
Introductory Car Hacking

BSides Boulder · 2023 · 47:32 · 145 views · Published 2024-02
Tags
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
This talk will provide an overview of the CAN bus, how it is utilized in modern cars, and how it can be interacted with. This will include an overview of common issues people face while starting car hacking, such as difficulties identifying the protocols in use and reverse engineering which CAN packets control what actions. A review of attacks on the CAN bus and thoughts on the future of car hacking is included.
Transcript

We're going to get started with the next talk, so it's my pleasure to introduce Josh Anderson. He's going to be providing an introductory to, uh, car hacking, so please give him a warm welcome. [Applause] All right, so my name is Josh Anderson. I'm a penetration tester for Leviathan Security Group. Um, yeah, today I'm going to be talking about the basics of car hacking, hopefully give you all an idea of how it works, what common problems are, and hopefully nobody goes home and bricks their car before tomorrow. Um, first we need an understanding of what the internal networking of a car looks like, um, and it's pretty complicated. Modern cars have become pretty involved, pretty

pretty intense internal systems. Um, there's a whole internal network with gateways and multiple protocols in use. There tends to be multiple different buses that all speak different languages; sometimes there's proprietary languages on top of everything in there. Um, for the purposes of today we're going to be focusing on the CAN bus; that's a controller area network bus. It's slow and old, um, and very cheap to implement. When you look at your cars when you go home, you will almost certainly see CAN bus and LIN in there. Um, some other protocols, just to throw out some names so people are aware of them: there's, uh, asrb bus, FlexRay bus, MOST, and vehicular Ethernet. All of these

have their own little quirks and nuances to how they work, and a lot of them are geared towards specific applications. Um, but like I said, we're going to be focusing mostly on CAN today. If you're wondering what exactly all this looks like internally in a car, um, this is the wiring diagram of a 2016 Chevy Impala. The lump sum of knowledge required to interpret this diagram is insane, um, very much beyond the capabilities of myself or honestly any single individual person, in my opinion. Um, and this kind of gives you a sense for why cars end up having vulnerabilities: there's usually a lot of disparate systems interconnected, um, in a way that not everybody who's working on them has

the whole big, excuse me, picture of what is going on. Um, but yeah, we're gonna just be focusing on CAN. In order to understand CAN, we first need to understand what an ECU is. An ECU is an electronic control unit. There are typically dozens to over a hundred, um, in a modern car. Every logical system that performs some sort of operation and needs a control system will be an ECU, and they often need ways to communicate with each other. For example, um, your anti-lock braking system and your powertrain control module communicate and work together to form your traction control system. If you have a car with park assist, it will need to communicate between your radar module

and your instrument panel cluster module. Um, all of these ECUs need a way to talk to each other, and in the old and olden days before we had buses, that means they would all need to be directly wired into each other. If you had your main engine control unit, that would mean dozens and dozens of wires coming out of your engine control, um, and that's just expensive to implement, horrible to maintain, not a great idea. That's why we have CAN buses. Um, because we have a bus, we now just need two wires from every ECU going to the bus, and they will all be able to communicate through the bus. Um, CAN stands for controller area

network. It is a communication network in modern vehicles that enables coordination between different ECUs, like I just said earlier. Um, at the physical layer, layer one, the CAN bus defines the electrical and signaling characteristics of the communication medium, like voltage levels, wiring, and bit timing, but CAN also operates on the data link layer, layer two. Uh, in this way it's kind of like Ethernet. The CAN bus protocol handles tasks related to message framing, error detection, and handling collisions. It also provides a mechanism for transmitting and receiving data frames and includes features such as messaging identifiers, arbitration, acknowledgment, and error checking. Um, I know this is all a bit dense, but I promise we'll get into the really

