used in the protocol to
designate a packet type, for instance. It
must be in the firmware somewhere. Also,
you know that crypto usually uses XOR
instructions and you would be surprised
how little XOR instructions there are in a
firmware. Depending on the architecture,
you might immediately dismiss most of
those as a single bit flip or maybe
inversion of a whole register, and then
you will find some XORs with either weird
constants or variables. So those are
points to focus on. Lastly, you can make
some assumptions on the structure of the
cryptographic function, so it certainly
doesn't do IO, it will not invoke a lot of
other external functions, maybe some round
function once or twice, maybe some
initialization. It will probably have some
loops and you can sometimes recognize the
length of the challenge. You can sometimes
recognize the length of the response. That
being said, let's dive in the first case
study. So I reverse engineered the Peugeot
207, which is, as I said, not the most
recent of vehicles. And this was my test
setup. It doesn't look like much, but
everything that's relevant to me is there.
And you can toggle the ignition and lights
will show and all the ECUs are connected
through a CAN bus and an OBD connector
that you can see on the left side of the
instrument panel. And I investigated a
tool that had a kind of peculiar function
and that is that you could obtain the
vehicle PIN - some kind of secret you
needed to authenticate for diagnostics -
by connecting this tool and toggling the
ignition a couple of times. So that kind
of gives you a hunch that the
immobilization system might be involved,
because it's triggered upon toggling the
ignition, and that you can derive in some
way the vehicle pin from this. So for this
Peugeot and for most BSA vehicles in
general, the PIN is a four digit uppercase
and numeric code excluding the O and I,
because that would be confusing. So that
leaves us with roughly one point three
million keys, which is nothing in terms of
crypto. I finally reversed the algorithm.
It is obviously in the engine control
module and the body control module. And
the main part looked like, oh wait, wait
for it. And the protocol looks like this.
So if you observe CAN traffic, you will
see that some CAN ID 72. On that ID is
sent a message that starts with 00 and
then followed by a 4 byte challenge. And
if the BCM is able to verify that a valid
key is present, it will respond with 04
and a four byte response. So this is a
very small, straightforward protocol,
which, well, does the bare necessary. And
one of the first things I did was
injecting challenges. Just inject a
challenge, send it to the BCM with a valid
key and see what the response is going to
be. And if I replace the zeros by dots,
you see that there's an extremely apparent
pattern is visible. So the ideal case that
a single bit flip in a challenge leads to
a 50/50 chance of a bit flip in every
response bit is not exactly respected. You
see that the effect of changing the
challenge has a very localized effect on
the response. Another weird feature, which
is not very clearly visible here, but it's
visible in the last one, is that on
average, when you give average just random
challenges, 75% of the bits of the
response will be set. So that is a very,
very heavy bias. And it was quite puzzling
to me what kind of cryptographic primitive
would exhibit such behavior. And then it
became clear. this is the main function of
the algorithm and there is a transform
function that I left out, but it basically
does some multiplication, some division,
some modulo, mathematical operations, It
splits the challenge in two parts and it
splits the vehicle PIN, so the secret in
two parts. And the total of four parts are
all used as inputs for this transform
function and we obtain a challenge
transformed left challenge transformed
right and similarly for the PIN a left and
right transformed part. And then something
interesting happens because the left
transformed part of the challenge is ORed
with a part of the PIN. And an OR
operation will lead to a, well, on average
75% set result. So that kind of explains
the weird behavior we saw before. Strange
and maybe not so smart, because an
adversary will be able to either control
or observe the challenge that is used as
input for this algorithm. So if you know
the challenge, you know the transform
challenge, and if you know to transform
challenge, you know something about the
output. Because if the transform challenge
has a one bit, then the response will have
a one bit in that same position. There is
another property for the transform
function, and that is that if the input is
a zero, the further parameters of
transform vary a bit, but it doesn't
affect this property: if the input is a
zero, the output is a zero. So that gives
us that if you have a challenge of all
zeros, you will obtain a transform
challenge of all zeros. And that means
that when you're doing the OR you're ORing
with nothing and the response will be
entirely determined by the transformed
PIN. Then another property is that the
PIN, which is an alphanumeric PIN, is
invertable once. Let me restart.
Transform: If it takes a PIN as input,
then the output can be inverted. There is
only one PIN part input that maps to one
output of the transform function. So if
you are able to supply the vehicle with a
challenge of zeros, you will get one
response and you can uniquely identify the
secret of the car, the PIN. And this PIN
can later be used to, for instance,
authenticate for diagnostics or key
teaching or whatever you want. If you're
not able to control the challenge, you can
just collect a couple of random challenge
responses and you will still have the PIN.
