All Your Fleet Are Belong To Us: Vulnerabilities in Fleet Management Systems

BSides Peru · 39:48 · 94 views · Published 2017-06
About this talk
All Your Fleet Are Belong To Us: Vulnerabilities in Fleet Management Systems - Dan Klinedinst (@dklinedinst)

Organizations that operate fleets of vehicles are increasingly using Internet-connected devices in those vehicles to manage them. I will demonstrate some specific vulnerabilities in such systems that could allow an attacker to track and/or control a large number of the vehicles in a given fleet. Most of the presentation will consist of methods for assessing various components of these telematics systems. Specifically, we will look at examining cellular communications via a homemade base station (IMSI catcher), abusing SMS and cellular data communications, reverse engineering ARM firmware, and sniffing traffic on circuit boards with an oscilloscope and logic analyzer. Finally, I will discuss how to exploit these systems to achieve fleet tracking, theft, and potentially control of the vehicles.
Transcript [en] (automatically generated)

I like you Dan client dan is a most important and you're the founder effect size are you not what one of the funds whispered besides and damn [Applause] if you can all again Oh Oberlin and Dan is also the recipient of the prize black badge the very first one I won in 2010 half this because he lost the third one the beginning did y'all you're looking good and or damn like all of your kids hilltop right is it going to work on the data in fact is a bullet village researcher at cert just like the hills and we've now just ignited upon as a DC of reading on any reunion it is when I serve everyday Monday slinky you

putting John that's sure right okay I know reason he put a root beer all day I'm going to throw a bunch of have to decimal nickname on that too so yeah okay that's a good thing okay group and you can turn a few disclaimers I'm going to talk about coming over to needs and keeping engine systems or real needs are public as a get correct and public Stamatakis so hoping that you do raise your secret sauce here long doing the issue doesn't talk at all depicts so those other products at home and all the information on the pop on is available in public documents like manuals and things like that so a lot centers there are no zero day awesome

speaker copier Odyssey so by the organ complete telematics and interesting area because the supply chain is very complex so normally loner abilities we get coming in as a buffer overflow and some piece of software or whatever this date it's not clear really where $2 billion lies because you haven't blew em until the device will be programmed by an integrator and sold by a carrier reseller so this is well supply chain it's not as obvious we need even pops we get more little fixed we have to quite a few weeks of trying time to record some swap to give you tips to it so that's what are you legal right it's what are they tell that there are lots of

organizations that use clean Colorado solutions that you work for do sleeves so it's the examples are long-haul trucking or will the delivery whether it's you know the people I are the floor top or whatever law enforcement Public Safety or fire trucks ambulances obviously service providers and contractors us in terms of like training air conditioning Depot driving around events initial days I'm seeing a lot of became less arts resynthesizing and first military is a lot of heat to vehicles so the point of some has any vehicles is able to a lot of it is the ability or track their vehicles in their fleet know where you're going wondering at the door its mark on it whatever

reason to - mileage and means and patient into that well to this example you can look at key minitor look at your cars and say okay now there were always where they all are not going to want a bunch we probably around the church boomers their needles closest patients but this is really a table by the fact that there will be very cheap telematics money think again on the cars these days a lot of the plug directly in the obd2 port which is required on all parts now McCaw since 1996 this is what a fairly complicated one over there to talk about this one a lot but up I'm gone wound off of ebay for ten dollars is the serial

port connections within lesson here - super people super Chiefs and that's really encouraging lot of people to use these devices more Caucasian that still very cheap there's must've been actually a third wire into cars these are more used for more for trucks please stay in valence people but that is a little bit more functionality so what we've done is we will do a lot of needs and what we found is there's a total of common border region such as realizes that you're Asian can pretend rocks Trafalgar definitely security of the universe I'm going on all the one to look that you found out common things so we turn organization so you can connect winning devices via Wi-Fi to the room