interesting slides a little later on, and, uh, it'll all build on this foundation that we're building on here. Um, the CAN bus, basically the takeaway here is it serves as the central communication backbone within a vehicle, connecting various ECUs that control different systems and subsystems. These can be responsible for things like engine operation, your car's transmission, braking, steering, infotainment, and much more. It operates in real time and is robust, reliable, and efficient. That is why car manufacturers use it so often, is the robust, reliable, real-time communications that it enables. Um, it is also a broadcast protocol, so that means that anything on the CAN bus will be able to see in just plain text the frames to anything else on the CAN

bus, and that'll become relevant again a little bit later, believe it or not. Um, here's what the frames look like. These frames contain specific information such as the sender's identity, the type of message, and the data being transmitted. Each ECU on the network has a unique identifier, allowing other ECUs to identify where the message came from. These being broadcast frames, they don't have any targets, they don't go anywhere; they just broadcast messages, specifically at what tend to be specific time intervals, to share the state of an ECU on the bus. And each node on the CAN bus is typically configured with a set of acceptance filters that tell it what it is looking for and what will trigger

actions within the ECU itself. These filters can be set based on the identifier, based on the data content, or other criteria. If the identifier of an incoming frame matches what the ECU knows it should be listening to, it will take it and handle whatever logic that node was programmed to act upon; otherwise it just ignores the message entirely. The important part of this frame, of this message, that we're going to be looking at today is the arbitration ID and the data. The arbitration ID is that unique identifier that I mentioned earlier, and it doubles in functionality because it also serves to do arbitration of the messages. Lower arbitration IDs have higher priority on the bus; that's how

they handle collisions. If two ECUs are broadcasting at the same time, say something like your window power control unit and the transmission control module, that TCM is going to have a lower ID because it's more critical to the operation of the car, and it is going to go first, and the window is going to have to rebroadcast over the bus. Um, there are four types of frames that can be sent. Data frame is the most, uh, common one, and that's the one we're going to be handling today, but it's also important to know that there are also error frames. Those are self-explanatory; they are transmitted by an ECU when they detect an error. Uh, remote frames are how

ECUs request information from another ECU. They're sent by a node to request the transmission of data from something with the same ID that goes out in the request. And then there's the overload frame, which is used for flow control, and it just injects an extra delay after a data or remote frame when the bus is getting too busy. Um, this is how fast CAN frames go on the bus. This is a car that is on but not even running, and it is generating hundreds to thousands of lines per minute. Um, ECUs aren't simply sending event-driven messages all the time; a lot of them are sharing their state at fixed points. Your accelerator is constantly

announcing on the bus, um, "I am at zero percent depressed, I am at zero percent depressed, I'm at one percent, I'm at zero percent," just at these fixed intervals, rapid fire, continuously, along with dozens of other ECUs constantly sharing their state. Their engine is constantly checking and announcing its temperature just in case any other components and modules need to act upon that information. Your tire pressure monitoring system is constantly polling for updates, um, because that's also a critical system. Then it just goes real fast. If we pause that and take a look at it here, we can see this dump, um, a little more clearly. That first field there is going to be our interface

that we're listening, not listening on; this is just the output of the candump command. We have the interface we're listening on, that second column is the arbitration ID, and the third, in brackets, is the data size, and then following that is the data field. Everything's going to be in hex here. Enumerating these IDs to figure out which does what, what is ID 164, what is 133, what is 13F, um, it's not a trivial thing to do. Uh, it's usually best accomplished by, well, the easiest way to do it is to look up the spec, see if somebody else put the work in first before you and either open sourced what the arbitration IDs are for

your make and model of your car, or, um, to see if you can access manufacturer data. Sometimes that's behind a paywall, but often you'll be able to look at the manufacturing troubleshooting data to see, "I want to unlock my doors, what is the arbitration ID of that?" Um, but there are ways to manually find that out yourself through rebroadcasting of packets. Um, I'll get into that a little bit more later when we talk about what is possible on attacks. Um, first we need to figure out how do we interact with the CAN bus. The easiest way to do that is going to be your OBD2 port; that's your onboard diagnostic port. If you've ever gone and gotten an

emissions test on a modern car and they just plug something in under your dash, that's what that port is. Um, it's a standardized diagnostic port typically located under the dashboard. It has been mandated in the United States since 2008, so all modern cars are going to have it. That port will always have a 12 volt, 12 volts pin present on port 16, ground will be on four and five, and somewhere in there there will be CAN high and CAN low. It's typically pin 6 and 14, but you should check your wiring diagram to be sure. CAN high and CAN low is what we need to connect to in order to speak CAN to our car.

