Hello, hello everybody. Hello, hello. There are a lot of people from Latin America, so... we're speaking Spanish. My name is Claudio Caracciolo and I'm from Argentina. With me is Sheila Berta, also from Argentina. We both work at Telefónica, in a unit called ElevenPaths; it's a unit of Telefónica. This is our first talk in English, so be patient with us. Or drink something, I don't know, it's the same for me. This talk is about The Bicho. The Bicho is a hardware backdoor, and we also built software to make the backdoor's functionality better. So to start talking about this, we have to talk about why, why we are working on a backdoor for the CAN bus. And the real question is: why not? We can backdoor our computer, we can modify our computer, our server, our phones, so why can't we do the same with our car? And we are just curious people, like you, like all of you. So the real reason is: because we can. This is the project.

The first thing we need to talk to you about is safety, because car hacking is not the same as computer hacking; it's dangerous. You can modify something in a message that activates the brake or the gas pedal, or some function in the engine, and you can break something, or you could injure someone. So you have to be careful. Thank you. Thanks to all the Spaniards. You have to be careful with this, because it doesn't matter how well trained you are, accidents happen, as you can see in this sample, for example. OK. He is worried about safety.

OK, when we talk about car hacking, most of you think about the connected car, the modern cars, because of the modern cars you can find in our country. OK, it's not working. You have a lot of connectivity. For example, you have the TPMS. That's true, that's true. It's my car. In the connected car you have GPS, you have Bluetooth, you have Wi-Fi, you have the TPMS module for tyre pressure. You have SIM cards to control your car.
You have a lot of interfaces to do something with the car. Even USB or some storage, like an SD card. So you have a lot of things to use, or to play with. But what about the CAN bus, the network, the real network of your car? We want to work with this type of network because in our country it's not so common to find this type of car. OK, this type of car, with all these things. It's not so common. So we want to play with this and find a way to access the network of the car and control it remotely. That's the project we worked on.

For most of you, maybe the CAN bus is not so familiar, so we need to do a quick review of how the CAN bus works. This talk is not about how the CAN bus works, so it's just a quick review. The CAN bus, the Controller Area Network, is an old standard, an old standard. It's an old standard, from about 15 years ago. At that moment security wasn't an issue. So the CAN bus was designed to work in an environment with a lot of noise, and "a lot of noise" is the right phrase, because you have an engine, so you have a lot of noise on the interface itself. So the CAN bus was designed to be fast, to be efficient, but not secure. At that moment, networks with CAN were not only for cars; you can find networks with the CAN protocol in industrial environments, like the people before us talked about. But when we talk about the CAN bus for a car, we have to talk about a standard from 1996 that introduced this connector in our cars: the OBD-II port. It's not very clear, but it's a connector. You can find this connector in your car, in the cabin of your car, and it's used for diagnostics. In this standard, which was introduced on that date, you have a lot of pins, and the manufacturer of your car can decide what they are going to be used for. There are some specific pins, like signal ground or CAN high and CAN low, that are standard, but you have a lot of pins that may or may not be used; that's decided by the manufacturer.
OK, this is the CAN bus part, and it's hard, but it's necessary to understand it. I hope I get through it. OK, when we talk about the CAN bus we have to talk about nodes. That's because the CAN bus is based on a bus topology; each node can be a sensor or an ECU, and the information transmitted on the bus can be used by several nodes at the same time. The CAN bus was developed for use in an automotive environment where there is a lot of noise, and it uses a system that is differential signaling, which gives immunity against interference. In this system the transmitter sends the signal in duplicate, one with a positive value and the other with a negative value, which are CAN high and CAN low. If the receiver gets two signals that are not complementary, the signal is discarded, assuming there is noise on the bus. Next, the CAN protocol has something known as bit dominance, where we have a dominant state, which is 0, and a recessive state, which is 1, in the frame format. On this slide we can see a CAN frame; the green part is the field that contains the frame ID, and the important thing here is that IDs with lower values will have higher priority on the bus, so the frames with lower IDs have higher priority on the bus. Then we have the yellow field and the data in green, which can contain a maximum of 8 bytes, and as we see, there is no source or destination address, nor source or destination ports, like in protocols we know such as TCP/IP, so each node has to check its arbitration filters to know whether it should take the data from the frame. I think my English is not good enough to explain it clearly, so you can go to Wikipedia too. OK, this is what a CAN frame looks like. We have to know that a CAN frame doesn't indicate what kind of information it carries.

For example, a CAN frame that carries RPM information doesn't indicate that it carries RPM. So to find out what type of information each frame carries, we have to do a reverse engineering process. That's why there are many different tools. This is an oscilloscope, and it's the lowest-level tool we can find to analyze the CAN bus. You don't use it. In our case we have a CAN bus demodulation to see the representation of the signal. But it's too fast to see. It's not possible. On the other hand, we have higher-level tools to see CAN frames and analyze them easily. But it's too hard. We have an example here. We're doing it in a VW Fox. We just turn on the lights, and this is what's happening in the sniffer. So if you look at this again, here you can see that the only action is turning on the lights. Putting the lights on. But there are a lot of frames of data traveling on the CAN bus. That's why it's very difficult to do this: in your house, when you turn on the light, it's just one command. You turn it on and the light is on. That's all. But in the car, when you activate the lights, the module for the lights is sending a lot of frames all the time, every second, with the message "lights on", not just once. So when you activate this one you would expect to see a line with one change, but that's not the case, because when you turn on the lights in your car you have that message constantly, but you also have other messages. Why? Because when you turn on the lights in your car, not only the lights come on; you have the activation of the instrument panel, where you have the icon for the lights, and you have other lights in your panel that come on, and maybe other functions, depending on the car.
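To make that reverse-engineering step concrete, here is an added example, not code from the talk or from the Bicho project, that performs the "lights off" versus "lights on" comparison the speakers describe: it parses two captures in candump log format, reports which IDs change payload (or appear only during the action), marks IDs that were already changing at rest as unreliable, and orders the candidates by ID, i.e. by arbitration priority. The two captures, the IDs and the payloads are constructed for illustration and are not real vehicle traffic.

```python
# Added example: differential analysis of two CAN captures to find which
# frame (ID + payload) changes with a driver action such as turning on the
# lights. The captures below are constructed; the IDs and payloads are invented.
import re
from collections import defaultdict
from statistics import median

# candump -l log line: (timestamp) interface ID#DATA, ID as 3 or 8 hex digits
CANDUMP_RE = re.compile(
    r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)$"
)

def parse_candump(lines):
    """Return a list of (timestamp_s, can_id, data_bytes); reject malformed lines."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = CANDUMP_RE.match(line)
        if not m:
            raise ValueError(f"not a candump log line: {line!r}")
        ts, _iface, can_id, data = m.groups()
        if len(data) % 2 or len(data) > 16:  # classic CAN carries at most 8 data bytes
            raise ValueError(f"bad data length in {line!r}")
        frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return frames

def payloads_by_id(frames):
    """Map each CAN ID to the set of distinct payloads seen for it."""
    seen = defaultdict(set)
    for _ts, can_id, data in frames:
        seen[can_id].add(data)
    return seen

def period_ms(frames, can_id):
    """Median inter-arrival time of one ID in milliseconds (None if seen < 2 times)."""
    stamps = [ts for ts, cid, _ in frames if cid == can_id]
    if len(stamps) < 2:
        return None
    return round(median((b - a) * 1000 for a, b in zip(stamps, stamps[1:])), 1)

def find_candidates(baseline, active):
    """Compare a capture taken at rest with one taken during the action.

    Returns (can_id, verdict, payloads) tuples sorted by ID, which is also
    the arbitration order: a lower ID wins arbitration on the bus.
    """
    base, act = payloads_by_id(baseline), payloads_by_id(active)
    out = []
    for can_id, payloads in act.items():
        if can_id not in base:
            out.append((can_id, "only when active", payloads))
        elif len(base[can_id]) > 1:
            # Already changing at rest (engine data etc.): not a clean on/off signal.
            out.append((can_id, "varies at rest", payloads))
        elif payloads - base[can_id]:
            out.append((can_id, "payload changed", payloads - base[can_id]))
    return sorted(out, key=lambda c: c[0])

def changed_bytes(before, after):
    """Indexes of the data bytes that differ between two payloads of one ID."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

# Constructed captures: 0x0A0 is a constantly changing engine-type frame,
# 0x2C0 the light module, 0x3D4 the instrument cluster, 0x5E0 appears only
# while the lights are on.
BASELINE_LOG = """
(1500000000.000000) can0 0A0#1A2B
(1500000000.010000) can0 2C0#00
(1500000000.020000) can0 3D4#0000
(1500000000.050000) can0 0A0#1A3C
(1500000000.110000) can0 2C0#00
(1500000000.120000) can0 3D4#0000
(1500000000.210000) can0 2C0#00
"""
LIGHTS_ON_LOG = """
(1500000010.000000) can0 0A0#1A4D
(1500000010.010000) can0 2C0#01
(1500000010.020000) can0 3D4#0400
(1500000010.030000) can0 5E0#01
(1500000010.050000) can0 0A0#1A5E
(1500000010.110000) can0 2C0#01
(1500000010.120000) can0 3D4#0400
(1500000010.210000) can0 2C0#01
"""

if __name__ == "__main__":
    base = parse_candump(BASELINE_LOG.splitlines())
    act = parse_candump(LIGHTS_ON_LOG.splitlines())
    for can_id, verdict, payloads in find_candidates(base, act):
        print(f"ID 0x{can_id:03X}: {verdict:16} payloads={[p.hex() for p in payloads]} "
              f"period={period_ms(act, can_id)} ms")
```

The "varies at rest" verdict is the practical point: an ID whose payload moves on its own (engine speed, sensors) will always show up in a naive diff, so a single capture per state is not enough; the period column shows the other fact the talk relies on, that the light module repeats its state every 100 ms rather than sending it once.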
So in this car, which is an old car, and it's a mechanical action, we have a lot of messages, but think about what happens, for example, in a Honda Civic from this year. We have a video about what happens when you put the key in the ignition: it's the fucking Matrix. So the real question is this one: how can we find the CAN frame we want? It's a bit difficult. So, nowadays there are tools to analyze CAN. Last year, here in the Car Hacking Village or in the vendor area, we could find some of them: CANSPY, Carloop, the CAN analyzer from Microchip, or we can even use SocketCAN with open hardware tools as well, like the CANtact for Linux. In our case we began using the CAN analyzer from Microchip. Usually these tools allow us to inject CAN frames on the bus as well, but the frequency at which the tool makes the transmissions may not be fast enough for the CAN bus. Yeah, that's when this happens. As I've said, it's constantly reporting the state, so constantly reporting the state. So in this case the light module is saying that the lights are off while we are injecting, every 100 milliseconds, that the lights are on, and this is what produces the flicker effect. So you can see that we need more speed to inject that payload; with software it's not so easy, so we built our backdoor for the OBD-II port. That's why we started working on that project, and we presented it at Ekoparty last year. At that moment, for this project, a lot of people asked how it's possible for someone to put a hardware backdoor in your car without you noticing. The answer is easy: if, for example, you leave your car at a car wash, that's a good opportunity for someone to put something in your OBD-II port; or maybe at a valet parking, there are moments when you leave your car and someone can do that; or maybe if you give a ride to some spy; or maybe if you are married to Sheila's mom, there's a possibility. That's how we started working on that project. That was the first one.

Yeah, when we began, we started with a simple injector, and there's a PIC 18F2618 with a transceiver to convert the CAN high and CAN low signals, and the firmware, which we developed in assembly, can inject with great speed on the CAN bus, avoiding what we saw in the previous video. And afterwards came the malicious ideas, and we thought about how we could control this remotely, so we added a SIM800L to control the hardware backdoor through SMS commands. And that was the result, our first proof of concept, and it worked fine. After that we thought it would be nice to set up the CAN frames and the attack commands through PC software, avoiding hard-coding the CAN frames and the commands into the firmware. So we added a USB interface, and we had to develop new hardware, where there are two modes, a hack mode and a programming mode, and we can switch between the two modes via this switch: you have the programming mode and the hack mode. And this new hardware looks a bit nicer, and the components... yeah. And here we can see the comparison; as you can see, it's small hardware. So we had it at this moment. At this moment we thought it was a nice project to improve, because to configure this one you need to know assembler: you have to take out the microchip, program it, and put it back. So we started working on this new interface, this new design, and we wanted to create another piece of this project, which was software. So this is the real thing about the Car Backdoor Maker: for us, this is The Bicho, and this is the Car Backdoor Maker. Why? Because with this program you don't need to know anything about assembler, anything about programming; you just need the correct frame that you want to inject, and you put it right in the memory. So this is the other part of this project. When we started creating this, we worked on this setup, this basic setup, where you can see the ID, the identifier. I think Sheila told you, but when the ID is lower there is
higher priority, higher priority on the bus, because the lowest ID is the engine function. Yeah, this is the length of the frame, and these are the data, the 8 bytes. This is the first part, and we have the SMS control. So when we created this one, if you read a message from the CAN bus that turns on the lights, you can put that correct frame here, you can say that you will control it with SMS, and just press write, and that's all. But when we built this application we started thinking about other functions, and we started working on the advanced setup. The first thing is the possibility of entering your phone number, so if you put this in your car and you enter your phone number here, only you can control this feature, and nobody else can. The second thing is to run the payload automatically. How? For example, if you're driving your car and you pass through a specific location, with GPS I can tell the program, the Bicho, to start the payload automatically, controlling the fuel. And we did the same with a specific frame: so if you're driving your car and you, for example, turn on the lights, I can tell the Bicho that when you turn on the lights the car stops, the engine stops, or the brakes stop, if you want. We can see it here.

[In Spanish:] I'm suffering like a condemned man; it's been many years since I suffered this much. Not the talk, the car... I think that was me, but anyway. For example, this is the Bicho in program mode; with these switches it's in program mode, and we have a green light. But if I start the program... if I start the program and I press connect, the Bicho turns red, and it tells me that there's communication with the software. If I know the correct frame, I put it here, and the correct SMS I want to use to control it, four letters, I can use whatever four letters I want, for example, and here I can enter my phone number, and if I press write, that's all, the module is ready.
So I take the connector here, I put this in hack mode, and I connect it to the OBD-II port; that's all. Those are frames. Thanks. OK, but at this point we have another problem, because to do this we have to know the correct frame. I have to sniff my car all the time. And I have another problem: my car, for example, has a specific message for speed, and another car, for example, has another message, because it's not a standard message; every manufacturer has implemented its own messages, and even within the same manufacturer every model has different CAN frames. So the other thing is a database, a database to share information about the messages. If you have a message for your car, you can put the CAN frame in, and that's all, complete this information. If you don't find your car, you can add a new car; if you don't have the vendor, you can add a new vendor, and it's totally open and free for you. So at this moment we have hardware, we have software, and an open database, so you can have a lot of fun, and everything is free; that's the nice thing. You can see an example in this video: we send a message with the lights on, and now a message with the lights off. If you think that's all... is that all for now? This project isn't finished. So to finish, I want to mention some people who supported us: Nicoleno for our English, Eva and Chris for the website design, CAF for the code design, and Mondaland for the support with the database. That's all, and if you have questions, in Spanish...

Audience: I'm not familiar with cars. Is it easy to see if my car has been hacked, if the two parts are really exposed? Is it under the exterior, under the steering wheel, or in the glove box?

Speakers: It's in the cable. So the connector is the electrical one, in the cable, in the cable. Thanks.

Audience: How long did it take, how many months?

Speakers: Yes, 10 months. It's a game, it's not work. I think the whole project wasn't like that, but I think it's hard to find the correct frame. It's very complicated work. Yes, there's a lot of reverse engineering to find the correct frame you want, for the lights, for the engine or something like that. It's a problem. That's why we made the database open. Yes. It's for sharing.

Audience: Which cellular carriers does it work with? What about the phone number?

Speakers: No, you can use... it's not a problem. Is it GSM? GSM. The GSM module is for talking to the device, but the cellular carrier doesn't matter.

Audience: I ask because in the States they have GSM and CDMA.

Speakers: OK. No, it's GSM. Yes.
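The flicker the speakers describe earlier in the talk (the real light module reporting "off" on its usual period while an injector repeats "on" every 100 ms) is also the detection opportunity for a defender. As an added example, not code from the talk or from the Bicho project, the script below learns each ID's nominal period from a clean capture and flags IDs that are suddenly transmitted much faster than that, reporting the alternating payloads as evidence. The frames, the IDs and the 1.5x rate threshold are constructed assumptions for illustration, not figures from the talk.

```python
# Added example: detecting CAN frame injection from the rate contention the
# talk describes. When a legitimate module and an injector both transmit the
# same ID, the ID's observed rate jumps and its payload flips back and forth.
# The traffic below is constructed; IDs, periods and payloads are invented.
from collections import defaultdict
from statistics import median

def _per_id(frames):
    """Group (timestamp_s, can_id, data) frames by ID, keeping arrival order."""
    groups = defaultdict(list)
    for ts, can_id, data in sorted(frames, key=lambda f: f[0]):
        groups[can_id].append((ts, data))
    return groups

def learn_baseline(frames):
    """Nominal period (median inter-arrival time, ms) per ID from a clean capture."""
    nominal = {}
    for can_id, seq in _per_id(frames).items():
        if len(seq) >= 2:
            nominal[can_id] = median((b[0] - a[0]) * 1000 for a, b in zip(seq, seq[1:]))
    return nominal

def detect_injection(frames, nominal, rate_factor=1.5):
    """Flag IDs transmitted much faster than their learned period.

    rate_factor is an assumed threshold (not from the talk): an ID is flagged
    when its observed period is shorter than nominal / rate_factor. The number
    of payload flips and the set of competing payloads are reported as
    supporting evidence, because a state frame alternating between two values
    at twice its normal rate is exactly the flicker symptom.
    """
    findings = []
    for can_id, seq in _per_id(frames).items():
        if can_id not in nominal or len(seq) < 2:
            continue
        observed = median((b[0] - a[0]) * 1000 for a, b in zip(seq, seq[1:]))
        if observed < nominal[can_id] / rate_factor:
            flips = sum(1 for a, b in zip(seq, seq[1:]) if a[1] != b[1])
            findings.append({
                "id": can_id,
                "nominal_ms": round(nominal[can_id], 1),
                "observed_ms": round(observed, 1),
                "payload_flips": flips,
                "payloads": sorted({d.hex() for _, d in seq}),
            })
    return sorted(findings, key=lambda f: f["id"])

# Constructed traffic (IDs invented): 0x2C0 is the light module reporting
# "off" (0x00) every 100 ms; 0x0A0 is an engine frame whose payload changes
# legitimately every 50 ms. The injector repeats "on" (0x01) on 0x2C0 every
# 100 ms, offset 50 ms from the real module.
def clean_capture():
    light = [(t / 1000, 0x2C0, b"\x00") for t in range(0, 1000, 100)]
    engine = [(t / 1000, 0x0A0, bytes([t % 256])) for t in range(0, 1000, 50)]
    return light + engine

def attacked_capture():
    injected = [(t / 1000 + 0.05, 0x2C0, b"\x01") for t in range(0, 1000, 100)]
    return clean_capture() + injected

if __name__ == "__main__":
    nominal = learn_baseline(clean_capture())
    for f in detect_injection(attacked_capture(), nominal):
        print(f"ID 0x{f['id']:03X}: {f['nominal_ms']} ms -> {f['observed_ms']} ms, "
              f"{f['payload_flips']} payload flips, payloads {f['payloads']}")
```

The engine frame is the control case: its payload changes constantly, yet it is not flagged because its rate is unchanged, so a detector keyed on rate rather than on payload variation avoids that false positive. Note the limit of this check: a backdoor that injects faster than the real module, which is exactly what the speakers built the hardware for, still doubles the ID's rate and so remains visible here, but an attacker who can silence the legitimate module would not.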