
[Applause] what you say former colleague it sounds so terrible all right all right thank you all I like that it's still going I like that that
that all right everyone thank you all for coming I Know Travis Goodspeed is a much better talker than I am or a much better presenter no no no no no he he definitely earns it um however but I'm I'm here to give kind of the other side of car talk if you guys have and this is kind of a um an introduction but kind of a different side of that introduction uh the talk this morning especially at 8:00 or no 9:00 this morning was kind of like hey here's how you hack some stuff I'll be talking about that but this is more so at a higher level so it's in my mind an actual introduction or baby's first
introduction to vehicle security so who am I a few of you know me uh my name is Christopher Craig uh that is me at the San Diego uh San Diego Zoo uh mounting a uh North American Siberian tiger uh or at least a replica of it with my friend with a captain hat uh I've been working five years at uh Cisco Systems and I've been working for about seven actually about eight months now so seven years or so of a year at Oak Ridge National Labs I'm really into multi-rotors and as you can tell uh from the center of this image is a my first 30 minutes of drone ownership careened head first into a tree and then
I patiently waited for it to fall down for the rest of the afternoon I still have it it's Smyrna and it's a pretty good multi-rotor if I didn't crash it uh now I'm a lot better of a pilot and I hope to get into uh drone racing and hopefully some um some drone plus pineapple stuff a little later so we'll see that for hopefully for the next BSides uh I'm into motorcycles um so it's surprising the cars aren't listed here do I need to do I need to speak in mic more so yeah you should probably be all right oh thank you thank you sound a little better there we go ah bringing the bass the sultry tones so I'm into
motorcycles as you can see that's my Twitter and as you can see that's my absolutely terrible like problem ridden like Suzuki Katana but I love that thing and uh it's mine so only I can [ __ ] on oh sorry poop on it are we PC we're PC here right okay who cares and Woodford Reserve uh it's a it's it's a great great whiskey and or bourbon I'm not entirely sure which but it's delicious of course in moderation so why talk about vehicle security why care it's an attractive topic I'll get the elephant out of the room uh ever since uh Chris Valasek and uh Charlie Miller committed their first kind of demonstration on Wired with Andy
Greenberg uh of hey we can hack cars now this isn't hackers this is reality that exists people have been very interested in it and um I've had the fortune opportunity to kind of work tangentially related to it uh as you'll find later in the presentation my work is specifically related not necessarily to ECU hacking even though I do have one for show and tell um that is an engine control unit there's a lot of acronyms related to vehicles but um it's an attractive topic and yeah uh also it's really easy for things to get blown out of proportion uh that is from uh This Week Tonight with John Oliver saying scientists say smelling farts can prevent cancer
which is not true like it like if you actually dig into the article they don't say that at all and I feel especially with vehicle security and people saying oh my God we can hack cars that it's something that like is as ubiquitous as getting um kind of data dumps from you know not necessarily like Dropbox but as as as often as information disclosures actually do occur uh hacking a car is not as common as you would think and it's not as easy as you would think um in fact a lot of things have to go right in the wrong way in order for you to successfully compromise a car and actually speak directly to the CAN bus
through an external entity um as in the talk this morning they had just so serendipitously happened to have the uh ECU direct or sorry the engine control unit directly linked to the um the uh Automotive dashboard essentially like the display board get compromise on this on the dash but it's kind of hard to speak to the CAN unless they kind of mess up in a particular way and that was a happy accident for them and Charlie Miller and Chris Valasek actually did find another happy accident in their scenario but I'll continue to talk about that a little bit later but yeah it's easy for things to get kind of blown out of proportion it's easy for people to over
speak and kind of not talk about how hard this is but just talk about the result but uh and it's not all doom and gloom um this is Nihilist Arby's Twitter which I'm a big fan of and I have a Dark Twisted sense of humor um but it's not all doom and gloom a lot of people like to think oh my God they're hacking cars oh my God this is so no if anything it's actually a great it's a great Venture that we're starting to actually explore vehicle security because more so than any other embedded or embedded device or cluster of computers We Trust our cars probably a lot more than we should and we put our
lives in their hands and it's good that we are pentesting it's good that we are trying to figure out where weaknesses or vulnerabilities in these vehicles exist so this is not a bad thing this is not a doom and gloom talk I am going to bring up some um kind of faulty areas of security Within These specific vehicles but it's it's far from and and and I don't want you to kind of leave this thinking oh my God we can hack Vehicles this is terrible this is what's going to happen oh my God it's all no it's not a doom and gloom thing security is supposed to make a a system more robust and we are trying to make cars more
robust so oh and be all we are setting a precedent uh so nothing more than the um kind of current Apple versus the US I think the FBI uh issue coming up uh we are setting a legal precedent so what the states is it's kind of hard to see from back here but Michigan politicians want to want people who hack cars to spend the rest of their lives in prison and that is in my opinion absolutely ridiculous if you kill someone with a vehicle you have committed manslaughter we already have laws in the books for that if you hack your car to do it what are you accomplishing it's not necessarily getting the same goal across
trying to set legal precedent in a negative way go ahead uh those sorts of law laws and ideas for legislation aren't necessarily new I mean that's that's pretty much how I Things That Computer Fraud 195 yes true it's also how we had uh what is it the there there was supposed to be a back door chip of was supposed to be implemented in all uh in all that was in 1990s or so there was supposed to be a back door chip implemented in all security devices and it failed immediately because that's not how this works that's not how cryptography works that's not how Computing systems work so we're setting a legal precedent and we need people to be informed on vehicle
security to kind of right the knee-jerk reactions of our fellow politicians and our Representatives so this is this is on us this is as a security group this is this is our responsibility as well go ahead that's where Michigan that's where Detroit is right yes that is where Detroit is located that's a coincidence right no it's not a coincidence in fact uh also you might see some stuff from like Leesburg Virginia that is another place where you might see a lot of knee-jerk reactions happening quickly and I do have evidence to kind of go along with that so we'll continue but what I want you to leave with from this talk is that hacking cars
