My specialties are primarily SCADA systems, automotive systems, and medical device testing. Essentially, I really like embedded systems, anything that impacts modern life as we know it. A lot of times we work with wireless systems and airborne systems. Quick disclaimer: obviously, opinions are my own, not my employer's. I'm not picking on any particular vendors. Even though we try to remove logos, some things are just gonna be way too obvious about who things belong to. In some cases, I'd actually point out the vendor; they're the vendors who are doing things slightly better than others.

So, since we're talking about automotive forensics, this is where the story usually starts. Havoc, possibly some fatalities, perhaps a fire that won't extinguish for two or three days. You all see the headlines. There's often a crash and you see a sensationalized story in the newspaper about the particulars of the crash: how fast the vehicle may have been traveling, what the driver may or may not have been doing, what the driver may or may not have been using, such as a cell phone or a DVD player, at the time. And I'll point out that the article mentions a black box. I'm sure you've all heard the mention of a black box with airplane crashes. Your vehicle also has a black box. When investigators are working a crash or some kind of an incident, their primary source of data is the black box. Since the black box is actually regulated by Congress, there's a law about what the black box installed on the vehicle is supposed to contain and for how long.

Now, other common sources: many of our vehicles now have a GPS. If you have one of your luxury vehicles, you may have a LiDAR. You and your passenger will very likely have a phone, which will also be recording data and shoveling it back to Apple or Google, the Chinese government, or all three.
You're typically running a slew of apps, including Waze, Google again, Apple Play, a number of other applications which may be uploading in real time. You may be running an external GPS unit, such as one of those Garmin units, which constantly puts breadcrumbs along your route. Again, a reliable source of data, mostly. A quick mention on LiDAR: there's two types of LiDAR systems, one that performs real-time acquisition and another which simply tries to get a baseline and contains an internal database of supposedly all roads that you're supposed to be able to drive and then tries to do a quick pattern matching. Again, most modern phones, unless you have a flip phone, have a built-in GPS, have obviously a cellular connection, so they're doing GPS trilateration. In order to be E911 compliant, it's constantly trying to determine its position and point in time. And of course, it's using Wi-Fi technologies, such as Skyhook, again, to help narrow down its location, even if the Bluetooth and GPS are off or don't currently have a signal. External GPS units, even U.S. units, in addition to the GPS system, typically have GLONASS and Galileo. If you're in APAC, you may also be using BeiDou or IRNSS.

Typical GPS threats: again, we have jamming, spoofing, and detection. We have RF jamming, which is simply filling up the radio frequency, whether it's the L1, L2, or L3 band, or you can actually have more sophisticated protocol jamming, where you're actually trying to speak the GPS protocol, but broadcasting inaccurate data that may actually cause seg faults on some of the external units or cause them to lock up, as opposed to just not being able to receive a signal on the typical bands. You can have an active degradation attack, where the quality of the signal may drop from being able to position yourself within three meters or five meters to within several hundred meters. That would obviously complicate forensics or any kind of incident investigation.
One of the less common attacks is actually enhanced accuracy. It makes the victim think that they actually have a far better idea of where they are than they actually do. You can actually make somebody who has, for example, 500 meter accuracy think that they have one meter accuracy, which is fine granular, which is basically this amount of space right here, and may make them act rashly or drive faster, because they think they know exactly where they are or where they're headed. And of course, you have location spoofing, a much more sophisticated, more advanced timing attack. It requires more hardware, but it has been seen in the wild. Of course, you don't really even have to have a sophisticated attack, because people will follow their GPS anywhere. It's 2018, and this is a screenshot from an old story, but usually I can find five or six of these every single year, where the Garmin says turn left, this is a boat ramp, and people will drive right in.

