 Hello, everybody. Welcome to the car hacking village TurboTalks with Samir and Vlad. I'm using smart cars with QR codes. Welcome, everyone. My name is Samir. I'm the senior director security consulting for Spartan security labs. And along with me I have Vlad. Hello. My name is Vlad Gassimelski, senior security consultant at Spartan Federal. Samir and I work on doing security assessments on various devices, smart vehicles, scale systems, wide scale distributed networks, satellite systems. That's our thing. Applications, mobile and anything in between. So let's get started. We have for today's agenda we are talking about abusing smart cars with QR codes. And for you, we'll talk about history of QR codes. QR codes have been around for over two decades. How QR code got ventured into the automotive space? What are they being currently used for in automotive industry? Especially with smart cars. What are some of the security challenges around it? And some of the trivia questions that we are going to have. So please listen in carefully. You are going to win a t-shirt that I'm wearing. Do good, no evil. We are not going to give it in the talk. So whoever wins, please collect it with Tej. He's sitting right in the end. You can see his hand right there. So let's get started. So history of QR codes. As I said, right, I mean it's been there for over two decades. It was born in Japan with the two people team, Mashahiro Hara and one more team member. Denso Corporation was sort of the owner for that. It gained its popularity in 2002 when it started getting used for general purposes, for ticketing systems, for advertising, for various other things. So previously when the QR codes were used, people were using dedicated readers for them. Just like the kind you see in the store for scanning prices of various products. As smart phones became more popular, it was not able to, it was not possible to capture with your phone scammer and decode it. So it really opened up the market for everyone. Home users were now able to open up hyperlinks, their instructions with their smartphone. They're able to follow directions, check in at various locations, do their own inventory control. Alright, that brings us to our first trivia question. Which automaker first started using QR codes and when? Alright, when? Alright, you get half of a t-shirt. Anyone else wants to take a stab at it? 99? 94? Alright, you get the other half of the t-shirt. Yes, so you're right. Toyota started using them in 1994 for actually tracking the parts and the cars that they were making. So please make sure that you get your half-and-half t-shirt frontage. Current use of QR code in transportation industry is sort of like now widespread, right? They are using for, just as I said, tracking cars and its parts for inventory control, for fleet tracking. Also, Michigan Department of Transportation recently started using them for signal repairs. So the image that you see is actual image where instead of having a big log that they used to store in the signal repair box itself, now instead of that they take their smart devices, scan the QR code and then through that they are able to gain all the information that they need to have for repairing the system. It's being also used widely in automotive sales. It's sort of like replicating the good salespeople because you can actually scan a QR code and get a consistent message about what this vehicle is, what are its capabilities, engine, et cetera, et cetera. And marketing and promotions have been around for ages. So can anybody tell me if a QR code can be hacked? Do you want to elaborate a little bit on it? So you get a negative T-shirt? Yes, gentlemen in the back. Absolutely. You do get a shirt. The overall answer is no. I mean, you do have to physically temper the black and white to kind of make it so you can you get a full T-shirt. So now that it cannot be hacked, what is the real problem? I think the next few images will tell you what the real problem is. When we start really using them for telling directions to smart cars and autonomous vehicles. And this is happening in California. California Department of Transportation is the first one to actually start rolling out QR codes on the side of the roads. That's because it's the number one location in the United States right now. We're autonomous and semi-autonomous vehicles are on the roads. Right now they're using them to signal the construction zones ahead. They're starting to roll out speed limit signs in the form of QR codes. So anyone want to take like a guess on what are other problems that can happen in a smart cars with QR codes? There are more T-shirts to give away? All right, I'll make it easy for you. So the first thing is right, I mean, you could have a QR code that maliciously directs you to a link that gets you, that gets a malware onto your moving vehicle or for a particular component. Then there are issues with physical manipulations. If in the night someone switches the QR code from stop sign to speed at 50 miles an hour, that could be an issue. So you could cause a lot of havoc. And then some intentional and unintentional removal of the code. If the next generation cars are going to rely on QR codes for V2X communication, then you have an issue. Because if there are lighting issues, if it's unable to read the sign, if it's, if there's too much bright light, if there's raining or other environmental factors, that could be an issue unless it's been coupled with other technologies like GPS and others. That's right. So for example, if you're, when you do V2V V2X communication, you're using a radio signal, the signal could be monitored. There are actually ground listening stations that would observe that communication and notice if something is happening that possibly shouldn't. As a police officer drives down the road, they can physically look at the signs and they will know if something is missing. But if it's a QR code sign, since it's not human readable, a human can't actually immediately recognize if the sign has changed or has