
go look into automotive security general and also at these aftermarket devices specifically which will be talking about Muslims night and somewhere around here is that way take over just that yesterday has more details right there of your technical you may find it rather boring it's more geared for governments to enter and Packers I kind of thing sort of the best practices here's common vulnerability what the point in its place ok so that's inserted into a my mobility researcher it serves before this position about a year ago I had built a red team or agency that I'm not supposed to say and so they did red teaming penetration testing a nationwide and triple infrastructure government agencies etc for that over to the face
off north berkeley national laboratory in California it create some software they might have heard of obesity doll i co-founded me sighs thick fur it's gone is now 20 organizers up very
which is coming up on jun x iris indeed winterization tomorrow at our morning mark morning all right we all have advance notice of sale or there were some visualization software which is depicted up here again movie that probably only three people ever saw full path towards couple years ago there pittsford those two CTFs the teams from around both you alright but one some cars okay so probably comes as no surprise to anyone that just points cars are filtered based with computers on heels Tesla seems to be the only car coming to actually knowledge this but if you look down the interesting thing is this little red circle down here at the bottom modern luxury power has somewhere around 100
million lines of code i purchased last week's episode 150 million so it's on par with modern advanced operating systems and the interesting thing is are going to get reasons out here at the bottom one is a mouse 120 million is total DNA base pairs and Geno mobile apps so I'm not entirely sure how good of an arison I think maybe happens to oranges but we stated it some way there's lots of ways to get in cars to know how many you will see the g-pack video on wired so the whole bunch of ways try to gain stars Wi-Fi Bluetooth cellular tire pressure monitoring system is showing maybe two or three years ago people so when I realize that your
wheels have radios that are talking to the integral parts and your tire pressure is and somebody radio waves to hatch inside the car years ago sensor exploitation is kind of an emerging thing that we're just starting to look at so like the crash detection collision detection radars sticking firing rate are out front of your car with info waves of scooping radar signal back to see when you cross bars to decelerate there's something there that kind of things that's another possible having an attack similar things been done already where satellite radio people invented basically delicious payloads into satellite radio edit down to the our way then of course devices smartphones and car contains to attack your car and our miscreants for tonight
meeting two devices so these are the devices we're going to be talking about Melissa tonight so OBD-II is a small port in your car which is required by law in retired since 1996 usually under the driver's footwell and all these devices will plug into that port maybe see me in there at the end and the reason that they exist is so that you can connect to the car and send requests for so-called diagnostic trouble codes which just like they sound are codes that tell you what may or may not be wrong with your car engine warning lights the amount of oxygen and air plug things like that so this worked really good when they used to be wired
in a u.s. because really only obvious and mechanics had them and you had to heck with me we're getting in the car first to be able to access but over the last couple of years increasingly we're seeing these having Wi-Fi and Bluetooth he asked cellular all kinds of things and by law powerhouse respond for these things plugged in so it's not like it or at least of its gas proved by somebody test over Hustlas have a court because to art how to work with all the interaction
so you might be thinking okay well these things like all right it's car hobbyists my body's to you know watch the gas mileage or something like that so true what's the risk might be a few thousand people would address of the insurance is now offering people cheaper insurance that they could be better cars and maybe these in at your honor or how fast you guys how party God potentially you get lower insurance rates drive well not sure how many people have actually examined what say things they get from putting one of these in that's what they have her thighs goober for its drivers do something called metro mile it required to put in it we saw your
driving for uber and that way they can pay for the insurance money while you're actually driving through their clients both of those devices that have come to be vulnerable to the various tax rolls with simple attacks they're being used like weed management out so I'm going to talk about one later to be your federal government but lots of large police the government yes that X are putting in cars in order to make monitor where cars are how their drivers are going cetera consumers of course are interested in checking their gas mileage see if you're actually getting what they're supposed to get for professional mechanics would rather use something that has been divided by them or something
so with all the different markets we're talking tens of millions of these deployed at least already going to go so the problem is that anything that is plugged into the OBD-II port in your car then listen to all the traffic or can travel reviewing the details on that book list of all the traffic on your cars and network and now you can listen to it put it right to it that getting these diagnostic codes requires you to send a request with information to one that what's the current RPM of the engine and then you get that information back so a lot of people are selling these are others saying what does this read-only only
