My talk is a bit about hacking into clouds, but more in the automotive area. My expertise comes from hacking into different factories, different suppliers, different areas. As you can see from my job, I work for a company called CYMOTIVE; it's a company partially owned by Volkswagen. What we do, usually, is a lot of end-to-end security testing: breaking into clouds, breaking into the different infrastructures of the different OEMs that we are working with. We are also creating and bypassing ECU protections, showing how we can hack into the ECUs, and building different security products. So in the last year I've been defining and helping with building different security products, using my knowledge of how to hack into stuff.

A bit about myself: I played a lot with robotics in the past. From high school I won different awards from the FRC, the FIRST Robotics Competition, which is a NASA competition, and the Trinity firefighting competition. I won the most-bugs award at a car hacking event last year. And two years ago I was traveling with my daughter and wife; we were just taking a year off from life and traveling Southeast Asia, Switzerland and places like that.

A bit about what I will talk about and what I won't talk about. Because I'm working with all these OEMs and different companies, and they have very strict NDAs, they don't allow me to expose anything. But I did want to expose a few things, so what I decided to do is this: I don't put in any names of any of my clients, I don't put in any knowledge of what's happening, and I played around a bit with the vulnerabilities so as not to have a full exploit chain. But first: does anybody here know about the automotive industry? A bit? Okay, so most don't. So I want to talk a bit more about what is inside the automotive industry and what has changed over the different evolutions that we're having.
The first evolution is the key. In the past, the key was a very low-tech key that was very easy to hack. What happened is that it became a requirement to have more security and more integration into the key, and we got this key that has RFID and different kinds of connections with the systems in order to make sure that nobody can steal a key. And now we have keyless systems and different systems like that. But for this, the automotive industry isn't working by itself. The OEMs are working with different suppliers: for every technology we are using, we are using a different supplier. Over here I saw some Siemens and some Lear, and we have Continental and we have Bosch, and we have lots of different ECUs from the suppliers that are going into the car. This means that we also need to connect to different suppliers, need to connect to everything. And if we look into the future, now we are planning to put keys inside our mobile phones. In order to have keys inside mobile phones, we have to have a way to download them to the mobile phone. So we have to have trust anchors with Apple and with Google and with the various cellular providers. So we are now getting connectivity not only to the suppliers of the physical keys, like Siemens and Lear; we're also having connections to the different mobile providers.

The same thing is happening with gas. With gas in the past (this was from Thailand, I saw lots of gasoline bottles) it was very low tech: you just filled your vehicle and nothing happened. But then we are going into charging at the pumps. I have a fuel pump, and I want to have payless, like plug-in charge and plug-in fuel devices; usually they sell some kind of fuel payment IDs that I can pay with. And in the future we are also looking at full electric, which is charging.
So we have connectivity to the different back ends of the third-party vendors that know how to charge me and know how much power I consumed. So I'm having all these connections to the different OEMs, to the different suppliers.

With diagnostics, the same happened. The automotive industry is using lots and lots of diagnostics capabilities. You always want to make sure that your car is running, and you want to even give access to third parties, like the right to repair, and every garage has diagnostics. Over here we can see, in the past, we had the old diagnostics. But then we went into the new kind. This is a diagnostic at the regular garage: they connect to the OBD port. Every car has an OBD port, usually under the steering wheel, and you can just connect to it and get diagnostic data from the car. But you can also upload data, you can download data from the car, you can do different stuff. And the garages usually have one for support and another for software upgrades. In order to work, these devices have to be connected in order to download data. So in the middle you can see it's already connected, to the internet or through Wi-Fi or whatever, and it does open me a connection to the car. There are also OBD dongles that insurance companies give me, which give me a direct connection from the internet to the car. So we have all these different connections. And when we look at the future and the future design, we have diagnostics over IP, and we have different capabilities inside the car so that it's always diagnosable. When I want to diagnose a car, I will just need to request access from the provider, or from the OEM or the supplier; they will open the access and I will be able to send diagnostic messages through 3G or the cellular connections.
So, to bypass all the connecting stuff: this is a bit of a map of how connected the vehicle cloud looks. We're going into a way where everything is starting to be connected more and more. We have media agencies, we have insurance companies, we have content providers that have different applications, different mobile apps and service apps that I want to use, even for mapping functionality, but also for buying stuff, for consuming, and for making my car a bit faster for the weekend if I want. So there are different capabilities. We have support centers, we have repair shops connected, so when someone wants to fix my car; and we have fleet companies like Uber and Lyft and other types of fleet management, so they can manage my fleet. Everything is starting to be connected, and this is how we are giving access to all of these different players to my car, to my vehicle. And this is a bit scary, and we need to understand what the meaning of all this is. On the other side we have V2V and V2I and V2X, different communication between the vehicles.

But what I'm looking at now: I made a simplified view of what I look at, what the car industry is and how just inserting a key into a car affects everything over here. We have a key and we have the mobile phone; it's connected to the TSM enrollment, so I can enroll keys whenever I want. But in order to do this, I have to have a connection between the OEM cloud and the TSM mobile provider. I have third parties also, because as the OEM I don't do everything by myself: I have third parties like rental platforms and fleet platforms. So when I rent a car, the rental platform will need to give access to the OEM cloud to open the key; the OEM cloud will give access to the TSM enrollment, which will download a key to my car and then give me access to the key. So everything is starting to be connected.
But in order for everything to work, we also need connections to the production plants and to the OEM IT and to the different suppliers that give the physical key, the transponders. So this is a map showing that everything over here is connected, and now my mission is to try to hack it.

What about technologies? We have lots of MQTT and AMQP and HTTP requests, like REST APIs to the cloud; we have proprietary protocols between the key and the car, and also between the key and the mobile phone. We have different things like VNC, even sometimes through suppliers; we have Citrix; we have just-in-time debugging, usually to SCADA devices in the production plants. We have SOCKS proxies between the OEM cloud and the third parties so they can access different resources. And this is how stuff works. But my thesis is: if we see this is a very simplified view of the cloud connecting to all of these cars, these vehicles, and I'm looking at whether I would be able to hack into the car and send over updates to the different vehicles, then the next day I will have something like this. And this is very bad, because when this happens, all the cars will start talking with me, and the only way to go back from this is a total recall. There are other ways, maybe; I know in the Jeep Cherokee case they sent USB keys to people, and you can do different types of recalls, but it's a very hard way, because if you have a connection to the cloud itself you can just impact 10 million cars, 20 million cars, just like that.

So I'm a hunter, I like to hack stuff, so let's start hacking. In order to start hacking, I'm searching a bit for clues. I like to look at embedded areas, I like to look at applications on the internet, and also different automotive resources like NASTF. But to start, I usually go to the easiest place for me and the hardest place for the automotive industry.
If I go to the low-level collection, I can buy an ECU on eBay; I can buy different types of components from the black market or the aftersales market. When I go over them, I find chips and I can download the memory from them, and if I am able to download the memory through JTAG and different kinds of exploits, I can find the secrets themselves of how the chip is communicating with the back end. When I see this, I will find different URLs, different secrets, different types of information, because the vehicle is connecting and talking with the back end, and usually it has single static keys for all of the components, because it's very hard in production to make different keys. Because of this, when I have access to some kind of memory and get access to the URLs, I find attack points that are not checked, not verified; nobody believed I would be able to get access to this, and this is very interesting.

Furthermore, if I don't have the hardware capabilities and I want to go through the net, then I have APKs. I can go to APKPure or to the Google Play Store or iOS; Google is easier because of Java, it's just much easier to decode stuff. Then I can find different secret keys. I started doing one app, and another app, and a third app, then I decided I want to do them all. So what I did, I wrote a kind of "lip search", a program of mine that I open-sourced. What it does is download all the APKs I want; it downloads everything and extracts all the resources, all the metadata, all the keys, everything I can find from it, and just dumps it into Elasticsearch so I can search it much more easily. And what I found over there: I found lots of backend URLs, and PHP and ASP, and lots of stuff that is connected to these OBD apps, to these fleet management apps, to everything. And over here, this is a good attack surface, because again it gets you in in a way that usually people don't want you to go in. I found some secrets; just by exploring secrets in clear text I connected to one of them and it was valid. The WeChat API is very nice, because you also have a payment API, it's not only a chat, and you can access different stuff.

But I wanted to continue, and I wanted to go in photo mode. So there's a tool called DNSDumpster; you can also find subdomains just manually. I just looked for all the subdomains of different car companies and I found so many, I didn't know what to do. So I can now start scanning them all, or I can start, there are different HTTP requests over here, I can start scanning and finding my endpoints and where I want to go. I can also use Shodan. Shodan is just a scanner of the internet that looks for different stuff, and I'm looking for different stuff, not even the OEMs; I'm looking for the suppliers themselves. So if I look for Continental, I can find an FTP of Continental; usually they host software for the OEMs, this is a way that they are giving them software. AUTOSAR is also a protocol, it's a kind of requirement in vehicle development. So I'm looking at all of these.

But then if I want to go deeper into the automotive area, I have NASTF. NASTF concentrated all the toolsets that I can have to access different diagnostics software. Over here there's a list of all of the OEMs, all of the car companies, and all of the software that you can download. But usually, sometimes it's paywalled. So sometimes, when I want to access some software update, I can download it, I can download updates for the software, but sometimes it just costs me money. So it's easy: you go to some forums, car hacking forums, or some car repair forums, which are much better, because these guys have been doing it already for 20, 30 years. They know all the software, they have the right to repair, so you can find lots of software over there that is also connecting to the OEM cloud and also connecting to the vehicle itself. This is interesting, because when you extract data from there, you can find different back-end URLs and different access points. I found some stuff; I have a P1 with a bug bounty with one of the suppliers, just waiting for them to fix it in order to properly disclose.

But then we have so much information over here that you can download. Just look at the NASTF, you can find lots of back-end input and lots of stuff. What I did, I took a list of all the keywords I could find from these websites, and I just created a dictionary so I can search for interesting data and interesting stuff inside. So you see things like "CV tech info" and "OEM software" and "OEM repair info", and a list of all of the OEMs themselves, and I started searching GitHub and different other areas. What I love to do: people usually don't know how to use GitHub, they don't know that when you delete stuff from GitHub it doesn't get deleted. So I'm just searching in the commits. I searched in the commits for deleted secret keys and what I want, and then you can find, yeah, he deleted secret keys, he did a push, and then, sorry, but GitHub shows you what was there previously; it shows it very nicely in red, exactly what was there previously, what keys were used. So you can just connect. I found some different keys; some worked, some didn't; some do change them after they understand they published the keys by mistake, some don't. But I did find, for one of the suppliers that I wanted to target, a Terraform configuration, and from this Terraform configuration you can do a lot of stuff. I found the keys and the secrets, and next thing you know, after I understood what Terraform is and how to use it, I just ran the access keys and I got full control of about 100 servers in production. So this is the production of one type of supplier, one supplier, so many servers: they had test servers, production servers, different stuff over here.

And this is a good point I want to go into; this is my starting point. Until now I just did recon, and I found different areas to go over to get over here, but this is the place I want to be. I want to be inside some kind of third party, not in the OEM cloud, not connected to anything, but just outside. It's out of the comfort zone; they don't secure it properly. The OEMs are not even able to secure it, because it's not theirs. So this is a good place to be, and now the game is to start moving, lateral movement from the third party to the OEM cloud and to other places.

If I'm looking at the third party and the OEM clouds, they are usually working with FTP; they are moving files to each other, and they have different types of vulnerabilities. What I did find eventually was one open FTP, very basic; it was a dump server, they just dump different configurations and different software over there from the third party to the OEM. After brute-forcing the FTP a bit, I found that the username and password were the same as the name of the supplier. In 50% of cases this works; in the other 50% you need to add something like "1234" or something else instead; sometimes it's a bit more complicated, but usually not much more, and you can just play with it. So over here I got FTP access, and because the FTP server was also open, I uploaded a PHP file and got shell access to the other cloud. So now I have access to the cloud, but it's an FTP server that is not really connected to anything; I don't have any connections at all from it. I tried to think what I can do with this, and then I understood there's a monitoring server.

After playing with the server a lot, I found out that every midnight there's a monitoring server that connects to my server, and it does the following: it logs in, it runs code, it gets the result of the code, and then uses it in order to show the whole OEM what the status of all the servers is. So it's a pretty basic thing. The problem is how it logs in. There are different ways to log in; usually I would want everybody to log in with an SSH certificate, but in this case they logged in with a username and password. So I ran strace on my SSH server, I waited till midnight, and I just saw the password. After seeing this password, I looked and found out I could get into the monitoring server, because the monitoring server was also monitoring itself, so fun. And then you can just access different areas over here. Also, a funny thing in this specific scenario: I wasn't able to use the password the next day, because the password was changed every day. Because of the password policy, they wanted to change it every day, and what do you do when you change the password every day? You use the date. So the password was a name and then the date. So the next day I came, I tried the next date, and it worked. So I was able to connect to all of these different areas, and I was able to see also that I have a bit of access to the production plant, to different kinds of endpoints, and this is a good place I want to be.

Now I'm trying to find out what I want to do. I'm inside the network, and I'm now trying to find out what targets are interesting inside the automotive area. One thing is jump servers. Lots of suppliers are restricted; in order to restrict them, we use jump servers to let them access our network. The problem with jump servers is that they're not clean. There's a rule: you never stop production, so you want all the suppliers to always be able to connect, so you never upgrade them. And basic exploits that you can find over here, there's Internet Explorer, there's lots of stuff over here, and usually it's very easy from a jump server, from a Citrix server, to break out, get shell access, find out different types of things and see what the suppliers can do. And the suppliers can do a lot. They also put some notes in passwords.txt and in files and different stuff on the desktop.

But then I wanted to continue and see more. I found a server with lots of printers, and I thought to myself, what is this, why are there so many printers inside the server? Eventually, after investigating and understanding what happened: the production plants have QR code printers, because when you want to put in a part, you want to scan it. You scan it, and then you know which part to put on the body. If you have a door, you want to combine it with the body; you need a blue door with a blue body, you need a red door with a red body. So you scan the part, and then you know exactly where to put it. These are the printers that are printing the QR codes for the technicians to know which part they need to put in. If I'm able to disable one of these printers, then the production line just stops, and because it's a line, if one station stops, everything behind it stops, and we change the whole production line. But also I can go and change the QR code, and then maybe put in a different part, and they won't even know about it. Let's say the screw: we can put in a different screw, and what will happen? So this is a very interesting area that you can play with.

Another area is robotics. When I want to go into robotics, there's lots and lots of robotics on the shop floor. Usually there's a rule, don't stop production, so the passwords never change. I just looked on the internet and I can find the different passwords of the robotics. The fun part over here is that with robotics, the passwords are usually embedded into the robots themselves, so you cannot change them; if you change them, you stop production. So it's a different password that everybody knows and nobody can change.

And this is the next thing: I wanted to target more. I usually go to the development, because developers are lazy, they're weak. So I went to the SVN, connected to the SVN, found a user, went to different areas, found a private key of one of the servers, and then, after finding IoT Hub connections, I connected to one of the MQTT servers that have access to all of the vehicles. This is nice, because now I can subscribe to events; I got all the events of the live vehicles when they are running. I was also able to send them commands; I didn't continue to see what commands I can do, because they stopped me. But I continued looking, and when you're inside, you're inside, so you can do whatever you want. I wanted to do Confluence, I wanted to get connectivity to the organization to look at who the targets are that I want to hack. So I went to the desktops, and through the desktops I went to different areas; I found different notes.

But if I want to conclude a bit: there are lots and lots of different automotive clouds popping up now. Everybody is different; there's Bosch and FCA and Volkswagen, and everybody has its own connected services, but it's relying on different suppliers, relying on lots of things outside, because the OEMs currently are not in a state where they're building stuff themselves; they are outsourcing most of their stuff. And then we see the vehicles are also connecting to outsourced data. So it's mainly in the suppliers, and you have to know how to attack and to see the whole ecosystem. Usually clients come to me and say, can you attack this server? And I would want the clients, the OEMs, to ask me how I would go in, and then usually it's from the supplier or through other areas, and these areas are out of scope, so you have problems. So we are working with them, working closely and trying to figure out the best way to attack this area without breaching, without getting a breach. I don't want to attack Bosch, I don't want to attack other companies, but I do want to verify that my automotive company is secure. So there's lots of multi-connectivity; I need to put lots of effort into secure architecture from the beginning, understand the connections, and usually understand what happens when I want to put in a keyless system, what it means for all the connectivity areas. Now we're going into electric charging; you know it's a big thing, we need to understand everything over here. So maybe, I think we have three or four minutes, so if you have any questions.

Yes. Yeah, we've done some stuff, not in Starlink and not in this area, but we did have access as a user. Usually, we had a project where we got access to the infotainment system in order to impersonate ourselves as an infotainment system, and then access, just as a regular user has access to the connected cloud, and see what the vehicle can do.

Yes, like a full scenario. So it depends. We had a case where, I think, from nothing to everything it took us two, three months, but it's also lots of waiting for approval. So I had access, I got shell access to some server, now I have to wait two weeks to get approval to see how we can continue. And sometimes they didn't give us access to the same specific area; they created another server inside the network that I can have access to, and then I continued from there. So it's always working with the companies, but in the best case it can take you even four, five days to access, if you don't have these different constraints.

Yeah, yes. So we are working with a couple of companies; they are using us to secure the infrastructure. It's always a game to understand when is the best time to secure it: whether we want to do it pre-SOP, just before SOP, start of production, or we want to do it from the start, from the development phase. But then we have more impact but we don't verify it as much, and if we do it too late then we know the problems, but they're already on the road. So it's always a game of when is the best time to secure stuff.

They were public. They were removed the moment I told them; they removed everything. Yeah.

Yeah, this is usually, there's lots of public GitHub information; you can just search, there are lots of ways to search GitHub. But there are also CI environments, CircleCI; you have lots of nice findings over there. I have a list of stuff that I'm always looking for, sensitive information that was leaked.

No, I don't. I own a regular connected one, and I don't hack my own car. Usually it's a problem if you play with your car; sometimes you can break it, it's very easy to break it by mistake, and then you need... I have a friend of mine, he played with the car and then the gearbox just didn't talk with the car anymore, and then what? So
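The speaker describes a pipeline that unpacks APKs, extracts their resources and keys, and dumps everything into Elasticsearch to search for backend URLs and credentials. The following is an added example, not the speaker's tool and not CYMOTIVE code: a defender-side pre-release check that scans the text resources inside an APK for hard-coded endpoints and credential-like values, run against a tiny APK constructed in memory with made-up placeholder values. It assumes resource XML has already been decoded to plain text (real builds compile res/values into resources.arsc, so an audit of a real APK would run apktool or similar first).

```python
"""Pre-release audit of an APK for hard-coded backend endpoints and secrets.

Added example, not the speaker's tool. An APK is a zip archive, so the scan
just walks its text-like members with two regexes. Assumption: resource XML
has already been decoded to plain text (real builds compile res/values into
resources.arsc, so run apktool or similar first). All values below are made up.
"""
import io
import re
import zipfile

# Absolute URLs: the back-end endpoints an app talks to.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

# key=value or "key": "value" assignments whose key name suggests a credential
# and whose value is at least 16 token-like characters.
SECRET_RE = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd|pwd)["']?\s*[:=]\s*["']?([A-Za-z0-9_\-+/=]{16,})"""
)

# Members worth scanning as text; dex, images and native libs are skipped.
TEXT_SUFFIXES = (".xml", ".json", ".properties", ".txt", ".js", ".yml", ".yaml", ".cfg", ".ini")


def scan_member(name, data):
    """Return findings (dicts) for one file inside the archive."""
    text = data.decode("utf-8", errors="ignore")
    findings = []
    for m in URL_RE.finditer(text):
        findings.append({"file": name, "kind": "url", "value": m.group(0)})
    for m in SECRET_RE.finditer(text):
        findings.append({"file": name, "kind": "secret",
                         "key": m.group(1).lower(), "value": m.group(2)})
    return findings


def scan_apk(apk_bytes):
    """Scan every text-like member of an APK; findings come back in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            findings.extend(scan_member(info.filename, zf.read(info)))
    return findings


def summarize(findings):
    """Group finding values by kind (sorted) so a reviewer can triage quickly."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["kind"], []).append(f["value"])
    return {kind: sorted(values) for kind, values in grouped.items()}


def build_sample_apk():
    """Construct a tiny fake APK in memory. Every value is a made-up placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json",
                    '{"baseUrl": "https://telematics-api.example.invalid/v2",\n'
                    ' "apiKey": "EXAMPLEKEY0123456789abcdef",\n'
                    ' "featureFlags": {"obdLive": true}}\n')
        zf.writestr("res/raw/endpoints.properties",
                    "fleet.url=http://fleet-backend.example.invalid/api\n"
                    "fleet.password=Sup3rSecretPlaceholder\n")
        zf.writestr("res/drawable/logo.png", b"\x89PNG\r\n\x1a\n")  # binary, skipped
        zf.writestr("classes.dex", b"dex\n035\x00")                   # compiled code, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Each finding is a flat dict, so feeding the output into a search index like the one the speaker describes is a matter of bulk-posting the list.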