
EVSE Ecosystems & Connected Vehicle Privacy

BSides Cymru Wales · 2023 · 43:17 · 110 views · Published 2023-04
About this talk
Stuart Criddle and Huw Davies from PWC examine security vulnerabilities in electric vehicle supply equipment (EVSE) and connected vehicle systems. The talk covers hardware teardowns, default credentials, bootloader attacks, and cellular/network weaknesses in charging infrastructure, alongside connected vehicle attack surfaces including infotainment systems, telematics, and privacy implications of in-vehicle cameras and diagnostics.
Transcript

Nice to meet you all. This is Huw Davies here from PwC. We're going to talk about electric vehicle charging systems and cars and security things generally. The aim of this talk really is to make you as excited as we are about fiddling with ecosystems and vehicles; we do a lot of this and it's really good fun. What we're not going to do is drop a whole lot of 0-days and then get ourselves fired, I'm afraid, because that would make our lords and masters very sad with us. Hopefully we're going to give you enough information and skills and knowledge and excitement to go find your own 0-days, because there are so many of them to do.

So here's the talk: I'll go through the charging part first and then I'll move on to the vehicle part second. Without further ado, because the clock's against us: these are the introductions and those are our faces, and that's our offices. This is our hardware lab, which is obviously out of that window, just around the corner by the castle. When I joined leadership, I don't know, four or five years ago, we built an electronics lab to be able to tear apart vehicle head units and other pieces of hardware. I suppose at that point electric vehicle charging wasn't really on our radar, but we've got the ability to do a variety of hardware-y things, I suppose.

So we do a lot of hardware teardowns, understand what components are on a board. It's quite boring for electric vehicle chargers, because they're all the same. We do chip-off analysis, so we'll pull the storage chips off and dump them and then read out the contents of them; usually nothing's ever encrypted, so that saves us a bit of time. Once we've got that chip off, we've got a couple of very apt reverse engineers, but they're not me; I can use strings and that's about the extent of my skill. We have got a bunch of little automotive Ethernet adapters; funnily enough, increasingly now people's head units require some sort of CAN or automotive Ethernet or something to wake them up and keep them alive, so we've got a bunch of that stuff as well. We've just invested in a big RF chamber room thing so that we can do cellular assessment. That has been driven quite a lot by the electric vehicle chargers: we find increasingly, particularly the home chargers, that they have got cellular modems in them for communication with the cloud services that they rely on. Some of them have got Wi-Fi, some haven't, some have got Bluetooth, but I think we're increasingly seeing cellular, so we've got some cellular base station kit as well to be able to spin up that much in a box, but because none of us want to go to prison we've got to sit there in a stuffy room. We've also got the ability to simulate OT and industrial IoT networks; that's not hugely relevant to either of the bits in this topic.

So EVSE, as someone said earlier on, means electric vehicle supply equipment. Just an attractive target, sort of. Broadly there are two types: there's the type you get in your house or attached to the side of a house, and there are the bigger ones you tend to see at the motorway service stations, and in Cardiff, starting to spring up now.

Very brief history of it: in the early days the home chargers tended to just be a tiny Arduino, and all it had to do was generate a little PWM signal to talk to the car and tell it how much power there was on offer, and be able to read a voltage back from the car that told it what the car was about to do or what it was currently doing. They didn't tend to have any external comms; they were relatively cheap, I mean, it's a relative thing. But with some recent legislation the government has been to all of those now: all electric vehicle chargers sold now in the UK, as of June last year, have to be able to be connected to the internet. But that is usually up to the end user; some others, for the sake of it, we're seeing just automatically connect and you've got no choice; some of them tend to have Ethernet or Wi-Fi that you can choose not to connect, should you be paranoid. And then as it gets into the public chargers, the interconnectivity between the charger and all of the things it relies on, which I'll come on to later, becomes really very complex. So it's a very rapidly moving market; we're probably near the beginning of that, and obviously electric vehicles have been around for a very long time, but the chargers, probably the majority of the technology's development and movement, have been in the last five or ten years. So there's a lot of new companies popping up to deliver electric vehicle charging services and sell chargers on the market that are not taking security as seriously as maybe they should be, which is why this is a lot of fun, really, because it's quite easy; you can do some quite cool stuff.

So a couple of news stories; probably you've seen these. The first one wasn't very exciting in terms of a hacking thing: someone just replaced the content on a CDN that was displaying ads on a loop; they just replaced the ads with this, which obviously kind of made the news; it was a bit embarrassing for the Isle of Wight Council, who owned the chargers. This one was a little bit more interesting: there was a little bit of anti-government slandering going on on the screens, but they also disabled all the chargers on that network as well, so it was a little bit more than just changing pictures on the screen.

So I've touched on this a little bit: there are more and more regulatory requirements coming in. As I said, last June the requirement came in that all of these chargers needed to be connected to the internet; in December, which is six months later, there were some mandatory security requirements added, just to give the manufacturers a little bit of time to catch up. They're not very exciting: they are "don't put default passwords in", and it's all a bit naughty, so again there's still quite a lot of fun to be had here. The government are talking about bringing in mandatory availability requirements. It's quite a common thing that you rock up to an electric vehicle charger and it's not working, or the payment terminal is broken, or for some reason it's just off, or physically isn't there, or there's all sorts of stuff where they're not quite as reliable as turning up to a petrol station, filling it with diesel and getting driving.

So yeah, but the availability requirements: I think you will find it as hilarious as anyone else. I think the target is now 99% uptime for EV chargers, and presumably what will happen is they're just going to disable and turn off and remove a bunch of them, because there are quite a lot of old crap ones that I think are not going to be able to manage that level of availability. Obviously there's some GDPR requirements, but actually, as I'll come on to in a minute, the data that is transferred between an EV charger and the supporting cloud systems isn't particularly interesting from a privacy perspective, usually. And then there's also a couple of other things: recently, in the last couple of years, the government have mandated that if you turn up to a fast DC charger you should be able to pay for your charge using a contactless card, so again most of these now are popping up with, well, they have to have a contactless payment terminal, but it doesn't have to work. I'm sure there'll be others, but as yet nothing hugely exciting with respect to that.

So chargers themselves, as I said, are broadly two types; stereotype them into home and motorway, but really the major distinction is whether they just give you straight AC power off the grid, or they have got a massive transformer inside them and turn it to DC for the battery in the car. So all cars will have, well, the battery in an actual car is DC. So if you want to charge it up, you can either give it a small amount of power, because the car will have a little AC-DC converter in it and can charge the battery, but those tend not to be huge; some cars are down to seven kilowatts, some others are up to about 22. But then the DC chargers, again, it just tends to be how fat the cable is inside the car that goes to the batteries that determines how fast you can charge, but usually it's sort of 10 and 20 times more. So the communication between these: it is mandatory that a DC fast charger has to use more complicated communications with the vehicle than the AC ones do; the AC ones are welcome to use it if they want, but generally they don't because it's more expensive.

And then once you get past all the power electronics, it's just another IoT device. There's been quite a lot of public news stories and things about, sort of, Pen Test Partners that have been going at these for a couple of years now. There are a lot of them that are just Raspberry Pis; we're seeing quite a lot now of the newer ones for home usage that tend to be even dumber than that, so they'll be ESP32s. The big DC fast chargers, because of the communication requirements, tend to have a bit more of an interesting OS; obviously the DC fast chargers tend to also have a user interface, although they don't have to. And then there's the authentication requirements, which can either be, well, if it's a home charger there aren't any, usually, but if it's an AC charger in a car park, say in a Tesco car park, usually they've got a little modem inside them and you authenticate a charge through an app, and there's no other way of tapping a card or anything like that. And then all that data from your chargers is usually fed up to some sort of cloud platform so you control the charge from an app, whether it's on your house or whether it's somebody else's.

So communication protocols: the Open Charge Point Protocol is, I suppose, the brokering protocol used between the charger and a management system. A management system can either be a little box that sits on the network next to the chargers, or, almost always now, it's a cloud service. So a typical OCPP use case is that you'll turn up to a charger, you'll beep your RFID card, and the charger will use OCPP to send the RFID token (it's always only the UID; they don't do it any more complicated than that) to the management server; the management server will decide whether or not that RFID is in its database of allowed users and then will tell the charger whether or not to start the charge. And then once the charge starts the charger will report back metering data and usage and the amount of time the car's been plugged in and all that stuff, so that the user can be billed on that basis.

It also gives heartbeats and things so that the server knows whether the chargers are online, and the server, using OCPP, is able to do a couple of interesting things from a denial of service perspective: it can tell a charger that it's offline if it wants to; it can tell a charger to put itself into maintenance mode, and again that won't allow people to start charges; it can also tell a charger that it's reserved for a future charge, so again not to allow anyone to rock up and plug into it, because it just needs to wait; it can also stop charges. So, for example, the use case would be that you've got an allocated amount of credit for your charge; if you hit that cap then the server can tell the charger it can't offer charge any more.

So the communication protocols that we were saying about: obviously the low-level communication is just a PWM square wave; the duty cycle of the wave determines how much power there is on offer from the charger. I think we all know that; communications very, very basic. A much more interesting one is on the high-power chargers: they use a protocol called Green PHY, which is based on the HomePlug protocol, which is, as an example, because some people, well, you can still buy them: the plugs that you can plug in around your house and stick an Ethernet cable in one end, and it uses the wiring of your house to make another Ethernet port pop out somewhere on the other side of your house. So it's the same as that. It was originally designed for smart home, smart metering type stuff, so that your smart meter could talk to your washing machine, but that's not really taken off in the UK, but it has sort of been taken off, well, it's mandatory for rapid charging. What's interesting is that as the HomePlug protocols have become, with more and more demand for people to be able to get gig speeds across their network, more and more complex, whereas Green PHY I think has only got a transmission speed of like 10 megs, but it's very, very highly robust, so you can actually pick up Green PHY signals quite a long way away from the source. I did a little bit of investigation a little while ago and one of my neighbours was able to plug in a Green PHY, not a Green PHY, a HomePlug, in their house and pair it to mine, so back up through my meter boxes, back down again, and Green PHY is even more robust than that. So there's quite an interesting potential snoop-in on the communications there; usually there is encryption required but it's not always implemented, so that's quite an interesting area for playing with. I've not had as much time to play with that as I would have liked, but it's an interesting thing.

CAN bus: so one of the big EV DC charge connectors that are available has a couple of CAN buses directly into the EV charge socket. They're quite uncommon in the UK now, so they tend to only, well, I think it's only the Nissan Leaf and maybe one or two other cars that are using those still, but generally they are connected via CAN bus to the vehicle, so all of your normal CAN bus hacking tricks apply here. Equally, the Green PHY is actually just an Ethernet connection into the vehicle, and from the one or two vehicles I've had to play with, and looking for wiring diagrams, they tend not to be connected further into the vehicle, but as more and more vehicle manufacturers are moving towards automotive Ethernet for their communications buses within the car, to replace CAN bus, it'll be interesting to see how far that Ethernet bus can penetrate into the vehicle.

So all these higher-level communications are required so the charger can monitor the state of the battery and just make sure the car is not going to explode. It's nothing very exciting, but actually it gets a fair amount of data from the vehicle: it can pull unique identifiers, obviously a lot of stuff about the health of the battery, sometimes make and, well, usually make and model, sometimes even colour of the vehicle, I think. So I said that not very much data tends to be transferred through OCPP; it's got a very rigid set of things that can be transferred, and really the only unique identifier is your RFID token or your account number. But some of these chargers, because maybe they're a little bit chunky, will crash and have incidents and will keep error logs, and the charger sometimes just uploads a big lump of data about all of the error log that's happened, which tends, well, can include a bunch of private data about the vehicle that even the charge point operator wasn't sure was there. So it's quite interesting, again: some of the data being transferred, sometimes not even the manufacturers and chargers are necessarily aware of where that's going.

This was something that was sent to me by a client yesterday, not hugely exciting, but basically just someone talking about having a bunch of EV chargers sat next to each other on a network, and they had charging support services at the end, and if you plug a laptop into that same EV charger network and try to authenticate a charge using the unique identifier of the charger whilst an existing charging session is happening with the legitimate charger, this particular server de-authed the original charge. Obviously you've got to get onto the network, so it's not hugely exciting, but again it demonstrates how this is all a bit of a new thing and a bit of a wild west, so you can try pretty dumb things and have some success. And it's probably worth noting that obviously, whilst it's all a bit of a game and a bit of fun, actually, if you can stop someone's car charging and they're expecting to come back to a charged car so that they can get home somewhere, you could really ruin someone's day here, or potentially worse if maybe it's an ambulance or a police car you've dealt with the charge for, rather than somebody who's just gone for a shop at Tesco.

So this is a rough idea of all the things that a high-power DC charger tends to be connected to. You've got the charger itself in the middle here; you've got some other EV chargers sat next to it on the adjacent network; as I say, you've got a payment terminal, and it's usually locked inside these for the majority of the ones that we've seen, because the charge point manufacturer doesn't want to get into all of the joys of PCI DSS; they just buy an off-the-shelf payment terminal and stick it in, connect it to the modem, and they don't really see any of the data; they get the payment information back in the same way as you would if you were a shop with a payment terminal on your desk. Most of these tend to have RFID readers on the front of them for you to have a membership card or something to be able to start charges. As I said earlier, all of the ones I've ever looked at only use the identifier of the RFID tag, and almost always that is what is used as a unique identifier to authenticate all of your charging sessions, so if you can clone some of these RFID cards you can charge your car on their account forever more, and there seems to be, again, fairly little checking of impossible travel and things like that that goes on with charge point operators. Obviously the electric vehicle communicates, we've discussed that, and then you've got engineering interfaces; some of these are more interesting than others; some of them you'll find is just a UI connection on the front of it; a couple that we reviewed a little while ago had a Linux interface and hosted their own web server for you to interact with the charger, which in that case presented a couple of quite fun vulnerabilities which are on the next slide, so I'll come on to those. And then you've got your cellular uplink and then all of the stuff that's in the cloud; all of these could be, well, I suppose the charge management and software update could be coming from the same place, or they could be separate.

The back-end management is the owner and the operator of these; usually there's a phone number plastered on the front of them, and if you can't really get the charge to start because the card terminal is not working or whatever, you can usually phone the number and they'll make an authenticated charge without you having to pay for it, so they've got a lot of access. There is the potential, but again I've never seen it, that the charger can communicate with the grid to be told by the grid to calm down its charging because that's a high-load period, or to quickly shed a little bit of load, and that was the main motivation for bringing the legislation in early last year: so that local distribution network operators could disable people's cars charging at five o'clock when everyone's car charging wants to do that at the same time. And then obviously all of that ties into mobile apps.

So a brief whistle-stop tour of some of the things that we've seen in these. Default credentials: so a web interface that we saw on one of those chargers had three user accounts; one of them was an administrative account, one of them was a user account, one of them was a super user account, and the super user account you couldn't change the credentials for; it was hard-coded, and it was in the installation manual that you needed to go back to the manufacturers to find out what those were if you worked for the manufacturer, or you could just decompile one of their updates: English and trivial password, and those are hard-coded into every charger of that type. So I don't know if they've really snapped to and fixed that, but at the time they hadn't.

There's a bunch of interesting bootloader attacks; again we've seen a couple of these have got a service mode there: they'll pull an image from a TFTP server if you can spin one of those up and give it an image that it likes. As I say, a couple of these had web apps built into them; they were pretty chunky web apps with, again, low-level easy attacks, so basic injection: one of them had some diagnostics, a diagnostic page, and one of the options was a ping, and you could just sort of close out your IP address and had full root command injection on the onboard interface to get a little callback; it was a full root shell. I think that might be the fastest root shell I've ever seen someone achieve.

They're often multi-homed, so if we go back here to the neighbouring EVSEs: sometimes on corporate networks, when these are installed, this might be connected to, well, you might not have the modem or cellular uplink as the main way that you want to be able to connect your charging data, so you might connect the EVSE to your corporate network, but the manufacturer might leave a modem in the top just so they can access the charger, and then you've given them a nice back door into your corporate network. Definitely not seen that.

Separately, on the side, there was one quite interesting one: there's a manufacturer where you can buy part of the EV charger, so you can get an electrician to come and install the bit the electrician needs to install, and then you can buy the actual brain, the expensive bit, at a later date, so if you were fitting out a car park and you wanted at some point to have 50 chargers but now you only have the money for five, you could buy 45 of these sort of installation kits. The installer could program an RFID token on the back of them with Wi-Fi credentials for whatever network you're going to connect them to, and a bunch of personal information about the installer and the owner of the system, and that was all that was needed to get onto the network, obviously with the other EV chargers that were there, and you could do all of the OCPP stuff we were talking about, de-authing charges and all that cool fun stuff. And even once you'd installed the chargers it was still possible to read the Wi-Fi network out off the back. So I think quite a lot of this stuff is where people come up with a really cool idea and then just don't think of the security implications of it.

So where we're going with this: there are a couple of things that are coming over the hill. Obviously the government, and it's not just here but generally governments, are very keen to install as many EV chargers as they possibly can, everywhere, so it's going to become an increasingly interesting thing. Obviously as people and the public become more reliant on EV chargers and companies become more invested in EV fleets, again this becomes more of an interesting, well, it's a denial of service for a business not being able to use vehicles that they thought were charged overnight and actually haven't. We've got, currently, only one-factor authentication there; something that's been being done for a little while, but there is now a proper standard for where the car does PKI with the charger, and so that sort of removes some of the RFID stuff, but again I'm not able to play with any of that stuff yet, but I'm sure someone will be doing a bit of a rubbish job there; yeah, vehicle manufacturers putting their CA in every vehicle. So there's a lot of fun to be had; you should go and buy some.

OK, I think we've got 18 minutes before close of speech, so we'll rattle

through this um that was my first car it had no connectivity issues whatsoever apart from the gearbox linkage that kept falling off because it was a very effective British cleaning vehicle at the time so I guess the point for this is so I'm sort of mid-40s that was the kind of the drive-in that's kind of University things have changed a lot in 20 years maybe a little bit older than five years but things are moving at a really significant pace so um this is the car I'm looking at on the car scheme currently there's nearly a meter of screen a meter screen is ridiculous um but very cool and very shiny sad sadly the more we've ready to change so

I'll forget one um but hey but the amount of tech in here is just absolutely you can't really describe those two vehicles in the same sense they have a mechanical engine and that's about the end they have in common with four wheels um so our world is moving really really quickly and privacy is becoming a really interesting thing you don't even see this it was about 2017 one of my most amusing stories on the internet where somebody got found out for having an affair because he'd done something with it locked into his wife's phone with his Uber app or something crazy um and so she was getting pinged alerts even though he'd logged out while he's

going to do whatever he was doing um 45 minutes a lot of money but I think the point of this really for me is just privacy is a real thing that a lot of people are focused on really now a lot of things we're carrying around with us have changed the amount of data that we're leaking all of the time everywhere we go there are things like character phones without Apple watch the whole world is tracking me I appreciate that but now so is our car so this is much less funny story but it really brings to light um some of the data points we've talked about this is the crossbow murder that happened in West Wales a little while

ago um the key the key I wanted to call out on this really is what the Barrister said the prosecutor sorry if it were not for the telematics not fact that there was a black box in the Land Rover which recorded all of the information is sent off to Jaguar Land Rover Mr War would have got away with his lies basically a guy was saying I wasn't there I didn't do it you can't prove anything I was nowhere near that guy's house the crossbow except for the fact that I'm in interesting I won't go through all of this timeline here but his vehicle when he came to be absolutely at home drove to near the

house where the guy was killed and the boot opened 15 seconds and then it closed and then the thing happened for 25 40 minutes and they came back again so the police basically managed to use a whole bunch of telematic information to just completely disprove um the story that he was telling so but that level he had no idea that level of detail was being tracked from his vehicle and this wasn't even a particularly modern vehicles I'm a jackal animal can't help it it's just I like our Land Rovers um even a relatively modest vehicle sending a lot of tracking data I think it's worth pointing out as well I think it wouldn't be a cloud at the

end so he wasn't what he thought Carl was scrapped there was nowhere to be able to get out but that was all being said yes this was David had gone as far as he was he was up in the sky already said what did history and also taking so car theft is it saying it's been a thing for a long time nothing has changed anything is available yet nicked in some way in mind that it's got carjacked in Manchester jokes about Manchester United's applicable um criminality moves to meet the requirements basically of the task at hand I guess it is the short answer here numerous press stories about the latest car hacking repeated thefts of data resource because

this one really interests me so if you're of an age and you remember back sort of 15 20 years ago quite a lot of big software companies had lots of software Stacks stolen a couple years later then quite a lot of interesting attacks so appeared so why are jobs in England I wonder how they managed to find those folks I'm paranoid I have no idea this basis on other than the fact that there's a bit of a pattern emerging here there's quite a lot of big oems getting done and clearly I can't mention any of the names any of this talk so um you can Google them afterwards but anyway fast and furious eight all my favorite films

takers yay the car hacking bit in that is one of the darkest most extreme comedy things I've seen in a long time but you would struggle to say that it's absolutely not possible so remotely control a vehicle virus can bus over a 4G connection over data the fact that there are sort of if we're giving things doing it I suspect it's more tricky but if you've not seen it it's on YouTube it's five minutes of Comedy gold um and we're heading to everything as a service even Vehicles as a service that are coming over the hill pretty soon I was chatting to somebody in the office on Thursday Zach Castle this sort of things this is where the world is going

and every time that kind of platform gets rolled out more monitoring goes with it more tracking more data points more cloud services more telematics um as hackers we should be excited about this which is fine this is data everywhere um I'm a car freak so um it's data encounter so what more can you want relay attacks it's been done probably before an interesting time keyless entry attacks yeah it's been done as well this one's particularly interesting because it's basically rubbish crypto you would think in our world rubbish crypto wouldn't be a thing anymore because crypto done properly as in just use the library somebody has written and put on the open source internet for you

with some proper keys and it kind of works but people still make these mistakes I think particularly in the automotive engineering space there's a lot of people without excuse me back and doing engineering and if you think about where Alternatives come from it's generally been people making cars go quickly around tracks and having fun and all my Falls getting the money whatever it is but actually security has not been really the driving force of all these things that's changing um

you've probably seen this already driving from the back seat using a laptop it's really good fun um I can't name the organization here because yeah you can Google it later it's completely possible to drive a vehicle over the air basically when you're driving in the driving seat if not my microwave you are driving it over there you're actually just using data and Computing to control powertrains particularly so in the UV space this was interesting one um I will tell you the backstory to a repair at some point if anybody's interested I can't tell you I'm recording um we know who it wasn't why but from CC with a vehicle right the way through to domain admin

There's a lot of trust going on in this network, so what we're seeing a lot of is: it's an APN, it's trustworthy. Actually, weirdly, the police used to use that argument in the UK about 15 years ago: we can't get inside our APN, the SIM card pushes it down, it's just to stick in the modem. There's a lot of assumption about layers of security in the space which are actually really easy to break down, as we'll run onto pretty quickly. So, connected vehicle attack surface, again that's not my maestro: OBD, Bluetooth, USB, radios, keyless, smart, cloud, satellite receiving generally, but the options are available: pedestrians' mobiles, Wi-Fi, vehicle-to-everything communications where you can see around

corners and your cars are telling the next car that you can't see that's coming what's happening, that traffic infrastructure stuff as well. And a lot of these bits of tech are now implicit in vehicles that you're buying when you don't even know that they're there. One of the things that you and I wax lyrical about quite a lot is the way the tech that you'd have seen only probably in a high-end German brand, say, a decade ago is now completely standard. So one of our family cars, for example, is a little tiny runaround that has way more tech in it than any of the other

cars I have, just because that's what the market demands. That's what sells cars: to put cool shiny tech in small cars for people who want it. And then cameras, photos of everything, sonar, lidar. Cameras are really interesting in this context because it's a feature as well as potentially a bug. One of the major manufacturers has got an app for your phone where you can actually look 360 around the car while just at the pub. So if you want to walk back to your car and you're concerned about where it was parked, my sketch, you can check there's no one around. Stalking people as well, if you wanted to use your car as a mobile surveillance

station. These things that have privacy impacts both ways really do have an impact. And also a serious thing about diagnostics: there is one vehicle brand, for example, that we know of that, when the head unit crashes, which it does quite a lot, it's crap, it takes a screenshot of all of the screens, and if you happen to be in reverse at the time, so your camera is up, then its diagnostic logs include screenshots from the camera, because that's what was on its screens. These are basically not very clever bits of IT that are just being sort of coerced into doing cool things. Right, background to IVIs, I'll, okay

then we planned, but basically you no longer have a CD player in your car. So I just have a big folder of CDs and you put them in, it's very exciting and you can play music, it's great. What you're basically driving around with now is a single-board computer and a phone all bolted together with a Wi-Fi access point, voice recognition quite frequently as well, and it does everything. I won't tell you the brand because I'd get told off, but my dad's car, for example, is really annoying: you can't even work the airflow in it if the engine crashes, and it's like, yeah, buttons are bad.

Why should we target the head unit? Basically it's connected to everything, and this is one of my boat better, because people want on their screen to see, if you're driving a hybrid car, the data, the energy flow, sorry, when you're slowing down you get all the nice arrows saying, yeah, sure, recovering energy. That's great, that's great, I mean the powertrain CAN, that these things all need to be connected. It also stores 4G, sorry, emails, texts, you've had two of them, and off to this calculates, uh, 4G network. I've been given a five-minute warning, so I'm going to go through this at some pace. Surely this should be hard? I'll be

sure. I'd love to say this is really, really difficult. Actually, generally these things have got Wi-Fi, Bluetooth, UART shells we found hanging out the back of them, a pair of wires, ethernet connectors, Android debugger, all the things that we would do to generally phone kit about a decade ago and laugh at is basically what's in your car now. It's quite interesting plugging in USB devices that suddenly then pop up and become a new method of comms. I've never seen any kind of full-disk encryption ever, so you pull the chips, they're good. There is some signing on updates. Hidden menus: Google it, it's good fun. Basically, why do we care? You stick it in

