Karamba Security’s Challenge in the Car Hacking Village at DEFCON
DEFCON is one of the biggest Hacker conferences – a blend of curious, creative, geeks and professionals come to one place with the aim of looking at the things we use every day in a different way and making them act differently than they were designed for. In practice, to make the event even more interesting, besides the lectures there are prize-winning competitions among all the conference’s participants. Every sponsor was asked to create, design, and operate a challenge for the competition, and each challenge had a few levels of difficulty. Every level offered points to the team that solved it. This year Karamba Security sponsored a capture-the-flag challenge, the RiCAN Morty Challenge, in the Car Hacking Village of DEFCON.
I’m part of Karamba’s CAN Bus encryption team. Over the course of one month, we created a beautiful challenge box with a joystick that controls a toy car (the ROBOCAR) via the CAN Bus. We created 5 levels of difficulty in this challenge to take control of the car without using the joystick, remotely. The 5th level of the challenge was designed to be so difficult that it would be almost impossible: I know this because I had an active part in the mathematical proof of Karamba’s CAN Bus encryption technology, called SafeCAN.
At the event we set up our booth and Friday morning hackers from all over the world started to try their attacks on our ROBOCAR. All day, nonstop, we had visitors in our booth and participants in the challenge. We had over 30 teams – 50+ participants – take a chance at the challenge. Most challenge participants managed to crack levels 1 and 2, but only two people managed to pass level 3. The exception to the rule was a Japanese guy named Sato. The first day he came prepared with the material we had uploaded to the event page before DEFCON even started, and with this he managed to pass the first two levels. He got stuck in the third but promised to work on it in his spare time.
The next day he was back, to pass levels 3 and 4. Sato worked all night on our challenges and came up with a creative solution for the 5th level, the “impossible” level …. I remembered in university my thesis mentor used to say that in cryptography it is important to maintain modesty. When I investigated the solution that Sato applied to the challenge, I understood that there was a bug in the implementation of the challenge.
I will try to simplify and explain what happened. Think of the joystick and the toy car as two people talking on the phone. The joystick gives instructions to the toy car in a unique language. An attacker can easily record and learn how to use those instructions (even though he does not know the language) and she can replay the recording according to her needs. This common technique is called a “replay attack”. In this particular case, the toy car tells the joystick that something went wrong, and the joystick is designed respond with instructions to change the Call command to another language (a language that the attacker has never seen before), resetting the counter to zero (re-sync).
This is what Sato did:
- When the toy car travels forward, Sato sent an arbitrary message, causing the vehicle to send a re-sync request. He recorded the re-sync response messages and a small number of messages after that.
- Then he sent an arbitrary message and next to it the re-sync response messages he had recorded: i.e., he forces the toy car use the same language over and over again. With this smart approach he was able to crack the challenge and reach level 5!
It was exciting to see someone challenging the CAN technology. After we analyzed his approach, we fixed the bug in the challenge, and we added a condition that ignores any attempt to return to a ”previous language”. In the same evening, the fixed version was ready for testing. I wrote an attack attempt that traces Sato’s original attack, and verified that it ran without success.
On the following day, Sato returned to our booth knowing that we would have a 2.0 version for him to have a go at. He worked on it for several hours, without success. When the time to wrap up arrived he politely admitted that it’s too tough, and asked to continue working on it next week back at home. Of course, we agreed.…
DEFCON this year was a great place for me and for Karamba: I met super intelligent people, and it made me proud to think that we in Karamba are challenging the best. Looking forward to next year!