
HarshModi

BSides Calgary · 35:36 · 16 views · Published 2024-03

...floor parking area with those devices. So any time you see someone with a laptop and a big antenna, do not press your fob, or if there are multiple people then you can press the fob, because then it is difficult to intercept that request or anything. Yes, please. [Question inaudible] Do you think that this type of...

So most of the hackers are inspired by games, so I think they would... I think...

Oh, I don't see the difference, but yes. Yes, so Ontario is leading in the country, Quebec is also leading, but Alberta got jealous, so in the last two years car stealing, or car theft, was at its peak; like, it has exponentially increased. I have that slide: there were like 5,600 cars stolen from each of these provinces. British Columbia, surprisingly, is not on the list, but we like to do accidents, like really hack the car, so we are leading the accident thing, or we are too busy with other problems. So I did not see British Columbia on the list, but yes, 5,600 cars is like billions of dollars.

So, for those who have just come: we have not started the presentation, we are just taking questions and answers because of some technical difficulties. Yes.

Yes, sir. [Question inaudible]

As of today there is no solution, but the problem is that cars were invented before computers, and a lot of security started when computers got hacked. And all these big companies have a lot of budget, but I don't know where the budget goes, because they're not using those budgets... they're using those budgets in R&D for the features, but not to secure the cars or make them more secure. Because every year at DEF CON, Black Hat, we have Pwn2Own in Vancouver, so this year Tesla got hacked; Tesla is consistent, reports are submitted every year in Pwn2Own. The future is we have limited access; there's a lot of things. We have integrated computers, and there is a lot of computational power in your cars. To exemplify, you can also play a PlayStation in your car, which requires a lot of input and output and all those things, but I have seen that with a little or minimal effort you can play PlayStation, and because of that computational power, tomorrow, or maybe next year, or within five years, people will start writing malware or crypto that would mine bitcoins in your car and you will never know. You'll never know. So that's... yes, sir.

[Audience] Two questions. First is, how many cars have you collected? Do you have...

So this research is a part of our car hacking research that was sponsored by Cyber Insure, IIT and other companies. So basically we tried to do it for the United States and Europe, so we tried to do a lot of open source tools and everything, and we also invested the budget in some high-end devices to figure it out. But at the end of the day there is always an exploit available for Toyota and all those other cars. I will not name anyone because this is being streamed, so I don't want to face anything. But the security in cars is something that started recently, and before, like, the first car on paper was hacked in front of a crowd like this in 2010. And before that, it doesn't mean that car hacking was not going on, but obviously people did not see the interest in it, and then afterwards the security started. But when it comes to connected cars and everything, we are also applying a lot of computers and all those. Now if you see a car, you have sensors, you have Wi-Fi, you have Bluetooth; I think you can live in your car, you don't need to rent, considering the situation in Canada. But yes, so a lot of those features, then there is the Bluetooth hacking you can do. I have also seen someone doing Raspberry Pi dropping, with the HackRF or any other devices, and all the customers going there are potentially leaking the telecommunication or any other network in the cabs or anything, and then you just call the cab the next day: oh, I dropped my power bank, and collect it, and then you can analyze all the data. So...

Perfect, sure. Next slide. So who am I? I have my own company in Vancouver; before that I used to work for Optiv, PwC and all those Big Four and Fortune 500. These are my names that I've written.

...research... [I do] not promote any car hacking, so I will not answer anything on how to hack your Toyota, Mercedes, or those questions. I also... This research is based on, to entertain or not to entertain, like, helping people to understand what are the things that are found in the industry and how cars are actually stolen, and a lot of people... what happens when they lose a car and all that stuff. But I do not promote car hacking and everything. If you want to learn, then I have some labs and I have some techniques shown here, but if you try to do it on your own car then be careful, you might break your car. That's another

thing, but let's move forward. Why car hacking? So why not, because there's a billion-dollar business in this. It is less secure; there is a huge budget, but we don't know where that budget is going, at least it is not going into security, that's what I can tell. Modern cars are no less than running computers. So this is an example I give, because a lot of people don't understand the car technology, and six months back when I started, even I was not understanding a lot of car terminologies. So when the PlayStation 3 came out in 2006 or 7, at that point what happened is, because it had so much computational power and no other computer was available for $600, $700, people started running Linux code on their PlayStation. So that can be done with modern cars today; I hope people are doing research on that as well, but we'll see those later.

Is car hacking illegal? If you don't get caught then that's another question, but in the United States... I'm not aware of any Canadian constitutional law, I'm assuming that it would be there, but in the United States after 2015 the constitution says good faith, like if you're doing it in good faith. So I don't think that's a good word for the constitution nor your IELTS exam, but if you're doing it only on your car then you are allowed; if you're doing it on any other car then you are not allowed. And odometer hacking and all those other sensors, or if you try to tamper with them, then they are all illegal, because the odometer decides the value of the car, like how much your car has been running. So those things are always illegal. This is a Wikipedia definition, so we'll skip.

Yes, the problem is that he showed it to a lot of people and that's how the news got out. But yes, I agree with your point, but if you're just looking in your car and if you are just doing it for educational purposes, then that's okay; that's what good faith means. But he actually went on a podcast, inspired by the Xbox hacker. So the Xbox hacker in 2003 or 4, he was able to access Xbox networks and then he went on a podcast and showed the entire thing, so this guy also did the same thing. So after that a lawsuit was filed, but usually in North America if you do things like this you get hired by the company anyway.

So this is a history of car hacking. In 2010 it was demonstrated publicly how an ECU can be hacked; a full ECU is an electronic car unit for the cars, and acceleration, brakes, all the safety features were compromised, like without pressing the gas button you can accelerate your car, you can disable the brakes, or you can apply the handbrake and everything. This is the famous 2015 Fiat Chrysler Uconnect hack, then there is Tesla Model S. These videos are available on DEF CON if you want to know how these things... Uconnect is a famous tool that was used by a lot of other companies like Honda, Toyota, Jeep, Chrysler, Ram, Ford, everyone, so ultimately all are affected by this.

Next slide. This is USB entry; this is keyless entry fobs by Samy Kamkar, [inaudible] General Motors: they gave access to the entire car using mobile applications. If you saw my talk on mobile applications at BSides Edmonton, this is... you should never do it. So you hack the mobile application, you hack the car. So that's one of the things, like you should not trust giving your access to a third party developing a mobile app; even if I steal someone's mobile, then I have complete access to your car. So this is something that was available on the dark web, and I've seen the device. So this is a device available on the dark web that can start the ignition mechanism of your car, and if you start the ignition mechanism, basically you can drive the car afterwards. So a lot of people use it; government organizations have tried to ban this and stuff, but here and there these kinds of things come up.

Car hacking statistics. I wanted... the most stolen car is the Honda CR-V, 8,000. These are the data, that is, Alberta: in the last two years we have seen a lot of car stealing reports, and Alberta... the only problem here is that the insurance passes, and then a lot of people don't know where their car went; also, so everyone is happy, it's a win-win situation here. If the insurance passes, the customer doesn't care about the car, the company doesn't care about the car, the police, I will not comment on that, but after that the stealer is also happy because he has also made a profit on that. So yes, these are the reports from the famous CBC, Vancouver Global News and all those things for the last two years. Next. This is also something that I do not approve of, or like: in news there is always something here and there that can be fake or not appropriate, so this was one news item that was found, that the car had been hacked by changing the fob

key. We have not seen any instances where the stolen car is recovered and the internal software has been changed, so be aware of such news as well.

Now we'll start with what CAN and ECU are. CAN is control area network and ECU is electronic power unit. ECU is like just your motherboard, so if you have RAM, ROM, then those are the ECU units, and the entire network that connects all these microprocessors and everything is called the CAN bus, and CAN is a control area network, and they are connected just like veins and your other organs of the body. So now the funny thing is that this is a basic car component model, but you can see there are lots of components, and each of them, like I already told you, there is entertainment system, entry, radio, anti-lock braking systems; all of these things are examples of ECUs on your car, and the CAN basically controls this or sends instructions. In the next slide, this is a bit advanced, but all the modern connected cars would be structured like this; that was a bit of a generalized diagram, but you can see that all these things can be hackable. It goes under IoT pentesting or IoT security assessments, and after that you can break into these: you either control the car or one component of the car and then you can move laterally just like a computer or a network. But yes, so these are all the components; we do need some components, but a lot of those are extra and additional features based on the competition of the market and the other things.

This is how CAN sends data. So I will not go much into this, but there is a CRC and an acknowledgement field at the end, so if you know a little bit of cryptography then you would know that CRC is cyclic redundancy check and all those things. This is the extended CAN data message; I believe it started after... So this is the basic model, this is the advanced model, and basically when you're trying to break into a car you should know that this is the exact packet data that is being sent by the CAN and stuff. Now this is the car circuit without CAN and this is the car circuit with CAN, and now you can understand that this is a serial connection, like a series connection, and this is a parallel connection. So in this connection you have each device connecting separately, so then it is very difficult to reverse engineer that, okay, which binary, which opcode is going to which component part. But here you can see that, okay, from the ECU it will go to the device, or to the headlight or to the brakes or to the cars or to the acceleration path, and from there it is easy to reverse engineer. So this is the modern version; this you would see in a lot of cars today, and with this, if reverse engineering is easy, then you can easily break into it and provide custom instructions rather than doing it by yourself.

Tools used. I have used a lot of tools like this and other tools, and these are all open source: can-utils, ICSim (we have a demonstration from ICSim, that is from opengarages.org), scan tool, Wireshark, tcpdump. Virtual car is another; if you don't want to try it on your own car, or

if you don't have that much budget or something, you can use this virtual car or those simulations where you will know what is actually happening, but you don't end up breaking your car, or any other reasons. If you do it... skip two slides, okay. I personally use Kali Linux because a lot of tools are available on it and it is easy to configure, but there are specific distributions available just for automotive hacking. So there is DragonOS, there is AutoHack OS; AutoHack OS has already been demonstrated at Black Hat and DEF CON conferences, but DragonOS is based on SDR, so you will find a lot of software-defined radio tools there. So if you have a HackRF or anything, all those tools that depend on the radio waves and frequency, then you don't need to configure a lot of things, you just plug and play with DragonOS and AutoHack OS. These are the GitHub links for you to check out.

ICSim: so ICSim is available on this GitHub link, and it is a simulator plus physical CAN, so if you attach it to your ECU then it will recognize it and you can dump the logs of the instructions that are being sent. But here we have not used... here we are using just a simulator for demonstration purposes, but can-utils is used. So this utility, can-utils, has a lot of other packages, but we will use only cansniffer. This is the command to start cansniffer and the interface, and Open Garages has some labs. So basically what Open Garages does is that it will create a virtual instance on your Kali Linux, like a Docker container, and then it will show you that, okay, if you press the A button on the controller, then it is used for brakes, it is used for your front doors, back doors, for the front lights, for the back lights, and you have to reverse engineer all the data that is sent by the CAN bus to each of these ECU components, and then you will find out that, okay, if I send this packet then the car is accelerating, if I send this packet then the brakes are applied, or the front door or the back door is locked. This is the simulation, so basically it's showing a remote, but these are the doors, this is the acceleration and all this. So you have to press here and then you can see that, okay, for the accelerator there is this odometer... this shows that you are at 20, you are at 40 speed, and in the background this is how you can dump the data and you can look into it. So you have to reverse engineer this thing for every car, and you will then know that, okay, this is the byte code, or this is the place which is the exact instruction for the brakes or the acceleration or the doors or any other of the sensors. You know, if someone is passing right beside you there is a sensor, so all these things can come into this picture. I showed two figures, one is with ECU, one is without ECU. When it comes to without ECU, you will have a lot of dumps because everything is going differently, but with ECU this thing is very much less, like compared to the file size and stuff, so that's why it is easy for reverse engineers to find the exact packet data or the opcode, and from there you can just replay this, or with a command line you can send that to the exact ECU. I would suggest something: if you're doing it on your car, if you try to accelerate it, make sure you're not standing in front of your car, because, you know what I mean, right? So it is better to know the car first and then do things like this, because I've seen on YouTube PoCs or stuff where you accelerate the car but you're standing in front of the car, so that's a bit dangerous. So

these are the devices that I use: one is the HackRF One, the other one... So these are like devices ranging from $5 to $10 to $10,000, $20,000, but the devices that I've shown here are around $100 to $500, like purchasable by a common man or someone with a smaller budget, and they have a pretty standard range. So as I mentioned, one room, two rooms, so you can do that in a parking lot or stuff. The other devices that are higher in range, like probably 500, 600 meters or above, those devices are with government or military-level capabilities. Because this is completely radio based, it does not mean that you are just attacking cars, but you can also attack telecommunications and all those other things with this device, because at the end of the day it's just a radio signal that you are passing by the fob.

So the first phase is to jam car key fobs and then we can intercept the original one. There is this one utility, osmocom, that is used to jam all the signals. If you know, or if you have seen any rallies or protests, or not protests, but if you have seen any government entity moving in a car, or someone going for a speech, then you can always find jammers in his car or stuff, and you cannot access your mobile phone, or Wi-Fi is not available, because of the security of that person, though they have advanced devices that have a pretty large range. But you can do something like this at your own level, like in a room or something, for demonstration purposes. So basically what osmocom does, and this is the command: -f is the frequency, HackRF is our physical device that we have, and so basically what it does is that it throws a lot of gibberish into the area; it generates a lot of packets and throws them into the area so that the original packet that is meant for the car or for your telecommunication will not reach its place. And so this is kind of a DoS thing in our application security. So that's the thing. One TV show that has shown this is Mr. Robot; I don't know if you have watched this or not, but they are sitting in the parking lot and they are trying to break into the law enforcement vehicles. But yeah, so if you do that around an airport or any other places then you might mess up the other radio frequency devices and stuff, but you need a very large range to do this; normal devices, or devices available on Amazon, will only have a one-room range. So you can do that: you can bring three or four mobile phones and then you can start this and you will see that you will not have a network or telecommunication network on your mobile phone and stuff, because a lot of these devices are used by military and government to block connections when the ministers or those people are going out; that is for security reasons. Do not do this, because if someone finds you then you are in trouble, because any kind of DoS or any kind of denial of service can put you behind bars.

Now we'll try to capture the request from the fob. So I've written the exact instructions if anyone wants to try and then replay. So just look here: if you have the fob with you, you press the button, the signal is transferred, and I have my device in the parking area or wherever I am, and then that intercept, [inaudible], that is a locking or unlocking device, unlocking relay. If the person does it again, if the instruction passes, then the car is locked or unlocked. So you have to first figure out whether the car is locked or unlocked, and based on that you can see which kind of packet data or radio frequency you have. That's why a lot of thieves use the first request, so that they send a lot of jamming signals into the area and then you are able to intercept the one packet that comes from the fob and then you replay that attack when the owner is not there. A lot of car stealers use this, but also, if you're trying this at your home or somewhere, make sure you are alone when doing this, because sometimes you also capture your neighbor's fob signal if you are both playing at the same time, and that is not legal, because now you have a legitimate request that the car will respond to, and that does not belong to your car. So keep that in mind, because we did face a situation like this.

So now I will show you that this is the exact PoC. You can see the spikes going up; so obviously we were doing this in a parking lot where we only had our car and no one else was present, so whatever we intercept is our car, basically. And then the spike here, there is a button here to replay, and if you replay, the car was opened up, and then I also captured the lock request, and then replaying the request the car was locked and the car was unlocked. So that's it, and then in some cars you have the button to start the engine, so you're good to go. We also covered those older cars where there is no button, you use a key to ignite the engine, but that is not part of this research.

Now if you're a Tesla fan or user, then this is the Pwn2Own 2023

Vancouver. So Tesla was hacked within 2 minutes; a $100,000 bounty was given. The vulnerability was a time-of-check to time-of-use, TOCTOU, attack on Tesla's Gateway energy, and this was done by Synacktiv; it is a French company. I don't know much about them; the only thing I've been close to France is the french fries, so I don't know them, but yes, it was a cool bug. It was covered in a lot of newspapers and stuff, but not a lot of technical things were disclosed in this. But Tesla also has an article acknowledging them, so it is legitimate; it is not like the newspaper article I showed before. Yes, so this is legitimate.

Now we will have something that I found on Tesla, and I reported this this week, because I got a lot of requests from people: are you showing something on Tesla, are you showing something on Tesla? So I started my recon on Tesla and then I found something. So basically Tesla has a feature that shares... you can see here, this is the user usage disc and all those things, and above is the model number, and whether the brakes are applied, or whether the car is locked, whether the passenger or the driver is sitting in the car, because you have those automatic features where if you sit then the heater starts in the seat. So this was all the APIs, and I was able to see coordinates, that is latitude and longitude; then I put it on Google Maps and then it was parked somewhere in Florida. I did not open the complete dashboard because I thought that would be illegal. This is a Tesla Model 3, I believe; that's the latest, I'm not sure, I'm not a big fan of Tesla, but yes. So that's the thing. So if you see the Tesla documentation for that feature, then it says: track live location, check if driver present in the car or not, check if car is locked or not, you can also make an online car go to sleep, the trunk is open or not; this information is also available. And I don't know what Sentry mode is because I have not been able to research much on that, but that option was also available for those APIs, and I'm pretty sure when you open the dashboard you will have a lot more information, where you can toggle these certain options. And so this is pretty bad: APIs are used for these features, unauthenticated or a misconfiguration. So now this is not a car vulnerability, like a physical car vulnerability; this is something that was added on as a feature using the APIs and everything, so web application also comes into the picture. We have something called a zero trust policy, very famous nowadays in application security, but that does not apply to cars and other IoT devices, and that's why, even on a mobile application, there is a web view; if you implement the web view, all of the OWASP Top 10 for a web application is now included in the mobile application. Here, all of the Top 10 APIs are now included in a car hacking scenario. So this is what happens when you integrate, or when you give a lot of features, and then you are able to see everyone on the internet.

My honest opinions: I already shared two of them, that malware will be based on C, and crypto mining, so your car will be earning more than you but you won't know it. And then there will be IoT devices used in car hacking: Raspberry Pi, you can plug in those HackRF and all that stuff, you can place it anywhere in the parking lot or anywhere. And those things... there is something called protected cases, like I've seen a lot of those things on Amazon, but the problem is that still you have to open that case and put the fob in... that is used to not clone your entire fob. So there are devices that can clone your entire fob; then what you can do is that you have a different fob sending the same thing. Sometimes it works, sometimes it doesn't, but even if it is a 10% possibility then it is dangerous. I already mentioned this.

Thank you everyone for coming; I would also like to thank all the BSides Calgary volunteers, speakers and everyone who was involved, sponsors, everyone who was involved in this, and these two days have been excellent for us. Thank you everyone. If you have any questions, we do have [...] minutes.

[Question inaudible]

Yes, we are very far from that, actually. Right now we have just things; we don't have control, so if a circuit is there, it is there. There is no privilege, because the car is used by only one person, so you will either have full privileges or the car is locked. The self-driving: surely there's an additional tier of security present there, or there should be; it should be there. But a self-driving car is automated, like... we don't trust AI today, right? I've seen AI like monkey and cat telling the same thing. But in the future we would have an AI like that who can drive a car, but right now those things are in implementation, so we don't have a lot of information on that. But if there is a self-driving car with no security, then someone can just drive your car for fun and you won't even know it. Like, consider this example: if there is another feature to drive a car, like you have seen in this James Bond movie, right, they have the mobile and from the mobile you can drive the car. So if there is an API with which you can drive the car, then I'm sitting in Vancouver, I'm driving someone's car in Florida, and because of extradition he cannot even come and arrest me or something like that. So it should be there, as that's what I've been saying, that these things, when they were started, there was no security model at that point, and that's why we lack a lot of security models for the car. Yes.

Yes, sir. [Question inaudible]

Okay, thank you for the information. Yes.

[Audience] If the first play two times a signal, and then they're replaying the first one but then keep the second one, is there any protection against that? And is the replay attack still up to date, let's say, since more and more companies are like, okay, you know, replay [inaudible] that way?

Yes, yes. So those are some advanced mechanisms; we have seen those in our research, but just for the presentation I've started with the basic ones, because if I say that, okay, there are two-times iterations, three-times iterations, but you don't know what one iteration looks like, then it would be difficult. It's the same as, like, for anyone who is in web application, like double encoding, triple encoding. But then there are also ways to... because here you are just intercepting and forwarding it, so there should be a mechanism on the car side to understand that this doesn't come from a legitimate user, or someone from a device, not from the car fob. So yes, but we can talk after the session.
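As an added example, not code from the talk, from can-utils or from ICSim: a defender-side check over the kind of CAN traffic the speaker dumps with cansniffer. It parses candump-format log lines, learns each arbitration ID's normal frame rate from a clean capture, and then flags IDs that never appeared in the baseline or whose rate in any one-second window jumps far above it, which is how replayed or injected frames show up on a bus. The log lines, the two arbitration IDs, their periods and the 5x threshold are all constructed for the demo.

```python
"""Frequency-based CAN anomaly check over candump-style log lines.

Added example for this talk; not the speaker's code and not part of
can-utils or ICSim. Assumptions: candump's "(ts) iface ID#HEXDATA" line
format; arbitration IDs 0x244 and 0x19B, their periods and the 5x rate
threshold are constructed values for the demo.
"""
import re
from collections import Counter, defaultdict

# One candump log line, e.g. "(1700000000.010000) vcan0 244#0000000000000000"
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return (timestamp, arbitration_id, payload_bytes) tuples; malformed lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = CANDUMP_RE.match(line.strip())
        if not m:
            continue
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_rates(frames):
    """Frames per second for each ID, measured over a known-clean capture."""
    if not frames:
        return {}
    span = max(1e-6, frames[-1][0] - frames[0][0])
    counts = Counter(arb for _, arb, _ in frames)
    return {arb: n / span for arb, n in counts.items()}


def detect_anomalies(frames, baseline, window=1.0, factor=5.0):
    """Flag IDs absent from the baseline, and IDs whose rate in any window exceeds factor x baseline.

    Returns a list of (kind, arbitration_id, observed_rate) tuples, one per flagged ID.
    """
    alerts = []
    if not frames:
        return alerts
    seen_ids = {arb for _, arb, _ in frames}
    for arb in sorted(seen_ids - set(baseline)):
        alerts.append(("unknown_id", arb, 0.0))
    # Bucket frames into fixed windows measured from the first frame's timestamp.
    start = frames[0][0]
    buckets = defaultdict(Counter)
    for ts, arb, _ in frames:
        buckets[int((ts - start) // window)][arb] += 1
    flagged = set()
    for idx in sorted(buckets):
        for arb, n in buckets[idx].items():
            rate = n / window
            if arb in baseline and arb not in flagged and rate > factor * baseline[arb]:
                flagged.add(arb)
                alerts.append(("rate_spike", arb, rate))
    return alerts


def make_capture(seconds, periods, inject=None):
    """Build constructed candump text: each ID at its period, plus an optional burst (id, hexdata, t0, count, gap)."""
    rows = [(i * p, arb, "00" * 8) for arb, p in periods.items() for i in range(int(seconds / p))]
    if inject:
        arb, data, t0, count, gap = inject
        rows += [(t0 + i * gap, arb, data) for i in range(count)]
    rows.sort()
    return "\n".join(f"({1700000000 + ts:.6f}) vcan0 {arb:03X}#{data}" for ts, arb, data in rows)


CLEAN_PERIODS = {0x244: 0.01, 0x19B: 0.05}  # constructed: a 100 Hz and a 20 Hz periodic frame
CLEAN_LOG = make_capture(5.0, CLEAN_PERIODS)
# Constructed suspect capture: 200 extra 0x19B frames 2 ms apart starting at t=2 s (a replay burst).
SUSPECT_LOG = make_capture(5.0, CLEAN_PERIODS, inject=(0x19B, "0000000F00", 2.0, 200, 0.002))


def run_demo():
    """Learn from the clean capture, then check the suspect one; returns the alert list."""
    baseline = learn_rates(parse_candump(CLEAN_LOG))
    return detect_anomalies(parse_candump(SUSPECT_LOG), baseline)


if __name__ == "__main__":
    for kind, arb, rate in run_demo():
        print(f"{kind}: id=0x{arb:03X} rate={rate:.1f} frames/s")
```

On a real bus the baseline should be learned per vehicle and per drive state, since many IDs change rate when the car is moving; the burst detected here is the same pattern a replayed "door unlock" frame leaves in a dump.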