Practical Car Hacking - A Hands-On Approach // Willem Melching

In-Person | March 18-21 | 4 Days

BOOK NOW

ABSTRACT

Interested in opening up a car hacker's toolbox and applying these tools and techniques hands-on? Then this training is the best fit for you!

In this course, the participant will become familiar with the theory and practice around numerous techniques in automotive security. This allows the participant to see what’s in a car hacker’s toolbox, and how to mitigate possible security vulnerabilities.

The trainee will learn how to leverage open source tools to perform an analysis of various aspects of the modern car. Everything from attacks on the physical layer and diagnostic protocols to the reverse engineering of firmware will be covered.

Various simulated networks and real Electronic Control Units (ECUs) will be available to practice on. Based on experience level, different ECUs and challenges will be available.

Due to the wide variety of hands-on exercises, the training is suitable both for beginners and for people with prior automotive or automotive-security experience. It is the ideal way for security researchers to become familiar with the automotive domain and be able to start a real project within a few days.

INTENDED AUDIENCE

  • Security researchers interested in automotive
  • Engineers interested in developing aftermarket automotive products
  • Automotive engineers/suppliers
  • Hackers interested in learning more about their own car

TESTIMONIALS

💬
"Willem's training saved us valuable time on getting up to speed with automotive security. The training focuses on hands-on experience against real automotive ECUs. Adding to this the trainer's extensive knowledge on car hacking made this training an excellent experience."
💬
"The course for the training was very informative and useful to understand the networking within a car and how an attacker can abuse it. This was a very fun course, especially the hands-on challenges using the comma.ai tools, Cabana, and reversing using Ghidra to solve challenges that involved ECUs from the Tesla Model 3, Volkswagen Golf, Hyundai Sonata, etc. I highly recommend it for anyone who is curious about automotive hacking."
💬
"I attended the Practical Car Hacking training by Willem and I consider it to be a great foundation for my car hacking knowledge. I now feel like I have the required expertise to perform a real-life assessment on the security of a car, despite knowing little about car hacking before attending this training."

KEY LEARNING OBJECTIVES

  • Attacks on the communication networks found in cars, such as spoofing, DoS and MITM, and their mitigations.
  • Overview of diagnostic protocols such as UDS and CCP/XCP and their security features.
  • Various methods to obtain firmware files, and how these files can be protected.
  • Reverse engineering of automotive firmware. Learn how to quickly identify the relevant part of an ECU's firmware.
  • Overview of wireless attack surfaces such as TPMS and Key Fobs.

COURSE DETAILS

Day 1 - Vehicle Networks and Tools

Day 1 of the training will be used to become familiar with the standards used for the communication between Electronic Control Units (ECUs) in a vehicle. Attacks on the physical and link layer will be discussed, and their possible detection and mitigation.

In the second part of the day, we will look at hardware used to interact with the vehicle’s network, and implement our first attack.

Theory:

  • Introduction to a typical modern car network layout and gateways found within.
  • Physical and link layer standards such as CAN, CAN-FD, LIN, FlexRay and Automotive Ethernet.
  • Where to find wiring diagrams and schematics and how to interpret them; a look at the software OEMs provide to repair shops.
  • Hardware attacks on these networks and possible mitigation strategies.
  • Real-world examples of CAN traffic, including integrity checks such as rolling counters and checksums.
  • Recent developments in cryptography for automotive networks (SecOC).
  • Hardware used to interact with the vehicle’s network.

Hands-On:

  • Introduction to analyzing CAN traffic using Wireshark and Cabana.
  • Find signals on CAN bus and create a DBC file.
  • Connect to a CAN bus using your computer, and perform an attack on the physical layer.
  • Reverse engineer a checksum algorithm and spoof a message.
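The Day 1 exercises above (finding signals, describing them DBC-style, and spoofing a message that survives the counter and checksum checks) are illustrated by the following Python, which is added here as an example and is not code from the training or from comma.ai. The frame layout, the XOR checksum and the captured frames are all constructed for the example; real ECUs use OEM-specific layouts and checksums, which is exactly what the hands-on session has you reverse engineer.

```python
"""Added illustration of the CAN integrity checks named above: decode a
DBC-style signal, verify a rolling counter and checksum, and craft the
next frame that passes both checks. Frame layout and checksum are
constructed for this example; real ECUs use OEM-specific schemes that
the training has you reverse engineer."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signal:
    """Minimal DBC-style signal (Intel/little-endian bit numbering)."""
    name: str
    start_bit: int    # position of the least significant bit in the payload
    length: int       # width in bits
    factor: float
    offset: float


# Constructed layout: 16-bit speed in bytes 0-1, 4-bit rolling counter in the
# low nibble of byte 6, XOR checksum of bytes 0-6 in byte 7.
SPEED = Signal("VehicleSpeed", start_bit=0, length=16, factor=0.01, offset=0.0)
COUNTER_BYTE = 6
CHECKSUM_BYTE = 7


def extract_signal(data: bytes, sig: Signal) -> float:
    """Read a little-endian bit field from an 8-byte payload and scale it."""
    raw = int.from_bytes(data, "little")
    value = (raw >> sig.start_bit) & ((1 << sig.length) - 1)
    return value * sig.factor + sig.offset


def checksum(data: bytes) -> int:
    """Constructed check: XOR of every byte except the checksum byte itself."""
    c = 0
    for b in data[:CHECKSUM_BYTE]:
        c ^= b
    return c


def verify_stream(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, reason) for each frame failing a length, checksum or
    counter-continuity check; an empty list means the stream looks genuine."""
    problems: List[Tuple[int, str]] = []
    expected = None
    for i, f in enumerate(frames):
        if len(f) != 8:
            problems.append((i, "bad length"))
            continue
        if checksum(f) != f[CHECKSUM_BYTE]:
            problems.append((i, "bad checksum"))
        ctr = f[COUNTER_BYTE] & 0x0F
        if expected is not None and ctr != expected:
            problems.append((i, f"counter jump {expected}->{ctr}"))
        expected = (ctr + 1) % 16
    return problems


def build_frame(speed_kph: float, counter: int) -> bytes:
    """Genuine sender: encode speed, set the counter, append the checksum."""
    body = bytearray(8)
    raw = int(round((speed_kph - SPEED.offset) / SPEED.factor)) & 0xFFFF
    body[0:2] = raw.to_bytes(2, "little")
    body[COUNTER_BYTE] = counter & 0x0F
    body[CHECKSUM_BYTE] = checksum(bytes(body))
    return bytes(body)


def naive_spoof(last: bytes, speed_kph: float) -> bytes:
    """What a first attempt looks like: patch the speed bytes and nothing
    else, so the counter repeats and the checksum no longer matches."""
    body = bytearray(last)
    body[0:2] = (int(round(speed_kph / SPEED.factor)) & 0xFFFF).to_bytes(2, "little")
    return bytes(body)


def craft_next_frame(last: bytes, speed_kph: float) -> bytes:
    """Spoof that survives the checks: continue the counter from the last
    genuine frame and recompute the checksum."""
    return build_frame(speed_kph, ((last[COUNTER_BYTE] & 0x0F) + 1) % 16)


# Constructed capture: three genuine frames followed by a naive spoof.
GENUINE = [build_frame(50.0, 3), build_frame(50.2, 4), build_frame(50.4, 5)]
CAPTURE = GENUINE + [naive_spoof(GENUINE[-1], 120.0)]

if __name__ == "__main__":
    print("problems in capture:", verify_stream(CAPTURE))
    spoof = craft_next_frame(GENUINE[-1], 120.0)
    print("problems with crafted frame:", verify_stream(GENUINE + [spoof]))
    print("crafted speed:", extract_signal(spoof, SPEED))
```

Run stand-alone, the script flags the naive spoof twice (wrong checksum and a repeated counter value) and then shows that a frame which continues the counter and recomputes the checksum passes cleanly; on a real bus the receiving ECU applies the same two checks, which is why "spoof a message" in the exercise above first requires recovering the checksum algorithm.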

Day 2 - Diagnostic Protocols and Hardware

On the second day of the training, we will dive into the actual hardware of a car and its ECUs. You'll learn how to find the schematics of a given car and identify the best points to connect to the different networks. We will also look at the software the manufacturer provides to repair shops.

Theory:

  • Diagnostic protocols such as OBD-II, KWP2000 (ISO 14230-3), Unified Diagnostic Services (UDS, ISO 14229-1), and the CAN Calibration Protocol (CCP) and its successor XCP.
  • Discuss different microcontroller architectures commonly used in ECUs.
  • PCB reverse engineering; extracting firmware from an ECU using a debug probe.
  • Fault injection attacks against automotive microcontrollers.

Hands-On:

  • Implement a scanner to identify available UDS endpoints.
  • Find and communicate with CCP/XCP endpoints.
  • Communicate using Diagnostics over IP (DoIP).
  • Extract ECU firmware using various methods.
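The first Day 2 exercise, a scanner that identifies available UDS endpoints, is illustrated by the following Python. It is an added example, not code from the training, and it runs against a simulated ECU so it works offline: the ECU behaviour (which sessions exist, when security access is allowed), the request-to-response CAN ID offset of +8 (as in the common 0x7E0/0x7E8 pairing) and the seed value are all constructed assumptions. The service IDs and negative response codes are the real ISO 14229-1 values.

```python
"""Added example of a UDS endpoint scanner run against a simulated ECU.
ISO-TP single frames on classic CAN (payload <= 7 bytes) are used. The ECU
behaviour and the request-to-response ID offset of +8 (as in 0x7E0/0x7E8)
are constructed assumptions for the simulation, not data from the page."""
from typing import Dict, List, Optional

# ISO 14229-1 service IDs and negative response codes used below
SID_SESSION_CONTROL, SID_SECURITY_ACCESS, SID_TESTER_PRESENT = 0x10, 0x27, 0x3E
NEGATIVE_RESPONSE = 0x7F
NRC = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
       0x7F: "serviceNotSupportedInActiveSession"}


def isotp_single(payload: bytes) -> bytes:
    """Wrap a <=7-byte payload in an ISO-TP single frame, padded to 8 bytes."""
    assert len(payload) <= 7, "multi-frame ISO-TP is out of scope here"
    return bytes([len(payload)]) + payload + b"\x00" * (7 - len(payload))


def isotp_unwrap(frame: bytes) -> bytes:
    """Return the payload of a single frame (PCI high nibble 0 = SF)."""
    assert frame[0] >> 4 == 0, "only single frames are handled here"
    return frame[1:1 + (frame[0] & 0x0F)]


class SimulatedEcu:
    """Constructed ECU: default (0x01) and extended (0x03) sessions, security
    access only in the extended session, TesterPresent always answered."""

    def __init__(self) -> None:
        self.session = 0x01

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        sub = req[1] if len(req) > 1 else None
        if sid == SID_TESTER_PRESENT:
            return bytes([sid + 0x40, 0x00])
        if sid == SID_SESSION_CONTROL:
            if sub in (0x01, 0x03):
                self.session = sub
                return bytes([sid + 0x40, sub, 0x00, 0x32, 0x01, 0xF4])  # + P2/P2* timings
            return bytes([NEGATIVE_RESPONSE, sid, 0x12])
        if sid == SID_SECURITY_ACCESS:
            if self.session != 0x03:
                return bytes([NEGATIVE_RESPONSE, sid, 0x7F])
            if sub == 0x01:   # requestSeed; the seed value is made up
                return bytes([sid + 0x40, 0x01, 0xDE, 0xAD, 0xBE, 0xEF])
            return bytes([NEGATIVE_RESPONSE, sid, 0x12])
        return bytes([NEGATIVE_RESPONSE, sid, 0x11])


class SimulatedBus:
    """ECUs keyed by request CAN ID; each answers on request ID + 8."""

    def __init__(self, ecus: Dict[int, SimulatedEcu]) -> None:
        self.ecus = ecus

    def request(self, tx_id: int, payload: bytes) -> Optional[bytes]:
        """Send one UDS request; None models a timeout with no responder."""
        ecu = self.ecus.get(tx_id)
        if ecu is None:
            return None
        resp_frame = isotp_single(ecu.handle(isotp_unwrap(isotp_single(payload))))
        return isotp_unwrap(resp_frame)     # would arrive on CAN ID tx_id + 8


def describe(resp: Optional[bytes]) -> str:
    """Human-readable classification of a UDS response."""
    if resp is None:
        return "no response"
    if resp[0] == NEGATIVE_RESPONSE:
        return f"NRC 0x{resp[2]:02X} {NRC.get(resp[2], 'unknown')}"
    return f"positive 0x{resp[0]:02X}"


def scan_endpoints(bus: SimulatedBus, id_range=range(0x700, 0x800)) -> List[int]:
    """Send TesterPresent to every ID in range; whoever answers is an endpoint."""
    return [tx for tx in id_range
            if bus.request(tx, bytes([SID_TESTER_PRESENT, 0x00])) is not None]


def probe_security_access(bus: SimulatedBus, tx_id: int) -> Dict[str, str]:
    """Same requestSeed before and after entering the extended session, to
    show that the NRC you get depends on ECU state, not just the service."""
    seed_req = bytes([SID_SECURITY_ACCESS, 0x01])
    before = describe(bus.request(tx_id, seed_req))
    bus.request(tx_id, bytes([SID_SESSION_CONTROL, 0x03]))
    after = describe(bus.request(tx_id, seed_req))
    return {"default": before, "extended": after}


if __name__ == "__main__":
    bus = SimulatedBus({0x7E0: SimulatedEcu(), 0x7E1: SimulatedEcu()})
    found = scan_endpoints(bus)
    print("endpoints:", [hex(i) for i in found])
    print(probe_security_access(bus, found[0]))
```

Two practical caveats when moving this from the simulation to a real bus: do not assume the +8 response offset, but record any frame that arrives shortly after each request and whose payload starts with a positive SID or 0x7F; and note that a negative response is still a response, so an ECU answering serviceNotSupportedInActiveSession has revealed both that it speaks UDS and that the service exists in some other session.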

Day 3 - Reverse Engineering

Different firmware update files and their protections will be discussed. We will also look at the inside of an ECU and ways to extract its firmware. A quick introduction to Ghidra will be given.

An ECU firmware image can correspond to millions of lines of code, which would take a long time to reverse engineer fully. Tips and tricks will be taught to quickly identify the parts of the firmware that are of interest. After reverse engineering the security access algorithm, we can flash the firmware back to the ECU.

Theory:

  • Extract firmware from manufacturer update file.
  • UDS update/flashing procedures.
  • Fault injection techniques.
  • Introduction to Ghidra.
  • Identify processor architecture and load firmware into Ghidra.
  • Common patterns used in automotive firmware.
  • Firmware integrity checks: checksums and secure boot.

Hands-On:

  • Reverse engineer an ECU's security access algorithm.
  • Write your own tool to flash the firmware onto an ECU.

Day 4 - RF Hacking using Software Defined Radio

On the last day of the training we will look into all things wireless. Using a Software Defined Radio (SDR) we will interact with different parts of the vehicle. We will look into how tire pressure monitoring systems work. Recent developments in broadcast radio (RDS, HD Radio, DAB+) have opened up a whole new wireless attack surface.

We will also look at the different kinds of attacks on key fobs. Finally, we will learn how the powerline communication between an EV and the charging station (EVSE) can be monitored with an SDR to leak personal information, and how it can be disrupted.

Theory:

  • How Tire Pressure Monitoring System (TPMS) sensors communicate.
  • Attack surfaces on modern broadcast radios (RDS, HD Radio, DAB+).
  • Attacks on key fobs.
  • Powerline communication between EV and charging station (EVSE).

Hands-On:

  • Receive and spoof a TPMS sensor.
  • Various attacks on key fobs.
💡
Note that this is a highly practical training. Besides the introductory and recap sessions which discuss key concepts, all sessions are accompanied with hands-on exercises.

Knowledge Prerequisites

  • Experience with hardware and microcontrollers
  • Python programming experience
  • Basic reverse engineering knowledge preferred, but not mandatory

System Requirements

Hardware

  • Laptop with functional ethernet port. If your laptop does not have a built-in ethernet port, make sure to bring your own USB adapter.
  • Windows, macOS and Linux are all fine.

Software

  • Latest version of Ghidra Installed (including required Java JDK)
  • Latest version of Universal Radio Hacker installed (including RTL-SDR drivers/udev rules)

YOUR INSTRUCTOR: Willem Melching

Willem Melching (https://twitter.com/PD0WM) is an independent security researcher. He has over 7 years of experience working on automotive security and reverse engineering. During his time at comma.ai he worked on an aftermarket ADAS device and on providing open source tools that help the community reverse engineer and interact with a wide variety of cars. Check out his blog (https://icanhack.nl/blog) for recent work.

https://www.linkedin.com/in/willem-melching-54a2982b/
https://twitter.com/PD0WM