So that's bad. What's worse is that there
are a lot of collisions because the bits
that are set in the challenge transformed
will hide the bits that are set in the PIN
transformed. So a challenge transformed
with a lot of ones set will accept a lot
of different PINs as proper input and
result in the same response. So there is a
quite simple attack we can mount here and
that is that we get a challenge from the
car without a valid key present and we
then compute for that challenge for all
PINs what response it would yield. And you
will see that some PINs, sorry, some
responses are generated by a lot of
different PINs. It could easily be two-,
three thousand PINs resulting in the same
challenge. So you choose the most probable
response and you send it and either the
ECU accepts it and disables immobilization
or it doesn't. And if it doesn't accept
it, then you know for three thousand pins
that it was not that. In general this
takes far less than 4000 attempts and and
far less than 15 minutes. I don't know
exactly. I've tried it a couple of times
and I've been able to deactivate
immobilization, I'd say, 3 minutes once,
maybe 10 minutes once. And after that, if
you toggle the ignition switch, the car
will actually start without transponder
present. So. That was not so good. Next
case is the Fiat I investigated, the
Grande Punto and I reverse engineered the
BCM. It's based on the NEC V850
architecture, which is a nice 32 bit RISC
architecture, pretty readable, pretty fair
information density. But still, I couldn't
really figure out what the actual crypto
part was. So I also investigated an engine
control module. Surprisingly, I was able
to find it there. And then I immediately
went back to the V850 because that at
least is readable code. Protocol is as
follows: It has a 32 bit challenge, then a
4 bit - sorry - 4 byte challenge, then a 2
byte proof of knowledge. And that's an
interesting feature, because that way the
engine control module proves to the body
control module that it actually has
knowledge of the key. So you can not just
spam a challenge and get a get a response
for that. You have to prove that you know
the secret. And then you get back a 2 byte
response. And if that is correct, the ECM
accepts it and the car can start. And this
very well, seemingly nice security feature
that there is a proof of knowledge of the
key is actually the flaw in this system,
as it turns out. The cipher is a linear
feedback shift register based cipher. It
initializes the states with the key, XORed
with the challenge, XORed with some
constant. And then it does 38 rounds. If
you don't know what an LFSR is I'll tell
you in the next slide. Then it generates
the proof. That is 12 rounds, actually 12
bits output. And if you look back in the
protocol, you actually see that the first
nibble is indeed a zero. So it's not 16
bits, but it's only 12 bits. After
generating the proof, it loads an
additional 16 bit constant and then
generates the 14 bit response. This is a
very standard construction in crypto and
there is a fairly standard attack to it.
So what you see here is an LFSR, it's a 32
bit register and it operates in ticks. So
it is loaded with this initial secret
state at the beginning of the algorithm
and each tick it takes 4 bits and they are
XORed together. Then the whole register
shifts one position to the left. So bit 0
goes to bit 1, 1 to 2, etc. Bit 31 shifts
out and the previously computed XOred bit
is shifted in in the 0 position. So that
way it cycles and continuously updates its
internal state. And then there is an
output function that takes 8 bits of input
and each tick it computes one bit from an
8 bit input, and on the lower left you can
see the output generation table. So it
kind of just counts through this. And if
the eight bits together add up to say A2,
then you pick bit position A2 in this
table and that is then the bit that is
being generated as proof or response bit
during that round. Now what we see here is
that there is actually 8 bits of the LFSR
that determine the output bit. And of
these 8 bits they generate 256 different
values. Now there are 256 different
combinations and only half will generate
the observed output bit. So that means
that 128 different options may be valid
options for these 8 bits to generate a
response or a proof that we have observed
earlier. And that is pretty interesting.
And you can use that to construct a guess
and determine attack. Which means that you
make an assumption on the internal state.
We have 128 candidate internal states. And
then we do a round. So we shift the
guessed bits one position to the left. We
do the feedback function and then we are
going to evaluate the second bit that was
generated. For the second bit we already
have some knowledge, because we made
assumptions earlier. So the green squares
designate the bits that we already know.