displays information about the car navigating intended use the truth is there is no such thing as read-only you need to work have to be able to send messages to it and so I'm kind of stretching an analogy here in the last point but once you put one of these in in a way you really do have to have access to me now there may be other networks that you can't necessarily access anything from that border of things but once you've got one of these plugged in you have read/write access and most of the times seat the system's system a 40 oz air conditioner all gonna be on the CAN bus to break you access to the vehicle with us
I want to talk a little bit about the CAN protocol for a minute and extravagant stereo so it's a really simple serial protocol those are these devices use the AT command set so yeah I had to like rush off by numbering or try to remember back to the Hayes modems i mean i might remember what the AT commands that works when i started doing this so it's really simple sending serial bunch of hexadecimal but it's in a so it's really easy the format degree symbol as you can see on here the CAN identifier think they owned up to eight bytes the cops off super complicated I gave a big thing here so interesting thing as you see the CAN identifier
what that is is the identifier of the control unit in a car that is responsible for handling that message there is no source to know where a message came so if I'm say some sort of collision avoidance system that automatically puts on the brakes just any message that has my destination address my CAN identifier I respond to I have no way of knowing whether that actually came from the radar or came from the OBD-II port or anywhere else because there is no source so if you're familiar with PC and Yuki and things like this this is probably too scary there's a couple examples down here at the bottom and get mortgage this later let's go to some examples you'll see the
CAN identifier inning is sending a update since eight bytes of data I just knock out all the remaining zeros into this 01 is the diagnostic trouble code code 00 just says show me all diagnostic trouble codes in support Zota response to this an example later would just be a message that said binary lists all the high mountain Protosevich are willing to fight another interesting one so this one the CAN identifier 74 is the battery control unit in a fifty thousand thirteen Chevy Volt talking talking again the pipe i walked on flex for these four bytes are requesting the current camps current being now not the purpose of a battery in the Volt if i
change that last white 268 across the term goals you can see there are really simple protocol there are other more complicated protocols are sometimes build on top of it but this is the basics of what runs are covered all those 100 million lines of code so here's another example and I this is just like a one-one hundredth of a second of a live capture the codes translators that you can see some of the things that you waste measure these so pals in the times a second can buffs throughout the car seeing these kinds of messages for careful
this is an example of actually communicating with one of these devices remember when it might be this key point on was talking about earlier which drop some papers on the package stood so what I did here is I connected learning devices just the terminal in Linux or something just a zero protocol this top message is just sinking commanders information check or something at this contain any version of the front where this next game is in Bri v8 version of what I sure the previous slide where I just saying okay EGC mode 1 and then give me all codes that you support now this looks like a pretty short reply to that the 41 DCC is automatically add 42
mode that you requested so that you know what is replying to and then 0 0 is the message that we're flying to all those and this might look like a pretty small amount of information tell you over DC Spencer's dozens and dozens of them but that's haps so you're talking about actually more bytes of data so its size of a I can be for a dress 16 million possibilities so for each diagnostic trouble code Vizier on and off next May and I did here is ma is monitor all which is a little bit misnomer you might think the best but promiscuous mode on network interface in you can see every single packet what it really means
is that your device is going to show anything the address to that device so the other things you have to do to actually see every package but that were just is already out easily next man i'm studying the header to this is the 74th we saw in previous two slides before which are American forward and bolt set header just means that the campaign you keep and for that and then finally I actually issue you can command your pay close attention game or something slides ago and then I get a whole bunch of these back which interpreter properly one of those showed concurrence of the pakery rest over a bunch of other information and I cut
this off there was 30 or 40 lines of those kinds of things that came back and when you want to know what those are this comes in they're all this is in businesses in what they need and what they are this is one volume of the pore volume service radio which cost us about 4 and above the city so it's not cheap to interpret that stuff but it's also not super proprietary anything like that that name because I've universe it's not only main factors with liquid models that's the 2015 shitty 2012 a difference is so every car yeah so we're going to talk about this a little bit later but this is actually sort of security for cars at the moment
kind of the security by obscurity because if you want to reverse engineer whole bunch of different kinds of makes and models you can have a lot of dollars in disease continues because they all are somewhat different even different models between a manufacturer human different years may not respond to and commands as they won did you did you look into how much they differ it's very minor things or esoteric functions that we might not use frequently the cold ones are the same or so from what I've seen is the manufacturer most of the common stuff for being the same like to get attention speeds like that little bit examples obviously there's any differences between models especially the part about
