
Daniel Erazo, please introduce yourself. A big round of applause for him. How are you all? Good morning. It's a pleasure, a pleasure for me. I'm very happy to present this here. This is my first time at a B-Sides. So, how cool that I'm here in Medellín, where the company I work for is located. Before we start: who here thinks their car is safe? Just like the web app they already audited. So, how do you go around the streets with your car? No, I'm kidding. Ready. A little bit about me. I'm a security tester at Fluid Attacks, a company from here. I dedicate myself, as a hobby, to a little bit of hardware hacking and car hacking.
I also perform malware and forensic analysis tasks. I am also an electronic engineer and currently I am a collaborator in the Automotive Security Research Group, which is an open group for anyone who wants to report vulnerabilities and security failures in cars worldwide. All this knowledge that we are going to learn here is a way of getting to know techniques in the sense of ethical hacking: we dedicate ourselves to reporting security failures so that they can be remedied. So, to be able to remedy them, we have to know how attackers hack and steal cars. Anything intended for a different objective is already their responsibility.
So, let's see here, as an introduction, a real robbery where two people are seen getting in through the front left tire of a Toyota car at night. This is in the United States, in 2021, and they manage to turn on the car, get in and consequently take it away. So, at the end of the talk we will know how they managed to do this just by accessing the left front wheel. It's super dangerous, super complicated. This post is from Ken Tindell. He is a person who founded his company to audit cars and give solutions; its name is Canis Labs. Yesterday he posted on his LinkedIn, where he talks about how he is
protecting the cars of the US military, of the US Army, to defend against all these possible armed conflicts that can occur. So, what he does is give decoding solutions, decoding, authentication to the cars that the US military has. He talks about IDPS, which is the Intrusion Detection and Prevention System. We don't have that in cars; we have it in companies, in our infrastructure, the typical IDS, the IPS, but in cars this doesn't exist, so he's implementing that. He's a crack at what he does. I have contact with him, I've also been talking with him about a vulnerability and he has given me feedback. So that's the context of how this is happening. The military is putting in security
because if there's an armed conflict, obviously another country can attack the cars through CAN mechanisms that we'll see. So how does car hacking develop? We have to keep in mind that a car is literally several computers on top of four wheels. Literally around 70 to 200 computers, depending on how new the car is. But in reality there are several computers. What do we call these computers? Electronic Control Units, the ECUs. To give you an example, what is the main computer of the car? It's the one they call the brain, right? It's the Engine Control Unit, which has the same acronym, ECU. So, in the end, this is a computer: it has its processor, it
has its memory, it has its firmware, you can get the firmware, etc. So, there are several computers. Therefore, the attack vectors are very wide. I liked it, it caught my attention and it hooked me into this field, because car hacking includes everything, all the possible vectors that we can see in the ethical hacking part. It includes hardware hacking, because we can do fault injection; there have been cases where in Teslas, via voltage injection, you can skip subscription controls and access subscriptions without paying anything. So via voltage injection, that's hardware hacking, just like finding vulnerabilities in the ECU's firmware. Also binary exploitation, fault injection, as I mentioned, reverse engineering.
We have in the car a protocol called CAN, we'll see it, and reverse engineering is done to find out how it's working. It also includes web pentesting and mobile pentesting, because remember that now we can open and close the car from an app, right? So the app has an upload and a download that goes to the cloud and comes down. So it's handled through APKs. Malware, yes. You can develop malicious APKs so that this malware runs inside the car. Remember that the keys, the alarms, the key fob also work through radio frequency, therefore it also includes hacking through radio frequency. Social engineering, yes, for thefts through social engineering. Social engineering applies to everything. And also attacks through wireless, Bluetooth.
What are our threats? Everything we can connect to the car, that enters the car and whose data the car handles, is a threat. So there are cars that we can connect to through Wi-Fi, so Wi-Fi would be a threat. Also the key fob, which is the alarm to open and close the car. It is a threat vector because in the end we are communicating with the car. The TPMS, which is the tire pressure sensor, also communicates with the CAN data bus. So it is also a threat, because we could cause a false alert and cause a denial of service. The infotainment console, this is a very important concept, it's the typical navigation screen that is in the middle of
our cars, where we watch movies, we see the radio, we play music, we open Android Auto, CarPlay. The USB, yes, we can install malware through firmware updates through the USB port. Bluetooth connections, and the CAN protocol. On the right side we see all the inputs; they enter the vehicle and finally it goes to the CAN data bus. This is also handled in planes; the image in the middle is an infotainment console of a plane, so in the end this CAN protocol works in ships, in cars and in planes. So, to understand a little bit about CAN, we have to keep in mind that all the brains, all the car computers, are connected serially, through two physical lines, two cables, that handle 3.5,
2.5 and 1.5 volt levels. But they are literally connected serially. So we have a resistance of 120 ohms at one end and a resistance of 120 ohms at the other end; it is a serial circuit. And they are connected by these two little cables, but in the end these two cables are like a single cable because they are transmitted as if in the form of ANF, that is, if one is at 2.5 and the other is also at 2.5, then it is a logical one, and if one is at 3.5 it is a logical zero, and if the other cable is at 1.5 it is a logical zero, so it's a logic. So this is
a way to reinforce, because in the end it can also be connected with a single cable. It's a broadcast transmission. Each ECU communicates with all the ECUs, but the destination ECU is the one that receives the messages. Therefore, what can we do? Connect to this data bus and sniff traffic, right? It's important to understand CAN; I always liken it to the Ethernet protocol. Those of us who study a bit of networks know that everything that travels on the Internet is encapsulated in Ethernet and there it travels, right? It is the lowest layer; it specifies voltages, frames, checksum, etc. So in CAN we have that the lowest protocol of the OSI model stack is
the CAN protocol, handled in the physical layer and in the data link layer. It specifies how to encapsulate the frame, the voltages, etc. And there we see a frame of the CAN protocol. It has the data, in this case 64 bits, 8 bytes; I can transmit up to 8 bytes. The checksum, the CRC, the end of frame and the ACK. What is on top of the CAN protocol? We have the OBD protocol. Remember that the CAN protocol is used in planes, in boats, in ships and in cars. What do we use? It's OBD. In planes it's different, in tractors it's different, but precisely in vehicles, in cars, it's the OBD protocol, which also has its own frame. So how
do we access the traffic to begin with? Through an OBD to USB interface, or OBD to DB9 and then to USB. So, in order to access the traffic of our car, we need an interface like this, an OBD to USB interface. Now we go a little higher in the OSI model stack and we move to the 7th layer, which is UDS, Unified Diagnostic Services. This is a client-server protocol where we are the client and the ECUs have a server up, to which we make requests and it answers us. The requests have levels of authentication and we would have to do reversing to be able to start to skip that authentication. So, examples of use cases: start getting
logs, read logs, update the firmware; we can also get the car temperature, that is, get data about the car: what speed, the RPM, the Vehicle Identification Number, which is the unique number of each car, where the manufacturer is specified, etc. So UDS also has its frame; there we can see how its frame is built. So, in summary, for everyone to understand, we have the OSI model stack: in the top layer is the application layer, that is, the UDS protocol, encapsulated in ISO-TP, which is a protocol that allows more than 8 bytes to be transmitted. It simply handles a few sessions so that the frames can be transmitted and on the receiver side they can be gathered. Yes, after
this it is encapsulated in OBD and finally it goes here and it becomes bits 0 and 1, yes, voltage 0 and 1, voltage present or no voltage present. Ready. Apart from that, we have a database called a DBC file, which allows us to read this traffic in order to interpret it. The dealers generally already have this; the typical scanners already have these files incorporated, and they are like rules to transform all the code that is in hexadecimal and not legible into something legible. And we're going to see some demos. Ready. So, let's start here to see some demos that we have prepared, super important. So, what can we see here? Literally, I'm with
my computer, with the OBD interface, connected to the OBD port of the car. That's where we're running Wireshark. What do we have in this Wireshark capture? We have the CAN frame, we have the CAN ID, it's 02B0, we have the data length that will be transmitted, that is, 5... And from there we have the padding and we have the data. From there it is time to do reverse engineering to say what this message means. This is part of reverse engineering. Now, what do we do with this data? We apply this database, the DBC file, to transform it into legible data. What I'm doing is using an open source program called asammdf. And there we see the data as
in... the same thing we see in Wireshark, but here a little more ordered, but literally it's the same thing we see in Wireshark. So the data is like this, in hexadecimal, and we don't know what it means. So we apply these rules; each car brand and model must have its own, yes, it can be, for example, I don't know, a Kia, but each model has its differences. And how do you get to that? Through reverse engineering, so... It's trial and error, trial and error until you find the rules. So, what I'm doing there is putting in the rule that we already discovered and, precisely, there we can observe that we can already
see the data plotted. So, we have an X axis, a Y axis and we can start to see concise data and from there continue with reverse engineering to see what all this traffic means and say, "Oh, look, this traffic is from UDS, it could be that I was requesting a service from the server, I am the client; it could have been the speeds, etc." So there we see a plot, yes, of the speed, the engine RPM, the fuel level. Done. So there is an attack to find out what services my car has. There is an open source tool called CaringCaribou and I'm running it right now in
my car. And as you can see, there is a brute force attack until we discover all the services it has up. This car had around six services up, so each one has an authentication level and by default, the one we are going to see as a proof of concept is the one that is always there. So with CaringCaribou we see what services it has up and you say, "Oh look, I can dump the firmware, I can get information from the car, etc." So this is a brute force attack. CaringCaribou, there are other tools. There are some in Metasploit, in Cactood, and we'll see it too. So within the attacks we have four ways to hack cars, which I summarized in four ways. The first is through the web.
It turns out that a German, David Colombo, was auditing an application that was on GitHub, TeslaMate, which allowed seeing the logs of a Tesla. So users installed this application and could have a graphical interface of the logs and of how their Tesla was behaving. But he found a vulnerability in this app that allowed him to leak an API key. Super important. He tested this API key and it turned out that it gave him access to control around 25 Teslas. Imagine, he could open the car, he could lower the window, he could see the positions of the car over the last weeks, he could...
He had remote access; without even knowing how to drive, he had control of a Tesla, without even seeing the Tesla. So, with this API key, it was literally like a request, like when we make a request in Postman: it asks us for the API key and we send the command and that's it. So this was in 2022 and they proceeded to patch. So imagine, you don't need to know how to drive to hack a car. The second way is through everything that is the CAN protocol, the CAN bus. If we can inject frames, if we somehow enter this data bus through other means, through the infotainment console, through Bluetooth, etc. This is the second method, so I call it CAN injection. This was presented at DEF CON 2023.
Precisely the LinkedIn post of the person, Ken Tindell, whom I showed you at the beginning, was part of this investigation; he did this investigation. So the theft we saw at the beginning is precisely about this car. So, what happens? We have the OBD port, right? And what happens if an attacker externally accesses this port? He can already inject frames, right? So, if someone here has a car and this port can be accessed externally, as in this case, by the left wheel, underneath, as if they broke something there and pulled, then they already have access to the OBD port and they could inject CAN frames. So how did the attacker hide it? This is a real case, a real robbery. What the hacker did was
hide, in a JBL speaker, the circuit that he designed to inject frames. He could have done it with an Arduino, with an ESP32. And what he did, literally, was hide this in a speaker, and this speaker he connects there. So, it's fully camouflaged. So, it could have been his friend who has a speaker, and it turns out that he connects it there. And it's not even a speaker, it's an attack, right? So, he injects frames to open the car and finally it ends up being stolen. This is a tool from 2014, when CAN had no security, nothing, nothing; two Spaniards created a tool that hacked any car, through reversing the CAN protocol, in an automatic way. So they show there, we have the brain
of the car, the main ECU, and next to it we have the tool. They run the tool, it does fuzzing, it does brute force, and it takes out all the possibilities that can be done in the car. With one ECU, well, you know, it has a few more. So, actually, it's really interesting, because literally you could hack any car; we're talking about 2014, yeah. So, we're going to see a proof of concept to enter, to communicate through the CAN protocol. So, we're here in the car and we're going to advance here. So, what do we have there? Yes. So, it's a proof of concept of interaction. What am I doing? I communicate with the
server, on the right side I'm doing a grep of the answer I have to receive, and at the bottom I already have an answer. So it's a proof of concept that you can communicate with the data bus. From that, if you discover the services you have, you can send commands and start with that. It's not that easy, it's not easy at all; you have to do reversing, you have to skip authentication, etc. So, it's not that this works for all cars, no. Ready, if we don't have a car, how can we practice? There is an open source tool called ICSim which, as we can see, simulates a car. We have CAN traffic. The
left part is CAN traffic. So, you see that I start turning on the left turn signal and then the right one. And on the left, I see that this is from CAN ID 188 and it's 01. Then I turn on the right turn signal, it's from CAN ID 188 and it's 02. So I identify, "Ah, my turn signal is from this CAN ID." So what happens if, instead of 01 or 02, I send 03? It turns on both turn signals at the same time. So, things like that are trial and error. And what happens when I accelerate? I discover that the CAN ID for acceleration is 244, and it has a value. So what happens if I do a
while true to keep it constant? So I could inject CAN frames so that... I just injected a CAN frame so that the speedometer stays at a single speed. These are proofs of concept that can be done. So this is on GitHub, you can try it. So from there you can start doing reverse engineering first on this car. There is also another tool called UDSSim to simulate this. So right now we are going to do a reversing proof of concept in a real car. What are we running here? It's the same data that we see in hexadecimal. We see it through a graphical interface, through a tool called CAN Explorer, which is the same as what we can
see, but it shows it to us in graphs. It's easier to see, because if we only see numbers it's super hard. I was taking screenshots, screenshots of the time before and after I put on the turn signal, screenshots. But this helps me to see directly on the screen, in graphs, what is changing. So, there I turn on the headlights of the car and it turns out that the CAN ID is 544, it seems to me. So I notice it, I say, the headlights of my car, the moment I turn them on, it's this CAN ID. It's 549. So it's like a proof of concept of CAN reversing. So there I move the headlights
from medium, medium lights, to intense lights. And what do we see on the Kia screen? That's it. If I don't have the graphical interface, the option is to check it manually. So, for example, you'll see that there's one more line, so that's the CAN ID that we're seeing, the one we have to detect. So, this would be the other way. Ready. Did you know that in Metasploit there are payloads to hack cars? Who knew that? Good. Two people. In Metasploit there are tools to hack cars. So here we are doing a flow. Here we are bringing up a session and we are doing a CAN flood to cause a denial of service. That is, I send garbage to the CAN data bus, I send garbage, too much garbage, until I literally cause a
denial of service in the car. So what I do there is bring up a session. Yes, I bring up a session to be able to communicate with me. It's a hardware bridge. So this is done to start doing the proof of concept. And that's it. You type "search automotive" and you get the entire list of attacks in Metasploit to hack cars. So there we have like 9 or 10 attacks. Ready, I pick option 0 to do the "canflood attack" and I choose the session and I send the attack, and on the right side we are going to see that I am sniffing the traffic and, where there was no traffic on the CAN data bus, it starts to come
out full of garbage, so we are causing a denial of service. Look, on the right side we are using like a frame of whatever, and in the end the ECUs are going to want to process it and we are causing a denial of service. There is also something called Cantut, where Metasploit receives or, as they say, I, as Automotive Security, am sending this to get into Metasploit, and sometimes Metasploit rejects it. So all the rejected attacks are in this Cantut tool. So what do we see here? We are killing the engine of a Ford car. It could be a denial of service; it says "this module will kill the engine of the Ford xx car and execute the attack". So it's
a kind of framework, like Metasploit, but specific to hacking cars. So there we can see that I'm sniffing the traffic, I send the command and everything we're injecting starts to come out. Now let's go to the car keys part, which is super important to know. How does this work with car keys? We are usually in UHF, at a frequency of 433 MHz. We press the open button, there is a receiver, it compares whether it is the code: at the frequency of 433 MHz, it sends a code, the receiver compares the code and opens the car. So, what happens if someone is sniffing the air and manages to capture our signal? Let's keep that in mind. Ready. So
the protection against that is called rolling code. So that if someone is sniffing our car when we open it, variable codes are needed so that a code that has already been used cannot be reused. So it's called rolling code. Basically it uses a pseudo-random algorithm to generate codes every time we press, through a seed; it synchronizes at the beginning and has a memory of 100 to 1000 rolling codes that are acceptable. So, from the studies I've been doing, this is a Mazda and it has a rolling code of 140 bits. So, 140 bits, how many possible combinations are there in 140 bits? 2 to the 140, right? That's a huge amount; breaking that will take us
years. There are other rolling codes in devices like garage alarms or other types that only use 16 bits. 2 to the 16 is 65,536, so that, through brute force, is fully breakable. But usually cars use 40 bits and up. So, as we can see in the image, we have a start, a preamble, and the rolling code that changes every time we press it. So, if I sniff it, it won't be useful because the rolling code changes. It's single-use. This is from a Suzuki car; it uses FSK modulation. What I do is sniff using a tool called HackRF, which is precisely, through software-defined radio, we sniff the network, the air, literally the air, and we start
demodulating the signal. In this case I do FSK demodulation; it can be ASK or PSK. And here we have it also using rolling code. We have here the one from a Renault, it uses 40 bits, so 2 to the 40 is super complicated; we have a preamble and the rolling code is 40 bits. So it would take us too many years to know all the possible rolling codes. And we do an FSK demodulation. Ready. How are there attacks that break the rolling code? And these are categorized as CVEs. In the attack we see here, the attacker manages to make valid some rolling codes that I already pressed, that opened the car, that should not be valid anymore. But he did a rollback attack so that from
the sequence of rolling codes, he can go back, so that all the presses, all the codes that were already pressed and opened the car, become valid again. Playing back previously captured codes from the key fob will be valid. So they discovered that by sending two specific sequences, they managed to reverse and make it return to the initial sequence of the generation of rolling codes. Therefore, all the captured codes were going to be valid. So there we see how the car opens. So, the car is totally hacked. The attack that we're going to see here, all cars are vulnerable to. All, all, all cars. There's no way to protect against this. It's more or less like when it's
a man in the middle. If someone does a man in the middle, there's no way to protect against it. So this is called the RollJam attack. What happens? There are some devices that... or the process is called jamming. That is, the signal that we send to the car does not reach the car, therefore it only reaches me. So, since it never reached the car, this code that I captured, I can reuse it. It's super simple. I jam the signal, that is, I make this signal that the user presses not reach the car, therefore I get it and I can reuse it and open the car. So, this is the typical thing we see with the
Flipper Zero, right? So, let's see. Here's a proof of concept. Originally, the Flipper with the normal firmware is not enough, so we need to install the only-hf firmware that allows us to transmit on the UHF and UP frequencies. So, we're recording the signal on the Flipper. This is 433 MHz, we save it. Super simple. We head to the car and we proceed to open it. As I said, every car is vulnerable, unless the rolling code mechanism is changed. I was just talking to a colleague about how to protect against this, but for the moment everything is vulnerable. All cars. One, two, three. Yes, there this Mazda car opens and we are already inside. This was recorded yesterday; we tested it in a car, we won't tell
you whose, where, when or how, but it's here in Medellín. So, we're with the HackRF, yes, the car opened. I close the car and I proceed to close it with my own signal. And there it closes. I close the car, yes, and that's it. So, yes, all kinds of cars are vulnerable. Ready. This is a bit of hardware hacking. I disassembled an alarm, I started to check the circuit and the components it had, and I discovered that it had an integrated circuit, the HS2240. I googled a bit, the whole datasheet was in Chinese, everything, but I discovered that this IC uses learning code. What is the protection against this? It's rolling
code, right? Everything that doesn't use rolling code is still more hackable. So this uses learning code, which in the end translates into fixed code. It's basically like the alarm receiver manages to show the alarm that emits the signal a code, and that code is fixed. In the end it's fixed code. It uses an LR370 oscillator, therefore it is on the frequency of 370 MHz. Why did I disassemble this? Because I didn't get the signal on the Flipper Zero. I said, "Let's see what happens." It has a board like this, and we have it there. So, the oscillator comes in at 370 MHz, it goes out through the learning code that is already fixed, and it goes out through pin 3, through
the blue emitter LED. So I had done this with a logic analyzer to test and I came to the conclusion that this car is a Kia and uses fixed codes. That is, if I get to hear the signal, I record it, I can open the car as many times as I want and close the car as many times as I want, I don't need anything else; it's like duplicating the key. So I demodulate the signal with ASK and, as we can see, it is a repetitive pattern; obviously I cover everything for safety, but it is a repetitive pattern. And here we see, to finish, I'm here in Quito, I'm from Quito, Ecuador. I went to an abandoned building, I'm on the fifth floor. I managed to capture the
signal from the fifth floor and I managed to open the car from the fifth floor, and the car is on the ground floor, not on the first floor. It's a car from 2023; it's just from the alarm I disassembled. So, this alarm may have the same shape as another with a different IC, so it's not that if we find this same alarm it will be vulnerable, yes. So, it depends on the IC that it has inside, and we have to do these tests to find out. Behind is the Panecillo; who has been there? Who knows the Panecillo? Yeah, that's the Panecillo. So, since we are way up high, right? On the fifth floor. So, there I focus, the car is just below. I use the HackRF,
I raise the antenna; the HackRF has a super good frequency range of 50 MHz. Yes, we hear it there. Maybe because of the audio we don't hear it, but there I managed to open the car and I also proceed to close it with the... Yes, I also proceed to lock the car. So basically I cloned the keys, so that's it. Ready, to finish, right now we have the physical robberies. Who has been a victim of a physical robbery? They steal the brain of the car. I'm going to give a tip; there are several ways to open cars. It's super simple to open the hood, it's too simple. What do thieves do? They enter through the front left tire and
make a hole. It can be by hand, with a drill; they make a hole. And just in the image on the left is the button to open the hood. How does this work? This is not safe at all. It's more or less like a bike brake: it has a little cable and inside there is the tensioner. You pull it and the hood opens. It's like a little rope, yes, it's a simple rope. So what do thieves do? In the image on the right, they access this cable that I'm just marking there. And since they break in underneath, they just pull the cable and that's it. They've already opened the hood. So that's my presentation. Thank you very much. I hope you liked it.
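A defender-side illustration of what the CAN flood and injected-frame demos in the talk look like from the bus, added by the editor and not part of the talk or any project's code: a small anomaly detector that reads candump-style log lines and flags a burst of frames on IDs the car never uses (the canflood denial of service) and a known ID carrying a value never seen before (the 03 on the ICSim turn-signal ID 188). The IDs 0x188 and 0x244 come from the ICSim demo; the baseline periods, allowed values and sample capture are constructed for the example.

```python
"""Minimal CAN-bus anomaly detector over candump-style log lines.

Added example for illustration; not the talk's own code. It flags two things
the demos above cause on the bus: a canflood-style burst of frames on IDs the
car never uses (denial of service) and an injected frame carrying a value never
seen from a known ID (e.g. 0x03 on the ICSim turn-signal ID 0x188).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# candump -L format: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_line(line: str) -> Frame:
    """Parse one candump log line into a Frame; raise on anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    return Frame(float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"]))


# Baseline "learned" from a clean capture (constructed values, not a real DBC):
# expected IDs with their nominal period in seconds, and the byte-0 values
# seen from the turn-signal ID (01 = left, 02 = right, 00 = off).
BASELINE_PERIOD = {0x188: 0.100, 0x244: 0.010}
ALLOWED_BYTE0 = {0x188: {0x00, 0x01, 0x02}}


def detect(frames, window=1.0, unknown_ratio=0.1, rate_factor=3.0,
           baseline=BASELINE_PERIOD, allowed=ALLOWED_BYTE0):
    """Return [(timestamp, message)] alerts for a sequence of Frames.

    Frames are bucketed into fixed windows. A window is a flood when more
    than `unknown_ratio` of its frames use IDs absent from the baseline;
    a known ID is a rate anomaly when it exceeds `rate_factor` times its
    expected count; a known ID with a never-seen byte 0 is an injection.
    """
    alerts = []
    buckets = defaultdict(list)
    for f in frames:
        buckets[int(f.ts // window)].append(f)

    for b in sorted(buckets):
        batch = buckets[b]
        start = b * window
        per_id = defaultdict(int)
        for f in batch:
            per_id[f.can_id] += 1
            vals = allowed.get(f.can_id)
            if vals is not None and f.data and f.data[0] not in vals:
                alerts.append((f.ts, f"unexpected value 0x{f.data[0]:02x} "
                                     f"on ID 0x{f.can_id:03x}"))
        unknown_ids = [cid for cid in per_id if cid not in baseline]
        unknown_frames = sum(per_id[cid] for cid in unknown_ids)
        if unknown_frames / len(batch) > unknown_ratio:
            alerts.append((start, f"flood: {unknown_frames} frames on "
                                  f"{len(unknown_ids)} unknown IDs"))
        for cid, period in baseline.items():
            expected = window / period
            if per_id.get(cid, 0) > rate_factor * expected:
                alerts.append((start, f"rate anomaly: ID 0x{cid:03x} sent "
                                      f"{per_id[cid]} frames, expected ~{expected:.0f}"))
    return alerts


def constructed_log():
    """Constructed sample capture: 1 s of normal traffic, 1 s of flood,
    then one injected turn-signal frame. Not a real vehicle capture."""
    lines = []
    for i in range(100):                      # normal: speed every 10 ms,
        t = i * 0.010                         # left turn signal every 100 ms
        lines.append(f"({t:.6f}) can0 244#{20 + i % 40:02X}00")
        if i % 10 == 0:
            lines.append(f"({t:.6f}) can0 188#01")
    for i in range(300):                      # canflood-style garbage burst
        t = 1.0 + i * 0.003
        lines.append(f"({t:.6f}) can0 {0x300 + i % 60:03X}#DEADBEEF")
    lines.append("(2.100000) can0 188#03")    # both turn signals at once
    return lines


def analyze_lines(lines):
    """Parse and run detection; convenience wrapper for callers and tests."""
    return detect([parse_line(ln) for ln in lines])


if __name__ == "__main__":
    for ts, msg in analyze_lines(constructed_log()):
        print(f"[{ts:8.3f}s] {msg}")
```

A real deployment would learn the baseline from the vehicle's own DBC or a clean capture and run on live frames from the OBD interface rather than a log file.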
Thank you. Questions? Thank you. Daniel, we still see very physical attacks, because you have to have a lot of access to the vehicle, maybe except for hyper-connected cars like a Tesla, but today, when we see interfaces like Android Auto, Apple CarPlay, how much has it been proven that through a vulnerable device you can get through that interface to vehicle vulnerabilities? That's a great question. So, I haven't seen attacks like that, but I have read that the car connects to the internet. Therefore, it is prone. Anything that is connected to the internet is prone. Now, on the side of APKs, it is also very important. If you have a malicious APK on your Android, or in
the case of iPhones, the respective IPA, this malicious APK can hurt the car. In fact, there are attacks that are this malware implementation where you create a malicious APK and you put it... The infotainment console is an Android. In the end, most of the time it's an Android. - The Ukrainian flag, for example, was also there. And the charging stations. So, yes, it's vulnerable. It's like, you have to be careful about that too. Daniel, what else? My question is, in the RollJam attack, how do you prevent the original signal from reaching the car? How do you intercept it so it doesn't reach the car and you can replicate the attack? That's the jamming process. You manage to emit frequencies, not to say the
same frequency, so that it can be canceled. It's more or less like waves: one comes like this, if you put another wave, you can make it flat and it cancels. So you can do that with an ESP32, an Arduino, manually; you need an antenna, an emitter, and that's it. So, the jamming, there are lots of cases of jamming; in fact, there are videos on the internet where they go with antennas. Uh-huh.
Thank you very much for the talk. I ask you about the jamming too. I cancel, I hide the signal of the original remote, but I saw, or I got confused, that you managed to open the door. What signal is the one I send to open the door? As you showed us in the video. Yes, just the attack that is called a replay attack: literally, the signal doesn't reach the car anymore, so it's going to reach me. And I read that signal with the HackRF or with the Flipper. - How do they communicate? Is it an internal server of the car? Or are they always communicating with an external server? About the servers, it happens that each ECU
has a server that is from UDS. Not all ECUs, but in general this is up in the ECUs. So there is the server. So you as a client can connect with your computer and simulate the communication process, which is what I do. So what I do is detect that there is a service, I detect that an ECU is responding to me, then I start to ping it and it responds to me. So each ECU has a UDS. Not all the ECUs, but if it has it up, then you can start to... Good morning. At the beginning of the talk you asked us who was sure that their car was totally safe. You raised your hand. We
see a series of measures that generate attacks that harm us. What would be those hardening measures that you have or that anyone could have to guarantee, give it a little fortification? Not going out on the street, no, I'm kidding. Yes, I mean, the most basic thing would be No, I'm kidding. The most basic thing would be that our alarm, knowing that our alarm uses Rolling Code. That, I mean, look, because as we saw, this car is assembled in Ecuador, it's from 2023 and it doesn't use Rolling Code. I mean, it's like anyone could open with these techniques, with the flipper, with the HGRF, or there are other, there are an infinity of hardware, yes. So, the
basic thing, like making sure it has Rolling Code. How do we do that? with these techniques, I mean, literally, I would have to hack it to know. That, one way or another, googling on the internet, but sometimes you don't find information like you put an alarm, a series, you won't find it. I've done it, you won't find it. So, you won't know that it uses rolling code until you hack it, literally. So, maybe, here's someone with a car that uses fixed codes, because... It's like there are several people. That's one. The other is to avoid the role jam attack, the part of the jamming that interferes with the frequency, is to use the typical Faraday's cage, which is...
putting the keys in a Faraday cage that can be different, like there are processes with aluminum, etc. where they can no longer intercept the signal. That's like, maybe no one is going to do that, but it would be the most recommended. And be aware that no one around us is sniffing, it can be difficult, but it would be measures. But in reality it is complicated.
You have talked about opening vehicles. There are vehicles that use proximity keys that you don't need to press to open the vehicle. Have you had the opportunity to review some of that? And those same keys are the authentication control to be able to start or do any type of activity in the vehicle. I don't know if you've had the opportunity.

With NFC? You just get close and it opens?

Yes, there are times when you just get close and the vehicle recognizes the key close by and it opens. If the key is not inside, the vehicle does not start. There are some that allow... The one that is inside the keys, that is, literally the keys, that is, the physical part. Well, let's say the token, the square, this, the circle.

That's a great question. And just this, as I had presented it in Chile, after the talk, someone came up to me and told me about it. So, that's super hackable, you see. There are people in the underground, literally, it's the underground, that are dedicated to duplicating keys, by emergency, no. In fact, there are services like that, where, "Look, I lost the keys, I want to duplicate it." So, that, how is the code, the NFC, or the token, which is literally like... induction, I send induction and it opens. That's what some cars have, that's what you just told me. That's duplicable, super duplicable. What someone needs to duplicate that is to have manufacturer information, the manufacturer, the OEM, exactly. And that's not just because that information is on the internet, but because it's literally in the underground and there are people who have it and can duplicate any key physically. So that would be it. And in fact, they program it, they go to the micro, they program it into the micro, in fact, they build the alarm, they pull it and everything, they put the same remote, the same sensor that you say, and yes, it's hackable, through this database. It would be a database of information on how to replicate the construction of these keys.

There is another, a last question, I think. There we have a last question.

My question would be, how focused, if this is already something known in the industry, because, let's say, in these OT systems, knowing that there are already digital communication solutions, they have not applied it to this industry.

Great, Bras. We're going to put the slide here to finish. What happens is that the CAN data bus has to be super fast. It has to be too fast. Why? Let's say, in the case of an airbag. When there's a collision, the airbag has to come out in less than a second, right? So that's the complication: with more encryption or authentication, there's less speed. So, starting from that, that's why it was the opposite of that. What it does is that Tindell, there's a crack in this, in the CAN injection and all that, he's making authentication protocols to authenticate the CAN data bus, but it turns out that he realized that he can break this. So, he patched it again and he broke it again. And that's just in the information he gives in the 2023 DEF CON talk. And the security he puts is this, look. It's an IDPS, it's an intrusion detection and prevention system, it's a network IDS to sniff, and from there, look, they're hacking me, look, this CAN frame is not normal that it's here, so they're making a CAN injection. So, that's where it goes. I don't think they increase authentication and things like that, because the protocol has to be very fast. That's it, brother. Ready? Perfect. Thank you very much. Thank you very much. Daniel, thank you very much.