actual one two three four two hundred meters away no encryption of an off so area medically they're using as a cell to do anything or anything a cell on the bottom one thing correctly so handle it unplanned further updates is he more the standard than anything else like time very very seeing people timer former agency biases oxygen idea on gorilla the main point into these are that group back to us here marketing these necks that leads you were just a loop in here - no cars that's connected directly to networking are called canvas it's connected to our google mods will binding for logical for Lux parade experience of I know the other a minute centric in a piece of popular manages

the buzz of them to talk about their actually a little bit better than some of the ones I've looked at but there are some words need to talk about watch the polygon consent as well so I think that we'll talk about today instead of our communication so about study we're going to go into those little isolations neutral never known problems earlier that we learn communication so the world of older brother calls to say like get them they don't edit a TV station power detecting to on and worse than that most of I think the that we are more than happy to down Dre from liver or both others need to get them so they drew Johnson tower says I'm sorry is

beginning lighting state okay well I'd rather have something productive and fingers often errs meet Darrell encryption almost those many patients they say that it is any better than that they're mandating certain levels of encryption but in other countries it's not so good so we work our big international meetings and sugar netting vehicles about the word Mexico or something you know if they're using is $14 in fact even it helps which is kind of occurrence you know cellular standards and provide you comes out location trapping is often a lot of really good papers on this we can track education and down from within a square longer so radio translation so we're gonna get any better than that

these places without so there's known problems already suffer another area skipping so far and how people do things to cellular of probably all you learn PC captures or one of the brain names and stingrays so complete and other not so great people sounds like that was facilities with not so many people please but also people that are not as being forgiven you Cindy catchers to grass help them it makes gonna be what I just described which is the Chinese oh no I don't speak GSN are going to need to downgrade and talk to me that way and guess what happened talk to you now effective base station so they can grab most it's not all

information so is that if you set up a little sign your lap and we go through this real quick because new lock on lines them probably this is not less interesting thing but uh so we have no cellular lab this is a very tense when you simply block out all our missions in your house and when the office is going to be a choice and cozy emeritus and Christmas all you can stuff going on but basically this is our road supplement our week eight of a whose power supply there something find radio and stuff but with this we can emulate stay in eighteen t power so basically how this works one more cell phones I mean nobody vaccines

you're undertaking okay social 1202 text is awkward by radio which has been pre-configured to do so they were rid of communications console laptops or analytics some software or open BTS which allows you to emulate cellular communications and ask us for the boost abroad keep ours this is a little glimpse of what it can be test looks like keeping configurate pattern whatever identity you want kind of the important thing down here down the bottom there's a red square system on cellular networks we call your network where everyone well 18 feet and any phone is looking for a CT we're trying to cancel that like I said if you downgraded to GSM it's not going to bother son welcome to the base station

this example adding a body client to LA o PDGF so when I don't want your device be the first thing I want to do is I want to find out what the phone number is genetics things a lot easier so you're stuck way to do this something called the impeded international mobile subscriber identity um which the Vice can broadcast or starts up so this population gravity to see if you're lucky please read on the same carbon a bone we're going to license overtopping dot and it might be encrypted in the cartoon in which case you just pick up with me open each a Sandra ten cars are talking about and you can th see because

it has to broadcast that tower to the first comes up after you get the empty look like this hope you like is much reliance so he looks something like this it breaks down to something like this the first three digits of the funky code second three or the network coding the lastest phone number get your lucky so that happens sometimes you've got one problem problem is mobile mobile number portability stated fifteen years ago or so and Watson you move your cell phone numbers different years actually what it means you can move with Oh number two different SIM cards and so therefore the inky which you get data for only two phone number of gasser advice I'd only run a process

once anymore advices I think that's mostly because they're manufactured to just be darkest old movie carry the phone number is fairly sometimes itself under different changing phones every time rises good deal whatever but if you do run it it there's a few ways around it you can actually pay and just look up the India in the attic of the providers have to move doesn't buy access databases a lower spaces you can get a general idea of what phone number range device is in Central Texas sir description text every device and in bondage children okay so it's a little morbid Norris examples see also find all devices we want to start dissecting it see how what are dairy so first thing