And you see that throughout the rounds,
each round you can eliminate half the
candidates, because they generate the
wrong output bit. And you need to guess
less and less bits in order to to fill in
the state. And this continuous elimination
of half the candidate states makes this
far more efficient than just a brute force
attack. The total complexity of this
attack is 2^21, which is orders of
magnitude less than mounting a brute force
attack. Right. So that's OK. That is
fairly standard stuff in crypto. Now,
there is a big problem in the way they
implemented this, because they did some
secret reuse. And the secret that is being
used to generate the proof is in some
mangled way the vehicle PIN. If you take
this 32 bit secret input value and you
take the 5 rightmost nibbles and then
transform the letters into numbers and
then replace the zeros by sevens, then you
get a 5 digit number and that number is
the PIN. So what we have now is an attack
that observes a couple of challenges
together with their proof of knowledge,
which is always there, and you get it for
free when you just power the ECU, and you
run an attack on that. That takes, well,
my not so optimized implementation takes 6
seconds on a single core. You can probably
do better. Runs in seconds. And what you
get is the PIN. So you can still not
authenticate towards the ECM, but you do
get the pin which you can then use to
authenticate for diagnostic services, you
can, maybe, read memory, you can, maybe,
reprogram stuff, you can, maybe,enter key
teaching mode. There is absolutely ways to
leverage this and, well, get the car to
start. The 3rd case I investigated was an
Opel Astra H. And I've decided to skip the
crypto parts in this one because I
couldn't break it and I wouldn't want to
bore you with a fairly complicated
algorithm and then not present an attack.
If you're interested, it's in my thesis so
you can look it up. But there is still
some funny things to point out here. I
reverse engineered an ECM that was based
on a PowerPC architecture microcontroller.
And that is very nice because there is a
decompiler for that. And IDA Pro will
nicely transform the assembly into
somewhat accurate, somewhat readable C
code. That was good, but it was not
enough. So I purchased some tool to use
the BDM interface of this ECU which was
active and usable. And it took me a lot of
time to get the tools working, because
virtual machines were not okay, etc etc. I
installed Windows and did crazy stuff. And
then I was able to read memory, modify
registers on the actual ECU, and that
helped a great deal in debugging and
finding the actual functions. So this is
the protocol that I found. It has a 2 byte
opcode, then 2 bytes status data, then a 4
byte challenge. And similarly 2 byte
opcode for the response, 2 byte status
data, 4 byte response. No proof of
knowledge here. Just a 32 bit to 32 bit
challenge-response authentication. And
what was funny when I finally uncovered
the algorithm is that this is not an
algorithm that was designed by Opel. It is
an algorithm that is used by a security
transponder. It is used by the PCF7935
security transponder, which is the
predecessor of high tech II, which you may
be familiar with it. It uses a 128 bit
secret. So that is really, really big
secret, and a 32 bit internal state. When
I saw that 32 bit internal state, I was
like, OK, this is going to be doable. It
wasn't. Because it does a lot of rounds
between output moments. Not as in the FIAT
case, one round, one bit output. It does
34 rounds and then it outputs two bits and
then it does another 34 rounds and two
more bits. And during these 34 rounds, it
mixes the whole 128 bit secret key into
the state. There is so much distance
between these moments that it is very,
very hard to relate any of this
information or any usable assumption that
survives so much new mixing of
information. I did my best. I found some
stuff. Nothing that is usable to mount an
attack. You can read my thesis if you're
interested in the details. I found it
funny to find an implementation of a
security transponder in an engine. While
I, In the beginning of this talk pointed
out that the engine doesn't talk with the
transponder. So I went back in time and I
analyzed another vehicle, a Corsa Model C
and found that this was different. This
car had indeed an engine that talks with
the key. And what probably happened is
that they wanted to decouple development
of engines and development of cars so they
could upgrade security transponders
without replacing their engines or
replacing their engine firmwares. So I
think that is how this happened and why
they just decided to well, then implement
the security transponder and emulate it in
the body control module towards the
engine. It seemed like a convenient
solution, I guess. It is by far the
strongest algorithm I have encountered in
these three case studies. And while it is
out of scope because I limited myself to
the actual cryptographic primitives, I
felt the need to point out that the random
number generator is really not very good.
They use the tick counter of the CPU as
source of randomness and then they use a
couple of constants that, if you google
them, direct you to the Netscape random
number generator. So summing it up: We
found that Peugeot used a tiny key space
with only 1.3 million different possible
PIN codes. They leak a lot of information
in the response. If you can inject a zero
challenge, you immediately get the full
secret. It has a lot of collisions, which
makes it really not very robust against an
adversary. Fiat has a schoolbook algorithm
and it's vulnerable to schoolbook attack.
