Maybe many of you know the controversy between Bill Gates and the car industry that is, I guess, more than 20 years ago. Today things have changed and computers and cars have well melted together. So a typical car of today consists of many, many microcontrollers, computers and whatever. So they are devices that can be hacked as well. Yeah, that is, of course, something that has security implications. And I know that the speaker who will talk today, by the way, his name is Tilo Schumann. Give him a warm welcome. And he is here with a really old truck, nearly an old time, I guess. I'm not sure if he does so because he knows what can happen with modern cars if there's a hacker around. But maybe he will tell you in the upcoming talk. So that was my part. I would say the stage is yours. Good luck and enjoy.

Good morning. Good morning. I'd like to welcome you. And as he just suggested, drink more water. Yeah. My name is Tilo Schumann. I'm not directly involved in the car industry. I'm somehow connected to it. I'm working with CAN for more than 15 years. So I have to do with all the different industries which use it and I have some insights into it.

But just to start with my talk, I've brought a little video with me. So you may know something like this. So that's just a random video I found on YouTube. You see he's connecting the key to the car. Obviously not working. And then we are just having a simple small device connecting to a diagnostics port available in the car, available in every car basically. And you see he's just learning the key to the car. It takes a little while. And then magically, ignition works. And that's not something really new. We have this working for years. That's just one car model right here. It works basically for any car model out there. You can buy such devices for cheap in China and Russia, somewhere else. So that's the things what happens when we have with car theft.

So the question what I was asking first is what really what is car hacking?
We have it lately very important in the media, but what is it really? If we look a little bit back, we will see we have these clubs, people who are doing performance tuning via chip tuning, replacing firmware parameters, stuff like that to increase the power on their engine. That's actually car hacking. They are reversing firmware and replacing to get more performance of their car.

We have others which allow you to enable new functionalities. Personally, I drive a Volvo. You can buy from whatever side small devices. You can connect to the diagnostics port and then enable new functionalities which were originally not intended for the car. It works. But for that, of course, they had to reverse the firmware to reverse the functionality of the car. But that's something we have not in the media right now.

Of course, that's something what we have in the media. You can display arbitrary messages on your displays. Just two years, almost two years ago at the 30C3, we had a talk on this at the conference. Odometer corrections. That's what some people like to do to increase the value of their car. Of course, that's also car hacking. Key programming. That's what we just saw in the video for those thieves.

And just lately, wireless unlock, enabling of the car. So, yeah, it's very common these days that everybody has a remote for their car. In the US, even with the remote, you can also enable and disable the engine, not only open and closing the doors. Actually, that's not allowed in Europe. So, no car make is offering this in Europe. But it's possible. It's available. And that's the thing what you can exploit, of course. And what the thieves are exploiting.

But the new level is now coming with, yeah, you can do all this via the internet and you can access on a website. And the first remote is not only anymore you have some kind of a wireless remote, but you are having an app on your Android or iOS or something else. You can do it on a website.
So, every Tesla you buy, basically, you have access on a website. And you see on the website where your car is, what the charge of the car is. You can open and close the doors and stuff like that. And that's the new level because everything is available remotely. Yeah.

But what's the reason behind how this happened? I said I'm working in this industry for more than 15 years. And the thing is, what is basically the heart of every electronic in a car was established somewhere in the mid-80s. In the 90s, there were coming a new network which was LIN, the Local Interconnect Network. Because it happened that CAN was way too expensive for the automotive industry to connect simple devices. So, they wanted to have a simpler network. And then in the 2000s, we had other networks coming by which were a little bit more complex than CAN, which were a little bit more expensive than CAN, offered more data throughput, stuff like that. That's basically Byteflight, which was used by BMW for some time. We had FlexRay, which is used in different cars from Daimler.

And now we have Ethernet in our cars. It's called BroadR-Reach, but it's actually Ethernet. It's currently implemented in the brand-new BMW 7 Series. BroadR-Reach is a little bit different to Ethernet in a way that it uses a different physical layer. Different physical layer, it's required because it has to be more robust. It uses not four wires, it uses only two wires, unshielded. So, it should be cheap. That's the reason why they built a new transceiver technology. But on the other layer above, it is just plain Ethernet.