it should we hold here batteries and something whose course don't have the ticket manufacturers tried to stick to their own thing throughout their line but obviously the latest model Chevy whatever is going to have functionality it wasn't in their release today I'm encompassing so we'll talk about that too with how there's an evolving risk figuring out standards across different model manufacturers spoiler of the later part of the top and say I'm basically expecting the seeds that will be excellent 15 released so many mondays person conditioning remote somebody else goes whatever and
I was reading a couple weeks ago the guy who got his Alexa to start his GM vehicle and I just saw the article but anyway he said that GM he's a single wire can I think for a single can versus the rest industry doesn't right are you gonna go into that at all I was not going to look at so on you know me to Decker there are 16 pins and a lot of those are for calls some were required like can there is something called single wire can march and legs and this high-speed can closing their single water damage I believe Doug both hi horsey they wait in the car service working on that degree there's also
tunes for GM names as a customer hi Terry protocol their proprietary protocols that run-over cam purple Kaline welcome back so it gets us there are really go by the only standards there are really is a must support can order / protocols and they must do diagnostic trouble codes so when I did it 0 1 0 0 0 requested etc's that's the standard that I working out a lot of new you guys follow besides that yes over the Society for automotive engineer a zany publishing standards recommended practices and things that were actually working with them now to fight global security recommendations for daily to port so get better yes very sad
so this is a little bit of a rehab or something poor but have a quick little innocents harder networks to take away from this is there's a whole bunch of ways in there's a whole bunch of ECUs which are electronic control units to the park and about the networks of may or may not talk to each other let's talk about that anymore definitely so we just have to cover this up with a segue there the CAN protocol is required in all cars in the US there was a main proprietary for talk with GMLAN like every manufacturers can have their own protocols the ECUs are electronic control units there will be like an engine ECU
a battery ECU in the Volt an ECU for the air conditioning etc and think about cars you're used to working with pc that has peripherals or even a client server environment there's no central brain in the car all these ECUs all they know is i get x message i respond with y so there's no master is trying to make sense of why does this ECU sending this message sent so the ECUs have got to all do it themselves which for burning it up there are other networks besides CAN and serial networks that are starting to be used LIN is pretty felt pretty well established FlexRay on wood beads event or so captain and
you can see in the industry is starting to standardizing things so they're still being put out really knows there's any production yes an ie I done here what's the vehicle to protein in units they making a new pants with real but nowadays I far more than just the radios than absence of it yes almost certainly every part of the scheme soldiers like a 2000 system model has a cellular modem in it even if they don't actually offer you any services over that is working there did it help factors that nothing else and everybody wants their dual entertainment systems you look tell them like what their miles per gallon are the currency is and things like that so it has to be
connected to use the CAN bus or to talk to ECUs and get that law date so I'm sure you're thinking already okay so you're glue them on one side connected to the CAN bus on the other side what could possibly be wrong within the cars is sometimes there are actually gateways between different chunks of CAN networks so sometimes I've safety-critical systems when we separated out from a driving game thing that air conditioned anything about that sometimes not but like any computer network you had up running these places where there are unexpected interactions so for example in the air bag system when airbags go off it's common behavior for cars to automatically unlock the doors as if it were crashing in like
that car well that means that if you are able to compromise the CAN network that the airbags are on now you are allowed to send the message unlock the doors so that might not work make that and one thing that makes this really hard is the car manufacturers I will say are struggling with their water requirements to make things big hard to secure a car so we talked about the fact that the OBD-II port is required from us also not only do you need to be able to read these diagnostic values off of your car but by law you have to allow consumers and mechanics to update the firmware on whatever ECU controls
emissions and gas mileage for things they have seen software being sold as you can improve your gas mileage Ariki a better acceleration food price of first gas mileage things like that and it's a lot better a lot of manufacturers have to allow you to do that so now we've not only can you write data by law from using too of course but you can update firmware on at least one ECU so it's all the manufacturers can just have at least free to the emissions they can't have signed firmware and say our system start or something and then last is the right to tinker which is various stages of legal permissions I guess throughout the u.s. a month I
