pyvit: Python Vehicle Interface Toolkit and CANtact


pyvit: Python Vehicle Interface Toolkit 

Pyvit is a toolkit for interfacing with cars from Python. It aims to implement common hardware interfaces and protocols used in automotive systems.

 
CANtact INTERFACE

You need hardware such as CANtact to get the most out of this Python library. CANtact is an open source interface that lets a Linux computer interact with the CAN bus through the can-utils of SocketCAN and through pyvit (designed for hacking). The source code and the hardware design are available on GitHub: 





 

With Pyvit and CANtact you can implement several Denial of Service, Fuzzing and Injection Attacks. 



PRELIMINARY

SocketCAN provides three types of CAN interfaces: virtual interfaces (vcan0), native interfaces (can0) and SLCAN interfaces (slcan0). To establish communication, you first need to configure slcand (it is installed with can-utils), which handles the interaction between the serial interface and the CAN bus. For this you need to know the name of the connected device, in this case ttyACM0. slcand is then configured with the following options:

-o          opens the device
-s6         sets the transfer speed of the CAN bus to 500 Kbps
-t hw       specifies the flow control
-S 500000   indicates the serial transfer rate
ttyACM0     device name (passed as a positional argument, without a leading dash)
  
After configuring and enabling the interface you can use the can-utils tools, such as candump, which lets you monitor the CAN bus. Its output can also be redirected to a text file for later analysis. Similarly, cansniffer lets you monitor the CAN bus while grouping the packets by ID (highlighting the bytes that changed).

To carry out a packet injection attack and control the car's functions, the monitored traffic is first stored while a specific action is carried out in the car (such as opening and closing a door, activating and deactivating the handbrake, etc.). The logs are then analyzed to find repetitive behavior in the IDs and thus determine the range of the filters, which are used with cansniffer to identify the packets that could perform the action (it's like playing battleship). Subsequently, each packet is injected with cansend until the action has been carried out.




FUZZING ATTACK

The objective of this attack is to inject dynamically created malformed packets in order to cause unexpected behavior and observe the reaction of the car when it is on or off. Executing the fuzzing attack could cause some failure: some of the dashboard lights turn on randomly, the Check Engine warning lamp is activated, or the communication bus is saturated. Therefore, it is convenient to do these tests on the BCM and the Combination Meter. For this, the following script was executed:



Fuzzer-1.py injects frames with fixed IDs and mutable data into the ECU:

ID     Data ... ... ... ... ... ... ... ... ...
3D1 xx xx xx xx xx xx xx xx 
3D5 xx xx xx xx xx xx xx xx 
3D9 xx xx xx xx xx xx xx xx 

The result of the execution of the script with the engine turned off and on was successful: while the frames were being injected, all the warning lights on the dashboard were switched on randomly, the flashing lights were activated, the trunk was opened and the door safety locks were closed:





 DoS ATTACK

The purpose of this attack is to saturate the communication bus so that, when an ECU tries to send a message, it cannot, because the bus is carrying data with higher priority, and the ECU is therefore put into listening mode. In this way, any action you try to take on the car will not be possible, because the ECU will not respond. To carry out this attack you can use the following script:
 


(DoS-1.py injects Frames with IDs 000 on CAN Bus, which have higher priority)

 ID    d1 d2 d3 d4 d5 d6 d7 d8 
000  00 00 00 00 00 00 00 00

This script injects frames with the ID and data set to zeros, which are sent every so often to have the highest priority and thus saturate the communication bus.
 
The result of the execution of the script with the engine turned off and on was unsuccessful: while the script was running it was still possible to start the engine and carry out actions without any problem.
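Both patterns described above (changing data on fixed IDs such as 3D1/3D5/3D9, and a stream of ID 000 frames) stand out when a candump log is compared with a known-good baseline. The following is an added example, not code from the original post or from pyvit; the log lines are constructed, and the thresholds, the `slcan0` name and the helper names are assumptions.

```python
import re
from collections import defaultdict

# candump -l log line: "(1700000000.000000) slcan0 3D1#0011223344556677"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def profile(lines):
    """Return ({id: {"count", "payloads"}}, capture duration in seconds)."""
    stats = defaultdict(lambda: {"count": 0, "payloads": set()})
    stamps = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a classic CAN frame record
        stamps.append(float(m.group(1)))
        entry = stats[int(m.group(2), 16)]
        entry["count"] += 1
        entry["payloads"].add(m.group(3).upper())
    duration = max(stamps) - min(stamps) if stamps else 0.0
    return stats, max(duration, 1e-6)

def detect(baseline, capture, rate_factor=5.0, payload_factor=4.0):
    """Compare a capture against a known-good baseline; thresholds are assumed."""
    base, base_dur = profile(baseline)
    cur, cur_dur = profile(capture)
    alerts = []
    for can_id, seen in sorted(cur.items()):
        if can_id not in base:
            alerts.append((can_id, "unknown-id"))  # e.g. a stream of ID 000
            continue
        ref = base[can_id]
        if seen["count"] / cur_dur > rate_factor * ref["count"] / base_dur:
            alerts.append((can_id, "rate"))
        if len(seen["payloads"]) > payload_factor * len(ref["payloads"]):
            alerts.append((can_id, "payload-variety"))  # fuzz-like data
    return alerts

def frames(can_id, n, period, payload, t0=1700000000.0):
    """Build constructed log lines; payload(i) returns 16 hex characters."""
    return [f"({t0 + i * period:.6f}) slcan0 {can_id:03X}#{payload(i)}" for i in range(n)]

# Constructed sample data, not captured from a vehicle.
BASELINE = (frames(0x3D1, 10, 0.1, lambda i: "00000000000000%02X" % (i % 2))
            + frames(0x3D5, 10, 0.1, lambda i: "1000000000000000"))
CAPTURE = (frames(0x3D1, 10, 0.1, lambda i: "%016X" % (i * 0x0123456789AB))
           + frames(0x3D5, 10, 0.1, lambda i: "1000000000000000")
           + frames(0x000, 900, 0.001, lambda i: "0000000000000000"))

if __name__ == "__main__":
    for can_id, reason in detect(BASELINE, CAPTURE):
        print(f"{can_id:03X}: {reason}")
```

On a real bus the baseline would come from a capture taken in a known-good state, and the factors would need tuning per ID, since some legitimate signals change payload on every frame.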