So, what's the difference between CAN and plain Ethernet? Because all over the world, all over the media, there is no security in CAN. So, what takes CAN apart from Ethernet? Both are basically a broadcast transmission. Broadcast in Ethernet, of course, it was all those old Ethernet cables, these BNC cables, that was the original plain Ethernet.
That was also broadcast, of course, these days with 100 megabit, with 1 gigabit, maybe 10 gigabit. We don't even have a broadcast network as such anymore because we have just point-to-point connection which is managing all the stuff in between. But if we have a broadcast connection where everybody is on the same line, how do we detect if someone is able to speak? How do we allow that someone is able to speak? And the difference is here between CAN and Ethernet. CAN is non-destructive. So, in CAN, always the most important message is getting through versus in Ethernet, if two devices are communicating at the same point in time, it may happen that both messages are being destroyed and have to be repeated afterwards. So, we have delays if we have collisions. That's not happening in CAN.

What is the data definition used in those networks? Actually, in CAN, we have no data definition. In CAN, it is only defined, we have eight bytes of data to be transmitted. In future, with the extension of CAN where we are currently developing on, it's possible to transmit 64 bytes of data, but we are only defining to transmit data. We are not defining the structure of the data, what the meaning of the data is and alike. And to be honest, we don't have that in Ethernet at all. We don't have those kind of definitions in Ethernet. A de facto standard has become on Ethernet TCP/IP. But if you remember in former times, we have different definitions on Ethernet which was NetBIOS, AppleTalk, you name it, all those different things. These days, we have only a de facto standard which is basically TCP/IP. And we don't have this de facto standard in CAN.

And the same is in security. Of course, we have no security in CAN because we have no data definition. That's the same in Ethernet as we have no data definition of Ethernet. In Ethernet, we have no security in Ethernet. The security is not even in TCP/IP. It's a little bit above of TCP/IP, is the TLS layer.
So you see, CAN and Ethernet are somehow comparable. And the use case, of course, is originally a little bit different. CAN is intended to be used in embedded networks in cars originally. And these days, we have CAN basically everywhere. We have CAN everywhere. In every system we use daily, like every elevator, maybe also these electric bikes from Bosch, Ubi, in medical equipment, everywhere we are having CAN these days. So it's in an embedded network. And Ethernet originally is more for IT infrastructure for connecting computers to transmit high-level data. And, of course, these days Ethernet is also going into some kind of embedded networks, as I just mentioned with the BMW. And all those different networks I mentioned, like LIN, the Local Interconnect Network, Byteflight, FlexRay and so on, they have basically there some variations from CAN because of different requirements.

So what protocols are used on CAN then when there is no standard? If you are looking into the cars in the in-vehicle network, there is no standard protocol still. Every car manufacturer using different proprietary protocols and you don't get any information on them except you are signing thousands of NDAs. It is a little bit different because we are talking about the diagnostics port of CAN, the so-called OBD2 port. There is an ISO standard on that and it is required by law that every car has this diagnostic port equipped. In buses and trucks, we are using a protocol from the Society of Automotive Engineers, which is the J1939, and maritime equipment. They have their own definition. It is called NMEA 2000, but it is basically a variation of the J1939 protocol. In industrial networks, we are using CANopen, and also in some cars these days, we are going to use CANopen.

What we can see data exchange is for almost all of these protocols is broadcast. We are just broadcasting our data to control the system, except for OBD2, there we are having direct access to inquire data directly.
That said, are we having configuration in our system? No. Any car, any truck or whatsoever is not configurable. That means the manufacturer builds the system and it is deployed as it is. If they want to change something, they basically have to change the firmware. They can't configure anything. That's a little bit different in an industrial world where we are deploying stuff and configuring stuff later on.

