The first person to crack Tesla, the 360 ​​car network security center engineer Liu Jianwei also created a "universal car cracker": a new car bought by the eight children, can be easily driven away by him? ! In fact, in November, Liu Jianyi showed off this cool technology. In the 360 ​​company building, there were more than 20 luxury cars. Using mysterious technology, Liu Jianwei and the team easily solved the cars one by one.
This time, he came to decipher in detail - how he did it.
BUG left by CAN bus
The source of all danger is the car's CAN bus design.
CAN is the abbreviation of Controller Area Network. It was developed in 1986 by German BOSCH company, which is famous for developing and producing automotive electronics products, and eventually became an international standard (ISO 11898). It is the most widely used internationally. One of the widest fieldbuses.
For cars, there are many ways to attack: OBD boxes, WI-FI, Bluetooth, car APP, car networking platforms... they are all controlled via the CAN bus. If the CAN bus is safe, even if the hacker uses the above-mentioned methods to make a move to the car, the overall safety of the car can be guaranteed. These tricks are just "entertainment". However, if the CAN bus is not safe, such a car can be attacked by a "dog strap" - it is useless to hold the car key, which is now a hacker who controls the CAN bus.
How to guard the security of the CAN bus, from the structure of the CAN bus.
The story started like this, a long time ago...
The traditional car harness structure is like this: many controllers are linked on one thing, and the controllers may interfere with each other...
Until one day, people can't stand it and design a bus architecture. Just like a switch, all ECUs (electronic control units) go through this "switch": exchange information and coordinate commands.
However, it seems that the CAN bus has several deadly attack points:
1. It complies with the CSMA/CD communication method. When any node is connected to the bus, the bus data can be seen, so the hacker can find all the data in the car as long as he finds a point to break.
2. It supports multiple access. All nodes on the network receive data through a bus. All data is on one line. The data sent is broadcast, so you can see the control commands sent by many controllers. If the control command is Clear text, then you can control some of the car's equipment by replay;
3. It has a collision detection mechanism. All nodes continuously detect the transmitted data during the process of sending data, preventing conflicts with other nodes. Because of this mechanism, as long as the data is sent in the traditional line, it can lead to The CAN bus refused service and no controller on the car responded.
Liu Jianwei introduced that as long as you know the data, ID, and transmission period of the CAN bus, the hacker can judge a certain control function through replay.
Therefore, the attack on the CAN bus is actually very dangerous. It can eavesdrop on bus data, falsify protocols, and implement replay attacks and denial of service attacks. This means that if you do these actions, the car is in extreme danger. Can the universal car cracker really crack all the cars?
Yes, as long as the car has a CAN bus design.
First look at the theoretical analysis - the automotive CAN network reverse process is mainly divided into four steps: screening, positioning, cracking signals, verification and preservation.
The first step: screening
Using some USB-CAN tools on the market to connect to the car's CAN bus, CAN data packets broadcast on the CAN bus can be obtained, and reverse analysis can be performed from a large number of data packets to find the desired CAN data packet.
Step 2: Locate the CAN_ID
For the control of a certain function of the vehicle body, only one CAN ID data packet is needed. At this time, it is only necessary to simply replay to achieve the purpose of the attack, and some functions require a combination of multiple CAN ID data packets. Yes, there are some CAN ID packets with counters that must be added to the attack to bypass the pre-crash system.
The third step: crack the signal
There are 8 bytes in the CAN_ID packet. What each byte represents and the numbers on these bytes are not fixed. For example, the value on the speedometer is calculated according to the formula. If it is changed to the desired one. The value (that is, changing the speed in the movie to death) requires a formula to get the correct result.
In the process of testing, it is necessary to trigger the car action, then determine the change of CAN_ID, and then find the corresponding value, so that the signal and the car action can be cracked.
Step 4: Verify and save
Combined with the above results, the FUZZ tool is made, and then more car loopholes are discovered. If it is necessary to repair, it is of course possible.
In practice, we must continue to solve some difficulties.
