SANS Holiday Hack Challenge 2020: Objective 7 — Solve the Sleigh’s CAN-D-BUS Problem

Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.

Objective 7) Jack Frost is somehow inserting malicious messages onto the sleigh’s CAN-D bus. We need you to exclude the malicious messages and no others to fix the sleigh. Visit the NetWars room on the roof and talk to Wunorse Openslae for hints.

The CAN-D-Bus system, located on the Roof near the NetWars room, was only accessible by Santa and his key elves. Once I had taken on the role of Santa, I was able to access the CAN-D-Bus interface, which had three sections: a stream of events on the right, filters for excluding certain events in the middle, and controls for triggering events such as braking and acceleration on the left.

CAN-D-Bus Interface

I filtered out all the CAN IDs that I could see in the stream (244, 188, 19B, 019, 080). To make sure I had filtered out all the events, I played around with each of the settings I could manipulate: accelerator, brake, steering, start, stop, lock, and unlock. When I pressed Start and Stop, I also got events with a CAN ID of 02A, which I also filtered out. My initial filter is shown here.

Initial filter excluding all known CAN IDs

My goal was to re-enable each CAN ID one at a time, observe it to determine what it does, and see whether any weird behavior appeared. I started with 02A, since I had already identified in the previous paragraph that it was associated with Start and Stop. I pressed the Start and Stop buttons several times each and observed the following records show up in the interface.

Start & Stop Records

Next, I investigated CAN ID 244 by removing its filter. Upon doing this, I observed a constant stream of values with all zeros in the data field. I began pressing different buttons to see which one would trigger this data to change. I found that when the sleigh was started, the records with CAN ID 244 had values that corresponded with the value of the accelerator.

Accelerator Records

Next, I investigated CAN ID 188. Upon removing the filter, this also streamed a data value of all zeros. No matter which options I changed, I could never get this value to change or identify what caused it.

CAN ID 188 was unknown

When investigating CAN ID 080, I learned quickly that it was associated with the brake. Initially, when no brake was applied, the value was all zeros. However, as the brake increased, so did the data values. Something strange happened though. As the brake increased, there was also another value that was streaming for that CAN ID that seemed to have nothing to do with the brake. It always started with F’s. This seems like one of the malicious messages I need to remove.

Brake-related records (start with #0000) and erroneous records (start with #FFFF)

The CAN ID 19B is associated with locking and unlocking the sleigh. When the sleigh was locked, the value was all zeros. When it was unlocked, it was 00000F000000. However, when that ID was isolated, I also noticed another erroneous message value that was included. It had the value F2057 which didn’t seem to correlate with any unlocking or locking activity. This seemed like another malicious message.

Lock and unlock messages with the erroneous message at the top.

The final ID, 019, correlated with the value of the steering dial. The value in the message correlated directly with the value on the dial.

Steering messages

With all of the IDs identified, there were two erroneous messages that I felt needed to be filtered out: first, when the CAN ID is 080 and the data starts with FF FF, and second, when the CAN ID is 19B and the data value equals 0000000F2057. When I removed my existing filters and added these two in, the sleigh was successfully defrosted!

The defrosted sleigh!
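To show how narrow the two exclusions are, here is an added Python filter (not part of the original write-up or the challenge interface) that parses a constructed sample of the stream in the ID#DATA form the captions show and applies exactly the two rules above, keeping every other frame. The (ID, match type, pattern) rule shape is this example's own assumption, not the interface's filter syntax.

```python
import re

# Constructed sample of the stream in the ID#DATA form the interface shows;
# IDs and the two malicious patterns are from the walk-through, the rest is made up.
SAMPLE_STREAM = """\
244#000000000000
080#000000000040
080#FFFF00000000
19B#00000F000000
19B#0000000F2057
02A#00FF00FF00FF
"""

FRAME_RE = re.compile(r"^([0-9A-F]{3})#([0-9A-F]*)$")

def parse_stream(text):
    # Parse ID#DATA lines into (can_id, data) tuples; reject malformed lines.
    frames = []
    for line in text.splitlines():
        line = line.strip().upper()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unparseable frame: {line!r}")
        frames.append((m.group(1), m.group(2)))
    return frames

# The two exclusions identified above, as (CAN ID, match type, pattern).
# This rule shape is the example's own, not the interface's filter syntax.
MALICIOUS_RULES = [
    ("080", "startswith", "FFFF"),
    ("19B", "equals", "0000000F2057"),
]

def is_malicious(frame, rules=MALICIOUS_RULES):
    # A frame is excluded only when a rule matches both its ID and its data.
    can_id, data = frame
    return any(
        can_id == rule_id
        and (data.startswith(pattern) if op == "startswith" else data == pattern)
        for rule_id, op, pattern in rules
    )

def filter_stream(text, rules=MALICIOUS_RULES):
    # Split the stream into frames to keep and frames to exclude.
    kept, dropped = [], []
    for frame in parse_stream(text):
        (dropped if is_malicious(frame, rules) else kept).append(frame)
    return kept, dropped
```

Note that matching on the ID alone would also drop the legitimate brake and unlock frames, which is why each rule checks both fields.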