what I'd wanted to do if I want to look for serial crackpot advice and so the little white hanging here on the screen that's a stereo her face and on the way tied all that mess is because the serial cable eccentric in Parker but I had to cut up in the tragedy figuring out something vicious I got a serial signal office well serial traffic is it's really easy to identify oscilloscope because zero traffic and all zeros are one either maximum or minimum voltage so when you see a square waveform like this it's really easy that's zero input or output your time to be going up and down to zero one zero one two long ones or GG

with the road for example so little pins on a no interfaces I'm atmosphere package once I got that I found out they do cannot wait to the once then disabled legally he can access the serial input do anything Gretna Green from which is fine it was all kind of debugging which is be done to the serial port also suggested moving up very interesting what's more interesting invented is that a whole bunch of information about how is connected so uh this tops red circle appearances ATP's eroding water for people that are old like me remember that Mullins you keep it simple gating pancetta to talk things out siren stupid same thing well I'm fair that Mike's been looking

at again later although further down here there is the 18th and pong phenom ii r interval that's just a number of the bikes so that was really easy i just have to listen to the serial cracker but buzz competin something well and then the lectures that you can see down here this is what rotations if you can read it where you can see it does not happen cell phone number written as you see here it also gave me not lots of useful information about the IP configuration knows what the units are proceeding once ask forgiveness you didn't run them passwords without being able bunch of information enemies so that was really useful on one device that i got you know

all this awesome stuff i'm serum next one I thought unfortunately they had disabled L debugging information in serial ports so then I thought nah not even electrical signals of telescope I was like okay well how can I get a destination especially the senator communications information so the information is coming from a cellular modem has to be controlled by a microcontroller hoping the CPU on device also able to the orders on and a house microcontroller on the board translating that serial information to a modem ATP fortunately there is a to not with this exact room after the Internet so I could look at that out cut periodic pins on it words serial interface at a nice little

chart for me and gave a few different options they said rx only transmit and receive something like okay there's probably serial pins so that narrowed it down a little bit termite I suppose go back and look at those pins i power likely and power through the reduce real traffic so I had pretty good candidates for what painting on this Motum shift we're doing serial fire to microcontroller so that governor is going to if I don't logic analyzer it means but the problems long we had this is untrue Campylobacter so this is the best picture anything which you can trim it but basically there's bad role on the outside of loading identify ones that I bought with the serial in half and my

controller in Sony book rooms on those two if the electrical signals off of them connection to the logic analyzer I tried some pretty fertile book on me you see inter event in ground in time I'm not acquitted but by one a time but this is the logic analyzer and old screenshot below under conditions you see his waveform which is similar to the stereo waveform that you saw before of a deluxe analyzer knows what does it actually need protection premium the a few values beams waveforms and data by this is actually just like a test program they see the numbers are bugging for here and then over here and take because the diplomas to correct protocol and shows

you what information is coming along so why I end up with a bunch of columns of numbers like this and not you gonna be ready to like top to bottom in the next column top to bottom on three again so what we need UMP out at me is in this first column we have these are red letters we see the thing that is on the Syrian people for write 80 e 0e months or started selling depreciation there see them in and out here later I have to the couldn't do printed receipt and time again supposed to come across or Lincoln's eventually came up with black that uh it wasn't commands just a motive and everything it just one word out of

here Givaudan alright broke out into a bunch of numbers I don't know they need an opponent so once again had a phone number this is kind of a complicated way of doing it and why does not have repellers have a bunch of production yarn go into it then turn your phone number off the board but that's not the right number but once it is my party with the positive only I sent us so I think if I watch it all the car music internet so it's like plug in under that rope attended a text message thankfully the only head manual it happens doesn't it or even neediness and that's interface to Nevada stock I was going 34 down the

bottom this little part and see minute is what Quneitra put a silver note request to advise or reprogram foreigners they can be at ease because there's no password oh this is my phone I'm sending commands to the device and it happens in two back bunch of information some of which is more interesting than the other like driving time here but you know we've seen a patient out perhaps you can't afford a car as well as the heading and the speed of the problem so we put some number and then what are the devices in I can put their texted all dating it back you can score top tilde where is that they're not party time at but I think it's

