Good afternoon guys, welcome to So You Want to Hack a Car. Just so nobody sues me, you can break your car with the tools I'm going to show you. I can't help you fix your car, so please don't whine to me if you do something dumb. Little tip though, on most cars, if you unplug the battery for 20 minutes and then plug it back in, it works again. I wish I was kidding, but that is the truth. Now I see why they didn't want to do that. Sorry, the HDMI cable isn't working amazingly well.

About me, my name is Jerry Gamblin, I'm the Principal Security Engineer at a start-up out of Chicago called Kenna Security. My personal blog is at jerrygamblin.com and you can follow me on Twitter at @JGamblin. I'm always available to answer questions and talk to you guys about car hacking or cybersecurity in general. So they gave me 45 minutes, but I need like 25 minutes, so we're going to get through this and then everybody is going to get some time back to go enjoy the rest of DEFCON.

Why carhacking.tools? Because we're not going to do this, right? If you're here to learn how to take over a car and hit the brakes, going 90 or whatever, this isn't the talk for you. This is hacking in the late 90s, early 2000s version, right? Your car has a ton of data, you want to see that data. Your average car probably gives you 4 to 8 gauges while it has about 150 to 200 data points in PIDs that it's just spitting out all the time. And if you're like me, you're like, I want to know what all that data is. I might not have an oil temperature gauge on my dash, but if my car is spitting that data out, why am I not collecting that and looking at it and overlaying it on a map? Or why am I not figuring out what my coolant temperature is or monitoring my gas? So that's what we're going to do, because I love data. I want to have all the extra data I can. I want to be able to do stuff like this, right? I want to be able to use Torque Pro and overlay my car's data on top of the dash cam, right? It's useful.
Your car has the data, and it costs about $11 to get this information out of your car.

So what is carhacking.tools? I go on and off on car hacking. I like to get the data out of my car. It's just, here's how it starts, like, oh, I really want to figure out something in my car. So then I spend like four days recompiling all the tools on Linux to get them to work. And then by that time, I'm on to another project because I have ADHD. Just getting the tools installed was enough. So I just decided to put together some shell scripts to take about the 20 most popular Linux open source tools and let you guys build them automatically. They have all of the dependencies that are needed. So you either just download the OVA and run it in VirtualBox or run it in VMware. Or you just run the shell scripts that are on my GitHub page and it'll just install all the tools. And I'm going to try really hard to keep those up to date over the next year.

Oh, I should have put this slide up. Here's all the tools that are installed. Like, you have your CAN Utils and your CAN Bus Utilities and your CAN Backdab and, you know, SocketCAN and UDSim. So you can pull this OVA down right now and there's a simulator on there and you can start playing with it today at night in your hotel room. And it's also really affordable. The best OBD2 adapters are 30 bucks and you can get them on Amazon next day. I will put these slides up, but all of this information is on the website with links directly to Amazon to these so that you don't have to take photos of the screen unless you want to because I just see it all the time. I don't know what people do with those pictures after conferences.

And this is what it looks like. This is the full build out. If you download the OVA, you have a car hacking desktop. So it has all the tools. You run it and you can start pulling data with Wireshark or with socketcand or with CANtact right into your system. Let's just talk about some of the challenges.
Car hacking is hard and dangerous. There's probably 150 people in here. If we have two people who have the same car, like the exact same model car and the exact same year car, it would be super rare. And when you're trying to figure out the data your car is giving you, you can't Google it, right? I can't sit there and Google, please tell me what my Toyota Corolla means here because I'm the only person in the world in my garage at 2 a.m. trying to get PIDs out of my Toyota Corolla, right? This is old school hacking. You're not going to like find a proof of concept on some Pastebin page that somebody dropped there because like it or not, you're the only person looking at the data coming out of your car in most cases. And you can lock up your car. Getting ready for this talk, I was in a hurry, I had to take my car in the shop about three times. That's mostly because I'm terrible at Python.

It's a super small hobbyist community. I will guarantee that whoever wins the CTF out there does it professionally. There are very few hobbyist car hackers that can get a foothold and spend the time necessary to do it. You talk to those guys, I love them, they're like, oh yeah, I just get an ECU which is a $500 computer that runs your car and I put it on my test bench at home. And so they're sitting in their office doing this. I'm out of my garage with no air conditioning trying to work in there, right? So that's the split. If you're doing this as a hobbyist, you're likely doing it on something that you have to drive every day and you don't want to break it. While if you're doing it professionally, they send you the brains of the computer and you can sit at your desk and work on it. So it's a totally different way to look at it and that causes this problem.

Folks start open source projects and then they just abandon them in this field and I'm not sure why. I'm trying to get people to be better at this and I'm trying to help where I can. I love Charlie Miller, but this tweet is true.
I don't know why people write these tools. I wrote a tool in 2016 that hasn't been updated and nobody touches it. So it just sits there and rots. And stuff like this, the Python OBD tools, the guy who maintains that moved to San Francisco, doesn't have a car now, so isn't updating the PIP. So if you want to do PIP install Python OBD, you're downloading an install package with 45 open bugs that are known, right? So this community in general needs help. So if you want to get into it, be willing to give back, be willing to share that information because that's the only way it's going to go from one person in their garage trying to do this to a thing where people can really start getting the data out of their car that they need.

In reality, virtual machines and Bluetooth plus serial really, really sucks. I'm not sure if anybody's tried to do that, but all of the ELM adapters have FTDI serial most of them and trying to get that to run through. Sorry, 94, I don't know what's going on, 45 or something. It's really hard to bring all of those tools together into one spot. So I recommend if you can afford it to pick up the cheapest laptop that'll run Linux and to do it there. It'll make Bluetooth so much easier, it'll make all your serial adapters so much easier.

The future of carhacking.tools: I'm going to add more tools, I have a few pull requests in to build out some stuff. There's going to be better OVAs. I'm really working on that to make this more useful for an organization and group and then we're going to go to Docker and a Pi image because those are the next two steps and hopefully by this time next year we can have this built out for Windows and Mac.

This is a really short thing. I wanted to have a conversation. There wasn't a lot of data here. I wanted to just release the tool and get people who are interested in doing this to actually have the tools. It was much more about doing the exercise of building the scripts to install the tools.
That took me a month of time to do that. That's basically all I have. The OVA tools are at carhacking.tools. If you go to that site you can get a link to the GitHub page and you can download the OVA.

I'd like to thank Kenna Security, the engineering managers in the back. If you're in college and you're looking for a job, we have a great program. We have flex time. It gave me more than enough time to work on this during the week. I just thought if you're interested I want to thank them because they're a great place to work.

If you guys are in college, you just don't have $11. I have probably 10 or 15 OBD2 adapters that I'm not going to use that I want to give to people who will use them. If you want the hardware to get started in this, please come and see me. I'm more than glad to give it to you. I'm going to start with people who either are unemployed or in college first who want to jump in and then anybody else is more than willing to have some of this hardware. I really do want everybody to take time possible to go and look at the tools and see if they can help improve this and I'll answer all the pull requests we can.

Thank you, guys. I'm sorry that we had, sorry it was so short. I'm more than happy to answer any questions anybody has and I'm not sure what's going on in the back still. Thank you.