(Thanks Jinx!

By Land, By Sea, By Air

brought to you by
One World Labs (OWL) Research
Chris/Jesse

Overview

Cars (updated from 2012)

Breaking them down, making friends with Mercedes, Volvo etc.
Architecture and attack vectors

Floating things
Fishing for ferries, simple Wi-Fi attacks

Tractors.Seriously?
What started it, and why
Methods for accomplishing the evil genius plan

All

Missiles and things that go bang:

Pac-3, a Coyote and Dr. Strangelove

Q&A: Ask questions throughout.

things with engines:

Busses and trams (Oslo ones noted, targets were in the USA)
Boeing again, this time Dreamliners
Drones, quick thoughts on what to do with the pesky things

Un-Hackable
John Deere Model B and a
Witte 2hp Hit and Miss engine

Not a challenge, merely a

statement. Based on the
LACK of built in electronics

Un-Hackable
Anyone want to guess whos?
(bonus points for date)
(First Norwegian plane, 1912)

Yea, we know about these,

early days of cruise liners
designed to go forth and make
friends

Hackable
Modern Combine Harvester,
500-1M lines of codenot
including the different heads

Modern aviation, 5 to 7 Million lines of

code (not including the entertainment
systems)

Mercedes E220 cdi, between

80 and 100 Million lines of
code!

Putting it into Perspective

VS.
Quantity of
Code:

Something to consider here is the security of the

code, whos using, accessing, developing, and which
of the 3rd party organizations are managing the
source code, or portions thereof?
(heres a hintthe Mercedes code is less distributed)

Example of ProgressBrakes

Evolution from:
Un-Hackable
To
Hackable

And to add insult to injury, this doesnt

take into consideration the Airbags
processors, Safe-Net, Tyre Pressure
Sensors, TCS or myriad of other systems
built around JUST brakes

CAN (Bus) and AUTOSAR

(Controller Area Network) AND (AUTomotive Open System Architecture)

Thanks to jcelectronica.com for the graphics!

Cars Overview (and updates)

Main CAN networks within a vehicle,
the image only shows a low number
of devices attached to the networks.

CAN and MOST networks

interoperability within the
vehicle. Primary access is via the
Bluetooth interface which can be
on either system (we love
standardsnot!)

MOST Architecture
The communication profile defines that
in a CANopen network there must be at
least one master application and one or
several slave applications, the main
target for the management of this is the
CGW (gateway module)
Applications being defined as ABS,
Cruise control etc

Every slave node contains a state

machine with the four states called:
1. Initialization,
2. Pre-Operational
3. Operational
4. Prepared
Theres primarily 5 different
management messages that can be
sent to these nodes:

Intellibus Exploded

Thanks Boeing for the graphics.more on this one later

Traditional Access Controls

Original access controls involved PHYSICAL

access to the target system, either through
independent/human analysis or ODB-II (later
years) all required access and physical presence
on-site.

OUR Access Controls

Laptop with necessary software (will go into that in a moment) Bluetooth

adaptorand either a software patch for 232/Bluetooth, or dongle/Serial/
USB device that can take output and move data across Bluetooth
spectrum (2.4GHz)

The Easier Way

Vehicle tuning software freely available, most of the systems have the
necessary embedded logging, monitoring and management software.

There is also logging software that once connected to the vehicle will initiate
a sniffer/management interface to be able to query what devices are
embedded. (ALL can be run via Bluetooth over RS232)

In PracticeYesterday

Fishing lessons for what is advertising within the 2.4 Spectrum.this is

one method for examining what targets are within range. At this point you
will also need VISUAL identification to understand attack vectors (different
based on vehicle type)

Volvo Fishing from the 6th Floor

Making friends with a Volvo while
sitting in Joes Application Penetration
Lessonto the side is the CAN232HSW,
below is the latest EControls S/W with
the Bluetooth Capture Interface
running.

And YES,
we made
friends
with it.

In PracticeThis Morning

For all those who are not Linux friendly, Mac/Windows has multiple
Bluetooth sniffers/scanners that can be used for initial target analysis.

Mercedes CAN Bus PID IDs

Simple spreadsheet demonstrating the availability of the CAN Bus IDs

necessary for the injection (in this case this morning we decided to put
all the Taxis into neutral (#003-6-0-0-0-0-0-40-0-0 PID ID injection)

Data ElementsBackground
Vehicle architectures, CANBUS and other necessary data elements are
regularly posted on-line, below Mercedes E220 DieselABS/Engine
management systems are noted, allowing us to modify and/or influence
the control surfaces.