is scary oh my God like I'm not trying to understate that in any capacity hacking cars is terrifying we can do something about it we're not helpless we're not a helpless Community especially you know a group of a room full of hackers like we are not helpless in any way so first comes to defining it what is vehicle security duh it's in in a Layman's kind of stupid way uh I've kind of described it as doing everything possible to keep your car performing as intended and keeping you alive is one of those intentions like not just necessarily like the vehicle performing well or even optimally but just like not knee-jerk reaction careening into a ditch or things
of that nature and a car is kind of stupid it go well it's smart in a lot of ways but its intention is just to go fast in a direction Park eventually that's pretty much it but I like to actually because a computer is or sorry a car is an amalgamation of several different embedded systems it's properly an embedded systems problem so vehicle security really should be defined as the NIST standard for computer security which states that measures that computer security is the measures and controls that ensure confidentiality integrity and CIA of Information Systems assets including Hardware software firmware and information being processed stored and communicated basically that it's not messed with and and there are no
surprises um that's in a nutshell what you would really like a vehicle to do you would like it if you turn on the radio to a certain if you like you would like it if the brakes when you press the brakes down the brakes work they effectively work and there's no U malformed CAN messages being sent saying n don't don't don't close the brakes you don't want that so that's in a nutshell kind of what I'm kind of describing so what's the attack surface of a vehicle sorry vehicle how does the information flow throughout the system what inputs does the car receive how does one obtain access to those inputs so as you'll see there's a
variety of several inputs that are actually in a modern vehicle um I'm trying to keep this light but you we're getting in the nitty-gritty uh but like there cellular Wi-Fi Bluetooth specifically TPMS is the tire pressure monitor sensor so that's kind of like how and there have actually been several attacks kind of taking advantage of that so that's why they uh the Car Hacker's Handbook which is I believe up for auction or up for say external do you mean external to the car I don't mean external to the car I mean these are the specific inputs that the car can potentially receive not necessarily through steering to go in a specific Direction Direction which of course is a
type of input but um what type of potential inputs could come into the ECU or the um Automotive CPU so the a or not automo CPU the um acpu uh which is controlling like the dashboard and all the other uh fancy features that we like to have in our modern vehicles um this is kind of a better example if you want to think about it this is all the stuff that could pretty much interact with your car we have a smartphone remotelink type app app airbag ECU which uh the TP what is it I don't think they actually have the tire yeah there is TPMS in the bottom right corner which is surprisingly noisy like
you can listen to that externally and it screams a lot of information about a specific vehicle uh passive keyless entry of which I actually am a smart key uh owner I was going to whip it out but my mic's in there uh but I I do own a smart key and I will talk about smart Keys actually in this uh in this talk uh lighting system there's a whole bunch of things that are just chattering to and fro back and forth not necessarily explicitly within the CAN bus but also throughout the vehicle itself so there's a lot of inputs that your car is both screaming and listening to um yeah so as I mentioned in my abstract
I'm going to talk about these four frontiers of vehicle security so as things are changing as things are getting kind of terrifyingly different um the landscape is definitely changing um I'm going to talk about these kind of four Frontiers for vehicle security where things are changing and um what currently has been presented and uh kind of existing vulnerabilities and kind of things to think about because what I would really love is for you guys to leave with a sense of uh not necessarily urgency but also like an understanding of where we are and where we can go so yeah oh by the way that is a Nissan Frontier that is another stupid uh stupid carard joke that is kind of
surreptitiously embedded in this in this talk you may find other dumb ones but but um hopefully they'll be less stupid the picture should have had four Frontiers it should have had four Frontiers yeah you're right boo all right so physical access um those tell the jokes I know I know so those of you that know me know that I am an amateur lock picker uh that is within the state of Tennessee and I do actually do not pick locks I do not own a lock pick set which is legal a felony in state of Tennessee is no longer as if I'm not affiliated to uh a specific uh Lock Locksmith school so you said that
wrong you're a locksmith Apprentice right I'm locksmith Apprentice yes that is the that is the be catch all but uh physical access so this has been so internet this has been the historical view of security just people not getting into your car not hijacking you having a physical lock there maybe have that weird claw that was invented in the 1990s to stop the Wheel from turning so you don't so carjackers don't leave even though they've already drilled through that and drilled through your ignition to take control of your car um but physical intrusion is kind of how people have classically viewed vehicle security and it's not wrong it's not wrong it's just not good and there are three specific Advent
there's three specific um features that have been recently invented not recently but like past 20 years or so uh that have helped in this effort but there are significant ways around them uh laser cut Keys kind of being the first so as you can see uh a laser so a key ignition specifically the tumbler within a key operates in the same way with a pad lock um in the sense that pins go up if you visited the lockpicking village you've kind of been recently aware of this pins go up and the thing turns uh laser cut Keys actually make this a far more precise problem um and it also works in both directions as Sometimes some keys
uh do Implement and uh the tolerances are much higher on a laser cut Key Making picking it a timely process and that's kind of what you want in a weird way the same way your passwords are never necessarily uh bulletproof they're just time sensitive it just takes a long time for someone to actually brute force a specific password some until the you know heat death of the universe but still uh it increases the number increasing the amount of time it would take in order for you as a lockpick in order to find a specific um uh find the specific pins necessary to actually uh pick the lock it's not necessarily foolproof and it does have
another mechanism within it called a transponder uh the transponder is obviously a combination between transmitter responder and it's in this weird kind of collaboration with the key to let you know that the right key is in the ignition in order for you to turn the key and start the car so as it says the key is good the ECU which I actually have below and I should just kind of bring it out now um which is the engine control unit and I brought one for my job but in a nutshell this is it this is the brains of your car this runs Windows 10 ain't that weird Windows 10's in your car you don't want it to but here it