information that we might go to legends amongst this so once your basic SMS configuration trans on I found special set evening click password you can set IP address here in third command and that racing the firewall and this IP address is allowed to connects to this advice that seemed pretty useful of important device what is on that's pretty awesome so this place I can send text messages of doing most administrative functions on this device that's pretty awesome I'm pretty happy with that but whatever I want to do is hang IP connections because that's that's nice to just you know sometimes your scheme image delay and we're going downward North has ongoing the tcp/ip connection in this case media attention

to the denying selectors it didn't hurt there a lot performance of carriers blocking down access so we can't generally under photo or any gender study of the bodies we can't make it inbound connection to a key key key for our UDP port this is one of the problems with the key factors and found that there's this open port and smeared network and other sprint phone and at least 2 X 2 at Forbes spur to success is that an ATT prospect identity um so there are made who they're blocking any non connection but it's not Easter different so it is a documentation I found the school David said be looking at these two specifically for the IP

addresses the Weiss will deliver maintenance messages to importance entity already create me connection actually I think that I hope IP address is that um and indeed under see to that with a little right hand corner is red box and IP address in Turks with it I am in front with that means nations and this is after I've already set the maintenance server for this particular device to be my IP address on a CMU key phase like okay so SF IP address to be amazing server that around so I've ever units being old specials on the server and on this other parameter that I consented is how often we means that's an essentially it's server until what

we're doing essentially by 300,000 second ridiculous ah a little pay that's kind of a negative go ahead line so I start out here I'm sending a text command just to see what the current settings are you can see that the main server is currently hot an address that's in ESS previously query I ask what the border this was an on talking about as Senator the number commandant say that they would set the maintenance message interval 270x to 120 seconds so I want to wait the line bear by to that so it did um and then I have set the IP address to encourage addresses use PHP the only tricky part not abbas i it takes a 32 bit in front of it so i have

to convert my kiddos to have dozens of networking 101 so thankfully you will be able to do that even if you will be inverted so did that the doors to see and to get to see be covered and figuration ensure that you can see it from here down there has changed the IP address it's now trying to talk to my teachers so instead of candy little neck pack on my laptop and so it's listen on that Forks a wait for a bit longer than two minutes and i get your candy message back but for the body saying at another country areas to mean I don't care economy key connection right so I was okay I need to send and you can keep a

kickback to it and see if it will actually do something what they need to pack so the natives to started respecting administrative traffic on that court but they probably just use the same code just pushing any EP packet comes in from singing functions right if I look at this first I would like I'm getting I don't know that's worth a lot I'll subtract them to figure out but thankfully all this first chunk down here are the options and they are backed up so really the only thing I have to worry about is the message header and message content world of those bad with the pants okay okay so be real I don't really a kit

that should conforms me mister and protocol of that about students to motivate advice first one is just because I have to set the most significant bit and first night or at all thanks s if you're a zero because it's an unacknowledged request I was just getting this I was like I've got one or two chance I'll try down first we're right here seven I'm studying it to admit request message we've seen what most likely thing where I didn't know anything about the Devon so you could send your requests thankfully that worked out next student budget at started at age as a sequence number it's totally arbitrary since whatever has track sessions as 25 messages to that record and five others

to 0-2 which makes an augmentation disease Union request message that determines a version reports in an accent that if you want about the most patient has another possibly said in back to advise on an old zero just require pattern so I made this little text file how that it is in binary why are not met Pat again until it in this case to looking on the port but also to the first time I get the message to send back what Ivan is created in my mood five it is hopefully back it's useful so when I first came back is the staining message before were house stuff like it works we understand it sends back the message which I've divided over

