Hackers of India

Hacking ICS devices for Fun Penetration Testing of Vehicle Components

By Arun Mane on 08 Aug 2019 @ Defcon : Lockpick Village


Abstract

Today all vehicles are connected through V2X technologies. All manufacturers are coming out with new add-on technologies for the vehicle industry, such as fleet management systems, diagnosis toolsets, etc. These systems are from third-party vendors and are still in a vulnerable state. Addressing their weaknesses requires a specific skill set in cybersecurity as well as in attack mitigation for the vehicle industry. The mitigation part requires extensive and niche expertise in the vehicle industry. No one has shown how to mitigate these vehicle attacks over ECU and FMS at any conference. In this talk, I will show you how to mitigate vehicle cybersecurity attacks against the CANBUS and LIN protocols over ECU and FMS (Fleet Management System).

AI Generated Summary (may contain errors)

The speaker discusses the importance of securing industrial control systems (ICS) from a hardware perspective. They explain how to extract data from a PCB using an EEPROM programmer that supports the SPI and I2C protocols. The device used, a Chinese-made SOIC8 clip, costs around $4, but commercial versions can cost up to $400.

The speaker demonstrates how to find credentials stored in the SPI EEPROM, which can be used to update web applications or firmware. They emphasize the need for security awareness and bug bounty programs for ICS protocols, citing the example of Mirai botnets that can communicate using default credentials and flash entire firmware.

During the Q&A session, the speaker answers questions about securing SCADA systems, recommending the use of next-generation firewalls (NGFW) or unidirectional gateways depending on the architecture and device levels. They also suggest starting with hardware hacking using low-cost Chinese devices, but caution that these devices may have vulnerabilities.

Finally, the speaker teases a discussion about a recent nuclear power plant cyberattack in India, promising to share more details later. The presentation concludes with applause from the audience.