is you'll notice that it actually has if I kind of covered specific ports it looks awfully familiar as many of you computer nerds will know um but it does have WLAN support and two SIM cards which uh Charlie Miller and Chris Valasek took advantage of uh in their kind of Infamous attack to attack car remotely via cellular um exploit so I was kind of in the mood to pass this around just it rattles but like don't break it so sounds like it's already it is already broken but so the key with the transponder and the key cut is that kind of like two Factor it is not quite like two well in a way
there is a physical aspect and a um as I'll turn so I'll finish the statement and then I'll actually get back to that question or I'll finish the slide and get back to that question so the ECU sends a message to the key the car starts if the ECU has the correct response basically there's an encrypted code within the transponder of the key to actually communicate to the immobilizer within the actual car if it has a bad key the immobilizer which actually stops direct fuel injection into the car so sure your car will turn or crank but it won't actually spin it won't spit any gas into the ignition and so your car won't start
kind of like a weird abstractive way of kind of viewing it the ignition actually has an encrypted code within it the transponder it views so you might see a little black ring around your ignition that's actually an antenna that's supposed to communicate or that's receiving the information from the transponder to send that data to the internal ECU which is going to take that speak to the immobilizer the immobilizer is like oh I recognize that code okay totally fine I will begin to send ignition I will begin to start the fuel injection process which I think after 1980 most cars are actually fuel injected now um or at least some form of it you don't have a carburetor in your
car unless it's a classic car which is quite old um what's the range of the transmission uh it is within a few inches however I will get to relay attacks which are ways some ways of circumventing that so does your motorcycle fuel injected absolutely not it is a terrible POS which is why and made in 2007 but is still carbureted so yeah if you're all paranoid just buy a motorcycle and risk your life as I do ell bike trying to sell my bike yeah so uh but yeah essentially this is kind of how it works and if everything's going well the CPU will actually speak to the ignition and the injection parts and then your car will start however if
everything's not present it shouldn't start that being as it may there are ways around it specifically relay attacks and hey just drilling through the ignition and actually physically turning the crank sometimes can um can actually bypass the however smart keys are a recent invention so as recent as and I don't actually have the dual screen that I was supposed to my notes are not up so let's wing it um I think it's recent as 1995 I think it was in a Mercedes-Benz I actually have notes specifically on this but uh smart Keys meaning hey I'm actually going to reach into here and try to dig these [Music] out no don't help me don't help me okay
so so I specifically have and I'm kind of covering the rest of my house keys here CU this is being recorded uh smart key I'm not dumb so a smart key which uh allows you to unlock your car um unlock your trunk within a specific limited range and actually I found out that um and even start your car but I found that the um the internal LF field specifically related to the ignition is actually only supposed to have a tolerance of 10 uh CM meaning people with your key can't just yank your key out of the car and try to start it it need you need to be physically in the car in order to
actually start that however that can be circumvented with some pretty some pretty neat relay attacks um uh and some clever Ingenuity but I'll get in that but yeah so keyless cars are a recent invention but they're also another mechanism that's supposed to add another layer of physical security to the device and so these are the kind of ways you can kind of circumvent that relay attacks essentially meaning hey if I let's say am in a I'm trapped in an airport bathroom and someone is aware of that um I have someone hanging out in the stall next to me and then there is a recipient uh next to my physical car they know that I have some top secret
documents I'm a government shill working at ORNL so why not and they need access to my trunk so they would actually have a um a relay within listening to my key which is very noisy and Loud because it's a smart key uh screaming out and trying to send those same messages basically they're relayed to the trunk which now has the other agent kind of like next to my trunk relaying the other device and opening the trunk so that's a very simple relay attack but you can also so these keys are the specific keys are actually supposed to roll over but you can jam the specific signal in order to actually prevent key roll over because
it doesn't recognize the other side of the key so it keeps retrying the same key and you can use that to your advantage uh you can perform forward uh prediction attacks dictionary attacks which is a form of Brute Force you can drill to the crank to actually start ignition which is another actual type of brute force um this is It's a surprising way uh cars are kind of currently being broken into uh I think Memphis is actually the still number one as far as car thefts or Grand Theft Auto and uh all things if you have a lot of intimate time with a car you can actually uh pull code from the immobilizer memory and just
directly respond to to the the request the immobilizer is required so so when you say drill to the crank are you saying like the the immobilizer is just something mechanical that no prevents you from the immobilizer so some people have or so depending on the specific type of car there are actually two types of immobilizers uh no there's one sorry let me rephrase that there's one type of immobilizer which stops the fuel injection from happening but there's another where it will actually kind of prevent um the crank from turning what people do often I think in 2005 or later there's like a little pin that stops the crank from moving to actually physically start the car they
will drill through the actual like like they'll actually bring a huge big drill and drill through the ignition to knock out that pin and then they physically turn the crank with a screwdriver in order to get the car to crank and go and they just throw a fake key in and pretend like everything's fine for vehicle stop points but it is a problem um so moving on to the infamous OBD2 Port as you guys are well aware um this is your kind of direct link into the heart of your car which I will kind of just the CAN bus is kind of how you speak it's how you speak car to your car it's it controls things such as U not just
Diagnostics but also uh your brakes steering in some ways depending on the features enabled by your car um there's a variety of messages that you can send via CAN that uh uh can be compromised if you have direct access to this OBD2 port um and the ECU which I've recently passed on where is that by the way I do need to keep track of it hey thank you okay cool just making sure uh we're booting it back there oh you're booting it you you loading up Windows 10 you're really excited about it so uh and the ECU is the embedded device that uses CAN to speak to various parts of the car to make your brakes brake and things of
