Hi, my name is David Rogers, and it's really great to be at the Car Hacking Village to give this talk about our hacking rig. So, yeah, let's get going. My name is David Rogers; I own a company called Copper Horse, and we're based in the UK. My background is in semiconductors originally, and then in the mobile industry for the past 20 years. I'm heavily involved in a lot of security-related topics; I'm the author of the UK's Code of Practice on IoT security, and I chair the mobile industry's fraud and security group globally. I'm actually communicating to you from Google today, actually from a GSMA meeting. And of course I like cars, and I like cats as well, and I sometimes drive cars that are named after cats. So, yeah, really, really great to talk to you.

So how did we end up with the stuff that we're going to talk about here? Well, my company got involved in a consortium called Secure CAV, which was looking at future connected and autonomous vehicle security, together with Siemens and a couple of universities, looking at how we could detect security issues at a hardware level, and then actually prevent them in some way or report them, and to explore what we could do around machine learning as well. So an extremely interesting project. It's led to a lot of work with an organisation called Which?, which is kind of like Consumer Reports in the UK, and also, through the hacker community, we've done some good work as a result of BSides Cymru in Wales, and we now have a partnership with Cardiff University; we have actually sold one of these rigs to them, and we're doing continued research on this. So our project was right in the middle of the pandemic, and our university partners were due to create some demonstrators, and we were due to do all of our security work on those demonstrators, and of course the universities couldn't get into their facilities.
So we wanted to do some cool things around some of the tools that I'll show you later in the talk, but we couldn't do it, and we basically had to build something up ourselves. And so we went down this road: we looked at what was out there, and there are some great things using Arduinos and using CAN bus hacks, CAN bus hats and existing vehicle components, so that's the road that we went down, and a couple of really cool projects where they're using data from simulators, essentially from games. And so we started to build this up, and we decided, well, actually, this is really, really good, and wouldn't it be fantastic if we can build this into a real car, basically? So we're taking telemetry from multiple different simulators, multiple different games. Now there are academic simulators out there, so probably people will have heard of the CARLA simulator, but the community of people who are supporting these kinds of simulators is actually quite small, whereas the gaming community and the esports community is absolutely massive, and the cool stuff that's being created, from hardware manufacturers through to individual software developers, is absolutely amazing. And so one of the things that we decided to build in was a motion rig, which we got from DoF Reality in Ukraine; it has been absolutely amazing, and it really gives us real realism of how to experience a vehicle being hacked. So we have this 3DoF motion simulator, which gives us traction loss at the back there, so we see that motor number three there, so, you know, if you're slipping, especially if you're racing, it gives you that real immersion, and of course if you crash into a wall without any brakes you really feel it. So we've been gradually building this up alongside all of our security work with this car network, with all of this telemetry going to these different components that are doing different things, and we're gradually building that up.
So we have a very straightforward CAN bus with some components on it, so what else can we do? Well, obviously we could put things like sensors on there, and we can connect up other in-vehicle components. At the time we were loaned some vehicles to have a look at, and also, because we were in the middle of a pandemic, we couldn't really access, for example, scrap yards; they were all completely closed. So we started to go down the road of looking at other third-party components, and we actually ended up looking at some of the AOSP head units that are quite cheap on Amazon and eBay, and found some horror stories in those things, but we were able to get them working. When we were building up the network itself, obviously we needed to be able to take, as I say, the telemetry from the simulators and then transmit that onto the CAN bus, and we found a good way of doing that. There's a really cool tool called SimHub that allows us to do that more easily, because some of the telemetry is sent over UDP and some of it's done by memory scraping, and of course the games community have done a lot of the hard work, so we took that into the motion rig and other components. But when we were looking at the head units, what we were really interested in was head units that were connected to the CAN bus itself, and there's a lot of research to be done here; I don't think there's been a huge amount done so far. So you can see here that this is directly connected to our CAN bus and to our simulator, and this little red box that you can see on the right-hand side there is this kind of CAN bus converter box. A lot of these Chinese Android open source head units actually use these boxes, and it seems there's a proprietary serial protocol going to these things, and then they have pre-selected CAN dictionaries that are selected by choosing individual apps that are pre-installed on these units. These companies clearly all talk to each other, because they all co-support
the different manufacturers of these little boxes and these CAN bus adapter units. These head units are designed to be put into legacy vehicles, so you can imagine the security risk, and we're looking at, you know, what is on here, what versions of Android are on there. You know, we can see that they've actually managed to hack the Play Store onto there; they've got Google Maps, they've got the Chrome browser. So the question is, like, you know, does the Chrome browser auto-update on a device like this, and to what extent is the user exposed to existing vulnerabilities, and what's the differential between what's going to be patched and what's not? And really, is it possible to cross into that CAN bus from a malicious Android app that's on one of these legacy head units? That's something that we're exploring with Cardiff University as well at the moment. A very, very interesting area of research, I think.

What we also decided to do was to build in some functions to at least demonstrate to people what would happen if we disabled certain functions in the vehicle. So, for example, we thought it'd be quite cool just to be able to cut off the brakes, or to remove the clutch function or the accelerator. So pretty straightforward, just a hardware hack, and you can see my sort of Heath Robinson wooden button with some nails in it at the top left there, just to kind of prove it out. And we built this box, which allows somebody who's next to the rig (this is actually at BSides London) to disrupt the driving experience of the person in the car, whether that's distracting them by turning on the wipers or causing disruption to other drivers by turning on the hazards. You know, these sort of low-level functions in vehicles can sometimes have a very big effect. We have evolved that somewhat, so we've added in new functions, and as I learn what works and what doesn't work, I've built that into the rig. So at
the moment, we started out with Logitech G29 pedals, and essentially wired all that in so that we can turn them off at will, and then turn on other functionality if it's supported in the simulator, of course, because it depends what game you're playing or what simulator you're using. But it's a really, really useful tool to actually see how drivers react, and to really cause a lot of trouble to them. So there's what you can actually do in a car; obviously it's not possible to reach certain functions because of certain security that exists, or some electromechanical things, so we need to ground it in reality a little bit, but it's still fun to explore the kind of what-if scenarios around these things.

But to come back to the core reason that we built this stuff in the first place: it was actually to look at some of the types of hacks that are out there or that could happen, and I always like to look at stuff that is actually going on right now and what criminals are actually doing, something that we've done in the mobile phone world. And so one of the criminal mods out there is around mileage correction. So you can get these essentially man-in-the-middle devices that you can buy through online sites; we could get these for about 300 euros for specific vehicles, and we wanted to explore how they work, what they're doing on the CAN bus and how they operate, without obviously having to put it in a real vehicle, because in most countries these things, if not outright illegal (for example, in the UK you would have to declare that you have this thing in a vehicle, and obviously that's going to affect the resale value), so it's not illegal to buy one, but it would be illegal to essentially use one and not tell the new owner that you'd used one. But of course people are using these things; there is obviously a market for them. So the way that they work is that you install
this thing, and then you flash the headlights four times and it switches the mode of the mileage corrector, and it gives feedback to the user, because perhaps it's behind the dashboard, by flashing the hazard lights a number of times depending on what mode it is. So you might get four flashes for a particular mode. And what you see is that it's not actually stopping the odometer, it's slowing it down, but it's slowing it down because it's kind of manipulating the speedo, and essentially it is clocking up the mileage more slowly. So it's very subtle, because there are databases out there that log your mileage when you take your car to the garage and so on, and of course if that thing is static, it's going to be very, very obvious very quickly that you've been tampering with the mileage. And particularly for the more modern classics, people want to have a look at these databases and actually check the vehicle that they have got, and it's not unusual to see this sort of slowdown in the curve of mileage anyway, because obviously for something like, as I say, a 993 911, it's a modern classic; people don't want to put a lot of miles on them, and it might be very difficult to see the usage of it. And the reason that people are putting these things in is obviously to increase the resale value, primarily, because if you can, I don't know, take the 911 example, if you can keep that thing under, you know, 100,000 miles, that's going to get you a premium on the resale. So we were able to install this thing in our network; it's actually on our rig now, and we can actually operate that using the rig while we're driving along in the simulator, which is really, really cool. And it is just an example of stuff where not only can we demonstrate how it operates, we can actually monitor the CAN bus and see what the CAN traffic is. Obviously we can reverse engineer the hardware as well, but it's a very
nice way of doing that, and we could potentially do that with other components for particular vehicle types. And of course there are a lot of tools that are out there. So if you just take OBD-II dongles, for example: now some of them are completely legitimate, but there are other, more nefarious tracking devices and so on. Usually they're accessing the same data and then adding a bit, so they might add some GPS information and then send that over the mobile network. But there are other, more interesting OBD-II dongles; one example that I was told about is for essentially spoofing the AdBlue check. It's for lorry drivers, so that the vehicle is fooled into thinking that it's full of AdBlue, and obviously AdBlue is extremely expensive, particularly for trucks, so you can see how that market is created for those sorts of tools. So we can use our rig to explore these kinds of devices and what they do, to a limited extent. So, yeah, there's a lot of potential in this platform for exploring different tools that are out there.

But in the project that we were looking at, of course, Siemens were actually looking at, well, how can we detect this kind of malicious traffic, if you will, or anomalous traffic on the network, and then how can they secure it? They were looking at this at a chip level, and there were some really, really interesting things done. But we were then going to actually look at how we could break their system, if possible, or their proposed system, and that's what we went about doing. So in the process of doing all of this, because again we were in the middle of a pandemic and we had to work out how to do all of this remotely on multiple sites, basically in people's houses, we ended up being forced into integrating a system where you could remotely test from anywhere in the world, and the rig, or the car, or the setup, wherever it was placed. And so I think that's kind of a useful thing, and so
we had some camera setups, we had a few SwitchBots for switching on the hardware remotely where there were physical switches, and we had a bunch of VMs that were doing things like fuzzing and so on. And in the cases where multiple tools were running, we were able to set up some tools to essentially do OCR on what was on the screen and then auto-type the next step, so that we were eliminating issues where we might catch something during fuzzing, or some kind of crash or something in the middle of the night, and then have to wait before we continue the fuzzing. We could actually automate that, capture the crash, and then do something about it. So really, really cool, and I think there's some real potential in working on that stuff in the future for car manufacturers, and for anyone else really.

So, yeah, this is the rig as it stands, and it's just continuing to be developed. I've got some nice little bezel removers; it looks a lot better, actually, when you're racing; your brain actually completely removes the bezels there. Of course we could have gone for VR, but we've got real components on there, so we want to see the real data and how those needles work and so on. And to be honest, I'm a bigger fan of triple screens from an esports perspective as well, and obviously from an audience perspective it's nicer to see this. So we get this sort of full visual experience, and it really is quite immersive. You can see we've also got a Stream Deck on there as well, which is used for button control and so on.

So as we've developed the rig, I mentioned that we had the Logitech G29 pedals and steering wheel, which is pretty much a gaming device; it's not that expensive, really. But I modified the pedals to allow for the switching off, but there's lots of things you can do, and there's a lot of community hardware
modifications as well. So actually the way that these work, essentially, is that there are potentiometers inside them, and they're travel-based, they're not pressure-based, but there are some modifications out there that create a more realistic feel, almost to emulate a load cell brake. You know, if I wanted to buy load cell brakes from, say, Fanatec or someone like that, real racing brakes, they're really, really expensive, but you can actually buy some quite cool mods for your stock G29 pedals: they put a linear potentiometer into the pedal and then have a much stiffer, load cell style spring mechanism and everything, and it just adds an extra layer of realism to it. I think ultimately we will actually swap those out for real load cell brakes, but for now it definitely enhances things. The same for the wheel: we've now moved on from the G29 wheel itself and put in a direct drive, a Fanatec DD Pro base and full-size rim, and you can see the size difference there, and it really, again, enhances that realism and immersion, especially. And, you know, what you want is for the person on that rig to actually believe that they're in a car, because when things go wrong and when we start to do some quasi cyber attacks on them, or real cyber attacks, we want it to be really, really realistic. So that's really cool, and it works really well.

Something else we did with the pedals as well: there's something called the Leo Bodnar cables. So Leo Bodnar, a company based near Silverstone in the UK, worked with some motorsport companies, and the cable essentially gives you a much better resolution, so it takes it from 256 bits of resolution, or 8 bits of resolution, to 10 bits, which gives you essentially 1024-bit smoothness compared to the original 256 bits. We've put things like seatbelts on there. One of the recent mods I did was to put working lights on, because we had all that data
from the telemetry, and so I put a set of 12 volt relays in our hacking box and put some motorbike lights on, which I think I got for 20 quid on Amazon, and just mounted them on the back. So when you put the indicators on, or the running lights, whatever, it actually is on the rig, and we can just keep adding that stuff really; it's just wherever our imagination goes. The one on the right that you can see there is a rear view camera, so I mounted that over the rear view mirror, the virtual mirror, in Assetto Corsa Competizione. In modern GT3 cars they actually have these screens in their cars, so I just repurposed this dodgy head unit to put that in there. And the whole thing's actually transportable, so I can put it in a Ford Transit van and I don't have to take it apart or anything, and you can see the boss there, Pumpkin, inspecting it as it's about to go to visit someone.

OK, so here we have the rig, as you've seen in the presentation. We'll maybe see a little bit of the motion. You can see the lights here; we're braked at the moment and waiting for me to drive. On the rig itself, actually, we've expanded this with more expensive equipment. So we started out with Logitech equipment, so the G29 wheel and pedals; we still have the Logitech pedals there, although these are heavily modified now, so we've put what's called a Leo Bodnar modification on there to increase the resolution of the pedals, and we've also put a load cell modification in there to make it more realistic. Of course we could spend a lot of money and put a load cell pedal set in there, but remember that we've actually modified the pedals so that we can actually remove brakes and clutch and accelerator, but we probably will expand back in the future. So we've got our head unit here, which is connected over to the CAN bus, which I'll show
you in a minute, and then this is our new wheel, which is a Fanatec wheel, and this is the DD Pro. The reason that I've put this on here as well is that it gives you a really, really realistic driving feel: the feedback and the force that you get on the Logitech wheel is probably up to maybe less than two newton metres of force; in this you're getting over eight newton metres, and you definitely feel this. I do a lot of sim racing as well, and the feel that you get of the road is much greater, so this gives people a more realistic driving experience. I've got a TH8A shifter on there; it's a Thrustmaster, and it's actually quite a nice shifter, I like it. We just put a custom gear knob on there, and all of this is connected to different software in the rig. So we have something called Sim Racing Studio, which comes with the motion platform, and that's a really excellent piece of software. We also use SimHub for translating some of the telemetry, and we've got some nice scripts and software to go with that. I use a bunch of other tools as well, some tools that we've written as well. And, yeah, so we also have a handbrake here as well. The emergency stop button is for the motion rig, because it can get a bit crazy; if you ever use BeamNG, driving the car off the cliff is somewhat of an experience. This is the Stream Deck here, so you can see here that we've got the different controls. This is for the truck; this is a shortcut button I have here for doing a mileage correction, that's just going to flash the lights four times, but we can cycle through; we've got loads of different sim functions on here, and it's really nice to be able to use that, it's a very nice feature. And this other tool here is something called SIM Dashboard; this allows me to send the telemetry data into another kind of visual tool, which is very, very cheap; it's an Android client, and it's really, really nice. You can build your own dashboards; you can build other information as well. Again, we're just
touching the surface of that, but we can probably do a hell of a lot of things in the future. So, OK, let's have a look at some of the equipment that we've got here. So I'll start off with the mileage corrector. So that's the device that you get sent when you buy it, and this is actually plugged into the back of the instrument cluster here; you can see that we have another one here, and so that would be hidden behind your dashboard, and obviously if somebody was buying the car they might not know about it, but you might want to take it out before you sell it as well. Alongside the custom hacking box for removing the accelerator and the brakes and so on, we also built this custom box here, so this is the Arduino I was talking about with the CAN bus hat. We've also got an OBD-II connector here, which is useful for us for managing the CAN data if you want to use any of the tools that you can buy out there for car stuff. We also have, this is just a relay board here, so we're just using the 12 volt relays. I did originally look at using MOSFETs, but the lights that I've got here are just basically third-party motorcycle lights that I've repurposed for the rig; what they were expecting is actually an output from a relay, not from a MOSFET, which would be wired differently. These boards are really, really cheap, and it's really straightforward to integrate. So you can see we've got a selection of head units and things that we've bought; we'd be looking at reverse engineering these things. This is one that blew up on me; it blew up a power supply as well. So what a lot of these come with, when they have a CAN bus connection, is a CAN bus decoder, and it appears to us that there's some sort of proprietary serial protocol going to these, and then through software, through the pre-installed apps that they've got on these things, you will select a decoder for a particular vehicle platform, and that will essentially have a sort of pre-programmed
CAN dictionary to enable it to talk to the CAN bus, and so somebody would just plug that into their car. And of course I've seen lots of complaints about these things, because of course they're not perfect. What we're more interested in is seeing, like, pre-installed malware and what type of state these things are in, whether they're going to get software updates and so on. So you can see this is one here; it's just one of these head units, and they often come with this kind of car menu and different car settings and so on, so in this case we can see some of the data. So this will actually change; it's connected to our CAN bus here at the moment, which is paused. So, yeah, very, very interesting. We've again only touched the surface of some of this stuff, but it allows us to play around with that and see what kind of things we can do. So the last thing I'll show you here is actually some of the extra components. So I told you about the rear-facing camera, but interestingly we got a TPMS here, so tyre pressure monitoring. So one of my little future challenges will be to add the TPMS into the rig as well and see how good or how bad these third-party devices are; these are just the pressure caps.

OK, so let's get on to the interesting part. So I would love to bring this rig to Las Vegas; that's probably not going to be possible, so I'm going to show you some driving. I also do some drive-alongs and stuff, so let's get going. So this simulator here is Euro Truck Simulator 2; I'm actually in the middle of a delivery at the moment. You'll see that I do a lot of sim racing and stream that online; that's with exactly the same rig, and with the motion and everything. And I'm just going to drive along here. I've got the motion turned off right now, but I'm just going to show you very quickly how the mileage correction works. So you see that I've got the full beam light on here; I'm driving along into the early morning. What I'm going to do, I'm just going to do the four
flashes, right, and what you'll see is the response back from the hazard lights as it switches modes, and you'll see the speedo do something as well. These things can be a bit flaky as well, so it takes maybe a couple of times to actually activate. Let me get it to go. This will be the one time that we can't get it to go, so what I call David's rule of demos: the demos never work. There we go, so you can see it switched modes there, and you can see also the speedo has dropped down, because what it's actually doing is causing the speedo to misreport. I'm just going to move outwards there; you can see the indicators. So I hope it's going to switch modes again to change. There we go, so it's flashed twice; it's moving into a different mode, and you can see there that it's flashing again. So that's how that works. If we move back, I'll just show you the lights on the rear of the vehicle. So I'll put the hazard lights on now, and obviously I can put the indicators on as well. So there we go, and what we can do now is perhaps just pause for a second.

So that's really, you know, what the rig's about, but I just want to talk about this whole thing about the future of security in cars. So obviously we're demonstrating using older vehicle equipment and CAN bus hacks that of course we all know about; we all know that the CAN bus is not integrity protected and there's no authentication. But it is quite nice, I mean, it functions as a thing. But obviously there's a lot of work going on in the standards space, but also in the hardware security space, to actually ensure future security in cars. But that's not going to make threats go away; threats are evolving, and some really unusual things are happening. And just really like the mobile phone space, where we've gone from just having mobile phone calling and SMS capability, you know, all this extra functionality that you never expected to be in a car is in there, so
all the functions for communicating outwards, and there are multiple SIMs in cars, need to be secured, and they're all coming from all these different vendors. So it's impossible for the OEMs to understand everything that they've got, and even for them, they're not really au fait with things like hardware security, and how to implement TEEs and trusted execution environment type technology, and how to properly implement secure boot, and build all of this together into a coherent whole. But the technology is moving so quickly that, you know, they're jumping into launching automotive Ethernet on top of legacy technologies; they're launching V2X type stuff; so multiple new interfaces are coming into vehicles, and that is going at pace. So while we can bring a lot of our knowledge into that domain, and there is a lot of transference of knowledge, everything from the stuff on SBOM through to, as I say, hardware security, through to mobile security improvements and protocol security, so that is all coming together, and they can kind of stand on the shoulders of all of that work and benefit from it, I still don't think there's a level of maturity in the automotive industry that is commensurate with the threat. And of course, you know, these are vehicles that are essentially weapons and can kill people, and it's a very, very unusual sort of moving IoT device. So I still have a lot of concerns, and I think that, you know, the security research community has to really help these guys to understand. They're still coming to terms with, you know, what CVD is, what vulnerability disclosure is, and how to handle vulnerabilities in multiple places, and there are some sensitive ones, the obvious one being a lot of the key hacks. But ultimately they need the security research community, and they will benefit from our input, and I think it's just a case of kind of waiting for
them to get to that state, and they are getting there, and helping to point out to them the stuff that we see that maybe they're not going to see in the development centre, and they're not going to think about that, or they may think, you know, why would you ever try this particular attack, no one would ever do that, when actually we know that of course somebody would do that. So we bring a hugely different skill set to what they have in engineering, but both are equally valid. So, yeah, I mean, I'm a little bit sceptical as to how attacks can really be detected in future vehicles on board, because as an attacker I probably am going to want to disrupt that, and I'm probably going to know that there's going to be some detection mechanism in there. So we really need to think, well, one step or two steps ahead: how does the attacker react to a particular defence mechanism? So in the case of the mileage correction there, we were able to actually attack the defence mechanism and really, really screw around with it, and, you know, for the defender they have to make sure that everything's right, but as an attacker I can just make sure that everything just dies and still, you know, reach my objectives.

So I mentioned sim racing. So I've really got engaged with sim racing during the pandemic, actually utilising this rig, and it's been a really good way of actually talking to people who are in the car industry as well about the sort of threats and so on, and competing in Apex Online Racing Assetto Corsa Competizione GT3 leagues and other leagues, and they're really, really fantastic, and I think the more people in the hacker community that get into sim racing, that's absolutely fantastic. But in another vein here, so I'm racing with the rig, but it's absolutely incredible to see that line between real-world racing and sim sports being
crossed. So this is a real mixed reality that's going on, and that's what we'll see in the future; it's really a gateway into the future. All of these circuits are laser mapped; the equipment, the Fanatec wheels, for example, they're in the actual cars. So this is a real mix, and of course even these esports communities suffer cyber security issues, and there's been a lot of DDoSing of servers, and the suspicion is it's actually gambling syndicates; there's betting on races and disrupting them. So really, really interesting in itself. If you want to find out a little bit more, well, of course you can go to my Twitch, and I've got a few live streams where we do drive-alongs in the trucks, that's Euro Truck Simulator 2 there, and we do different things in the simulator, and we go out on the rig and explain what we're doing. So have a look on there, and there's quite a few more videos for DEF CON here, for this event. And that's really it. So thank you very much for listening. I'm going to be in the room, so for those of you who are in the Car Hacking Village listening to this, have a look around for me, because I'll be standing there somewhere. Thank you.
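The talk points out that the CAN bus carries no integrity protection or authentication, describes a mileage corrector that slows the odometer by manipulating the speed signal rather than freezing it, and mentions the Siemens work on detecting anomalous traffic on the network. The following is an added example, not code from the talk, from Copper Horse or from the Secure CAV project: two defender-side plausibility checks over a candump-style capture. The first learns a per-ID frame rate from a known-good capture and flags IDs that are unknown or transmitting far above their baseline (a spoofing device injecting frames for an existing ID shows up as a rate jump, because the legitimate ECU keeps transmitting too). The second integrates the speed signal over time and compares it with the odometer increment, which surfaces an odometer advancing more slowly than the reported speed implies. The CAN IDs (0x1A0, 0x2C0), signal encodings and every log line are constructed for illustration and correspond to no real vehicle.

```python
"""Added example (not code from the talk): two defender-side checks over
CAN traffic of the kind the rig exposes. Every CAN ID, signal layout and
log line below is constructed for illustration, not taken from a real
vehicle or from the speaker's hardware."""
import re
from collections import Counter

# Hypothetical arbitration IDs and encodings (assumptions, not real vehicle data).
SPEED_ID = 0x1A0   # 2 bytes big-endian, 0.01 km/h per LSB
ODO_ID = 0x2C0     # 4 bytes big-endian, metres

# candump-style line: "(timestamp) iface ID#DATA"
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\w+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def parse_candump(text):
    """Parse candump text into (timestamp, can_id, data) tuples sorted by time."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _iface, can_id, data = m.groups()
            frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return sorted(frames, key=lambda f: f[0])


def learn_rates(frames):
    """Frames per second for each CAN ID, learned from a known-good capture."""
    if not frames:
        return {}
    span = (frames[-1][0] - frames[0][0]) or 1.0
    counts = Counter(cid for _, cid, _ in frames)
    return {cid: n / span for cid, n in counts.items()}


def check_rates(frames, baseline, factor=1.5):
    """Flag IDs never seen in the baseline, or sending far above their usual rate."""
    alerts = {}
    for cid, rate in learn_rates(frames).items():
        base = baseline.get(cid)
        if base is None:
            alerts[cid] = "unknown ID"
        elif rate > base * factor:
            alerts[cid] = f"rate {rate:.1f}/s vs baseline {base:.1f}/s"
    return alerts


def integrate_speed(frames, speed_id, t0, t1):
    """Distance in metres implied by the speed signal between t0 and t1."""
    dist, prev = 0.0, None
    for ts, cid, data in frames:
        if cid != speed_id or ts < t0 or ts > t1:
            continue
        kmh = int.from_bytes(data[:2], "big") / 100.0
        if prev is not None:
            dist += kmh / 3.6 * (ts - prev)
        prev = ts
    return dist


def check_odometer(frames, speed_id, odo_id, tolerance=0.10):
    """Compare the odometer increment with the distance implied by speed.
    A corrector that slows the odometer rather than freezing it leaves a
    steady deficit that this plausibility check surfaces."""
    odo = [(ts, int.from_bytes(d, "big")) for ts, cid, d in frames if cid == odo_id]
    if len(odo) < 2:
        return None
    (t0, o0), (t1, o1) = odo[0], odo[-1]
    expected = integrate_speed(frames, speed_id, t0, t1)
    observed = float(o1 - o0)
    deviation = abs(expected - observed) / expected if expected else 0.0
    return {"expected_m": expected, "observed_m": observed,
            "deviation": deviation, "suspicious": deviation > tolerance}


def build_sample_log(speed_kmh=100.0, odo_scale=1.0, seconds=10, extra=()):
    """Constructed candump text: speed at 10 Hz, odometer at 1 Hz.
    odo_scale < 1.0 models an odometer that advances too slowly; `extra`
    appends additional (time, id, hex_data) frames to the capture."""
    lines, mps, odo_start = [], speed_kmh / 3.6, 123_456
    for i in range(seconds * 10):
        t = i / 10
        lines.append(f"({t:.6f}) can0 {SPEED_ID:03X}#{int(round(speed_kmh * 100)):04X}")
        if i % 10 == 0:
            lines.append(f"({t:.6f}) can0 {ODO_ID:03X}#{odo_start + round(mps * t * odo_scale):08X}")
    for t, cid, data in extra:
        lines.append(f"({t:.6f}) can0 {cid:03X}#{data}")
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = learn_rates(parse_candump(build_sample_log()))
    slowed = parse_candump(build_sample_log(odo_scale=0.8))
    print("odometer check:", check_odometer(slowed, SPEED_ID, ODO_ID))
    noisy = parse_candump(build_sample_log(extra=[(i / 20, SPEED_ID, "0BB8") for i in range(100)]))
    print("rate alerts:", check_rates(noisy, baseline))
```

Both checks are deliberately simple: a rate baseline catches the blunt injection case but not a device that sits in line and rewrites frames at the original rate, which is why the second, cross-signal check matters for the mileage-corrector scenario described in the talk. On a real bus both thresholds would need tuning against legitimate variation (bus load, stop-start traffic, gateway behaviour) before they could be treated as alerts.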