Our Test Subjects

Mercedes S600 interface

Porsche Interface

Main Audi/VW group interface, this

was done on an A8L

Think of all the fun you could have bringing the Presidential motorcade to
a standstill in the middle of DC one day(Kidding, honest)

Other Targets
Engine ignition (spark, timing etc)

Fuel injection

Emissions controls

Collision avoidance systems

Heating/air conditioning

Navigation systems

Suspension systems

Transmission controls

Lights, horn, wipers, defrosters

Entertainment systems

Braking (anti-lock brakes)

Steering (steering assist etc)

Seat & pedal positions

Communication systems

Safety systems

Noise cancellation

Security systems

Current vehicle designs have +/- 100 processors/microprocessors/chipsets

Number of processors expected to double within the next 5 years.

A typical car contains 3 to 5 miles of wiring

FerriesBriefly
Making friends with the ferries down at the docks

Sit!! Stay, No Damm Walkies!

Doesnt help when the prey leaves the scene of attack on a semi-regular
basispatience is a virtue, so is knowing/understanding how long you
have to prepare and execute an attack..even more of an issue when
dealing with cars in traffic

Despite Walkies p0wned

Remember patience is a virtue...this mornings activities (EARLY

morning)

Tractors:

Remember Un-Hackable?

NEVER say Un-Hackable

Tractors
Why
Blame Jesse, and a late evening over pancakes

Why again?
Because cars are single/one-time hits
Because nobody else has done it
2 Billion metric tons of food (more on that later)

Seriously?
Yes, seriously, bear with us on thiswe are not
going to give away the code, but well at least
point you in the right direction.

How to Tractor Jack

Several components to the
art of tractor configurations
Main target needs to remain
obliviously the distribution
Same process as virus/
trojan propagation, you need
a host and a carrier
Distributed architecture (We
love FTP Servers)
Simple code insertion and/or
manipulation

Method 1 - Variables

Easier of the two methods, still involves a rewrite of the configuration file, however the
depth variable JUST needs to be fooled.

Ensure within the code you at least attempt

to hide the variables.

GUI Depth has to remain constant whereas

code depth variable can be adjusted for a
different unit of measurement WYSIWYG
(Not!).

Within two of the consoles the variables are

standard library input/outputs, so the
knowledgebase necessary is minimal. (cin/
cout) for one of them.

In ALL cases a detailed understanding of

ISOBUS will be necessary (John Deeres
ISOBUS Data Dictionary is 159 etc.)

IDA Pro Software

Method 2 1+1=3 Code

Some of the systems do not use
simple depth variables, for these
we need to do some math
adjustment
C o d e d e p e n d a n t
manufacturer

upon

Simply put we need to influence

the libraries that are in place by
adding in our own adjustments
Specify (declare) the integer and
then ensure the correct library
variables are found, and then just
simply cout/cin!

Deployment
Coding done, deployment method is by utilizing the existing
infrastructure (and programs deployed by manufacturers)
Two options here
Upload to manufacturers server (use your imagination!)
Direct influence of the endpoint devices (PCs that
manage the in-tractor consoles) This can be done by
identifying networks and then the correct open portshint
(use a bloody sniffer & proxy on your code!)
Dont forget the language variants for the config files!
Certify/Sign the code, a couple of the sneakier manufacturers
have some level of security. Circumventing this is simply
taking the original code,
decompiling (IDA Etc) and then
reverse engineering into the authentication methodology.

Now What?
Code deployed, now its a matter of waiting for the
updates to be picked up by the endpoint PCs
From PCs (which automatically pick up updates)
the consoles on-board are updated via USB cable/
card/stick.
As long as youve done your work correctly new
configuration will be accepted by the terminal and
adjusted/rates are now offset to your specifications.
Our test subjects Yellow/Green tractors accepted
the modified code on the second try...(the test)

Now We Wait
Given all thats past the following happens:
Crop sown March/April
Sprouting 2-4 weeks later (IF it were normal)
Configuration file 1 should have a shallow setting thus increasing
frost and/or wind damage (roots etc) (1+1=1.5)

At this point crop producer realizes they have an issue,

and re-seeding would occur, then we have two options.
Same configuration file 1 would have the shallow setting thus
increasing wind damage (roots etc) (1+1=1.5)
OR secondary configuration file is available that now has a depth
variable of 1+1=4 (or more..) so crops would eventually come
upbut too late for harvest (affects germination)
OR given we have access to planter, and its possible that depth
would be suspected, modify the spacing variable and decrease yield
(seed weight variable in some Mnf.)