Um, also, just as a note on here, if you're messing around under your dashboard and you see yellow connectors, always be super careful around those, because those are your airbags, and one of our main goals of any kind of car hacking is don't set off the airbags and don't set off the crash frame. Um, so what do you need to actually start getting hacking on your car? First you need something that can speak CAN. Uh, it can be as simple as an Arduino or a Raspberry Pi hat that speaks the Lawicel or SLCAN protocol. Um, it can be as fancy as the Macchina M2, is kind of the industry standard for this, is the best little dongle you can

get to plug into your OBD2 port to interact with your car and hack on your car. There are cheap options out there and they tend to be pretty good, especially for reading, but they also tend to be slow. Um, we saw how fast messages were flying across the bus earlier; if you can only read at a fraction of that speed, you're going to be dropping frames. Um, if you are just trying to read and identify frames, that's one thing. If you're trying to write firmware to your car, that means you're going to be bricking something important. So if you intend to be writing onto the bus, I recommend at least CANtact or Macchina M2, something that can write fast.

Um, if you're just going to be reading and doing replay attacks, you can use a $20 dongle that you get off Amazon. Um, next you need a way to interface with the CAN. The easiest way to do this, that we spoke about earlier, is just directly plugging in through that OBD2 port, but, um, you know, this is a security talk; we should talk about the unintended ways that you can potentially interact with the CAN bus. All of these, in these threat models, I've pulled these diagrams from the Car Hacker's Handbook, which I'll plug in later on at the very end. Um, all these represent ways that your vehicle can be interacted with. Modern cars tend to have a lot of wireless

systems: they have cellular, Wi-Fi, Bluetooth. A lot of people don't realize that your TPMS, your tire pressure monitoring service, that's wireless. You have, um, little, uh, RFID chips that generate power when you shake them in every single one of your tires. I've actually played around with one physically, and if you go fast enough you send out a wireless signal, and your car is constantly polling for it and listening for those, and that's how it knows when one of your tires is low on pressure. And just as a potential side channel attack, if you were able to send the frame and the ID just wirelessly to make someone's car think that their tire had suddenly blown, and they were a

self-driving car, it's going to take some kind of action. Even non-self-driving cars these days, it's going to take some kind of immediate action to try to control the situation, because it thinks it's going to go out of control because the tire exploded. Um, so again, just something we got to be aware of. Internal to the vehicle, the threat surface: uh, infotainment systems tend to be how a lot of the high-profile hacks happen. Um, infotainment's also just a goofy word that just means the entertainment system inside your car. It's your radio, if you have a DVD player, if you have anything for entertainment or the presentation of information to the driver, like a little onboard touch

screen, that whole system is your infotainment system. Um, a lot of times modern cars have USB ports, the OBD2 connector that we already talked about, and, um, there's always the potential for splicing in directly into the CAN bus. Once you have identified how you're going to be getting into the CAN bus of your car, what can be done? The hello-world-level attack for a car is just replay attacks. Um, they are trivially executable, trivially reproducible, to the point where if you have access to a CAN bus you are going to be able to replay any packets that you want and perform any actions on any ECUs on that bus. Um, I should clarify here, I don't think I

said this earlier, um, your car probably has multiple CAN buses. They will not all be hooked up to that OBD2 port. There will be, I think some modern cars have as many as five, and some, if you want to specifically access a specific ECU, you might need to splice into a CAN bus in the trunk or under the, um, frame of your car. But you will always have access to something over the OBD2 port, and that will tend to include your engine control unit, because that's what diagnostic mechanics will need to be able to interact with. Um, so you've plugged into your port, you have your interface mounted; what does an attack, what does a replay attack look