understand in Massachusetts has the most liberal but this basically means that car mechanics should be allowed to do things through their own cars that something criticisms macarthur park attraction so used to be putting bigger engines in now includes video to modify the computers in the parking lot so that's carbon factors can't do anything except in my dad except for that policy i'm not going to get it at home alright so now you can eat school / license so this is our victim we have a Chevy Volt that city blocks away upon some uni campus there on Sunday because I without a partner logical make sure I look my last this was graciously loaned to us by the
public transportation and turn to them by the median department transportation so later on your see some messages coming across their own kilometers we understand that they're just going to crush it when they get it back so I
need our contestants in our competition see who is at least secure the devices and we're going to go through a few of these a little more detail I wanted to quickly mention the bottom there's development device what this was is the federal government put the file attention hundreds of thousand license we work with the manufacturer of the rider and stuff ahead of time to identify any security problems I difference fixing stuff so the agreement was would not publish their names and since we're all published before they actually bought into cars so they were really good
absence of I'm in generic drugs talking about this little bit before but I have this one device here so you can get a ton of these with different names and stuff on eBay or Amazon or I'll Baba or something like that they come with different names they all are pretty much the same they're very cheap very simple dirty so I just want them all is generic this happens to be the one that I examine but it was to America like this so rather they call out that when this specific brand name together a category so this is an example of an athlete see this is actually goes with the license in my car right now this is the iphone
app but this is the kinds of information they would typically see by mapping using these kind of things I don't know how we can read up such as in the back but there's the miles per hour or gaming temperature that airflow our game engine you're a battery that's the actual regular the car battery people example desktop app so it's the same thing all these apps all they're doing is they're connecting to the device and they're sending these coats camp over there talking about to get this information back so this is something that we can probably tell from the design of the window and stuff here that this coppers office looks like
so later on if you want we can either protection we can bring my car over here I've actually connected to show you diesel it's really gonna show up same screen valued on our country some screenshots to but this is what you're supposed to do with these but we don't want people so we kind of came with a few different attack vectors to try outs one thing inspected all these have some sort of radio connection will be a bother testing us actually our first so all these have some sort of looted Wi-Fi cellular or SMS over cellular at the time and where she attacked me get an app so what you're shooting in screens up yeah
if I can compromise that app somehow I can make some download updates we have that land which is coded she thinks the car compromise the bodies either if I can't compromise the app itself if I can compromise poem that's in the car that you're using and it can actually a bootable device that I can just decide where all the pain and student voice and reverse taxes up for attacking mobile devices in the car so if you've already managed to get access to one of these plug-in devices can you then attack cell phone or laptop using power tools one example hereís light accumulations yes so these are kind of the things that we test it out don't freak the information
about how these things work so this is my cheapo ten-dollar one definitely be the simplest and really this is just going to write which goes to gain controller that interprets that a message is because it has to be timing a circle a bit like that and it just send those messages out to a serial port there is no intelligence in this to say about our relationship apps i get for that's a ton of the car anything like that it's just a passive so the only security you're likely to have on these devices especially the super cheaper one it is whatever security happens to be on radio bluetooth what's in my pocket
so first look at Wi-Fi oh god here the worst pre-shared key i found is just one two three four five six seven eight I was actually the Wi-Fi version of this is Wi-Fi version at took ten seconds I mean whether I got with these devices and with it like half an hour ahead is who that who sense their slightly better is this autumn so had a unique Wi-Fi password for each device which was good first I'll go to this and I said OS four bytes I wonder if it's like the IP address or something I've got a part of the mac address you could actually find any logical way that they assign that but even so when you've got uppercase
letters for many digits and numbers of who Patrick Ramsey so it's not like you're right by kind of attack but you actually really wanted to license would pay for best I saw it is this one which is one that's on my car because our and so that's a pretty good password right it's evening / device and it's a little bit weak because I summer that you know these are all hexadecimal numbers you'll have a TV in 120 as possible and the godson same place all the time so there's really only 12 everybody's over to talk art but I didn't try to cracked it better in some nap in it was saying that I could crack it but it would take