Target Audience

USA Corn, Wheat and Soy

Brazil Soybean, wheat and corn

Europe Wheat, barley and oilseed

China Wheat, barley, oilseed and

rice

Russia Wheat, barley, corn and

sunflower
Rough estimates we could affect
approximately 1.5-2Billion metric ton
of food productionnot bad for some
minor edits and coding to
configuration files

Target Audience - Revised!

Due to the threat of lynch mob behavior from the
Thotcon crew in Chicago we have REMOVED Barley
from the target list (and hops)thereby preserving
the BEER. and still destroying food!

USA Corn, Wheat and Soy

Brazil Soybean, wheat and corn

Europe Wheat, and oilseed

China Wheat,, oilseed and rice

Russia Wheat, corn and sunflower

Rough estimates we could affect approximately 1.5 to 2 Billion metric

ton of food productionnot bad for some minor edits and coding to
configuration files

Busses/Trams:

Busses, Reasons and Logic.

Transportation:

Ease of access:

1000s of targets throughout the city, country etc..and if you head to the
USA we have plenty. Cummins Diesels (Las Vegas ones have Cummins ISL
and hybrid enginesand weve tested those in-situ..thanks B-Sides)
Freely available data on the Internet on city by city location for assessing
impact.

Wireless and other methodologies for management of the facilities, busses,

engines is readily available and does not take a genius to acquire.
None of the 3rd party software packages consider security in their design/
implementations

Its a mobile target.

40-60 human capacity, seen the movie speed? we can do it better, faster
and cleaner.
Its a bus, its there, theres lots of them and they frequently stop and
present themselves in easily locationslot less hassle than taking out a bank
these days!

Architecture and Access Points

Location, location, location:

Architecture:

Bus depots, unguarded, lack of security and ease of access, most major
hubs have insufficient controls both physical and electronic.
Refueling points, these are already stocked with the necessary APs that can
be watched, cracked and eventually cloned onto your own AP.
Just ride the damm things, take public transportation

Wireless, several different implementations observed/tested/used so far,

some simple 802.11, some utilizing the 850-1900MHz (Cellular modem
systems that also have the GPS units embedded)
OBDII/J1939 connectors if you have to do the physical connections first to
check out what your quarry looks like close up (SAE standard connectors)

Access Controls:

Access Point (used both a re-configured AirMagnet AP as well as a Sprint

MiFi to test out.
AirMagnet's wireless suite through to Backtracks arsenal of tools, this gave
both the initial what am I dealing with, through to providing the cracked
WEP keys necessary for the build

Bus Menu, Pick your Targets

Thanks to a Canadian transit discussion boards we have a full menu of

whats running, where its running and what engine, transmission and
systems are installed.
Think of it as fishing with a menu its coordinated, target practice.

Busses, the Take Down

Game:

Set:

Configure access point based on prior work done (wardriving the bus depot,
crack the WEP password and then configure duplicate/secondary
If you are going in S/W based they youll need the necessary Cummins
software downloaded, installed and your wireless cards communicating on
the COM ports ready to work. (if using CAN only then CAN232HSW is a good
program for USB/Wireless activities.)

Wait for your busensuring your AP is advertising, and you have Cummins
INSITE program locked, loaded and waiting. (as above this is necessary for
both S/W as well as the
If you are going for a simple re-flash instead of full access youll need the
INLINE program with the modified configuration files locked/loaded and
ready to send.

Match:

On the busses tested theres a 4 digit code between the cellular/802.11

access controls and the main driver interface units, lockouts are not enabled,
let the brute force begin. (simple port login code/authentication retry)
Controls accessed once on the network (and authenticated) now its possible
to use the INSITE/INLINE programs to interface with the Cummins engine
management systems.

Busses, The Variables

Eco Friendly things:

Some of those damm busses now have batteries, never fear, UQM
comes to the rescue, same basic methodology, however instead of
working with RPM and other stuff, you get to play with voltage.

Detroit:
Wait for your bus, accurately identify it as a Detroit, and go get
coffee, they are old and they run on coal and capacitors.they are
also leaving the playing field.if anyone gets a crack on one let me
know (Caterpillar too)

If you have to go find the codes:

Details on the CANBUS and AUTOSAR speed/modules and offsets
get that data from either manufacture download, or the power
train site (Mercedes/Volvo/MAN)

Physical:
Two main options, either OBDII connected engine management
scanner (several options available) or theres now a lot of Palm
pilot management systems that will read the majority of engines,
however not used these on the busses