GPS spoofing, as I mentioned, is a fairly sophisticated attack, requires a lot of resources, more commonly seen at the nation-state level, but we have seen it at the sophisticated criminal level. It has been more successfully used against ships. First of all, they're isolated there, they're in the middle of an ocean, there's no street signs, and there's no Wi-Fi or other assistive technology, and they tend to be a more attractive target. It's possible to obviously divert the ship into unsafe shipping channels, divert the ship towards an underwater obstruction, when the ship captain actually thinks that they're sailing through a clear channel. GPS jamming is dirt cheap, as little as $12 in some cases, from the dongles that we've seen, from the informal testing that we've done. Something like that can actually affect three to four cars around the vehicle that's actually using it. So these are sold to prevent employee tracking.
So if an employer issues you a vehicle, for example, and they want to know where you are, an employee who may want to fuck off during lunch will plug one of these in, and their employer is not going to be able to track them, except it will also affect the number of vehicles around them. And then we have some significantly more advanced packages. Something like that will impact several city blocks, quite a bit further. We have a thing in radio: height makes might. So for example, if you take this up on a helicopter with you or to the 52nd floor, you're going to have a much better footprint. Sadly, it's not a nation-state level attack; it's around $2,000, which again, for sophisticated attackers, is pocket change. There's very few solutions in the market for detecting GPS jamming, or especially GPS spoofing. We're not going to get too deep in this demo.

So before we move on further, a quick definition of what positioning is. It's not simply location; it's that you want to know your location at a given point in time. Simply saying you're home is not enough, we need to know that you're home between certain hours, and you want to know changing location over time. You want to know when you got to the location and when you left that location. Otherwise the location data is essentially worthless for investigation.

So the so-called vehicle black box, it's actually, well, it's usually not black. It's actually called an event data recorder. Congress has mandated that every vehicle produced since 2014 have one. It typically has a five to 20 second loop of data recorded, continuously written. And once the body impact sensor or one of the other crash detection or crash prevention systems detects an event, it's going to start saving the data. And if everything works correctly, it's going to prevent the EEPROM from being overwritten, which actually doesn't work too well. So there's 15 data points which have to be written by law. Most systems today use around 30 data points.
Some of the most common ones are obviously velocity, which is how we know the vehicle is doing 120 miles an hour. Throttle position: if you've seen some of the headlines about the gas pedal or the brake pedal being stuck, that's how you determine if the driver was lying or if the driver confused the gas and brake pedal, if they were going full throttle or actually trying to brake. Seat belt use, very useful in postmortem, if the driver didn't survive, or in litigation with the manufacturer. Steering: we can determine whether or not somebody is going to swerve towards the crowd or away from the crowd and if the vehicle skidded. And of course, airbag deployment. So as much as I hate to mention Tesla, actually Tesla gives us a really good data point: whether or not somebody's hands were on the wheel. Again, essential for investigation, because we want to know if the human was driving or if the driving assistant was driving. It's not an autopilot, it's a driving assistant. Eye focus: there is an internal camera which can actually determine if you're looking straight ahead or if you're looking down on your phone or messing around with the DVD player. And if the vehicle's equipped with LiDAR, it actually is able to save LiDAR data.

For some reason I can't get the slide to, oh okay, it is playing, cool. So this is actually what a crash looks like from the standpoint of a Tesla. This was a crash in a parking lot and this was actually the vehicle driver's fault. They confused the gas and the brake pedal and they hit the townhouse. So a pretty useful investigation combined with the other data.

