
Abstract

Yannay is a security researcher interested in Linux, Low-Level Vulnerabilities and Exploits, Embedded Devices and everything nice. Yannay also enjoys playing CTF every now and then, injuring his tendons on V8 bouldering problems and writing about himself in the third person. In recent years Yannay has found some nice vulnerabilities and developed some general exploitation techniques, which he has published at conferences and in blogs and magazines such as PoC, CCC, Troopers, PoC||GTFO and others. Before having an adult civil life, Yannay served as a researcher and developer in the IDF after completing his bachelor’s degree in C.S. at the age of 18.

[Abstract]
==========
In recent years the Telematics industry, which provides additional services for vehicle management, has been on the rise. Small boxes packed with capabilities are installed in vehicles and used to provide many services such as fleet management, usage-based insurance, real-time position tracking, in-vehicle connectivity and others.

To improve the services provided by Telematics devices (such as real-time malfunction reports), many of them are connected both to the vehicle's computer network and to the external world, e.g. the Internet. As such, they are a lucrative target for an attacker who wants to connect remotely to the vehicle’s electronic systems. If such a scenario is executed successfully, it may yield grave results and impact the safety of the vehicle.

In our research, we analyzed the security of a common Telematics device. We found (too) many ways an attacker can compromise the device (locally and remotely). Using a compromised device, an attacker can send messages to the in-vehicle CAN network over a cellular modem connection, allowing the attacker to control critical vehicle functions. The hypothetical scenario outlined above is possible today. Now.

An attacker on the other side of the world can take over these devices, at scale, and cause the vehicles in which they are installed to misbehave. The possibilities are limited only by the imagination.

In our talk we discuss our research and its results. We explain the multiple vulnerabilities and attack vectors by which an attacker can make the device execute commands. We then describe a viable attack plan by which the attacker can take full control over the device. Finally, we conclude with a full POC showing what an attack scenario would look like: how an attacker can activate car functionalities over the Internet without ever being in the vicinity of the car.
