The emergence of drive-by-wire, in-vehicle sensors for ADAS, and connected infotainment has added massive complexity and weight to a connected car growing in cable harness weight under the load of Ethernet and CAN cabling running throughout the car. WiFi helps address this growing problem and is commonly used not just to provide a roaming hotspot for in-vehicle passengers but is also used for connectivity between the head unit (HU) and Telematics Control Unit (TCU).
When performing a penetration test of a HU, you'll first want to understand the network topology. By running a tool, such as airodump-ng (part of the aircrack-ng suite) or if you have a bigger budget and can use a WiFi Pineapple Tetra from Hak5, you'll be able to identify wireless access points (APs) that are beaconing out an ESSID as well as hidden wireless networks
that have clients attached to them.
In this article, I will explain WiFi, why the Evil Twin attack is capable of being employed, and explain man-in-the-middle attacks and what they aim to accomplish. I'll explain some of the Evil Twin tools available to you to employ this type of attack and how to successfully employ one against a HU/TCU. In-Vehicle Hotspots
Some of you may have walked up to a vehicle and seen the WiFi symbol sticker on the driver's side window indicating that there is a mobile hotspot running inside the car. This was added by automakers to provide internet access to in-vehicle passengers.
While mobile data plans have become far cheaper than they were in the late 90s -- many cellular phone providers now offering unlimited data plans (at least within the United States), automakers wanted to provide passengers who may not be able to fire up a mobile hotspot on their phones, access to the Internet with a wireless hotspot running inside the car. In most implementations, this AP is typically running inside the HU and is often a paid subscription with the automaker. For somewhere in the neighborhood of $40-$50/mo, you can have internet access with your in-vehicle hotspot.
In addition to using the wireless network for passenger internet access, it is also leveraged by the OEMs for communication between the HU and TCU. But I'll digress for a moment and come back to this later.
A Quick WiFi Primer
WiFi stands for Wireless Fidelity. It is a wireless network technology that allows computers and other devices to be connected to each other into a LAN and to the Internet without wires and cables. WiFi is also referred to as WLAN, which stands for wireless LAN, and 802.11, which is the technical code for the protocol. In my previous article in the Hitchhiker's series on V2X Networks, I decompose the application of 802.11p employed in V2X/V2V communication between vehicles and roadside units (RSUs).
WiFi is in actuality a protocol, a series of rules governing how data transmission is carried on a network between wireless client(s) and wireless access point(s). The name given to the family of protocols that govern WiFi by the IEEE (The Institute of Electrical and Electronics Engineers) is 802.11 followed by a letter to indicate a version of the specific protocol implementation, each with varying improvements to the speed and range of the implementation.
WiFi implementations in connected vehicles will vary from OEM to OEM but in general, you'll typically see the use of 5Ghz channels over 2.4Ghz as the reduced range of 5Ghz is a nonissue due to the size of the vehicle as well as the fact that you don't want the signal bleed to be too far outside the vehicle.
WiFi operates on two separate spectrum bands 2.4 Ghz and 5Ghz, each with their own unique channels.
The tradeoffs between 2.4GHz and 5GHz have to do with interference (almost entirely in 2.4GHz), range, and speed, three properties that all relate to one another. The more interference, the less speed and range; the greater range you want, the less speed you can have; the greater speed you want, the more you have to mitigate interference and work closer to an access point.
In a connected car, the HU typically acts as the wireless AP and the TCU will typically act as the client. When you're performing a penetration test, every implementation will be different, but I've found that more expensive HUs (the ones that go in more expensive car models) will typically have (2) wireless interfaces in the HU, with one operating as the WiFi network for the passengers that broadcasts its ESSID, and a second hidden wireless network on a separate interface that acts as the wireless network for the TCU to connect to. That network is typically not broadcasted, though I've see this only once before. While the wireless network is hidden, there are ways to find it, which I'll explain later in this article. But just know that hidden doesn't really mean you can't find it.
Demystifying Man-in-the-Middle Attacks
A man-in-the-middle attack, as first made famous by Kevin Mitnick in the now infamous "Mitnick attack" on Shimomura where Mitnick used TCP sequence number prediction to perform a man-in-the-middle (MITM) attack purporting to be a host in a trusted communication session between two of Shimomura's systems in order to gain access to it, is simply the use of a third host to relay and even alter the communication between two hosts who believe they are directly communicating with the other. The attacker in this case is purporting to be one of the hosts in the trust relationship and the host is used to relay messages between the two others not realizing the entire conversation/communication is being controlled by the attacker. One such type of MITM attack in wireless networking is an Evil Twin attack, which we'll discuss in the next section.
Uncloaking Evil Twin Attacks
The etymology of the term "Evil Twin" originates in many different fictional genres as the antagonist that are physical copies of the protagonist in the story but with radically inverted moralities. Though there may be moral disparity between actual biological twins, the term is more often a misnomer. In many cases, the two look-a-likes are not actually twins, but rather physical duplicates produced by other phenomena (e.g. alternative universes). In others, the so-called "evil" twin is more precisely a dual opposite to their "good" counterpart, possessing at least some commonality with the value system of the protagonist. Comic books contain some other early appearances of evil twins, such as the one seen here in the cover of 1968's Wonder Woman #176 which explicitly references the "Evil Twin" of Princess Diana of Themyscira.
The concept of an Evil Twin attack in wireless networking is not much dissimilar from its original use of the term in film and storybooks -- the concept of broadcasting the ESSID and BSSID of a legitimate wireless AP that an existing client has already connected to and trusts by projecting a stronger signal than the legitimate or "good" twin causing the wireless client to connect to the "evil" twin instead.
Evil Twin Employment Options
There are numerous tools available for employing an Evil Twin attack against a legitimate AP, some free, open source downloads, others not-so-free, commercial off the shelf (COTS) tools, such as the Pineapple Nano or Tetra from Hak5. I've successfully employed an Evil Twin attack against a HU between the HU and TCU in a connected car as shown in the screenshot below from a Pineapple running PineAP. This article is not how to leverage a Pineapple to perform this attack. I'll only be focusing on the use of open source tools, such as Aircrack-NG and Fluxion.
A note on use of the Pineapple to employ an Evil Twin attack against a connected car: Because many of the implementations you'll find of WiFi in a vehicle will typically be 5GHz, you'll need to purchase the Pineapple Tetra and NOT the Nano as the Nano does not support 5Ghz.
It is without contestation that you not rely simply on the wireless adapter inside your laptop to perform these types of attacks. You'll want a good external wireless NIC capable of performing packet injection as most do not support this capability. As you can imagine, wireless adapter manufacturers are not looking to add features to their standard wireless adapters to suit the needs of a hacker. Other things to consider include how far you'll be from the target. External wireless adapters such as the Yagi are instrumental when targeting HUs from long distances away from the target. The critical decision here is to ensure the right chipset is used that supports the distro you've decided to use. For example, here are a list of chipsets supported by Kali Linux as of this writing: