going to be a lot of fun. I saw a little preview of this this morning and this might be a horrible mistake. We're going to play around with some skateboards now. How many people skateboard in here? How many people think it would be a good idea to put a motor on there? Yeah. Turns out your mom was right. This is a bad idea. All right, let's give these guys a big hand. Hello. How's it going? So yeah, I'm Richard. This is Mike. Thanks, Richo. Richo works for Stripe. Shit. Go on. All right, whatever. I'm Richard. I work for a company called Stripe. I do security type things for them. I'm a duck enthusiast. I ran a conference one time. So I work for eBay and I really like Bluetooth, wireless stuff, wireless exploitation. And yeah, I'm occasionally the voice of reason sometimes. So like why did we do this to ourselves? The thing that first made me think like I'm going to buy an electric skateboard: I live in San Francisco, which is tiny. So I can kind of like skate around everywhere and save a bunch of money on Uber. This has now paid for itself. It's also basically impossible to get stolen because I can just take it with me into a bar. And I mean we kind of looked at it like the Kickstarter was pretty huge for Boosted and we thought this ought to be good. Maybe we should be the first ones to have a good poke at it. So yeah, I mean like maybe to hack it. I mean like why hack it? I mean because it's there. Vehicle research is cool. You saw Chris and Charlie just before this. That's a really tough act to follow by the way. Yeah, no, there's nothing like nerve-wracking about this at all. But like not all of us can afford to brick a car repeatedly. And we kind of thought like maybe like through like somewhat stunt hacking research we could illustrate a point about the current state of like vehicle security and security research. So yeah, the boards. First up is Boosted. So this was the first one that we got our hands on.
I ignored the Kickstarter because I'm an idiot and then I paid a bunch more money for it immediately afterwards. This is my daily commuter. I ride it from SoMa to the Mission every day. It's good for about 35 Ks an hour, weighs 6.5 kilos. I can go forwards and backwards. That's 22 miles an hour in freedom units. And so next up is Evolve. This one's from an Australian company which actually would make a lot more sense for you to introduce it. That's Australian for skateboard. This one's made out of carbon. Like Richo just mentioned, it doesn't have a reverse. It just goes forward and it has brakes. It also has a really interesting quality where since it only has one motor, when you hit the brakes, you tend to pull into traffic. Great design choice. And lastly is this board called the Ego which is right over there. This is more or less a Chinese knockoff of Boosted. It's literally as stiff as a plank. So yeah, you've maybe kind of noticed the design trend here. Evidently you make a black board with orange wheels. That's kind of how it's done. So the first board we wanted to talk about today was Boosted. So as I mentioned it kind of can go forward and backward. Has regenerative braking. So if you go down a big hill and hit the brakes, you kind of like pick up some of the power that you lost. Its remote uses Bluetooth which was kind of interesting to me. And so like I would like to tell you guys a story. So I used to live in Melbourne once upon a time and I think this Boosted board has actually made it to more countries than any other at this point. So I was skating around Melbourne one day and I went through Fed Square which is just like a notoriously RF noisy environment. It has like tram tracks. It has this thing called Fed Square which is just like full of various wireless signals in that like it has its own Wi-Fi as well as like every bastard having a phone. There's tram tracks nearby. There's train tracks. It's just really noisy.
And twice in a row I was like skating along like ripping along in traffic because I'm an idiot. And all of a sudden the board just loses power underneath me and I like fall off and get hurt. And so immediately I was like, I wonder if we can do this like reliably. And so one thing leads to another and as far as we know this is the only CVE that's ever been allocated to a skateboard. Yeah, I decorated mine. So anyway, like how did we get from like me falling on my ass in public to like convincing my dad that it was a really good idea that gives us a CVE? It turns out that was actually kind of tricky. Yeah, I mean that was such an exciting, we'll get to that in a bit. Anyway, so like I had this skateboard and I kind of felt like there was something a bit dodgy about its comms. And I knew it used Bluetooth, but I sort of knew nothing about Bluetooth beyond sort of how to spell it. But I knew this guy. And I knew that Mike like knew a lot of things about Bluetooth. He owns the domain Bluetooth.expert. And so I thought like how hard can this be? It'll be like drink a couple of beers with Mike, do some typy typy, probably get a shell by lunch. It'll be fun. So I bought a bunch of Ubertooth. Ubertooth, I'm still not sure what the collective noun is. It's Ubertooth. Anyway, so I bought a bunch of them and I like tried to sniff some packets and it didn't go very well. So I like called Mike and said, hey, how does this work? Yeah, so before this research, Richo knew nothing about Bluetooth. At this point, he's starting to use the right words, not always in the right places, but he's making some progress. But so he purchased some Ubertooth and had no idea what he was doing. So I kind of guided him through the process. And so the way an Ubertooth works is it's got a microcontroller and a small radio on it that can be reconfigured to talk like Bluetooth or in this case, Bluetooth Smart, BLE.
So we've got some code in the repo for following connections, hopping along with them and putting the data onto the PC. So we fired these guys up and got some packets out of it. So the interesting thing about modern Bluetooth is that its crypto is pretty good. The interesting thing about this electric skateboard is that they decided not to use it. Go team. If they had actually used it, everything we're about to show you would have been a lot harder. So yeah, that was a poor choice. So because of this lack of crypto, we were able to look at the packets directly and start to try to understand how this board worked. So BLE uses a protocol called GATT. It's a handle-wise communication. You can kind of think of it as a key value store. And normally it's like you make a request, you get some data back. That's not actually how they used it if you take a look at the next slide. So this is what we first got when we dumped some traffic straight off the board. And so this is going to be a little bit hard to see. It's not super important. The part that I have highlighted there is actually the value. So like inside of like a BLE frame, there's like a header and then a product and there's a bunch of chunks of data. The value is basically like the payload that gets actually seen at the application layer. And this one says RC021F2. That's ASCII. It is ASCII. Everything is ASCII. It turns out their entire protocol basically just talks ASCII on the wire, which is sort of bizarre for talking to an embedded device. I guess like most people would use like TLVs or just fixed-width messages. But it turns out like ASCII is awesome because instead of having to like look at these magic numbers and try and work out what they do, like most of them actually say it right there on the tin. And so we missed a lot of them when we were first trying this. Mostly because of the sheer amount of noise that these, this is a throttle packet.
Because of the sheer number of them, if you're kind of just like spelunking through a Wireshark, it's sort of hard to find anything else. But so we, you know, we drank a bunch of beers and kind of pored over Wireshark for a couple of hours. And we discovered that it talks this simple duplex protocol where the controller sends messages on the handle 0x1A. And it reads the responses back from 0x1C. And so having pulled the board apart and actually just like looked at it, we know that this is a BlueRadios part that basically exposes a serial port over Bluetooth. But, but not an actual Bluetooth serial port, which is a thing that exists and they did not use. So this is like the first batch of messages that we got. We had like, we took like a five minute capture of just like, you know, fiddling with the board a little bit. The firmware that we did this research on, which was current at the time, has a beginner mode and an expert mode. And beginner mode, it's not very fun. And an expert mode, it's a lot of fun. But so there is these AC0 messages which let you control the speed, fuel, which lets you ask it how much fuel it has. And it will respond with gauge one through five. Fun fact, we looked at it and we're like, one through five, huh? We send it gauge nine, just hoping the thing would crash and we could call it a day. It doesn't do that. And it doesn't do anything. Rex spin RBGN for switching between beginner and expert mode. So like, this got us as far as like, we know the language that the board talks, but like, that didn't get us as close to actually talking to it as we thought we would. So, yeah, Bluetooth is actually a little bit complicated if you're trying to do really basic stuff. So we've got some old school tools for trying to speak Bluetooth. So, Ubertooth's transmit support, Richo generously described as minimal. I would describe it as non-existent. BlueZ is Linux's official Bluetooth stack.
It's pretty good, but it's a little bit complicated to do the right thing and actually quite challenging to do the wrong thing. Yeah, BlueZ has this like, bizarre fascination with sending like, valid packets that actually are as long as it claims they will be and kind of just like doing other things the spec mandates, which isn't very fun. So we were trying to do some work in this old system and we realized it wasn't going to work out. So instead I dusted off some code that I had written in some previous research for fuzzing Bluetooth. Originally I thought, oh, I'm just going to, you know, send some data to this Bluetooth dongle and like, fuzz like, man, that's how it works, right? Yeah. Just like, convert some zeros to ones and stuff. Actually, in the process I accidentally a Bluetooth stack and that's PyBT. And so we implemented a bunch of stuff on top of this. And so, I mean, for me coming in as an outsider and like, I mean, if we're on a still not knowing a whole bunch about Bluetooth, you know, PyBT was actually like remarkably usable. It kind of reads like pretty idiomatic Python that also just like happens to send messages on the wire. And in contrast to when I was like desperately hacking on BlueZ and like the inscrutability of whether or not my code was even running, made PyBT like this kind of like welcome change. So we actually sat down, we reverse engineered this protocol and we coded up some PyBT code that could actually talk to the board in the language it wanted to and we successfully spun the wheels. That was a very exciting moment to see the wheels spinning up to maximum speed. Because we'd already committed to talk about it at Kiwicon. And the wheels continuing to spin even after we hit control C. So anyway, you know, we like patted ourselves on the back, we were like great, we can talk to the board. But so the trick is that like Bluetooth will only allow one device to be connected at a time.
And this is problematic because people typically bond the remote to their boards. It's kind of the whole point of the thing. And so that meant that, you know, it wasn't immediately obvious how like, given that Mike is riding along on his board, like how do I get control of his board and you know, I can mess with it. So I was like thinking back to getting thrown off at that intersection and I was like, well, you know, obviously there is some amount of noise that if you make it, like everything stops working. And so I went to Mike, naive as I was, and said, Mike, why don't we just jam Bluetooth? So it turns out jamming, it turns out jamming Bluetooth is actually really challenging. It does a bunch of things. We did not kind of consider that outcome. No, that's categorically the right response. But so we were thinking about it and we're like, great, we will just like make so much noise that like literally nothing can talk. And then like hopefully in the confusion, we can like sneak in and do a thing to the board. And so it's jamming Bluetooth is not actually that easy. Yeah. So Mike is like, it's not that easy. And he maintains that he never said impossible, but he definitely said to me that it was, and I quote, literally never going to work. So, you know, we kind of did some yellow science that looked a little bit like this. It also looked a bit like this. So this is a spectrum analyzer showing all of 2.4 gigahertz ISM. Ordinary Bluetooth connections are going to use all of the entire spectrum, but for very short periods of time. So using a HackRF, we just configured it to shout a bunch of noise in the maximum possible bandwidth that it can, which unfortunately is only limited to 20 megahertz, which math is hard. Is that a fifth? No, it's a fourth of the spectrum. Yeah. Math. So that didn't work. So we... Hey, how are these guys doing? So, you know, I figured it was appropriate because these things have wheels. We also have one of the, one of the Tesla crew up here.
This is Jeff. Everybody say hi to Jeff. All right. Now I don't know about this shooting Glenlivet stuff, but we're going to give it a try. What do we do with new speakers? He says that was pretty lame. What do we do with new speakers? Okay. I heard a few other choices out there, but we're just going to do a shot. Thanks. We do not kill the speakers. Oh, you need it. Gentlemen, Tadafkan. Tadafkan. Well, thank you. All right. Yeah, shooting Glenlivet. Nothing quite like it. Yeah. No, please give that back. Where's the guy who's riding the skateboard? He really needs to drink. Yeah, actually, can we get someone to give a shot? I think we should get someone to give a shot. I think he needs to drink a shot. I think he needs more than one. Everyone meet Dominic. Dominic is probably going to get hurt for your entertainment. Dominic has made some exceedingly poor life choices leading up to this moment. Everybody say goodbye to Dominic. Yeah. Give it up for Dominic. Yeah, it burns. Not the good way. Anyway, as we were saying, so we had our narrowband or our officially supported configuration of HackRF doing this. We just had to do a little bit of this. Um, we took the kid gloves off, wrote a little bit of custom firmware to disable some filters and just absolutely scream as much noise as possible. Doesn't matter, we're trying to do bad things here. That also still didn't work. And so, you know, I was talking to Mike and it was like it was like they literally designed the protocol to stop us from doing this exact thing and Mike was really getting sick of me offering suggestions at this point. So, we went back to the drawing board...
So I actually had done a little bit of Bluetooth jamming in the past. But it's easy to jam connections as they're being created. It's a lot harder to jam already existing connections. But I was able to work on some old Ubertooth code for doing promiscuous mode, recovering connections, and then throw and sprinkle in a little bit of magic to jam those guys. And that actually turns out to be quite effective. But the problem is promiscuous mode works by capturing a bunch of data. Oh man, that scotch messed me up. You can do it Mike. I believe in you. So there's a lot of state that you have to recover from the air in order to actually follow a connection. So we have to capture the access address which is probabilistic and the least reliable part of this process. And then after that you have to capture the hop interval and the hop increment so you know which channel it's supposed to be on at any given time and what order the channels are traversed in. So we coded this up and it looked a little bit something like this. Yeah, that's a little, this was surprisingly a lot more effective than the previous things. And so I mean in case it's not clear, like the bottom graph kind of like, if you look at its magnitude like it looks lower than the top. But specifically in that top chart it's like the red parts is when the radio is like screaming its little heart out. And the reason that it's kind of like got this stepping pattern is because it's successfully recovered like what frequency the other radios are on. And then it like just jumps along with it being like, ah! And then no one else can hear anything. And then we win. Which brings us to, hi Dominic. Yeah, so Dominic's never actually ridden this thing before. Where's this thing on? All right, so the plan is we're going to set up these three jammers here. We're going to configure, I wrote a REPL for the Boosted board. I'm going to wait for a hapless skateboarder. I'm going to jam his connection.
I'm going to connect in the meantime. I'm going to do some stuff to it. Wait, I'm not ready yet. Yeah, oh yeah it does. So then I'm going to slam it into reverse and then Dominic is going to go flying. Would you like a cigarette Dominic? Perhaps a blindfold? He says tell my family I love them. Come on Dominic, let's do it. Man the demo gods are dicks. We have three for three jammers. Yeah, we tried this so many times in the green room. Just keep skating on your own for a bit. Come a little bit closer. Come on Dominic, come close. Don't be shy. You're being shy. Just go back and then come close. Fuck's sake, why are you doing this wrong? This is very embarrassing. Ah, it doesn't look like it. I hate live demos. I hate them so much. No, just don't hit it. Just instead of hitting it, just don't. Fuck you demo. I hate demos so much. This is really dissatisfying. Come on, go back and forth once more and then we'll quit and probably drink very, very heavily because this sucks. I don't think they're actually coming up cleanly. I agree. I fundamentally agree with you Mike. This should be working. All right, fuck it. Let's just pass me the board. I'll just flip it up and do it right close to the thing. Yeah, actually. No, it's actually jammed. Bye Dominic. All right. Well, that wasn't a roaring success but we tried. So we'll talk a little bit about what was supposed to happen and what actually did. We've kind of like historically had interesting times trying to jam things in new and RF noisy environments when we filmed the thing with Wired. One alleyway worked great, another one totally didn't. Evidently this alleyway is a lot like the one next to Wired's office. Yeah, it turns out people are using a lot of technology in this room. Stupidly. So anyway, he's got it. He was like really serious about using the clicker on this talk. No, I'm so excited to have this thing. It's amazing. So anyway, so we had a demo ready.
We actually, we concocted this like new demo the other day and we weren't sure whether or not DEF CON were going to let us get away with it and it turns out they absolutely were not. So as you probably gathered like one of the problems with this was that you need to be quite close to the rider. You know, if you're too far away it doesn't stick and you look like an idiot on stage. So we're like, how do we get close to the rider? So we strapped our exploit to a drone. And then we tethered Mike to the board because we were vaguely concerned about the board winding up over the edge of this hotel. So this is about where we turned on the jammer now. And so it turns out strapping a Raspberry Pi and a Bluetooth dongle and three Uberteeth and a whole bunch of other shit to a drone causes some weight issues. So specifically a drone that uses the 2.4 gig spectrum to communicate with its controller. This is not the best idea we ever had. Speaking of, so is Agent X around? Because he told us that like we couldn't do this because it's crazy. And it turns out he was dead right. This is a different thing that happened while we were testing this. It's really easy to get people affords. That was honestly one of the most terrifying things I've ever seen. A massive drone with four huge carbon reinforced propellers flying straight at you. So anyway, we reported these bugs to Boosted before Kiwicon last year. We got off to a pretty shaky start with them. They had never dealt with security research just before. I sort of hate vendors in general. But they were actually really surprised that they weren't using crypto. They were quite sure that they were. And we were like, oh, we are quite sure that you are not. So we like took a laptop and were like, yep, these are packets anyway. So we did wind up working with them actually quite closely towards the end. They've implemented a fix. Our exploit doesn't work on a version of the firmware that I assure you will be available soon.
They published a blog post yesterday saying it will come out soon. They'll just be testing it. Awesome. We fixed the thing. Go us. Yeah. Security research. Making the world a better place. I can't even say it with a straight face. So next on the hit list was Evolve. We didn't bring this one to Vegas because it's huge and unwieldy. So it has a better range than Boosted mostly because the entire thing is basically made of batteries. It's got this like very odd looking remote that instead of having a thumb trigger it has an index finger trigger which could work if they didn't use a really shitty potentiometer. But it's made of carbon so that makes it awesome, right? I used to race motorcycles. I took one look at this thing and I was like, yeah. And I got on it and I was like, hmm. So anyway, it's kind of neat. So a friend of ours lent us a board which should seem like a rookie mistake by about this point. And it says Bluetooth in a lot of places on their various marketing material. And we're super convinced that we're good at this by this point. So I get home with this board and I pile a bunch of Uberteeth on top of it and I'm thinking this ought to be easy. I don't even need Mike. I've learned everything I need to know from that joker. So we had the same harness we used last time. This is their slightly janky remote. Hooked them up and got exactly nothing. And that made me sad. I love packets. But so I spent a little while trying to work out whether or not it was just the environment again. I live in San Francisco in a giant concrete cube with a bunch of other startup hipsters. All of whom just fucking love Bluetooth things. And so when I was just sniffing without the board on, there was just so much noise going past. So by this point, he had sort of become desensitized to me giving him bad ideas. And I was like, why don't you come over and build a Faraday cage and then we'll just sniff out of that. It'll be fine. This is our Faraday cage.
It's a snowboard box wrapped in a single layer of tinfoil. Two in places. The terrifying thing is it actually worked pretty well. With the remote inside of the box and the board outside of it, the remote wasn't able to bond with it. And so we're like, great. So we're capturing all this data from inside it. And we're thinking like the Bluetooth ought to be in here somewhere. And seriously like still nothing. Like nothing at all. So we're kind of like puzzling over this for a while. And so I don't know if Moran is actually in the room. But so he's our dear friend who lent us a skateboard. And we thought we should probably pull it apart. And it's still unclear if we ever told him we were going to do this. So hi, Moran. If you hear, we pulled your skateboard apart. So this is the inside of the controller. So we looked up, it's kind of conveniently labeled RF part on it. And we looked up the name on the datasheet. And it was a little bit bizarre. It was this chip called the nRF24LE made by Nordic. And despite having LE in the name, it is not BLE. It is not a Bluetooth chip. Which like led me to ask some questions. So I mean this is kind of small. This is a bit bigger. This definitely is the word Bluetooth. And so I had some confusion about this. But so fuck, I went too soon. So it talks this thing called power thrust. Ah! Energy! No, it actually talks this thing called ShockBurst. With the trademarks, they're actually in the datasheet. And so we were like, ah! Okay, this is not Bluetooth. We don't know anything about it. That's weird. So I mean we're still at my place hanging out with that Faraday cage. And it was like, sorry. At this point we had also very clearly had too much beer. And so we didn't have a HackRF. Ubertooth was obviously not going to do us any good. Well, it could have done us good. But not the way they use the chip. And so we couldn't fiddle with this radio. But we did have the board pulled apart. And Richo like impulse buys shit all the time. Yeah.
So because I work at Stripe, I just buy things that Stripe merchants make for no reason. So I had this Saleae that I got as far as like sniffing some USB with once and then put in a drawer and never looked at again. So we hooked it up to the logic analyzer. And we like dumped a bunch of traffic. And we still got nothing. And we looked exactly like that shrug emoji at this point. We just had no idea why we weren't getting anything. Kind of an aside, don't yell it out because no one likes that guy. But if you come up to us afterwards and you can guess why this thing is strapped to the back of the thing, I'll buy you a beer. It appears to be a piece of foil tape. I've asked several different RF engineers what it's meant to be used for. And I got several different answers. It's fascinating. So anyway, we didn't get anywhere with the remote. And we thought, fuck it, we'll pull the other thing apart. Hey, Ryan. So the inside of the board is actually a little bit odd. About 95% of the surface area is taken up by battery. And there's this little tiny compartment in here that is just cramped as ridiculous. But we pulled everything out and we could trace through it. It's a bunch of off the shelf parts. Curiously enough, the RF module is not in that little compartment there. It is above the front wheel, which kind of makes sense from a design perspective. But it's just a bizarre design. It's kind of like they didn't know what they were doing. So they have this video on their website explaining how to fix a flaw in the like if your remote isn't bonding properly. And it involves sticking tape to stuff. And it's a little unclear like what they were doing at the time. Our hunch, given that it says Bluetooth but doesn't have any in it, is that they just shipped it off to a contractor or whatever. So anyway, ShockBurst, we did a little bit of reading on this simplex protocol. So it's like the remote yells at the board and that's kind of it.
Which is why we weren't seeing much data from the remote because there was kind of nothing to see. It's not crazy complex but it does have a nine member bit field in it just to make everyone who's ever tried to implement a harness for it really miserable. So we went ahead and looked at this. We knew we weren't going to be able to use an Ubertooth to poke at it. So instead we looked at Travis Goodspeed's Next HOPE badge which has the radio version of the nRF chip that was in the remote. And I was looking into this, googling around, trying to figure out how to recover some of this data. And I found out that Travis had already done exactly the thing I was trying to look to do. He also wrote a very thorough blog post about it and had a bunch of code in the GoodFET repos that do exactly the right thing out of the box. So high five Travis for making my job really easy at this point. At this point I cracked a beer for a job well done. So we additionally wrote some code to actually sniff Evolve using this device, a little bit of code on top of GoodFET. And at some point perhaps I will actually send in a pull request for that. So like we said, we didn't bring the boards to Vegas. We came up with this like workable jamming attack but it wasn't really that amazing. We kind of figured it wasn't worth like taking time out of talking about packets and shit. But beyond that there was sort of nothing to do. The board just like didn't know how to do enough stuff for it to do mean things to it. Unlike Boosted which had like a bunch of like hidden functionality for us to fuck with. This thing had like a throttle and that was it. So we successfully jammed it. We like made one roll down the hill on the contrary. So anyway, so that brings us up to the Ego which I mean if you come up after the talk you can see that it looks almost exactly like a Boosted board. This one also says Bluetooth all over it and in fact has a smart phone app that communicates with it over Bluetooth.
So you'd figure at this point it's got to be Bluetooth, right? Which means you can probably see where this is going. So Richo pulls out a couple Uberteeth and at this point still doesn't actually know how to use them properly. But there's no shame in that mind. So he attempted to sniff it. He didn't see any packets and we still were just at a loss. What the heck is going on here? So like the next thing I did was you know I was attacking the remote because that was kind of like you know the thing that we're really interested in digging with was like the default configuration of the boards. But you know they did say it had the smart phone app. So I downloaded it from the app store onto it and I think and I like turned it on and it said searching for a device and like still nothing. And then I was looking at the board and there's this dinky little switch on the side and I've since lost the grommet but the grommet on it said BT slash Wi-Fi. And I was like no. Surely not. No one would build a skateboard that talks Wi-Fi. That would be crazy. So it actually turns out they didn't. As with all of these things like they just put words that don't mean the things that are inside the boards on them. So I looked at the smart phone app because I was kind of wondering whether or not like as the board I could like dig with people's phones and like exfiltrate like address books and shit like that would have been tremendous. And there wasn't a whole lot in there. It does turn out that iPhone Bluetooth is crazy hard to jam there. Yeah so iPhones talk to the Bluetooth chip and tell it to avoid the channels that are being used by the Wi-Fi connection and some of the LTE connections. So they don't use all the data channels and the promiscuous mode jammer that we talked about with Boosted which worked super well didn't it guys? That one doesn't even work at all with Ego running on iPhone. It's just there's too many unfixed variables that you can't recover.
So we went back to the remote because like it definitely, I mean like it works. It obviously talks something. So we like had a good look at it and we're like what even does this thing talk? So you're based on the position of the phone, it's Bluetooth and paired with the remote. It's the shrug emoji again. So we like pulled it open as we want to do. And we identified the radio part kind of except it had the serial number scratched off. Yeah and it's kind of unclear whether or not this was an obfuscation technique or just like damaged in shipping. But so you know we were at this for a little while and then we had this like pivotal moment where Mike offered maybe the single-handedly biggest contribution to this research. So this is a HackRF PortaPack which is, do you want to explain in a bit more detail? Yeah the PortaPack is a shield that sits on top of the HackRF and has an LCD and a jog wheel and basically turns it into a handheld radio and for what we used it for is a wideband spectrum analyzer. And so we're looking at the trace. I don't know if you can hear this. That's not Bluetooth. Ladies and gentlemen it's not Bluetooth. But so we started digging into it a little bit further. And so using the HackRF in the regular HackRF mode we pulled a packet off the air and it looked something like this. And it's kind of hard to see on here but if you look at it closely you can see it's FSK. So one frequency for zero, one frequency for one. And we were actually able to do a little bit of GNU Radio and demodulate that into something that we could actually look at and count the bits. And so using this we were able to recover the FSK offset and the access code used to identify the packets and the bit rate. And so using all that we could later plug that stuff into something like an Ubertooth so that we could sniff it. But before we could actually get to this point we had to fire up GNU Radio and connect a bunch of boxes with a bunch of lines.
I don't know if anybody in this room has actually used GNU Radio, but it's quite difficult to work with, especially if you don't know anything about DSP. Kind of felt like this when I was using it. But in any case, we could actually see the packets. We could see how frequently they were occurring. And so we could also... wow, these slides are way out of order. Yeah, this is my fault. So we had our... we had... yeah, that'd be great, thanks man. So at this point we had actually plugged all this stuff into an Ubertooth and we could sniff individual packets on individual channels. But the device used different channels, and the time between packets on a single channel we could measure, and we could also measure the time between packets on a different channel. So we could try to identify all the channels that it was using and then we could also figure out the hop order between those channels. So first up is this histogram here, where I sat on a single channel and measured the time between consecutive packets using the high resolution timer on the Ubertooth, and you can see they cluster very neatly into these buckets that are 44 milliseconds apart. So on a single channel you always get two packets 44 milliseconds apart. And then next up you can actually see three of the four channels that it uses here, and the first packet, the second packet, and the third packet, and it turns out there's 11 milliseconds between those guys. So we had found out that there were four channels that this thing used and the time between the three channels was 11 milliseconds. Guess what the time between the next channel was? 11 milliseconds. So at this point we had actually black-box reverse engineered the way that the protocol hops through the channels, the channels that it used, and we actually have some code in Ubertooth to do all this. So I think this says upstream. I'm not sure if we've actually pushed this yet.
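The timing analysis the speakers just described, as an added example that is not their code or the Ubertooth project's: it histograms the inter-arrival gaps seen on one channel into 44 ms buckets, recovers the base hop period from them (treating longer gaps as missed captures), and divides by the 11 ms inter-channel slot to get the channel count. The timestamps are constructed to match the figures quoted in the talk, not a real capture.

```python
from collections import Counter
from typing import Sequence

# Constructed sample timestamps (milliseconds), shaped to match the talk's
# figures: same-channel packets 44 ms apart, adjacent channels 11 ms apart.
# Not a real capture.
SINGLE_CHANNEL_MS = [0.0, 44.2, 87.9, 176.1, 220.3, 308.0, 352.2]  # two packets missed
CROSS_CHANNEL_MS = [100.0, 111.1, 122.0]  # first packet seen on three consecutive channels


def inter_arrival(timestamps: Sequence[float]) -> list[float]:
    """Gaps between consecutive packets, in the input's unit."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def histogram(deltas: Sequence[float], width: int) -> Counter:
    """Bucket the gaps into bins `width` wide, like the histogram on the slide."""
    return Counter(round(d / width) * width for d in deltas)


def base_period(deltas: Sequence[float], tol: float = 2.0) -> float:
    """Smallest spacing that every gap is an integer multiple of (within tol).

    A missed capture shows up as 2x or 3x the true spacing, so the shortest
    gap is the candidate and every other gap must be a multiple of it.
    """
    candidate = min(deltas)
    multiples = []
    for d in deltas:
        k = round(d / candidate)
        if k < 1 or abs(d - k * candidate) > tol:
            raise ValueError(f"gap {d} is not a multiple of {candidate}")
        multiples.append(d / k)
    return sum(multiples) / len(multiples)  # average out timer jitter


def channel_count(period: float, slot: float) -> int:
    """Hop period divided by the per-channel slot gives the channels per cycle."""
    n = period / slot
    if abs(n - round(n)) > 0.1:
        raise ValueError(f"{period} is not a whole number of {slot} slots")
    return round(n)


def characterise(single: Sequence[float], cross: Sequence[float]) -> dict:
    """Run the whole analysis and return the recovered hop parameters."""
    period = base_period(inter_arrival(single))
    slot = base_period(inter_arrival(cross))
    return {"period_ms": round(period, 1), "slot_ms": round(slot, 1),
            "channels": channel_count(period, slot)}


if __name__ == "__main__":
    print(histogram(inter_arrival(SINGLE_CHANNEL_MS), 44))
    print(characterise(SINGLE_CHANNEL_MS, CROSS_CHANNEL_MS))
```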
We're going to, like, get all the code out kind of in the next couple of days coming out of this. So, like, great, I mean, we already know a bunch of stuff about making lots of noise with Ubertooth. Like, why don't we have a stab at jamming this thing? And so as we mentioned, this thing doesn't have a reverse, which makes it kind of like... We're going to talk about the jammer first, Richo. So this is what our jammer actually looks like in practice. You can see the first packet, so the jammer works by listening for the sync word of the packet and then, instead of receiving the data, it turns around into transmit mode and spews out a bunch of data, then it hops to the next channel, waits for the sync, spews out a bunch of data, and if you do this for a while, after about half a second the board gives up and it loses the connection. Sorry. This time it'll probably go way better. So I'm going to spin the wheels here and Richo's going to drive the jammer. So as we mentioned, the thing doesn't actually have a notion of reverse, which is impractical because it means we can't throw people off directly without what we're about to do. One thing we can do though... Oh, you have to be shitting me. Nothing, Mike. Nothing happened. All right. Exactly. And so finally this thing stuck. Normally it's a lot quicker than that. But we're able to remotely disable the brakes and the throttle on the board, meaning that if you just grab someone on the way past the hill, they're now just on a mechanical spear. Hey, let's run this one again. Every time, 90% of the time. Oh, yeah. Hey, we had a slide for that demo. Yeah. No, it's out of order again. Nice. So yeah, I mean, we kind of ran into the same issues that we did with Evolve. We looked at it and it was really fun to dig with, but by virtue of the fact that its only interface was just, like, take messages off the wire and pass them to the motors, there wasn't a whole lot that we could do with kind of interfering with other functions of the board.
It also means that it's extremely unlikely that the vendors will be able to patch against these things. Yeah, demo slide. Anyway. So right towards the end, we were kind of working on this thing and we thought, you know what, fuck it, there's probably some more stuff in Boosted. And since the very start of this research, I just wanted a shell on a skateboard. That's the thing that I wanted. So we got to thinking, what if we could execute arbitrary code on a skateboard? And so we pulled the board apart. We knew that it was using this particular chip. We didn't have much luck trying to find debug ports in the first case. But, like, as we started to dig into it, we actually found them later. But a couple of months after we started this research, Boosted released an app. And if you look at the bottom there, it says there's a firmware update available. And we're like, huh, neat. So we were like, great. Firmware update facilities are pretty good. It's probably a good way for us to, like, get some code, have it executed. Sounds like fun. So we took one of the boards. We dumped the Bluetooth traffic that was heading between the phone and the board's Bluetooth interface, as well as the HTTPS traffic between them and their back-end server with Burp. And then, kind of stitching this together, we figured we could probably work out both how to send firmware to the board and what the firmware actually looks like. And so, a lot of hours later, we'd finally stitched together a firmware blob from a combination of these two things. And, you know, there were some slightly quirky things about it. The strings had a bunch of weird interior nulls. We got ourselves a list of all the possible things you can do with the board. Interestingly enough, you can get the Git revision, ping it, get its current version. The numskull command, our favorite. I worked out what it was, finally. It's the number of skill levels it has. But so with this in mind, I threw together a REPL.
That lets you interrogate all of these facilities. And in doing so, our dear friend Nico also worked out how to unbrick a skateboard when the inevitable happens. So this is where I'm going to throw the REPL up after the talk. But so finally, we wanted to know, like, how do I actually get new firmware on you? That's the key thing that we really wanted to do. And it winds up being a protocol that looks a little bit like Intel HEX. So this is the firmware that we unpacked to hex. And this is a Bluetooth packet. They're exactly the same bytes. And just before that, we discovered these, like, extra four commands. And so BTLD actually says, like, give me your firmware. BBLC, like... so BBLD accepts a region. BBLC says, like, give it to me. BBLR is the thing that we're really interested in, which is, like, how do we actually move the blobs around? And SND is just, like, a sigil for the end of the thing. So we're like, what do we do with this, right? I mean, you could probably do something shitty to a rider. I mostly just, like, believe in owning my own hardware. I feel like maybe my board should go faster. Unfortunately, at this point, we broke the board. So we're down to one minute. So we're going to briefly talk about the golf board, which uses the exact same stuff and has really hit people riding down golf courses. We didn't get a chance to hack one of these because it was really inconvenient for us, because neither of us actually plays golf. But it would be interesting to play with these. I want someone else to do it, basically. Who should hack a golf board? So, throw out some greets and thanks. Thanks to Nico, who, like, did a lot of great stuff for us, helped us out with the hardware and the drone. Marine, for poorly choosing to lend us something and then having us take it apart. Jared Boone, who helped us out with the HackRF, with the PortaPack, at the 11th hour. And Safe Hex, who is going to come up as they're escorting us off the stage for running over time.
And finally... Yeah, so I really want to shout out, in the sense that they didn't try to ruin us financially, but also that they were extremely cooperative, listened to us, and then subsequently implemented a fix. And if you're going to buy an electric skateboard, buy a Boosted board. So finally, this is kind of the stuff that we worked on. We're releasing everything. It'll be up in the next couple of days. We'll tweet the links to these slides and to all the resources. Thanks for having us.