anywhere from like a couple years on a high anymore two decades so I feel that's pretty secure someone's in my power found something are the one concerned that i had in this last one is that you can sit colonel run just like fall is an access point so turn anything on it shows a we like whatever you period but can also call it compared to the existing Wi-Fi network as a client would appreciate a key on and my guess is that they think might be destroyed mechanics and garages so if you've got Wi-Fi in your garage is pre-programmed these things to connect SATA taking the party okay next to my pleasure done my concern is this somebody might decide to pair to
mobile hotspot in their car but it's on the Indian containment system or theirs on the phone or whatever then we all know how good password teams will choose hidden there they're not going to be like this they might copy data so they're not going to that but in one of the most likely attacks for this is if somebody decided to go and just parrot firm to a hot spot in a car that's something to attack that basically I knew the security you get from is nice pass palladium ok so the don't like that
this was kind of interesting developed into Wi-Fi access points which was this password waters that Iran and math on the device from my laptop and gone through a couple pores open on 8053 and coordinate contains Academy now for the Wi-Fi hotspots village that twice it's an email password is that appreciate Pete itself with no sign of my system so we have to move them for that so once you're there you basically have control over hotspot which allows you to attack any devices that happen to attend to that hotspot and change in s the routers all that kind of thing but it didn't give me any access to the actual power don't eat this was only a base Whitaker
outer that took a google hot spot has to try out the cellular quarterback didn't have any path they never passed to me too so next thing I did a little footballer go easing the web app in the East Indiana service themselves to see if there was any minute I can get into the firmware underneath those to access the serial port and I didn't find anything I did get the IP address from a dinner so the global IP address out on the internet prices network we're in an nmap against that but the only thing that I got back to the pain so I had player Pedro firm wearing the apple juice with a sign didn't find any vulnerabilities in the
app so at that point I was like their table somebody has this i can probably own all any bicep next to access later Barbra put
so this is a velvet voice I was talking about we were asked to look at this first thing I did was go out and find documentation like hook up the FCC ID and I guess the Seas website they just would included user manual for the device which for me a lot about it just googling around upon a few other documents like an API for programming actually kind of putting the top trim or we can give you the user manual an API and stuff we don't have to sign an NDA folks I didn't have the heart to tell them they'd already found it up like two minutes of good ways so then we found look down here there's couple pins on
the side of that look like they would take connector or something so I don't know they may reduce it a calculator so we plug ajit I you later on that Randy that source a couple opinion with serial connection to the serial port with these no go clips and that was super useful we could actually send any messages to it over 20 program tons of debugging information as you can see some going to have work like what password in statistical data IP address all I kind of stopped again I do with block I tried to end matha try to ping it I couldn't get anything that occurs but it also told me that there was a phone number it's very Texas tan
shirt off I can pass it back from texting look up so between trial and error with my phone and reading through the documentation that i found on this website found the government hacking car I just send SMS messages no authentication or anything it would set me back orders of the car is her head and skied altitude I can configure everything about the device which management server reporting back to you with password waters etc I could trigger certain opening to commands and that's why I did it initiate an update of the firmware from an arbitrary URL so Center text given you are on the text it went out automatically tredegar boots new firmware new firmware download
it install it remove run with the new firmware well okay so I got to do the existing text of a copy of the firmware I already have a good we're going on what's over towards a battle of that that we're fine there was the same firmware so the next thing with a firm or something yeah this is crc 16 code which would actually a foot so such a checksum so as long as we change the initiative checksum match get customized the firmware out we wanted but their checks on in put down with it except it is correct so what I can send a text message to it talk to download for my web server and a firm order stuff
that I mean I put CRC quran so do you basically whatever I wanted we go a whole lot farther this believe items and disassembler arm firmware that's Norman ship so we use that business out of it and the one good thing is that by default it does not just send any serial traffic onto the CAN bus like most of these do so it's got this pre-configured list of diagnostic trouble codes that you send it a message and say hey I want to do secondary air system monitor and then it figures out what the CAN command should be and sends it almost I can't be said of arbitrary campaigns but Alec adjacent so cool I can find out where this points
to so this is from Idaho I can find out where that points to go change what can me and that's actually send you so the next time I send a message to it saying broke up rpm it can be like front of race so that was fun to be happy little bit exhausting but it was an easy pitch to right all you had to do is there was already going to put a password on the SMS things and wrangling the car time we're after that to the best of my knowledge the firmware is not yet and the birds are is an easier play politics yes right we grew in the fact that they can do over-the-air updates and back in
