Angry Cars: Hacking the "Car as a Platform"

yeah

basically you think that's good enough all right ready to start there yeah yeah

[Music] all right I'll go ahead and start um my my name is Aaron Aaron Weaver um so I I do security I've been in security for about six seven years um why do I do why am I talking about cars well I just thought it was cool to talk about cars I really don't work for a car company uh my whole goal of this talk is to get you guys more interested in hacking cars because I think that you know we hear a lot of talks around ABAC infrastructure now we hear mobile but I think we need to be doing a whole lot more research on the car side and uh there's a lot of tools out there to to

actually help you hack your car uh I guess I guess one of the biggest things is why people don't hack their car well it's Hing around right and who wants to push the brakes and it not work so there there is the entry of you know uh I still want some some uh I still want to be able to get around but what kind of interested me was Reno came out with a press statement and said hey we are going to be coming out with ourlink and and rlink is an Android uh branded device and we're going to have App Store and we're going to have developers and so we developers to come and we need to have them on our platform

and so you're seeing more uh manufacturers car manufacturers coming up with app stores using the Android system to hook up to their car and I think well is that a Fant CLC idea yeah open up every possible so this guy he runs uh he's their Chief digital officer this is just one example so it can be controlled by voice recognition steering wheel it's like we need help we need developers now so there's this big push right just like the App Store on the Apple side so one of the first things I thought of was with the interface look kind of like this your automobile access to your handb steering wheel remember that right is that what that's going to look like

right and so I first thought of you know an Angry Bird kind of game you know we could do with your steering wheel you know they'll only work in your park right who knows so if you look at your car system in your car the option the luxury cars your Mercedes uh will have you know anywhere between 50 to 70 independent microprocessors and you're looking at 100 megab of compiled code not not source code this is compiled code so a lot of interaction going on there a lot of different manufacturers a lot of room for things to happen and so most cars are still using can bus so can bus is been around for a very very

long time in the early ' 80s can bus came around and so now we're up to can buus I think it's only canbus 2 I believe uh and since I think 1987 the US government has said you know you need to have uh a connector to your can bus because we need to be able to do diagnostics and information like that so we have this proprietary system can buus I mean it's out there the specs out there you can go read it um and now we're also starting to see ethernet for cars now not a lot of cars have ethernet yet enabled yeah um if I may point something out the cable connector is called OBD2 yeah I thought that's what I

said yeah yeah how you get to the car I'll talk a little bit more about the OBD2 Connection in a minute so there's also ethernet for cars uh you'll see different microchips I haven't yet run across a car that I at least have been able to get my hands on that has ethernet does anybody have an Ethernet enabled car yet what they know of they haven't it's still ideas talking about it right okay so here's what it looks like right um You have I mean essentially it's controlling every single part of your car now most systems are going to have at least two canvases now it's because they had Security in mind and they were saying

that hey you know we need to separate the ABS from your you know your luxury you know the instrument panel and the CD player right they they were there was Security in mind right I want to see somebody call me on that it's not true is it why were can buses separated to begin with cuz they weren't fast enough so it has nothing to do with security and you can actually jump uh between the the separate can buses there there's actual interconnects between these canvases so here we go here's our uh OBD2 diagnostic connector it's underneath your steering wheel most Mo in most cars uh and technicians connect to your OBD2 connector and they use that to figure

out hey what's going on what's what's wrong with your car uh and they'll be diagnostic that come back from them and and it's very proprietary uh there there there is only obviously the car manufacturers they don't want to share this information would you agree you've done some hard no no everything is very very very closed and so trying to get information from them is is hard so you're going to have to do some reverse engineering to find that there's a lot of now third party uh OBD2 are that that are offering these you can find them in many different places um before I start this so just to talk a little bit more about this is this is the one of the

challenges with securing your car and that is you still your car mechanic must be able to access the code and access your Diagnostics to be able to do things but they're so they have physical access to be able to change things this is a problem in the security world because how do you you have to trust someone and how do you V you know your Automotive guy maybe you should trust because he could he could do other things besides run code on your computer but there has to be some sort of trust and this is where systems needed to be hardened and I'll talk about how Ford addresses this issue but there should be certain things