that nature so OBD2 speaks uh CAN and this is the CAN protocol um I think it was alluded to in the previous talk but I'll kind of walk through the individual parts of it there's an arbitration field which is basically the ID of the device trying to communicate um and IDE or the identifier extension which is just a kind of standard bit the same way kind of the uh uh I am comparing this to TCP a bit later but just kind of a standard uh there's the data length which is the size of the data being sent and of course the data now if we compare this to TCP you kind of notice that there's some things
missing um I won't necessarily call TCP a robust protocol but it works you know for the internet and um there are some things missing for example sequence numbers to prevent replay attacks right like you know that a sequence number specifically corresponds to a specific conversation and compromising a sequence number is difficult I won't say impossible but difficult um There Are offsets there specific Flags sent you know there are some improvements on it such as the window size none of this is really present in the CAN bus it's an embedded device designed to speak to all of the other embedded devices within it as such it's typically broadcasted there's no authentication and it's kind of fragile to DoS attacks um there's uh in a paper
I will lead to earlier from 2010 by the University of San Diego and the University of Washington that say that it's PR vulnerable to fuzzing like you don't want to scream a lot because it will break and you'll break your car and you can't turn your car on again oh my God so some e and and some ECUs employ a challenge and response mechanism which these researchers found um that can kind of make it difficult but not necessarily undefeatable so all this is basically to say that as far as the physical access frontier getting in your car is kind of simple this is an Infamous XKCD um kind of basically describing that your specific view of security may not
actually be in line with reality's view of security as I mention there's a lot of reasons people are still bringing a drill to a Grand Theft Auto like it works and uh there are ways to get in so this is actually interesting unless you implement something as complicated as the South Africa was it South Africa implemented Blaster which is two flamethrowers on the side of your car as theft deter there's a whole video correlated to this this but I kind of didn't want to bring that up but U yeah it's surprisingly effective and also illegal in America for all the right reasons um so so it's legal there for a time yes yeah for a time yes so yeah gosh I mean
makes you not want to ride a motorcycle yeah it doesn't so so these are the common tools like when you think of vehicle security specifically physical access like this is it bringing a trans ther in a relay is not what's done it's a set of like slim jims like actually picking into the passenger side door it's a cloth hanger or worse a piece of string which is kind of a popular YouTube clip of people throwing a piece of string into the door and just lifting the lock or as I'll demonstrate or not demonstrate because I'd love to but um show off in this YouTube video uh the porcelain of a spark plug okay so it's going to buzz a bit but
hopefully this will work okay spark plug Hammer got in mik spark Hammer smash Spar clug get ceramic last yeah it's pretty simple so so if you want to get into a car it ain't hard it's not exactly it's kind of trivial as long as you're willing to deal with you know a few consequences like a busted windshield getting in the car is not a problem um what just happened uh he took the uh hard ionized part of of the porcelain of a spark plug threw it at medium strength and this is actually a specific part of it through it medium strength at the tempered glass of a window and if you remember tempered glass is heated cool in such a way that
it is resistant to a lot of um a lot of kind of just not attacks I'm trying to think in pen testing way basically it keeps it from sharding and and breaking in like a dangerous way so it breaks in little tiny Pebbles when it does however it only requires a very small point of impact and because the porcelain is so hard I mean pretty [ __ ] tough uh you can throw it at the medium strength at glass and as long as you can kind of prick just a little bit of the glass the whole thing will sh and breaks into little tiny pieces and tempered glass is in the side and rear parts of
your window or parts of the typical so yeah getting in your car is not a problem so I've seen hammers bounce off car windows but not not spark plug so so chunk chunk of a toilet will do it yeah know no he actually does a later video uh I wish I brought it up but he actually does a later video when he throws both a hammer um a a piece of normal porcelain off a toilet and both of them bounce off the tempered glass but then they use the spark plug and Shad it's because it is specifically so hard and you actually have to have a bit of a jagged point to pierce the tempered glass in such a way
that it just it just gives and it is illegal in C these are called ninja rocks by the way these are illegal in California I don't know why they're called ninja rocks things what a dumb name for uh these are illegal in California um basically like an accessory to bir the same way what is illegal actual no using it within a I know that supect but I don't care so are you a lawyer so so I'm going to kind of change gear so remote attacks so basically physical attacks are kind of just like well we accept it's like that's physical attacks are or at least getting physical access into your car for the most part they're trying to
leave it untampered there's a lot of mechanisms being developed but at the same time there are very very brute force ways of getting into your car meatly so how do we prevent more stitious attacks those the kind of nation states for um you know malicious but ill intented people so I'm going to get into remote attacks and let's talk about Charlie an let's talk about these two guys because they hands down have changed the vehicle landscape more than two other people ever have before by exploring Jeep and sending Andy Greenberg of Wired into the ditch sorry knock over my sorry knock knocked over my Red Bull which should be consuming but I'm siing on water boy is not good so uh this is Dr
Charlie Miller Chris Valasek the paper is listed in the um URL below and then kind of go through 90 pages of how we did it uh it's an extensive paper want read personally but I will paraphrase a lot of it so this is kind of a platform that they were given um initially they found that they were kind of in QNX which is a Unix like system kind of operating with the Jeep um they proved that it uses kind of kind of weak WPA2 passwords um not necessarily completely like like dumb like somebody speak of you know or kind of uh idiotic but actually just that there are only so few passwords because I
think of so it was a remote compromise of key driver functions was essentially what they were able to accomplish and this is unprecedented and I think it's because of the means that they used to get there oh and they put Andy Greenberg in a ditch uh which is that is an actual video so they really sent him careening in there kind of Reckless honestly as pentesters kind of questioning the ethical part of their whole hacking but you know he asked for it he did ask them to show him something interesting um so what did they do what they did essentially and this is a giant paraphrasing of their 90 page paper please read it it is worth it um but I'm
