Hey, thank you for coming. I want to do a really short talk today about some aftermarket vehicle accessories we've been looking at. I'm going to start by looking at some aftermarket alarms, which was research we published back in February this year, and then I want to move on to some new stuff, which I wasn't going to be able to talk about, but responsible disclosure, you've got to follow it. The vulnerabilities were fixed yesterday, so I'm quite pleased we can actually talk about some of these live now.

I want to go back to look at what we looked at before: some smart car alarms. What got us interested in the smart car alarms was that the vendor advertised themselves as unhackable, and I'm thinking, wow, that's got to be really interesting, unhackable. You might remember some work our team did about a year ago on a certain cryptocurrency wallet called BitFi. The cryptocurrency wallet marketed by John McAfee as unhackable, and about two days later the team had rooted it, and yeah, that went well. We got a Pwnie for the second time at Black Hat on Tuesday this week, which we're really happy about.

Anyway, let's move on to it. We're going to look at a Russian alarm vendor called Pandora. Anyone heard of Pandora? One or two of you. Okay, they're big. They've got two million customers with these devices installed, and they advertise themselves as unhackable. We started looking at it, looked at all the words they were marketing, and I don't know about you, but that means nothing to me. It's a waste of time. We looked at the mobile app. It looks very much like the classic mobile app you get with a smart vehicle: you had a telematics interface. You could identify the vehicle. You could find it in real time. You could check that your vehicle was locked. You could pop the trunk, stuff like that. You could also start and stop the vehicle. I'm getting interested in this, right?
The problem is, if you have a keyless entry vehicle, some of them are becoming hard to insure now. So manufacturers, sorry, insurers are insisting on aftermarket alarms. We started looking at them, and I'd like to introduce a colleague of mine who's sat over there, Vangelis, a very clever guy. He doesn't always dress like that. We were doing some TV work for the BBC, and they said, can he put on a black hoodie and some dark glasses? So he doesn't always come out like that.

Within moments, he'd found vulnerabilities in the mobile app API. He found an insecure direct object reference. Remember those vulnerabilities that we knew about 10, 15 years ago that keep popping up again? He found a vulnerability in a JSON parameter, the one that allowed you to reset the email address when you've forgotten your password. So we could change the email address without authorization, trigger a password reset, receive the password reset, and take over the mobile app account. So we're now in quite a good place. We've now got all of the functionality of the alarm, which is nuts. You could just trigger it. They didn't authorize it correctly.

Now, we thought it'd be really interesting to see what else we could do. So we spent a lot of money on car alarms, and I had a very difficult conversation with a colleague of mine who owns a Range Rover and said, what we want to do is fit an alarm to your car that makes it easier to steal. Is that okay? Okay, that's fine. So we did that. That's his Range Rover. The API is screwed. You can enumerate the vehicle type through here. So if you want to steal all the Range Rovers, the Lamborghinis, the Ferraris, you can just go and find them all. You can geolocate them in real time. So that's his car parked at our office. Got the map. So we know what the vehicle is we want to steal. And then you can unlock it. You can also track the driver in real time wherever they are. So you can see if you've been speeding.
I think that's quite creepy, right? You can also do some other stuff. You can also stop it. You can stop the engine of the vehicle by enabling the immobilizer remotely. Now it won't cut the engine out immediately, but as soon as you come to a stop, if you turn the engine off, you're out. If you've got stop-start, you pull up to the lights, and you aren't going anywhere again. And this actually happened. My colleague forgot to de-immobilize Mark's Range Rover one morning, and he woke up at 5.30am to go to the airport to get his mother-in-law. His car wasn't going anywhere. Oops. That got fixed.

So just to recap: it affected two million vehicles. You can geolocate any vehicle in real time. You can select the brands you want to go for, and you can unlock it to order as well as immobilize it.

We then started looking at the manual and found something really freaky. Bottom right there, in the installer's guide, is a microphone. We're thinking, okay, this is kind of interesting. Why is there a microphone? Turns out it's for the European eCall directive. So if you have a high-G impact, it can automatically dial the emergency services. What we found is you could remotely turn the microphone on in the vehicle through one of the insecure direct object references in the API. So you could listen to two million people's cars. I don't know about you, but I say stuff in my car that I don't want anybody else to hear. But hey, this is fine. We can just listen to you.

Next one. Anyone here heard of Viper? Big brand. Right. Guess what? IDOR! We found a vulnerability in the API for Viper as well. It was very similar. We could change the user password directly. We could then hijack the account. So we're thinking, right, it's time to do responsible disclosure, isn't it? We've got three million vulnerable vehicles right now. And we thought that Viper, being a U.S. operation, really cool, would actually get there first.
Pandora, a Russian operation, we thought would be difficult to work with. Viper, responsible disclosure: nearly a train wreck, but not quite. They didn't reply to any of our emails, but we found a VP of connected stuff on LinkedIn. I dropped him an intro line and he accepted straight away. Instantly we had a communication interface, and they got it fixed in three days, which I thought was quite impressive, actually. I wish all vulnerability disclosure was like that. Pandora, I thought, were going to be a train wreck. We got no response to any of our disclosure attempts. I phoned up the UK agent and they didn't return my call, but I did get a call back at the weekend. And to be honest, the guy was a bit pissy with me. So I thought we were about to see a real train wreck of disclosure again. But he phoned me back the next morning and said, yeah, we fixed it. Oh, wow. And they're all cool. And he said, hey, we'd really like to thank you for all the work you've done. We'd like to offer you a free alarm. It's okay. Don't worry. You can keep your alarm. That's fine.

So let's move on to some new research. Who's had a LoJack? Okay. I didn't realize it's actually an Urban Dictionary term as well. Being LoJacked is also a term used for being fitted with a criminal ankle bracelet. I can tell you a story about the security of those as well, but we won't go there because I might get in trouble with the cops. Right. In the UK and Europe, LoJack is a different brand name. It's the same operation, but it's called Tracker. So I'm going to use the words LoJack and Tracker interchangeably. So bear with me if I get one wrong. The idea is, if your vehicle is stolen, you get an alert, you tell the contact center, they set up a report with the cops, the cops have radio equipment, and they will go and find your vehicle. And they get 90% of their stolen vehicles back again. That's great for the insurer.
Although if I have my car stolen and someone's driven it hard, I don't know if I want it back or not. Thank you. But anyway, it reduces your insurance premium, certainly in Europe. They'll give you a discount if you have a Tracker or LoJack fitted because the losses to the insurer are fewer. The way it works is that in a web app and mobile app, you set up a geofence. If the GPS on the vehicle, a little module that you fit (I've got one out there), senses it's gone outside the geofence, it alerts. You get an alert on your mobile app, you get an alert from the contact center, you get an automated call. And if you don't reply that it's fine and it's not been stolen, they'll inform the cops. But that's great because you get your car back. Guess what? We'll come to this.

In the UK, we have a body called Thatcham Research, who are owned by a consortium of insurers, and they carry out some really good work. They do crash testing. They certify vehicles for being safe and secure. And they have saved lives, undoubtedly. Really good operation. They also look at the physical security of vehicles. So how easy is it to pick the lock? How easy is it to steal the vehicle? More recently, they started getting into key relay evaluations. And in the last few months, they started doing vehicle cyber security evaluations. That includes certifying and accrediting vehicle tracking devices like LoJack and Tracker. They accredit them. They accredit them so the insurance industry can go, yeah, that's great. So we have a keyless entry problem. It's okay. The vehicle's still got a tracker fitted. We still get the car back. We're in a good place, right? They've also recently started doing vehicle security ratings in general. And so I'm sure many auto OEMs would be very upset to receive a rating of poor security, although I'm sure Audi are pretty happy. Actually, I just ordered an Audi e-tron by complete coincidence. I really want to have a look at that.
So they're staking the reputations of many of our auto manufacturers on their security ratings. So you'd really want to know that their rating process, their accreditation process, was really robust, right? You'd expect that if they're going to say a vehicle is not secure, that it has poor security, that it's a really good accreditation process, right? One that you can stand by and defend.

So let's look at the accreditation process for the immobilizer. It's an S5 accredited tracker. So LoJack and Tracker is S5 accredited. In some cases, it's actually mandatory. Your insurer will not insure some vehicles unless you have a tracking device fitted. Why did I do this? Fundamentally, so I could steal a friend of mine's car. We'll come back to him in a bit. There are currently seven tracking devices in the UK accredited by Thatcham. So we spent a load of cash and had them fitted to a bunch of our vehicles. We've gone for three because I think they're quite representative. Tracker/LoJack, by far the best known brand. TrackStar, which is approved by several OEMs for fitting to their vehicles. So they're dealer fits: you pay the dealer, they fit it. And also another one called SmartTrack, which is not dealer fit. But we looked at the API and code and thought, it looks a bit screwy. We need to have a bit of a play with this one.

So, TL;DR summary: we could defeat the theft alerts, so we could make the stolen car appear like it wasn't stolen. We could remotely immobilize thousands and thousands of vehicles without authorization or authentication. And our conclusion was that the accreditation process that we're having carried out on our vehicles and on our aftermarket products is not fit for purpose.

Let's look at the detail. Let's start with a big brand. So how does it work? You have a mobile app. You have a web app. You have a geofence you set. So that's a geofence set around the vehicle at our office.
The geofence is busted. You get a text or a call. In that case, it wasn't stolen. So we said, yes, all fine. No further action. We're good. Guess what? Found an insecure direct object reference. You could change that forgotten-password email address just like you could with Viper. We looked into it, trying to work out why they had the same problem. Turns out it's the same firm, the same backend telematics operation: a business called CalAmp, who provided the telematics platform to Viper, had exactly the same telematics platform for their own LoJack service. We reported the vulnerability in Viper. They unintentionally fixed the vulnerability in LoJack back in February. So they fixed the vulnerability they didn't know about by accident. That was kind of cool. But the EU infrastructure is on a separate environment, and so that didn't get fixed, which is why the vulnerabilities for Tracker are still across Europe. So we found exactly the same bug. Could take control of the account. Except there were more. We found another one. You could delete the theft alerts. So your thief comes along, got a little bit of savvy. Before they steal the car, they delete the theft alert. So your car, hey, it's just fine, right? And we could also directly and indirectly delete the geofences around the vehicle. So if you wanted to go and steal your high-end vehicle, you go and compromise the mobile app API, you find the car in real time, you then delete the geofence, go and steal the vehicle, and off you go. Happy, eh? Great. You can just delete it.

Let's look at TrackStar. That's one of the next biggest brands, approved by several OEMs for fitting. And actually, they just had one IDOR. Well, we should have none, but they just had one. And that's actually fitted to my car. That's my vehicle sat at my house. And yeah, you could compromise the accounts with one IDOR, take it over, delete the geofences, off you go. Great. Fantastic.

Let's look at SmartTrack, because this is the fun one. So, more IDORs.
You could take control of the account in pretty much the same way as you could with the others. That's one of our vehicles at our office there. But then we discovered you didn't actually need the insecure direct object references. We found a backup site that was published to the internet and realized that it wasn't interpreting SQL requests correctly. They were going back completely unsanitized to the back-end database. Now, we didn't do this, but apostrophe OR 1=1, we're pretty confident that would have worked. Oh, it's like 2003 all over again. Surely we'd forgotten about this. No, we didn't exploit it.

As a result of that, we didn't even need the IDOR. They weren't actually correctly authorizing requests from the contact center to immobilize the vehicles. So when you report a theft, it's not you that's supposed to immobilize the vehicle or report it to the cops. It's supposed to be the contact center. And somehow, for some reason, they've made the API request, sorry, the request from the contact center to report it stolen, world readable, which was a really weird thing to do. They didn't check authorization correctly. So you could now instantly immobilize every single one of their vehicles.

We had a bit of fun. So this is my colleague, Phil, who I don't think's here. We fitted the SmartTrack to his vehicle. He went on holiday, but I went around to his house because he was going to a wedding and we had one hour to complete this piece of research to prove whether it works or not. And what we showed: in less than a second, though his engine's going, he switches it off, he switches it back on again, and his car's now immobilized. It took less than a second to immobilize potentially 25,000 vehicles. I loved his hamming up there. That was great. That's crazy. Poor Phil. We got it going again, and everything was fine.

I want to tell the story of disclosure next, because I think it's okay to have vulnerabilities. That's fine.
I think the bit that sets one firm apart from another is how you handle a disclosure. Do you embrace it, respond, take action? Or do you threaten the researcher with legal action? Cease and desist? Yeah, it's a badge of honor, right? So we thought people would respond. TrackStar were actually really good. They didn't reply to any of our emails. In the end, after trying their call center and failing to get through, I tweeted them publicly. And yeah, we'll talk about that in a minute. But when they made contact with us, they fixed that API in 30 minutes. And I think that was phenomenal. That was really, really impressive, right? LoJack and Tracker, I thought, given that we'd disclosed stuff to CalAmp before, we'd have a really seamless, straight, get-it-fixed-straight-away process. And they didn't, actually. It took a bit of time. And I finally managed to get hold of the UK office. And whilst they were a bit slow to get it fixed, they actually fixed it two days ago. So that's cool. Once we got through to the right person, they took action fast. SmartTrack were interesting, actually. Customer services took my email and said that they'd passed it on to the right team, and they'd make contact with me if they were interested. Okay, that's fine. So I tweeted them publicly on social media as well. And actually, in fairness, they fixed all the SQL injection and all the IDORs across an entire application in 48 hours. So actually, I thought they did quite a good job, really. I think TrackStar best, LoJack second, SmartTrack third, but they recovered it well.

But this is what I find really frustrating: why do I have to tweet someone publicly to ask where I bring a vulnerability to? It shouldn't have to result in this, because the problem is, I don't know about you, but when I tweet something like this, people start paying attention. A lot of infosec and cyber journalists follow me, and it goes big, and I don't want that to happen.
I just want them to talk to me so I can tell them about the vulnerability. And the same with SmartTrack. I took it to them. Why did it have to happen like that? Why couldn't it just be a straightforward, quick engagement? Here's the vulnerability, get it fixed. Thanks, guys. Here's a little credit for it. Cool. Yeah, wouldn't that be great?

However, that's not my story. Those are vulnerabilities. The problem I have, the thing that really, really bothers me, is Thatcham. The guys who are putting the badge of approval on these products so that we as consumers buy them confidently, thinking they improve the security of our car. Now, I went to Thatcham and I got hold of their press office and said, guys, we found some vulnerabilities in products that you've accredited. Tell me about your accreditation process. I want to understand it because I want to make sure I'm being fair with you. And they said, fundamentally, they check that it works. So we're buying a product with a stamp of approval on it that fundamentally works. They also said they checked that physically it was secure. It had to resist an attack for up to two minutes: a physical attack going for the wiring. I don't think that's good enough. I really don't. I then started digging deeper and I found their detail. And this I found really shocking: they used to take six to eight weeks to accredit these devices, which suggests to me they were doing more, right? But they cut their cost and they cut their certification process down to as little as one week. And I think that's unacceptable. I really do. Remember, this is an operation that's assessing the security of our vehicles. They've moved into assessing the cyber security of our vehicles as well. This really worries me. Who do we put faith in if the organizations we rely on to give us confidence aren't fit for purpose? That bothers me intensely.

So that's kind of the end of my talk. There are some more things we're working on right now.
We're also looking at the integration of the alarms and immobilizers directly onto the CAN bus. In order to immobilize that vehicle, it has CAN wiring. In order to speed up the installation process for that alarm, it has CAN wiring so it can detect the CAN type it's working with and customize itself so it can get the right messages. Some of those vulnerabilities that I've shown you, we believe there's exploitation directly onto the CAN bus via the vulnerable APIs. And that bit is quite scary. So I think what we concluded from this talk was that we found a whole new way of injecting CAN data remotely over the public internet. So that's us. There's a whole load of research on there. It tells you all about what we do. A lot of other car security testing and advice, but with a complete write-up of everything I've shown you here. Thanks very much.
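Editor's note: the two authorization failures the talk keeps returning to (an insecure direct object reference on the "change my password-reset email" endpoint that lets an attacker move a victim's reset address to their own mailbox, and an immobilize request that never checks that the caller is the contact centre) are modelled below as an added example. This is illustrative code written for this page, not the speaker's tooling nor any vendor's API; the account data, endpoint shapes, field names and vehicle IDs are all constructed assumptions. It shows the vulnerable handler beside a hardened one and walks the account-takeover chain against both.

```python
"""Model of two aftermarket-telematics API authorization bugs (constructed example).

1. IDOR: the reset-email endpoint picks the account to edit from a JSON field
   the caller controls instead of from the authenticated session.
2. Missing role check: the immobilize endpoint accepts any caller, not just the
   contact centre.
All accounts, emails and vehicle IDs here are made up for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    email: str
    role: str = "customer"          # assumed roles: "customer" or "contact_centre"


@dataclass
class State:
    accounts: dict
    outbox: list = field(default_factory=list)     # (recipient, reset_token)
    immobilized: set = field(default_factory=set)  # vehicle IDs


class Forbidden(Exception):
    pass


def fresh_state() -> State:
    # Constructed sample tenants; none of these are real accounts.
    return State(accounts={
        1: Account(1, "victim@example.net"),
        2: Account(2, "attacker@example.org"),
        3: Account(3, "ops@contact-centre.example", role="contact_centre"),
    })


def request_password_reset(state: State, user_id: int) -> str:
    """Mail a reset token to whatever address is currently on file for user_id."""
    token = secrets.token_hex(8)
    state.outbox.append((state.accounts[user_id].email, token))
    return token


# ---- vulnerable handlers: the shape of the bugs described in the talk ----

def vuln_change_reset_email(state: State, session_user, body: dict) -> str:
    # IDOR: the target account comes from body["user_id"], which the caller chooses.
    target = state.accounts[body["user_id"]]
    target.email = body["email"]
    return "ok"


def vuln_immobilize(state: State, session_user, body: dict) -> str:
    # No authorization at all: the session is never consulted.
    state.immobilized.add(body["vehicle_id"])
    return "immobilized"


# ---- hardened handlers ----

def safe_change_reset_email(state: State, session_user, body: dict) -> str:
    if session_user is None:
        raise Forbidden("login required")
    # Identity comes from the session; a foreign user_id in the body is rejected.
    if body.get("user_id", session_user) != session_user:
        raise Forbidden("cannot edit another account")
    state.accounts[session_user].email = body["email"]
    return "ok"


def safe_immobilize(state: State, session_user, body: dict) -> str:
    caller = state.accounts.get(session_user)
    if caller is None or caller.role != "contact_centre":
        raise Forbidden("immobilize is reserved for the contact centre")
    state.immobilized.add(body["vehicle_id"])
    return "immobilized"


# ---- attacker walk-throughs ----

def account_takeover(change_email) -> bool:
    """Attacker (user 2) points user 1's reset address at their own mailbox, then
    triggers a reset. True if user 1's token lands in the attacker's inbox."""
    state = fresh_state()
    attacker, victim = 2, 1
    try:
        change_email(state, attacker,
                     {"user_id": victim, "email": state.accounts[attacker].email})
    except Forbidden:
        return False
    token = request_password_reset(state, victim)
    return (state.accounts[attacker].email, token) in state.outbox


def anonymous_immobilize(immobilize) -> bool:
    """An unauthenticated caller posts an immobilize request for vehicle 101."""
    state = fresh_state()
    try:
        immobilize(state, None, {"vehicle_id": 101})
    except Forbidden:
        return False
    return 101 in state.immobilized


if __name__ == "__main__":
    print("takeover via vulnerable endpoint:", account_takeover(vuln_change_reset_email))
    print("takeover via hardened endpoint:  ", account_takeover(safe_change_reset_email))
    print("anonymous immobilize, vulnerable:", anonymous_immobilize(vuln_immobilize))
    print("anonymous immobilize, hardened:  ", anonymous_immobilize(safe_immobilize))
```

The fix in both hardened handlers is the same principle: the object a request may act on, and the privilege it needs, are derived from the server-side session, never from a client-supplied identifier. A real deployment would additionally confirm a reset-address change at the old address and require re-authentication, which is omitted here.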