that an auto mechanic can do with a an OBD2 connector but he shouldn't be able to change the ecus which the electronic control computers so U so he can't be able to he shouldn't be able to reprogram that now there is a caveat that you know a lot of times stuff is coming out from from manufacturers they need to do firmware upgrades so there's this is the challenge in the automotive industry and every industry is regulated by the government and the government says hey you have to have a certain degree of openness in your platform so I'm just going to show you real quick on car tuning is are there any car tuners in here people do tuning you tune your

car okay so I'll just show you uh what you can do with car tuning and this is using your OBD2 connector so it's just a short little thing and I'm not trying to I don't even use these guys as a company so it's just showing you what it [Music] is hey everybody Dave here from American Muscle whether you know it or not your car has a computer in it that controls all of its function so to speak it's the car's brain when Ford programmed your Mustang they did so very conservative they made the car run on a low grade oan and to give you a mediocre Rod that typically was much more like a family

sedan Ford program needs to appease the masses not for the performance of enthusi the easiest way to fix this get yourself a quality tune this will go in and find a hidden and otherwise wasted power a tune recalibrates your factory program making adjustments to things such as your air fuel ratio your advanced timing and countless countless other settings on stock mustach this is used to increase H power torque and fuel efficiency essentially putting the muscle back in your muscle car now on a stock Mustang a tuner will certainly unleash that hidden horsepower and performance but for the true Enthusiast who's modified the vehicle it's even more important since all right so that was just a little bit of information on

there are lots of autot tuners out there and they find this information on their own I mean there's maybe a little bit but uh you know when you take your Mustang back in to get worked on uh they generally recommend to return to the factory settings uh you can you can void your warranty with doing that kind of stuff and and so so tuning has been around for a good long time how long would you say tuning's been around it's been around for years yeah yeah so we've been doing it for a while so two things one there are a couple of these tuner companies now that have license with software so they did not have to bring

it I don't know which ones they are but yeah uh and then the other thing that's going on right now is just right through repair laws right floating around a lot of States requiring or potentially requiring the manufacturers to open it up to make it even more accessible yeah there are also open source applications including some y yeah so I I did try to get some information from a friend of mine and uh that's the response I got you know um they he didn't want to disclose anything he was working on electric car and that company uh I guess it was charging stations for electric car and there was can bus connections there so talking about that right to

repair uh there is the right to repair Coalition because you know we want to repair our cars you maybe you're under the shade tree what they call it shade tree mechanics yeah yeah and so you want to be able to do that and uh a lot of times you can because you don't have enough information so there is this law out there that I don't it's not passed yet I I know that they've had it passed at Massachusetts this election okay all right um so here's some of the issues with with canas uh it's a broadcast nature right so you're just thinking of you know everybody can see all the traffic that's going across um fragility of dust

right I mean you're looking at you know my can buus on one of on one of my cars is I think it's only like 56k or less than that 22k I can't remember and and my uh my Toyota is 110k so it doesn't sound like it's that fast I mean look if you the the messages the canvas messages are very very short they're 8 bit so there's there's not a lot to it there are Noor fields on there so anybody that's on there will obviously be able to see all that traffic you can then spook that traffic because there's no Source address there and and then there's weak access control so they so so vendors don't don't think

that it's just wide open um so vendors have issued you know challenge responses um and there is encryption I know on on certain cars there's AES 128 encryption 256 so they do issue they can issue that but that's something that the the manufacturer has done but on the whole can security is very Legacy so if you think about this we've got this Legacy system and this it sounds a lot like the ska systems right Legacy Legacy and now we want to connect it to all of our fancy controllers we going connect to the internet we can connect to our phones so how how's that is that going to work out for us I mean is

that obviously there's going to be some issues there uh so here's an example of um Can shark so about two or three years ago two universities started to do a lot of research on this and so they came up with this one program called can shark I from what I can tell is they have I don't think I don't believe that they have released it yet but you can see here um they've got this and they have some demos here so you can unlock the doors remove the start remote start engine self-destruct that' be fun to try uh kill lights cancel remote start lock doors uh so essentially how it works is you just sniff the traffic

you sniff the can codes that go across just go across like a regular bus you look at those and a lot of it's trial and error trying to figure out well okay so on this car this code you know is what takes the window down or this code is what you know will um you know Engage The Brak uh you're not like I said you're not going to find a manual that says this is this is how you do it uh now there are there there are um some common codes out there and that would be the OBD2 spec that's out there but that OBD2 spec is simply Diagnostics it's not going to it's not going to go beyond the

internals of how that specific automobile manufacturer has implemented it uh so here's a cheap up2 diagnostic connector I bought it on Amazon for $14 uh I have a I I brought it here and um it it's actually a really good platform I believe and I'd like to do more with it for uh for hacking um because it's actually fairly open it's using the elm 32 chip which has been around for a while you mentioned you use the elm familiar with Elm 32 Elm Elm anybody here use the elm lm32 chip yeah so that's what this is based on uh lm32 is actually just a pick 18 so if any of you are you know programmed and into

microcontrollers um this is what this is based on it's this is a Chinese knockoff so they they actually are just um yeah they you know in the first talk they talked about getting parts from China well that's this is and that's why it's so cheap you can't even buy an LM 32 chip that cheap so this is the reason why I say this is a good platform is because I can take this I can take I've got a programmer here and I started to do it but I'm also running out of time you know as far as um but I can reprogram this and so I can make it do what I'd like you know if I wanted to have it do

stuff like car shark I could do that with this and it's it's very it's very small so you know if I wanted to go up into you know I don't have a car to do this so I was thinking Justin back there gave me a great idea he's like go get a rental right and Away you go I don't know what happened to it just driving it and uh make sure it's a GM vehicle so you can hack into the OnStar and get your data sent back to you right right don't bother with the rental go work as a h even better so uh that's a cheap one to get into I mean there's lots of them out

there uh you can get uh anybody here torque did use torque back there no you get torque people yeah so you can get all those stats um and they send it over Bluetooth and and you know it's pretty awesome uh I tried it you know I'm going down the down the down the highway going like 70 miles an hour and I'm like oh cool I can see how fast I'm going as I'm looking at my phone I always like just put that down please I can see the you know the temperature so you know it's going to tell you um you know your last misfire uh it will give you all your diagnostic and so if you're a real Gear Head your

gear heads that information's cool to you I could really care less but I think I think it is it is pretty interesting so here's those chips that I talk about um you can buy those they even have a a printed circuit so you can actually integrate that into your own build if you wanted to make your own um you know circuit board and you wanted to put that in there you could do that or you could go the Chinese way and then just roll your own uh which is why I think that's kind of cool um so here here is that that board I just took a picture of it just to show you uh this is their USB interface and

this is that chip right there and this is the programming header if you've ever done any programming uh you can take that and you can reprogram it I was able to pull the firmware off of here um and then I can modify it to to do what I'd like so my my goal is that I'd like to mod make this board modify it to do like you know injection and different things like that now now the thing about this one is is that it it runs on Bluetooth and what do you think the key is to pair it which is hardcoded in there 0000 right so that's that's cool11 yeah and so you can you can tell

that into this and and you can send it at commands that's how the that the interface works and and it will get you back information but you can take it a step further create your own and uh that's one way to do it so Arduino there's a lot of people that like to do ardu um you can do the same thing they've got a nice little Shield here the can bu shield and uh you can create your own little can bus Network and uh you know plug in your Shield there and you can start doing uh can hacking and and seeing what's going on there with your car uh and certain cars are different so

like I plugged it into Hyundai I didn't see any traffic um sometimes they fire all firewall in a way in a sense off the traffic that's there so that you're only seeing you don't see the actual canas traffic so sometimes you have to hook up to maybe um a different wire uh it just depends on your car like I know that my Toyota I was able to hook up and see all the data however that little uh the US the the Bluetooth couldn't keep up with the traffic so I kept getting the buffer overflow a buffer pool which actually they probably do have buffer overflows but that's another thing so here's just some uh examples of

um the different types I mean they have Wi-Fi OBD2 yeah I would recommend that at least running with that for any period of time uh they have you know the little connectors and some of these you know start in the range of 50 to can be anywhere between 800 to 1,000 to even more than that like the fire I believe fire is rather expensive but it does a whole lot of of really cool stuff I mean you can you can really look at what is going on on your can bus I have a friend who's an automotive he works in aut automotive and um so this is a this is one of his uh interfaces that he showed me and he

hooked it up to my car and uh he just showed me how that system works and how it interfaces so I mean dealers you're when you take it in every time depending they'll plug it in to see what's going on with your car uh interesting enough there there is even an option in there to deploy airbag so so you can set off the airbag uh with ob with canvas commands um there there are supposed to be spale safes built in so you know the car should be moving and there should be this sensor hit and this sensor hit those two sensors you know they've got an algorithm that decides whether that that uh that airbag deploys but

sometimes like my my brother was in an accident and the airbag didn't deploy because of the way the car was hit and it didn't it didn't hit Those sensors correctly and so it didn't actually where you have a vehicle where you can turn them off what's that my vehicle I can turn off the airbags and turn off this traction control okay well I know that on the passenger is that even even beyond the passenger wow toj Cruiser to turn off the traction control and the airbags when we're using it Offroad okay nice when I turn off the ABS and mess with the fuel air ratio well so so what's possible with the you know what can we do in the canvas like

what kinds of things can be done so those those two papers that came out in 2010 and I think uh 2009 uh one of the things that they did with car shark was this so Pond by car shark and notice that we're going 140 M hour and notice where we were at we're Park okay so that's all right that's a fairly benign kind of thing um they were able to disable the brakes so maybe have the left brake enabled and the right rear brake not enabled uh and and interestingly enough they were so how did they discover this so they were fuzzing it so I know a lot of guys here you know into application security

or you know how do we find bugs we fuzz it right and we see what happens so fuzzing is just sending data and then let's look at the results of that data so they locked the the the the brakes and they couldn't get them unlocked and so they had to fuzz it and figure out and they figured out that I think it was the sixth bit that actually unlocked that and there was nothing would tell them you know so they thought oh we're going have to go buy another uh we're going to have to repair this module this is why it gets expensive doing some of this stuff because you know either you might um you might actually destroy a

unit or you know to repair it or you know they had these cars up on blocks to actually figure out because I mean you don't want to be driving down and all a sudden you can't the brakes don't work anymore right so here's some here's just an example you know here's the packet so like I said the packets are not that big I mean they didn't show these middle packets here but you know um so they had their you know manual override at speed so they were able to engage the left Brak at speed uh and they tested all their test results and they have a really good paper so if you're interested in looking at more of these

details uh you just have to I think it's carc I have it in my notes in in the end but carse sec.org uh where where they talk about how they did this and they have all these different results and here's exactly how we did it and here's the what what came out of it so if you remember the old Need for Speed right so trying to think of like you know what are some scenarios right they I think what if it went under 50 the bus uh then he would blow up the bus or something like that but we you know you could imagine some scenarios where you know you if you hadn't you know you

wanted to destroy a car you know or you go into a shop and you know you just I could 2 seconds in somebody's car plug this in their obdd two Port uh compromise their ECU um and and maybe say you know in 10 days when they're driving at 60 disable their brakes you know you could come up with like ridiculous scenarios like that that that type of stuff you know I think is it definitely is possible it moves out of the movie realm into actual real world kind of stuff so you know you might be thinking you know I'd like a firewall for my car please yeah uh well there actually you know I I did see one in um the golf the