Bus Not Stop? Wifi To The Rescue

Management software
for the hybrid engines,
this also works for the
mall type busses (tried
and tested)
Concept is still the
same, the AP needs to
be configured for the
bus to recognize and
associate.
Next, simple 4 digit pin,
either crack or social
engineer it, and then
fire up the UQM Motor
S/W
Theres two options on these types of assessments, either a rapid re-flash of the
configuration files (UQM configuration package) or the Reader which can be
configured to run either wireless or Bluetooth over the Com1/3 port (serial remapped or just use O/S built in options)

You Know We Had To

This is your Capt. Speaking

Setting the scene.
Roles of the humble computer in planes
Components to be aware of, and acronym hell
Its secure..right? Heck its a damm plane after all !!
Planes.Seriously??
From cars to planesand howbrief insight into planning 101
The theory and practicality of tagging a 747/787/A380/F15
What you need in the toolbox (no, not giving code away)
Scenarios and what to do with the damm idea now
35,000 feet up and its all nice and quiet.
CFIK (Or how to annoy Jesse), Eco Friendly, or Nickerson Complex
Q&A: Ask questions throughout.

Box of Electronics in the Planes

Boeings Electronic Distribution

System (BEDS)
Teledynes LoadStar Server
Enterprise (LSE) and NFS Devices
(IP to Avionics, Off-board
communications etc)
Intellibus (Multi-drop
communications via single link)
L-3 Communications, specifically
their Air Data Acquisition Systems
(AirDAS) and NetDAS

Thanks Patent Office!

Thankfully the Patent office has all
the Boeing Patents for most onboard/off-board systems.

And snippets of code to demonstrate

their point, this datas bloody useful
and allows a much cleared picture of
the acronym hell to be built (and to
understand how these things work)
And if you get stuck,
they have some nice
relationship mapping
diagrams too (thanks
chaps)

In English? (Queens Version)

For this, well focus on Intellibus (although its not the core of all the
systems well hit in a moment)
Bus Master/Controller
Runs the damm network, scheduling/membership etc
Network Device Interface (NDIs) (or Intellibus Interface Module
(IBIM)
Analog (accelerometers, pressure transducers etc)
Digital (Mil-STD-1553 devices), ARINC 429 devices (application
specific data bus.widely used)
Single/Multiple channel modes
CIM Modules (IBIM in a can) single modules stacked for multiple uses
in one chassis
Analog and Digital as above, same target types!

Components Youll Need!

A healthy appetite for research! And Google Docs is your friend.

Depending upon target:

Wind Rivers Workbench and a healthy understanding of VxWorks.
(Real Time OS)

http://www.patsnap.com/patents/view/US20090138385.html#
The above URL will help (A LOT) in understanding command
architecture for one type of interface to the target system.

An in-depth knowledge of DO-254

If you are going to write your own codes: Active-HDL Testbench or similar
for building, emulating and then encapsulating the code.

Laptop with either Vista TEC S/W (Telemetry) or other controller based
communication (along with interface (L-3=CDM Etc)

A Plane or a testing environment (well talk about that later)

Theory Tagging a Plane

Walking up with Laptop and Cat-5 is not going to
worklets get that straight
Ground based maintenance systems are easiest
targets for access.and dont require
specialized equipment
Secondary access vector would be the portable
ground support systems
If you have to go in while on the planeyoull
need to get to cockpit or cabin crew areas (and
will still need communication programs/SW)

Remember Research?

Enough Theory.

No More Theory 787

Left, TTP Interface,
and software from
TTTech, Right one of
the communication
chips / controllers
thats used by the TTP
in the whole FADEC
(Full Authority Digital
Engine) that controls
engines ;-)

No More Theory 747

Above is a model of the FADEC found
on a 747-8, combined with the
requirements from the diagram below
we can ascertain that a revised
Engine Rating Plug/ID Plug could be
introduced (thereby circumventing the
original version thats driven off the
Power Lever Angle (Go-Stick)
Current:
CMM
IPC 73-23-15
Full Authority
Digital Engine Control - GEnx 2B
16-Jul-11114E9849G1, 114E9849G2,
2124M70P02, 2124M70P03
GENX 2B

All we do, modify the configuration, and

post via either the eADL (airborne
loaders) or Portable Data Loaders.

Goodbye Theory Hello Helicopter

SMART Card readers integrated into the avionics and controls within this
particular target, nice thing here is the company in question also looks
after both standard avionics and autopilot systems. (USB too!)