like? The first thing you're going to do is run candump and perform whatever action you want to replay. Um, say that could be candump, I unlock my car with my keys, I kill my capture. That will all just be a plain text capture of the frames that it saw, that you can repeat and replay over the CAN bus with the canplayer command. You just canplayer -I that log that you played and then confirm that your car unlocks again. Now from there you can look up the spec to see if you can find the arbitration ID of the door unlock ECU, or you can split the whole log in half and

re-transmit those two halves to see which side your, um, frame you're looking for is on. Whichever one of those halves, half A or half B, um, unlocks your car doors, you're going to go there and you're going to do that again. You're going to split it again, and then you just keep narrowing down your packet capture until you have a single frame that you can send manually with the cansend command, and, um, now you know what frame is being listened for on the bus that will generate the action you're looking for, your door is unlocking. You can also do this to start your car, you can do this to, um, roll down your windows, you can do

this to control your power steering if you wanted to, to set the angle of your steering wheel to a certain angle. Um, at a base level this is what any hack you hear about in the news, that they took remote control of the car, they could stop the engine, they could, uh, toggle the brakes, they could steer the car, they're doing this; they're doing this just remotely. Um, oh, it's also important to note that you can cause denial of service on a CAN bus. So if someone was able to maliciously plug something into your bus here and just constantly spam the error frame, or constantly throw noise with a really low arbitration ID that blocks out and

collides with every other message, or even just transmitting on the wrong speed on the bus, um, they'll deny service on that bus and you will not be able to use your car. Um, so the takeaway here is that with the ability to transmit on the CAN bus you can severely impact the car's ability to drive and take over the car's ability to drive. Um, another thing to keep in mind is that the CAN bus is not encrypted. Uh, anything that is thrown over the CAN bus will be plain text, viewable by every other module on that CAN bus. I've never heard of an attack doing this, but I've always wondered why no one has just

written a malicious remote start, uh, module or a malicious radio, there's just some malicious infotainment thing to just listen and steal people's SMS messages when they have their phone connected to their car. If you've ever had, uh, your car ask you if you want to sync your contact book with your car, that gets pulled onto the CAN bus and stored in its own ECU locally, and anytime you're going to get an SMS message, anytime a Bluetooth from your phone is getting transferred through that bus, everything else will be able to see it in plain text. Now, for the average citizen that's not necessarily a big problem, but like if you're the president of the United States, for example, or if

you're a police person in your car and your, um, MFA messages are being transmitted in plain text every time you're in your car, uh, you know, it's a security concern that I just don't really hear a lot of people, um, worrying about. Also, a whole lot of people don't make sure all their information is cleared out of all the ECUs before they sell their car, including the police. I had a, um, buddy who talked about buying second-hand vehicles from a police auction and going in, and it just had the entire contact list and GPS info uncleared from when the car was owned by the police. So yeah, we can do account for our threat model

for sure. Um, it is also possible to read and write firmware to the ECU. That is much more complex and that is beyond my current level of comfortability and skill, but this is how a lot of those high-profile hacks that you hear about in the news get started, is people dumped firmware from the ECUs, reverse engineered it, went and found open developer back doors, went and found vulnerabilities in how the software was written. Um, it's surprisingly often to find manufacturing and engineering modes with, uh, weak authorization checks in place, and, um, sometimes you can even write purposefully vulnerable firmware, firmware that you have backdoored, onto these ECUs. But again, that is a great way to brick your car if you're not

super, super, super sure about what you're doing. Um, I highly recommend checking out Greg Hogan's talk and a whole lot of, um, Car Hacking Village talks from DEF CON on this. A lot of smarter people than me have gone into greater detail about how to do things like firmware hacking and firmware reverse engineering. Um, so yeah, how does this all come together? It's pretty rare for people to, um, gain remote control of a car, but security researchers have managed to do that on multiple occasions with multiple, uh, makes and models of cars. One of the most famous ones was back in 2015: Charlie Miller and Chris Valasek managed to gain remote control of a Jeep

Cherokee, and it was featured on Wired. They drove it into a ditch, they were able to start and stop the car remotely while it was moving, they were able to steer it, they were able to put the windows up and down. I don't know why that one's always listed; it always seems the least impressive to me, um, but they could do it. Um, and yeah, they were able to do this over the cellular network, so it was fully wireless. To accomplish this, Miller and Valasek reverse engineered the vehicle's ECUs and were able to identify a weakness that they could exploit in the, um, Uconnect firmware that allowed them to gain wireless access to the Jeep's internal network.

