User:Kdelvill4474/enes100/My Work 2

Week0 Activities
My goal is to continue my old car hack project but incorporate different techniques, in this case being able to read tire pressures off of different cars.

My First Task
My first task is to find tutorials and ways to hack tire pressure sensors, and to learn how people have done it in the past.

Summary of actual work over first weekend
What I ended up doing was researching and trying to find ways that people have done it before. I came across various articles, but not many tutorials. I searched through different blogs and what I found is listed below.

Week1 Narrative
What I ended up doing was researching and trying to find ways that people have done this before. I found articles such as http://www.networkworld.com/community/blog/defcon-hacking-tire-pressure-monitors-remotel and http://www.autoblog.com/2010/08/11/cars-hacked-by-researchers-through-wireless-tire-pressire-monito/. I found out that universities like Rutgers and the University of South Carolina were the first to do this. They ended up spending 1,500 in materials, so my goal is to find the same things that they used, such as a programmable radio transmitter, a specialized circuit board, and free software, but for much less. I also found it helpful to know that I can only read tire pressures from cars made after 2008, since the wireless sensors are only in new automobiles made for the US since 2008. However, I had trouble finding out exactly how they went about this. I read through many blogs and different websites on how exactly to hack into different cars and read off their tire pressures. Most of the articles I found were very repetitive, so my main focus now is to find some type of tutorial or guide to how they went about this and the materials I need to order off of Amazon. This is what is going to start me in the right direction.

Here is another article that might be useful.

http://arstechnica.com/security/news/2010/08/cars-hacked-through-wireless-tyre-sensors.ars

My Second Task
Record what you are planning on doing for the team during the second weekend.

Summary of actual work over second weekend
What I ended up doing this week is researching case studies and trying to find a list of materials needed for this project and a more in depth analysis.

Week2 Narrative
The case study I used to find my list of materials, procedure, and diagrams is this one. It is the one by the students from Rutgers and the University of South Carolina who first did this project.

The whole TPMS system is built from several components: TPM sensors mounted on the back of the valve stem of each tire, a TPM ECU, a receiving unit that can be integrated with the ECU or stand-alone, a dashboard TPM warning light, and one to four antennas connected to the receiving unit. The TPM sensors periodically take pressure and temperature measurements; the ECU receives this information, runs its tests and operations, and finally displays a message via the TPM warning light. This is the general procedure it follows.

The list of materials (with links to purchase): link
 * (1) ATEQ VT55 TPMS trigger tool
 * (2) Tire pressure sensors: link
 * GNU Radio (download from this page: GNU Radio)
 * (1) Laptop
 * (1) Low noise amplifier (LNA)

 * Note: This experiment is fairly costly and will run you just below $2,000

My goal with this list of materials is to show step by step how this project would be done and what someone would need in order to complete it. The first item is the TPMS trigger tool, which is very similar to the one used in the case study but slightly different. You need two tire pressure sensors, which you will call tire pressure sensor A and tire pressure sensor B. Your own laptop is also needed, as well as a low noise amplifier.

My Third task
For my third week I will put together a full list of exact procedures to follow in order to run through this project, since I now have the overview and the list of materials needed for it.

Summary of actual work over third weekend
What I did was very similar to what I planned, which was to research the exact procedures and steps to follow in order to get this project to work.

Week3 Narrative
Going into this was very frustrating because I couldn't find directions anywhere on how to do this, and everywhere I was pointed to never gave me any positive results. I would just find small articles on how other students were able to do it before, but not how it was done. After many hours I found some interesting information. From my first project I got the hang of how the ECU works in controlling the car with the OBD and the Arduino; however, for this project what really matters is the TPMS. The TPMS consists of sensors inside a car's tires that measure pressure, and either a central wireless antenna (which most cars have) or an antenna in each wheel, which is more common on expensive cars. The ECU, the electrical control unit I was just mentioning, is what picks up the signal and displays a warning light on the car's dashboard to warn the driver when tire pressure has dropped. What is important for this project is that the ECU calculates pressure changes, filters out noise from sensors in neighboring cars, and compensates for pressure changes due to temperature. By filtering out noise from other cars it can focus on the one that we need.

Now what we need to focus on is a process called reverse engineering. The sensors we would have to purchase (linked in week 2) use different Manchester encodings, so their packet formats differ tremendously. The next step would be to determine the message mappings for the rest of the bits of each sensor (TPS-A and TPS-B). To understand the size and meaning of each bit field, the students at Rutgers manipulated sensor transmissions by varying a single parameter and observed which bits changed in the message. If we wanted to duplicate this project, this is what we would have to do as well. They adjusted the temperature using heat guns and refrigerators, or adjusted the pressure. By simultaneously using the ATEQ VT55 (linked in week 2), they were also able to observe the actual transmitted values and correlate them with their decoded bits. In this way they were able to determine the majority of message fields and their meanings for both TPS-A and TPS-B. These included temperature, pressure, and sensor ID. They also identified the use of a CRC checksum and determined the CRC polynomials through a brute force search. At first they did not understand some bits in the messages, but what they ended up doing was reconstructing these by generating messages with the software radio, changing the bits, and observing the output of the TPMS tool or a real car. It turned out that those were parameters like battery status, over which they had no direct control. Note that it took a PhD-level engineer a few days to figure this out, while it took the group of students replicating it a few weeks with no prior knowledge of any of this. So this process of reverse engineering might take a while to get down.

What I found most interesting about this part, and what motivates me to want to do this, is that they found each message contained a 28- or 32-bit sensor ID depending on which type of sensor they used. Given that there are about 254.4 million cars registered in the U.S., a single 28-bit sensor ID alone is enough to uniquely identify, and thus track, every single registered car.
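To make the two techniques in this section concrete, here is an added example (my own illustration, not code from the page or from the Rutgers/USC study): a Manchester decoder whose bit convention can be switched, since it differs between sensors, and the "vary one parameter and see which bits change" method run on a constructed 24-bit message layout. That layout (8-bit ID, 8-bit pressure, 8-bit temperature) is an assumption for illustration only; real sensor formats are vendor-specific and are not given on the page.

```python
# Added example, not code from the page or from the Rutgers/USC study.
# Shows (1) Manchester decoding, whose convention differs between sensors,
# and (2) the "vary one parameter, see which bits change" method, run on a
# CONSTRUCTED 24-bit layout (8-bit ID, 8-bit pressure, 8-bit temperature).
# The layout is an assumption for illustration; real formats are vendor-specific.

def manchester_encode(bits, convention="ieee"):
    """IEEE 802.3: 1 -> chips (0,1), 0 -> chips (1,0). Thomas: the reverse."""
    one = (0, 1) if convention == "ieee" else (1, 0)
    zero = one[::-1]
    return [c for b in bits for c in (one if b else zero)]

def manchester_decode(chips, convention="ieee"):
    """Turn pairs of half-bit chips back into bits. A pair with no transition
    (00 or 11) is a coding violation, which is how a decoder notices it picked
    the wrong convention or lost chip alignment."""
    if len(chips) % 2:
        raise ValueError("odd number of chips")
    one = (0, 1) if convention == "ieee" else (1, 0)
    bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair[0] == pair[1]:
            raise ValueError(f"coding violation at chip {i}")
        bits.append(1 if pair == one else 0)
    return bits

def constructed_capture(sensor_id, pressure, temperature, convention="ieee"):
    """Constructed message: ID | pressure | temperature, 8 bits each, MSB
    first, returned as the Manchester chips a receiver would see."""
    word = (sensor_id << 16) | (pressure << 8) | temperature
    bits = [(word >> (23 - i)) & 1 for i in range(24)]
    return manchester_encode(bits, convention)

def changed_bit_positions(captures, convention="ieee"):
    """Decode captures taken while ONE parameter was varied and report the bit
    indices that differ from the first capture. Fields held constant (sensor
    ID, unused bits) drop out; only the varied field's bits remain."""
    msgs = [manchester_decode(c, convention) for c in captures]
    ref = msgs[0]
    return sorted({i for m in msgs[1:] for i in range(len(ref)) if m[i] != ref[i]})

if __name__ == "__main__":
    # Small pressure steps reveal only the low-order bits of the field ...
    near = [constructed_capture(0xA5, p, 20) for p in (30, 31, 32, 33)]
    print("pressure 30..33 changes bits", changed_bit_positions(near))
    # ... while the extremes expose the whole 8-bit field (indices 8..15).
    wide = [constructed_capture(0xA5, p, 20) for p in (0, 255)]
    print("pressure 0 and 255 changes bits", changed_bit_positions(wide))
```

The second run shows why the study varied each parameter over a wide range: neighbouring values only toggle the low bits, so the full field width is only visible once the extremes are captured.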

Next comes a process called eavesdropping. This is where it becomes even more challenging. The technique of eavesdropping is just filtering out noise; what makes it so difficult is that it only leaves a time gap of 60-90 seconds max for you to capture a transmission, and only one tire pressure is read in each of these 60-second intervals. In the case study, the students at Rutgers and the University of South Carolina had to decode the two sensors TPS-A and TPS-B. For this project the two sensors I linked in week 2 will be called TPS-A and TPS-B. TPS-A is ASK modulated and TPS-B is FSK modulated, so each has to be decoded differently.

My Fourth task
For my final week of this project I plan on having everything together and ready to go with diagrams and the rest of the project outlined done so it can be repeatable for the next group.

Summary of actual work over fourth weekend
What I planned to do wasn't much different from what I actually got done. I finished up all the final steps that needed to get done to finish this.

Week4 Narrative
What I did for my team in the final week was to get the rest of the procedures finished so the project can be carried on by the next group.

The next process that we need to bring into this tire pressure hacking project is called packet spoofing. Being able to eavesdrop on TPMS communication from a distance allows us to further explore the feasibility of inserting forged data into safety-critical in-vehicle systems. In the case study they had a live eavesdropper that could detect TPMS transmissions and decode both ASK-modulated TPS-A messages and FSK-modulated TPS-B messages in real time. Their packet spoofing system was built on top of that live eavesdropper. The packet generator takes two sets of parameters (sensor type and sensor ID from the eavesdropper; temperature, pressure, and status flags from the user) and generates a properly formatted message. It then modulates the message at baseband (using ASK or FSK) while inserting the proper preamble. Finally, the rogue sensor packets are upconverted and transmitted (either continuously or just once) at the desired frequency (315/433 MHz) using a customized GNU Radio Python script.

Next is to determine the logic of the ECU filtering. We would want to find out the minimum requirement to trigger the TPMS warning light once, the minimum requirement to keep the TPMS warning light on for an extended amount of time, and whether any warning light can be permanently illuminated even after the spoofing stops. The case study mostly focused on triggering the TPMS-LPW light, which we will too for this experiment.

To understand the minimum requirement for triggering the TPMS-LPW light, they started by transmitting one spoofed packet with the rear-left-tire ID and eavesdropping on the entire exchange. They observed that (1) one spoofed packet was not sufficient to trigger the TPMS-LPW light; and (2) in response to this packet, the TPMS ECU immediately sent two activation signals through the antenna mounted close to the rear left tire, causing the rear left sensor to transmit eight packets. So although a single spoofed packet does not cause the ECU to display any warning, it does open a vulnerability to battery drain attacks. They gradually increased the number of spoofed packets and found that transmitting four spoofed packets in one second suffices to illuminate the TPMS-LPW light. This is one of the big discoveries that will come in handy for this project. It is also good to keep in mind that when the interval between two consecutive spoofed packets is larger than 4 seconds or so, the TPMS-LPW no longer illuminates.

This indicates that the TPMS adopts two detection windows, with sizes of 240 ms (a packet lasts 15 ms) and 4 seconds. A 240-ms window is considered positive for low tire pressure if at least one low-pressure packet has been received in that window, regardless of the presence of numerous normal packets.

Next is to figure out how to keep the warning light on, since the TPMS-LPW light turns off after a few seconds if only four forged packets are received. To understand how to sustain the warning light, the students repeatedly transmitted spoofed packets and increased the spoofing period gradually. The TPMS-LPW light remained illuminated when they transmitted the low-pressure packet at a rate higher than one packet per 240 ms, i.e., one packet per detection window. Spoofing at a rate between one packet per 240 ms and one packet per 4 seconds caused the TPMS-LPW light to toggle between on and off. However, spoofing at a rate slower than one packet per 4 seconds could not activate the TPMS-LPW light. As they increased the spoofing period, the TPMS-LPW light remained on for about 6 seconds on average, but stayed off for the majority of the time, and the off time was proportional to the spoofing period. Therefore, it is very likely that the TPMS ECU uses a timer to control the minimum on-duration, and the off-duration of the TPMS-LPW light can be modeled by the equation toff = 3.5x + 4, where x is the spoofing period. This equation is possibly the most important part of this part of the experiment.
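To reason about the ECU's filtering logic described in the last three paragraphs, here is an added model (my own illustration, not code from the page or from the Rutgers/USC study). The constants are the page's numbers: a 240 ms window, a gap of about 4 seconds after which the light no longer illuminates, four packets in one second to trigger it, a 6-second minimum on-time, and toff = 3.5x + 4. How the ECU chains windows together is not stated on the page, so the "four positive windows with no gap over 4 seconds" rule is an assumption of this model.

```python
# Added example, not code from the page or from the Rutgers/USC study: a
# small model of the ECU filtering behaviour described above, for reasoning
# about how the detection windows respond to a stream of low-pressure packets.
# Numbers are the page's (240 ms window, 4 s gap, four packets in one second,
# 6 s minimum on-time, toff = 3.5x + 4). How the ECU chains windows together
# is not stated on the page; the "four positive windows with no gap over 4 s"
# rule below is an assumption of this model.

WINDOW_S = 0.240         # detection window; a packet lasts 15 ms
RESET_GAP_S = 4.0        # packets spaced further apart never light the lamp
WINDOWS_TO_TRIGGER = 4   # four packets within one second sufficed
MIN_ON_S = 6.0           # observed minimum on-duration of the TPMS-LPW light

def positive_windows(packet_times, window=WINDOW_S):
    """Bucket low-pressure packet timestamps (seconds) into fixed windows.
    A window is positive if it holds at least one low-pressure packet, no
    matter how many normal-pressure packets arrive in the same window."""
    return sorted({int(t // window) for t in packet_times})

def light_illuminates(packet_times):
    """Model: the lamp turns on once WINDOWS_TO_TRIGGER positive windows
    occur with no gap longer than RESET_GAP_S between consecutive ones."""
    run, prev = 0, None
    for w in positive_windows(packet_times):
        if prev is None or (w - prev) * WINDOW_S <= RESET_GAP_S:
            run += 1
        else:
            run = 1          # gap too long: the 4 s window has expired
        if run >= WINDOWS_TO_TRIGGER:
            return True
        prev = w
    return False

def off_duration(period_s):
    """Lamp off-time between illuminations, from the page's fit toff = 3.5x + 4
    (x is the interval between low-pressure packets, in seconds)."""
    return 3.5 * period_s + 4.0

def on_fraction(period_s):
    """Share of time the lamp stays lit: solid at one packet per window or
    faster, otherwise MIN_ON_S on followed by off_duration(period) off."""
    if period_s <= WINDOW_S:
        return 1.0
    return MIN_ON_S / (MIN_ON_S + off_duration(period_s))

if __name__ == "__main__":
    print(light_illuminates([0.0, 0.25, 0.50, 0.75]))   # four windows in 1 s
    print(light_illuminates([0.0, 5.0, 10.0, 15.0]))    # gaps over 4 s
    print(round(on_fraction(2.0), 3))                   # 2 s period
```

Because a single low-pressure packet makes a whole 240 ms window positive regardless of how many normal packets it also holds, the model makes clear that the filter gives no weight to the ratio of normal to abnormal readings, only to their timing.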