going to paraphrase it in five bullets which grossly understate the amount of work that they spent um but basically they scanned the vehicle for through the Sprint network in order to get specific IP and they ipv4 of the Sprint vehicle on the Sprint or of the Jeep on the Sprint Network um after that they were able to tether via cell phone to the car and exploit specifically the obb chip so basically think of the ODB chip uh within the Jeep is kind of like the um display it's kind of like the dash and the initial kind of media center for the car they were not able to it also had Wi-Fi which they actually found was
useful but not nearly as kind of like wow as the um as the cellular network which actually did expose I think port 6667 which is a well-known IRC Port um desktop bus right D-Bus I'm not entirely sure if it was D-Bus or not I do know that they did expose Port 6667 which is what they were able to use to specifically send messages to the obb chip um but after that so they were able to get on the obb chip but they weren't able to speak directly to CAN so unlike the previous talk given earlier this morning where the ECU and the um kind of dashboard the uh the obb was directly connected they weren't they were air
gapped in Andy Greenberg's Jeep so they had to and and they speak over SPI or spy so they had to specifically within three months of some hardcore IDA and a lot of time reverse engineer the SPI bus in order to actually send direct messages to CAN so this is the hand waving oh it took so long part of it and it's nontrivial um it it's it's it's a fair amount of work but um after which they were actually able to get through the car's firmware to install uh to install an exploit via USB or x uh sorry via USB but specifically the SPI Port I think that's mislabeled pardon um but the end result was basically sending CAN messages to
the vehicle via a cellular signal and I think if you're on Sprint now you'll realize port 6667 is blocked you can't send it over Sprint um which is interesting uh but what they were looking for initially was they started targeting cars with auto parking features and you might think why auto parking well that's a weird specific thing to target it's because your car is parking which means it has control over uh over uh acceleration and steering even more so than cruise control steering it actually can control where your car is going so if they can actually compromise auto targeting they both have acceleration and steering but here's what not a lot of people talk about they weren't alone um in 2010
there's a paper experimental security analysis of modern automobiles written by researchers at the University of Washington University of San Diego that did a physical cyber physical threat model of a modern automobile and they identified and exploited a lot of issues that were exercised by Charlie Miller and um Chris Valasek I think I'm saying that right yeah uh hold on I don't want to five years ear yeah about 5 years earlier Charlie Miller Chris get uh about 5 years earlier like and had no response from the community no one was screaming oh my God these researchers had totally broken into cars and I think it's because they were specifically accessing the OBD2 port in order to get
a lot of these firmwares and compromises kind of into the system and then they were able to compromise them remotely uh so they were like all right cool let's do it again and in 2011 they decided to go through a variety of wireless attacks in order to compromise the machine and same researchers or at least a large majority of them and they investigated both cellular Bluetooth and fmds which is like your CD player and one of the coolest things and I mean coolest they were able to hack the car and install uh malevolent or malicious firmware through a CD they hack the car by mixtape and that's great so cool uh basically the at the time I mean this is 2011 so cars
were actually updating some of the more impressive features of their dashboard and their CD players by CD so they were able to actually inject a uh a firmware update into the CD and broke a lot of surprisingly broke a lot of CD players in the process and I thought that that line listed in the paper was hilarious cuz you can see on top of their like whole research deck is like just a sack a stack of Walkmans just dead from all of their failed exploits but I was just going to say my my brother's is a uh he's a mechanic over at Lexus of Knoxville you know and I we often talk about attack surface of cars cuz he
really knows the car but he doesn't think about it that way and and that totally makes sense to the CD uh because they use DVDs to up update the maps for the nav system you know it's not just for playing audio yeah that's how they actually ship updates so for the recording yeah being able to update maps and and accessories for the uh through the CD player is is a is an attack surface that not a lot of people are keenly aware of and kind of take for granted but definitely can be optimiz or can be um leveraged by a sophisticated attacker even DARPA was involved and DARPA Dan uh Daniel Kaufman remotely demonstrated all
the attacks listed in the paper once again around 2010 2011 um uh and in it he showed that you can you know have remote acceleration you can cut the brakes you can turn on windshield wipers like just kind of arbitrarily control the system via exploits on the CAN bus and yeah he too frightened a reporter by the way he works at Google and Charlie Miller and Chris Valasek now work at Uber so it goes to show like there are vested interests in trying to prevent this sort of stuff so but what I want to kind of leave you with especially for remote attacks is the influence of software and they're all kind of feature driven um ABS allows
software to control brakes cruise control allows software to control acceleration specifically stagnant or increasing because you have a little button that says go faster on your cruise control never touch the pedal so auto parking control steering uh and in the near future and I do mean near um they're trying to implement apps for your car so you can download Last.fm app a SiriusXM app things of that nature are trying to be designed I know you're grimacing don't it I know so I know but this is the future this is the unavoidable future we are walking into and self-driving I mean is it Christmas like seriously are you going to completely give away all of the driving
Mobility to your car and the answer unanimously from the consumer is oh my God yes like like we want to give ourselves to these cars and we don't want to necessarily drive them all the time and they might make smarter decisions than we do so if that's going to be the case if this is our inevitable future how can we best protect it wait until cars can uh talk to each other oh that's going to be even fun I I actually have a lot to say on that um oh this is the okay so you kind of cheated but here's the trivia thing okay how many so I'm going to talk about electric vehicles and this is kind of one of the
the third Frontier that I'm going to talk about but how many electric vehicles I got to keep track of time how many electric vehicles are currently and I'm I'm willing to I'm going do Price is Right Price is Right closest without going over how many electric charging stations are present in Knoxville currently 10,000 47 I'm going to say one per mile they can drive 100 47 okay I heard 75 76 100 no one I I was listening I was listening 75 right there 80 80 charging stations so I don't know what I give you no I'm not there's one within couple hundred feet from here I guess I'll give you what do I give this person I don't
