The Hitchhiker's Guide to Hacking Connected Cars: Exploitation of a Telematics Control Unit
In our previous article, we set up and configured our rogue BTS with the preparation of our jump kit. Now, we’ll discuss exploitation. This will effectively be the most important and trepidation filled article in our series – at least for the OEMs who haven't secured against this type of attack :).
Historically, it was a lot more difficult to setup a rogue BTS as you had to get your hands on an old cell phone like a Motorolla C139 to act as your RTL-SDR along with a CP2102 cable and then setup and run OsmocomBB.
However, with the availability of the BladeRF from Nuand and the HackRF from Great Scott Gadgets, the necessity to use a circa 1990’s cell phone and OsmocomBB is superfluous. Combining a BladeRF or HackRF with YateBTS will give you a rouge BTS in a box. Combine the BladeRF, a Raspberry Pi, and a battery pack and you have yourself a mobile Dirtbox. However, that is outside the scope of this article, perhaps I’ll cover this in the future.
Since you should have a fully operational rogue BTS already from our previous article on Jump Kit Readiness, I will assume you have it fully running. We’ll make a few tweaks to that setup including completion of the NiPC configuration and addition of a USB 4G dongle to connect our rogue BTS to a legitimate cellular network.
Configure NIPC
In the previous article, we installed network-in-a-pc (formerly NIB: Network In a Box). "Network in a PC" ("NiPC") performs all the functions of a regular GSM network. It implements Javascript script(s) for registering, routing calls, SMSs, and user authentication for YateBTS. The scripts implements a 'Network in a PC' for its users and will allow routing calls outside the network. NiPC contains the basic HLR/AuC and VLR/MSC functions of the 2G GSM network. The NiPC mode is a standard feature of all YateBTS installations, but its use is optional.
However, we need to go over a few key configuration changes that a successful penetration test will necessitate.
Subscriber Settings:
Subscribers: Regexp ‘[0-9]*’
Mobile Country Code: To find out your MCC, a great updated list can be found online but recommend www.mcc-mnc.com
SMSC (Short Message Service Centre). The SMSC is an element in a GSM network responsible for the delivery of short messages (SMS). All messages are sent to the SMSC. The SMSC stores the messages, extracts the destination from it and tries to deliver the message.
2. BTS Configuration
Radio.Band: This is dependent on your country. You can find the bands supported in your country by visiting gsmarena, which has a lookup tool: https://www.gsmarena.com/network-bands.php3. Another great tool for looking up frequencies for your country, especially if you know the mobile carrier of the SIM chip used in the TCU is to use www.frequencycheck.com
WARNING: It is your responsibility to know your host country’s local laws as it relates to legally using specific frequencies for your testing. I nor Wiley & Sons are responsible for your illegal use of specific radio frequencies in your country.
Radio.C0: This is the ARFCN of the first channel. In GSM cellular networks, an absolute radio-frequency channel number (ARFCN) is a code that specifies a pair of physical radio carriers used for transmission and reception in a land mobile radio system, one for the uplink signal and one for the downlink signal. In our testing, we’ll use 128.
MCC and MNC: MCC (Mobile Country Code) is used in combination with a mobile network code (MNC) (a combination known as an "MCC/MNC tuple") to uniquely identify a mobile network operator (carrier) on a GSM network. Mobile Country Codes (MCC) are used in wireless telephone networks (GSM, CDMA, UMTS, etc.) in order to identify the country which a mobile subscriber belongs to. In order to uniquely identify a mobile subscribers network the MCC is combined with a Mobile Network Code (MNC). The combination of MCC and MNC is called HNI (Home network identity) and is the combination of both in one string (e.g. MCC= 262 and MNC = 01 results in an HNI of 26201). If you combine the HNI with the MSIN (Mobile Subscriber Identification Number) the result is the so called IMSI (integrated mobile subscriber identity). An updated list of MCCs and MNCs for each carrier can also be found on the www.mcc-mnc.com web site.
Shortname: This is the network name that will show up in the list of available networks when attempting to manually connect to YateBTS.