golf mini is kind of acting like that where uh your peripheral things like your you know CD DVD player any of your infotainment entainment uh entertainment systems are are going through they're going to be firewalled off from the actual you know the the functions that control your braking control your uh um any any part of the any part of the car so so there there are physical firewalls that they do have not to say that these can't be beaten and and honestly do you know the reason why they have that in there is so it wasn't for security it was so that people can't reverse their stuff they they just didn't want them to have the code from

what I can understand it wasn't that's not why they put it in there so you're you might be saying to yourself well that's all well and good you know but but you know if I have access to your car I could go and cut your Brak Lins right okay so you know how is that any different well here's here's the reason why this is all all starts to become more interesting is because there are so many different ways now that we can communicate right we can communicate through our radio uh TPMS tire pressure monitoring systems uh keyless entry uh OBD2 which we've been talking about uh you know we've got our in uh internet pstn telematics we even got

vehicle vehicle communication I think that's going to be a lot of fun and I know this I know that they just did something in Michigan where they're I think they deployed 500 500 to 800 cars that are doing vehicle to vehicle is anybody familiar with the vehicle to vehicle yeah yeah they actually are allowed to do tests uh on the highway where they have a lead driver and all other cars are actually unman and they've done some tests with man drives they've done some drives in Brush hour they had a few accidents with people tail G know don't know if you saw the pictures the video from that yeah yeah yeah but bug we correct it

okay yeah so also like some of these vehicles and vehicle Communications it'll also be able to say you know you have sensors along the road and uh it'll be able to send message marketing messages to your car right you know there's a McDonald's up on the right that won't be abused right I don't think so or you know um the car cars are coming towards you uh just came out of rain and so they'll be broadcasting to your car to say car turn on my you know windshield wipers so I get ready I'm going to be going into rain in in a minute or two here so uh that kind of stuff is is going to be coming and and

actually almost every one of these in just a little bit of of you know attacks that have been done have all been compromised so met module coming out yeah exactly metas for cars right um TPMS I'll talk a little bit about that's been compromised keyless entry uh there there are some attacks on that side um let's go the next so TPMS system tire pressure monitoring system I I just love it that I kind of find the TPMS system annoying but TPMS you have that in your cars familiar with it where it'll tell you you know okay which tire is absolute pain in the they are they are you you how to fix it what's that much leave no take all take

all the sensors out cuz then it say when it broadcast take all the sensors out get a piece of 4in PVC pipe glue a cap on one end put a screw cap on the other end put a fitting valve put air pressure in there throw all five of them in there screw it shut hit it with air pressure throw in the trunk nice I like that because in Pennsylvania they won't pass you on emissions yeah I know if the lights on and if you put aftermarket rims on an Offroad truck or anything if you put rims on anything sometimes the the sensors won't fit just thr in a PVC pipe hit it with air up to the pressure

so the light goes off throw it in the drunk I like that so I guess it wouldn't surprise anybody that uh the communication between your TPMS device and your car is not encrypted it's actually a a number or pretty much a serial number that's broadcasted it's broadcasted every 30 to 60 seconds once your car goes above 5 miles hour so you can do uh all sorts of things the other funny thing about it too is this guy was doing some research on it and uh you can he fuzzed it and so he was able to turn that you know light on and off so we could just fuzz it we just fuzz it off completely um he was able to disable it

there was all sorts of things because they're not doing input validation so in absec we always talk about cross- scripting SQL injection uh well you know you could do the same thing in cars right they they're not doing input validation on on any of the stuff that's coming in so here's an example of what would it look like if you took apart one of your TPMS sensors nice all TVC sorry so Market in case the cops find Trum yeah what is that so all all devices have the fcci ID so if you want to figure out what a device is or what it's doing in your car go to the FCC and they'll tell you all

