Inspiration

We wanted to prove that it is possible to hack a vehicle without having physical access to it. To validate our idea, we came up with a method that exploits vulnerabilities in the OBD II port remotely. We weaponized our exploits by reverse engineering the CAN messages with Vehicle Spy. The manipulated CAN messages are injected into the CAN bus through a Neo OBD II Pro dongle. We demonstrated that a GM Camaro can be controlled: shutting down the vehicle, opening and closing windows, increasing and decreasing the radio volume, and changing the vehicle speed and fuel gauge.

Attack vectors

Key Fob Radio On-board Diagnostic Port II

Scenarios

The attacking scenarios are listed below:

1) The car owner presses the lock button and an attacker blocks the keyless entry system, which keeps the door unlocked. In this implementation, the attacker has physical access to the vehicle, plugs a Raspberry Pi with a Neo dongle into the OBD II port, and hides it from view.

2) The attacker first sets up a fake wireless Access Point (AP). Then, she connects to the AP via the Raspberry Pi, which connects to the Neo OBD II. By doing that, the attacker can control the car through the cloud.

3) Building on scenario 2, the attacker sniffs the CAN messages and reverse engineers them using Intrepid Neo VI FIRE and Vehicle Spy. The attacker transmits arbitrary CAN messages to the bus to unlock the door, turn the volume up and down, and finally perform a Denial of Service (DoS) attack on the CAN bus. The attack can successfully shut down the vehicle.

Project Objective: Our project executes the above-mentioned attack scenarios. The goal was to remotely lock and unlock the vehicle, increase the volume, and perform a DoS attack on the bus.

How I built it

We built the project using Raspberry Pi -> SocketCAN -> Neo VI FIRE -> Python -> Pineapple Wireless Access Point -> Kali Linux -> Secure Shell enabled on the Raspberry Pi for remote access -> Neo OBD II Pro cloud platform to transmit and receive CAN messages.

Challenges I ran into

It took us a while before we got to communicate with the vehicle. We overcame the challenges by creating SocketCAN communication through the Raspberry Pi and using SSH to control the vehicle remotely. Also, reverse engineering CAN messages was challenging.

Accomplishments that I'm proud of

We are proud that we could control a vehicle remotely, increase the volume, control the windows, and shut down the vehicle completely; the vehicle was not able to start for a while.

What I learned

We learned how to send messages wirelessly, control windows, and reverse engineer CAN messages.

What's next for Vehicle Wireless remote access

Work on implementing a secure gateway so that adversaries cannot replicate this attack. Improve security and weakness within the automotive
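A minimal sketch of the kind of gateway policy this points to, as an added example that is not the project's own code: frames arriving from the OBD II port are forwarded to the vehicle bus only if they carry a standard OBD-II diagnostic request ID (0x7DF, 0x7E0-0x7E7) and stay within a rate budget. The class and function names, the 20 frames per second budget and the sample traffic are assumptions constructed for illustration.

```python
from collections import deque

# Assumption: only legislated OBD-II diagnostic requests (11-bit IDs) may
# enter from the diagnostic port: 0x7DF functional, 0x7E0-0x7E7 physical.
ALLOWED_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
MAX_FRAMES_PER_SEC = 20  # assumed budget for a legitimate diagnostic tester


class ObdGateway:
    """Decides whether a frame arriving on the OBD II side is forwarded."""

    def __init__(self, allowed_ids=ALLOWED_IDS, max_rate=MAX_FRAMES_PER_SEC):
        self.allowed_ids = allowed_ids
        self.max_rate = max_rate
        self.recent = deque()  # timestamps of frames forwarded in the last second

    def check(self, ts, can_id):
        """Return ("forward" | "drop", reason) for one frame."""
        if can_id not in self.allowed_ids:
            return "drop", "id_not_allowed"
        # Slide the one-second window, then enforce the rate budget.
        while self.recent and ts - self.recent[0] >= 1.0:
            self.recent.popleft()
        if len(self.recent) >= self.max_rate:
            return "drop", "rate_limit"
        self.recent.append(ts)
        return "forward", "ok"


def run_policy(frames, **kwargs):
    """Apply the gateway to (timestamp, can_id, data) tuples; tally reasons."""
    gw = ObdGateway(**kwargs)
    tally = {}
    for ts, can_id, _data in frames:
        _, reason = gw.check(ts, can_id)
        tally[reason] = tally.get(reason, 0) + 1
    return tally


# Constructed sample traffic (not captured from a vehicle).
SAMPLE = (
    [(0.00, 0x7DF, bytes.fromhex("02010C0000000000"))]          # diagnostic request
    + [(0.10, 0x123, bytes(8))]                                 # non-diagnostic ID
    + [(0.20 + i * 0.001, 0x0F0, bytes(8)) for i in range(100)]  # burst, non-diagnostic
    + [(0.50 + i * 0.01, 0x7E0, bytes(8)) for i in range(30)]    # tester over budget
)

if __name__ == "__main__":
    print(run_policy(SAMPLE))
```

Dropped frames and their reasons are also the natural input for alerting, since a diagnostic port that suddenly emits non-diagnostic IDs or exceeds its budget is a strong indicator of an injected device.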