checks for updated firmware season foods up which is great we're generally big proponents of over-the-air updates and check for the cellular number I'm guessing you're probably in chunks from the the vendor said okay so once you get 12 in the block so that was one thing that I kind of wrestled with it as fact that jerk if you don't actually have the device junk it was seen the phone number on the syrup or that I was able to do how hard would it be to get that but don't eat orange much in the gsm packing when gsm startup in connection descend with how the eye and si but I it's the equivalent of an IP
addresses heard the phone number the same way that IP address nastiness and there you can buy first woke up she was up phone numbers multiplying massage would it would as you work the Tory determine adversary who wanted access to traffic Hargrove don't suppose there's any sort of a database out there they might be aware of that you know maybe ties that phone number to have been or anything like that I don't drag that back for user so that information would be in the database of people that run this having a club
and that brings up another point which is we were not able to test any [ __ ] ends of a
server so probably only affect their zoo but follow-up question sunset it grips then in theory there is a way to fingerprints every vehicle done yes i'm not sure if i don't think that this stores them in global configuration so yeah there were some concerns about just fact that regard manipulative car so there's nothing awesomely tablet rising one has he as I once you've seen rising debt whatever
old costume here society sorry it's full custody SSID
oh sorry course when she found a number was there any documentation in the API or the other documentation found online as far as the payload for the SMS messages are just like travel when I was all they have smaller crowd here the first I didn't put examples of messages because when you google
okay so some things we did the best on the car nothing like draw what person from the jeans destroy figure so here's the spa mosaic examples of actual self resent to the world so Miss ases requested RPM did a set header header okay good this pretty simple message and come back this is the long reply basically this is to win my ice and message to send me or is Penn message 62 is this 22 a prince at x 42 rest of this message said so you know what this is apply to quietly run deep x and there's like this long algorithm figure out how this may put something but all that means is certain the audience took a long longer to
actually figure out
there's another example an outside temperature of the same kind of things and the message and you can add 30 in for 100 x 30 x looking out for nothing
so this is just I took an example people that reverse engineer a lot of the code already for the Chevy Volt and here's just examples there's probably 50 or 60 different game point we're both here are some of the more interesting ones even if I don't have only Dumbledore instead of text message to track it five access essentially these packets into the parlor and still request trip distance in time I'm like media station area so you can imagine employers when you want to know how much time your car stationary over here a FedEx moving in we've got three ala jurisdiction or cognitive radio show in a kind of wonder what attaches our dinner which you know Jim it for something to
you me
so that I'm human better ones on the walls this is a 29 min ki tarah 50 that's why it's a lot longer once you set the header on this seems are pretty similar but semester oldest block all the rose again like all the doors the disappointing else is new again breaking my bulbs do whatever center which is not like crashing progress anything I can also turn on an off with panic alarm and start the car drive all excited about that person that yes XD oh my part I'm not the door will start car jumped a driveway start actually start sitting like accessory modes of recognition come on the radio I'm not sure if that just because it's
like a car so my next project access to reverse engineer arrests they have sent to the old remote fob to send your message see if I can set that message well a lot of action you so I ever make some car moves like Chris and Charlie driving the Jeep down the freeway stunning lat / house hungry at one point I was sending a whole bunch of command and the terms of dignity I have died you I I cannot get to come on again so that was the closest I papercrafting photostream intrinsic one points that was not really the focus of this the focus of this fun my sis allow you to effect a car wash
we have our five years so if you conclusions so the bunch of potential impacts that normally think okay so they can hack my part in crashing that's we guys there's a lot of other things depending on the adverse a filmmaker brokencyde other things so there has long been an underground you're trying to figure out how to unlock the car system see you apart so that just gives me sir when you can do it from the iPhone app obviously control card and way of accurate accidents or stopping traffic cam something worse talking about cracking the vehicle potentially no quality stars on microphones in or when you're doing new shoes with your headset or sometimes potentially microphones cameras most part ammonia
cameras back repairs but using people starting to put cameras in the cars for insurance reasons playback in the white house we were at all or not so you with access that camera or what once really came bus you get to this IDI so anybody that has had rental car recently nosy didn't weren't part of the first thing he does is Paris their phones if you will download all your contacts and disruptions Sicily potentially station davia or compromise other mobile devices with the hotspot central repository box box as well being my biggest concern from the bottom here which is that might have no vices and talk with you or something to have one of these devices