debug mode, it just pops some firewalls, brings up SSH terminals that were there the day before. Apparently, again, that's a feature, and people on the internet love hacking their cars, so a lot of this stuff about getting green menus up and things where people want to enable additional features has been done already, whether it's from an IT security point of view, and we're much more interested in what that allows us to do. So, inside of a board, back of a random head unit, if anyone's Googling something on the plane later, these things matter. These are called Factory connectors; these are automotive-style connectors, you can get them on all sorts of random shiny sites. Generally one of these will be sort

of USB, for example, one of them will be, or various sockets you find in your car. They look a bit weird at first sight but they're not: they're keyed like this, but the ones you can buy from various Chinese locations just ignore the key and give you wire blocks. Couldn't splice it straight into a standard USB lead? Off you go. I'm going to go through this really quickly. Data didn't work. Playing with ethernet: why not? No scan results. Well, we've got data now, because it turned out that some funky corporate laptops remove VLAN tagging data for you, just to be really helpful. So, a rubbish five-dollar USB card off

eBay, and then all of a sudden, great, there's an SSH shell, off you go. You'd expect at this point proper difficulty looking in cracking passwords of things. We know for this random box support on the internet: there were no passwords, root and blank was quite successful. How do we get to find some of this stuff out? So we had a surrogate board, took some of the memory chips off, a technique sometimes, I was dead briefly when you take one off, upside down, draw the wires back in again, allowed us to power the board on, so they unlocked the chip with a password, let me give you the data, and then all of our favourite debugging tools.

The one you probably care about is on the left-hand side: root colon colon, our favourite thing, there's no stars. So this is us playing with the firmware, knowing then that we can jump straight in. Interesting data on these: so all the photographs that were synced from your, very splits, to your phone. You've seen people's Facebook photos get synced across and things, we don't really know why it does that, apparently it's helpful, but these all end up basically on a local disk on the unit's machine. NFS: the 80s don't want their tech back, but these things still use this because this is practice 74, inside the secure bubble, lots of

assumptions about being a trusted space. FTP details, SSH super details for the back-end network of the vendor that built the vehicle, for running for connected back. Clearly we don't connect to these, only the work that we do, because that would be very naughty. So what we learned: they're basically rubbish Unix machines from a very long time ago, and they're really good fun to play with, and they're cheap on eBay, which is a winning combination. So, modem units, quite interesting. Some of them are off-board, some of them are on-board. The off-board ones tend to be running Android as their OS, generally, not universally. Very common chipsets: there are probably

only two or three chipsets that we see commonly across these. They're really interesting: they've got a key role in the power management of a vehicle. So you think about my future and the key off, everything stops, you go home, job's a good 'un. Not anymore: you get in your car, you press the start button, things beep, gonna wake up. You've got cars with touchless handles, touchless key locks, for example; you'll find that the head unit starts powering up once you get to the car, after trying to get ahead of you. So, real-world privacy. Actually vehicles store a lot of information, a lot of them actually, just think back to the OEMs:

they can access them remotely for debugging, which is quite an interesting one, over 4G networks. Why? Apple CarPlay seems to be the one that we see has the least impact, critically in terms of data being synced, but I would that changes clearly as software updates come along. Android Auto is better than direct Bluetooth; it's somewhere in between. This is a really interesting one though: some manufacturers, a big German vehicle someone had as a test car recently, from the company pool team, and the first thing he did was flash up privacy warnings, like set these settings: are you a guest driver, are you, what role are you having? So clearly there's a

thought process in the OEMs where they're starting to take notice that their sales, cars now, and it has an impact. So it'd be really interesting to see where this goes over the next few years, but fundamentally they are still foreign

before I get kicked out. But any questions, other than that was way too fast?

No, generally not. What they often give you is a box that says accept; it's not usually a box that says don't accept. So yeah, sadly not at the moment, but I think we will see that change over the next computer. So I've just been told that our time is up. If anybody has any questions afterwards, not now clearly, but collar me somewhere, I'll have a chat, that's absolutely fine. Otherwise, thank you for listening. [Applause]