So what's about security again? Some car makers have started to implement security in their cars, like for odometer correction, like for test control and so on. So there are some proprietary security deployed, but it's not that hard to crack. OBD2 basically has also not really a security. They have defined a simple access control to devices, so you have to write down a magic number or whatsoever, and if you know that magic number, you basically have full access to that device. In all those industries, we have no security these days. And as I said, the use case is in vehicle networks, we are controlling the car. On OBD2, we are doing diagnostics and all those other networks, like in trucks, maritime, industrial and so on, we are doing control and diagnostics.

So the question, why we have those security problems in cars? That's just some numbers. The first Mercedes E-Class, and that's some kind of official numbers. The first Mercedes E-Class, Series W124, had only one CAN network and seven devices with about 100 messages. So that was basically a small group of engineers could handle that kind of network, and you can find bugs, whatever you... you can develop correctly basically. The next version was also somehow simple, but then in the 2000s, there was a Series W211 deployed, which had already five different CAN based networks with 52 electronic control units and over 4,000 messages. Now imagine that one engineer and a small group of engineers could handle such kind of networks, fully distributed.
Everybody talks to each other and we have more than 50 different types of messages to handle. So nobody can oversee this and you can never simulate or you can never really test such systems. So obviously in those kinds of systems are bugs. And if some of you may remember, at the 2000s when the new Mercedes E-Class was deployed on the market, they had lots of electronic problems and that's the reason. They moved so hard forward in electronics and implementing electronics that they missed out bugs. And of course these are available today and they can be used for not-so-nice things.

And just another image what I got from a car manufacturer. It was an estimate around from 2010. Originally we had only mechanics in cars. Right now we are talking about 30% of the functionality in a car is pure software. And that is going to increase. So we are having more and more software in cars.

And how that happened, if you take a local regular network, then we see different areas in the car. We have a comfort network where we have connected all the lights, the turn indicators, stuff like that. We have another comfort area where we have connected the air conditioning, the seat position control, stuff like that. We have the drivetrain, which is responsible for our engine and for ABS stuff. And we have our multimedia network. And originally as you can see here, everything was connected on the very same network. So if I have access to any of those devices, especially in the multimedia interface, I have basically access to the complete bus.

Some time ago the first car manufacturer started to separate those networks. So I have in a dashboard my central computer which provides some kind of a firewall. So that means if I have access to a network on the multimedia interface, I have not so easy access to network in the engine interface. Of course, those firewalls are not good. They have bugs. But they are getting better over time.
And just to mention, the most current implementation with Ethernet in the BMW 7 series, what we have seen, we have now Ethernet. So the upper link is basically replaced with Ethernet links. And of course then for each of those different subsystems I have dedicated gateways and firewalls. So that means car hacking, getting more and more complex. But of course there are some car makes which making it not so difficult for car hacking than others. So these systems what we have seen, what we are seeing right here with these different firewalls, that system what we can find currently and basically in German car makes. But if we are going to other car makes from US, from Italy, then we are still basically at this level. And now there is no wondering why we have those kind of problems.

And just to reiterate, to get what happened in car hacking in the past, car hacking is done since some years. We have of course different law enforcement agencies undisclosed, I know some of them who are doing car hacking since years. So if you are, let's say, a hostage in a robbery, the car has some modifications on it. Assume that.

We have in 2006 there was a paper, State of the Art Embedded Security and Vehicles. We had, at SAFECOMP 2008, a paper on security to automotive CAN networks, technical samples and so on. The most important car hack I have seen, which was really a remote car hack, was at USENIX at 2011, presented by the university in the US. It was called Comprehensive Experimental Analyses of Automotive Attack Surfaces because they managed to attack a car via the GSM network. They just had an audio file, called the car, played the audio file, reprogrammed by that the firmware of the multimedia interface and had access to the car. Then, yeah, I said two years ago, almost two years ago, we had a small talk on scripting your car, which basically was displaying messages on your dashboard.
Then we had, yeah, at Black Hat, Chris Wells and Charlie Miller presenting their paper, which basically was not that big of a topic because they had direct access to the car and did anything directly. We had just earlier this year this car hack of BMW Connected Drive and just last week, the same topic appeared to you connect to General Motors, to whatever, with all those different apps. And what we had, I think also last week just presented, I haven't seen that right now, but they had a talk on that. Again, Chris Miller and Charlie Wells said, they first, and I think that's much more important than their talk from last year, their presentation, their finding, is they done again a complete remote hack because some cars, as we may remember, in some cars, everything is still on the same CAN network. We have no firewalls and they managed to, yeah, to find some bugs in the multimedia interface and basically then had access to the full car.