about it which is really cool because they'll give you actual images of it because they have to go through a certification process and so you get to figure out exactly what microprocessor they're using uh you'll you'll find out exactly what that sensor does so really cool um so one of the ideas they came up with is if you're trying to do some of this stuff is you can really easily they use the G radio to to intercept that traffic that radio traffic and it and it goes a remarkably far distance so what you do is is you set up uh one that falsely broadcasts that your tire pressure is low and then you make a deal with this with a gas

station for a cut to uh you know have their tires looked at and so that's a way to make money uh with your with tire pressure monitoring system uh OnStar so so somebody in here mentioned OnStar uh one of the things these guys didn't 2010 was uh the way OnStar communicates it's actually it's they actually use uh modem um to trans because they want to be able to anywhere you are you know whether you're 3G 2g or 1G they want to be able to uh communicate so they're it's only at like 300 bot and it's actually you know 300 bot and so they were able to replay you know that that that process and they

were able to connect to the OnStar system they were able to find a offer overflow and they found that there was an FTP server running and they wrote a little exploit that was only I think 300 or 400 bytes and that installed an IRC server and so they had two cars that were 1500 M apart they had both compromised them and then they both checked into their ircbot and they then had the car you know play play noise I mean so you can imagine now that they have access to your OBD2 Cann bus connection uh pretty much they can do anything they'd like and so they were just doing that's just a benign attack but they also had it tweeting the

location of the car every you know few minutes so there there's there there's a lot of things that that are out there and so that's why I say I feel like this this field is you know right for finding out finding vulnerabilities and so here this is a screen I mocked up you know this is actually from a botnet but this is not not real obviously but do is it that farfetched to imagine a service I don't know if you ever follow prbs on security he talks a lot about botn Nets and and different things like that so I think I can imagine a system where you know you have these Bots installed on cars and then as

a service a guy you know they subscribe to you and they pay you to unlock the car and you say I want the car unlock at 7:00 or 9:00 the guy gets in pays you 200 bucks and he drives off with it and deals with it it plausible yes no or is it made up so it's made up now but I don't see why why why it wouldn't happen so to me that is the first that is a real you know this term AP right I hate that term so I figured a better word for it is Automotive persistent threat right rebranded is that so uh this is from that paper comprehensive experimental analysis of

Automotive attack surfaces a great long man there but I think you can see that same sort of migration right just like our phones you know from Individual attacks Mass exploitation worms and viruses to third parties selling compromised hosts as Services I I you know I can see that progression same progression happening here so here's an example uh this happened I think a year or two ago where uh an employee was working for a company and they used this for uh repres possessing cars so it's for you know people that may not always make their payments so what they can do is pay by the weak places what's that pay by the weak places like J Rider and stuff you

know you buy the car here yeah and they shut it off and they bring it back and they sell it to somebody else right so they can and they so they can beep the horn shut the car off uh flash the lights all those kinds of things so this guy got fired he didn't like how he was fired and uh all of a sudden you know all these cars weren't starting their horns were going off and so it was just simp access they didn't revoke this guy's access to to the web portal that disabled it and so now he's disabling his car so that's one of the you know more recent examples of what what could

be happening here so this is my friend again's talking about I said because my question to him was how how concerned are the automotive manufacturers with canbas security are they thinking about it and he said absolutely they are thinking about it um and so here's an example of my Ford touch anybody drive the Ford with my Ford touch I don't but um so I'm going to show you some examples from Michael Wester he was uh he works for Forge security and he gave a really good talk on a bsides up in Michigan earlier this year but uh one of the things that they said that they did was earlier this year they had to do an upgrade because there

were some usability issues with with my for and so to each customer they sent out a USB stick you know the letter saying here's how you upgrade your car right so I thought of you know know here's couldn't we couldn't we just how I was thinking all sorts of things with that but you know why couldn't I just print up a letter saying you know from Ford please upgrade your system and hand them the you know mail them the USB and and what they plug it in and what they upgrade their system I probably think yeah um and I was just on their website today and so they're recommended you way to get updates firmware updates is download the