know weird windows with dv6 has three of them he's not counting those so simply within Knoxville or I will say the greater Knoxville area cuz yes I include Oak Ridge blah blah blah and Farragut yes which is a different city yeah whatever uh there 80 there are about 80 charging stations within Knoxville so even us we are we are getting into this field like we thought we were kind of or you'd think that we're small we're not necessarily kind of involved no we are we're keenly involved there more charging stations kind of popping up every day I know Oak Ridge alone accounts for eight 10 of them so so uh about 9 or 10 so like we're getting intimately
involved and and electronic Vehicles actually are going to kind of control a large majority of the market share uh this is a Bloomberg report saying that in 2012 electric vehicles will cost the same as about their internal combustion counterparts basically yes this is Tesla I will just go ahead and say that that's Tesla uh $35,000 is an attractive offer for a completely automated vehicle and uh it's only going to get like not necessarily worse but electronic vehicles are going or specifically electric vehicles are going to be a large majority of the market share in the near future so it's kind of an unavoidable certainty that they will be an issue that we can't ignore um aside from an impending oil
crisis uh electric vehicles will have uh additional Diagnostics more software influence than what I just listed before because not only is it just monitoring that it's also monitoring the battery um maybe it might be smart enough to know GPS and Telemetry to find M's charging stations because that's keenly important to an electronic vehicle uh or to someone that owns an electronic vehicle um and good software is not perfect software right like we know that there are bugs in this code and so more features tends to equate to more problems and I didn't know about this till today one thing I didn't really think about as far as uh electric vehicles ransomware there is actually Tesla
ransomware that as of today finally got the master key like revealed because they just decided nah we're not going to do it uh yeah people can ransomware your car like that that is that is that is an inevitable future that I did not really realize until this morning and I was kind of like reading through my newsfeed today and yeah like people are doing this as of February 2015 people were ransomwaring cars so like that's a serious problem of someone kind of compromising your car in a very different way than we were originally anticipating and finally connected vehicles so unlike everything I've kind of babbled about this is kind of the thing I actually know the most slash least
about uh as in I am now into the field and you know when you begin when you begin to understand a specific subject you realize how little you actually know um but our cars talking to each other and this is a personal opinion I will completely recognize that is an unavoidable future but kind of one that we don't necessarily need to be reluctant to embrace so I'm going to kind of throw up some some terminology I hate doing that because I don't like acronyms but it's kind of important so there's V2V which is vehicle to vehicle V2I vehicle to infrastructure which is kind of like this basically all the vehicles in your specific system kind of talking to your
um very very very busy um intersection there's V2X which is talking to anything which is kind of something I'm not actually as much of a fan of as much as I am the V2V and V2I aspects and there's the intelligent transport system which is basically the giant network graph that you would uh draw between all of the individual nodes in this network um and I say sorry so our cars will be able to speak to one another through a Department of Transportation infrastructure or each other vehicle and it's not like a cell phone because a lot of people are like well oh my gosh you could you know track me anywhere you know the government knows
well yes and kind of no um it's not like a cell phone in the sense that uh it's in your car by law like that is it it's currently reached a notice of proposed law or rulemaking meaning it's on the books to be voted on as far as becoming a potential law people are writing protocols for it it's it's impending um the sensor is far more accurate actually than GPS um I did have all my notes here kind of the specific type of sensor but it is at least at the very least as accurate as modern commercial GPS systems um it has a higher sampling rate meaning even though your phone will kind of sample between specific moments uh
the sampling rate for your car spec is is much more frequent uh has active measuring time and the V2I components facilitated by DOT meaning unlike Verizon which has to get a subpoena before they release certain aspects of uh like your SMS or whether or not you were listening to uh Spotify as you enter to crash uh these are kind of owned by D um and it's not sending out arbitrary data in that nature it's not a cell phone it's screaming out stuff like I am the size I am going this fast um things that are kind of kind of generic and should be adequately anonymized for your specific vehicle and I kind of want to accurately
portray the promise of V2V because it's hands down one of the most unattractive listed so far um but the Department of Transportation believes that this can actually improve safety it can enable more robust crash prevention and if fully implemented in a robust system it can prevent 80% of like stupid crashes as in I'm looking at my phone and I don't recognize that something's happening um it turns out it's a traffic accident up ahead but I'm agitated so I'm veering off into the uh the far right lane even though I shouldn't things of that nature uh it can also improve congestion because everyone's keenly aware of when they should merge and shouldn't it can send sort of uh um
it can relay uh information of a potential crash kind of further up and daisy chain its way up to um or up a specific highway to kind of inform all users that there's a crash ahead and I believe Less in this but uh hopefully by more efficient travel we can also reduce um the kind of harm on the environment from uh the specific impact per commute because not everyone's going to be merging in our lanes uh hopefully and by having a more efficient traffic system we'll hopefully have a better one that can impact the environment uh this is an example of kind of what I was talking about earlier this is um it's not listed I really need
my notes but uh basically this is kind of a demonstration of an oncoming vehicle so let's say that someone stopped ahead there's someone stopped in the middle of the highway instead of everyone kind of careening around that person potentially causing more incidences uh the emergency response vehicle will kind of send a huge alert to the rest of the corresponding vehicles which will then kind of pick up on that and they'll kind of automatically be or they'll automatically inform the driver hey you need to get into the far left lane you need to get out of the way uh there's an incident up ahead and just kind of a warning without having to patiently wait for NPR to get to the new section for
