Good afternoon, ladies and gentlemen. I'm Ian Tabor, and I'm here to do my talk on how an automotive researcher had his car stolen by a CAN injection. That's the official title of this talk. The unofficial title of this talk is "the irony of how an automotive security researcher had his car stolen by a method he found on another vehicle". Yeah, great.

My colleague who did the research with me, Dr. Ken Tindell, isn't present, but he has recorded some of the slides here, so I will be introducing him now, and I'll introduce myself after. There should be audio.

"Hi, my name is Dr. Ken Tindell, and he calls me the CAN bus guru, and it's true: I've been working with CAN in the car industry for a long time. An industry veteran, started in 1995 with the Volvo P2X large platform project, and that was back when CAN was a shiny new thing, and this was their first major CAN platform. I helped Motorola design the first real-time CAN controller, and I sold my start-up back then to Bosch. The industry veteran. I'm the CTO of Canis Labs, and that's a CAN bus security company, and I have quite a few roles: I've been a hardware IP designer, so we designed CAN-HG, the protocol for speeding up CAN by inserting extra fast data inside a slow CAN bit; and I've been an embedded real-time hardware and software designer, and I designed the CryptoCAN system for encrypting any CAN frame; and today I'm working on the CAN in Automation CAN SEC working group for CAN XL security."

So now I'll introduce who I am. You could say I'm the ultimate car hacker: I built this vehicle 18 years ago now. It's based on the Ford Sierra rear-wheel-drive platform from around the 1990s.
It's got a Ford Focus two-litre engine in it. It does actually have three ECUs and it includes CAN, but if you want to try and hack it, I think you would be sitting on my lap, because the CAN bus wiring is about that long, so good luck. There's a little disclaimer down the bottom there: this work was carried out on my own money, on my own time, and nothing to do with any current or previous employers. Just to get that clear.

So a little bit of history about my car hacking in the past. In 2015 I bought this Citroen DS5, and you could tether your phone to the head unit and surf the internet from the phone, from the car. Why you'd want to, I don't know, whatever. But if you did an nmap scan in the other direction, you could find four ports open: 23, 111, 3333 and 20000. 23 is telnet, like everyone knows. Guess what? No credentials, straight in, root access. You could then extricate any of the data via the USB or via FTP, the FTP server mapped as a path. Yeah, so great. I wrote up my findings, sent them over to Citroen in France and said, by the way, is this not a matter of French national security? Because the French president gets driven around in one of these things. And they were like, meh, I don't care. One of my most popular tweets, or one of my most highlighted tweets, is from Charlie Miller himself, saying, yep, good find. Great. That was in 2017.

August 2018 I spoke at DEF CON Car Hacking Village, DEF CON 26 now, about the entire findings: what I found, how I found it, the disclosure process and how they fixed it. Guess what? They disabled the Wi-Fi. They didn't actually disable the telnet daemon. You could still go back in over the Bluetooth and turn it back on by modifying those SQLite databases that just happened to be in there. So great, wonderful. Eventually they did actually disable the telnet daemon about three versions of software later, but no one actually ever got a recall to actually say, here's a security update to your head unit. So good luck if you've got one of them there.
It's probably still vulnerable. In September 2018 I went to the Bugcrowd Bug Bash. I was one of 12 global researchers at the event in Louisville, Kentucky, and the vehicles there all had radar-guided cruise control. If you look at the front, the radar-guided cruise control sensor, which is that one there: there's a little plastic shroud, pop that out with a screwdriver, take two bolts out, sensor's out, you're at the CAN bus wiring. Guess what that CAN bus wiring can do? Start, stop the car, unlock the vehicle, disarm the alarm, open the trunk. We weren't actually allowed to test whether we could actually do any hacks on a moving vehicle, but yes, we did get a payout between myself, Specters and RQ of a five-figure sum. Thank you very much, Bugcrowd. Hell yeah.

After I did that, there's a picture of me, slightly slimmer, slightly younger version, doing a "haha, watch this": tap to tap to tap, unlock; tap to tap to tap, car started. Yeah, I can steal a vehicle, that vehicle, I can't tell you which because of an NDA, in under 90 seconds from a virgin vehicle, and the car is still vulnerable today, one generation later. So great. Security really works, doesn't it?

Since then, using that money from that bounty, I've built my own car in a box called PD0. PD0 is a Peugeot 208: P for Peugeot and D0 is 208 in hex. It's basically most of the electronics from that vehicle except for the airbag ECU, and it thinks it's a fully working car. The inspiration was 3P over there, but as you can see on the left there, there's an ABS simulator for the wheel speed sensors, there's a crank and cam sensor simulator for the engine speed, etc. There are some O2 simulators as well. If you want any of the hardware to do that, contact me. I have spares of those things and I have instructions on how to do it.
It's up on my GitHub. But I now take this around the UK and Europe as part of the Car Hacking Village Europe. I've actually been requested to take it to Australia, Brazil, America, Singapore, Philippines amongst other places, but I took it to Amsterdam once and that was fun. What's in the box? A car. What, a model car? No, a whole car. Security man didn't find it funny. It was like, yeah, what'd you do that for? It was like, on your way, I don't want to feel that. So great.

In October 2019 I again went to the Bug Bash in the global headquarters of the same OEM up in Detroit. Again, can't mention it, but it's in Detroit; there's one of a few. And there was radar hack version 2. This little device here is based on an ESP32. It has Bluetooth and Wi-Fi and it also has an infrared receiver at the bottom; there is a little remote control. If I put that device between the radar and the radar wiring and go to the other side of the car park, press the button, the trunk opens. There's nothing you can do about it. Yes, it's a targeted hack against a single vehicle, but you could have some fun with your mate's car. You could also possibly test it on a moving vehicle, because the Bluetooth actually is Bluetooth CAN, but they wouldn't allow us to test it on a moving vehicle because that would be dangerous and we might do something stupid. And so, yeah.

In October 2019 I also went to the Auto-ISAC over in Texas for HackerOne at Toyota's headquarters. That all becomes pertinent later. Myself, Specters and Muttley did a talk about vulnerability disclosure programmes and how that should be valuable to the automotive industry, and how researchers like myself and others can help the automotive industry, and you need to have this programme in place so that we can get you that information and you can start to fix things. Some vendors do have it, some vendors do it well, some vendors don't. But yeah.

2020, or the COVID year as you call it, I made this little box here.
It's what I call Value PASTA. The real version, Toyota PASTA, is over there somewhere on the PWTC stand; their version costs you $30,000, that's a car; that version cost me $800 to build. It does almost exactly the same thing, and I've actually retrofitted it with RFID-based ignition, and the JBL speaker thing I'm talking about is actually possible to plug in and basically use to start the ignition on the car in the case. So none of that code is in the code that is on GitHub, because I'm not gonna release that, because I'm not stupid. It's actually stored in the EEPROM and no one's ever gonna get that other than me. But it's actually vulnerable. I was gonna bring it, but I didn't have enough space in my hand luggage. So, yep.

On to the actual theft itself. April last year, I came out on a Sunday morning, found my bumper hanging off and the wheel arch trim hanging off, and the headlight was unplugged. I'm thinking, that's on the kerb side, no one's hit it, that looks like vandalism, looks a bit dodgy. I didn't even think it was someone trying to steal my car. And then a friend of mine who's another security researcher got in contact and said, by the way, they might be trying to nick it. It's like, oh, for fuck's sake. I actually tested the radar sensor on the Toyota: it's on a different network, you can't do it by the radar sensor. You can do it by the headlight, though. Thank you. Great, wonderful.

So at that point I bought myself a dash cam, installed it front and rear. Come back to that in a second. In July I started a new job up the other end of the country. I had to leave at sort of five o'clock in the morning, came out, found the same thing again: bumper hanging off, headlight not working. So I drove to work with one headlight in the dark. Not a good idea.
Whatever. Not quite the dog, but yeah. So when I got to work I then put it all back together, plugged it all in, everything's all hunky-dory, came back home. Next day, everything was fine with work. Go to bed Wednesday night. Get a nudge from the missus at half past in the morning: where'd you park the car last night? Same place I usually park it. Oh crap, it's not there. So look out the window: big space, no car. Shit.

So what do I do? Get on to the old MyToyota app. You may or may not be able to see this, but the MyToyota app says it's got a hundred percent fuel, 11,463 miles, and at the bottom there, if you see just where it's got the icons, it says "vehicle in motion". So the car was currently in motion. It doesn't track a vehicle that has been stolen; there is no way to track a vehicle that has been stolen, because there is the issue of, say, there was a domestic violence case and someone wanted to get away from their other half; someone might have access to the app, so they know where you are. So the only time that actually updates is when it actually stops at the other end. Which is great, but that comes on to my next thing. From the MyToyota app I got an update saying the fuel gauge is down at 50%. Where was it when the fuel gauge was down at 50%? I don't know. It must have known somewhere where it was. But yep, great. I'm not gonna dox myself, because I don't actually live there anymore, so don't worry.

So in the MyToyota app you get notifications. As you can see, those big orange alerts are like, oh bugger, something bad has happened. The one at the top says "hybrid system major malfunction, take it to a dealer immediately". The one below it says "sonar system", again, take it to the dealer immediately. So they've basically screwed the car. Bugger. So I couldn't track where it was; it didn't then appear ever again. Phoned the police.
They couldn't do anything. Tried to contact Toyota online; they wouldn't do anything, because they don't have stolen vehicle tracking in the country. Which is a bit shit, really. Actually, a friend of mine, Ken, actually thought it was a targeted hack, because I did the radar hack and someone thought, oh, it must be another car hacker, they've nicked the car for a couple of days and it will reappear in three days' time. It didn't.

A couple of weeks later, my neighbour has a Land Cruiser, or shall we say had a Land Cruiser. The first time they tried to nick it the alarm went off and they ran off, the three little scrotes. A couple of weeks later he left it out on the road around the front; we went in for half an hour, came back out, it was gone. So it wasn't a targeted hack. There were two vehicles from my block stolen, and also there are a couple of RAV4s around the area where I used to live that I used to see around and about that aren't there anymore either. So there are quite a few that were stolen from that area, and looking on Reddit and things, there are also quite a few in the north London area that had also been stolen.

So on to my initial investigations. I'm not going to play this video because it's a bit dark and a bit rubbish, you can't really see it, but if you take a look at the video there, QR code. This video is linked in the blog post; when we first linked it, it had 20,000 views on it. It now currently has about 330,000 views on it. I think they've made some money out of us linking to their video. Good luck to them, because they had their car nicked as well. So that's great.

So on to another vehicle. This one was from Twitter. This is slightly sped up and takes about 90 seconds in total. So: playing around in the corner by the bumper, mate comes along with a torch, see the lights come on, doors are open, job's a good 'un, and car's gone. That's literally 90 seconds.
Oh bugger. So I did a bit of an investigation. Respect to a friend of mine who works in vehicle system forensics; he used to be an ex-police traffic cop, and he said he'd come across some of these things with his colleagues that he used to work with, and they are basically a little Bluetooth speaker that has some extra electronics inside it that you plug into the CAN bus in the back of the headlight wiring. The giveaway is the two pins here to a USB-C cable. So yeah, great. But this is used for plausible deniability: they get stopped in the street, it's a speaker, it's broken, it doesn't work. If they were clever they could actually put a slightly smaller speaker in and it would still work, but whatever. But they're sold as "emergency start devices". Why would a locksmith want something that looks vaguely like a USB speaker to go and open cars? Yeah, not good.

When I first found out about it, the price of this device was 1,500 euros. When I actually eventually got around to buying it in February this year, the price had gone up to two and a half thousand euros. I'm not going to give any details of where I bought it from, because they actually don't sell it anymore, but if you Google "emergency start device JBL" you'll find it, and there are shops across Europe and in Eastern Europe, in America, other places, that now sell it for nearly 5,000 euros or five thousand dollars. So the price is going up, because they're obviously in demand. But yeah.

Here's the list of the actually claimed devices it actually believes it works on, so you've got the Toyota Supra, Prius, C-HR, RAV4, Highlander, Land Cruiser, ProAce and the majority of the Lexus range. So that's quite widespread. So yeah, you can nick quite a few different cars quite easily, very cheap. So what is actually in this device?
Externally it just looks like a JBL speaker. Internally, there's the electronics from the speaker, the blue PCB; the black blob is the electronics for the actual device itself. I can't give you the details of what's underneath the black blob, because that gives away what it actually is, but basically there's a PIC18F25K80 and a modified CAN transceiver. I can't go into the details on how that modified CAN transceiver works or what it does; Ken's gonna go through that in a minute. And so yes, it is modified. Those details will never get out. I tried to do a bit of reverse engineering with my old PICkit thing, but there's no honour amongst thieves and the bastards had locked down the bit, the firmware, so you couldn't read it out. But there is a "Heart of Darkness" attack that you can do on that chip, but you potentially need two of those chips, because you have to read out half of the chip at a time, which is... I'm not buying another one, especially as it's four and a half thousand euros now. There are possibly a few other ways to glitch it and get access to the firmware as well, but we believe we've actually got the data out anyway by just what it does on the CAN bus.

I'm now going to hand back to Ken.

"Let's look at some bench testing that we did to investigate how this device works. First point I want to make is that this is using fake data. So we've renamed the CAN IDs and payloads, because we're not here to help people make devices to steal Toyota cars. So this is a logic analyser trace, and we've got some CAN data here from various ECU traces and the theft device, and there's a signal here called INJECT chip select, so that enables the override transceiver.
We should talk about that in a moment. And then this is the TX line for the injector device that's injecting CAN frames, and then we can see here all the other ECUs: there's a transmit line from one of the ECUs, and then various CAN high and low signals on the bus. And then we have another receive pin on a CAN transceiver, so we can see what comes through.

So this is a standard CAN frame. So we were very nice. So here's the transmit line that goes through; that's what's transmitted. Here the CAN high and low lines are pulled apart when you have a dominant bit, and that will come through just fine here. So this is a perfectly fine CAN frame.

Now let's have a look when we turn on the inject chip select line. So this turns on the transceiver, and that forces a recessive state onto the bus. So here we're injecting a one bit onto the CAN line, so injecting a recessive state, and here's an ECU trying to transmit, and it goes through this very, very funny pattern here, trying to assert a dominant state, and you can see it's trying to pull these CAN high and low lines apart, but it doesn't really succeed. So what the other ECUs see on their CAN RX pins is just a recessive, which is the same as the transmitted signal. If you want to know why this pattern is like it is, this is one of my CAN quiz questions on my blog post, which I'll point you at.
So you can see here, when we're actually trying to transmit a frame, so here is a spoof frame being transmitted, and here the ECU is receiving that. Now one of the interesting things about CAN is the sender transmits a recessive bit for the acknowledgement slot and then all the ECUs respond with a dominant bit. Now normally this override transceiver would cause that to fail and there would be an error, because you wouldn't get an acknowledgement back. But when all of the ECUs are all pulling together, they can drive enough voltage onto the bus through the combined transceivers, and that is just enough to push CAN high and low apart enough to then come through as a dominant bit. So everyone sees that as a valid CAN frame. So that's one of the nice properties of the way this transceiver works, nice as in it works: it allows all the ECUs to pull together, whereas one ECU on the bus is not strong enough to drive an acknowledge bit.

So I've been talking about that custom CAN transceiver circuit. It's inside that resin blob. It's not a proper CAN transceiver, of course, because criminals don't care about CAN standards, so it's designed to break all the protocols, to push weird voltages onto the bus, and that's enough to spoof all the CAN transceiver circuits for all the real ECUs. So it can push any CAN bus traffic onto the bus that other transceivers will see as proper CAN frames, and most importantly it can't be stopped. Other ECUs cannot drive a dominant bit onto the CAN bus unless they're all acting at exactly the same time. So this means hardware security approaches like NXP's Stinger transceiver, which has a kind of blacklist/whitelist for destroying CAN frames it knows are bogus, won't work, because it can't send an error frame onto the bus, because it can't drive a dominant state. And the CAN-HG protocol I mentioned earlier also uses the same technique to destroy frames it knows are bad in some way, and again it can't do that if this
transceiver circuit is driving a recessive state on the bus.

So let's have a look briefly at how this works in a bit more detail. This is a network topology diagram for the Toyota. It's very, very simplified, just for clarity. So the actual wiring diagrams are complicated: an awful lot more ECUs in it and many more CAN buses. But this is the rough schematic. So up here we have the left headlight, where the thieves break into the connector so they can get access to CAN high and low on this red bus. Also on this bus is the smart key ECU. So this is the ECU that enters into a nice dialogue with the driver's keys. It uses asymmetric encryption, certificates and things, all nice and secure, and the driver's keys can be authenticated, and then once it's been authenticated it sends a message over the CAN bus to the door ECUs to unlock the doors, and to this gateway ECU, which is forwarded on to the engine management system on the CAN bus, that disables the immobiliser. And so the thieves basically disable this whole bus and inject CAN frames that spoof the smart key's CAN frames to say that everything is fine. So all these ECUs see the smart key frames and act on this: the door module opens, the gateway sees a valid frame and turns it on, and the engine management system obviously just operates on that. So that's how the CAN injection works.

There's a blog post I wrote up on this, and it's been very well received, and it's in fact used for the CVE that's been awarded, and it generated an awful lot of comments. So we thought we'd do a top three frequently asked questions here, except they're not frequently asked questions, they're car security mansplanations from people who don't understand how cars work. So I thought I would give the top three: why your mansplanation of how easy it all is is not actually...

So coming in at number three is "just add a firewall to isolate the headlights". Unfortunately, a firewall costs money.
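The bus behaviour Ken describes above (a single compliant ECU cannot pull the bus dominant against the override driver, all ECUs pulling together in the ACK slot can, and so a lone node's error flag never reaches the bus) can be reproduced with a small bit-level model. This is an added illustration, not code from the talk, from Canis Labs or from the device; the drive-strength numbers are constructed to match the described behaviour, not measured values.

```python
"""Bit-level model of a CAN bus as a wired-AND of node drivers.

Added illustration of the talk's explanation of the override transceiver; it
is not code from the talk, from Canis Labs or from the theft device, and the
drive-strength numbers are made up to reproduce the behaviour described: one
compliant ECU cannot pull the bus dominant against the override driver, but
all ECUs driving together in the ACK slot can.
"""

DOMINANT, RECESSIVE = 0, 1

# Constructed, arbitrary units (assumptions, not measured values).
ECU_DRIVE = 1.0      # one compliant transceiver asserting dominant
OVERRIDE_HOLD = 2.5  # the non-standard driver holding the bus recessive


def bus_level(dominant_drivers, override_active):
    """Resolve one bit time.

    Standard CAN is a wired-AND: any single dominant driver wins.  With the
    override driver holding recessive, the compliant drivers must together
    out-pull it before receivers see a dominant differential.
    """
    if dominant_drivers == 0:
        return RECESSIVE
    if not override_active:
        return DOMINANT
    return DOMINANT if dominant_drivers * ECU_DRIVE > OVERRIDE_HOLD else RECESSIVE


def single_ecu_sends(bits, override_active):
    """What every receiver's RX pin shows while one ordinary ECU transmits
    `bits` (0 = dominant, 1 = recessive)."""
    return [bus_level(1 if b == DOMINANT else 0, override_active) for b in bits]


def error_flag_reaches_bus(override_active):
    """An active error flag is six consecutive dominant bits.  This is the
    mechanism a filtering transceiver (the talk names NXP Stinger and CAN-HG)
    uses to destroy a frame it rejects.  Returns True only if a lone ECU's
    flag actually appears on the bus."""
    return single_ecu_sends([DOMINANT] * 6, override_active) == [DOMINANT] * 6


def ack_slot(ecu_count, override_active):
    """All receivers answer a valid frame with a dominant ACK bit at the same
    instant; with enough of them pulling together, the ACK still gets
    through even while the override driver is active."""
    return bus_level(ecu_count, override_active)


def summarise(ecu_count):
    """Why the override defeats single-node countermeasures but not the ACK."""
    return {
        "lone_error_flag_blocked": not error_flag_reaches_bus(True),
        "ack_still_seen": ack_slot(ecu_count, True) == DOMINANT,
    }


if __name__ == "__main__":
    print(single_ecu_sends([0, 1, 0, 0, 1], False))  # normal bus: [0, 1, 0, 0, 1]
    print(single_ecu_sends([0, 1, 0, 0, 1], True))   # overridden: [1, 1, 1, 1, 1]
    print(summarise(ecu_count=4))
```

The model deliberately has no notion of voltage slew or the "funny pattern" on the scope trace; it captures only the outcome at the RX pins, which is what a transceiver-level filter or a gateway would have to work with. The point for a defender is that any countermeasure that relies on one node asserting dominant (error flags, frame destruction) is modelled as ineffective here, while countermeasures that do not need to win the bus (message authentication, gateway forwarding policy) are unaffected.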
It's a PCB, power, metal case, connectors, a couple of CAN buses, all kinds of stuff like that, and some more connections on the other side. Even if it cost 10 dollars, which it won't, but even if it cost 10 dollars, multiply that by 50 million cars, which is what Toyota made in the last few years, that is a total of half a billion dollars. So this is a brilliant security solution: we're about as smart as Elon Musk, because you've wasted about the same amount of money he's just wasted on Twitter.

Number two: "just use TLS and WireGuard to encrypt all the messages". Well, CAN messages are eight bytes long, and CAN messages contain small sensor and actuator data, like "turn the main beam on". This is not the sort of thing that you throw huge overheads of mainstream IT solutions at. Car electronics is a distributed real-time embedded safety-critical mechatronic system controlling wheels. It is not a phone on wheels. It's not a computer on wheels. It's a distributed control system, and it's all about short worst-case latencies, not about bandwidth. So even though CAN is relatively slow, because the data is relatively small, this is a perfect solution for it. A car isn't a data centre on wheels, and all these mainstream IT solutions, they're solving a completely different set of problems, and so those solutions are not appropriate for real-time control.

And number one: "just use a relay to turn the headlights on. Why do you need a CAN bus in the headlights?"
Well, first of all, it's not called a headlight cluster for nothing. Inside that are the main beam, the low beam, the side lights, the indicator lights, the daytime running lights, different lighting modes, washer pump motors, wiper motors, LED projector lights, and then there are multiple ECUs that want to control all of this stuff, and some cars of course even have motors for steering the headlights. The idea that you can just turn it on and off with a switch is simply not workable. But a superlative suggestion, and one that we'll bear in mind. No, we're not going to do that. Can't just chuck it back to a relay."

So onto media coverage. Here is a sample of the different reports about what happened after the blog post was released. Most of them come out with "oh, headlight hacking". It's not the f-ing headlight, it's the f-ing headlight wire. Yeah, you unplug the headlight; the headlight is now nothing to do with it. But life happens; they make up the stories. It was quite interesting: there was a story in Sweden about a shedload of RAV4s and RX 450s being found in a container warehouse, which were allegedly stolen as payment for drugs, to be shipped abroad. So they sort of pinned it together that it was actually done by CAN injection after we published our details on our blog post, because they actually thought it was done by a relay attack, because both of them look exactly the same.

I will go on to another bit in the press. If you know of the AA in the UK, the Automobile Association: the chairman, Sir Edmund King, had his wife's Lexus stolen, and he then published a post saying, by the way, put your keys in the microwave, because that's a Faraday cage. Yep, great. He then said his keys were actually in the microwave, so how did they steal it?
Probably CAN injection. Didn't go anywhere near his keys. So I did send him the details, and he is going to have a look at it and get back to me, but he was busy with some smart motorway stuff. So that's an interesting story, that the man in charge of the AA had his Lexus nicked and he still doesn't know how it was nicked. He does now, but whatever.

On to a bit more media coverage. Vice.com did this video. Try the door handle. Cable's already plugged into the back of the headlight under the wheel arch. Plug the thing in. It's doing some messages. He now tries the door handle again. Oh no, it's still locked. Whoops. Press the play button on the side; that triggers the locks. Now he just unplugs the thing, because you don't need it anymore, wanders around to the side of the vehicle, opens the door, presses his foot on the brake, and if you look carefully the rev counter now shows a thousand RPM. That, again, less than two minutes. There is a Vice video with the same story showing the older 3210 Nokia version, which will steal 2012 to 2015 type varieties. So there are links on my website to all these stories and things and videos, so if you want to have a look, my websites are at the end.

There's also been quite a lot of industry coverage. Upstream produced their half-year 2023 auto cyber trend report; our research got mentioned and our blog post was linked. Oh no, CAN injection. Yep, it's been around for years, just no one speaks about it. They think things are secure.
It's not. C2A also publishes another one: "CAN injection, a rising threat to automotive security". Yep, there again, links are on my website to those. So we actually got the CVE issued by ASRG, and we did that so that other manufacturers can be made aware. That website I bought the device for the Toyota and Lexus from sells devices for every car make that is available at the moment, ranging from a few hundred dollars to twenty-five thousand dollars-ish. So no manufacturer is immune. And yep, I'll go on to some of that bit later.

I did actually log the name of the CVE as "CAN injection" with the emojis. That's the UK-spec emojis, because we drive on the correct side of the road. That's the American-spec emojis, because you drive on the wrong side of the road, or the right, whichever you want to say. But I'm English, I'm right. Currently the CVE is only listed against my 2021 RAV4, because that's my car. I'd like to get it updated with the other ones when we confirm which ones actually do work, but that may take time.

So on to actual numbers. So in the last six years the RAV4 has sold just over five million vehicles, the Prius about half a million, C-HR about four million, Land Cruiser a hundred thousand, Highlander two million-ish. Lexus, I couldn't find individual details of all the different models, but over those five, six years, 4.2 million vehicles. So potentially across the globe there are at least 15 and a half million cars that can be stolen by this 20 dollars' worth of electronics. Yeah, great, wonderful. And going back to that number of 56 million, 50 million-ish cars: over the last six years they sold 56 and a half million cars. Again, times that by ten dollars.
That's half a billion dollars. Security ain't that cheap. All these figures were taken from either Wikipedia or Google or Toyota's website themselves.

So when we actually bought this device I did some testing on a friend of mine's car, a Lexus NX 300h. I made a device here; as you can see it's got a little missile switch that does the unlock; the other switch here turns off and on the additional transceiver component. I went over to see my mate and we tried it without the additional transceiver, because I didn't want to break his car, because I know when my car was stolen it threw 20 DTCs and probably had to be reset. So I was a bit cautious. Checked the one for unlock; that worked. Checked the one for start the engine without the additional transceiver; didn't work. After I left, curiosity got the better of him, and he used my version of this and had a little play himself: no keys in the car, nowhere near. Plugged it into the headlight, let it do its thing, popped the thing up, pressed the button, car unlocked, drove it around the car park a couple of times. Yeah, oops. He then put it all back together, started the car with a key properly, with a key present, etc., and the rotating headlight on the left-hand side of the vehicle stopped working. So he had to take it back to the dealer and say, oh, my headlight's stopped working on this, guv, I haven't been playing around with it. Luckily it didn't cost him anything, because I feel a bit guilty that he broke his car for me. So yep, thank you very much.

Yep, I'd just like to actually get access to all of the different models that are actually claimed to be used, and then have the full Toyota diagnostic tool, with the cooperation of Toyota, to then reset them and then update the list on the CVE to then actually see which ones are and are not possible. The interesting one is, though, if you know anything about the Toyota Supra, that may or may not be a BMW Z4. So is the BMW Z4 also vulnerable to the same thing? I don't know.
I would like to check it if you have a Z4 in the car park; hit me up later. Well, have a go? No, don't, please. I don't want to get done for doing anything stupid. And the Toyota ProAce van, if you know anything about that one, that's based on the Peugeot Citroen platform in Europe, so again there are other vehicles also based on that platform that could potentially be vulnerable.

On to the disclosure process. This was fun. In March earlier this year I put a tweet out: does anyone have a contact in Toyota, either Japan or US or anywhere, to help us with the disclosure? I've got this thing that's used to steal cars. I got nothing. Is that okay? I rang my local dealer. I nearly walked the car off and said, by the way, have you had any issues with cars being stolen? And the receptionist was really helpful and said no, but I'll get the service manager to ring you back. About half an hour later the service manager rang me back and went, actually, yeah, one of my demonstrators: I was out for a night out a couple of weeks back or a couple of months back, parked it up, went home, came back the next morning, it wasn't there. He did a bit of an investigation and then found out, yep, they've been nicking it by the headlights. I spoke to him and he said at one point, late last year, his garage alone that he worked at was getting three instances a week of vehicles either being stolen or being potentially stolen. There was a memo put out by someone somewhere in Toyota UK or Europe or something saying, by the way, make sure you lock your vehicles up behind the bars and things, because they will go walkies off your forecourt. So yes, they are aware of it. They've known about it.
Great. I then sent some details to him about what we found out. He's then sent them off to somewhere, whoever he was dealing with, and then a few days later I got a direct email from someone from Toyota Japan, copied into quite a few people in Toyota Europe, and it basically said, use the HackerOne vulnerability disclosure programme. So yeah, that one that I went to Auto-ISAC in 2019 to talk about vulnerability disclosure; that was at Toyota's headquarters. Great.

Their vulnerability disclosure programme has a couple of caveats. There's a restriction on modifications to the vehicle. Tell that to the criminal; the criminal ripped the bumper off to actually get to the headlight. So yep, you can't do that to steal my car. Yeah, no, you're not allowed to do that. So yeah, great. And there's an implied NDA, and the implied NDA says when you tell HackerOne something about it, basically you then can't tell anyone else about it. So you can't warn anyone that you've actually told Toyota via HackerOne. So great, wonderful. I did actually get an email back from Toyota Japan saying, by the way, we're going to waive that NDA. But a few weeks later, someone I know was on the Auto-ISAC panel and they were discussing our vulnerability in one of their meetings, and the discussion basically went along the lines of, how can we shut these people up? Because it's cheaper to silence them than to actually fix the problem. So someone sends me a random NDA disclaimer thingy that may or may not be on an email that I can't guarantee is genuine; you think I'm going to trust that? Did anyone see what happened to Carlos Ghosn? Yeah, great. No. Got done for fraud, had to be smuggled out of Japan in a flight case.

So currently we're in the process of disclosing via ASRG, the Automotive Security Research Group, and they are again getting exactly the same response from Toyota, and the response is "report it via HackerOne". This morning
I actually had a meeting with someone from Toyota USA and basically told them some of the details of my findings, and they basically said it needs to go via HackerOne because we need to track things. Which I understand, that's fine. And I said to him, as long as you get me a piece of paper that is a signed, proper piece of paper on Toyota headed paper, we will do it. We will share some information. There may have to be an NDA in one direction because you might tell me some stuff that you don't want getting out, which is fine, but anything that is currently out isn't dangerous, because I'm not going to tell you all the secrets, and I can't tell you all the secrets because it's how to steal a bloody car. So, yep. After that Auto-ISAC thing I did actually put a LinkedIn post, a bit of a tongue-in-cheek thing that basically said, by the way, if you want some information on this stuff, hit us up. We can have a private meeting without too many people around so that we can discuss it with other OEMs, etc.

So back on to my colleague Ken with some potential fixes.

Okay, so we've talked a lot about how this theft device works and how it uses a transceiver to bust through all kinds of defences, and we've talked about all the things that won't work, like relays to headlights and 50 billion dollars of money spent on electronics. What fixes are there? So we offered two. One of them is to do a quick and dirty short-term fix: make the gateway paranoid about CAN bus errors at start-up. So when the vehicle is first being started up and this theft device is working, it's a very crude device, so it blasts its frames onto the CAN bus and everyone else's frames don't turn up. So there are heartbeat messages missing and stuff like that. So if the gateway device is a bit paranoid and sees a bunch of errors on the CAN bus, its own frames are not being sent.
It can basically say, I'm not going to forward any messages until it's all gone away. And if there was a false positive on that, you would just try again. So this is a quick and dirty hack. The theft device vendors, I won't explain how, but they could work around this after a while with a bit more work and effort, or maybe they just move on to someone else's car. But either way, it's a short-term fix.

A permanent fix to this is to use cryptographic messaging between the smart key ECU and the doors, and the smart key and the engine management, or possibly just the gateway. And you can use solutions like CryptoCAN, which I developed at Canis Labs, or you could use SecOC, which is AUTOSAR's Secure On-board Communication, to secure those messages against spoofing. There's no need to encrypt every message. Of course, you don't need to encrypt everything, because some of the sensor messages are boring. What's important is the smart key traffic to the immobiliser and the doors; those are the things to encrypt.

Just a couple of slides left. This one's quite funny. I think Toyota might be trolling me. The 2024 Tacoma gets a JBL speaker that has a nifty removable speaker. Looks a bit like this. Is this just in case you lose the keys out on the trail? It's got the hardware in it. Little extra wire, poke it underneath the wheel arch, job's a good one. I don't think it does, but it'd be bloody hilarious if you could retrofit it. I could do that. I'm not going to, because we don't get the Tacoma in the UK, but it would be funny. This is potentially my last slide with any sort of information.
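The "paranoid gateway" start-up check described above, as an added illustration that is not the speakers' or Canis Labs' code: a gateway that refuses to forward frames while its own transmissions are failing or expected heartbeats are missing, and only enables forwarding once the bus has looked clean for a while. The CAN IDs, thresholds and the event log are constructed assumptions.

```python
from collections import deque

HEARTBEAT_IDS = (0x100, 0x2A0)   # constructed IDs of ECUs whose periodic frames the gateway expects
HEARTBEAT_PERIOD_MS = 100        # assumed nominal heartbeat period
TX_ERR_WINDOW_MS = 200           # window over which the gateway's own failed transmissions count
TX_ERR_LIMIT = 4                 # this many failed own frames inside the window = bus looks jammed
HEALTHY_MS = 500                 # bus must stay clean this long before forwarding is enabled

class ParanoidGateway:
    """Start-up monitor: forward nothing until the bus has looked healthy for a while."""
    def __init__(self):
        self.last_heartbeat = {}     # CAN ID -> last time (ms) its heartbeat was seen
        self.tx_errors = deque()     # timestamps of the gateway's own failed transmissions
        self.healthy_since, self.forwarding = None, False

    def _bus_healthy(self, now):
        while self.tx_errors and now - self.tx_errors[0] > TX_ERR_WINDOW_MS:
            self.tx_errors.popleft()
        if len(self.tx_errors) >= TX_ERR_LIMIT:       # our own frames are not getting through
            return False
        for can_id in HEARTBEAT_IDS:                   # has every expected ECU been heard recently?
            seen = self.last_heartbeat.get(can_id)
            if seen is None or now - seen > 2 * HEARTBEAT_PERIOD_MS:
                return False
        return True

    def on_event(self, now, kind, can_id=None):
        """kind: 'rx' (frame received) or 'tx_err' (own frame failed). Returns forwarding state."""
        if kind == "rx" and can_id in HEARTBEAT_IDS:
            self.last_heartbeat[can_id] = now
        elif kind == "tx_err":
            self.tx_errors.append(now)
        if self._bus_healthy(now):
            self.healthy_since = now if self.healthy_since is None else self.healthy_since
            self.forwarding = now - self.healthy_since >= HEALTHY_MS
        else:                                          # any relapse drops forwarding again
            self.healthy_since, self.forwarding = None, False
        return self.forwarding

def run(events):
    """Replay (t_ms, kind, can_id) events; return the times at which forwarding changed state."""
    gw, state, changes = ParanoidGateway(), False, []
    for t, kind, can_id in events:
        if gw.on_event(t, kind, can_id) != state:
            state = not state
            changes.append((t, state))
    return changes

# Constructed scenario: an injector jams the bus for the first 400 ms (heartbeats vanish and
# the gateway's own frames fail), then the bus recovers and stays clean. Already time-ordered.
JAMMED = [(t, "tx_err", None) for t in range(0, 400, 50)]
CLEAN = [(t, "rx", hb) for t in range(400, 1400, 100) for hb in HEARTBEAT_IDS]
EVENTS = JAMMED + CLEAN   # run(EVENTS) -> [(1000, True)]: forwarding 500 ms after the bus is clean
```

A false positive, as the talk notes, simply delays forwarding until the bus has been clean for HEALTHY_MS, so the driver retries; a relapse of errors after start-up drops forwarding again.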
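The permanent fix, authenticated smart-key messaging in the style of SecOC, as an added example that is neither CryptoCAN nor AUTOSAR's SecOC implementation: a truncated HMAC tag plus a truncated freshness counter carried inside a classic 8-byte CAN frame, with the receiver rejecting replays, tampered payloads and unkeyed spoofs. The key, CAN ID and payload are constructed demo values.

```python
import hmac, hashlib, struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key; real ECU pairs get provisioned keys
MAC_BYTES = 4        # truncated authenticator carried in the frame
FRESH_BYTES = 2      # truncated freshness counter carried in the frame
CAN_DLC = 8          # classic CAN payload limit: payload + counter + tag must fit in 8 bytes

def compute_tag(can_id, payload, freshness):
    # CAN ID and the full (untruncated) counter are authenticated too, so a recorded frame
    # cannot be replayed later nor reused under a different ID.
    msg = struct.pack(">I", can_id) + payload + struct.pack(">Q", freshness)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_BYTES]

class Sender:
    """Smart-key side: appends the low 16 bits of a monotonic counter plus the tag."""
    def __init__(self):
        self.freshness = 0
    def build(self, can_id, payload):
        assert len(payload) + FRESH_BYTES + MAC_BYTES <= CAN_DLC
        self.freshness += 1
        trunc = struct.pack(">H", self.freshness & 0xFFFF)
        return payload + trunc + compute_tag(can_id, payload, self.freshness)

class Receiver:
    """Door / immobiliser / gateway side: rejects bad tags, replays and stale counters."""
    def __init__(self):
        self.last_freshness = 0
    def accept(self, can_id, frame):
        if len(frame) < FRESH_BYTES + MAC_BYTES:
            return False
        payload, tail = frame[:-(FRESH_BYTES + MAC_BYTES)], frame[-(FRESH_BYTES + MAC_BYTES):]
        trunc, tag = struct.unpack(">H", tail[:FRESH_BYTES])[0], tail[FRESH_BYTES:]
        # Rebuild the full counter from its low 16 bits; it must be strictly newer than the last.
        full = (self.last_freshness & ~0xFFFF) | trunc
        if full <= self.last_freshness:
            full += 0x10000
        if not hmac.compare_digest(tag, compute_tag(can_id, payload, full)):
            return False
        self.last_freshness = full
        return True

def demo():
    """Constructed exchange: fob sends 'unlock'; the same frame is then replayed, forged, spoofed."""
    UNLOCK_ID, unlock = 0x3A1, b"\x01\x00"
    fob, door = Sender(), Receiver()
    genuine = fob.build(UNLOCK_ID, unlock)
    forged = bytes([genuine[0] ^ 0x02]) + genuine[1:]     # payload altered, tag left as-is
    spoofed = unlock + b"\x00\x09" + b"\x00" * MAC_BYTES  # built without the key
    return [door.accept(UNLOCK_ID, genuine), door.accept(UNLOCK_ID, genuine),   # fresh, replay
            door.accept(UNLOCK_ID, forged), door.accept(UNLOCK_ID, spoofed),
            door.accept(UNLOCK_ID, fob.build(UNLOCK_ID, unlock))]   # [True, False, False, False, True]
```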
The fallout of our findings: a friend of mine, David Rogers, found this article about Jaguar Land Rover. Insurance companies in the UK are not insuring them anymore because they are so easy to steal, or they're basically pricing it out of the market. So carmakers need to get their finger out of their arse and fix it, because cars are going to be either uninsurable or no one's going to want them, because no one's going to be able to afford a few grand a year to actually insure their car. But the problem is they will fix it going forward; they won't fix it going back. So all those cars that have previously been made are still vulnerable. So yeah, not good.

On to my slide, our slide. Just like to say thank yous first to the ASRG, specifically John Hildreth. He's been helping us with the disclosure process, over to Japan. We are doing exactly the same talk at the ASRG SOS Conference next month in September, so look it up. I'd also like to say thank you to Bugcrowd and all the team of car hackers that were there in the 2018 and 2019 events. Wave if you're in the audience. There's some down at the front, there's some at the back. Yep. Noel Lowdon, my colleague, my friend. That's an incident investigation chap, ex-policeman. He's the one that pointed me in the direction. Zoltan may or may not be the crazy bugger that broke his own car for me. Thank you very much. I didn't ask you to do that, you idiot. Finally, I'd like to say thank you to the Car Hacking Village for allowing me to be here and share this story. I don't have time for questions because of cock-ups with audio, and I can't give you any more information than has already been given. So don't ask. Yeah, I can't give it. I cannot tell you anything about how it was made, the messages or anything. So thank you very much.