firmware from the internet stick it on your USB drive then go to your car and stick it in that's how these upgrades take place uh no possible problem for yeah I I think there's I think there's some OPP not opportunities but I think there's some things that could be could be looking at there has anybody registered the website for. CM I it's a good idea right uh they also came up with this open XC architecture and you'll see that a lot of this this is uh you know going back to that same type of Chip that I was talking about here microchip but essentially having a set of apis that would tell you the state of your

computer I mean well of your car and then you know they're being like this sort of firewall of sorts and a you know like some restful apis that your phone would talk to and that would be exposed um so that that's called the open XD arure I don't think that's going to go anywhere because I just looked at their site again and they haven't updated anything there so again it's like they promised to be open but then it didn't actually happen from what I can tell or or maybe something's there so so here we can see a parking brake activation and then it's actually sent off to the so to your app which would then read that that

part right there so this I took from U Mike Wester when he was speaking so these are the kinds of things that Ford's thinking about so so the car manufacturers do have this on their mind they are looking at security right so they're saying a a successful attack should require physical access to the internals of the module so they're saying if you have I mean just like any device if you're if you actually have physical control it's really hard to to defend against attack you know it shouldn't be able to immediately transfer from one device to another uh kind of like a worm but I think that vehicle to vehicle communication uh might possibly lend

itself to that in the future uh General perimeter security architecture including Hardware you know we should protect the most important components you know so it's kind of getting into that you know let's since we can't protect we have to open it up here let's protect what we can as well as we can so that's what they were looking for uh external or external non- hardwired or user interfaces should be hard with multiple layers of protection so Ford definitely is uh I think I mean they have a security program for this I don't know about the other cars manufacturers but I know Ford is definitely out there and they actually doing something about that uh protect the vehicle interface at all

costs so really if you get onto the canvas Network I mean it's game over from a security standpoint so you have to protect that as well as you can and so there's going to be like these interconnects uh my for touch uh they're going to try and firewall off and only allow certain access to to the car Network I mean because you can imagine you know you've got du and we're having quad core processor phones coming out I mean what kind of denial service could your phone just do on your car Network I mean because you're looking at like like the chip on here is uh you know it's only running at maybe 16 MHz so you can imagine it would be

very easy to overwhelm that canvas Network and so they're only trying to give that you know only do what's mandated by law and really if any of these manufacturers fail gives that that gives their whole industry a black eye so the uh this company uh is it B Bon I can't remember the name of this company Batel is anybody familiar with Batel I hadn't heard of Batel but Batel is a large research company and evidently they're doing a lot of research into car automotive packing and so just this last uh in September they sponsored where they had high school and college college students come and work with their their technicians and they kind of had a car hackathon which I

think is really cool to to Spur some more innovation in this area as far as security researchers uh are concerned so here's just an example BMW app center right so I can you know use I can Twitter out you know right from my car I guess I don't know I don't know why I want to do that subscribe to that what's that who would subscribe to that Kevin Smith he's too fat to fly we already have Tex Drive walls why do we need Twitter and the car itself yeah well well it's controlled with your uh you know steering wheel buttons you know that's just what I want to do uh here's Cadillac Cadillac has Q so

these are the different systems um so we were talking you you mentioned the the Google car right camera y so this is yeah so this this is actually one of those self- drivable cars which they say is not had too many

accidents yeah so this this is using that yeah the lar right that was a human d one yeah a human driven yeah and there was a deer standing in front of the camera behind called the deer laying on the road

nice so this is the liar on top this is uh doing you know the Imaging providing that 3D model with a lasar I think it's using 60 points um and so in Nevada recently right they just did their hey we you can allow cars to drive on the road right now it has to have a human but that probably change at some point um yeah and then I I found this just just recently there's this other it's got the dumbest name webos is anybody heard of that operating system that is D what's that you're right that is Dum yeah which operating system it's called it's called web webos and uh the other term that they're using