3. GPRS Configuration
Enable GPRS
GGSN: Set DNS to a nameserver, such as Google: 8.8.8.8
Set Firewall to: No Firewall
Set MS.IP.ROUTE = The default gateway/route
TunName = sgsntun
4. Tapping
Enable GSM and GPRS Tapping: This will tell YateBTS to send all packets to the local loopback interface (lo) allowing us to capture the packets using Wireshark.
Set the target address to https://www.linkedin.com/redir/invalid-link-page?url=127%2e0%2e0%2e1 (local loopback)
Connect your Rogue BTS to the Telephone Network
Now that we have a fully operational rogue base station, we need to connect it to a legitimate telephony network so the TCU can “phone home” to its backend to send/receive SMS text messages. This can be done simply by installing a 4G dongle. In our case, we used a Huawei unlocked 4G dongle, which can easily and cheaply be purchased from eBay for $40.
This is described in greater fidelity by Ralph Moonen at Secura [1].
"What we’ve done by connecting our rogue BTS to a legitimate carrier’s network is legal, but only under certain conditions. You can transmit on the unused channels of the DECT Guard Band, with very limited transmitted power. And if you do, you cannot impersonate a real network publicly. However if we place our transmitter and the device under test in a Faraday cage and make sure the real network is not hindered in any way, this is permissible in a lab situation.
A Faraday cage (a.k.a. Faraday shield or Faraday box) is a sealed enclosure that has an electrically conductive outer layer. It can be in the shape of a box, cylinder, sphere, or any other closed shape. The enclosure itself can be conductive, or it can be made of a non-conductive material (such as cardboard or wood) and then wrapped in a conductive material (such as aluminum foil)." (Moonen, 1)
A Faraday cage works by three mechanisms: (1) the conductive layer reflects incoming fields, (2) the conductor absorbs incoming energy, and (3) the cage acts to create opposing fields. All of these work to safeguard the contents from excessive field levels. A Faraday cage is particularly useful for protecting against an electromagnetic pulse that may be the result of a high-altitude nuclear detonation in the atmosphere (a.k.a. EMP attacks).
In our application, we’re using the Faraday cage to prevent our rogue BTS from interrupting the legitimate carrier’s ability to provide service to mobile equipment.
Enjoy! At this point you're now ready to fire up your rogue BTS, connect it to the telephony network, and begin hunting for your TCU after it associates to you. This entire process and the remaining steps is further decomposed in my upcoming book, Hacking Connected Cars: Tactics, Techniques, and Procedures coming out in January 2019 and is available for preorder on Amazon.com and Barnes & Noble.
As usual, if you liked this article, please support me by clicking LIKE and share it to your own feed! This is the best possible way that you can support me and my continued research in this area. If anyone has anything to add or comment on in this article, please feel free to share it with everyone below in the comments section!I am the Group CEO of Brier & Thorn and heads up its Connected Car Division where my team and I perform penetration testing and risk assessments of cyber-physical vehicles (CPVs) from OEMs in the United States, Europe, and Asia. As a recognized thought leader in the new Internet of Everything economy, specifically telematics and infotainment systems, I can be found speaking at security conferences in North America and EMEA, vlogging, blogging, and writing contributed articles on the idiosyncratic cybersecurity issues affecting IoT that matter most. Learn more about me at my homepage at www.alissaknight.com, LinkedIn, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.
I am the Group CEO of Brier & Thorn and head up its Connected Car Division where my team and I perform penetration testing and risk assessments of cyber-physical vehicles (CPVs) from OEMs in the United States, Europe, and Asia. As a recognized thought leader in the new Internet of Everything economy, specifically telematics and infotainment systems, I can be found speaking at security conferences in North America and EMEA, vlogging, blogging, and writing contributed articles on the idiosyncratic cybersecurity issues affecting IoT that matter most. Learn more about me at my homepage at www.alissaknight.com, LinkedIn, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.
References
[1] Moonen, Ralph "Practical GPRS MitM attack- mobile setup with YateBTS" Accessed on 24 Jul 2018 at https://www.secura.com/blog-Practical-GPRS-MitM-attack