DEF CON 27 - Our Car Hacking CTF Experience

The Car Hacking Village CTF at DEF CON 27 was a fun, educational, and humbling event to participate in. We got 9th place, mostly due to luck and tenacity. Before this event, we have not tried to interface with, let alone hack, a vehicle. So, we spent the whole of DEF CON 27 in the CHV CTF to change that. Here's our story...

CHV CTF Final Scoreboard

Unfortunately, we cannot offer up a single write-up for the actual car hacking challenges as we were unable to complete a single one of them. However, there were a lot of trivia questions which sent us down multiple rabbit holes where we learned terms, concepts, and attack vectors that we had zero knowledge of before. The purpose of this post is simply to share our experience and touch on building the nano-can and using a HackRF One to replay a key-fob button press.

Overall, I'd say that going to one of the largest hacking conferences in the world to participate in a hacking competition against something that you have zero experience hacking on...well it is probably not the best way to devote your time. But, we did it anyway and the main takeaway/advice we have to offer for our fellow car hacking n00bs is to devote a handful of hours to it and at least look at the challenges presented, talk to the organizers and other participates, and plug in to some of the physical setups they have. I guarantee you will learn something new. 

I mean, check out this setup:

3PO (2012 Ford focus)

We were told that this was the most Challenging One

Tesla

And that wasn't even all of them.

Believe it or not, we scored the first flag, and lead the board for a hot minute.

First Place!

We knew we wouldn't hold first for long, nor did we care, but having been the first team on the board; we won the first drawing to roll the D20! Our lucky roll gave us 500 points. The D20 was rolled every hour by a team who's card got picked. They seemed to be handing out the cards to teams completing certain challenges and possibly at random. At one point we basically just asked for a couple and they obliged!

Team Details

Each number on the die corresponded to a positive, negative, or destructive event. Our first roll won points, in another roll we lost points, and I think our third roll caused the top 10 teams to lose points. Plenty of other teams rolled the die as well, and there was a quite a bit of aggression taken out on a brand new Tesla because of the D20 demanded it. 

Look at that Beautiful WTG Sticker on the Frunk!

This prize was a bit of a head scratcher to most - but the idea, as I understood it, was that the first place team would win this car, it would be drivable but ruined, and so it would be better suited as a hacking platform than the winner's new daily driver.  The frunk took most of the hits, all of the body panels were keyed, and the whole car was covered in stickers and paint. Jayson Street even got weird with it. 

To prep for this event, I basically got a crash course from Adam Logue the night before it started.

Only WTG in this pic is Wearing Orange

He was also kind enough to loan us some gear:

Car Hacking Load-Out

I had a difficult time getting the ValueCANs to play nice with my VM. We had the 3 and 4. Ideally, I would have figured out how to use these with my setup before sitting down to any of the challenges but I got them the night before. As these were not mine and are out of my price range, I was thinking about what I could use to help me learn at home but not break the bank.

As luck would have it, @mintynet was sitting next to me at one point during the CTF and he handed me a board for his nano-can project. He told me that if I'm going to build it; use the official Arduino nano board as it wouldn't give me any issues with the CAN speed where as the knock off boards probably would. So picked one up ($20), as well as the MCP2515 ($11), and an OBDII plug ($7) and followed Ian's instructions and put it all together.

Assembled Nano-Can

Some tips on the assembly, the Low connection on the MCP2515 goes to OBD2 pin 14 and the wire has the stripe in the build pictures. High goes to pin 6 in the plug, and when you look at the google image search results to reference the pinouts on an OBD2 plug, you are looking at it from the back. I tested it with a multimeter to be sure but at the time it tripped me up for a few minutes.  I'd also recommend soldering the OBDII connections on the MCP2515 terminals because it's super easy to unplug while using it in a car. 

Loading the sketch was painless, I figured I'd start with the can-receive-all sketch and see if I could see anything. 

It Works!

I have big plans to mess around with the sketches in order to see if I can do anything interesting like unlock the doors, roll down windows, and pull the VIN. I'm still a noob in this space so it will probably be slow going. 

With Derbycon coming up, I'll have to return all the gear I borrowed from Adam. So, I figured I'd better play around with the HackRF One while I still had access to it. This particular one has the Portapack H1 installed and is running Havoc firmware. 

I heard that my vehicle has a vulnerable key fob, though it's not static, it is possible to replay the signal or even simply brute force it. 

As I only have the one device, I don't believe it's possible for me to jam the car, record two keypresses, etc...I will experiment with this later when I have two HackRFs on hand. But for the time being, I simply went out of range and recorded the unlock key press and then used the HackRF One to replay the recorded signal as seen in the video below:

Dude, Who Unlocked my Car?

The steps I took to do this were as follows:

1) Lookup my fobs FCC ID to learn the frequency range. Though the HackRF can find this too. 
2) Capture > defined the frequency and set the other settings to: 25K 0 16 32 500k
3) Went out of range of the target vehicle, recorded the unlock key presses.
4) Returned to the target vehicle
5) Go to Replay > press Open file > select recording BBD_xxxx.C16
6) Press Play
7) Profit!

I do plan on acquiring a HackRF One with the Portapack so I can look into these attacks a bit more. I understand it may be possible to brute force the code to unlock without jamming or having to go out of range. I also plan on borrowing a second HackRF One to learn how to do the rolljam attack.

When I get that far, perhaps I can do a guest post on doyler.net.  

Anyway, the Car Hacking Village was a lot of fun and even though I may have jumped into the deep end when I should have started in the kiddie pool, I'm glad I did it because I'm now well on my way to learn a whole new set of skills.   

Thanks for reading!

Find us on Twitter: @teamWTG











Popular posts from this blog

A Primer for On-Site CTFs

BHIS CTF@Shmoocon 2019 - Feeling Blue?