Automotive Networks-, Controllers- and Systems-Security | Nullcon Berlin 2022

Trainer Name: Nils Weiss, Enrico Pozzobon

Title: Automotive Networks-, Controllers- and Systems-Security

Dates: April 5, 2022 to April 7, 2022

Time: 9 a.m. to 5:30 p.m. CEST

Venue: NH Hotel, Alexanderplatz, Berlin, Germany




Note: Regarding COVID-19 safety, Nullcon will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Nullcon will follow all applicable health regulations required by the local and government authorities.

Training Objectives

Automotive security is becoming increasingly important, but entry into this research field is still very difficult.

In this training, we will teach the basics of automotive protocols and systems that are required to understand the details and specialties of ECUs. We will provide physical ECUs for hardware reverse engineering and explanation, as well as a virtualized and remote environment to overcome the usual difficulties of practical work on hardware systems. In the automotive industry, every OEM has its own design philosophy. We introduce the relevant tools and background information necessary for hacking real cars. Furthermore, we introduce the basics of firmware reverse engineering of automotive systems. Last but not least, we show automation strategies for automotive network security and system security assessments.

Training level: Intermediate

What to Expect? | Key Learning Objectives

Students will:

  • learn how to identify attack surfaces on ECUs
  • understand low-level CAN communication and attacks
  • obtain an overview of vehicle architectures and network topologies
  • know the most relevant protocols in current vehicles
  • receive hands-on experience in automotive network scans
  • learn how to attack diagnostic protocols, including firmware dumping and reverse engineering
  • learn how to break security access mechanisms in some current cars
  • learn how to execute code on insecure ECUs
  • get an overview of the toolchains of OEMs and their software update mechanisms
  • know the basics of current immobilizer systems

Module Outlines

  • Introduction
  • Goals of this training
  • Exercise Environments
    • Physical ECUs
    • Simulated CAN-Bus
    • Simulated ECU
    • Remote ECUs
  • Vehicle Network Structures
    • Network Technologies
    • Topologies
    • Automotive Network Layers (Protocols)
  • CAN-Layer
    • Basic Protocol
    • Low-Level Attacks
    • SocketCAN
    • Linux can-utils
    • python-can
    • Scapy CAN layers
    • DBC files
    • MITM Attacks
    • Message Authentication
    • Fuzzing
  • ISOTP
    • Basics of ISOTP
    • Linux Kernel Module and Utils
    • Parsing of CAN-Messages
    • MITM-Attacks
    • Scanning of Networks
  • UDS/GMLAN
    • Basics of the protocols
    • UDS and GMLAN in Scapy
    • Security Access
    • Scanning
    • Automation
  • DoIP / HSFZ
    • Basics of the protocols
    • Useful tools
  • SOME/IP
    • Basics of Automotive Ethernet
    • Basics of SOME/IP
    • Useful tools
  • CCP/XCP
    • Background information
    • Basics and tools
    • Scanning
  • OBD2
    • Basics of the Protocol
    • Scanning and Automation
  • OEM specific
    • Overview of most popular car hacks
    • Security Access Implementations
    • Update Procedures
    • Tool-chain Overview
      • BMW
      • Daimler
      • VAG
    • Immobilizer Systems
  • Real Car
    • Demonstrations
    • OEM-Tools
    • Free-Hacking
  • Hardware
    • Locate interfaces on ECUs
    • JTAG 101
    • Firmware dumping
    • Firmware reverse engineering
      • Ghidra 101
      • Overview of popular architectures
      • Memory Maps
      • Peripherals
      • IVT
      • Identify UDS Services
      • Understand Security Access Algorithms
      • Bootloader and Flashloader
      • State Machines and general firmware patterns in automotive systems
    • Firmware patching

Who Should Attend? | Target Audience

  • Security Researchers and Engineers
  • Hackers interested in cars
  • Engineers, Developers and Designers for automotive systems

What to Bring? | Software and Hardware Requirements

  • Laptop with WiFi ((Arch) Linux is the preferred OS for this course) and Admin / root privileges
  • SSH client
  • Installation of the latest Ghidra version
  • Feel free to bring an ECU you want to hack

What to Bring? | Prerequisite Knowledge and Skills

  • Basic knowledge of programming (C, Python)
  • Basic knowledge of Linux
  • Basic knowledge of embedded systems is a plus, but not required
  • Basic knowledge of firmware reversing with Ghidra is a plus, but not required
  • Basic knowledge of Wireshark or Scapy is a plus, but not required

Resources Provided at the Training | Deliverables

  • Access to various ECUs through a remote setup during the training.
  • Virtualized automotive setup for exercises.
  • Lecture materials.

About the Trainer

Nils Weiss is a PhD student at the Laboratory for Safe and Secure Systems (las3.de) of the University of Applied Sciences in Regensburg. He has been focusing on automotive security research for more than 5 years. After an internship at Tesla Motors, Nils decided to start with automotive security research. During his bachelor and master programs, he started with penetration testing of entire vehicles. Besides penetration testing of automotive systems, he contributes to open source penetration testing frameworks for automotive systems (Scapy).

Enrico Pozzobon started with automotive security during his Erasmus semester at the University of Applied Sciences in Regensburg. He studied telecommunication engineering at the University of Padua. For 4 years, Nils and Enrico have been building up a laboratory for automotive penetration testing at the University of Applied Sciences in Regensburg. Besides automotive, he focuses on side-channel analysis and fault injection attacks. Enrico contributes to the NIST Lightweight Cryptography project.