Liu Jianxi said: "We took some traditional USB tools and connected them to the car. We found that the screen is very fast. When analyzing the CAN protocol, we must look at the execution and the eyes will be spent."
In order to analyze the data clearly, without tools, create one yourself. Therefore, Liu Jianwei and his team created a "CAN-Pick". This "CAN-Pick" is their "car safety bus test platform" - test whether the car bus is safe.
In fact, it is also a universal car cracker.
Although, its appearance does not look so cool, it is just a small black box and a software platform that can be connected to the car.
So, how exactly will this car be blacked out?
With the computer and the small black box connected to the body, the body will also generate some data when it is at rest. These data are called interference data, and the first step is to obtain the interference data. When the small black box is connected, visual interference data will appear on the software platform; then, the vehicle light is operated to obtain the data packet when the light is operated, and the interference data is compared, thereby discovering that the operating light can be actually released. Instruction packet. By replaying this newly acquired packet, the headlights can be operated.
The other operations are the same.
Yan Minrui, another engineer at the 360 ​​Vehicle Network Security Center, introduced:
This software supports the whole platform, there are a variety of hardware to be tested, whether it is on the market, or developed by yourself, will provide SDK, let you try it yourself. At the same time, you can write some plug-ins online. These plug-ins can be shared to the server. You can also download some plug-ins written by others from the server to share them. Many people can operate this software at the same time.
This means that “all people†can join the “black car†– oh no, it’s a platform to test whether the car is safe.
Since the CAN bus can be attacked and this tool can also detect if a car is safe, is there any way to stop this from happening?
Liu Jianwei said that the car bus design was originally used in a closed network environment, and did not consider security issues. For the design of the bus network structure and control commands, it is necessary to enhance the verification measures between the ECUs, including the use of time stamps and verification. The method prevents replay crack attacks, increases the cost of the control protocol being reversed, and controls the security of the connected components.
Their current thinking is to securely encrypt the CAN bus, for example, whether some encryption algorithms can be inserted in the data packet. Liu Jianxi revealed that at present, the research team of Tsinghua University is also conducting research in this field.
Outdoor Rental Die-Cast 640x640
Full Color Led Signs improved competitive price with better effect and quality. The Led Display Signs Die Casting Aluminum Cabinet size is 640x640mm for Outdoor Usage, Good resolution for Led Advertising Signs P4mm P5mm P6.67mm P8mm, Rental LED Signs Outdoor to achieve uniform brightness and driving chip of high consistency and pixel brightness consistency.The screen showed more uniform and more clear. When choose 640mm x 640mm Led Display Rental Cabinet, it can depend on different price for P8 P6.67 P5 P4, because all their module size can be 320x160mm, it is easy to make 640x640 Die Cast Aluminum Cabinet.
Light and slim seamless connection design die-casting aluminum cabinet, it`s only 90mm in thickness which can achieve better wall mounted effect The cabinet is light, it`s only 28kg/sqm which is labor saving.
1) Stronger protection: LED chips are welded on the PCB board directly, then do encapsulation. It has excellent protection capabilities.
2) Higher reliability and stability: simpler process on material using and producing than SMD, so it has higher performance on heat dissipation to prolong life span.
3) Larger viewing angle: has larger viewing angle and is easy to control the loss of light refraction.
Easy Installation: magnesium alloy cabinet design and fast lock make the installation, transportation, maintenance easier
Lightweight: only 30kgs, saving workforce and transportation cost
High Waterproof Level: IP65 for rear and back side, fit for naked installation without decoration.
Adopt dual service of black kingkong series among core techniques, free back service path for all kinds of installation surroundings.Broadcast level color scale, color temperature and brightness adjustable intelligentizedly, smooth color, high color ratio, nature pictures.
We Jongsun LED is specialized manufacturer from Shenzhen China, which focusing on the research and development, production, sales and engineering services of terminal LED Displays. We have the perfectly after-sales and 7x24hours technical support. Looking forward your cooperation!
Led Signs Outdoor, Led Advertising Signs, Led Display Signs, Full Color Led Signs
Shenzhen Jongsun Electronic Technology Co., Ltd. , https://www.jongsunled.com