Difference between revisions of "Projects:2021s1-13003 Car Hacking"

Abstract

The Event Data Recorder (EDR) is a sub-module of the Airbag Control Module (ACM) used in modern day vehicles. The ACM is constantly monitoring the vehicles status and if it believes a crash has occurred, will deploy the manufacturer specific safety response and stored the crash data in the EDR[1]. It is the data in the EDR that has guided the direction of our group. It has created our main objective to be: to what extent can the data stored in an EDR be trusted after a deployment level crash. This led to the following lower-level objectives:

• How is the data stored and secured and is the data accurate? (John Vlass)
• Can we change what EDR data is recorded? (Amirsalar Aryakia)
• Can we change what EDR data is read? (William Circelli)

The major tasks we plan to complete are ACM chip level analysis, Firmware extraction, debugging tools to extract data and investigate the forensic applications and implications this project revolves around.

Introduction

Over the past 30 years, the motor vehicle has evolved in a direction greatly driven by the safety and security of its passengers (RAC). As these systems evolve, they become more deeply embedded within the vehicle and are considered to be more intelligent. On a low level, all electronic modules of a vehicle communicate using the Controller Area Network (CAN) bus which is a multi-master serial bus standard used in automobiles (FTDI). Electronic modules are used for a range of purposes in a car, including controlling engine functions, power steering and cruise control to name a few. The module of interest to our project is the Airbag Control Module (ACM). This module is used to detect and evaluate data from a range of sensors around the vehicle. It can identify a vehicle’s current status and in the event of an accident, deploy a safety response (e.g. airbags, seat belt tensioners etc).

The position of our research is focused on a sub-module of the ACM known as the Event Data Recorder (EDR). The EDR is a data storage tool designed to capture all relevant data that is produced in a motor vehicle crash. The EDR is constantly storing and refreshing data in its memory with data from various motion and crash related sensors around the vehicle [1]. This data consists of information on vehicle speed, status of brakes (ON/OFF), throttle position, seat belt use and etc. This data can then be used to determine crash outcomes. It is used by SAPOL Major Crash for forensic analysis and insurance companies to determine who in the crash is liable. As this data has been used in the past as supporting evidence for crash re-creations, we as a group are interested in the trustworthiness of the information given by the EDR post-crash. More importantly, can this data be manipulated to benefit or relieve an individual of crash liability or even modified to reflect a different sequence of events.

Project team

Project students

• John Vlass
• Amirsalar Aryakia
• William Circelli

Supervisors

• Matthew Sorrell
• Frank Wu (Defence Science and Technology)
• Aaron Frishling (Defence Science and Technology)

Advisors

Objectives

Group 13003 will explore the possible car hacking of EDR units within a vehicle. The project’s objective is ‘To what extent can the data stored in an Event Data Recorder (EDR) be trusted after a deployment level crash?’. The project plan will break down the main objective into three primary objectives. These objectives will be:

• Analysing EDR Hardware
• Data Extraction Techniques
• Reverse Engineering Firmware
• Bosch CDR Analysis

Method

Analysing EDR Hardware

The project investigated methods of hacking via tools of software such as the Buspirate, JTAGulator, Arduino, Minicom, and OpenOCD. These methods commonly use integrated circuit communication protocols and debug tools including SPI, I2C, UART and JTAG, to gain access and/or control of the target. The project has attempted to apply these hacking techniques on EDR systems to determine if any vulnerabilities exist.

Hacking Hardware Layout

Reverse Engineering Firmware

The goal of reverse engineering firmware is to understand and analyse a device in search for bugs and vulnerabilities that can be exploited. Firstly, a body of research was constructed in order to identify known and tested methods. Then, new methods were created based on the compiled knowledge. The tool used to analyse firmware is 'Ghidra', a reverse engineering tool created by the National Security Agency (NSA). The firmware of the Bosch CDR tool was chosen to be reverse engineered by Ghidra.

Bosch CDR Analysis

The Bosch Crash Data Retrieval (CDR) tool is the dusty standard method of retrieval and analysis of crash data from a wide range of vehicle manufacturers. Through reverse engineering techniques and pattern analysis, the algorithms used by the CDR was replicated through Microsoft Excel using in-built functions. The Excel generator can determine up to 91% of outputs based on the hexadecimal data retrieved from an EDR. This generator will allow for prompt and easy and decoding of EDR data once it is obtained from an EDR.

Depiction of the Bosch Crash Data Retrieval (CDR) Tool used by CASR. The picture shows the CDR module (green) and the serial connections for computer to CDR and CDR to ACU.

Conclusion

In conclusion, the Car Hacking 13003 group was able to identify potential security concerns within EDR systems. The group developed skills in hacking using available tools including the Buspirate, JTAGulator, and Arduino Board systems, accompanied with softwares including Minicom, Flashrom, and OpenOCD. The project concluded the primary area of concern for hacking into EDR systems was through the debugging interfaces (JTAG) present on the EDR microcontroller/microprocessor systems. Future research should focus on developing methods to utilise the debug interface on EDR microcontrollers. This could result in the development of data extraction and manipulation techniques on EDR systems and its firmware.

References

[1] R. Shirley, Airbag Control Modules May Contain Useful Information, 1st ed. p. 1.

[2] C. Pearson, "See how car safety has evolved since the early 1900s | RAC WA", RAC WA - For a better WA, 2018. [Online]. Available: https://rac.com.au/car-motoring/info/future_history-of-car-safety. [Accessed: 01-Apr-2021].

[3] What Is CAN?, 2nd ed. Glasgow: Future Technologies Devices International, 2021, pp. 2-6.

[4] "Air Bags", NHTSA, 2021. [Online]. Available: https://www.nhtsa.gov/equipment/air-bags. [Accessed: 28- Mar- 2021].

[5] R. Toulson and T. Wilmshurt, Fast and effective embedded systems design, 1st ed. Oxford: Newnes, 2012, pp. 273-295.

[6] “Printed Circuit Board (PCB) Assembly”, Hetech. [Online], Available: https://www.hetech.com.au/manufacture/printed-circuit-board-pcb-assembly/. Accessed: 04-Apr-2021].

[7] M. Elsegood, S. Doecke and G. Ponte, "Collection and analysis of EDR data from crash-involved vehicles: 2019-20 summary report", The University of Adelaide, Adelaide, 2020.

[8] M. Tabone and M. Farrugia, "Synchronization of Event Data Recorder (EDR) Data to Data from the CAN Bus and LabVIEW", IEEE, 2020.