been tampered with. Even if somebody walks up with a sharpie marker and draws on it, it'll A, modify the sign or B, make it unreadable. And somebody driving by 70 miles an hour will not be able to tell the difference. Now, this is one of my favorites. So I did mention speed limit signs. If somebody were to swap out speed limit signs for 25 miles an hour school zone and 75 miles an hour on the highway, they're both valid signs. But transposing in different locations, you're impacting the school zone as well as the highway for the smart vehicles that would actually be designed. And of course, you look like an idiot to the normal vehicles going on the highway because your town would be called sudden slowdown or is barreling through the school zone. Other fun signs to move around are the one-way signs, traffic keep left, keep right, or if you're trying to merge the 287 north or south and the human readable sign is very clear, where's the QR code that's selling your smart vehicle to, again, the wrong lane. Obscuring QR codes, right? That brings a lot of issues. So like, if there's a mud splash on the QR code, you cannot read it. If there's stickers, someone put, and graffiti, graffiti artists love to draw on signs that are on the side of the road or overhead, that could be an issue because then it becomes unreadable. There are lighting issues, as I talked earlier. Rain or snow can affect the visibility of those signs and our readability of those signs. And then also other environmental factors like sun damage, they can get faded over time. Those are some of the valid use cases. And then, obviously, the thieves, like the guy, this one, he likes holding these boards for some obvious reasons. Yeah, so as we were looking for an image for the slide, the first thing that struck me as I found those images, oh man, I don't have one of those signs yet. And having lived near High Street, you wouldn't believe the number of times that sign disappeared. And if that sign is removed, this is what you're expecting. So the kind of things you typically wouldn't think about as a human driver, a sign for a boat ramp or a sign warning you to stop, is not necessary for a human driver because you see that there's a boat ramp. Whereas a semi-autonomous vehicle can proceed going down the road because it's a nice paved road, nice gradual decline, and a parking spot at the very bottom. Malicious links. We did talk about how a smart car can get itself into a situation where a malicious code can be downloaded on it. It could be a malware or something. So it scans a QR code, QR code then directs it to a malware site and then malware gets dumped onto the vehicle. So that's again a possibility with the QR codes as an issue. Exactly. So as we mentioned earlier, we have not seen any successful implementations of an actual buffer overflow within the QR code. But the gentleman in the back left correctly pointed out, if you tamper with external things the QR code actually points you at, whether it's a URL shortener or another resource, you can actually then push across a malicious code via that avenue. And as Vlad mentioned earlier, these changes are not really noticeable by human eyes. So it's a machine readable code only. So if a stop sign gets changed by the yield sign, you would not be able to tell unless you have a QR code reader. So that also brings issues with both intentional and unintentional attacks because someone who's trying to actually just be on the side of the road, try to service them and switch one with the others, that could create a havoc. So one of the best attack vectors is the human. If you've ever seen the fine paving job, the Department of Public Works sometimes does and the way they put up signs, you know, imagine if they're putting up QR code signs. It's very conceivable to actually see them putting up the wrong sign because they were pretty sure they were holding the right sign. They'll put up on the side of the road and move down to the next mile marker. One of the funniest things I found, somebody who was doing a little bit of experimentation with the camera systems on the semi-towners vehicles. So this is actually a non-stop driving car. But this is a car that has lane assist technology and it was turned on. And they had a little bit of fun with salt. And they actually made a solid line, a dotted line around the vehicle and the vehicle refused to drive out. So they essentially made a smart trap. You've probably seen it previously in the movies in the voodoo acts that spray salt around and things go away. I use it for driving ants and killing them around my house. But you can also do that for smart cars. So now that brings us to kind of like towards the end of it, which is the solutions. There aren't really very many solutions because first of all the technology and its implementation in the automotive space is very new. And one could do like a unique signing of the QR codes to say only autonomous cars or self-driving cars can actually read it for its authenticity. The other things that you could also do is like cryptographic validation. So essentially for example a California Department of Transportation can create a signing key and sign their signs. And then somebody would have to either produce an identical sign which would kill off one of the attack vectors. I think the most interesting one is actually GPS validation. And that's encoding the correct GPS location of that sign within the QR code. So then your smart car would actually compare its current GPS location, have a bit of wiggle room and interpret the sign as valid or invalid. But then of course you would have to depend on the trust within the GPS system and the fact that there's no GPS poofing happening around you or the fact that the GPS is actually reliable in your area. And of course attackers could also refactor their own signs. Once a standard informant is known it's only a matter of time until the attackers advance as well. So does anyone know what is a SR code? What's the full form of QR code? Quick response. SR code is a