Um, through this access they were able to view and dump the firmware of ECUs, and they found another vulnerability in an ECU. This one was, uh, the one responsible for controlling the vehicle's infotainment system; of course, it's always the infotainment system. And then as soon as they found that vulnerable ECU that allowed them to write on the bus, it was the same as if they had just plugged into the OBD2 port. They were able to send any commands, any frames, to anything listening on that bus that they wanted, and that bus controlled a whole lot of important things for the Jeep, and so that's how they got remote control in that instance. Um, Keen Lab's Tesla hack, ah, that happened in

2016, and that was, uh, remarkably similar. Um, I really like the attack chain that they did on this one. They were able to identify that the browser, that the web browser that was used internal in the Tesla, was an old version with known vulnerabilities. They tricked the, uh, car into connecting to an evil Wi-Fi AP that they controlled, where they were then able to exploit the vulnerability in this browser to get low-privileged user locally on the car, recognized that it was Linux, recognized that it was an old kernel version, used a kernel exploit to escalate their privileges to root, and I believe doing that they managed to get access to, I don't think it was the gateway yet, but

they shortly, it was just an ECU adjacent to it, and they were able to recognize that the gateway had telnet, because of course it did, and it had a telnet password, but telnet passwords are kind of stored in plain text, and they could dump the firmware of the gateway, view the telnet password, and then telnet directly into the gateway. And then from the gateway they were able to, um, connect directly to the CAN bus and do everything we just talked about earlier. They were able to transmit any packets that they wanted, send any frames over the CAN that they wanted; they had full remote control of this Tesla. Um, I should mention that both Jeep

and Tesla addressed all of these issues, um, fairly speedily. These vulnerabilities do not work anymore, but there's enough difficulty in overcoming the skill barrier in car hacking that there are all these brands that people haven't even really looked at. There are areas that should be explored that probably are super vulnerable that we just don't know about, because nobody's taken the time to parse through the arbitration IDs and figure out what's what yet. Um, one of the issues that I want to look into that I haven't yet, unfortunately, is, um, just free time, I want to figure out how these things apply to my motorcycle. You go out there and Google for it,

there's nothing about motorcycle hacks out there, but my motorcycle has an OBD2 port, my own motorcycle has a GPS system, my motorcycle has all of these remote ways to interact with it that could potentially allow you to do some crazy terrible things. There's a lot; if you just tap the brakes on a car, nothing bad might happen, but if someone was able to remotely tap the brakes on my motorcycle, I would probably die. So, um, yeah, that's why this field is, uh, super important. Um, oh, I also highly recommend checking out Jmaxxz's DEF CON 27 talk. That one doesn't go as much into the CAN bus, but it's a great example of how IoT devices

and adding devices to your car, the barrier to entry for that has gotten lower in recent years, and a whole lot of companies are throwing out frankly poorly made products. Um, where there's, I think in his case he was able to find, he remotely took over and started his car with no authentication in three different ways by hacking on this IoT remote start system that he got; I believe it was MyCar. Um, he noticed in the mobile app there was hard-coded administrator credentials; that was one way he was able to remote start his car and anyone else's car. Um, he was also able to do it through super, super basic SQL injection. You could just throw in the "or one equals