you to be aware of a potential traffic incident is kind of important like you can just be aware of that without having to check your phone mid travel which most of us do uh it can it can really help congestion so that's one of the promising aspects of it and this is the new new new new new this is where I believe as researchers as security researchers or even as just people keenly aware of uh security and kind of where things are going we can make the biggest impact and of course it's inevitable so this is the official notice of uh proposed rulemaking uh to begin implementation of vehicle uh to vehicle communications technology so it is
coming so we should be ready it's kind of my caveat not caveat my so where do I as a dude that's standing before you kind of fit into all this well I work at Oak Ridge and Oak Ridge is actually working on the specific front so what you'll see is this is actually research done at the lab um not specifically within my group I will get into that but uh this is us capturing multimodal sensor data um so in a nutshell I'm going to completely butcher their uh their research but basically they take a variety of bits of information from a specific vehicle and they basically make it a signature uniquely identifying that vehicle and the range finders detect
vehicle information measure distance speed and uh the alarm triggers a bunch of camera snapshots and so what I really like to kind of correlate that into is sure being able to give each individual device or each individual car kind of a signature or some sort of like unique fingerprint for that specific uh vehicle is nice but where it really lines up to is like Amber Alerts what if you tie this into the VY and you notice that they and I asked the question and I know uh uh is it Casey Trent was recently found uh but how many other white vans were stopped how many white Dodge vans were stopped to actually find her like like
they like her specific car was not the only one on the road and if we actually had better Telemetry and better metrics in order to and and what if other cars were not just participating what if other cars were participating in the then knew that the specific vehicle information from this car was requested and they all started not snitching but essentially telling each other that hey these cars are around me and they had this specific signature and I noticed that they received that from me uh we may have been able to find a lot find her a lot sooner so this is definitely a case that um kind of needs to be investigated but definitely has
potential right uh this is something ruse yeah what was that movie there was some movie U where they you know tap it might have been a Marvel movie where they tapped into the cell network like all over the world to find some that is Batman 2 uh that is the the Christopher Nolan yeah that's definitely the Nolan verse uh but I think you're giving it way too much credit it's it's it's much dumber than you think like when it's actually same concept much D crowd sourcing like essentially you're crowd sourcing uh specific oh there crowdsourcing but also there's aspects of like specific entities and uh these signatures are unique but uh there's a lot of noise in
the natural world go ahead yeah how long you keeping the signature for uh in this case is this is specifically just research to see if it's even possible to specifically I honestly don't know because I'm not
impl you're looking at from an investigative standpoint let's look at it from the standpoint if if um cuz I know of a particular case in the situation this is why the guy gave up on the car he'd been waiting on for 3 years if you're an attorney and you're going to in you're going to interview somebody for your case and you don't want the other side to know about it and now you've got something that's tracking your system in your car who manages that who's watching The Watcher uh because now you're in a situation now where that information if you're going to retain that for a longer period of time we already know we got IRS agents who can't
be watched you know how does this go you're now at a point where if you're in those type of secure situations and you are one of those people that does not need to be watched at that point I mean it get it makes me want to go back and finish restoring my 73 cutless and start driving that around town cuz you know there's my answer at that point cuz I've still got the first car I ever bought so I take that start driving in and I don't worry about it but you know there's a side to this from the investigative what about the side where the investigation needs to be kept quiet um of course I have no idea uh I also
don't know the time I think I'm might be running over uh I don't I obviously do not know I obviously have no idea um as far as my projections for of course this has potential abuse I'm not going to ignore that regardless of my government Shilling um however I don't know I don't know to be completely honest with you I don't know uh I think what he's trying like from what from what he I believe he's tell me is that all all this stuff is strictly research just to see how things work and how it can all be done I don't think it's being I don't think the Judiciary is going to be doing anything with this
data no none of this is being exercised in any capacity at any point yeah I I think I think your fears the future are well well warranted however I have no idea as far as where this could be applied at this point um actually kind a general question do you know why tire pressure monitoring sensors have to broadcast out their you know serial number all the time I do not know exactly why are they so chatty and why can't they just be interrogated I do not know I don't I do not know necessarily exactly why they are so noisy because you're correct they are noisy and they do have documented published exploits against them um um how yeah I don't know
specifically why the way it was basically a push approach rather than a pull approach it is a push approach other than the fact that you would like to know when your tire pressure is low so and there's nothing really there's no wire connecting you to your tire in that sort of you got to be inside the tire right so you can't physically go ahead you got a question run cable I think it uh and this is just from my point of view bear in mind I haven't exactly done research on it but I do believe that it has to it does have SP like several information just so that way it actually sends it to
the right car and whatnot like you don't want to pick up tire pressure information of another car and also I think the tire pressure monitors much like o other Technologies and protocols like DNS they were they were made and they work very well however I don't think they were made with security in mind at the time so we're just kind well until we make them better which is kind of my point um this like immediately about vehicle to vehicle communication vehicle to infrastructure communication you're saying it's going to be anonymized I'm thinking they're going to anonymize it but still send the VIN number out um no that's not part of that's not part of it um so talk about
this VPKI okay so VPKI is actually a way so one of the biggest questions in this is how do can how can you trust a message sent from a specific vehicle how can you even guarantee that it's going to be uh trustworthy and um this is actually something kind of I'm Clos closer tied to Jason Carter actually led this project which was develop a protocol or at least one of the proposed measures in order to guarantee vehicle to vehicle communication actually determine whether or not it is or is not trustworthy um essentially they developed an algorithm to ensure driver identities and movements remain anonymous um and kind of anonymizing this information is critical it's okay that