It's a nice idea to implement neutral
authentication, but it doesn't really work
in this context. And worse, they reuse
that part of the secret as the vehicle PIN
as opposed to using the other part of the
secret that is used to generate a
response. If that would have been the
vehicle PIN I would not have been able to
mount this attack. And lastly, Opel
decided to clone an obsolete security
transponder. The successor, high tech II,
was desperately broken. This one wasn't.
Not by me. I have a master's degree, not
in cryptanalysis. I'm not convinced that
it's a secure transponder, but it is
certainly better than the other two I
analyzed. And also interesting is that all
these three systems are still around in
new vehicles. Maybe not all models, but
they're still being manufactured. So I am
curious to see how this relates to other
manufacturers, other models. And I think
it would be interesting to, well, do some
further research in this domain and see
what else is out there. So to finish with
a few takeaways. Don't do your own crypto.
It's often said and repeated. You are
going to mess it up. Just use standardized
cryptographic components and maybe try to
get people that are actually security
experts to implement it instead of hoping
for the best. Don't reuse secrets. These
two case studies revealed that reuse of
secret made the attack much more powerful
than it needed to be. Minimize the number
of cryptographic protocols and
cryptographic primitives that you're
using. The more different primitives, the
more attack surface you create for an
adversary. And lastly, as I mentioned
before, there has been an arms race in
transponder security. How is it possible
that a modern car key may be equipped with
AES or other fairly secure cryptographic
features, and these protocols that date
from 1995 and such are still there, not
replaced. Apparently no one either figured
it out or there are other very important
reasons to just leave them there. So I
hope that was interesting. Maybe
entertaining and I'll happily take any
questions you have for me.
*applause*
Herald: Bedankt Wouter Bokslag. Thank you.
You know the game if you have questions -
oh, we already have questions. There are
microphones, microphones number 1 to 7 and
2 to 8. And the Internet has questions
already. So we start with the Internet.
Internet, please.
Signal Angel: Why don't make cars more use
of rings of security or layers or
permissons system?
Wouter: Oh, well, this is embedded
security. This is not a PC or smartphone
security. It's embedded security. And I
think automotive manufacturers do their
best, but this is just not their game. And
yeah, there is plenty of ways you could do
this in a more secure manner. But they
didn't. I cannot really say, why not do it
better? Of course they should do it
better. But I think it's understandable
that they may be a bit behind on this game
that is relatively new to them.
Herald: Thank you. And microphone number
one.
Q: Hi. Amazing work, but I have a
question. Did you find any simpler, more
entertaining mistakes like storing the PIN
in the open, in other components in the
car?
Wouter: Well yeah, I did do some other
stuff besides the 3 cases I presented
here. I also investigated some
authentication mechanisms for diagnostic
functionality and I didn't put them in my
thesis because it's nice to have a clear
message and a clear line of research. But
I've seen authentications that are really
pretty hilarious, such as challenge -
secrets - subtract - response.
Herald: Answered? I think this is a yes.
Microphone number 2, please.
Q: Hey, thank you for the talk. Two short
questions. How did you specifically choose
those two cars, those three cars, and
which parts or are parts of these flaws
fixable in later firmware, bootloader,
software, coding, update, whatever?
Wouter: Yeah, Okay. I chose these cars
mainly by availability. I didn't really
cherry pick models. It was just that at
the place where I was doing my internship
then, I was, I had some platforms to play
around with. You have seen my very
professional PSA setup, that was the most
professional I had. So yeah, this is what
I had. And since I in the end found that
they are still relevant right now, I think
that wasn't really harmful in any way. It
turns out to be a good choice. Your second
question was?
Q: Can those flaws be fixed in an update?
Wouter: Oh yes. Well, in some sense,
except that there is no real
infrastructure to roll out updates. So all
the cars that are out there, I don't think
they are going to recall them to update
firmwares.
Q: But normal servicing...
Wouter: Yeah, yeah, you can do that. It
takes time. So it doesn't incur costs for
the manufacturer. But what you could do,
for instance, is just use timeouts in the
PSA case and make sure it's not too easy
to try lots of authentication attempts.
It's not a fix because it doesn't really
fix it. But well, it's certainly a
mitigation. It somewhat limits the impact.
In the Fiat case, it's a bit harder
because you cannot really change an entire
algorithm because there's different
engines. And yeah, I think that would be
quite a hassle. You really have to change
your protocol there.
Q: Thank you.
Herald: Thank you. Microphone number five,
please.
Q: Are the secrets unique per car? And if
so, how do you handle the case when one of
the units has to get replaced?