one"; there was no input validation, input sanitization at all in this application. And he could also remote start his car through direct object reference. Super interesting talk from DEF CON 27. So, methodology tips if you're going to go home and do this yourself: uh, the first thing you're going to need to do is gain access to this CAN bus. Find your OBD2 pinouts, look up the spec, find the speed. Uh, try to find out how many CAN buses your car has, and if possible look at wiring diagrams, look at manufacturer data, try to figure out what your target is going to be and what CAN bus you should be on for the action that you're

trying to take. Um, when you're on the CAN bus, for each CAN bus try to find out the speed that they're running at and dump data to get wake-up frames. You can find the speed either by looking up the spec or you'll need to break out a logic analyzer. Um, make different captures triggering all the different ECUs, anything that you might want to do: door open, door close, lock, unlock, car start, um, engine wake-up, anything you might want to do. Uh, try to locate every major ECU. The big ones will be the body control module, the TCU, which is the telematic control unit, um, your gateway, your in-vehicle infotainment system, and your airbags,

because you definitely never, ever, ever want to accidentally fuzz your airbags. Again, that's a bad idea. Um, the recon phase here is really invaluable. Um, try to find any manufacturer data you can, look up your VIN to get details online for your UDS, that is Unified Diagnostic Service, commands. Those are also commands that you can send over OBD2, um, to get information about your car and to potentially trigger, uh, maintenance modes. Um, mechanic forums tend to be a great help. Check for databases, .dbc's; GitHub, there is commaai, that's c-o-m-m-a-a-i, slash opendbc, has, uh, databases of a lot of arbitration IDs and UDS information for a lot of models already compiled out there,

um, that could be a great resource. Um, now I should also mention, I should have mentioned this earlier, uh, if you're hacking on your real car, that gives you a benefit because you'll be able to see all of your ECUs, all of your in-flight information, exactly as it would be in the wild. Um, but you don't have to do it that way. It's relatively easy to set up a test bench. You can go online and just order a couple ECUs, um, for your car or whatever you're looking at, and plug them into a power supply and mock up a little fake car at home. Doing a full entire vehicle is a monumental task and is going to be very expensive. They

actually have a car in a box at DEF CON in the Car Hacking Village; I think they told me it took six months to fully disassemble that car and assemble it again, working, in this Pelican case. Um, but the beauty of ECUs is you don't need a full, they're not aware of everything else in the system. As soon as you power them on, they're going to start polling data and broadcasting data just the same as they would in a car. So if you just wanted to start with your powertrain module and your remote keyless entry system and just plug them in, see if they ever talk to each other, see if you can, uh, detect traffic between your ignition and

your, um, immobilizer, um, you can just buy those units, wire them up together, power them up, and, um, they will have CAN communications, um, that you can look at, that you can test, and it'll have the same arbitration IDs, uh, as your car, as long as you make sure you're still getting the same make and model and year; sometimes they change from year to year. Um, yeah, other useful tools that you might need: multimeter is really good for figuring out what the lines are in your car, a bone tool is really useful for pulling panels out of your car and getting access to some of the hidden CAN buses, obviously a screwdriver and a

light. As far as capture and sniffing tools, you can get a CAN, a LIN, and an Ethernet automotive adapter. Um, those will all be slightly different, but they'll all be different bus protocols for communicating internally in your car. It's also a good idea to have various different wireless sniffers, um, Wi-Fi sniffer, Bluetooth Low Energy sniffer, SDR if you want to get fancy with it. You can do some fun things with key replay attacks, um, if you have something like a HackRF. Um, if you have friends that are mechanics, or if you would like to make a friend that's a mechanic, um, it's surprisingly easy to convince them to hand you their diagnostic tools,

and those tend to have a lot of interesting proprietary capabilities. Again, they just plug into the OBD2 under the dashboard, and sometimes enabling, um, a manufacturer mode, a maintenance mode, or even a higher paid service that you wouldn't be able to get, if, say, if you like didn't pay for the fancy satellite radio on your car and it's currently disabled, usually you can re-enable those just if you know the right frame underneath your car. And if you can get your hands on a diagnostic tool from a mechanic and dump that firmware, usually you can figure out what those secret frames are. There's not a whole lot of security there; it's just security through obscurity more