you know cuz we are kind of in a habit of sending out our information but anonymizing as much of this as possible is uh pivotal so in a nutshell and I'm grossly overstating his research but um essentially uh the vehicle itself would kind of be an inter inter a CA uh it would kind of produce and sign its own certificates you cannot hold hold onto your phone it can uh produce and uh sign and verify specific key pairs those are sent of course to other vehicles which man have a banks uh of specific key pairs and uh they're kind of trusted through group signatures uh as kind of the name before so this is kind of how specific messages
sent from one to another or or this is a proposed measure I mean to say how specific messages from one vehicle to another are trusted it also adds a bit of privacy because these pseudonyms will actually change far more frequently than a standard certificate from I guess the web or uh through TLS or SSL uh and are private to each individual vehicle as an intermediary signer and uh the group signatures kind of preserve their uh privacy through cryptographic means so people are sensitive about the travel data but I would like to reiterate kind of that we've all kind of adopted a fair amount of um uh we've all adopted kind of a not necessarily a relaxed approach but we
all share more information I think than we intend to and especially our phone kind of being the main culprit for that um these slides are not mine these are flly stolen by Jason but uh it kind of brings up an interesting point in that we are sharing a lot of information kind of already um and kind of on the forefront of the fact that we're setting a precedent is that we're going to share uh what is it this is Florida's Department of Transportation uh one of the spokesmen said we're going to share information our camera images all our information that comes from the sensors on the roadway and Waze is going to share its data with
us sure like like that's very interesting and and I'm glad that maybe the Department of Transportation of Florida is all adamant about trying to share as much of its roadway data but I mean to what end and um especially if we consider these locations private um we need to be more keenly aware of kind of where this is going so I don't so I'm kind of welcoming your your paranoia but I kind of also would like to bring up that we kind of self-track ourselves uh I personally own a Fitbit I know exactly what it can or cannot relay because I have seen my own traffic and I am surprisingly uh lazy uh I pretty much work out like one
day a week and that the rest of that bar is pretty steady um but we do track ourselves through a variety of applications not necessarily our phone screaming out but we voluntarily partake in it to other corporate entities so the DOT trying to get it to save your life necessarily isn't another one that's that's completely disinterested because they want people to stay alive that's a good report for them so you know there is cynicism but let's make sure it's well metered so I put this slide in specifically to show you that this information is public this is where you can get it but this is the deidentified leberg data it can of show you uh in
frequent visitations and this is kind of just to demonstrate if you do have adequate V2I like vehicle to infrastructure information and it's being pulled uh kind of through either frequent or infrequent visitations you can kind of learn an awful lot about a particular uh uh not even necessarily a particular user this is not necessarily one specific instance but kind of a group of them kind of what's traveled what's not looking much like a Sim City graph if you're a fan of that video game which I definitely am and had to stop for all the right reasons um but it asked it it really asked a lot of really interesting reidentified reidentification reidentification questions which is like what if there's
a large cluster of geo points how do we indicate dense or slow traffic if they're all kind of moving in a herd um what about clusters with small geo points can we estimate velocity things of that nature so I'm kind of hammering through this cuz I'm I'm running out of time but yeah uh you can cluster for patterns and try to see individual patterns and kind of where that lines in and where that goes um and the breadcrumbs of our data provide a rich identifying data source so yeah that I think that's kind of kind of reiterated yeah still go home every day uh yes so I'm not that's awesome so internet show uh cars are now in the IoE yeah
that's pretty much well known um especially with the connected vehicle technology that's something we really can't avoid security is a moving target um and interested parties want to keep you safe also interested parties want to keep want to cause you harm uh I'm I'm not buttering this up in some sort of fantasy land like this is the reality that we live in some like the DOT and and other entities especially government entities are are kind of interested in just keeping people alive uh it's kind of bad for people that just die so there are it's not all super conspiracy bad stuff however yeah duh there there's also malicious entities at work and the laws are in their infancy like people
are reacting more so than just being proactive about the laws currently being written on these sort of things so keep that in mind the next time you vote or the next time you write your Congressman uh so neat talk I want in so what if you actually want to be a part of this what if you actually want to uh you know brandish a flag and March forward uh well I have good news for you so uh there's a vehicle security Center actually located up the hill at Oak National Labs that we are trying to develop and uh this is the national research Transportation Center this is actually an image of it in there we got
a full Dyno we got a huge giant tool kit we have car shark we have a giant big old monitor that you can view and a bunch of other stuff that's currently being developed to like assist people that are trying to do vehicle security within Knoxville yeah I know the guys in uh I know there was a talk earlier specifically about vehicle security but unless you want to fly to Israel I don't think you can exercise a lot of their tools that they have there um but we have one locally and uh currently seeking proposals so if you do have an interest the pricing has not yet been solidified but talk to oh I have them up ahead surprising
not been solidified and the VCS but I want to kind of reiterate that the VCS is not exclusive tol like talk to us let us know and hacking a car the kind of leaving thought I want to give you guys is hacking a car is terrifying but we can do so something we are not as completely uh uh crippled to the impending kind of future that we have ahead of us we can take part in it we can be a part of it so that's so that's what I want to really leave with not necessarily that it's all doom and gloom oh my God they're tracking us but like hey like let's make sure that this is
done proper let's make sure that this is done well let's make sure that if people are interested let's make sure that they have proper access to this sort of stuff so that's what I really want to make you guys aware of uh these are the guys you contact about the lab Jason Carter specific specifically asked to be photographed in the Iron Throne um he's also the guy heading the VP uh the VPKI kind of infrastructure and Stacy is heading the uh specific lab and that's
me