Toolbox 101 (And a Map)

New version of the toolbox, used on the 757-200 from Newark to Oslo on
Sunday, access to the systems through the interface under the seat that
provides both power and entertainment access. Main network IS
susceptible to influences

Next Steps 35,000 feet

Concept: Drop a plane from the sky (preferably without being onboard)
FADEC/EEC (Full Authority Digital Engine Control)Redundant
systems, but no manual override, complex systems, integration
issues etcsome listed below:

Code to documentation anomalies

Incorrect code comments
Redundant code
Aliasing
Unstructured code
Mismatched data types
Overflows miss-handled
Want me to carry on? This was just a helicopters issues!
6 Million lines of code, and a HEAP of errors just waiting for attention

TTP Modules and Controllers

CFIK (The Jesse) Syndrome

Remote avionics lockout to enable a revised pre-programmed
route to take over once airborne
Rockwells AFDS-770 is the target
Controls speed, altitude, flight path/angle modes, and most
importantly heading/track modes (with landing selectors)

Unhappy JesseAutopilot

Other Targets

Some Future Thoughts

Intellibus
FADEC
TTP
TTP/IP
How about we
talk about the
Tactical Telemetry
Systems?

The Nickerson Complex

Leave plane in sky, mess with the

Environmental Control Systems
(ECS)

Pressurization/depressurization of
cabin systems to induce Hypoxia,
mild decompression sickness etc

Youll need the CPCS (Cabin

Pressure Control System) module
loader, along with a revised
program that would be able to
remove the ability to manually
over-ride the system, once done
you can then alternate between
40,000 and 3-8,000 depending
upon target system

Missilesish:

Things That go Bang

Intellibus Missiles and

X-47 UCAVs Boeing &
Northrop networks
Intellibus
meets IVHM
Health
management

Coyote Acquisition Method

Acquisition II

SHOPPING LISTS

Acquisition III
Lockheed and
Portland telling us
about the SQL
database they are
usingwould be
secret if they kept
it OFF the bloody
Internet
Left, packing list (Lockheed
and Raytheon, Right a man
from Boeing threatening his
loyal guidance system with a
screwdriver

Guidance Systems 101

Ok, got the guidance
sorted, the challenge
now is how and
what to be able to
influence to actually
get the logic onto the
device. Thankfully we
yet again have the
wonders of the Net to
thank!

Tactical Telemetry (UTTM)

Above, Input/Output block

diagram for how it handles
messages/sources. Top right Nice
GUI interface to part of the
device below thats attached to
some of those nice missiles we
talked about earlier

Thanks Walter

Boards and Gates (Not Bill)

FPGA (Field Programmable Gate Array

PrPMC (Processor mezzanine cardsandwich)
PrXMC (Switches sandwich)
PrAMC (Advanced sandwich cardsmart!)

DoD Standards for PAC-3

Now we have this, as well as the configurations for the actual

communications architecture, all we need to do is put the jigsaw
together: (I think)

PAC-3 Missile- Delivered

Target = Guidance Systems PAC-3
Baseline Architecture = Got that (Patent Office)
Components Involved = Sorted (FPGA/PrPMC)
Communication Sorted = Mac Panel/MicroTCA
Communication Methodology = DoD Document
How CORDIC (so far)
COordinate Rotation DIgital Computer (Math)

Consequences ?

(Always wondered that, if a USA

made missile, fired against a
USA target would it work? Or is
there any programming to
terminate it?)

Sit! Stay! Play Dead

Thank you! (Questions?)

One World Labs (OWL) works with individuals and organizations ranging
from small operations through to multinational corporations and regularly
partners with some of the leading organizations in the field of Information
Security.
OWL Research assists businesses with all areas of data security, architecture
and design, including security assessments, and critical incident response.
Our in-house laboratory allows us to work at the forefront of vulnerability
research, and provides valuable intelligence integrated into our service
offerings. All security services are conducted by experienced and certified
information security specialists.
OWL maintains a presence in the community with regular presentations both
at conferences and on TV/Cable channels.
Doing what little one can to increase the general stock of knowledge
is as respectable an object of life, as one can in any likelihood pursue
- Charles Darwin

Legal Stuff
No part of this publication may be reproduced or transmitted in any form or
for any purpose without the express permission of One World Labs, Inc.
Data contained in this document serves informational purposes only and
does not constitute legal, regulatory, or technical advice to any specific
person or entity for any particular purpose. (Nor does it demonstrate a
legitimate reason to go and duplicate what you see!)
O.W.L has no control over any information that you may access through
the use of links contained in these materials and does not endorse your use
of third-party Web pages nor provide any warranty whatsoever relating to
third-party Web pages or any information found therein.
Theres probably more legal language, but you get the idea, you are on
your own insofar as your actions (Im around for any questions)

Copyright,2012 One World Labs (All rights reserved)