than anything else. Um, yeah, uh, well, I will conclude the presentation here with some thoughts on the future of car hacking, what might be important and what might be, uh, emerging in the coming years. Um, I personally think as more ECUs get added to the vehicle and the attack surface of the CAN grows, we will have increased remote access, uh, exploits as people figure out ways to exploit infotainment systems over 5G, over LTE, over whatever the cars are using. Um, it is getting more interconnected and easier and cheaper to develop applications for these things, which, as all of us in security know, tends to mean people cut corners, and there'll be a lot of telnet running on

your internal gateway. Um, these, I think, will become more and more important as self-driving cars become common. Um, self-driving cars arguably have a higher reliance on CAN communication availability and, um, integrity for communications on their bus. Um, as I mentioned earlier, a self-driving car that receives an erroneous malicious packet letting it know that its tire has blown will do unpredictable behavior. Um, I know there's talks of vehicle-to-vehicle communication in the future that would allow for things like, um, mesh network communications saying, "Hey, there's a pothole in the road up ahead." Um, if you can broadcast that with good intentions, a bad person can broadcast that with bad intentions. Currently we don't know how the cars are

going to react to that kind of information, because those kinds of systems are not fully fleshed out, but that could be a whole nother attack surface, an attack vector for people to, um, perform malicious activity against each other's cars. Um, I know in Biden's 2021 infrastructure bill he requires that car manufacturers start to look into advanced drunk and impaired driving prevention technology as standard equipment in all cars manufactured, I think, after 2026. Currently the National Highway Traffic Safety Administration is still in charge of figuring out what exactly that means, but based on what they decide, um, it could open up a whole nother method for people to remotely shut down your car, make you unable to drive your

car, make your car pull over and stop in the middle of driving, if you can erroneously trigger these, whatever these drunk driving protections are that are going to be in all cars after 2026. Um, I personally think that probably in the next decade we're going to see some sort of large car-based ransomware event, just based on how the industry has been in the last decade or two. As things get more interconnected, as the systems get more homogeneous and related to each other, eventually someone writes a worm that goes from system to system and just starts to encrypt everything. Um, if there was a way to do that remotely on a whole lot of people's cars,

I think it would see the highest payout of just about any ransomware that's been seen in the wild lately. It's one thing if you lose your files, but if you lose access to your car, a lot of people lose their livelihoods. That's going to be, uh, a whole lot of people that I know would definitely pay that ransom to unlock their cars. Um, and honestly I think it's surprising we haven't seen anything like that yet. Um, anyways, I digress. Here's some more resources for, um, things to look into if you're interested in car hacking. I highly, highly recommend Craig Smith's book, The Car Hacker's Handbook, from, um, No Starch Press. There are also a plethora of talks

from DEF CON. The Car Hacking Village is always a really, really good resource. And if you want to go home and do some hacking yourself but don't want to plug into your car or don't have the hardware, um, ICSim is a fully virtualized CAN bus and car environment. You can control it either with your keyboard or with a remote controller and generate, um, all the little traffic you can see on the top, and the screenshot down there, there's an accelerometer, there's a tiny outline of the car with one door open. You can lock the doors, you can open the doors, you can brake. Um, it's a really great way to get started in just seeing what

interacting with the CAN bus looks like. And that's all I have for today. Um, thanks for listening, everybody, and if anybody has any questions... do we have time for questions? Sweet. Yes? Can we call dibs on the morning crash? Yes, we'll just pen that in right now. Oh, yes? You mentioned not all the ECUs, there could be up to five, and those aren't connected. You got to find a way to patch up some of those that don't have the nice easy accessible... is there a method to that? Did it put some of those critical systems on the harder to access emphasis, you hope? There's definitely, one of the, um, common defenses and the best defense

