Thank you, and thanks for coming to my talk, "From CTF to CVE." I'm going to talk about this team we call Charity Case, and a little bit about how I accidentally hacked a telematics app. With a little bit of knowledge, you too might find a vulnerability.

Who am I? I'm just some guy named Will. I lead a team; we call ourselves Charity Case. I'm a ham operator, and you're going to know when you meet a ham operator, because I guarantee you within five minutes of meeting them they're going to tell you they're a ham operator. It's kind of like an unwritten rule. So my call sign is Kilo Mike 6 Echo Uniform Victor. I am wearing a radio throughout DEF CON, so if you want to reach out and hit me up, I'll be on the 2 meter calling frequency. You can call my call sign.

I'm also a CTF team lead for a few different years at DEF CON's Car Hacking Village. In 2016 I won a little drone with the help of one other person. In 2018, a group of people that I literally met at DEF CON all grouped up and we won an ATV. In 2019 we won a Tesla Model 3, and that's a picture of it right there. If you were here, you'll know that this car was beat up, and by the time we left it had no hood, and that car also got drawn all over. It's been great. We've had a lot of fun with it. We've donated and done a bunch of stuff for charity because of that car. In 2020 we also won a trip to 2021 DEF CON, which we are doing in 2022 because of the hybrid nature and our Ohio folks not being able to come out this year.

I'm also a car hacker, at least I like to claim I'm one. I've got a couple of CVEs you can check out, CVE-2017-6052 and CVE-2017-6054. Both are for the telematics system we're going to be discussing today, from a vendor we're going to refer to as "the OEM" for the rest of this talk. They did ask that I don't name their actual name. There's also ICSA-17-115-03, which is a fun one for bar tricks and other stuff, when people say something unique, or someone says, "Are you on a list because you're a hacker?"
I have to respond, "I'm pretty sure I'm on a list, but not because I'm a hacker, but because there's a Homeland Security article that references one of my hacks."

I used to be a car tuner, and I say "used to be" because I work infosec full-time, but for a brief part of my life I worked full-time tuning cars. My office was a car, usually a Corvette, a Cadillac CTS-V, a Camaro, one of those guys, something with an LS-powered motor, and I made them go really fast. I worked on a six-second car; I was the main log review guy for that car and I did boost stuff, and then I had a bunch of other records I did all by myself, such as on the Camaro and the Trailblazer SS. And currently, I know I say I'm retired from tuning, but I still work on the world's fastest Kia Stinger, and we're one of the leaders in that right now, verified at the strip. One of the neat things about that car is it's being tuned in one of the more hacky methods. I personally hack everything in my life; everything is a hack. I always like seeing how do I make something do what it's not supposed to do in a weird way, and when we tune that Kia, that's exactly what we do. We're using piggybacks and we're lying to the sensors and shifting voltages to make the car think it's doing one thing when in reality it's doing another. Really fun stuff. The car tuning is what really gave me my first understanding of how CAN bus worked and OBD and what systems did inside the car.

I'm also really big in the self-driving stuff. I drive a Tesla, not the one you see in this picture, but a different Tesla. I love FSD, though I think Elon's a little bit too aggressive with some of his stuff. Level five, is it going to be here anytime soon?
And I also worked on comma.ai projects. So the first one I did is I was an alpha tester on the Kia Stinger stuff, which meant I had to build a harness with just wires and a soldering iron, and I had to reverse the CAN bus messages to figure out certain things like steering angle degrees and things like that. And we learned things, for example the steering angles are different on an all-wheel drive versus a rear-wheel drive. So the first time I loaded the software, the car felt like it was drunk, where the other person's settings worked perfectly fine for him. We figured out what that was with some CAN bus knowledge and were able to fix that. I'm currently working on my wife's Explorer ST. She would love to have comma.ai because she loved it in the Kia, so we're going down that path right now to see what we can do there. There's some issues we ran into, but apparently a guy has a hack, and when I hear a guy has a hack, I'm always on board.

I also did something else that's kind of unique. Apparently I considered it a Python script that just scored things and learned off of things, but if you read the patent they call it machine learning. I worked on a patent for detecting bots inside of games based on certain components. If you want to read more about it, it's called "System and Method for Bot Detection." It was while I worked at the place that is the reason I wasn't at DEF CON 2017, and that's a very important interlude.

Me being autistic and never remembering which way I'm doing something: I am on the spectrum. I used to be classified as Asperger's, but in the DSM-V it's now autism spectrum disorder, and because I'm a high-functioning person and have the savant thing, I like to speak for those who can't, because I understand what the sensory overload is and how it feels and, you know, what it does to you.
So if you want to help out, if you take a picture of that QR code right there, you get the opportunity to donate via a GoFundMe, and it goes directly to Autism Speaks. I'm not taking anything from this. I'm doing it 100% for charity.

So we've got a word of warning. There's a reason I wasn't at DEF CON in 2017, and that's because I found a CVE. And that may not sound like it makes sense, but here's what happened for me and why I have this word of warning. I spoke to my work. I told them what I was working on. I told them I thought I found a vulnerability that could be a CVE, and this is before I ever tried to engage the OEM. My work was super supportive; my boss and my boss's boss were like, "Yeah, awesome, fine, good bug," you know. There was like, you know, congratulations, and things were great. They had one requirement, and I stuck to the requirement, which was they did not want me to speak to the media, and I did not at all. Unfortunately, when you find a bug like this, and it's so widely seen and it has such a wide effect on things that people don't normally think about, or things that are easy to make sensational, it's going to get picked up by the news. My event was picked up by most of the major news sites: PCWorld, Tom's Hardware. It was super neat to see my name on those sites, because these were all sites I've read for a long time. When that happened, the executives at work were not happy at all, very unhappy to be honest, and they took actions against me because of this. One of the actions was a verbal dressing down, which I didn't enjoy. The next was they prevented me from going to DEF CON and told me if I did go it would be bad for my career. They were sure, even though I told them that I wasn't going to, they were sure I was going to give a big talk at DEF CON and whatever, and I didn't. I hadn't even readied a talk at this point.
So they were just worried about nothing. Because of all this, when I got invited on to GMA, Good Morning America, I was not able to accept, because I'd agreed not to talk to the media. Even though they hadn't kept their side of the deal, I was keeping my side of the deal. So make sure, if you're going to do this, make sure your employer's okay with it, and get it in writing. You know, I can't stress this enough. Before giving your talk, make sure the vendor is okay with it, unless you don't care and you want to burn bridges. I personally don't want to burn bridges. I still have a great relationship with my vendor; I still talk to them on a regular basis. I'm going to be meeting them for dinner actually here during DEF CON, I believe. The only reason their name isn't in here is because they asked me not to, and I kept to that, and that way we have a great relationship if I decide to do any more research on their cars in the future.

Only hack your own cars and items. There's a caveat to this: you're at DEF CON, you're in the Car Hacking Village, there's all kinds of things around here to hack that you have permission to hack. Do that, and responsibly disclose. So this isn't the "don't try this at home" warning; this is the "cover your butt" warning. Get it in writing, make sure your vendor's okay, and hack your own things.

It's inevitable when I tell somebody I run a car hacking team for charity, they look at me crazy, like, cars can be hacked? And they like point to some '90s car and, you know, I look at it and go, yeah, cars can be hacked. Modern cars are basically an Alexa with wheels. They're IoT devices. They've got networks. Some of them are interconnected to the internet. I mean, they're every bit as hackable a device as your laptop, in some ways more. The next question is always, why would you hack a car?
What's the point? And this one's my favorite, because "to make it faster" was always my response back in the day, because that's what I did. When I was hacking on cars, I was pulling the ROMs out and modifying the ignition tables and fuel tables and optimizing them for the parts to get optimal performance. You can also do things like enable hidden features. On Dodges, for example, you can enable SRT pages on cars that are not SRTs. You can add features. Let's say you've got a BMW; they call it coding. You could do something like add a radar cruise system, and then you just code the ECU for it and it works. Pretty neat stuff. And last but not least, I like to hack things for the fun of it. I enjoy the chase.

So I'm going to talk about the attack surface, because I mentioned that attacking cars is actually easier than a laptop, because the attack surface is insane, and on some of them they never really thought about security. So let's start with the OBD port. The OBD-II port is where you can do data logging. You can check codes. Depending on the manufacturer and setup, you can flash modules. You can send CAN bus messages. It depends on the layout of the car.
Every manufacturer has a slightly different setup, you know; you'll have to look into your specific manufacturer. You can tap into the CAN bus at different points in the car. For comma.ai we tapped into the CAN bus at the camera that was up by the mirror on the OEM car.

USB ports. Now I'm going to pick on Mazda, or Mazda was genius. So either Mazda did this on purpose or they were just sloppy, but you could basically put some scripts on a thumb drive and plug it into some of the Mazda telematics units, and you could get root access and do things like load Android Auto. So if they did it on purpose, thumbs up to you, Mazda. If you did it on accident, improve your security team.

Removing the ECU. This is what I spent years doing full-time: flashing the calibrations. Not just performance things can be done. You can make them faster, but there are also security implications. For example, you've got a new shiny car that has a transponder-based key, and you have an ECU that expects that transponder-based key. What if you just turn all those features off and make it so it'll start with any key? That's a thing you can do. Some manufacturers have been really sloppy and left root logins just laying there on serial ports. You just plug into some ports on a motherboard. Voila.

Here's one of my favorites. Charlie Miller's attack on Jeeps is super neat. That was an attack that took place over the internet because of an issue in the Uconnect systems. I encourage you to check out everything on that attack, because it sounded like sci-fi the first time I heard it, but the infosec side of me was like, no, dude, that's totally possible. All you'd have to do is read the first system, then write, you know. I was tearing it apart in my head how they could have done it. Super fun, great read. And then today's less fancy, but still fun considering I found this by accident, is the attack on a telematics app.

How did I get into car hacking? Well, it's DEF CON 2016.
I'm walking around in the villages. I typically hung out in like the Lockpicking Village and the Tamper Village previously, because those were always neat to me, and this year I noticed something new: the Car Hacking Village. So I come into the Car Hacking Village. I'm a car tuner by hobby, I'm an infosec engineer by trade, and after doing a couple of questions, once you got a certain amount of points, you got a copy of the Car Hacker's Handbook during that DEF CON. And so I had a copy of the Car Hacker's Handbook, but still, what chance do I have? I knew from previous stuff that you need a team, and I've never competed at a level like this. You know, I've only done CTFs for fun at this point, and you know, I've done them at the office when we would hire a company and do it, but I had never done anything really hardcore yet. Still, I don't have a team. So I start hacking away, and there were super nice people that were encouraging me, and when I would get stuck they would give me hints, or sometimes tell me like, go check this chapter in the book, and things like that, and it really kept me engaged. But I still was by myself, and I noticed another gentleman who had similar tools to me laid out. You know, I noticed the Tactrix cable and some things like that, and I'm like, this guy's a tuner. I can talk tuner. So normally autistic Will that doesn't know how to talk to anybody has the opportunity to now talk to people, because it's about a topic that I'm obsessed with: cars. I start talking to this gentleman. Yep, he's a tuner. He's a CISO for a company. He's definitely in it.
So we decided to name ourselves Acid Fingers, and we just are plugging away for fun, and little did we realize until the last day that we were like in third place and we had the opportunity to stay in third place. We actually were in second at one point and we were close to first, and we just didn't make it. But either way, there were great people there, we had a great time, and we still won our first third-place win, which was the encouragement to continue doing this. So if you are trying to learn more about car hacking, check out this book. I encourage you to buy it from No Starch Press, but there is a free copy available on his site, I believe.

So why do we do it for charity? Really, the truth is, have you ever tried to cut an ATV into five equal pieces? You don't get a functional anything at the end. And this is what happened to us in 2018. We won the ATV with this team that we built on the fly at DEF CON. We were not for charity that year. Well, I was, but other people were doing whatever they wanted, and we decided to go at it. We won, but we lost the title; we took second place that year. We got the ATV, we lost the title, and that meant we had to sell the ATV really cheap. I told myself, never again. I'm not doing this. This is frustrating. So in 2019 we decided to go at it way more intentionally. We decided to build a team with the right skills that we thought we needed to compete at a serious level. We also made an agreement with the team that someone on the team would buy the car, and that would give us the money to donate to various charities. We ended up donating over $9,000 just to this school, which is why you see this picture here. We saved art. They were going to cancel art programs at this local elementary, and it does happen to be my daughter's elementary, but they were going to kill art for the whole school, and we figured, it's a local area, let's go out.
Let's do it. So we found out how much to save art, and we made a donation of $9,001, which was over $9,000, which was the goal, and saved art. And as part of it we let children draw all over the Tesla. Kids got an absolute kick out of this; like, it blew their minds. They got to draw on a Tesla, and it was all going to stay on there, and it did. It's still on there to this day.

In 2020 we won again. That year we decided to go ahead and just see if we could take the toy drive that I've been running, which usually would make, you know, a thousand to two thousand dollars, and see how crazy we could get it if we threw our effort in. So when we were all said and done, we raised over $7,000 for charity. We ended up donating tons and tons of toys. There's pictures on my Twitter, and you'll see that at the end. This year we're taking a break. We want to give other people a chance to really explore, and we wanted to help out. So if you need help, we're helping people out in the CTF in exchange for charity donations.

Let's talk about the timeline of the CVE, and I've got a Golden Girls quote here, you know, like the old grandma lady picture: it's California 2016, the time before masks. I'm working at a local company in the Bay. I'm leading a security gaming group. Basically, we did CTFs for fun, and what that entailed was I would do a CTF, and then other folks from the company who were not on the security team would come and they would participate and do the CTF, and they would use me as their knowledge base. So when they needed to do a man-in-the-middle, and they knew that they needed the man-in-the-middle but they didn't know how to use Burp Suite, I was that. So what I would do is practice all the CTFs at home in my spare time so I could always be up to speed on them.
So an upcoming CTF I was going to do needed me to set up some man-in-the-middle of an Android app, which is the setup for all this and how I discovered it. I had recently purchased the 2017 plug-in hybrid sedan with a really advanced telematics system, and I'm practicing, and I discovered a flaw. Then in 2017 I spent a large amount of my time trying to talk to the vendor. Initially I ran into so much trouble trying to get a hold of anybody. I make a phone call, the help desk tells me I was like silly and tries to help me reset my username and password. I don't know how many times they offered to reset my password for me. Initially I tried some emails. I found a line that didn't go anywhere. I went on LinkedIn, you know, I figured I could find somebody there. No one responded to me on there. What I learned is responsible disclosure is really hard, really, really hard, but later you'll find out how I solved that. Once I did get the vendor engaged, they fixed the problem in three days. They didn't even tell me they had it fixed. I just actually opened my phone, there was an update for the app, and as soon as I pulled down the app, I noticed that all of that stuff that I'd previously found was gone.

So what's the setup I was talking about? What led me to finding it? So I was doing man-in-the-middle of an Android app. So what I would do is build a Linux virtual machine with a USB Wi-Fi adapter and hostapd, which basically means that my Linux box was acting like an access point. Then I would set up some iptables rules to route all of the common non-SSL web ports over to Burp Suite, and I would set Burp Suite up in non-intercept, and I can't remember if they call it passive mode or... basically you can blindly receive; it does the proxying for you, and I had it set up like that. So I'm in the middle, man-in-the-middle here.
I'm testing away on the app for the CTF. You know, I'm finding little bugs and I'm looking at Burp Suite and seeing what it does, and biology happens, you know, I'm hungry and I need caffeine. So I close the app, I open up the application for my OEM car and tell it to start. Cool, give the car a couple of minutes, go outside, go to Wendy's, get me some dinner. I'm back enjoying my dinner and I'm looking through the logs, and I realize, what the heck, there's an HTTP request going to an IP address. Just one, just one request like this, and every other request in Burp Suite was DNS. So it stuck out like a sore thumb. Here's the request I saw. Pretty quickly I was able to look at this, and obviously "my OEM" (redacted) was the OEM's name. The next thing I noticed was the 3.9.4 was the same version as the app on my phone, and at this point I'm like, ooh, I think I found something strange. At the very least, the encryption looked weak to me. Now, I'm not a cryptography person, to be 100% clear, I am horrible at cryptography, but I do know that there's like block style or message style, there's different ways you can do it, and it appeared that part of the data above was definitely being done the same way every time, which led me to believe that it might be breakable.

So my next steps: I've got to figure out how do I replicate this web request. I need to make it happen, preferably happen at will. Next, I want to know about this IP address. What is it? Like, where is it, who owns it, all that stuff. Last but not least, I want to understand the app better, and I had previously played with a tool called jadx, and I knew I was going to use that tool for this.

So let's start with replicating the request. This was giving me a lot of problems. I struggled. I didn't know why it would happen. I knew that it would happen at least once per day.
I figured that out over the course of a week. I also figured out, by building my own receiver tool, that if I routed the web request to my Python script that took the web request, I could make it download the file but tell it it didn't finish, and it would cause the phone to do it every single time. So at this point I knew that if the phone would open and try to upload the file and fail, it would continue to try every single time it got on Wi-Fi. I also knew that on occasion I was able to make it happen in certain error scenarios, but I could not reliably make a new one happen at will. So in other words, I'm stuck. I'm like really frustrated, and time for more caffeine.

So let's look at the IP. First we tried some Google dorking. Not much there. DuckDuckGo, every search engine I can think of, I hit it. Nothing. Hit it with a browser, basic web request. I looked at the Burp Suite logs to make my responder tool that we wrote in Python. I nmap'd it. I want to give a word of caution here: please only nmap with the correct settings. Don't go at it with -A or anything that could use harmful NSE scripts. Still nothing. I knew basically that was a piece of middleware receiving a thing. Nothing else interesting. What do I do?

So jadx. What is jadx? jadx is a Java decompiler, and it does a really good job on most code I've thrown at it. Basically, you give it an APK, it spits out some code. Won't lie, I'm lazy. I didn't even download the tool and figure out the command lines. I used a website and just uploaded the APK file that I pulled off APKPure, and pulled down the code. Why is this useful, man? Plain text code can tell you a whole bunch. What's in it? What do we find in this code? Well, the first thing I did was search for that IP, since I knew that was unique, and that told me everything I needed to know at that point: logs. It's basically a log handling system.
So whenever the system has a log that needs uploading, I learned from the code that once per day it will upload the log when it gets on Wi-Fi the first time. It will not do it unless it's on Wi-Fi. I learned what makes the log get written to: basically logging into the app, using the app, anything you could do in the app makes it write to the log. So if you use the app, the next day the first time it gets on Wi-Fi, it's going to upload it. Next I want to know, what is this encryption? Pretty awesome: right near the code is the encryption key and the library name it uses and the method. So literally we know everything we need at this point to write some Java code to decrypt the log.

What's in that decrypted log? Oh my. At this point is when I'm giddy, because I realized that this log that they're sending to a random IP on the internet, which wasn't random, I did learn it was one of their servers hosted somewhere random, is sending a username, a password, your VIN, your last location of the car, GPS coordinates, the address of the owner of the car, all the features the car has. You want to know if the car has heated seats? No problem, it's here. Color, make and model. Everything you need at this point to take over the telematics app. So I don't even have to get fancy and write cool web requests and anything and send them to a server. I can just launch the app on another Android device and log in with everything I have here to verify myself. Here's the payload. I've obviously censored certain things. It's not a big deal.
I don't even have the car anymore. But as you can see here, my address is in there; it's down the block. Even more, the access token is here, the client ID, the client secret. Everything you might need to attack this in multiple ways, but why go difficult when you could just load the app and literally log in as the user at that point?

Now you might think, oh, you need to be on Wi-Fi, blah blah blah, that makes this attack not very useful. You would be wrong, because if you go to any of the Hyundai dealers that I looked at locally, and a couple that I had a friend check in another state, they all have open Wi-Fi. All the dealers that I looked at would have open Wi-Fi, and they tell you to use it. So when you do your first registration of this app, it's going to be on open Wi-Fi. Okay, that's not that dangerous, is it? Well, it is, because for fun and profit I made a version of this and ran it out of an access point running on a Raspberry Pi using FruityWiFi, that basically I used against myself, that would catch it all when the user came by. So if you were to put this near a dealer, or anywhere else that there might be a user that might do it, malls, or if you're attacking a specific target you could put it outside their house. They're just going to end up moseying on to that Wi-Fi using KARMA. Now we're talking about a Wi-Fi Pineapple, but I used FruityWiFi instead, but they're going to use KARMA and they're going to get caught on your attack network here, and they're going to send their data. So it did have some danger, but at least it was isolated; it had to be targeted.

So let's talk about reporting the flaw. This proved more difficult than I really expected. It was so difficult, I was so frustrated. The help desk calls were really frustrating. When I tried to go Karen mode, oh, that went even worse. I had managers call me...
I was mistaken; they used much harsher words. I had managers hang up on me. I had managers tell me to stop wasting their time. I had one manager threaten me, saying that he would report me if I kept calling in. I'm like, I want to speak to somebody, and I was documenting, and I wasn't calling like back to back; I was calling like Monday, Tuesday, Wednesday, Thursday, Friday. What it goes to tell us: being the good guy is really hard.

So during 2016 DEF CON I met some folks from Rapid7 who were at the event, and I'm super frustrated, I don't know what else to do. I ping my guys at Rapid7 and they get back really quick and are like, yeah, we know people at that OEM, let me reach out. So they contacted the vendor. Three days later, after they got engaged and sent the first example of the payload decrypted, and I sent them their code and showed them where the flaw was, they had it patched, and that was super cool. I thought that was neat. About a week later they did an enforced patch, which made all the old versions stop working. At this point they engage with me one-on-one, and we talk a little bit back and forth, and they do some due diligence to confirm that it looked like no one else had done what I had figured out how to do, which was good. Last but not least, the vendor, which wants to remain nameless, wants me to tell you that they added a formal disclosure program. So I'm not quite sure why they wanted to make sure I include that in the talk when they don't want their name, but it's in there.

Oh my god, a pop-up during the middle of the talk. Sorry, I can't be Team Charity Case if I'm not hawking some charities, right? And I like dinosaurs, and so does my toddler. This is Donate Life. Donate Life is an amazing charity. They help folks who are on like dialysis get kidneys and help with the funds, or hearts, any organ and soft tissue. Donate Life is the group that's out there helping out.
They're really a great cause. If you can drop some coin to them, do so. If you can't, you know, tell somebody else to do it.

All right, after that brief interlude there: how can the OEM improve? Train your staff. I can't stress this enough. When I'm calling consistently and telling you that I have a problem that's serious, have your staff at least know how to escalate to infosec. If they don't know how to escalate to infosec because a guy's calling in and describing, you know, very advanced things to them, they also don't know how to escalate to infosec when they get a phishing email. So to make this clear, this is a thing that will help your whole business. Publish your public contacts for your IR and security team. Below you'll see a method that's commonly accepted. Please. Hey, nothing existed. If I could have got a hold of somebody on the security team, this could have been solved in three days, not almost three months. Participate in bug bounty programs. I have personally led bug bounty programs for places I've worked, and they've always been beneficial. For us car hackers that are amateurs here having fun, we love to look around and find bug bounty programs. Last but not least, participate in the Car Hacking Village, and I'm going to pick on Tesla a little bit here, just because I like picking on Elon's company, and I'm a fan. Don't be Tesla. In 2018 Tesla brought out a Tesla to look at. They also banned me from touching the Tesla when I started poking it and trying to make it join my Wi-Fi and do things. So if you're going to bring a car here, understand that people want to poke it and explore. So be a good vendor. There have been great partners; there's lots of great partners in this that bring cars and even bring like Tesla ECUs and things to hack on. Take advantage of it, and if you're an OEM and you want to do it, reach out to me. I can get you in contact with people, or reach out to the Car Hacking Village direct. Don't be afraid.
We don't bite that much. All right, thank you so much for coming to my talk. This picture here was a picture I wish I could have been there for, but I didn't expect to win in '19. I expected us to do a good job, but my plane flight was back; I was already on the airplane at this point. And pictured here is Wilson, who we were super excited to have on our team. He actually competes on the RPI main DEF CON CTF team; that year they ended up not qualifying, so we got to steal him. And in the back is Eason. He's super cool. He drives this car around, and it looks not like that; the hood's different now, with all the writing on it instead, because that hood wouldn't stay closed. We had to take it off. And the other gentleman here, Southern, him and I met at this DEF CON, and he's competed with me every time since. He's here at the event with me. We became really good friends, and we're even building a 24 Hours of Lemons car under the Charity Case name. So if you want to find out about that, you can follow me on Twitter or on YouTube. Most of my stuff on YouTube is about tuning, but it's car related. And check out these links again, hawking my donations. Thanks, everybody, for coming. One last tip: if you have a Tesla with no hood and it's a low battery, it only gets 140 miles. If you put a cardboard hood on it, you get over 160 miles. That's your hack for the day. Have a great day. I hope you enjoyed DEF CON, and thanks so much for coming to my talk.
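Added example (editor's code, not the speaker's receiver tool or anything from the OEM's app): the two pieces of the talk that are most reusable are the capture trick, where the app's log upload is routed to your own listener, the body is kept, and the response deliberately reports failure so the client re-sends on its next Wi-Fi join, and the triage of what the decrypted upload contains (credentials, VIN, location, owner address, OAuth token and client secret). The block below does both against a constructed sample payload. Everything the talk leaves unspecified is an assumption here: the upload path `/logs`, that the decrypted body is JSON, the field names, and the sample values. The decryption step itself (the hardcoded key and library found by decompiling the APK with jadx) is not reproduced; the triage runs over an already-decrypted body.

```python
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample of a decrypted log upload. Field names, shape and values
# are assumptions for this example; the talk only lists the kinds of data leaked.
SAMPLE_PAYLOAD = {
    "app_version": "3.9.4",
    "username": "owner@example.com",
    "password": "hunter2",
    "vin": "1HGCM82633A004352",
    "last_location": {"lat": 37.4219, "lon": -122.0840},
    "owner_address": "123 Example St, Anytown, CA",
    "features": ["heated_seats", "remote_start"],
    "access_token": "eyJhbGciOi...",
    "client_id": "mobile-app",
    "client_secret": "s3cr3t",
}

# Key-name patterns that make a telemetry upload reportable. Deliberately broad so
# renamed fields (pwd, authToken, clientId) still hit; tune for false positives.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"(pass(word|wd)?|pwd|secret|token)", re.I),
    "identifier": re.compile(r"(user(name)?|email|vin|client_?id)", re.I),
    "location": re.compile(r"(lat|lon|lng|gps|address|location)", re.I),
}


def triage(payload, path=""):
    """Walk a decoded JSON object and return {category: [dotted.key, ...]} for every
    key whose name matches a sensitive pattern. Nested objects are walked recursively;
    lists and scalars contribute nothing, so a clean payload yields empty lists."""
    hits = {cat: [] for cat in SENSITIVE_PATTERNS}
    if isinstance(payload, dict):
        for key, value in payload.items():
            full = f"{path}.{key}" if path else key
            for cat, pat in SENSITIVE_PATTERNS.items():
                if pat.search(key):
                    hits[cat].append(full)
            sub = triage(value, full)
            for cat in hits:
                hits[cat].extend(sub[cat])
    return hits


class CaptureHandler(BaseHTTPRequestHandler):
    """Accepts the upload, stores (path, raw body), then answers 500 so the client
    treats the upload as unfinished and retries on its next Wi-Fi association."""
    captured = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        CaptureHandler.captured.append((self.path, body))
        self.send_response(500)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_capture_server():
    """Bind an ephemeral loopback port and serve in a background thread.
    In the field this would sit behind the iptables redirect the talk describes."""
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_client_upload(port, payload):
    """Stand-in for the phone app: POST the log (plaintext here) and return the status."""
    req = request.Request(f"http://127.0.0.1:{port}/logs",
                          data=json.dumps(payload).encode(), method="POST")
    try:
        with request.urlopen(req) as resp:
            return resp.status
    except error.HTTPError as e:  # 500 arrives as an HTTPError; the code is what we want
        return e.code


def demo():
    """Run one capture round-trip and triage the body. Returns (status, path, findings)."""
    server, port = start_capture_server()
    try:
        status = simulate_client_upload(port, SAMPLE_PAYLOAD)
        path, body = CaptureHandler.captured[-1]
        return status, path, triage(json.loads(body))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The 500 response is the whole point of the capture side: a client that only clears its queue on success will keep handing you the same file, which turns a once-a-day event into one you can trigger on demand. The triage output is what you would paste into a disclosure report, since a list of dotted key paths per category shows the vendor exactly which fields should never have left the device.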