is secure web operating system application delivery environment it's a mouthful so this is BMW's integration of that um so that's another standard out there that's evolving that wants to connect your interface interface this with your car system just another Avenue uh one of the ideas that I thought about was what what would happen if you were able to jam this this system right here you know would this car stop could I could I use it you know I I've been to Kenya a lot what they do a lot over there is uh thieves will just put roadblocks out right and then they'll they'll take the car from you so I guess a modern version of that would

be if you jam the laser then the car stops now you have them right where you want and so you don't even have to put out a physical barrier essentially put out you know a virtual barrier I don't know I'm just thinking of different scenarios of like what happens when these cars can drive by themselves uh you remember uh good old monk I remember one episode where you know they they modified the GPS system and uh the guy followed dutifully followed his GPS into a um he he f it into a warehouse or this you know parking lot in the side you know bad section of town and then the guy rolled down his window

for whatever a reason he's a movie right anyway the guy got shot right and and so you know he's saying I'm going to Skyline Resort and so so it with with our interconnect here is it possible to obviously yes like we can hack the GPS system on a car especially a self-driven car and all of a sudden it's going where it's not supposed to go can we do those kinds of things one of the other things I want to show is there's lots of different ways to um if you're if you're into Electronics this is a um this is an analyzer so I can do canbus sniffing with this uh I mean this will pretty

much look at anything any kind of electrical signal uh this is put out by saay Logic um but I can decode and it's USB based so I can hook this to the two pins on my car and I can look at all the uh can buus traffic and it'll decode it for me now I can't inject in there but uh I can look for a lot of things and then I can write my own API if I wanted to off of it so that's just another way to do it if you have a logic analyzer uh you can can access that so that's pretty much uh my talk I mean my real goal of this was to get

people interested in this and that it really is a low entry and oh just one more thing I'll take your question a second um you can also we were talking about this earlier is you know you could buy an ECU you know like the the actual main controller you know from a from a junk car right and you could set up in your own lab and some people do this where they have it set up in their lab you could set up your own little lab to you know actually fuzz certain um you know manufacturers because that's the that's the problem is I I wouldn't recommend fuzzing like I said I would not recommend fuzzing your car you just

never know that's like a really bad idea yeah have you read much about the the two wire instead of I've looked at it is that the flex Dray or is that some a different protocol so yeah I've looked at it and that's as far as I've gotten with it yeah have you read the white paper on auto plug engineering department did I think the wireless Plug and Play system that interfaces with all the ECU no I I don't think I've read that one yet the other thing if you look at Batel Batel doesn't have any operations in Michigan they're all down by Atlantic City Airport and in Virginia and other places where Aver improv grounds so they're not

really working for the Auto industry they're looking at a way right right they're probably looking to ways to disable vehicles to clear them out for things that are coming out of the Grand Challenge to get around okay so if you've got autonomous vehicles delivering supplies to a war fighter you want to have a way of shutting down the other vehicles on the road so you can get around them yeah that's probably what the tell okay Patel is trying to get Detroit's business that's why they put on is that or obvious is going to mandate they be to have it I mean that's that's goinging down the line too and they see a market there so that's what

they're trying to do that a lot of those a lot of those are actually teaching Scout missions and things like that they're they're doing uh that on somewhat protect also usually larger scale uh more complicated non they're not and they've got redundant sensors a lot of them they're also doing

offro with some of the current self-driving cars they actually do disable themselves when an accident do they at least the self-driving challenge uh somebody rammed the Microsoft escalate not where the stop sign and pushed into the intersection and nice

nice to expand on what you said about the GPS there have been instances of actual military and VHS grade drones getting hacked with like $1,000 worth of equipment right so if that's getting hacked with $1,000 wor of equipment just getting all up but the fact of because of the distance from the flight controllers going up on a SEL down the problem was most of the stuff on the drones wasn't encrypted right so you could pick up those camera feet and everything without having supposedly it's still not encrypted it is because of the distance from now up the satellite back down and that's how you you took the re you took the um s yeah it's a program that once

they lose the controller signal they fly back to the Airfield they launched from So You SPO GPS and make it land at a different field yeah nice they're not all right well thank you