internally for your car is segmentation. Um, gateways will control communication between disparate CAN buses, and, um, if you segment out your infotainment system and everything that has wireless communication from your car's operational buses, um, it gets a lot harder. Suddenly you need to exploit the gateway specifically instead of just any ECU to be able to send things over the critical CAN buses. In the case of Tesla, they did have it segmented out, and they did just get access to the gateway through that telnet, but in cheaper cars and in older cars they tend not to, uh, have that segmentation in place. But yeah. So there's no, like, standard around them, right? Everything manufacturers... Not currently. I think there's some laws

that kind of are in place now about how cars need mandated security testing. I think they might be starting to, um, enforce segmentation of critical systems, but don't quote me on that, that might just be me being hopeful. Um, but yeah, there's definitely not a standard across manufacturers about "this needs to be here, this needs to be here" or anything like that. Last question: have you connected, have you bought an individual airbag and connected it to ECU? No, I have not. I've not bought an airbag. Uh, maybe I should. That does seem like fun. They're pretty expensive, but that definitely seems like fun.

I think, uh, we got the microphone coming around now. I forgot we're recording, so that's going to be a good idea. Um, is the gateway essentially like a message firewall? Like, is it blocking certain arbitration IDs and only allowing certain ones through? Is that... Yes. Okay. Um, critical systems as needed through, and then if you have, like, um, something coming from the, uh, infotainment section, or the arbitration ID of your window motor, like, it'll be like, "there's no reason for this to come through." But yeah, it'll be filtering based on arbitration ID or data fields. Awesome. And then my actual question, um, the arbitration IDs, you said, kind of set

the priority of the messages. Um, is it safe to assume those are, like, sequential? Like, ID 1 is a higher priority than ID 2? Yes. Okay, so you could presumably, if you say, like, I got the arbitration ID for, like, window roll up and down, I could test every arbitration ID higher than that, knowing that I probably won't hit the airbag arbitration ID. Is that the logic there? I'm hesitant to say yes, only because I'm not certain. I feel like the logic there is sound, um, but there are ways that you could accidentally end up triggering a crash frame. Um, the crash frame is when your vehicle is in an accident, a whole bunch

of your ECUs that are able to detect damage will send off "we have been in a crash," and it'll do things like try to shut off your gas flow, try to, um, keep the engine from running so you don't damage your cylinders. It'll halt a whole bunch of things in your car, and I know I accidentally triggered that by fuzzing something that I thought was safe, so, um, there's a chance you could run into a scenario like that.

Yeah, my question is related to, like, external access to the CAN bus. I'm imagining you could probably take a tire off and talk to the receiver portion of the TPMS, at least get to the wires to speak on the CAN bus. Are there any other likely venues, external, like without unlocking the car, that you could actually talk to the CAN bus? Um, let's go back to this guy. Um, so splicing into the CAN bus, I think it's a little bit, uh, like, if you get under the car with an angle grinder, um, all bets are off. You're going to be able to find wires, and then your hardest bit is going to be trying to identify

which of those wires are the CAN bus. Um, if you can sit under there with a multimeter for long enough, you'll definitely be able to find access. Um, I know that there are, if you were able to pop off the front bumper and take out the headlights, I know that in some, um, cars the headlight, that you can move the headlights around in, have their own dedicated CAN bus, um, so you could probably get in that way. Um, it's a case of, if you have physical access to the car and enough time, you're probably going to get onto the CAN bus one way or another. I personally would, um, try to break in through the locks. I know,

I know enough about lock picking that I imagined that that would be the easiest way for me to get in, just with, uh, either a shim through the door or a jiggler key of some kind. Um, yeah. Does that answer your question? Okay.

So, speaking of motorcycles, what are you riding, and have you started playing with something like dealer tool to, uh, get into it? Um, I have a KTM Duke. And what was the second part of the question? Have you started playing with tools like dealer tool or something like that? Uh, I haven't yet. I've been meaning to. I let its battery die over winter, and I was intending to have some, um, information about it for this talk, but I just ran out of time. Um, but that's definitely something I'm gonna start looking at pretty soon here. Any other questions?

Looks like we're good, so give up a warm round of applause for the speaker. Thanks, everybody.