in my car on the compromise that mobile device I now have something funnier that all the time and help my car ready to be party time that cell phones in it so you know first you're thinking okay we use Wi-Fi eww pretty close to do this right the part of your body so many models now currently able to care with which is cause the carpet fraction in the anome fraction of a second no but you can get onto the cell phone this person has in that car with them all day in detention puzzle happen I think I was probably more likely attack back swap i driving
so this we have released vulnerability and the new driver don't blow it up there I sleep
so some of the things that were made with one of your next starting on the volcom intel macs stuffs over notes and the type things eigi itself the Sun reflection that would be other country in the OnStar a public one star already police are problems done a lot of time last other people are doing interesting medicine generals on the things that I can look into is just telematics time across the border problems avast is that we're working as a ER we use three standard so just basic things like a lot of diagnostic trouble codes allow us with required by law don't pull out a minecrafter to be passed through there so you know this as a vehicle to vehicle imported
infrastructures are interesting so this is all your cars starting in 2017 I think that have the target yes our opening patients I think radio and the idea of that is that your car can talk to all cars around it and all the things around it so you're going to the construction zone the sign says South African structure might also be sending a message out for power Sonia towards Asia slow down there well so our question is can you send messages that are not supposed to be sensitive and Department transportation actor has test out of the self-inductance be that to a man so the books probably before that go self-driving cars obviously that's like a later over there then other classes of
vehicles so I know if you can control your horse advance for each builder or
so I guess that's it for my slides if you want to talk later there's a couple two doubles here that you look at and this is it's always it was a Raspberry Pi but I found this Kevin dreaming anyone doing this testing you going to put some in the dashboard oh I better laptop and stop the obviously a pie hat sir I depends on its up for us be in network this is really anything and annoying apps and making food you've chips and stuff so I actually have any customized allowed I was for doing you should have a helpful here going to go through all voters
that's all I brought so thankful Susan questions yeah I think that ever talked about you know the Bluetooth attack vector say that it's not that risky because you can go in seven miles per hour that doesn't have on the concert last thing someone could easily probably just sneak a quick Bluetooth thing on your card box on the audience section tab you're powerful it's Doppler something so so there's plenty of chances where I'm something pair then post code if you're so much like after like two three minutes yeah yeah I totally agree that I've actually thought about going like down by the forked tongues or something a lot shower and you're staying there with an Ubertooth
well don't even perfect spot yeah because everybody's going like one mile an hour to the time so yeah definitely true it is a risk I think my point there was that a lot of people sail without how I rest of the most guided by quickly your writings we're going in general Oh if you do the young lady your canvas adapters for nearly know before one's not really so I was actually just reading today about can triple and it was interesting writers have enough the reason I ask is I have a dog 313 with the electric sugar oh yeah so you can't let it in drive reverse apart principal so my first questions make that work what interstate cars I wish I
could afford one is a all drive by wires and tech- parking brake
you guys looked into there's this I don't know if there's other aftermarket ones like it but it's called iDatalink Maestro it's for third-party stereos basically you wire it to the CAN I mean gives you two pins to wire to / manufacturer and then it has a harness that then plugs into your aftermarket stereo then you can see your climate control or you know some of those things which I would imagine would be your weak link then would be the head unit could then talk back to the CAN which commemorate I don't ask you guys look into that one so I'd like to kind of wondering Your Honor birthplace stereos and one of older cars and years passed
and now there's a head unit of sony place dozens Christ and coming there's none product here real quick right over there what do you say had trouble getting it to be more than turn on the pointer was that because you couldn't get the device to pass off for traffic if you have full unrestricted access to it was more because it has is so much traffic than trying to figure out what those a takes a lot of time it was just a little bit outside or so so if you can write correctly tipping at Boston anymore yeah maybe figure like when Christopher you keep favorite person you can cost anything to get it too
yes let's say I'm i replaced the unix radio well you did and it's two screws and it pops off to get radio and it will access to all the chemical you know the radios Murray knows about ass when it has announced for the offer the plug to fake it heavy so if things that has a woman dead employment that's an hour in the unfertile the list of playing devices with everything you do something important thing is that not from automatic yes because they talked a lot about security and others if their claims stood up to analysis so that one more about it we didn't find any query vulnerabilities we think we can probably force from work a Twitter sign
or try to actually so as I possibly being able to pin so I mean there was a record that automatic and he immediately unsurprising so does that mean I should like remove that part of the recording this is not search date with my okay yes Oh thoughts anyway they will obviously help and so don't like sign from