TCP dump or a second layer whatever I get this different message it should be at version and the serial number on my new GPS reinsert taking so now I have a whole back-and-forth EDD connection to device and this race commands to deflect who's our workable firewall blocking me from doing so got it so we're almost there not administrative access to the device either with us mess or to submit key great awesome but the only remaining problem of the pattern let's see is this the messages the can't ethically which those are the messages to get sent on from Carter's box to receive information they're hard coded in the attitude that's on these slices so their spectra

control only get a lot of information from the park so for example the bottom with typical will be e to from the end they can retain at my news or whatever 7000 ones that'd just be different speech here's you know those are hard coded plus winged horses one Wow in so it's kind of cool to the other son it information get back on the currency book I want to do is send can messages of my whole bunch of the cockles right so next question is can modified firmware civil send what I wanted to instead of what looks intended to do so the top here just II its message up here but pulled out a little

bit more this is a text message that could send it will long to do this if it's in system represented text message that is update the firmware here's the version I want you updates you and here's the arbitrary URL to Fort Ord pretty rule and the screen you can kind of see it gets another double action downloads as well otherwise you have to call it a doctor our file is not about 300 or worse download file installs it that's great look that right now all I'm doing is I'm installing the listing versions of firmware and on at lunch just to see if I can tell it what you are out together so next question is

okay I've been tell it to craft firmware from the arbitrary URL clinics modified firmware until to grab my project from Florida I look at the binary the ends of look do look very random so who was digitally sign the digital signatures usually on either end of it and it's pretty random it looks very well so I changed my one character in it truck that was my third I change and I got this image CRC failure okay let's check some problem like it will expecting to check something somebody will be right so multi promote load so okay we're check some Cod perfect rafter you should be that hard to modify my first generate new checks comments and if you check

something with Department and yes look at that hard yet it was that hard because my organized idiots and we assumed it was a crc32 code because nobody else was using the outlaw years until two days trying to write Python scripts to generate the crc32 build a rocket anywhere in the find another yeah they didn't system uses here some 16 codes we could try that and it's our little finance their comment like two centers this is like if you do the Serie C calculation of the file one too late to the end end of it c16 median if you look at the very end of the liner in fly of the last two points look at this publish we're taking

attendance figure out to be check the CRC code so now the latin is designed to change the firmware again i just want to see if i can actually do it and gets past that fear see check but is dependent changes straining work right to last when we keep you saving on the river characters i didn't have any poppers or anything like that didn't work encountered worker and just want to see my can do modified from Wow I changed it I towards the downloaded I guess patent uh services in the CRC pass crashed so you know that was the former reduced and bottom you see instead of operating company is there's potlucks this company three so that's just my

decision Springer they're not trying to do anything with it please we can modify the firmware ominous what can we do so I mean the color would would probably be you could reverse engineer this firmware and figure out exactly what they're doing like where the maps are we can messages put your own can messages in and inside the input but obviously that's too much work okay this is really a single once you flash memory you can load them I can worry my own firm works do I want you instead you know me he weeks versus loose again this way you have control over that twice and wherever you want to go so so this is what can attacker do if they could get

one of these slices they put an infernal slices represent we track food stars in real-time Topsy's please please to use these types of us is not easy specific it necessary input no sure criminals would love to yes and have a on ability eg IP connections they can just like Bradley you guess what it's a tall tree starting area every 112 the heading this or if you're like an evil business you can plug the editors around some customers like Gannon equal flower shop wants you to track your competitors why this person on the street their flower shop division week business to me I want to see decorative deliberate people government where they stop better attract them you're going to try often

the questions of discount what we're just thought you could potentially each doubt on the occupants of the vehicles so the canyon from the vehicle also talks to buy which is the vehicle infotainment system this is looking at a microphone that you use to make a Bluetooth hands-free calls where you driving around so I'd be able to work but you could potentially get access to you that access simply must oppose the video signals from backup camera etc so you could you could each job in Iowa started this actually is really easy you had a Chevy Volt we were testing various things on for a while and I could send it like it to bring them can packets on

the can bus over to stock so it's really that such a simple attack you have got the little numbers a bunch of vehicles owned by a competitor or whatever some sort of time to say I pay within beats this 50 package learner takes you to let Nicky would be able to their time it didn't have so many packs on them you know to do that to a complete if you guess people's work on December 23rd it's going to have a business impact you get from Walker steel vehicles unlocking is actually super simple so if you want to unlock things to steal them to a dirty vehicles the can commands to unlock cars are really basic stealing is

