...going to get started. We are going to talk about how your car isn't. My name is BitBang; there are also some who call me Tim. I am a largely recovered software developer. I spent most of my career writing embedded systems for planes, and the types of planes that you fly from the ground, and cars. Somewhere along the way I've become a hardware guy. Still not quite sure how that happened, but people keep asking me questions about hardware and I know the answer, apparently. So I've been doing that a lot recently, and I still get a bit twitchy around a certain aircraft.

All right, I'm N2. In meatspace most people call me Mitch. I am also a recovering software developer. I'm not quite as recovered as Tim is, but getting there. I've had a passion for embedded development for a long time, but for many years I was paying the bills doing web dev. It's a lot more fun breaking stuff, so that's what I do now, full time.

So this is your car. This is what it looks like now. There aren't things like carburetors. You don't replace your jets and tweak your idle screws to tune your car anymore. You do it a little bit differently these days. Your car is actually a network: a bunch of different components connected over, typically, CAN bus, and other types of buses that we'll talk about later. And actually we lied again: your car isn't a network, it's a whole bunch of networks. There's a bunch of stuff on there like CAN, Ethernet, LIN; there's wireless: Wi-Fi, Bluetooth, cellular radio, wireless for your tire pressure sensors. They're going to be putting another radio on there for autonomous driving called a DSRC radio. I just see attack surface. So, they're just networks. We've been protecting and working on networks for dozens of years now. We know how to do that. No, not quite. These are not the networks you're used to.
So there's a bunch of standard techniques that used to be employed, and are still employed, for standard TCP/IP networks that don't work on CAN bus for a variety of reasons, which we'll talk about now. CAN bus has a tiny payload: it's 8 bytes in a packet. Now there are standards like ISO-TP that allow you to send more traffic on the CAN bus, but CAN bus is also slow. About 500 kilobits per second is typical in a car. And there's a lot of data on a CAN bus. If you hook into a CAN bus (we have our demo out in the Car Hacking Village), you can hook into the bus and see the traffic. There's a lot of stuff going on there, and making it longer and making it take longer to process isn't always an option. Your processors on a lot of these ECUs are 8- or 16-bit micros with, I can count the flash and RAM on my fingers in kilobytes. Very, very small processors. It also makes things like authentication hard. A lot of these things are also very safety critical, very time-sensitively safety critical. So if you add a bunch of overhead to do authentication, add a bunch of overhead to do your encryption, all of a sudden you can't hit your timing requirements for safety anymore. You also have the question of protecting the keys. We actually give cars to people. I don't know how many of you realize this, but everybody who owns a car owns a car, and they have access to all these things that are in the car, and if you're going to ship the key with the car, it's only a matter of time until somebody rips it out of there.

Traditional networks use things like firewalls. They tend not to work quite so well in a CAN bus network. If you have any sort of message passing ability, lots of the time the messages which are normally passed in the course of normal operation can be used against you. So on most vehicles there's some sort of diagnostic methodology where you can actually pulse the ABS modulator to bleed brakes.
That's a normally allowed message, so it gets through a firewall. On the CAN bus there is no way to determine what node on the bus is sending a message. So once the message gets on the network, it's indistinguishable from any other node's messages. If the message can ever appear on the bus, it's basically forced to be treated as valid. So, an intrusion detection system, something a little bit smarter than a firewall that's able to say something like, "Hey, we're trying to bleed the brakes and we're going 70 miles an hour down the interstate. This probably shouldn't be happening." And while I'm not denying that this could be a part of the solution, what do you do? I mean, you can't just disable the ABS module, because you kind of need that. You can't just pull over to the side of the road, because that might not be a safe thing to do at the moment. So there's a question now. You have this IDS that alerts you, which is great, but what do you do about that? What do you do with that alert? It's like a check engine light. You're going to take it to the mechanic in three months and see what's up with that.

So what can we do? Segregating networks is a great first step. You can't hack or influence what you can't talk to. So if you have dedicated buses for just talking between the power steering and, I don't even know what needs to talk to the power steering most of the time, usually the engine controller for speed-related messages, there's a lot less attack surface on the bus. If you can't talk to your brake module from the head unit, then no one who gets into the head unit from some sort of internet connection can apply your brakes in the middle of driving. Just good things. Having some sort of internal sanity checking on each module: so I'm going 70 miles an hour down the highway; maybe now really is not the right time to try and bleed the brakes.
Some of these we're starting to see in modules, not as much as we might hope. For all of these, it's just a part of a broader solution. The end solution is probably getting rid of CAN altogether, but eventually, maybe. That's going to take a while.

So what does it mean to hack a car? Is this car hacking? This is actually more expensive than a lot of forms of car hacking that we're going to talk about. Those things probably cost 20, 30 bucks apiece. I mean, that's a lot of money going into that Audi there. Hacks are cheap. No, they are not. So hacking a car, what does it mean? That depends on who you're talking to. Who's doing the hacking? What systems are in scope for the hacking that you're doing? What are your goals? For the modder community, they're trying to get into the ECU and do some performance tuning. That's the hacking that they're doing. There's nothing malicious about it; they just want their car to go a little bit faster. There's plenty of other things that we're going to talk about too in a couple of slides. So hacking a car can mean a lot of different things. Like Mitch alluded to earlier, a lot of stuff that we found is diagnostics left enabled on ECUs that can be enabled at times that would be somewhat inconvenient for the driver, like the brake bleeding at 70 miles an hour. Sending CAN messages to control the vehicle, doing enough reverse engineering on the CAN bus to figure out what different messages do. Taking over the infotainment system via the internet or SMS. This is kind of getting more into your more standard Wi-Fi type hacking, where the infotainment system is a full-fledged operating system. It's Windows CE, QNX, Android, running Wi-Fi, running Bluetooth. This is a lot of attack surface.
A lot of, but very quickly becoming very well-known, attack surface. And by the way, these are also almost always connected to the CAN bus. Now, the segregation is actually happening. We're seeing it happen in the real world: the infotainment, which used to be on every CAN bus, is now only on a couple of them, which is great. Especially isolating it from the safety critical systems is something that we're seeing happening now. So now you still have to pivot off something, because there are things that are connected to both CAN buses. You've got to find a device that's also vulnerable to compromise to pivot then onto the bus that you want to get to. And I mean GPS; a lot of the cars have built-in microphones for your cell phone; using the TPMS sensors, which all have a unique ID, to track a vehicle. Lots of other concerns as well. And all these different types of hackers, with different goals in mind, are going to employ various of these and other attack methods.

Something that's useful to know when you start actually looking at hacking cars is that the OEMs, so Ford and Nissan and Volkswagen, they don't make cars. They put them together. They subcontract construction of pretty much every assembly in the vehicle. The primary subcontractors are called Tier 1s. Tier 1s employ Tier 2s, who employ Tier 3s, many levels deep sometimes. When you're dealing with security requirements, there are some high-level requirements that the OEMs specify when they're designing the car: this must be secure. Who knows if those actually get implemented down the line. Some of the stuff is really hard to verify experimentally. And as we mentioned, the relationship between OEMs and their Tier 1s and their Tier 2s and their Tier 3s isn't always necessarily a completely healthy, open and honest one. Which in some ways makes sense.
I mean, these Tier 1s are working with more than one OEM. They have their secret sauce that makes their stuff better, or so they put on their marketing glossies. So they honestly don't want to just give the OEM complete access to all of their source code, all their information, because they could lose out on competitive advantage that way. So now that's the question: what exactly do you do about that? There's a lot of project manager chicken being played. Yes.

So who's doing the hacking? Like I mentioned, modders. They want to add cool features. They want to make their car go faster. They want to turn their LEDs blue instead of yellow in their car. All those very vitally safety critical features in there. Security professionals. I hack on cars too. What to protect, and against what? Like, what's actually important? Where should the focus be put? And how do we address some of these fairly complex issues that face the automotive industry? Exploitation engineers: code execution. Like I said, these are often very, very small micros. They're not running an operating system. There's no data execution prevention. There's no ASLR. You find a buffer overflow, you simply put your shellcode on the stack, overwrite the program counter and jump to it. It's back to the '90s in terms of security, because these small processors that are in use just don't have these features, or there is no operating system in use to add these features. Organized crime. This is actually the one that kind of keeps me up at night. It isn't so much, you know, Fast and Furious 8 hacker taking over the world and crashing all the cars into each other all the time. It's more targeted stuff: targeted assassination.
One of the saving graces of the automotive industry is that there is so much difference in cars. Every car has different ECUs. Even between model years: what you find out on a 2012 Focus, like what we have out there, might be different, at least in some critical ways, from a 2013 Focus. So the hack that hacks all the cars just isn't going to happen because of that difference, but the hack that hacks one car is a lot more in reach. And of course, nation-state level stuff that I'm not going to get into. In terms of organized crime, larger crime rings are starting to figure out: oh, I can actually use relay attacks to do a remote (not replay, relay) attack against most keyless entry dongles and steal cars that way. It's actually pretty easy. I think there was a good talk on it last year at DEF CON. I'm not sure. Yesterday; I missed that one.

So how are all these various people hacking into cars? There's a lot of different interfaces you can actually get into. All of these are networked at this point. Your OnStar uses a 4G AT&T connection that's always on. The Uconnect system is on Sprint. I don't actually know off the top of my head what other cell networks the other OEMs use, but most modern infotainment systems will be connected to a 4G network somehow. There's much lower level debug interfaces. You've got JTAG and SWD interfaces, if you can actually take the time to pull a module out of the car and tear it apart. If you have an active debug peripheral, you can dump whatever firmware you want most of the time. Even if you don't have a debug peripheral, there's other buses you can attack. If you want to reverse engineer the operation of subcomponents, you've got SPI, I2C, and UARTs, which are commonly used to talk between modules on the same board.
Firmware updates are less secure than you might hope. I don't think I've yet encountered a submodule, other than head units, that uses code signing or any sort of decent integrity checking. There's lots of different radios on your cars. Even your FM radio, just listening to FM: if you take a look at your head unit, it'll display station names and track names. That's done with a system called RDS, the Radio Data System. In addition to just displaying short strings of text like that, there's an entire subsystem for distributing traffic messages. On my car, at least, that's the method used to add accident indicators on the navigation system. And if you get really dedicated, you can start decapping chips to try and break into hardware security modules. General analysis is a lot of fun, too. Yes it is.

And car hacking doesn't have to be all that expensive. The CANtact and CANable are, what? If you want to build your own CANable, I built them in 15 quantity for, I think it was eight bucks each. That's pretty cheap. So the CANable and CANtact are an open-source hardware CAN adapter built around a small STM32 microcontroller. The default firmware exposes it just as a UART using a standard CAN protocol. They're really basic hardware, but they work really well. Yeah. I have a bunch now. Then you can do software defined radio. These are obviously a little bit more expensive, but still pretty reasonable. A bladeRF or LimeSDR is three, four hundred bucks. You can do a whole bunch of different types of wireless hacking with those. In addition to your standard Wi-Fi: your laptop has a Wi-Fi chip, it just uses Wireshark. For the more esoteric ones, like your TPMS sensors, the SDR works really well for that.
There's also the YARD Stick One and the PandwaRF, which are slightly less capable than an SDR like the bladeRF, but still definitely quite useful. The YARD Stick One was used in the RollJam attack against your car's key fob, which is a very interesting attack. They're less capable, but they're a lot easier to use. That too. If you want to use SDRs, the most common way of interfacing with them is with something like GNU Radio Companion, which is a very complex flowchart-based radio setup tool. The YARD Stick One and PandwaRF are all in hardware, so it's configurable and it does multiple modulation types and encodings, but you set the hardware up and you just do the data transfer. It's much simpler to use.

Is that my question? Yeah, the CANtact USB to CAN. Okay. So you're saying those are actually cheap to make? I'm seeing the ones for sale for like $3.95 or $2.90 a time. All the commercial ones are way overpriced. If you want to pay Vector that much money, then go right ahead, but you really don't have to. So the CANtact, I think the website is cantact.io. I'm not sure; if you Google it, you'll find it. It's a unique project. If you Google CANable, you will get Google auto-correcting it to Cannable, and that's not what you want. But if you actually tell it to search in verbatim mode, you'll find the right project. They're based on the same schematic. CANtact was a project from Eric Evenchick, who writes for Hackaday. It's literally just a microcontroller that has a crystal on the side and a CAN transceiver. It's super basic. The one thing you don't get in this sort of hardware is any sort of galvanic isolation. Some of the more expensive CAN adapters will actually protect your PC from high voltages that the CAN bus might experience if something goes wrong.
These are just directly connected. I've never had a situation where that's important, but it's something to be aware of. Yeah. Still, a CANtact and a USB hub is a lot cheaper than anything you buy from Vector. Yes.

I also have the CanCat. That's a tool we've developed in house. It's an Arduino Due with open-source firmware. If you want to see a demo, we have it at our car hacking lab out in the Car Hacking Village. Slightly more expensive than the CANtact or CANable, but it also has two CAN transceivers on it. So CanCat supports what we call CAN-in-the-middle mode, where you can isolate a device, basically using the two CAN transceivers as a pass-through, and you can also do filtering or modification of messages, or block certain messages, or whatever you want to do to screw with it. It's also really nice to have a source address. You don't have a source address as part of the packet, so if you don't know which device is sending a message, you can use that to isolate a specific device and then see which messages that device is actually sending. Otherwise the CAN bus is just nothing but messages going back and forth and no idea where they're even originating from.

Macchina M2 is a Kickstarter project. I think they're going to start shipping in a couple of weeks. Yeah, it's going to start shipping in a couple of weeks. It's also based on the Arduino Due, and our CanCat firmware runs on it. Same deal: you get two CAN transceivers. You also get, what do you get on it? It does 12 volt I/O. It has single wire CAN, also called GMLAN; it's used for lots of the lower speed communications in GM vehicles. It does K-Line. Basically, if it's a protocol that a car speaks that isn't automotive Ethernet, it'll do it. J1850? I think it does J1850. Yeah. So, a whole bunch of stuff, especially if you have an older car you're hacking on.
Modern cars mostly just have CAN, and single wire CAN if it's a GM vehicle. If you're hacking anything before about 2008, though, then the Macchina's awesome for that, because it has all of these protocols that aren't in so much use anymore but were in use on those older vehicles. It's a great tool for that.

And what's the fun in giving a talk if you don't actually introduce something new? So over the past couple of weeks I put something together we're calling CanFly. It's based on the ESP32. Has anyone heard of the ESP32? It's an IoT-targeted module. It's got built-in Wi-Fi and Bluetooth; it does both Bluetooth Classic and Bluetooth Low Energy. It has a CAN transceiver on it, thankfully. It has two 200 megahertz processors. It's a little bit of a weird architecture, but the tooling is a lot better than it was a few years ago, so you can actually run a modern GCC on it, which is great. No crappy proprietary compilers. The way the CanFly uses the hardware is it exposes a Wi-Fi access point which you connect to, and then, at the moment, the only protocol it supports is the Metasploit hardware bridge, because that seemed like an interesting place to start. The Metasploit hardware bridge is fairly new. If you see Craig Smith around, he's put a lot of work into it. Soon: you're working on adding support for our existing tooling for CanCat, and I'm working on putting together a SocketCAN adapter so you can use it with whatever SocketCAN stuff in Linux you might want. But the main advantage of this is that it's really cheap. Being an IoT-targeted module, the ESP32 you can buy for $1.50 from AliExpress or several other Chinese sites. And then all you need in addition to that is a CAN transceiver, which you can find for as little as $1.50 on a breakout board with all the bypass caps you need. So this is what the hardware looks like.
It's not terribly impressive, because it's really simple. All you have is the ESP32 module. You've got the CAN transceiver hanging out in the middle of the screen, and then I have it hooked up to an OBD-II connector. The only other thing you need for this is a 5 volt power source. Did you have anything you wanted to say? It's usually supplied over a micro USB cable on most of the ESP32 breakout boards. Yeah, for most of my testing so far I've just plugged it into a USB power bank and let it be. At some point in the near future we're going to put together probably a separate breakout board that you can plug it into and actually power it from your car. It's a really simple voltage regulator.

So the demo is not particularly impressive, because it's just a screencast of using Metasploit. I was originally going to try and put together a live demo on something in the Car Hacking Village, but I didn't want to risk Wi-Fi at DEF CON over that much distance. It's not a good idea. So here we just launched Metasploit; we're going to actually start using the Metasploit hardware bridge client. We'll configure it to connect to 192.168.4.1, the access point this is exposing. Set up the port, connect with run, and we have a session with the CanFly. The CanFly is exposing just one bus at the moment. If we need two in the future, we can probably attach something to be a spy. Now I'm going to run one of the standard Metasploit hardware bridge payloads. This is just something that scrapes out a bunch of vehicle info over OBD-II. It lists all of the OBD-II PIDs you can fetch via standard commands and grabs them. We got the VIN, we got the calibration ID, which is one of the standard parameters on an OBD-II diagnostic connection, and we have an ECU name. So this is all running on 3PO, our mobile car hacking lab. So some of it looks a little bit weird. Engine temp is negative 40 C; there's no engine, there's no engine temperature sensors. It looks a lot more normal on other things.
The engine light being off is a little bit weird. I think I might have a few more bugs to fix. Being so new, the Metasploit code is still a little rough, so I actually have my own branch right now. I need to get some fixes pushed upstream, but soon.

So we talked a little bit about what you need, but here's a slide with all of that. You need the ESP32 board. You need a CAN transceiver. This CAN transceiver, actually, if you can find it, get the 232, not the 230; there's basically just one fewer pin you have to mess around with to get the 232 working. Just make sure, if you do get a CAN transceiver: the ESP32 is a 3.3 volt part, and most CAN transceivers that I've seen are 5 volt parts. Just make sure that you get a 3.3 volt one. If you just pick up a random CAN transceiver you get a 5 volt part, so make sure you get a 3.3 volt transceiver. You need a 5 volt power source; there's usually a voltage regulator on the ESP32 board to step down from 5 to 3 volts to power the micro. Wire, and possibly a soldering iron. And the total cost of all this, assuming you already have a soldering iron and a power source, is less than 10 bucks.

So the firmware for this uses an IoT framework called Mongoose OS. It's absolutely miserable from a security perspective, so when you spin it up, don't run a port scan; it's terrifying how many ports it has. Don't do that. It also crashes. You actually compile the source at the moment by, it's like compilation as a service. I think their goal was to enable people to compile firmware without downloading a toolchain, so you post your source code to the cloud and it gives you a zip back. We're going to be rewriting this soon so it doesn't use this framework. It's not good, but it is simple. So the entire firmware runs in 250 lines of C. It's pretty straightforward as C goes. I wrote most of the query string parsing code at 3 a.m. without beer, so it's anything but bulletproof, but it works. It works. As soon as we get some time this will be rewritten to not depend on the cloud.

Looks like we are significantly earlier than I thought we would be, so anyone have a question?

Yeah, what about other software? Is there stuff that's out there that's cheaper than what the car companies buy? There are still loops, so like the vehicles buy... I don't do a whole lot with GUIs, but there are a few open source projects working on that. Do you remember any of the names? SavvyCAN is the one I was thinking of. Pick up Craig Smith's Car Hacker's Handbook. Seriously, for real. I need to start getting a commission from him, because it's an awesome book.

Monitoring products like Verizon, Progressive, make sure we'll prove you're a safe driver; they're putting these products in there, and I'm going to go out on a limb and guess they have nothing fully vetted as far as security. Some of them have been vetted and taken apart, so if you stay here, Corey Thuen is giving the next talk. He's the guy who did the Progressive dongle hack 34 years ago. So yes, these things are... My insurance company offers them and my car does not have one, I'll put it that way.

And you can get on the CAN bus; you can do whatever you want to do with whatever CAN you want to run it on. I've been connecting it to the OBD-II port out of convenience. If you have some under-hood CAN line or something that you want to connect it to, it works for that too. Elevators often run CAN. Whatever you can tap into.

I've used it; I'm a bit familiar with it. It's just a Windows API pass-through layer to get on whatever bus you're using to flash, which in modern vehicles is almost always going to be CAN.

You only hope what's going to sunset? What's that going to take for higher speed stuff or latency critical stuff? Automotive Ethernet is starting to get rolled out. It's actually kind of an interesting physical layer, because it still uses two wire pairs but it runs at, I think they're even introducing gigabit speeds over it. It is robust enough that it actually works in cars, and you get all the benefits of an Ethernet system. Yeah, the Car Hacking Village badges actually have a TJA1100 automotive Ethernet transceiver on them. It's interesting because it's purely point to point, much like gigabit Ethernet. There's no way to passively tap it in the middle. To explain why: it's a full duplex protocol; you can talk and listen at the same time, and the way that works, this is a gross oversimplification, is you send messages and you subtract whatever you're sending from what you see on the bus. So if you try and tap it in the middle you can't tell what's being sent, because either side might have sent that energy. So you have a lot more security in that sense; there's no question what node something came from.

Yeah, so CAN FD is a protocol which was finally actually finished standardization this year, I think. It's much like CAN; it's somewhat compatible with traditional CAN devices on the same bus. It expands the data payload to 64 bytes instead of 8, so you can fit a lot more in a message. It's also 8 times faster, so you can get the same number of messages through. FlexRay is something I actually haven't worked with a whole lot, but it's a bus designed for communications. It uses a bunch of complicated time slot management techniques, so there's actually a synchronous clock and each module on the bus gets a slot within the bus to talk.

Anybody else? Cool. All right, thank you very much.
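The speakers' suggested mitigation for the "bleed the brakes at 70 mph" problem is a sanity check inside each module, since the bus itself cannot tell who sent a frame. The following is an added illustration of that module-side check, written for this transcript; it is not code from the talk or from CanCat, CanFly or any other tool mentioned above. The CAN IDs (0x1A0, 0x7E0), the speed encoding, the routine identifier 0x0C01 and the candump-style sample log are all constructed assumptions; only the UDS service ID 0x31 (RoutineControl) and the negative response code 0x22 (conditionsNotCorrect) are standard values.

```python
"""Plausibility check for a diagnostic request seen on a CAN bus.

Added example, not code from the talk or from any tool it mentions. All CAN
IDs, the speed encoding and the routine identifier are constructed; only the
UDS service id 0x31 (RoutineControl) and negative response code 0x22
(conditionsNotCorrect) are standard values.
"""
from dataclasses import dataclass

SPEED_ID = 0x1A0                   # constructed: periodic vehicle-speed broadcast
DIAG_REQ_ID = 0x7E0                # constructed: diagnostic request ID of the ABS module
ROUTINE_CONTROL = 0x31             # UDS RoutineControl service id (standard)
NRC_CONDITIONS_NOT_CORRECT = 0x22  # UDS negative response code (standard)
ABS_BLEED_ROUTINE = 0x0C01         # constructed routine identifier for "bleed brakes"
SPEED_LIMIT_KPH = 5.0              # faster than this and the routine is refused


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


def parse_candump_line(line: str) -> Frame:
    """Parse one candump-style line such as 'can0 1A0#2BF2'."""
    _iface, rest = line.split()
    id_hex, payload_hex = rest.split("#")
    return Frame(int(id_hex, 16), bytes.fromhex(payload_hex))


def speed_kph(frame: Frame) -> float:
    """Decode the constructed speed message: 16-bit big-endian, 0.01 km/h per bit."""
    return int.from_bytes(frame.data[:2], "big") / 100.0


def is_abs_bleed_request(frame: Frame) -> bool:
    """ISO-TP single frame: [len][SID][sub-function][routine id hi][routine id lo]."""
    if frame.can_id != DIAG_REQ_ID or len(frame.data) < 5:
        return False
    length, sid, _sub, rid_hi, rid_lo = frame.data[:5]
    return length >= 4 and sid == ROUTINE_CONTROL and (rid_hi << 8 | rid_lo) == ABS_BLEED_ROUTINE


def respond(frame: Frame, current_speed: float) -> bytes:
    """Module-side sanity check: run the routine only when the vehicle is
    effectively stationary, otherwise answer with a UDS negative response."""
    if current_speed > SPEED_LIMIT_KPH:
        return bytes([0x03, 0x7F, ROUTINE_CONTROL, NRC_CONDITIONS_NOT_CORRECT])
    # Positive response: SID + 0x40, echoing sub-function and routine id.
    return bytes([0x04, ROUTINE_CONTROL + 0x40]) + frame.data[2:5]


def check_bus(lines):
    """Replay a frame log; return the responses the module would give and the
    alerts an IDS would raise. The last speed broadcast seen is the context."""
    current_speed = 0.0
    responses, alerts = [], []
    for line in lines:
        frame = parse_candump_line(line)
        if frame.can_id == SPEED_ID:
            current_speed = speed_kph(frame)
        elif is_abs_bleed_request(frame):
            responses.append(respond(frame, current_speed))
            if current_speed > SPEED_LIMIT_KPH:
                alerts.append(f"ABS bleed routine requested at {current_speed:.1f} km/h")
    return responses, alerts


# Constructed log: two identical bleed requests, the second while moving.
SAMPLE_LOG = [
    "can0 1A0#0000",          # 0.00 km/h
    "can0 7E0#0431010C0100",  # bleed request while stationary
    "can0 1A0#2BF2",          # 112.50 km/h (about 70 mph)
    "can0 7E0#0431010C0100",  # same request at highway speed
]

if __name__ == "__main__":
    responses, alerts = check_bus(SAMPLE_LOG)
    for r in responses:
        print("response:", r.hex())
    for a in alerts:
        print("alert:", a)
```

The two requests are byte-for-byte identical, which is the point the speakers make: nothing in the frame says who sent it or whether it is appropriate now, so the only place the decision can be made is in the module, using state it already trusts (its own view of vehicle speed). Refusing with conditionsNotCorrect keeps the ABS module running, which avoids the "disable the module or pull over" dilemma raised for a pure IDS alert.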