Velodyne LiDAR, Inc. HDL-64E, HDL-32E, and the PUCK

Velodyne is a LiDAR sensor manufacturer. LiDAR (Light Detection And Ranging) is a way of locating physical objects in spatial relation to one another by triangulating the projection of a laser or an array of lasers. Today Velodyne LiDAR, Inc. claims to work in the following industries:

  • Automotive
  • UAV
  • Mapping
  • Automation (ICS)
  • Robotics
  • Security
  • Urban Planning
  • Agriculture
  • Mining
  • R&D
  • Topography
  • Geology

Summary

The HDL-64E, HDL-32E, and the PUCK (AKA VLP-16) all relay telemetry from the sensor to the server (controller) in plain-text (ASCII) packets. The server makes a logical determination based on that telemetry; in the case of an automobile, for example, the telemetry tells the server (CPU) in the system that the sensor or vehicle has a wall in front of it. The sensors also employ an embedded web server that requires no authentication to access and update both the firmware and the calibration files for the lasers. An attacker who gains network-level access at any point can modify the firmware and calibration files. With very little effort an attacker could also access the GPS data collected in some configurations of the sensor and launch a replay attack, replaying telemetry from the sensor itself at a given latitude and longitude. Additionally, an attacker on the network need only launch an attack at a given telemetry point to control what the vehicle (in our example) sees live, which allows them to steer the vehicle if they have command and control of a network-enabled device. Some of the publicly available documentation also shows how to parse the data.
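Telemetry that crosses the network in the clear with no authentication leaves the controller unable to tell a live sensor from a replayed capture. A defender-side measure is to have the controller watch the stream for the traces a replay or splice leaves behind: an unexpected source address, datagrams repeated byte for byte, and a sensor timestamp that jumps backwards. The following is an added example, not code from the original post or from Velodyne, and it does not reproduce the sensor's real packet layout. It assumes each datagram carries a monotonically increasing sensor timestamp that a caller-supplied parser extracts; the sample datagrams are constructed for the demo with a made-up layout (body bytes followed by a 4-byte big-endian microsecond stamp).

```python
"""Replay/splice monitor for a plaintext UDP telemetry stream (added example).

Not Velodyne's code and not the sensor's real packet layout: the timestamp
parser is supplied by the caller, and the demo datagrams below are constructed
with a made-up layout (body bytes, then a 4-byte big-endian microsecond stamp).
"""
from __future__ import annotations

import hashlib
import struct
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Optional, Set, Tuple


@dataclass
class TelemetryMonitor:
    """Flags the signals a replayed or spliced telemetry feed leaves behind."""

    parse_ts: Callable[[bytes], int]      # extracts the sensor timestamp (µs)
    allowed_sources: Set[str]             # addresses the controller expects
    max_backstep_us: int = 0              # tolerated clock regression
    window: int = 512                     # recent datagram digests kept
    last_ts: Optional[int] = None
    _recent: Deque[bytes] = field(default_factory=deque)
    _recent_set: Set[bytes] = field(default_factory=set)

    def check(self, src: str, payload: bytes) -> List[str]:
        """Return the alerts for one datagram (an empty list means clean)."""
        alerts: List[str] = []
        trusted = src in self.allowed_sources
        if not trusted:
            alerts.append(f"unexpected source {src}")

        # A replayed capture repeats datagrams byte for byte; a live sensor
        # practically never does, so keep a sliding window of digests.
        digest = hashlib.sha256(payload).digest()
        if digest in self._recent_set:
            alerts.append("duplicate datagram (replayed capture?)")
        else:
            self._recent.append(digest)
            self._recent_set.add(digest)
            if len(self._recent) > self.window:
                self._recent_set.discard(self._recent.popleft())

        try:
            ts = self.parse_ts(payload)
        except (struct.error, ValueError):
            alerts.append("malformed datagram")
            return alerts

        # Frames spliced in from an older capture carry older timestamps.
        # A real sensor clock that wraps periodically would need wrap handling.
        if self.last_ts is not None and ts + self.max_backstep_us < self.last_ts:
            alerts.append(f"timestamp went backwards {self.last_ts} -> {ts}")
        # Only a trusted source may advance the reference clock, so an
        # injected stream cannot reset it.
        if trusted and (self.last_ts is None or ts > self.last_ts):
            self.last_ts = ts
        return alerts


# --- constructed demo format (NOT the vendor's layout) ----------------------

def make_datagram(body: bytes, ts_us: int) -> bytes:
    """Constructed sample datagram: body bytes followed by a 4-byte timestamp."""
    return body + struct.pack(">I", ts_us)


def demo_parse_ts(payload: bytes) -> int:
    """Timestamp extractor matching make_datagram's made-up layout."""
    if len(payload) < 4:
        raise ValueError("datagram too short")
    return struct.unpack(">I", payload[-4:])[0]


def run_monitor_demo() -> List[List[str]]:
    """Feed a constructed stream through the monitor; returns alerts per datagram."""
    mon = TelemetryMonitor(parse_ts=demo_parse_ts, allowed_sources={"192.0.2.10"})
    live = [make_datagram(b"scan-a", 1_000),
            make_datagram(b"scan-b", 2_000),
            make_datagram(b"scan-c", 3_000)]
    stream: List[Tuple[str, bytes]] = [("192.0.2.10", p) for p in live]
    stream.append(("192.0.2.99", live[0]))                         # captured frame replayed by another host
    stream.append(("192.0.2.10", make_datagram(b"wall", 1_500)))   # spliced old frame, spoofed source
    stream.append(("192.0.2.10", make_datagram(b"scan-d", 4_000))) # live stream resumes
    return [mon.check(src, p) for src, p in stream]


if __name__ == "__main__":
    for i, alerts in enumerate(run_monitor_demo()):
        print(i, alerts or "ok")
```

The three checks are deliberately independent: a replay from a rogue host trips all of them, while a splice sent from a spoofed legitimate address still trips the timestamp check, and the reference clock only advances on datagrams from an expected source so the injected stream cannot "catch up" the monitor. Such a monitor detects tampering; it does not substitute for authenticating the stream.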

Demonstration

The video below is a “proof of concept” of how an attack could play out using information and tools supplied to the public by the manufacturer.

Velodyne LiDAR Telemetry Vulnerability from Daniel Lance on Vimeo.

The official vulnerability of this system

Network-level command and control without encryption or authentication, lacking basic security practices.

Suggestions

Full network segmentation. Recall any devices that are used in mission-critical roles or could present a health and welfare risk to users and/or bystanders, until basic security practices can be implemented.
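One of the basic practices a controller can apply on its own side, while the sensor's web server still lets anyone on the network replace firmware and calibration files, is to refuse any such file whose integrity it cannot confirm. The following is an added example, not the vendor's mechanism and not code from the post: the controller holds an HMAC key and a signed manifest of file digests off the sensor, and checks the files against it before loading them. The key and file contents are constructed for the demo.

```python
"""Signed manifest for firmware and calibration files (added example).

Not the vendor's mechanism: the controller keeps an HMAC key and a manifest
of file digests off the sensor and refuses to load a firmware image or
calibration file whose digest no longer matches. File contents are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Dict, List

Manifest = Dict[str, object]


def _canonical(digests: Dict[str, str]) -> bytes:
    """Canonical JSON of the digest table, so the MAC covers a stable byte string."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Manifest:
    """Digest every file and authenticate the digest table with HMAC-SHA256."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "mac": mac}


def verify_files(files: Dict[str, bytes], manifest: Manifest, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means every file is as signed."""
    problems: List[str] = []
    digests = manifest.get("files")
    if not isinstance(digests, dict):
        return ["manifest has no file table"]
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    # Constant-time compare: the manifest itself may have been swapped out.
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        problems.append("manifest signature invalid")
    for name, digest in digests.items():
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            problems.append(f"{name}: digest mismatch (modified?)")
    for name in files:
        if name not in digests:
            problems.append(f"{name}: present but not in manifest")
    return problems


def run_integrity_demo() -> Dict[str, List[str]]:
    """Baseline, a tampered calibration file, a forged manifest, and an unlisted file."""
    key = b"controller-held-key-CONSTRUCTED"   # in practice from a secure store, never on the sensor
    files = {
        "calibration.xml": b"<calib>constructed baseline offsets</calib>",
        "firmware.bin": b"\x7fELF constructed firmware image",
    }
    manifest = build_manifest(files, key)
    results = {"baseline": verify_files(files, manifest, key)}

    tampered = dict(files)
    tampered["calibration.xml"] = b"<calib>constructed ALTERED offsets</calib>"
    results["tampered_calibration"] = verify_files(tampered, manifest, key)

    # A manifest re-signed for the altered files, but without the controller's key.
    forged = build_manifest(tampered, b"wrong-key-CONSTRUCTED")
    results["forged_manifest"] = verify_files(tampered, forged, key)

    extra = dict(files)
    extra["extra.bin"] = b"constructed file nobody signed"
    results["unlisted_file"] = verify_files(extra, manifest, key)
    return results


if __name__ == "__main__":
    for case, problems in run_integrity_demo().items():
        print(case, problems or "ok")
```

The check covers the files the controller can read and compare; it does not stop the sensor's web interface from being used to change them, so it complements the segmentation recommended above rather than replacing it.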

Notes

ICS-CERT collaboration concluded.

Velodyne LiDAR, Inc. has been contacted about this issue far in advance of publishing and has refused assistance to fix and acknowledge the issue. Due to this, examples of how replay attacks could be made more effective against this device, and how to attack at a GPS location, have been withheld for safety concerns. It is not my intention to harm or weaponize this vulnerability.

Published 8/29/2016

2 Comments
  1. Sven 2 years ago

    Hi Daniel,
    Nice work there.
    Could you share how you managed to modify the original PCAP file?

    • Daniel (Author) 2 years ago

      Sven,

      Thank you! You can do this a few ways… The easiest way is to take a normal pcap using the device, then dump that pcap into cocoa or Wireshark and trim the pcap to only include the playback portion you want; think about it like slicing film. In the video I dropped a wall in front of the vehicle by slicing the pcap. This would bring most self-driving cars to a stop (I hope). If you were going to do a malicious attack without the sensor in hand, ideally you would copy the header and dump the telemetry into something simple like Excel and do a plus one on each cell on a straight portion of road with a wall on the left and right sides so the vehicle moves forward still, then repack the pcap, and dump this pcap using a timed attack by doing a +/- -0.1 range on the GPS output from the device. That way when you dump the payload (pcap) you can be relatively sure the vehicle will be launching off a bridge… Another way of doing this that I couldn’t confirm yet is to write a string and have the processor calculate the laser positions with a very simple formula that replicates the pcap’s output to control the vehicle. I believe it’s doable but I needed more time on the device.

      Thanks for your question! :)

©[2016] Daniel Lance views and opinions shared on this site are my own and do not reflect my Customer or Employer