a little more difficult because you have to take the fact that the key is the vehicle that one of any spooky type ignitions think it makes keys India conservators not that it's you control the thing that says did the key on indicator talk so you can stay connected since yes in Bali because copper James obviously if you possibly vehicle is or something like that it imagine if you've decided to shut down whole bunch of tabs at rush hour in attack not so there you can potentially cause crashes we've all seen the Jeep video they the engine in something you can get to at least Mysterio drinks like those cars he says crews can photograph you can keep it controlled spirit of

getting air acceleration race not sometimes you know getting towards the more difficult type of attacks if you really want to be on the nectar imagine so there's a lot of things that is little hundred everybody's people were to buying me a bulk turning the engines thousands hundreds of pounds of power stoppage about the risks involved so kind of more of the story of the fact that it's fun to reverse engineer get less when this is done first welcome using it come back be able they're not part of your corporate network so one of these problems we've had talking to people about this expected weekend whose are buying it until 82 know where it Carlos they go on by picking up anything

by ITR some security just I mean I don't think about how to take cars well if they don't understand that this is my key issue IT people to take on story from robbers and keep seasons of other important cars they are now part of a difference somebody needs to something other then also in a complex if I change learning this is basically we've got whole access to this based on the fact that there's an SMS ocean with the original media action box is looking handy to somebody make sure it in there people to build out the systems didn't they talked back it was in there people resold it in that so you have potentially all these

devices have this functionality to duplicate long it's here you can think about and no it's not so I'm owner ability innocence like another drug pump or overflow or anything it's just a configuration that aids wait years long complex supply chain in procurement system and about the world unfortunately this case didn't not on the world because it it's one stop with it so kind of like for to morals and that's takeaways part of your network in it ultimately doesn't have to be some super sweet hack you know on in place Windows 10 antivirus whatever is being that somebody didn't monitor to figure something you made its way through a little auction without a fix so thankfully we did this the public

editors they were super awesome about fixing it right away so this is the signal ability sorry optimal baby screaming this won't help anyone so that is it I had comments couple minutes left preposterous yes sir yeah so again sixteen interest to that at least autumn so I work with the manufacture of e+ in the laundry services Randy and they promise with animated that when it person self a block will turn you from are that limits and since we talked to them they're now verified and from there down only further from they've now added funding to the bottom areas etc so is another layer of configuration it happens after that works people that buy the devices both the systems install

them one of the other people but they have to configure to and so they have some sort of ongoing process really in configuration things and that's what dancing us is intended for with something bigger so now that work would be something put passwords on their interconnection put passwords on the arrow as ask you since it is buddy hit into the bottom that could something to be that students think yes I'll just want to look she used tested as if underneath the Emperor's it works just like off universal like seven series makes your induction Emily deeper sixteen addresses in grief long right a writable I have a beautiful uni will new TCU's okay there is a singer this component beautifully

super there's also things you can eat or acquire division no one that I can say that offenses are you okay I was want to get done like a water turbine car keys washing and I'm 37 it series motronic were quite acceptable for the first 16 at memory addresses you call being over edible nicely maybe true this is it so there's something new saanjh yeah this is fun this is when you went through this beautiful way that could be regulated that you're going to make detective eidt there are the packaging enabled path we should take yeah I mean there's a lot of conversations going on about that this was partially funded by Department transportation the aftermarket

especially is really unavailable but easier not easy but you can make their relations for cars is scarred and they make some cybersecurity standards and not regulations aftermarket so pretty wide open and then there's things that is the right to repair so you buy it are we actually it's not even being stupid things your car and they even pick out a dirty bubble um so that conversation is happening constantly I don't even know if I haven't painted up that's where your doesn't want to do this I think violent I'm trying to clear responsibility to move on to the vendors and main factors and people are buying something to manage repeats do right now I will complete these things but reasons have

you talked a lot of team images oh that's cool you test these once this is over reason to secure I'm never going to say oh yes that's accurate but I'm going guess there's really be small [Applause]