DEF CON 27 - Our Car Hacking CTF Experience

-
The Car Hacking Village CTF at DEF CON 27 was a fun, educational, and humbling event to participate in. We got 9th place, mostly due to luck and tenacity. Before this event, we have not tried to interface with, let alone hack, a vehicle. So, we spent the whole of DEF CON 27 in the CHV CTF to change that. Here's our story...

CHV CTF Final Scoreboard

Unfortunately, we cannot offer up a single write-up for the actual car hacking challenges as we were unable to complete a single one of them. However, there were a lot of trivia questions which sent us down multiple rabbit holes where we learned terms, concepts, and attack vectors that we had zero knowledge of before. The purpose of this post is simply to share our experience and touch on building the nano-can and using a HackRF One to replay a key-fob button press.

Overall, I'd say that going to one of the largest hacking conferences in the world to participate in a hacking competition against something that you have zero experience hacking on...well it is probably not the best way to devote your time. But, we did it anyway and the main takeaway/advice we have to offer for our fellow car hacking n00bs is to devote a handful of hours to it and at least look at the challenges presented, talk to the organizers and other participates, and plug in to some of the physical setups they have. I guarantee you will learn something new. 

I mean, check out this setup:

3PO (2012 Ford focus)

We were told that this was the most Challenging One

Tesla

And that wasn't even all of them.

Believe it or not, we scored the first flag, and lead the board for a hot minute.

First Place!

We knew we wouldn't hold first for long, nor did we care, but having been the first team on the board; we won the first drawing to roll the D20! Our lucky roll gave us 500 points. The D20 was rolled every hour by a team who's card got picked. They seemed to be handing out the cards to teams completing certain challenges and possibly at random. At one point we basically just asked for a couple and they obliged!

Team Details

Each number on the die corresponded to a positive, negative, or destructive event. Our first roll won points, in another roll we lost points, and I think our third roll caused the top 10 teams to lose points. Plenty of other teams rolled the die as well, and there was a quite a bit of aggression taken out on a brand new Tesla because the D20 demanded it. 

Look at that Beautiful WTG Sticker on the Frunk!

This prize was a bit of a head scratcher to most - but the idea, as I understood it, was that the first place team would win this car, it would be drivable but ruined, and so it would be better suited as a hacking platform than the winner's new daily driver.  The frunk took most of the hits, all of the body panels were keyed, and the whole car was covered in stickers and paint. Jayson Street even got weird with it. 

To prep for this event, I basically got a crash course from Adam Logue the night before it started.

Only WTG in this pic is Wearing Orange

He was also kind enough to loan us some gear:

Car Hacking Load-Out

I had a difficult time getting the ValueCANs to play nice with my VM. We had the 3 and 4. Ideally, I would have figured out how to use these with my setup before sitting down to any of the challenges but I got them the night before. As these were not mine and are out of my price range, I was thinking about what I could use to help me learn at home but not break the bank.

As luck would have it, @mintynet was sitting next to me at one point during the CTF and he handed me a board for his nano-can project. He told me that if I'm going to build it; use the official Arduino nano board as it wouldn't give me any issues with the CAN speed where as the knock off boards probably would. So picked one up ($20), as well as the MCP2515 ($11), and an OBDII plug ($7) and followed Ian's instructions and put it all together.

Assembled Nano-Can

Some tips on the assembly, the Low connection on the MCP2515 goes to OBD2 pin 14 and the wire has the stripe in the build pictures. High goes to pin 6 in the plug, and when you look at the google image search results to reference the pinouts on an OBD2 plug, you are looking at it from the back. I tested it with a multimeter to be sure but at the time it tripped me up for a few minutes.  I'd also recommend soldering the OBDII connections on the MCP2515 terminals because it's super easy to unplug while using it in a car. 

Loading the sketch was painless, I figured I'd start with the can-receive-all sketch and see if I could see anything. 

It Works!

I have big plans to mess around with the sketches in order to see if I can do anything interesting like unlock the doors, roll down windows, and pull the VIN. I'm still a noob in this space so it will probably be slow going. 

With Derbycon coming up, I'll have to return all the gear I borrowed from Adam. So, I figured I'd better play around with the HackRF One while I still had access to it. This particular one has the Portapack H1 installed and is running Havoc firmware. 

I heard that my vehicle has a vulnerable key fob, though it's not static, it is possible to replay the signal or even simply brute force it. 

As I only have the one device, I don't believe it's possible for me to jam the car, record two keypresses, etc...I will experiment with this later when I have two HackRFs on hand. But for the time being, I simply went out of range and recorded the unlock key press and then used the HackRF One to replay the recorded signal as seen in the video below:

Dude, Who Unlocked my Car?

The steps I took to do this were as follows:

1) Lookup my fobs FCC ID to learn the frequency range. Though the HackRF can find this too. 
2) Capture > defined the frequency and set the other settings to: 25K 0 16 32 500k
3) Went out of range of the target vehicle, recorded the unlock key presses.
4) Returned to the target vehicle
5) Go to Replay > press Open file > select recording BBD_xxxx.C16
6) Press Play
7) Profit!

I do plan on acquiring a HackRF One with the Portapack so I can look into these attacks a bit more. I understand it may be possible to brute force the code to unlock without jamming or having to go out of range. I also plan on borrowing a second HackRF One to learn how to do the rolljam attack.

When I get that far, perhaps I can do a guest post on doyler.net.  

Anyway, the Car Hacking Village was a lot of fun and even though I may have jumped into the deep end when I should have started in the kiddie pool, I'm glad I did it because I'm now well on my way to learn a whole new set of skills.   

Thanks for reading!
@strupo_

Find us on Twitter: @teamWTG











Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more