after another night
just least my after yeah so one of the beautiful if I instead they use name two days soon which is it shouldn't be able to pass any rain if you signed the firmware so people can't change them although they were pretty much bigger nice pink password use SSL for updates that don't give it access any this job so this brilliant connect community a lot of cases we one of us actually didn't a lot of the same tracking features about that onward average but gave me nightmares and functionality with words of course can't actually real
english project some otherwise I'd wonder y squared
hand
of what would you say are some of the risks of playing with this sort of stuff on your own vehicle running out to see you yeah I needed certainly damage ECU or something else in the power to get prepared i think the bigger risk is you so he's thought about let's just start buzzing in canvas when we thought about where the part of what you'd go with the Academic Senate accelerated and decided to see any lawyers present to have sunday janessa bigger risk is hurting yourself so so what you're saying is I get you a forklift and I can listen up around your puzzle your and I took up on a good lift yes they did it happen to
sort of you know we complete a seat placement but just we're on trial for that if you just walking by foot brake you have the parking lot yes we r you said there was URL for the firmware that you were able to point it to an arbitrary URL already these doing OTA just all the time looking for new we're or burn without that one that I talked about what yet the dsms self Gators soon see it same where is URL some of mine so more keep an eye on
what do those yeah well so the results are undefined maybe standards I would imagine probably good shutout ubiquitous and out of traffic my guess is that note these devices or device agnostic but
that's one actually a combination you can't attacks i watch some person Charlie stuff is to just send eight packets they made way more often than rope handles their work that was deals recording the speed is 10 miles an hour back to the speedometer and you just sent it 60 miles an hour faster tiny window covers
very much so the requirement for the vehicle executive order requires a past markings on how none of that requirement is in contract now however he did work on people to reply to our
air the next our music
I know you
any possibility that can be changing the regulations that required in 37 Rosen so we talked about that vento exactly there are suggestions of different ways to do it like you can still modify the firmware on your margins teach in there for the trust interesting Oh
that
possible
and I'm it's great working
finally my phone yeah and I said another hand relief I based on they should say
so you talked about the ten items on the bus would it be possible to attack like yo Dee Dee reader ever example white-haired like the Progressive Snapshot and hello hey I haven't moved my vehicle in three months my rate come down again so as a matter of fact was actually formed out on the internet for how to treat your Progressive Snapshot into absolutely possibly the name quality really moving his walks in traffic
yes we were just talking about us related regulations but there are many jurisdictions around the world do you happen to know anything about places like the EU or China or Japan or India or you know what are they what are they requiring of their cars what kind of half ability aspects of those cards have based on those requirements right I probably don't have the financing to poetry buckles have another okay yeah the most of the cars inside or the main the same way right there is a similar standard bb2 and you something good so they have some more requires the EU requires similar stuff right cars there yes try to row houses on the protocol
so the attacks that we're developing in America maim a pretty well on the European part they probably change
well we don't have any more questions are the things that was differ between Mike gas-electric diesel models like is there anything that would differ you know what you're doing um yes no so some of the stuff like sending a message that the accelerated was rusted quarter losses in that regard sweater that how does my friend when you get a little bit farther into it right you just turn me on I did so once you get a little bit farther in than there's definitely what you're going to do you wonder like what can you do shut off the battery itself or something than Chevy Volt don't basics inside knowledge is only different different corners and I have one of the whole saga measles
perhaps on a bleep on that so I should probably
so regarding the question I was going you can clarify something you mentioned earlier about the Tesla's have n go to be 2s that plug into with higher than anything I thought we were just talk about how they required so this was sort of anecdotal talking to a guy from Tesla and it over drinks that mark Rogers a Tesla had / gericom required to have you eaten port and so they do put it back to watch
I assume that's legally because of no missions really
comments 0 just a note I actually purchased a new GM vehicle a couple weeks ago and when I was signing the papers what's that I'm having sure a couple of parking lots down but uh the having actually ID sign a think through OnStar which is of course a service that I opted into it said I would not reverse engineer I would not try to bypass any of the safety mechanisms etc etc which is getting a step towards what you were saying as far as what the right stinker what not I don't know if that's so the colors that is as a December 2015 there copyright assumptions so every three years they review what's them from the
DMCA hundred protections in December they added the ability to impersonate colors now not violated whether that frees you from a crack holding cell
what else thought all done my phone just any questions about the incident right thank you very much today