Wouter: Yeah. The secrets are unique for
car and replacement frequently involves a
procedure to couple the new ECU in the
current system. And you just have to put
the ECU there, connect to the ECU and
enter the vehicle pin. So that is quite
probably also the reason that they reused
a secret, because if you use a different
secret, you have to have some kind of
complicated secret sharing protocol that
well, brings the new ECU up to speed with
the key material that's being used inside
the vehicle.
Herald: Thank you. Microphone number one,
please.
Q: Hello. So what I'm struggling to
understand here is why there was the need
to decouple the communication in the first
place and just split it in two. I can
guess that is so that the ECU can be
trained on new keys. But then isn't it
easier to just, you know, instead of
training like the ECU and telling it: Hey,
this is the new key's key. Just load the
ECU's key on the new transponder.
Wouter: So if I understand your question
correctly is that you wonder why we need
two different authentication systems, one
for the key to BCM and one for the engine
to BCM and not use the simple model of
having the key talk to the engine control
module.
Q: That's correct.
Wouter: All right. You have to understand
that engine development is done by
different companies and the same engine
may be used in various different vehicles,
maybe even from completely different
ranges. And it is complicated to give
these cars a different firmware. So it's
definitely possible. But they just want to
build an engine and build a car and have
it work together. And another car with the
same engine should also work. So it's, ...
it has to do with their process of
developing vehicles.
Q: But then shouldn't also, I mean, I'm
assuming that the part that talks to the
transponder and talks to the engine still
has to match the engine communication
protocol anyway. So, I mean, doesn't the
car producers still have to match the
engine protocol anyway at some points
anyway, so why just not implement it on
the key in the first place?
Wouter: Yeah. Well, this is all
speculation from my side as well. I have
no inside information as to why they did
this. But yeah, I can imagine ways that
they could fix this and they don't do it.
And my experience is that generally this
has to do with legacy and compatibility
issues. They could also just embed five
algorithms in the BCM or the engine
control module and just by configuration
choose the one that fits for that vehicle.
I have no idea why they don't do that. But
once again, these are not software
companies. These are automotive companies.
Q: Awesome. Thanks.
Herald: Thank you. Microphone number
three, please.
Q: Thank you for the great talk. Once we
have the OBD connected to the Internet and
do you see any other complication that
could prevent me to park the car remotely
from there?
Wouter: OBD connected to the Internet...
Now well, no. Why? Once you have OBD
access so you can use the OBD port you can
do a lot. There are cars that use a
gateway that is some kind of filter or you
have to authenticate towards it before you
can access the internals of the vehicle.
So it really depends on the model. It
depends on the manufacturer to which
extent you have room to maneuver there.
For some, it would be super easy, for some
it would be a lot of work. For some, it
might be impossible. But you certainly
have a very, very good starting point.
Q: Thank you.
Herald: Microphone number one, please.
Q: Hello. Did you spot any kind of anti-
brute force measures during your analyses?
That's the question number one. And
question number two is: Obviously you had
access to the internal communication
between the BCM and ECM, but were those
attacks successful on Fiat and Peugeot,
are they doable using just the OBD-II
port? Or do you actually need to see the
internal communications?
Wouter: I tried to point out in the
beginning of my talk that I carry out all
the attacks presented and I focused only
on functionality that is exposed through
OBD. So, yes, I did some stuff on the
hardware of the ECUs, but that was just
for research. So the attacks are
absolutely doable over OBD.
Q: OK, and the previous question there,
which was already partially answered.
Wouter: Yes.
Q: So no, like, locking out after five
failed trials?
Wouter: I did find something that was
peculiar in the PSA case, and that is that
if you... let me think. There is rate
limiting implemented in the PSA on the
engine control module. Is that right? No,
on the body control module. And that means
that if you spam challenges, it will at
some point no longer give you the
response, which sounds like a good idea,
right? Rate limiting. But they did it on
the wrong side.
Q: Okay, great. Thank you.
Herald: Thank you. Microphone number two,
please.
Q: Have you spotted some kinds of
relationship between this, like public
identifier of the car and the secret used
to authenticate in the service?
Wouter: Yeah, so if the VIN in some ways
could be converted in the secret, the PIN
code of the car. No, I see where you're
headed, but I haven't spotted anything
like that.
Q: Okay. Thanks.
Herald: Questions from the Internet?
Signal Angel: No more.
Herald: No more. In this case, ladies and
gentlemen, bedankt Wouter Bokslag. Thank
you very much.
*applause*
*postroll music*