Introduction
Internet of Vehicles security is currently a popular development direction, but most people are stuck here because its entry threshold is too high (no real car). So I summed up the relevant information on the Internet and wrote this article so that students who study the security of the Internet of Vehicles can simulate what it feels like to control a car. This article uses Ubuntu to simulate the sending and receiving packets of the car CAN bus for operation. Learn, and then follow me step by step to open the door to the security of the Internet of Vehicles!
CAN
CAN bus, also known as Controller Area Network the abbreviation of CAN bus, is a feature-rich vehicle bus standard. It is designed to allow microcontrollers and instruments on the network to communicate with each other without the need for a host. It is based on a messaging protocol and was originally designed to use multiplexed communication cables in vehicles to reduce copper wire usage, and has since been adopted by other industries as well. Simply put, it is a communication protocol used to control vehicle functions, such as door unlocking, turn signals, brakes, accelerators, etc. Why use the CAN protocol? Simply put, it is cheap and easy to use.
CAN bus characteristics
Security:
CAN is a low-level protocol that does not support any inherent security features. There is also no encryption in standard CAN, which allows these network data to be intercepted. In most applications, applications need to deploy their own security mechanisms, such as authenticating incoming commands or the presence of certain devices on the network. Someone else could try to insert messages on the bus if proper security measures are not implemented. Although passwords exist for some safety-critical functions such as modifying firmware, programming keys, or controlling anti-lock brakes, these systems are not commonly implemented and the number of key pairs is limited.
Communication mechanism:
multi-master - that is, each node has the ability to access the bus.
Addressing mechanism:
Message distinction: No node address is set, and messages are distinguished by message identifiers.
Frame type:
a data frame, remote frame, error frame, overload frame, frame interval
Attack method:
Application packet fuzz testing
Dos attack test
Replay attack
Since the data packets on the CAN bus do not have any encryption, these data packets can be intercepted and eavesdropped. Since the vehicle network uses the CAN protocol for communication, we can think that the function of the Internet of Vehicles is also to send and exchange data through the CAN network. For example, if we turn on the left turn signal, the electrical signal will be sent to each device on the network through the CAN bus. Then the left turn signal will interpret the data packet and execute the instructions in the data packet.
Attack method
The CAN bus attack methods we wrote in the CAN bus characteristics above include application message fuzzy testing, Dos attack testing, replay attacks, etc. Next, letβs practice replay attacks. As the name implies, data packets can be intercepted and then resent cause The vehicle is under our control and not the owner of the vehicle.
Required Tools
Kali Linux
ICSim (Dashboard Simulator)
Socketcand (CAN network)
Kayak (a CAN bus analysis tool based on SocketCAN)
ICSim is an open-source vehicle instrumentation simulator. The simulator contains two modules, controls and ICSim. The controls are responsible for generating simulated vehicle data, which are sent to the virtual CAN interface in the form of CAN messages, and ICSim reads from the virtual CAN interface. CAN message, and update the status of the corresponding parts on the instrument, such as vehicle speed, door status, etc.
Install Dependencies
sudo apt install libsdl2-dev libsdl2-image-dev can-utils maven autoconf
ICSIM
git clone https://github.com/zombieCraig/ICSim.gitcd ICSim/
sudo make
Socketcand
git clone https://github.com/linux-can/socketcand.gitwget https://raw.githubusercontent.com/dschanoeh/socketcand/master/config.h.incd socketcand/
autoconf./configure
make cleanmakesudo make install
Kayak
git clone https://github.com/dschanoeh/Kayak.git
cd Kayak/
mvn clean package
At this point, all installation is complete.
Start Attacking
First set the vcan (virtual CAN) interface
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
Open the Dashboard Simulator
./icsim vcan0
Open the dashboard controller
./controls vcan0
Controls
Function control button
turn signal Keyboard left and right keys
speed Keyboard up and down keys
open the door Right SHIFT key + A
close the car doorLeft SHIFT key + A
open all doors Left SHIFT key + Right SHIFT key
close all doors Right SHIFT key + Left SHIFT key
Use candump to capture packets
candump vcan0 -l
See the captured package, because the CAN is constantly communicating, the package will be very large.
Next, we find the data packets controlling the vehicle on the CAN network to attack him.
Listen to capture packets, then open and close all car doors.
More than 10,000 packages were caught.
Next, we use the dichotomy method to delete half at a time to find the package that closes the car door.
Finally, the package that opens all the doors is found by dichotomy:
(1668507963.222323) vcan0 19B#000000000000
Among them, 19B is the device identifier, look for 19B in the data packet.
grep 19B candump-2023-03-22_052559.log
(1668507960.512530) vcan0 244#000000019B
(1668507962.233563) vcan0 19B#00000F000000
(1668507963.222323) vcan0 19B#000000000000
(1668507963.517110) vcan0 244#000000019B
(1668507964.208966) vcan0 19B#00000F000000
(1668507965.319056) vcan0 244#000000019B
We can see one of them 19B#00000F000000. If we get to 19B#000000000000open all the doors, then we also perform the operation of closing all the doors later. It can be guessed 19B#00000F000000that all the doors are closed.
As can be seen above, this data packet is controlled by the third byte.
(1668507962.233563) vcan0 19B#00000F000000
(1668507963.222323) vcan0 19B#000000000000
The packet that locks all doors will represent the nibble as a hex F. Breaking this down into binary yields 16 possible combinations of gates.
binaryhexadecimal
00000
00011
00102
00113
01004
01015
01106
01117
10008
10019
1010a
1011b
1100c
1101d
1110e
1111f
Try different car doors controlled by characters.
charactercar door
8right rear door
4left rear door
2right front door
1left front door
Suppose 1 is the action of locking the door and 0 is the action of unlocking the door. So when we identify our door, the identified door gets the command to lock it and the other doors get the command to unlock it. For example, the binary value of character 8 is 1000, so it means lock the door, open the door, open the door, open the door.
You can try to see if C has closed the two rear doors and opened the front two doors.
At this point, you can control the switch of each door. In the same way, steering and throttle are the same principles.
Top comments (0)