And that, I think that was just 30 minutes, so a small overview on car hacking, what have been done, and I think we will see a lot more over the next years, mainly by some obscure car manufacturers, but what I've learned is many car manufacturers these days, especially the European ones, the German ones, are aware of these problems and doing something because I'm working with them on some interesting things, like, yeah, we are converting, for example, taxis, police cars, emergency vehicles, stuff like that, and for all those cars which have a blue light on top, we have to manage to keep the engine running, which is something which is not intended by the people who are building originally the car, but we have to do it, we are required to do it, so we are doing some kind of car hacking inside of those different companies.

And, yeah, and that's something what I would like to finish and if you have questions of topic, I can go in a little bit more details later on, yeah. Thank you very much.
So I guess as we have many drivers here, you have something to think when you travel back home in the next days, and, yeah, maybe, as the speaker already said, you have some questions for him. There are microphones on that side and on that side, you just can go there, take the mic and ask a question and hope that the guys from the audio make sure that you are heard. Yeah, any questions there?

Will car manufacturers will they be implementing over-the-air updates for the software of the car to your left?

There are different car makes which have currently over-the-air updates. It's basically Tesla. You know, when they just release the public note, we enhance our safety of the car by just deploying a remote update. As of now, I'm not aware that any other car make is doing remote updates. They are looking into it, but they all have those security implications. All the established car makes are aware of the security implications, so they don't want to do software update over-the-air. Some are looking into it, but have not decided on it how to do it. The only one I'm aware of is Tesla.

Okay, thank you. There's a question on the other side.

What the European key cards like in Renault and like Volvo have those in Euro? You don't have to have a key, but you have a key card and a start button. Is that an access point to the gateway, or do I have to get to the gateway? Or could I use the access card, the key card as an access point to hack the car?

There is an additional firewall. These days, if you have those key cards, or it doesn't have to... In some cars you don't even have to put the key in a slot. You just wear it in your pocket. These keyless entry systems, basically. They're having established measures that those different ECUs are talking on a dedicated communication link to exchange data. But what we just learned is because all those car makes, nobody really does develop anything by their own these days anymore. Everything is from Bosch, Delphi, Conti, whatever company.
And it just happened that... Yeah, in Germany it's commonly known as the Volkswagen hack. The underlying company who provides the security of the key fob has a big problem in their implementation. And the problem is this technology is being used not only by Volkswagen, but also by Chrysler, by Volvo, by different. So there is a huge security implication currently going on when the paper for this hack basically will be released in September at the next USENIX conference.

Okay, thank you.

Do you know how they handle priority in the Ethernet BroadR-Reach? How they handle... priority-based communication in CAN bus. But how they handle it in BroadR-Reach. Ethernet is not priority-based.

Yeah, that's part of the original design. You originally have to design your network. As an engineer you are starting your design. You are thinking about what is important, what is not so important. And then you are basically defining it all in the system. That's also different between, let's say, the IT infrastructure design versus an embedded design. In the embedded design, you basically know what you want. You know what the network will be, what the device is connected to the network will be. There is no arbitrary device is connected ever to the system, which is different in basically IT networks, where basically everybody is allowed to connect arbitrary devices to the network and then should be able to talk to the network and you're getting your IP address via DHCP. And that's not really part of the embedded network. That's also, if BMW, for example, when they use Ethernet in the car, that's not... You will not have TCP/IP on that network. You will not have DHCP. That's an embedded design network.

Okay. Thanks.

So I guess all questions are answered. So once again, thank you all for the lecture here.