These lists of potential vulnerabilities are by no means exhaustive, but they should give you an idea of how this brainstorming session works. If you were to go to a Level 3 map of potential threats to your vehicle, you would pick one of the processes, like HSI, and start to look at its kernel source to identify sensitive methods and dependencies that might be vulnerable to attack.
Having documented many of our threats, we can now rate them with a risk level using the DREAD categories (for example, Discoverability: how easy is it to find the vulnerability?). Table lists the risk levels from 1 to 3 for each rating category; the top damage rating, for instance, reads "could subvert the security system and gain full trust, ultimately taking over the environment," the lowest reproducibility rating reads "is very difficult to reproduce, even given specific information about the vulnerability," and a low discoverability rating reads "affects a seldom-used part, meaning an attacker would need to be very creative to discover a malicious use for it."
Now we can apply each DREAD category from Table to an identified threat from earlier in the chapter and score the threat from low (1) to high (3). You can identify the overall rating by using the values in the Total column, as shown in Table. In the case of the HSI threats, we can assign high risk to each of these threats, as shown in Table. Although both risks are marked as high, we can see that the older version of the HSI model poses a slightly higher risk than do the injectable serial attacks, so we can make it a priority to address this risk first.
We can also see that the reason why the injectable serial communication risk is lower is that the damage is less severe and the exploit is harder to reproduce than that of an old version of HSI. An alternative scoring system, CVSS, uses three groups of metrics, and each group is subdivided into sub-areas: six for base, three for temporal, and five for environmental, for a total of 14 scoring areas! Also, MIL-STDE is designed to be applied throughout the life cycle of a system, including disposal, which is a nice fit with a secure development life cycle. At this point, we have a layout of many of the potential threats to our vehicle, and we have them ranked by risk.
Now what? Table includes the countermeasure for the HSI code execution risk, and Table includes the countermeasure for the risk of HSI interception (the threat that intercepts and injects commands from the cellular network). Now you have a documented list of high-risk vulnerabilities with solutions. You can prioritize any solutions not currently implemented based on the risk of not implementing that solution. In this chapter you learned the importance of using threat models to identify and document your security posture, and of getting both technical and nontechnical people to brainstorm possible scenarios.
We then drilled down into these scenarios to identify all potential risks. Using a scoring system, we ranked and categorized each potential risk. After assessing threats in this way, we ended up with a document that defined our current product security posture, any countermeasure currently in place, and a task list of high-priority items that still need to be addressed. Your vehicle may have only one of these, or if it was built earlier than , it may have none.
Bus protocols govern the transfer of packets through the network of your vehicle. Several networks and hundreds of sensors communicate on these bus systems, sending messages that control how the vehicle behaves and what information the network knows at any given time. Each manufacturer decides which bus and which protocols make the most sense for its vehicle. CAN is a simple protocol used in manufacturing and in the automobile industry.
Modern vehicles are full of little embedded systems and electronic control units ECUs that can communicate using the CAN protocol. Differential signaling is used in environments that must be fault tolerant to noise, such as in automotive systems and manufacturing. Figure CAN differential signaling. Notice that when a bit is transmitted on the CAN bus, the signal will simultaneously broadcast both 1V higher and lower. The sensors and ECUs have a transceiver that checks to ensure both signals are triggered; if they are not, the transceiver rejects the packet as noise.
The two twisted-pair wires make up the bus and require the bus to be terminated on each end. You may have to hunt around for it, but its outline looks similar to that in Figure Some are easy to access, and others are tucked up under the plastic. Search and you shall find! CAN is easy to find when hunting through cables because its resting voltage is 2. If you find a wire transmitting at 2. Mid-speed and low-speed communications happen on other pins. There are two types of CAN packets: standard and extended.
Extended packets are like standard ones but with a larger space to hold IDs (29 bits instead of 11). A standard packet has the following fields:
Arbitration ID: A broadcast message that identifies the ID of the device trying to communicate, though any one device can send multiple arbitration IDs. If two CAN packets are sent along the bus at the same time, the one with the lower arbitration ID wins, because a 0 bit is dominant on the wire and overrides a 1.
Data length code (DLC): The size of the data, which ranges from 0 to 8 bytes.
Data: The data itself. The maximum size of the data carried by a standard CAN bus packet can be up to 8 bytes, but some systems force 8 bytes by padding out the packet.
Figure shows the format of standard CAN packets. Figure: Format of standard CAN packets. Extended packets are like standard ones, except that they can be chained together to create longer IDs. Extended packets are designed to fit inside standard CAN formatting in order to maintain backward compatibility. Standard packets also differ from extended ones in their use of flags. ISO-TP (ISO 15765-2) is the transport protocol that chains CAN frames together to carry messages larger than 8 bytes; sending lots of information over ISO-TP can easily flood the bus, so be careful when using this standard for large transfers on an active bus.
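As an added example (not code from the book), here is a small Python model of the frame fields just described: standard (11-bit) and extended (29-bit) IDs, a 0 to 8 byte DLC with optional padding, the arbitration rule that the lowest ID wins because a 0 bit is dominant, and a parser for the line format that the can-utils candump tool prints. The captured lines are constructed, not a real trace.

```python
"""Added example, not code from the book: model standard and extended CAN
frames, parse can-utils candump lines, and decide bus arbitration. The
captured lines below are constructed, not a real capture."""
from dataclasses import dataclass

STD_ID_MAX = 0x7FF          # 11-bit standard arbitration ID
EXT_ID_MAX = 0x1FFFFFFF     # 29-bit extended arbitration ID
MAX_DLC = 8                 # classic CAN carries 0 to 8 data bytes


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes
    extended: bool = False

    def __post_init__(self):
        limit = EXT_ID_MAX if self.extended else STD_ID_MAX
        if not 0 <= self.arb_id <= limit:
            raise ValueError(f"arbitration ID {self.arb_id:#x} does not fit the ID field")
        if len(self.data) > MAX_DLC:
            raise ValueError("classic CAN frames carry at most 8 data bytes")

    @property
    def dlc(self) -> int:
        return len(self.data)

    def padded(self, fill: int = 0x00) -> "CanFrame":
        """Some ECUs always send 8 bytes; this pads a short payload the same way."""
        return CanFrame(self.arb_id, self.data.ljust(MAX_DLC, bytes([fill])), self.extended)


def arbitrate(frames):
    """Return the frame that wins when all of them start transmitting at once.

    A 0 bit is dominant on the wire, so the frame that first drives a 0 where
    another drives a 1 keeps the bus: numerically, the lowest ID wins. A
    standard frame beats an extended frame with the same 11 leading bits,
    because the standard frame's next bit (RTR, 0) is dominant over the
    extended frame's SRR bit (1)."""
    def wire_order(f):
        if f.extended:
            return (f.arb_id >> 18, 1, f.arb_id & 0x3FFFF)
        return (f.arb_id, 0, 0)
    return min(frames, key=wire_order)


def parse_candump_line(line: str) -> CanFrame:
    """Parse a candump line such as 'can0  7DF   [8]  02 01 0D 00 00 00 00 00'.
    candump prints standard IDs with 3 hex digits and extended IDs with 8."""
    parts = line.split()
    if len(parts) < 3 or not (parts[2].startswith("[") and parts[2].endswith("]")):
        raise ValueError(f"not a candump line: {line!r}")
    dlc = int(parts[2][1:-1])
    data = bytes(int(b, 16) for b in parts[3:3 + dlc])
    if len(data) != dlc:
        raise ValueError("DLC does not match the number of data bytes present")
    return CanFrame(int(parts[1], 16), data, extended=len(parts[1]) > 3)


def to_candump_line(iface: str, frame: CanFrame) -> str:
    width = 8 if frame.extended else 3
    body = " ".join(f"{b:02X}" for b in frame.data)
    return f"{iface}  {frame.arb_id:0{width}X}   [{frame.dlc}]  {body}"


# Constructed capture: an OBD request, a short frame, and an extended-ID frame.
SAMPLE_LOG = """\
can0  7DF   [8]  02 01 0D 00 00 00 00 00
can0  0C1   [3]  10 20 30
can0  18FEF100   [8]  00 00 00 00 00 00 00 00
"""


def winner_of_sample() -> CanFrame:
    return arbitrate(parse_candump_line(l) for l in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print("wins arbitration:", to_candump_line("can0", winner_of_sample()))
```

Note that the winner in the sample is 0x0C1 even though the 0x7DF diagnostic request was listed first: priority on a CAN bus is a property of the ID, not of who asked first, which is why an attacker who can transmit low IDs can starve legitimate traffic.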
A broadcast message on this system has 0x for both the function code and the node ID. CANopen is seen more in industrial settings than it is in automotive ones. The low-speed bus, a single-wire CAN bus that operates at In contrast, the high-speed bus runs at Kbps with a maximum of 16 nodes.
These bus systems are older and slower than CAN but cheaper to implement. VPW uses only pin 2. Figure: PWM pins, cable view. The speed is grouped into three classes: A, B, and C. PWM uses differential signaling on pins 2 and 10 and is mainly used by Ford. It operates with a high voltage of 5V. PWM has a fixed-bit signal, so a 1 is always a high signal and a 0 is always a low signal. Other than that, the communication protocol is identical to that of VPW. The differences are the speed, voltage, and number of wires used to make up the bus.
VPW has a high voltage of 7V. A bit must remain either high or low for a set amount of time in order to be considered a single 1 bit or a 0 bit. Pulling the bus high puts it at around 7V, while sending a low signal puts it at ground or near-ground levels. This bus also is at a resting, or nontransmission, stage at a near-ground level up to 3V. VPW packets use the format in Figure. Figure: VPW format. The data section is a set size, always 11 bits followed by a 1-bit CRC validity check. Table shows the meaning of the header bits. Table: Meaning of header bits.
In-frame response (IFR) data may follow immediately after this message. Messages sent using KWP may contain up to bytes. The KWP protocol has two variations that differ mainly in baud initialization. The variations are: K-Line uses pin 7 and, optionally, pin 15, as shown in Figure. UARTs use start bits and may include a parity bit and a stop bit. LIN (Local Interconnect Network) was designed to complement CAN. It has no arbitration or priority code; instead, a single master node does all the transmission.
LIN can support up to 16 slave nodes that primarily just listen to the master node. The maximum speed of LIN is 20Kbps. LIN is a single-wire bus that operates at 12V. A LIN message frame includes a header, which is always sent by the master, and a response section, which may be sent by master or slave (see Figure). Figure: LIN format. The SYNC field is used for clock synchronization.
The ID represents the message contents, that is, the type of data being transmitted. The ID can contain up to 64 possibilities. IDs 60 and 61 are used to carry diagnostic information. When reading diagnostic information, the master sends with ID 60 and the slave responds with ID 61. All 8 bytes are used in diagnostics.
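As an added example (not code from the book), here is a Python builder and checker for the LIN frame just described: the 6-bit ID plus its two parity bits form the protected ID that follows the SYNC byte, and the frame ends with an inverted, carry-folded checksum (the classic checksum covers only the data; the LIN 2.x enhanced checksum also covers the protected ID, except for the diagnostic IDs 60 and 61, which always use the classic form). The diagnostic frame contents are constructed.

```python
"""Added example, not code from the book: build and check LIN frames.
Fields: SYNC 0x55, protected ID (6-bit ID plus two parity bits), 1 to 8 data
bytes, checksum. The diagnostic frame below is constructed."""

SYNC = 0x55
DIAG_IDS = {60, 61}     # 0x3C master request, 0x3D slave response


def protected_id(frame_id: int) -> int:
    """P0 = ID0^ID1^ID2^ID4, P1 = NOT(ID1^ID3^ID4^ID5); they sit in bits 6 and 7."""
    if not 0 <= frame_id <= 63:
        raise ValueError("LIN IDs are 6 bits (0 to 63)")
    b = [(frame_id >> i) & 1 for i in range(6)]
    p0 = b[0] ^ b[1] ^ b[2] ^ b[4]
    p1 = 1 ^ (b[1] ^ b[3] ^ b[4] ^ b[5])
    return frame_id | (p0 << 6) | (p1 << 7)


def lin_checksum(covered: bytes) -> int:
    """Inverted modulo-256 sum where every carry is added back in."""
    s = 0
    for byte in covered:
        s += byte
        if s > 0xFF:
            s = (s & 0xFF) + 1
    return (~s) & 0xFF


def _covered(pid: int, data: bytes, enhanced: bool) -> bytes:
    # LIN 2.x enhanced checksum also covers the PID, but the diagnostic
    # frames 60 and 61 always use the classic (data-only) checksum.
    if enhanced and (pid & 0x3F) not in DIAG_IDS:
        return bytes([pid]) + data
    return data


def build_frame(frame_id: int, data: bytes, enhanced: bool = True) -> bytes:
    """Bytes as they appear after the break field: SYNC, PID, data, checksum."""
    if not 1 <= len(data) <= 8:
        raise ValueError("LIN frames carry 1 to 8 data bytes")
    pid = protected_id(frame_id)
    return bytes([SYNC, pid]) + data + bytes([lin_checksum(_covered(pid, data, enhanced))])


def parse_frame(raw: bytes, enhanced: bool = True):
    """Validate SYNC, parity and checksum; return (frame_id, data) or raise."""
    if len(raw) < 4 or raw[0] != SYNC:
        raise ValueError("missing SYNC byte")
    pid, data, cks = raw[1], raw[2:-1], raw[-1]
    frame_id = pid & 0x3F
    if protected_id(frame_id) != pid:
        raise ValueError(f"parity error in PID {pid:#04x}")
    if lin_checksum(_covered(pid, data, enhanced)) != cks:
        raise ValueError("checksum mismatch")
    return frame_id, data


# Constructed master-request frame (ID 60): first data byte is the NAD (0x0A).
DIAG_REQUEST = build_frame(60, bytes([0x0A, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07]))


def main():
    fid, data = parse_frame(DIAG_REQUEST)
    print(f"ID {fid} (PID {protected_id(fid):#04x}) NAD {data[0]:#04x} data {data.hex()}")
    corrupted = DIAG_REQUEST[:3] + bytes([DIAG_REQUEST[3] ^ 0x01]) + DIAG_REQUEST[4:]
    try:
        parse_frame(corrupted)
    except ValueError as e:
        print("corrupted frame rejected:", e)


if __name__ == "__main__":
    main()
```

The parity bits only detect a corrupted ID and the checksum only detects corrupted data; neither authenticates the master, so any node that can drive the single wire can send a valid-looking diagnostic frame.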
The first byte is called the node address for diagnostics (NAD). The first half of the byte range, that is, 1— is defined for ISO-compliant diagnostics, while — can be specific to that device.
One MOST device acts as the timing master, which continuously feeds frames into the ring. Transmission is done through the red light wavelength at nm using an LED.
A similar protocol, MOST50, doubles the bandwidth and increases the frame length to bits. In addition to a timing master, a MOST network master automatically assigns addresses to devices, which allows for a kind of plug-and-play structure. Another unique feature of MOST is that, unlike other buses, it routes packets through separate input and output ports. The OSI layers are in the right column. In MOST25, a block consists of 16 frames. A frame is bits and looks like the illustration in Figure. Figure: MOST25 frame. Synchronous data contains 6 to 15 quadlets (each quadlet is 4 bytes), and asynchronous data contains 0 to 9 quadlets.
A control frame is 2 bytes, but after combining a full block, or 16 frames, you end up with 32 bytes of control data. An assembled control block is laid out as shown in Figure Figure Assembled control block layout. FblockIDs are the core component IDs, or function blocks. For example, an FblockID of 0x52 might be the navigation system. InstID is the instance of the function block.
There can be more than one core function, such as having two CD changers. InstID differentiates which core to talk to. FktID is used to query higher-level function blocks. OP Type is the type of operation to perform (get, set, increment, decrement, and so forth). The Tel ID and Len are the type of telegram and length, respectively. Telegram types represent a single transfer or a multipacket transfer, and the length is that of the telegram itself. Isochronous transfer has three mechanisms: burst mode, constant rate, and packet streaming.
At the moment, most4linux should be considered alpha quality, but it includes some example utilities that you may be able to build upon, namely: The current most4linux driver was written for 2. FlexRay is a high-speed bus that can communicate at speeds of up to 10Mbps. FlexRay uses twisted-pair wiring but can also support a dual-channel setup, which can increase fault tolerance and bandwidth.
However, most FlexRay implementations use only a single pair of wiring similar to CAN bus implementations. It also supports star topology, like Ethernet, that can run longer segments. When implemented in the star topology, a FlexRay hub is a central, active FlexRay device that talks to the other nodes. The bus and star topologies can be combined to create a hybrid layout if desired. When creating a FlexRay network, the manufacturer must tell the devices about the network setup.
Recall that in a CAN network each device just needs to know the baud rate and which IDs it cares about if any. In a bus layout, only one device can talk on the bus at a time. In the case of the CAN bus, the order of who talks first on a collision is determined by the arbitration ID. In contrast, when FlexRay is configured to talk on a bus, it uses something called a time division multiple access TDMA scheme to guarantee determinism: the rate is always the same deterministic , and the system relies on the transmitters to fill in the data as the packets pass down the wire, similar to the way cellular networks like GSM operate.
FIBEX topology maps record the ECUs and how they are connected via channels, and they can implement gateways to determine the routing behavior between buses. FIBEX data is used during firmware compile time and allows developers to reference the known network signals in their code; the compiler handles all the placement and configuration. A FlexRay cycle can be viewed as a packet.
The length of each cycle is determined at design time and should consist of four parts, as shown in Figure Figure Four parts of a FlexRay cycle. The static segment contains reserved slots for data that always represent the same meaning. The dynamic segment slots contain data that can have different representations.
The symbol window is used by the network for signaling, and the idle segment (quiet time) is used for synchronization. The smallest unit of time on FlexRay is called a macrotick, which is typically on the order of a microsecond. All nodes are time synced, and they trigger their macrotick data at the same time. The static section of a FlexRay cycle contains a set amount of slots to store data, kind of like empty train cars.
When an ECU needs to update a static data unit, it fills in its defined slot or car; every ECU knows which car is defined for it.
This system works because all of the participants on a FlexRay bus are time synchronized. The dynamic section is split up into minislots, typically one macrotick long. The dynamic section is usually used for less important, intermittent data, such as internal air temperature. As a minislot passes, an ECU may choose to fill the minislots with data. If all the minislots are full, the ECU must wait for the next cycle. In Figure , the FlexRay cycles are represented as train cars. Transmitters responsible for filling in information for static slots do so when the cycle passes, but dynamic slots are filled in on a first-come, first-served basis.
All train cars are the same size and represent the time deterministic properties of FlexRay. Figure FlexRay train representing cycles. FlexRay clusters work in states that are controlled by the FlexRay state manager. While most states are obvious, some need further explanation. Specifically, online is the normal communication state, while online-passive should only occur when there are synchronization errors.
In online-passive mode, no data is sent or received. Keyslot-only means that data can be transmitted only in the key slots. Low-number-of-coldstarters means that the bus is still operating in full communication mode but is relying on the sync frames only. There are additional operational states, too, such as config, sleep, receive only, and standby. The actual packet that FlexRay uses contains several fields and fits into the cycle in the static or dynamic slot see Figure Figure FlexRay packet layout. The frame ID is the slot the packet should be transmitted in when used for static slots.
When the packet is destined for a dynamic slot 1— , the frame ID represents the priority of this packet. If two packets have the same signal, then the one with the highest priority wins. Payload length is the number of words (2 bytes each), and it can be up to words in length, which means that a FlexRay packet can carry bytes of data, more than 30 times that of a CAN packet. Header CRC should be obvious, and the cycle count is used as a communication counter that increments each time a communication cycle starts. One really neat thing about static slots is that an ECU can read earlier static slots and output a value based on those inputs in the same cycle.
For instance, say you have a component that needs to know the position of each wheel before it can output any needed adjustments. If the first four slots in a static cycle contain each wheel position, the calibration ECU can read them and still have time to fill in a later slot with any adjustments. At this time, there are no standard open source tools for sniffing a FlexRay network. Technically, a FlexRay cluster can have up to configurations with 74 parameters.
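As an added example (not code from the book), here is a toy Python simulation of the cycle structure described above: static slots reserved for specific ECUs, dynamic minislots claimed first come, first served with leftovers deferred to the next cycle, and the wheel-position case where a later static slot is computed from earlier ones within the same cycle. Slot numbers, ECU names, payloads and the rule that a lower frame ID means higher priority in the dynamic segment are assumptions made for the example.

```python
"""Added example, not code from the book: a toy simulation of one FlexRay
communication cycle. ECUs own fixed static slots; dynamic minislots are
claimed first come, first served; and an ECU may read earlier static slots and
fill a later one in the same cycle.  Slot numbers, ECU names, payloads and the
"lower frame ID = higher priority" rule for the dynamic segment are assumptions."""
from dataclasses import dataclass, field


@dataclass
class FlexRayCycle:
    minislots: int                                   # dynamic segment capacity
    owners: dict                                     # static slot -> owning ECU
    cycle_count: int = 0                             # 6-bit counter in the header
    static: dict = field(default_factory=dict)       # slot -> payload
    dynamic: list = field(default_factory=list)      # [(frame_id, payload)] in minislot order

    def write_static(self, ecu: str, slot: int, payload) -> None:
        """Static slots are reserved at design time: only the owner may fill one."""
        if self.owners.get(slot) != ecu:
            raise PermissionError(f"{ecu} does not own static slot {slot}")
        self.static[slot] = payload

    def read_static(self, slot: int):
        return self.static.get(slot)

    def claim_minislot(self, frame_id: int, payload) -> bool:
        """False means every minislot is taken; the sender waits for the next cycle."""
        if len(self.dynamic) >= self.minislots:
            return False
        self.dynamic.append((frame_id, payload))
        return True


def run_cycle(cycle: FlexRayCycle, static_writers, dynamic_requests):
    """Advance one cycle.
    static_writers: [(ecu, slot, producer)], producer(cycle) -> payload, run in
    slot order so that a later slot can be computed from earlier ones.
    dynamic_requests: [(frame_id, payload)], served lowest frame ID first.
    Returns the dynamic requests that did not fit and must retry next cycle."""
    cycle.cycle_count = (cycle.cycle_count + 1) % 64
    cycle.static.clear()
    cycle.dynamic.clear()
    for ecu, slot, producer in sorted(static_writers, key=lambda w: w[1]):
        cycle.write_static(ecu, slot, producer(cycle))
    deferred = []
    for frame_id, payload in sorted(dynamic_requests, key=lambda r: r[0]):
        if not cycle.claim_minislot(frame_id, payload):
            deferred.append((frame_id, payload))
    return deferred


def build_demo():
    """Four wheel ECUs fill slots 1-4; the calibration ECU reads them and fills slot 5."""
    owners = {1: "wheel_fl", 2: "wheel_fr", 3: "wheel_rl", 4: "wheel_rr", 5: "calibration"}
    cycle = FlexRayCycle(minislots=2, owners=owners)
    positions = {"wheel_fl": 10.0, "wheel_fr": 12.0, "wheel_rl": 9.0, "wheel_rr": 11.0}
    writers = [(ecu, slot, (lambda c, v=positions[ecu]: v))
               for slot, ecu in owners.items() if ecu in positions]

    def adjustment(c):                       # hypothetical correction rule
        readings = [c.read_static(s) for s in (1, 2, 3, 4)]
        return sum(readings) / len(readings) - readings[0]

    writers.append(("calibration", 5, adjustment))
    requests = [(0x30, "cabin_temp=21"), (0x10, "door=closed"), (0x42, "radio_vol=7")]
    deferred = run_cycle(cycle, writers, requests)
    return cycle, deferred


if __name__ == "__main__":
    cycle, deferred = build_demo()
    print("cycle", cycle.cycle_count, "static", cycle.static)
    print("dynamic", cycle.dynamic, "deferred", deferred)
```

The ownership check in write_static is what the real bus enforces through configuration and the Bus Guardian rather than through any cryptographic identity: a node that is misconfigured, or deliberately configured, to transmit in someone else's slot corrupts that slot for everyone.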
When spoofing packets on a FlexRay network with two channels, you need to simultaneously spoof both. This pin is often marked as optional, but the Bus Guardian can drive this pin too high to disable a misbehaving device. Ethernet can transmit data at speeds up to 10Gbps, using nonproprietary protocols and any chosen topology. This standard supports quality of service (QoS) and traffic shaping, and it uses time-synchronized UDP packets.
In order to achieve this synchronization, the nodes follow a best master clock algorithm to determine which node is to be the timing master. The master node will normally sync with an outside timing source, such as GPS or, worst case, an on-board oscillator. The master syncs with the other nodes by sending timed packets (every 10 milliseconds); the slave responds with a delay request, and the time offset is calculated from that exchange. Typically, a connector will just be wires like the ones you find connected to an ECU.
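As an added example (not from the book), the exchange described above worked through in Python with constructed timestamps: the master's Sync, the slave's Delay_Req, and the offset and delay the slave derives from the four timestamps. The formulas are the standard two-step (IEEE 1588-style) ones; the 10 ms Sync interval, the clock values and the simplified best-master rule are assumptions made for the example.

```python
"""Added example, not from the book: the clock-synchronization exchange
described above, worked with constructed timestamps. The offset and delay
formulas are the standard two-step (IEEE 1588-style) ones; the 10 ms Sync
interval, the clock values and the simplified best-master rule are assumptions."""

SYNC_INTERVAL_S = 0.010     # master sends Sync every 10 ms (assumed from the text)


def offset_and_delay(t1, t2, t3, t4):
    """t1: master sends Sync (master clock); t2: slave receives it (slave clock);
    t3: slave sends Delay_Req (slave clock); t4: master receives it (master clock).
    Returns (slave_offset_from_master, one_way_delay) assuming a symmetric path."""
    ms = t2 - t1            # master->slave as the two clocks see it: delay + offset
    sm = t4 - t3            # slave->master: delay - offset
    return (ms - sm) / 2, (ms + sm) / 2


def simulate_exchange(true_offset, delay_fwd, delay_rev=None, t1=100.0):
    """Both sides' timestamps for a slave clock running true_offset seconds
    ahead of the master, with optionally asymmetric path delays."""
    delay_rev = delay_fwd if delay_rev is None else delay_rev
    t2 = t1 + delay_fwd + true_offset
    t3 = t2 + 0.002                       # slave replies 2 ms later (assumed)
    t4 = t3 - true_offset + delay_rev
    return t1, t2, t3, t4


def correct_slave_clock(slave_now, t1, t2, t3, t4):
    """What the slave should set its clock to after one exchange."""
    offset, _ = offset_and_delay(t1, t2, t3, t4)
    return slave_now - offset


def best_master(nodes):
    """Simplified best-master selection: lowest (priority, clock_class, id) wins.
    The real algorithm compares more fields, in this order of precedence."""
    return min(nodes, key=lambda n: (n["priority"], n["clock_class"], n["id"]))


def demo():
    nodes = [
        {"id": "head_unit", "priority": 128, "clock_class": 248},   # free-running oscillator
        {"id": "telematics", "priority": 0, "clock_class": 6},      # GPS-disciplined
        {"id": "gateway", "priority": 128, "clock_class": 248},
    ]
    master = best_master(nodes)["id"]
    offset, delay = offset_and_delay(*simulate_exchange(true_offset=0.0025, delay_fwd=0.0003))
    # With asymmetric paths the slave cannot tell offset from asymmetry:
    # it ends up off by half the difference between the two directions.
    skew = offset_and_delay(*simulate_exchange(0.0, 0.0004, 0.0002))[0]
    return master, offset, delay, skew


if __name__ == "__main__":
    print(demo())
```

The asymmetry case is the security-relevant one: anything that can delay packets in one direction (a switch, a bridge, a man in the middle) shifts every slave's clock by half the added delay, and time-triggered protocols built on top of this inherit the error.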
Some exposed connectors are actually round, as shown in Figure Figure Round Ethernet connectors. Mappings vary by manufacturer, and these are just guidelines. Your pinout could differ depending on your make and model. For example, Figure shows a General Motors pinout. Figure shows the plug view, not that of the cable.
Figure Typical DB9 connector plug view. A DB9 adapter can have as few as three pins connected. Figure US-style DB9 connector, plug view. This communication is typically accomplished through a roadside transponder, but cell phones and satellite communications work as well. The idea is to have the system report that pollutants are entering the atmosphere without having to wait up to two years for an emissions check.
The vehicle phones home to the manufacturer with faults and then contacts the owner to inform them of the need for repairs. As you might imagine, this system has some obvious legal questions that still need to be answered, including the risk of mass surveillance of private property. Some submitted requests for proposals to integrate OBD-III into vehicles claim to use transponders to store the following information:
As of this writing, it has yet to be deployed with a transponder approach, although phone-home systems such as OnStar are being deployed to notify the car dealer of various security or safety issues.
When working on your target vehicle, you may run into a number of different buses and protocols. Not all bus lines are exposed via the OBD-II connector, and when looking for a certain packet, it may be easier to locate the module and bus lines leaving a specific module in order to reverse a particular packet. See Chapter 7 for details on how to read wiring diagrams. When you begin using a CAN for vehicle communications, you may well find it to be a hodgepodge of different drivers and software utilities.
The ideal would be to unify the CAN tools and their different interfaces into a common interface so we could easily share information between tools. If you have Linux or install Linux on a virtual machine VM , you already have this interface. Today, the term SocketCAN is used to refer to the implementation of CAN drivers as network devices, like Ethernet cards, and to describe application access to the CAN bus via the network socket—programming interface.
The can-utils package provides several applications and tools to interact with the CAN network devices, CAN-specific protocols, and the ability to set up a virtual CAN environment. In order to test many of the examples in this book, install a recent version in a Linux VM on your system.
The newest versions of Ubuntu have can-utils in their standard repositories. This functionality allows the kernel to handle CAN device drivers and to interface with existing networking hardware to provide a common interface and user-space utilities. With traditional CAN software, the application has its own protocol that typically talks to a character device, like a serial driver, and then the actual hardware driver.
In order to install can-utils , you must be running a Linux distribution from or later or one running the 2. You should be able to use your package manager to install can-utils. The next step depends on your hardware. As of this writing, the Linux built-in CAN drivers support the following chipsets:. When you plug in a supported device, these modules should automatically load, and you should see them when you enter the lsmod command.
Using the display message command dmesg, you should see output similar to this:
You can verify the interface loaded properly with ifconfig and ensure a can0 interface is now present:
Now set the CAN bus speed. The key component you need to set is the bit rate, which is the speed of the bus. Once you bring up the can0 device, you should be able to use the tools from can-utils on this interface. Linux uses netlink to communicate between the kernel and user-space tools. You can access netlink with the ip link command. To see all the netlink options, enter the following:
If you begin to see odd behavior, such as a lack of packet captures and packet errors, the interface may have stopped. If the device is internal, run these commands to reset it:
External CAN devices usually communicate via serial. In order to use one of the USB-to-serial adapters, you must first initialize both the serial hardware and the baud rate on the CAN bus:
The slcand daemon provides the interface needed to translate serial communication to the network driver, slcan0. The following options can be passed to slcand:
Table lists the numbers passed to -s and the corresponding baud rates. Table: Numbers and corresponding baud rates.
As you can see, entering -s6 prepares the device to communicate with a Kbps CAN bus network. With these options set, you should now have an slcan0 device. To confirm, enter the following:
Most of the information returned by ifconfig is set to generic default values, which may be all 0s. This is normal.
If we see an slcan0 device, we know that we should be able to use our tools to communicate over serial with the CAN controller. At this point, it may be good to see whether your physical sniffer device has additional lights. Your CAN device must be plugged in to your computer and the vehicle in order for these lights to function properly. Not all devices have these lights. You can set up a virtual CAN network for testing. To do so, simply load the vcan module.
By default, it listens on port It can be used to handle some busy work when dealing with repetitive CAN messages. You can specify as many interfaces as you like and have canbusload display a bar graph of the worst bandwidth offenders. It can also take filters and log packets. It can also generate random packets.
Some of the more advanced and experimental commands, such as the ISO-TP-based ones, require you to install additional kernel modules, such as can-isotp, before they can be used. You can grab the additional CAN kernel modules like this:
Once make finishes, it should create a can-isotp. To load the newly compiled can-isotp. The can-isotp. The can.
Ignore the err 0 messages. These messages indicate that you need to load the can. Once loaded, everything should work fine. In order to write your own utilities, you first need to connect to the CAN socket. This code snippet will bind to can0 as a raw CAN socket. A BCM service is a more complex structure that can monitor for byte changes and the queue of cyclic CAN packet transmissions.
These lines set up the CAN family for sockaddr and then bind to the socket, allowing you to read packets off the network:
Writing to the CAN network is just like the read command but in reverse. Simple, eh? The SocketCAN network-layer modules implement a procfs interface as well. Having access to information in proc can make bash scripting easier and also provide a quick way to see what the kernel is doing.
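As an added example (not the book's C snippet), here is the same raw-socket bind, read and write done from Python's standard library, which exposes SocketCAN directly. The 16-byte can_frame layout (a 32-bit can_id, an 8-bit length, three padding bytes, eight data bytes) and the flag bits in can_id are the kernel's own; the interface name, the filter and the frames are constructed. The pack and unpack helpers run anywhere; the socket helpers need Linux with a can0 or vcan0 interface.

```python
"""Added example, not the book's C snippet: raw SocketCAN from Python's
stdlib. The 16-byte can_frame layout (u32 can_id, u8 length, 3 pad bytes,
8 data bytes) and the flag bits are the kernel's; the interface name, filter
and frames are constructed. pack/unpack run anywhere; the socket helpers need
Linux with a can0/vcan0 interface."""
import socket
import struct

CAN_FRAME_FMT = "=IB3x8s"        # struct can_frame, 16 bytes
CAN_EFF_FLAG = 0x80000000        # extended (29-bit) ID
CAN_RTR_FLAG = 0x40000000        # remote transmission request
CAN_ERR_FLAG = 0x20000000        # error frame, not data
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


def pack_frame(arb_id: int, data: bytes, extended: bool = False) -> bytes:
    if len(data) > 8:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    if extended:
        can_id = (arb_id & CAN_EFF_MASK) | CAN_EFF_FLAG
    else:
        if arb_id > CAN_SFF_MASK:
            raise ValueError("ID does not fit 11 bits; use extended=True")
        can_id = arb_id
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(raw: bytes):
    """Return (arb_id, data, extended); raise on error frames so callers notice."""
    can_id, length, data = struct.unpack(CAN_FRAME_FMT, raw)
    if can_id & CAN_ERR_FLAG:
        raise IOError(f"CAN error frame, class bits {can_id & CAN_EFF_MASK:#x}")
    extended = bool(can_id & CAN_EFF_FLAG)
    arb_id = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return arb_id, data[:length], extended


def open_raw(iface: str = "can0") -> socket.socket:
    """Equivalent of socket(PF_CAN, SOCK_RAW, CAN_RAW) followed by bind()."""
    s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    s.bind((iface,))
    return s


def set_filter(s: socket.socket, arb_id: int, mask: int = CAN_SFF_MASK) -> None:
    """Kernel-side filter: deliver only frames where (id & mask) == (arb_id & mask).
    struct can_filter is two u32 values: can_id, can_mask."""
    s.setsockopt(socket.SOL_CAN_RAW, socket.CAN_RAW_FILTER, struct.pack("=II", arb_id, mask))


def send_frame(s: socket.socket, arb_id: int, data: bytes, extended: bool = False) -> None:
    s.send(pack_frame(arb_id, data, extended))


def recv_frame(s: socket.socket):
    return unpack_frame(s.recv(16))


if __name__ == "__main__":
    # Linux only; e.g. after: ip link add dev vcan0 type vcan && ip link set up vcan0
    sock = open_raw("vcan0")
    set_filter(sock, 0x7E8, 0x7F8)                 # only 0x7E8-0x7EF diagnostic responses
    send_frame(sock, 0x7DF, bytes([0x02, 0x01, 0x0D]))
    print(recv_frame(sock))
```

Filtering in the kernel rather than in your loop matters on a busy bus: a raw socket with no filter receives every frame, and a Python loop that cannot keep up silently loses the ones you wanted.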
Some other useful procfs files include the following:
You can limit the maximum length of transmitted packets in proc:
Set this value to whatever you feel will be the maximum packet length for your application. Socketcand includes a full protocol to control its interaction with the CAN bus. For example, you can send the following line to socketcand to open a loopback interface:
Socketcand, however, is a bit more robust than the BCM server. You can download a binary package for Kayak or compile from source. Once the clone is complete, run the following:
You can attach as many CAN devices as you want to socketcand, separated by commas.
Right-click the project and choose Newbus ; then, give your bus a name see Figure Figure Creating a name for the CAN bus. Click the Connections tab at the right; your socketcand should show up under Auto Discovery see Figure Figure Finding Auto Discovery under the Connections tab. Drag the socketcand connection to the bus connection.
To see the bus, you may have to expand it by clicking the drop-down arrow next to the bus name, as shown in Figure Figure Setting up the bus connection. Press the play button circled in Figure ; you should start to see packets from the CAN bus. Choose Colorize from the toolbar to make it easier to see and read the changing packets.
Kayak can easily record and play back packet capture sessions, and it supports CAN definitions stored in an open KDC format. Kayak is a great open source tool that can work on any platform. In addition, it has a friendly GUI with advanced features that allow you to define the CAN packets you see and view them graphically. Finally, you learned how to use socketcand to allow remote interaction with your CAN devices and set up Kayak to work with socketcand. The OBD-II connector is primarily used by mechanics to quickly analyze and troubleshoot problems with a vehicle. When a vehicle experiences a fault, it saves information related to that fault and triggers the engine warning light, also known as the malfunction indicator lamp MIL.
DTCs are stored in different places. More serious DTCs are stored in areas that will survive a power failure. Faults are usually classified as either hard or soft. Often to determine whether a fault is hard or soft, a mechanic clears the DTCs and drives the vehicle to see whether the fault reappears. If it reappears, the fault is a hard fault. A soft fault could be due to a problem such as a loose gas cap. Not all faults trigger the MIL light right away. When storing the DTCs, the PCM snapshots all the relevant engine components in what is known as freeze frame data, which typically includes information such as the following:
Some systems store only one freeze frame, usually for the first DTC triggered or the highest-priority DTC, while others record multiple ones. In an ideal world, these snapshots would happen as soon the DTC occurs, but the freeze frames are typically recorded about five seconds after a DTC is triggered. A DTC is a five-character alphanumeric code. The code in the first byte position represents the basic function of the component that set the code, as shown in Table Table Diagnostic Code Layouts.
When set to 3, byte 2 is both an SAE-defined standard and a manufacturer-specific code. Originally, 3 was used exclusively for manufacturers, but pressure is mounting to standardize 3 to mean a standard code instead. The five characters in a DTC are represented by just two raw bytes on the network. Table Diagnostic Code Binary Breakdown. Except for the first two, the characters have a one-to-one relationship.
Refer to Table to see how the first two bits are assigned. You should be able to look up the meaning of any codes that follow the SAE standard online. Here are some example ranges for common powertrain DTCs:
To learn the meaning of a particular code, pick up a repair book in the Chilton series at your local auto shop. Mechanics check fault codes with scan tools. Scan tools are nice to have but not necessary for vehicle hacking.
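As an added example (not code from the book), here is the two-byte to five-character mapping from the tables above in Python: the first two bits select the system letter (P, C, B, U), the next two bits give the second character, and the remaining three nibbles map one to one. It also decodes a run of stored codes, treating all-zero pairs as padding. The sample bytes are constructed.

```python
"""Added example, not from the book: turn the two raw DTC bytes into the
five-character code and back. Sample bytes are constructed."""

SYSTEM_LETTERS = "PCBU"                       # bits 7-6 of the first byte


def decode_dtc(raw: bytes) -> str:
    if len(raw) != 2:
        raise ValueError("a DTC is exactly two bytes on the wire")
    hi, lo = raw
    letter = SYSTEM_LETTERS[hi >> 6]
    second = (hi >> 4) & 0x03                 # 0 = SAE standard, 1 = manufacturer, 2/3 = see text
    return f"{letter}{second}{hi & 0x0F:X}{lo >> 4:X}{lo & 0x0F:X}"


def encode_dtc(code: str) -> bytes:
    code = code.strip().upper()
    if len(code) != 5 or code[0] not in SYSTEM_LETTERS or code[1] not in "0123":
        raise ValueError(f"malformed DTC {code!r}")
    hi = (SYSTEM_LETTERS.index(code[0]) << 6) | (int(code[1]) << 4) | int(code[2], 16)
    lo = int(code[3:5], 16)
    return bytes([hi, lo])


def decode_dtc_list(payload: bytes) -> list:
    """Decode a run of two-byte DTCs (for example the body of a stored-DTC
    response with the service byte already stripped); 0x0000 pairs are padding."""
    if len(payload) % 2:
        raise ValueError("DTC list must be whole two-byte pairs")
    pairs = [payload[i:i + 2] for i in range(0, len(payload), 2)]
    return [decode_dtc(p) for p in pairs if p != b"\x00\x00"]


if __name__ == "__main__":
    # Constructed: one standard powertrain code, one chassis code, one padding pair.
    print(decode_dtc_list(bytes.fromhex("0133 4120 0000")))
    print(encode_dtc("P0133").hex())
```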
These are typically dongles that need additional software, such as a mobile app, in order for them to function fully as scan tools. Higher-end ones should have manufacturer-specific databases that allow you to perform much more detailed testing. DTCs usually erase themselves once the fault no longer appears during conditions similar to when the fault was first found.
For this purpose, similar is defined as the following:
The reason for this is simple enough: to prevent mechanics from manually turning off the MIL and clearing the DTCs when the problem still exists. Unfortunately, although UDS was designed to make vehicle information accessible to even the mom-and-pop mechanic, the reality is a bit different: CAN packets are sent the same way but the contents vary for each make, model, and even year. Auto manufacturers sell dealers licenses to the details of the packet contents.
In practice, UDS just works as a gateway to make some but not all of this vehicle information available. Diagnostic tests like these send the system a request to perform an action, and that request generates signals, such as other CAN packets, that are used to perform the work. For instance, a diagnostic tool may make a request to unlock the car doors, which results in the component sending a separate CAN signal that actually does the work of unlocking the doors.
In this listing, 7df is the OBD diagnostic code, 02 is the size of the packet, 01 is the mode show current data; see Appendix B for a list of common modes and PIDs , and 0d is the service a vehicle speed of 0 because the vehicle was stationary. The response adds 0x8 to the ID 7e8 ; the next byte is the size of the response.
Responses then add 0x40 to the mode byte of the request, which gives 0x41 in this case. Then, the service is repeated and followed by the data for the service. ISO-TP specifies a method to receive response data. Table lists the most common error responses. In this response, we can see that after 0x7e8, the next byte is 0x03, which represents the size of the response. The next byte, 0x7F, represents an error for service 0x11, the third byte. The final byte, 0x11, represents the error returned, in this case service not supported (SNS). Run isotpsend in one terminal, and then run isotpsniffer or isotprecv in another terminal to see the response to your isotpsend commands.
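As an added example (not the book's listing), here is a Python decoder for the single-frame exchange just described: requests go out on 0x7DF, responses come back on 0x7E8 through 0x7EF, the first byte is the ISO-TP length, the response mode is the request mode plus 0x40, and 0x7F marks a negative response followed by the rejected service and a negative response code. The frames are constructed; the PID formulas are the standard SAE J1979 ones.

```python
"""Added example, not the book's listing: decode single-frame OBD-II/UDS
exchanges on 0x7DF/0x7E8. Frames are constructed; PID formulas are SAE J1979."""

REQUEST_ID = 0x7DF                  # functional (broadcast) diagnostic request
RESPONSE_IDS = range(0x7E8, 0x7F0)  # ECU responses: 0x7E8 + ECU index
NEGATIVE = 0x7F

NRC = {                             # common negative response codes (ISO 14229)
    0x10: "generalReject", 0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported", 0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect", 0x31: "requestOutOfRange",
    0x33: "securityAccessDenied", 0x35: "invalidKey",
    0x78: "requestCorrectlyReceivedResponsePending",
    0x7F: "serviceNotSupportedInActiveSession",
}

PID_DECODERS = {                    # mode 0x01 PIDs: name and SAE J1979 formula
    0x05: ("coolant_temp_c", lambda d: d[0] - 40),
    0x0C: ("engine_rpm", lambda d: ((d[0] << 8) | d[1]) / 4),
    0x0D: ("vehicle_speed_kph", lambda d: d[0]),
}


def build_request(mode: int, pid: int) -> bytes:
    """Single-frame request: length byte, mode, PID, padded to 8 bytes."""
    return bytes([0x02, mode, pid]).ljust(8, b"\x00")


def decode_response(arb_id: int, frame: bytes) -> dict:
    if arb_id not in RESPONSE_IDS:
        raise ValueError(f"{arb_id:#x} is not a diagnostic response ID")
    length = frame[0]
    if length > 7:
        raise ValueError("not a single frame; reassemble with ISO-TP first")
    body = frame[1:1 + length]
    ecu = arb_id - 0x7E8
    if body[0] == NEGATIVE:
        return {"ecu": ecu, "service": body[1], "error": NRC.get(body[2], f"nrc_{body[2]:02x}")}
    mode = body[0] - 0x40
    pid = body[1]
    name, fn = PID_DECODERS.get(pid, (f"pid_{pid:02x}_raw", lambda d: d.hex()))
    return {"ecu": ecu, "mode": mode, "pid": pid, name: fn(body[2:])}


# Constructed frames: the speed response from the text, an RPM response, and
# the negative response to an unsupported service 0x11.
SAMPLES = [
    (0x7E8, bytes.fromhex("03 41 0D 00 00 00 00 00")),
    (0x7E8, bytes.fromhex("04 41 0C 1A F8 00 00 00")),
    (0x7E8, bytes.fromhex("03 7F 11 11 00 00 00 00")),
]

if __name__ == "__main__":
    print(build_request(0x01, 0x0D).hex())
    for arb_id, frame in SAMPLES:
        print(decode_response(arb_id, frame))
```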
Then, in another terminal, send the request packet via the command line:
In the case of UDS, the source is 0x7df, and the destination response is 0x7e8. The first 3 bytes make up the UDS response. Enter this VIN into Google, and you should see detailed information about this vehicle, which was taken from an ECU pulled from a wrecked car found in a junkyard. Table shows the information you should see. Table: VIN information. The first byte of the data section in a diagnostic code is the mode.
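As an added example (not the book's isotp listing), here is the ISO-TP (ISO 15765-2) exchange that the isotpsend and isotprecv tools perform for you on that VIN request, with both sides' frames. A 20-byte response (0x49, 0x02, item count, 17-byte VIN) cannot fit one 8-byte CAN frame, so the ECU sends a First Frame, the tester answers with a Flow Control frame, and the rest arrives in Consecutive Frames with sequence numbers. The VIN, block size and padding byte are constructed.

```python
"""Added example, not the book's listing: the ISO-TP (ISO 15765-2) exchange
behind a mode 0x09 PID 0x02 VIN request, with both sides' frames.
The VIN, block size and padding byte are constructed."""

REQ_ID, RESP_ID = 0x7DF, 0x7E8


def pad8(b: bytes) -> bytes:
    return b.ljust(8, b"\x00")


class IsoTpSender:
    """ECU side: a Single Frame (PCI 0x0N) if the payload fits, otherwise a
    First Frame (PCI 0x1LLL, 6 data bytes) then Consecutive Frames (PCI 0x2S)."""

    def __init__(self, payload: bytes):
        if len(payload) > 0xFFF:
            raise ValueError("First Frame length field is 12 bits")
        self.payload, self.pos, self.seq = payload, 0, 0

    def first_frame(self) -> bytes:
        n = len(self.payload)
        if n <= 7:
            self.pos = n
            return pad8(bytes([n]) + self.payload)
        self.pos = 6
        return bytes([0x10 | (n >> 8), n & 0xFF]) + self.payload[:6]

    def block(self, block_size: int) -> list:
        """Consecutive Frames permitted by one Flow Control (0 = no limit)."""
        frames = []
        while self.pos < len(self.payload) and (block_size == 0 or len(frames) < block_size):
            self.seq = (self.seq + 1) & 0xF          # 1..15, then wraps to 0
            chunk = self.payload[self.pos:self.pos + 7]
            self.pos += len(chunk)
            frames.append(pad8(bytes([0x20 | self.seq]) + chunk))
        return frames


class IsoTpReceiver:
    """Tester side: reassembles, answers a First Frame (and each full block) with
    Flow Control 0x30 (ContinueToSend), block size, STmin, and checks sequence numbers."""

    def __init__(self, block_size: int = 0, st_min: int = 0):
        self.bs, self.st_min = block_size, st_min
        self.buf, self.expected, self.seq, self.in_block = bytearray(), 0, 0, 0

    def flow_control(self) -> bytes:
        return pad8(bytes([0x30, self.bs, self.st_min]))

    def feed(self, frame: bytes):
        """Return (flow_control_to_send or None, completed_payload or None)."""
        pci = frame[0] >> 4
        if pci == 0x0:                                  # Single Frame
            return None, bytes(frame[1:1 + (frame[0] & 0xF)])
        if pci == 0x1:                                  # First Frame
            self.expected = ((frame[0] & 0xF) << 8) | frame[1]
            self.buf, self.seq, self.in_block = bytearray(frame[2:8]), 0, 0
            return self.flow_control(), None
        if pci == 0x2:                                  # Consecutive Frame
            self.seq = (self.seq + 1) & 0xF
            if (frame[0] & 0xF) != self.seq:
                raise ValueError("ISO-TP sequence number error")
            self.buf += frame[1:1 + min(7, self.expected - len(self.buf))]
            self.in_block += 1
            if len(self.buf) >= self.expected:
                return None, bytes(self.buf)
            if self.bs and self.in_block == self.bs:
                self.in_block = 0
                return self.flow_control(), None
            return None, None
        raise ValueError(f"unexpected PCI {frame[0]:#04x}")


def vin_exchange(vin: bytes, block_size: int = 2):
    """Run both sides; returns ([(arb_id, frame), ...] in bus order, reassembled payload)."""
    if len(vin) != 17:
        raise ValueError("a VIN is 17 characters")
    response = bytes([0x09 + 0x40, 0x02, 0x01]) + vin   # mode+0x40, PID, item count, VIN
    tx, rx = IsoTpSender(response), IsoTpReceiver(block_size)
    log = [(REQ_ID, pad8(bytes([0x02, 0x09, 0x02])))]  # the tester's request
    frame = tx.first_frame()
    log.append((RESP_ID, frame))
    fc, payload = rx.feed(frame)
    while payload is None:
        if fc is None:
            raise RuntimeError("sender is stalled waiting for Flow Control")
        log.append((REQ_ID, fc))
        for cf in tx.block(fc[1]):
            log.append((RESP_ID, cf))
            fc, payload = rx.feed(cf)
            if payload is not None:
                break
    return log, payload


if __name__ == "__main__":
    log, payload = vin_exchange(b"TESTVIN0123456789")     # constructed VIN
    for arb_id, frame in log:
        print(f"{arb_id:03X}  {frame.hex(' ')}")
    print("VIN:", payload[3:].decode())
```

The Flow Control frame is the bus-flooding knob mentioned earlier: a block size of 0 with STmin 0 tells the ECU to stream every Consecutive Frame back to back, which is exactly what an unthrottled large transfer on an active bus looks like.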
Shows data streams of a given PID. Has the same PID values as 0x01, except that the data returned is from the freeze frame state. Allows a technician to activate and deactivate the system actuators manually. System actuators allow drive-by-wire operations and physically control different devices. Dealership scan tools have a lot more access to vehicle internals and are an interesting target for hackers to reverse engineer. This mode pulls DTCs that have been erased via mode 0x One such module is a DCM module that deals specifically with discovering diagnostic services.
Set your channel to that of your SocketCAN device. Now, to discover what diagnostics your vehicle supports, run the following:. This will send the tester-present code to every arbitration ID. Here is an example discovery session using CaringCaribou:. Next, we probe the different services on 0x Notice that the output lists several duplicate services for service 0x As of this writing, CaringCaribou is in its early stages of development, and your results may vary.
Restart the scan from where it left off using the -min option, as follows. In our example, the scan will also stop scanning a bit later at this more common diagnostic ID. In order to keep the vehicle in this state, you need to continuously send a packet to let the vehicle know that a diagnostic technician is present. The tester present packet keeps the car in a diagnostic state.
One possible workaround is to tell slcand to use canX style names instead of slcanX. The enhanced version, 0x22, can return information not available with standard OBD tools. Use the SecurityAccess command 0x27 to access protected information. This can be a rolling key, meaning that the password or key changes each time, but the important thing is that the controller responds if successful.
You likely know that airplanes have black boxes that record information about flights as well as conversations in the cockpit and over radio transmissions. All and newer vehicles are also required to have a type of black box, known as an event data recorder (EDR), but EDRs record only a portion of the information that a black box on an airplane would. While this data is very similar to freeze frame data, its purpose is to collect and store information during a crash. The EDR constantly stores information, typically only about 20 seconds worth at any one time.
These boxes collect data from other ECUs and sensors and store them for recovery after a crash. Figure shows a typical EDR. Figure A typical event data recorder. CDR kits include both proprietary hardware and software. The format of vehicle crash data is often considered proprietary as well, and many manufacturers license the communication protocol to tool providers that make CDRs.
Obviously, this is not in the best interest of the consumer. The SAE J standard lists recommended practices for event data collection and defines event records by sample rate: high, low, and static. While the SAE J states latitude and longitude recordings, many manufacturers claim not to record this information for privacy reasons. Your research may vary. Not all manufacturers conform to the SAE J standard. The SDM does not record any post-crash information. These coincide with other crash recovery systems and extend the functionality by contacting the manufacturer or third party.
ACNs are specific to each manufacturer, and each system will send different information. For example, the Veridian automated collision notification system released in reports this information. Captured freeze frame snapshots rarely contain information that would help determine whether the DTC was triggered by malicious intent. This type of attack would most likely occur during the research phase of an attack (when an attacker is trying to determine what components the randomly generated packets were affecting), not during an active exploit.
Accessing and fuzzing manufacturer-specific PIDs—by flashing firmware or using mode 0x08—can lead to interesting results. Unfortunately, security professionals will need to reverse or fuzz these proprietary interfaces to determine what is exposed before work can be done to determine whether there are vulnerabilities. If they can keep undocumented entry points and weaknesses a secret, then their exploit will last longer without being detected.
You have learned how CAN packets can be linked together to write larger messages or to create two-directional communications over CAN. You also learned how to read and clear any DTCs. You looked at how to find undocumented diagnostic services and saw what types of data are recorded about you and your driving habits. You also explored some ways in which diagnostic services can be used by malicious parties.
In order to reverse engineer the CAN bus, we first have to be able to read the CAN packets and identify which packets control what. The rest of the nondiagnostic packets are the ones that the car actually uses to perform actions. See Chapter 2 for common locations of the OBD connectors and their pinouts.
CAN wires are typically two wires twisted together. This can be difficult to identify because the bus is often noisy. The CAN bus uses a ohm terminator on each end of the bus, so there should be 60 ohms between the two twisted-pair wires you suspect are CAN. You should get a constant signal because the differential signals should cancel each other out. If the car is turned off, the CAN bus is usually silent, but something as simple as inserting the car key or pulling up on the door handle will usually wake the vehicle and generate signals.
First, you need to determine the type of communication running on the bus. In order to do so, locate the bus those target components use, and then reverse engineer the packets traveling on that bus to identify their purpose. There are a ton of these devices on the market. However, a proprietary device specifically designed to sniff CAN should still work. If your background is in networking, your first instinct may be to use Wireshark to look at CAN packets.
This technically works, but we will soon see why Wireshark is not the best tool for the job. Wireshark can listen on both canX and vcanX devices, but not on slcanX because serial-link devices are not true netlink devices and they need a translation daemon in order for them to work. If you need to use a slcanX device with Wireshark, try changing the name from slcanX to canX.
I discuss CAN interfaces in detail in Chapter 2. Figure Wireshark on the CAN bus.
Listing uses slcan0 as the sniffer device. Listing candump of traffic streaming through a CAN bus. Devices on a CAN network are noisy, often pulsing at set intervals or when triggered by an event, such as a door unlocking. This noise can make it futile to stream data from a CAN network without a filter. Good CAN sniffer software will group changes to packets in a data stream based on their arbitration ID, highlighting only the portions of data that have changed since the last time the packet was seen.
The cansniffer command line tool groups the packets by arbitration ID and highlights the bytes that have changed since the last time the sniffer looked at that ID. For example, Figure shows the result of running cansniffer on the device slcan0. Figure cansniffer example output. You can add the -c flag to colorize any changing bytes. For example, to see only IDs and as cansniffer collects packets, enter this.
The command uses a bitmask, which does a bit-level comparison against the arbitration ID. Any binary value of 1 used in a mask is a bit that has to be true, while a binary value of 0 is a wildcard that can match anything. A bitmask of all 0s tells cansniffer to match any arbitration ID. The minus sign (-) in front of the bitmask removes all matching bits, which is every packet. You can also use a filter and a bitmask with cansniffer to grab a range of IDs.
Using 7FF as a mask is the same as not specifying a bitmask for an ID. For example. For those not familiar with AND operations, each binary bit is compared, and if both are a 1 then the output is a 1. Figure Kayak GUI interface. The can-utils suite records CAN packets using a simple ASCII format, which you can view with a simple text editor, and most of its tools support this format for both recording and playback.
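The filter arithmetic described above, as an added example that is not part of the book or of can-utils: an ID filter set where a 1 bit in the mask must match, a 0 bit is a wildcard, no mask means 7FF, and a leading minus removes the matching IDs, combined with cansniffer-style highlighting of the bytes that changed since an ID was last seen. The +ID:MASK command syntax and the frames are constructed for this example.

```python
CAN_SFF_MASK = 0x7FF  # 11-bit standard arbitration ID


def id_matches(can_id, filter_id, mask):
    """A 1 bit in the mask must agree with filter_id; a 0 bit is a wildcard."""
    return (can_id & mask) == (filter_id & mask)


class IdFilterSet:
    """The set of arbitration IDs the sniffer currently displays."""

    def __init__(self):
        self.shown = set(range(CAN_SFF_MASK + 1))  # everything is shown at start

    def apply(self, command):
        """Apply '+ID', '-ID', '+ID:MASK' or '-ID:MASK' (hex; syntax assumed).
        Returns how many arbitration IDs the command matched."""
        sign, spec = command[0], command[1:]
        if sign not in "+-":
            raise ValueError(f"filter must start with + or -: {command!r}")
        id_str, _, mask_str = spec.partition(":")
        filter_id = int(id_str, 16) & CAN_SFF_MASK
        # No mask given is the same as mask 7FF: the ID must match exactly
        mask = int(mask_str or "7FF", 16) & CAN_SFF_MASK
        hits = {i for i in range(CAN_SFF_MASK + 1) if id_matches(i, filter_id, mask)}
        self.shown = (self.shown | hits) if sign == "+" else (self.shown - hits)
        return len(hits)


class ChangeTracker:
    """Remembers the last data seen per ID and reports changed byte positions."""

    def __init__(self):
        self.last = {}

    def observe(self, can_id, data):
        prev = self.last.get(can_id)
        self.last[can_id] = bytes(data)
        if prev is None:
            return None  # first sighting of this ID: nothing to compare against
        # Positions whose byte differs from the previous frame of this ID
        return [i for i in range(max(len(prev), len(data)))
                if i >= len(prev) or i >= len(data) or prev[i] != data[i]]


def sniff(frames, commands):
    """Filter and change-track a frame stream the way cansniffer displays it.
    Returns (can_id, hex_data, changed_positions) for every displayed frame."""
    filters = IdFilterSet()
    for command in commands:
        filters.apply(command)
    tracker = ChangeTracker()
    rows = []
    for can_id, data in frames:
        changed = tracker.observe(can_id, data)  # track every ID, display a subset
        if can_id in filters.shown:
            rows.append((can_id, data.hex().upper(), changed))
    return rows


def render(row):
    """One display line with changed bytes in brackets, e.g. '290 11 22 33 [45]'."""
    can_id, hexdata, changed = row
    cells = [hexdata[i:i + 2] for i in range(0, len(hexdata), 2)]
    for i in changed or []:
        cells[i] = f"[{cells[i]}]"
    return f"{can_id:03X} " + " ".join(cells)


# Constructed traffic: two noisy periodic IDs plus one ID whose second byte
# flips once (the kind of change a door-unlock reversal is looking for).
FRAMES = [
    (0x280, bytes.fromhex("00000000000000A1")),
    (0x1A5, bytes.fromhex("0000")),
    (0x290, bytes.fromhex("11223344")),
    (0x280, bytes.fromhex("00000000000000A2")),
    (0x1A5, bytes.fromhex("000F")),
    (0x290, bytes.fromhex("11223345")),
    (0x280, bytes.fromhex("00000000000000A3")),
]

if __name__ == "__main__":
    # "-000:000" hides everything (mask 000 matches any ID); then re-add two IDs
    for row in sniff(FRAMES, ["-000:000", "+280", "+290"]):
        print(render(row))
```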
For example, you can record with candump, redirect standard output or use the command line options to record to a file, and then use canplayer to play back recordings. Figure Kayak recording to a logfile. Once your packet capture is complete, the logging should show in the Log Directory drop-down menu (see Figure). Figure Right pane of Log files tab settings. To play back the capture, right-click the Log Description in the right panel, and open the recording (see Figure). Listing shows the logfile created by candump using the -l command line option.
Listing candump logfile. Notice in Listing that the candump logfiles are almost identical to those displayed by Kayak in Figure. First, you may have missed the action in the recording, so try recording and performing the action again. Try unlocking the passenger door instead while recording. Try to replay the recording a few times to make sure the playback is working.
Once you have a recording that performs the desired action, use the method shown in Figure to filter out the noise and locate the exact packet and bits that are used to unlock the door via the CAN bus. The quickest way to do this is to open your sniffer and filter on the arbitration ID you singled out. Unlock the door, and the bit or byte that changed should highlight. You should be able to tell exactly which bit must be changed in order to unlock each door.
Figure Sample unlock reversing flow. For instance, by removing different halves of a logfile, you can identify the one ID that triggers the door to unlock. The specifics will vary for each vehicle. Now, what happens when you change the 0x0F? To find out, unlock the car and this time send a 0x But why did 0x03 control two doors and not a different third door?
The answer may make more sense when you look at the binary representation. What about the remaining four bits? The best way to find out what they do is to simply set them to 1 and monitor the vehicle for changes. If not, they might control different door-like behavior, such as unlatching the trunk. For the UDS protocol, this value is actually as follows. This is because vehicles often compress the RPM value using a proprietary method. Be sure to put the car in park before you do this, and even lift the vehicle off the ground or put it on rollers first to avoid it starting suddenly and crushing you.
Ignore all the blinking warning lights, and follow the flowchart shown in Figure to find the arbitration ID that causes the tachometer to change. Consequently, you may have to play and record more traffic than before. Remember the value conversions mentioned earlier, and keep in mind that more than one byte in this arbitration ID will probably control the reported speed. Again, make sure that the car is immobilized in an open area, with the emergency brake on, and maybe even up on blocks or rollers.
Start recording and give the engine a good rev. Then, stop recording and play back the data. Once you have the reaction you expect from the vehicle, repeat the halving process used to find the door unlock, with some additional Kayak options. The slider represents the number of packets captured. Use the slider to pick which packet you start and stop with during playback. You can quickly jump to the middle or other sections of the recording using the slider, which makes playing back half of a section very easy. Figure Kayak playback interface.
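The halving flow used for the door unlock and again for the tachometer, as an added example that is not part of the book: it bisects a constructed candump -l recording until one frame still triggers the action, then compares that frame with the other frames of the same ID to find the byte that changed and reads its low nibble as door bits. The arbitration ID 0x1A5, the door-bit assignment and the simulated_vehicle oracle (which stands in for replaying onto the car or ICSim and watching what happens) are all constructed.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "ts can_id data")
# candump -l log line, e.g. "(0.030) slcan0 1A5#000F"
LOG_RE = re.compile(r"\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")


def parse_candump_log(text):
    """Return the frames of a candump -l logfile, in capture order."""
    frames = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            frames.append(Frame(float(m.group(1)), int(m.group(2), 16),
                                bytes.fromhex(m.group(3))))
    return frames


def bisect_frames(frames, reacts):
    """Halve the recording until a single frame still triggers the action.

    reacts(subset) stands for "replay this subset and watch the car". Returns
    None when neither half alone works, i.e. the action needs frames from both
    halves (for example a keep-alive plus the trigger)."""
    if not frames or not reacts(frames):
        return None
    while len(frames) > 1:
        mid = len(frames) // 2
        first, second = frames[:mid], frames[mid:]
        if reacts(first):
            frames = first
        elif reacts(second):
            frames = second
        else:
            return None
    return frames[0]


# Constructed bit assignment for the unlock byte (real vehicles differ)
DOOR_BITS = {0: "driver", 1: "passenger", 2: "rear left", 3: "rear right"}


def doors_from_byte(value):
    """Doors addressed by a low-nibble bitmask: 0x0F is all four, 0x03 is two."""
    return [name for bit, name in DOOR_BITS.items() if (value >> bit) & 1]


UNLOCK_ID = 0x1A5  # constructed arbitration ID understood by the simulated vehicle


def simulated_vehicle(frames):
    """Stand-in for replaying onto a car or ICSim: True if any door unlocks."""
    return any(f.can_id == UNLOCK_ID and len(f.data) > 1 and f.data[1] & 0x0F
               for f in frames)


def locate_unlock_bits(frames, reacts):
    """Bisect to the trigger frame, then diff it against the quiet frames of
    the same ID to find the byte (and bits) that perform the unlock."""
    hit = bisect_frames(frames, reacts)
    if hit is None:
        return None
    quiet = [f.data for f in frames if f.can_id == hit.can_id and f is not hit]
    baseline = quiet[0] if quiet else bytes(len(hit.data))
    changed = [i for i in range(len(hit.data))
               if i >= len(baseline) or hit.data[i] != baseline[i]]
    byte_index = changed[0] if changed else None
    value = hit.data[byte_index] if byte_index is not None else None
    return {"can_id": hit.can_id, "byte_index": byte_index, "value": value,
            "doors": doors_from_byte(value & 0x0F) if value is not None else []}


# Constructed candump -l recording: periodic noise plus one unlock frame
SAMPLE_LOG = """\
(0.000) slcan0 280#00000000000000A1
(0.005) slcan0 1A5#0000
(0.010) slcan0 290#11223344
(0.020) slcan0 280#00000000000000A2
(0.025) slcan0 2A0#7F
(0.030) slcan0 1A5#000F
(0.040) slcan0 290#11223345
(0.050) slcan0 280#00000000000000A3
(0.055) slcan0 1A5#0000
"""

if __name__ == "__main__":
    recording = parse_candump_log(SAMPLE_LOG)
    print(locate_unlock_bits(recording, simulated_vehicle))
    print("0x03 ->", doors_from_byte(0x03))
```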
To override this noise, you need to talk even faster than the normal communication to avoid colliding all the time. For instance, if you play your packets right after the real packet plays, then the last seen update will be the modified one. Reducing noise on the bus results in fewer collisions and cleaner demos. If you can send your fake packet immediately after the real packet, you often get better results than you would by simply flooding the bus.
To send packets continuously with can-utils, you can use a while loop with cansend or cangen. The instrument cluster simulator ICSim is one of the most useful tools to come out of Open Garages, a group that fosters open collaboration between mechanics, performance tuners, and security researchers (see Appendix A). ICSim was designed as a safe way to familiarize yourself with CAN reversing so that the transition to an actual vehicle is as seamless as possible. To use ICSim, first load the instrument cluster to the vcan device like this. In response, you should see the ICSim instrument cluster with turn signals, a speedometer, and a picture of a car, which will be used to show the car doors locking and unlocking (see Figure). Figure ICSim instrument cluster.
Figure ICSim control interface. The screen looks like a game controller; in fact, you can plug in a USB game controller, and it should be supported by ICSim. As of this writing, you can use sixad tools to connect a PS3 controller over Bluetooth as well. You can use the controller to operate the ICSim in a method similar to driving a car using a gaming console, or you can control it by pressing the corresponding keys on your keyboard (see Figure). Once the control panel is loaded, you should see the speedometer idle just above 0 mph.
The control application writes only to the CAN bus and has no other way to communicate with the icsim. The only way to control the virtual car is through the CAN. Accelerate (up arrow): Press this to make the speedometer go faster. The longer you hold the key down, the faster the virtual vehicle goes. Play around with the controls to make sure that the ICSim is responding properly.
Try to identify which packets control the vehicle, and create scripts to control ICSim without using the control panel. Most of the changing data you see in Figure is caused by a replay file of a real CAN bus. All methods of replay and packet sending will work with ICSim, so you can validate your findings. Figure Screen layout for using ICSim. One of the great things about ICSim is that you can challenge yourself by making it harder to find the target CAN traffic.
ICSim supports four difficulty levels—0 through 3, with level 1 as the default. Level 0 is a super simple CAN packet that does the intended operation without any background noise, while level 3 randomizes all the bytes in the packet as well. You can replay or share a specific seed value as well.
If you find one you like or if you want to race your friends to see who can decipher the packets first, launch ICSim with a set seed value like this. It may take you a while to locate the proper packets the first time using ICSim, but after a few passes, you should be able to quickly identify which packets are your targets.
Depending on your vehicle, one solution to reverse engineering the CAN bus is OpenXC, an open hardware and software standard that translates proprietary CAN protocols into an easy-to-read format. This access could be read-only or allow you to transmit packets. If more auto manufacturers eventually support OpenXC, it could provide third-party tools with more raw access to a vehicle than they would have with standard UDS diagnostic commands.
Different vehicles may support different signals than the ones listed here or no signals at all.
Members of the medical personnel are protected because they must remain neutral towards the armed conflict in which they are performing their duties. Their personnel are analogous to military medical personnel. The Geneva Convention includes the doctrine of proportionality — a concept which provides foundation for LOAC … It also embodies the protection of the various classes of people affected by the hostilities.
In addition to the conventions, Additional Protocols are incorporated which deal with people and their claim to protection under defined circumstances, such as medical and religious personnel. Additional Protocol One includes international conflicts and wars of national liberation. In effect, it defines the protection of the civilian population in times of international conflict.
Additional Protocol Two defines two things: limitations in the conduct of operations and principles relating to the protection of civilians in a non-international conflict. Thus, every combatant should understand the consequences of this Protocol. Operational Law Manual , , p. Enemy medical and religious personnel shall be respected and protected and shall not be made the object of attack, unless such personnel, when checked, have committed acts which go beyond their professional medical or religious duties and if they refrain from taking part in hostilities; if the said persons observe the established identification rules … Protection may cease only after a warning has been given setting, whenever appropriate, a reasonable time-limit and after such warning has remained unheeded.
The Law of Armed Conflict. If they do, they will lose their protection. Medical … personnel of the parties to a conflict, whether military or civilian, are to be respected and protected. This protection is not a personal privilege but rather a natural consequence of the rules designed to ensure respect and protection for the victims of armed conflict. Protection is accorded to medical personnel to facilitate the humanitarian tasks assigned to them; the protection is therefore limited to those circumstances in which they are carrying out these tasks exclusively. The manual points to the distinction between permanent and auxiliary medical personnel and restates Articles 24—25 of the Geneva Convention I.
Medical … Personnel. Two types of medical personnel are involved in military operations. They can be categorised as follows:. Those exclusively engaged in the search for, or the collection, transport or treatment of, wounded and sick, or employed in the prevention of disease. Staff engaged exclusively in the administration of medical units and establishments … shall be respected and protected in all circumstances.
Auxiliary medical personnel, specifically trained for employment, should the need arise, as hospital orderlies, nurses or auxiliary stretcher bearers, or in the search for or collection, transport or treatment of the wounded and sick, shall likewise be protected if they are carrying out these duties at the time when they come into contact with the enemy or fall into enemy hands.
Auxiliary medical personnel are not protected when carrying out their normal military functions. The following persons and objects fall within the specifically protected category under the LOAC:. Civilian persons, medical personnel and chaplains present in a military object or in the immediate vicinity of such an object share the risk of possible attacks. The LOAC grants particular protection to specific categories of persons and objects[. Persons who are specifically protected are persons who do not participate in hostilities and objects specifically protected are those that are not used for combat purposes.
Such persons and objects are not used in attacks and cannot properly defend themselves against attacks. These persons are:. Medical personnel are:. Apart from the abovementioned general principles, the LOAC also contains specific provisions relating to the respective categories of protected persons and objects, which must be complied with. Such employment may either be permanent or temporary. The staff of the National Red Cross Societies and that of other legal and recognised Voluntary Aid Societies and their transportation and equipment Geneva Convention I article 26 [a]re placed on the same footing as military medical personnel, provided that they shall be subject to military laws and regulations.
Personnel of these organisations may be employed on the same duties as military medical personnel, as set out above. Recognised societies of neutral countries may lend the assistance of their medical personnel and units to a Party to a conflict, with the prior consent of its government. Such personnel and units must be placed under the control of that Party to the conflict. The neutral Government must notify the adversary of the Party to whom the neutral State is providing the assistance and the Party who is making use of such assistance must also notify the adverse Party thereof.
Such medical assistance may not be regarded [as] interference of the neutral State in the conflict. Geneva Convention I article Additional Protocol [I] Article Medical auxiliary personnel are only protected while actually carrying out their medical duties. If such services are not required anymore, they must be released to return to their own forces. Article 9 of [the ] Additional Protocol II determines that in non-international armed conflicts, medical and religious personnel shall[:]. Even if the abovementioned loses its right to protection, the following steps must be taken before such an establishment or unit can be attacked.
Military medical personnel and chaplains of the armed forces are specifically protected by the LOAC. Military and civilian religious personnel are both specially protected by the LOAC, but are protected differently in that military religious personnel have the same status as military medical personnel and civilian religious personnel enjoy the same protection as civilians. Military medical personnel are those persons who are exclusively permanently or temporarily employed in the medical tasks and support personnel such as those exclusively employed in the administration of medical units and establishments.
Medical auxiliary personnel are also specifically protected while engaged in their duties. The staff of the National Red Cross Societies and that of other legal and recognised Voluntary Aid Societies are treated the same as military medical personnel, provided that they shall be subject to the same laws and regulations. The same applies to recognised societies of neutral countries that may lend medical assistance to a Party to a conflict, with the prior consent of its government.
However, their property remains private property. Members of the medical personnel and chaplains may not renounce the rights that they have under LOAC. Military medical personnel and religious personnel mentioned above are at all times entitled to protection from the use of force against them as long as they refrain from any hostile military action.
Medical and religious personnel are non-combatants, therefore they do not become POW when falling into the power of the enemy Party. They may be retained by the capturing party for the purpose of providing medical and religious services to POW. While they are retained, they are entitled to support and assistance by the retaining Power. If such services are not required anymore, they must be released, according to specific prescripts, to return to their own forces.
Captured military medical establishments, units or vehicles are the responsibility of the captor who must care for the wounded and sick therein. The captor must also allow the captured medical personnel to continue with their duties until such time as the capturing Party assumes the responsibility therefore. Before military medical establishments, units or transport can forfeit their protection, due warning must be given to that institution or unit that it is to lose its protection and render it liable to attack, a reasonable time limit must be given for the institution or unit to put an end to its harmful acts; and the warning must remain unheeded.
Medical and religious personnel are also protected during non-international armed conflicts where they shall be respected and protected, granted all available help for the performance of their duties and not be compelled to carry out tasks which are not compatible with their humanitarian mission. As seen above, it is allowed for civilian hospitals and therefore also civilian medical personnel to deal with civilian as well as military wounded, sick and shipwrecked. However, it must be remembered that the civilian and military status of the persons and objects concerned are not affected thereby.
Wounded, sick and shipwrecked combatants will be protected as hors de combat personnel, while such civilians will remain protected as civilians. It is prohibited for civilian medical personnel to renounce in part or in entirety the rights that they have under this Convention. Article 7 of Geneva Convention I. Non-International Armed Conflicts. Article 9 of Additional Protocol II also applies to civilian medical and religious personnel.
They shall therefore also:. The LOAC extends special protection to civilian medical services and religious personnel. The provisions governing military medical personnel, establishments and transport apply equally to civilian medical services. Civilian medical and religious personnel are all medical and religious personnel that are not military medical personnel or chaplains of the armed forces. Staff of civilian hospitals are those who are regularly and solely engaged in the operation and administration of civilian hospitals.
They must always be respected and protected. Civilian medical personnel shall be respected and protected. All available help must be given to them where civilian medical services are disrupted by war. Occupying Powers must assist them with the performance of their functions and may not require from them to give priority to the treatment of any person, except on medical grounds. Civilian medical personnel shall have access to any place where their services are essential, but the relevant Party to the conflict may introduce supervisory and safety measures.
Civilian medical personnel may not renounce any of their rights under Geneva Convention I. During non-international armed conflicts, civilian medical and religious personnel shall be respected, protected, granted all available help for the performance of their duties and not be compelled to carry out tasks which are not compatible with their humanitarian mission. Members of the medical services and religious personnel who have been captured are not regarded as POW but enjoy nevertheless, as a minimum, all the advantages of Geneva Convention III.
Medical personnel of hospital ships and their crews shall be respected and protected and they shall not be captured as long as they serve on the hospital ships, irrespective of whether there are wounded and sick on board or not. It is prohibited to specifically target those possible targets which are specially protected under the Geneva Conventions and Additional Protocol I such as:.
Such as wounded and sick, civilians, persons hors de combat , medical and religious personnel and journalists. The manual further explains:. It must be underlined that the protection of medical personnel is not a personal privilege but rather a corollary of the respect and protection due to the wounded and sick, who must be treated humanely in all circumstances.
Practice Relating to Rule 25. Medical Personnel
This means that the protection of medical personnel is not permanent but is only granted when such personnel are carrying out their humanitarian tasks. Medical personnel lose the special protection to which they are entitled if they commit acts of hostility. Such behaviour might even constitute perfidy if in so doing they take advantage of their medical position and the distinctive emblems.
The manual also states that medical personnel of the armed forces and civilian medical personnel are protected persons and cannot therefore be attacked. It should be emphasized that the protection to which medical personnel are entitled is not an individual privilege granted to them, but rather a natural corollary to the obligations to respect and protect the wounded and sick, who must be treated humanely in all circumstances. This means that such protection is not permanent; it is granted when and for as long as medical personnel are performing humanitarian duties.
If medical personnel commit acts of hostility, they lose this special protection, and their conduct could be considered an act of perfidy if they take advantage of their medical status or the protective emblems to commit such acts. They may not be attacked or prevented from carrying out their duties. The Aide-Memoire further states with regard to the protective signs of the red cross and red crescent:. Civilian and military medical personnel must be enabled to carry out their duties at all times. Civilian and military medical personnel who do not participate in hostilities must be protected at all times, even when wearing no distinctive emblem or no distinctive emblem that has been officially recognized by the Conventions.
Explosive weapons and collective weapons are prohibited. Medical personnel do not participate in hostilities, except for their own protection or for the protection of the patients in their care. Nor must they be engaged in other harmful acts e. Superiors make the necessary arrangements. Non-combatants those who do not fight are members of the armed forces who provide assistance to them but take no direct part in hostilities.
These [include] medical personnel … Weapons shall not be employed against such persons while they are engaged in the performance of their direct duties. Such persons become combatants in case of their direct participation in hostilities. The manual specifies that the duty to respect and protect means that medical personnel. The pure accidental killing or wounding of protected personnel when in or near the area of combat is not a legitimate cause for complaint.
The term embraces not only doctors and nurses but also a wide range of specialists, technicians, maintenance staff, drivers, cooks and administrators. It expressly includes military and civilian personnel and those assigned to civil defence organizations as well as medical personnel of national Red Cross or Red Crescent or other duly authorized and recognized national voluntary aid societies. Personnel of medical units and transports of neutral and other states not parties to the conflict, national aid societies of such states and impartial international humanitarian organizations are also included within the definition if made available to a party to the conflict for humanitarian purposes.
While the expression includes dental personnel and chaplains in medical units and part-time medical personnel while engaged on medical duties, it excludes qualified medical and dental practitioners who are not assigned exclusively to medical purposes. Service medical personnel must be clearly identifiable as such so that they receive the protection and respect due to them. To achieve this, all service medical personnel must, in addition to normal service identity discs, wear on the left arm a water-resistant armlet brassard bearing the appropriate distinctive emblem.
The armlet should be issued and stamped by the military authority. Service medical personnel must also carry a special identity card bearing the distinctive emblem. This card is embossed with the stamp of the military authority. These service identity cards must be uniform throughout the same armed forces and, as far as possible, of a similar type in the armed forces of all parties to Geneva Conventions I and II.
Parties to a conflict must inform each other at the outbreak of hostilities which model identity card they are using. Identity cards should be made out, if possible, at least in duplicate, one copy being kept by the home country. In no circumstances may service medical personnel be deprived of their armlets or the right to wear them or of their identity cards.
In the case of loss they are entitled to receive duplicates of the cards and to have the insignia replaced. Auxiliary medical personnel are members of the armed forces who are specifically trained for employment, when the need arises, as hospital orderlies, nurses or auxiliary stretcher-bearers in the search for or the collection, transport or treatment of the wounded and sick. Auxiliary medical personnel are issued with a special identity card. Auxiliary medical personnel become prisoners of war on capture. They may be required to exercise their medical functions in the interests of prisoners of war of their own state.
In that case, they are exempt from any other work. Civilian medical personnel are to be accorded the same protection as service medical personnel and, in occupied territory and areas where fighting is taking place or is likely to take place, they should be recognizable by the distinctive emblem and carry an identity card certifying their status. This card differs from that issued to service medical personnel.
Civilian medical personnel who fall into the hands of the enemy should not be detained and should be allowed to continue their medical duties. If any security measures have to be taken, civilian medical personnel have all the protection of protected persons. Furthermore, the manual prohibits attacks on medical and religious personnel in non-international armed conflict. The US Field Manual grants respect and protection to both permanent and temporary medical personnel as provided for in Articles 24—25 of the Geneva Convention I.
The manual states: The respect and protection accorded personnel by Articles 19, 24, and 25 [of the Geneva Convention I] mean that they must not knowingly be attacked, fired upon, or unnecessarily prevented from discharging their proper functions. The accidental killing or wounding of such personnel, due to their presence among or in proximity to combatant elements actually engaged, by fire directed at the latter, gives no just cause for complaint.
Protection is also granted to the personnel of aid societies by reference to Article 26 of the Geneva Convention I. Medical personnel, including medical and dental officers, technicians and corpsmen, nurses, and medical service personnel, have special protected status when engaged exclusively in medical duties and may not be attacked. Medical personnel of the armed forces, including medical and dental officers, technicians and corpsmen, nurses, and medical service personnel, have special protected status when engaged exclusively in medical duties.
In exchange for this protection, medical personnel must not commit acts harmful to the enemy. If they do, they risk losing their protection as noncombatants and could be attacked. Medical personnel … falling into enemy hands … unless their retention by the enemy is required to provide for the medical … needs of prisoners of war, … must be repatriated at the earliest opportunity. National Legislation.
International Crimes Tribunal Act , , Section 3 2 e. War crimes envisaged in the [Geneva] Conventions … and in the [ Additional Protocols I and II] … , as well as in Article 8 2 f of the [ ICC Statute], and listed below, … constitute crimes under international law and shall be punished in accordance with the provisions of the present title … : Criminal Code , , Article Whoever, in violation of the rules of international law in time of war or armed conflict, orders or perpetrates in regard to … medical personnel … any of the following acts:
Criminal Code , , Article a and b. Emblem Decree , , Article Penal Code , , Article All authorities and persons in Colombia must protect the medical … personnel of the public forces [i. Decree No. Any person who uses war instruments or procedures the application of which violates an international agreement entered into by Denmark or the general rules of international law, shall be liable to the same penalty [i.
Code of Military Justice , , Article Penal Code , , Article a. Article Criminal Code , , Article 1 a. Combatants must respect and treat with humanity all persons protected by the applicable international conventions, as well as their objects. Protected persons are protected as long as they abstain from taking a direct part in hostilities.
It is prohibited for combatants to deliberately target protected persons. Code of Defence , , as amended in , Article D Penal Code , , as amended in , Article Criminal Code , , Article 2. Geneva Conventions Act , , as amended in , Section 4 1 and 4. Law of War Decree , , as amended in , Article Criminal Code , , as amended in , Article Military Penal Code , , Article 57 2. Anyone who contravenes or is accessory to the contravention of provisions relating to the protection of persons or property laid down in … the Geneva Conventions of 12 August … [and in] the two additional protocols to these Conventions … is liable to imprisonment.
A member of the military or the police shall be punished with deprivation of liberty of not less than six years and not more than twenty-five years if, in a state of emergency and when the Armed Forces assume control of the internal order, he or she: Attacks medical … personnel … who are identified with the protective signs of the Geneva Conventions in accordance with International Humanitarian Law.
Military and Police Criminal Code , , Article 95 2. Penal Code , , Article 1 2. Use of weapons against … medical … personnel. Violence against medical personnel … — 1. If the violence consists of homicide, including attempted murder or manslaughter, or severe personal injury, the corresponding penalties prescribed in the criminal code shall be applied. The penalty of short-term imprisonment shall, however, be increased. Failure to release medical personnel … — Anyone who, in violation of the laws and international agreements, fails to hand over or release or otherwise detains any of the persons referred to in the preceding article when they have ceased to carry out their work in the hospitals, ambulances or other places where they were providing services, shall be punished by military confinement for one to five years.
Military Criminal Code , , Articles , 1 and 3 and Military Criminal Code , , Article 77 4. Penal Code , , Article 2. Exercising violence against medical … personnel or against a member of medical missions. Penal Code , , as amended on 25 November , Article 2. Armed Forces Act , , Article Ordinance on the Red Cross Service , , Articles 1–2. Rumsfeld in , amends Title 10 of the United States Code as follows:
C military medical or religious personnel. Definitions; construction of certain offenses; common circumstances. Code of Military Justice , , as amended, Article National Case-law. In , in the Constitutional Case No. Constitutional Case No. In its judgment in Physicians for Human Rights v. Supreme Court, Physicians for Human Rights v. The provisions of international humanitarian law grant protection to medical … personnel from being attacked. Thus … arts. A detailed definition of what constitutes protected medical personnel is laid down in art.
Physicians for Human Rights v. The Court stated: The accused has been indicted before this Court on three counts of terrorism, that is to say, contraventions of s 54 1 of the Internal Security Act 74 of He has also been indicted on three counts of attempted murder. By the terms of [the Additional] Protocol I to the Geneva Conventions the accused was entitled to be treated as a prisoner-of-war.
Since, if such a notice were necessary, the trial could not proceed without it, Mr Donen suggested that the necessity or otherwise for giving such a notice should be determined before evidence was led. On 12 August there were concluded at Geneva in Switzerland four treaties known as the Geneva Conventions. South Africa was among the nations which concluded the treaties. After the Second World War many conflicts arose which could not be characterised as international.
It was therefore considered desirable by some States to extend and augment the provisions of the Geneva Conventions, so as to afford protection to victims of and combatants in conflicts which fell outside the ambit of these Conventions. Protocol II relates to the protection of victims of non-international armed conflicts. Since the State of affairs which exists in South Africa has by Protocol I been characterised as an international armed conflict, Protocol II does not concern me at all.
The extension of the scope of art 2 of the Geneva Conventions was, at the time of its adoption, controversial. The article has remained controversial. More debate has raged about its field of operation than about any other articles in Protocol I. South Africa is one of the countries which has not acceded to Protocol I.
Nevertheless, I am asked to decide, as I indicated earlier, as a preliminary point, whether Protocol I has become part of customary international law. If so, it is argued that it would have been incorporated into South African law. Once all this has been shown it would have to be demonstrated to the Court that the accused conducted himself in such a manner as to become entitled to the benefits conferred by Protocol I on combatants, for example that, broadly speaking, he had, while he was launching an attack, distinguished himself from civilians and had not attacked civilian targets.
To my way of thinking, the trouble with the first Protocol giving rise to State practice is that its terms have not been capable of being observed by all that many States. At the end of when the treaty first lay open for ratification there were few States which were involved in colonial domination or the occupation of other States and there were only two, South Africa and Israel, which were considered to fall within the third category of ra[c]ist regimes. Accordingly, the situation sought to be regulated by the first Protocol was one faced by few countries; too few countries in my view, to permit any general usage in dealing with armed conflicts of the kind envisaged by the Protocol to develop.
Mr Donen contended that the provisions of multilateral treaties can become customary international law under certain circumstances. I accept that this is so. There seems in principle to be no reason why treaty rules cannot acquire wider application than among the parties to the treaty. Brownlie Principles of International Law 3rd ed at 13 agrees that non-parties to a treaty may by their conduct accept the provisions of a multilateral convention as representing general international law. I incline to the view that non-ratification of a treaty is strong evidence of non-acceptance.
It is interesting to note that the first Protocol makes extensive provision for the protection of civilians in armed conflict. In this sense, Protocol I may be described as an enlightened humanitarian document. If the strife in South Africa should deteriorate into an armed conflict we may all one day find it a cause for regret that the ideologically provocative tone of s 1 4 has made it impossible for the Government to accept its terms.
To my mind it can hardly be said that Protocol I has been greeted with acclaim by the States of the world. Their lack of enthusiasm must be due to the bizarre mixture of political and humanitarian objects sought to be realised by the Protocol. This position should be compared to the States which are parties to the Geneva Conventions. This approach of the world community to Protocol I is, on principle, far too half-hearted to justify an inference that its principles have been so widely accepted as to qualify them as rules of customary international law.
The reasons for this are, I imagine, not far to seek. For liberation movements who rely on strategies of urban terror for achieving their aims the terms of the Protocol, with its emphasis on the protection of civilians, may prove disastrously restrictive. I therefore do not find it altogether surprising that Mr Donen was unable to refer me to any statement in the published literature that Protocol I has attained the status o[f] customary international [law]. On what I have heard in argument I disagree with his assessment that there is growing support for the view that the Protocols reflect a new rule of customary international law.
No writer has been cited who supports this proposition. Here and there someone says that it may one day come about. I am not sure that the provisions relating to the field of application of Protocol I are capable of ever becoming a rule of customary international law, but I need not decide that point today. For the reasons which I have given I have concluded that the provisions of Protocol I have not been accepted in customary international law.
They accordingly form no part of South African law. This conclusion has made it unnecessary for me to give a decision on the question of whether rules of customary international law which conflict with the statutory or common law of this country will be enforced by its courts. In the result, the preliminary point is dismissed. The trial must proceed. Petane case , Judgment, 3 November , pp. In Petane , … Conradie J found that the provisions of [the Additional] Protocol I are not part of customary international law, and therefore are also not part of South African law.
Referring to the fact that in December only 66 of the States party to the Geneva Conventions had ratified Protocol I, the Court [in Petane ] stated:. I therefore do not find it altogether surprising that Mr Donen was unable to refer me to any statement in the published literature that Protocol I has attained the status of customary international law. Important changes with respect to certain aspects applicable at the time of Petane have taken place.
The total number of States that have ratified it, is now … This last aspect forms the basis on which the First Respondent [the State] and the applicants agree that Protocol I forms part of customary international law as well as of South African law. As requested, this position is accepted for the purposes of the decision, without deciding on the matter.
Despite these changes, it remains debatable whether the provisions of Protocol I have become a part of South African law in this way. The consensus of both parties to the conflict is required. See Petane … and Article 96 of Protocol I. See Petane. Boeremag case , Judgment, 26 August , pp. If the [ Additional Protocol I] applies in South Africa as customary international law, the two requirements that form the basis of customary law must be met.
It is arguable that the requirement of usus has been met by the vast number of States that have acceded or ratified it. By ratifying Protocol I the Republic of South Africa has indicated its intention to apply the Protocol, thereby fulfilling the requirement of opinio juris. Boeremag case , Judgment, 26 August , p. In March , in the Hicks case , the accused became the first person to be tried and convicted under the US Military Commissions Act of In April , Hicks returned to Australia to serve the remaining nine months of a suspended seven-year sentence.
Other National Practice. Report on the Practice of Algeria, , Chapter 2. The Friends Group is pleased with the work undertaken by the Security Council, in the last few years, in progressively strengthening the protection framework for children affected by armed conflict. Members of the Friends Group have reliably called on the Security Council to strengthen its protection framework even more and consistently called for all six grave violations committed against children in armed conflict to be included amongst the Security Council Resolution [of ] listing criteria.
The Friends Group has supported a progressive approach in this regard and therefore commends the Security Council in filling an important gap in the child protection framework by including attacks against schools and hospitals as the latest trigger through the resolution it will adopt today [Resolution ]. In , in a statement before the UN Security Council during an open debate on the protection of civilians in armed conflict, the permanent representative of Canada stated:
The Secretary General and the International Committee of the Red Cross highlight the fact that health care providers and facilities continue to come under attack in situations of conflict and violence. Canada, Statement by the permanent representative of Canada before the UN Security Council during an open debate on the protection of civilians in armed conflict, 25 June The brutal conflict in Syria represents a stark example of how much work remains to be achieved to better protect civilians who are routinely victims of deliberate and targeted attacks, as are hospitals, medical facilities and health care workers.
The result is that people in desperate need are denied lifesaving humanitarian assistance. Canada, Statement by the permanent representative of Canada before the UN Security Council during an open debate on the protection of civilians in armed conflict, 19 August , p. Report on the Practice of Chile, , Chapter 2. Report on the Practice of China, , Chapter 2. The Report on the Practice of Germany notes that the German Federal Armed Forces may incorporate medical staff into combat units, if they are needed, especially for special missions.
Report on the Practice of Germany, , Answers to additional questions on Chapter 2. The Report on the Practice of Iraq refers to the protection afforded to medical personnel by the Geneva Conventions. Report on the Practice of Iraq, , Chapter 2. Report on the Practice of Iraq, , Chapter 4. The report adds that the implementation of this policy is subject to such personnel being clearly recognizable and not participating in hostile activities. It further states: The IDF … has chosen to incorporate its front-line medical staff in its combat units. As a result, when participating in combat missions, front-line Israeli military medical personnel would not carry distinguishing marks and do not expect to be granted protected status in combat situations.
In many cases IDF forces suspended their operations against legitimate military objectives when … medical staff were in the vicinity. According to the Report on the Practice of Kuwait, attacks against medical personnel are an offence under Kuwaiti law. Report on the Practice of Kuwait, , Chapter 2. Report on the Practice of Nigeria, , Chapter 2. An agreement, concluded in between several Philippine governmental departments, the National Police, and a group of NGOs involved in the delivery of medical services, provides for the protection of health workers from harassment and human rights violations.
The preamble to the agreement states that the parties are adhering to generally accepted principles of IHL and human rights law. The Report on the Practice of the Philippines notes that medical personnel are given protection when they are delivering health services. Report on the Practice of the Philippines, , Chapter 2. Report on the Practice of Rwanda, , Replies by army officers to a questionnaire, Chapter 2. In , in a statement before the UN Security Council during an open debate on children and armed conflict, made partly on behalf of the Group of Friends of Children and Armed Conflict, including South Africa, the deputy permanent representative of Canada stated:
The Friends Group is pleased with the work undertaken by the [UN] Security Council, in the last few years, in progressively strengthening the protection framework for children affected by armed conflict. South Africa, Statement by the deputy permanent representative of Canada before the UN Security Council during an open debate on children and armed conflict, made partly on behalf of the Group of Friends of Children and Armed Conflict, including South Africa, 12 July In armed conflicts, recognisable emblems serve above all to protect military and civilian medical installations as well as the buildings of national relief organisations and their personnel from attack (protective function).
This protection is guaranteed not by the emblems themselves but is based directly in international law. The medical and religious personnel who administer to prisoners must not be considered prisoners of war, although they have the right to the same treatment. In , in a statement before the UN Security Council during an open debate on the protection of civilians in armed conflict, the permanent representative of Switzerland stated:
The current situation in Gaza cries out to us the importance of the issue we are discussing today. Switzerland, Statement by the permanent representative of Switzerland before the UN Security Council on the protection of civilians in armed conflict, 14 January , pp. One of the primary concerns of humanitarian law and policy is to guarantee access to victims and to provide assistance to them. However, it frequently occurs … that it is impossible to ensure the security of humanitarian actors.
This was once more clearly evident in the Gaza Strip at the end of and at the beginning of Switzerland called upon all the parties to the conflict … to protect medical personnel, hospitals and other medical units. Report on Foreign Policy , 2 September , Section 3. In , in a statement before the UN Security Council during an open debate on children and armed conflict, made on behalf of the Group of Friends of Children and Armed Conflict, including Switzerland, the deputy permanent representative of Canada stated: Members of the Friends Group have reliably called on the [UN] Security Council to strengthen its protection framework even more and consistently called for all six grave violations committed against children in armed conflict to be included amongst the Security Council Resolution [of ] listing criteria.
Such attacks constitute a war crime, a flagrant violation of international humanitarian law and an attack on human dignity. Such attacks constitute serious violations of international humanitarian law. According to the Report on UK Practice, there is no practice of incorporating medical staff in combat units in the UK armed forces. Report on UK Practice, , Chapter 2.
It is the understanding of the United States of America that the terms used in Part III of [the Additional Protocol II] which are the same as the terms defined in Article 8 [of the Additional Protocol I] shall so far as relevant be construed in the same sense as those definitions. In , in a diplomatic note to Iraq concerning operations in the Gulf War, the United States stated that medical personnel must be respected and protected at all times.
Yearbook of International Humanitarian Law , Vol. According to the Report on US Practice, it is the opinio juris of the United States that medical personnel are not to be knowingly attacked or unnecessarily prevented from performing their duties in either international or non-international armed conflicts. Report on US Practice, , Chapter 2. Order No. The Report on the Practice of Zimbabwe states that the rule on the protection of medical personnel from attack is part of customary international law.
In particular, it points out the customary status of Articles 15 and 16 of the Additional Protocol I.