slow response code. So when you add cryptographic overheads to it, it can make a QR code into an SR code and it will look like this. All right. So onto again trivia questions. Who can name a few ways that QR codes can be manipulated? Yes. Who remembers the first wide scale marketing deployment of QR codes? Yes. Actually it was a federal agency. Here's a hint. They were putting up pictures of zombies asking are you prepared? So a certain agency that's interested in people making sure that they actually have preparedness kits at home and that they know how to deal with a pandemic outbreak was putting up posters and QR codes on New York City bus stops. And then some enterprising individuals started putting up QR codes, perfectly covering up the QR code that was put up. And we actually did, yes, I have a question in the back. Yeah, essentially negative space attack. Yes. That would absolutely work. But these individuals were actually putting up links to a malicious website and to spam websites. And it's really bored. People were sitting there at the bus stop would take pictures of it and follow those links. Can you answer your questions? Yes. So we've been playing with a few HUD units. We've been able to observe crashes with malicious codes. We've been able to craft up. We have not been able to get code execution. I don't think anybody else has been. But the fact that you can get a system to lock up and reboot isn't indicated that there's definitely avenues to be explored there. That's why the talk is kind of like futuristic looking because we have we have seen the smart cars trying to use it. There was actually a news article on it which I which was the reason why we did this talk. This was almost like a month or two months ago. That's right. So what happened is the California Department of Transportation said they're going to roll out the system. So any autonomous vehicles that have cameras on board, it's just a matter of firmware update. No many factors are doing it because science haven't shown up yet. But as they started turning up next few months, next few years, they're going to see firmware updates coming out specifically to be able to read them. We do have an advanced HUD unit that can read them right now. But I do want to say that I don't believe that it's going to only depend on just the QR code scanning. One, they probably would be smarter than that. Not to rely on that. We really hope. So we do see that, especially in inner cities. It's very popular. In inner cities, where people may not necessarily be friendly to police officers, it's very common to take a street sign and turn it at 90 degrees. So that somebody trying to orient themselves or somebody trying to respond would get the street cross section wrong or they're going down one street and the street they're going down changes. So now imagine being able to use two autonomous vehicles that are supposedly immune to this. But if you're going down the road and you see that somebody was really bored and shot at a stop sign and it has some buck shut holes, you still know it's a stop sign. But if you're missing a eighth of a QR code, the error correction will not make up for it. You simply have a sign that doesn't readable to you. And it could be a construction zone, a head sign, it could be a 70 mile an hour sign, or it could be a stop sign. And that's why I commented earlier, right? When the autonomous vehicles become a reality, which is very close, I don't think they will rely solely on the QR code and that's my hope. Because again, I mean, we just shared several examples in use cases where it could fail if it just relies on a QR code scan. Exactly. So what happened is once we saw the California Department of Transportation announcement, we were able to grab the specs, we were able to grab some of the sample signs. I had used with some of the first firmware that is supposed to be able to read it. And that's all we had to go on because that's available right now. It's in a proposal phase and hopefully it's going to go through a few revisions before it actually becomes mainstream. Has anyone, and this is a curiosity question, it's not a trivia question, has anyone been able to or doing any research in doing a man in the middle attack for with QR codes? Doing a remote attack with a man in the middle? In the room? In the middle. Something where you are sort of be able to intercept the image before it gets read by the device. Yeah, so that's another one thing that they could do to at least minimize the human, what you call the physical tampering. But yeah, it opens up other issues because again, with the digital image projections, then there's lighting issues, there's like depth issues of the colors and other things. So there's other factors that needs to be taken into consideration. So the funniest thing that I've been able to play with is those of you that remember those little badges that you had as little kids with googly eyes were depending which end you look at, it's a different image. It's actually possible to print out QR codes. So if you're in the left lane or the right lane, you're seeing a different QR code. And they actually appear to be read really, really well. The fact that you have a prism facing out actually means that you're getting less interference from the rain and snow and less grime on it. So they actually become less readable than real flat QR codes. Any other questions? All right, so last housekeeping slide, if you guys have any other questions that you haven't asked yet or you were a little bit shy and want to have a private conversation, you can reach out to Vlad and I at spiron.com or Vlad at spiron federal.com. And then you can reach out to also security labs. We will be in Car Hacking Village booth, so if you have any other questions that you want to get answered today, do reach out at Car Hacking Village. And thank you for attending. And please, whoever hasn't collected their t-shirt, those two guys in the back in the pink, they should be able to get your t-shirts. Thanks, everyone. Thank you.