For those of you that know a little about forensics: everything, even if there is no standard for how something should be done, you have to use scientific methodology, meaning the steps should be recorded, they should be repeatable. You need to be able to measure the error rates and prove what the error rates are.
And you need to try to align them with some sort of industry standard that already exists, whether in automotive investigation or in computer forensics. There's three main ways to interrogate the so-called black box or the event data recorder. One is roughly a $12,000 toolkit. One is directly over the OBD2 port, which is not supported by every manufacturer. Or the other way is to actually crack the device open and connect directly to the EEPROM. Tools, as I mentioned, are public, you can buy them. All you have to do is send a $12,000 check. They also take credit cards. They refused to send me a free sample. Many of you, well, not many. Some, especially US vehicles, do support communication over CAN bus. So if you actually know the commands, you can download data from the event data recorder over the OBD2. The communications are encrypted. Again, on certain forums you can get your hands on the keys, but it's a little bit problematic. The biggest issue with this method, of course, is that it induces data changes, meaning as you're reading the data, you're actually introducing error data. If the black box failed to record data from one of the sensors, which is very common, it's actually going to write error data. So the crash is a very violent event. Right now, when you're sitting down, you're exposed to one G of force. During an impact, your vehicle can experience as much as 26 Gs of force, meaning a lot of electronics, even hardened electronics, will fail. So it's not uncommon to not receive data from sensors for the last few seconds. Again, crashes aren't an instantaneous event. It's an elastic collision. It can actually last three to five seconds as all your crumple zones meet their final position. This third method is actually the preferred method if you don't have access to a $12,000 tool and you don't want to cause data spoliation. Looks a little overwhelming.
All you have to do is find your event data recorder, crack it open, find the EEPROM chip, connect the clips, connect the Bus Pirate, and start dumping data. And hopefully not fry anything in the meantime, and hopefully videotape everything or preserve data to essentially prove to a court, if it comes to that, what the data was at the time of collection. I actually have a device with me if you want to practice later in the Car Hacking Village. This is an event data recorder that was pulled from an American vehicle. Don't look at the label. This vehicle was involved in a crash, but the airbags did not deploy.

So some of the interesting things with this. Privacy concerns: many states do not have laws about how or when the data can be pulled from your event data recorder. Even though you own the vehicle, you essentially don't always have a say in whether or not the data can or should be pulled from your vehicle. You've seen the data pulled in divorce cases, which is absolutely idiotic because, as I mentioned, they can save up to 20 seconds. But some attorneys know that they record vehicle position and they get a court order to pull data from a car and it gets them absolutely nothing useful, but the judge grants them the warrant. This data is not remotely accessible. There should be a star next to that. Now, the one exception is Tesla. We know the data is stored remotely off-site. We've actually been able to prove that some Subaru Outbacks also store some data off-site. The luxury models that are fitted with a 4G modem will upload and sync data opportunistically. So 12 states do have court rulings about a search warrant being required for the vehicle. That means that 38 states currently do not. The data is considered the property of the vehicle owner. However, after a crash, if your vehicle is towed, you essentially lose control of the vehicle.
The tow truck driver can consent on your behalf, or the police investigator can go out to the garage where your vehicle is stored and start pulling off data, because there are no hard laws about that. So we mentioned... Sorry? Even in case a warrant is required, the police can still go and pull the data, and after the fact, too, they acted in good faith. So say you have a lawyer on standby that will go and issue an emergency injunction. You're SOL because the data's already been pulled off your vehicle and the judge will just rule the police acted in good faith. I mentioned civil lawsuits. You have the case of people being hurt in an accident and the dispute is over whether or not the accelerator was pressed down or whether or not the brake was deployed. And again, whether or not the person caused a crash by looking down at their phone or whether their automotive driving assistant's action caused a crash. Right now, there's several interesting cases in the courts, both in the United States and China, about liability in the case of the driving assistant being the primary cause of the crash.

As I mentioned, two primary methods of access. You have the diagnostic port, which for those of you that don't know is this OBD2 port that all of your vehicles have unless you have a vehicle from before 1992 to 1996, and you have the airbag module, also known as the body impact module. Sometimes they're combined together into one single unit. If they are combined together, it looks a little bit like that. Now, it's typically found under the driver's seat or in between the driver and passenger seat. It's bolted in pretty well because, again, you need to be able to feel the impact of the vehicle, feel acceleration, deceleration. It has a number of sensors on board and the encryption module, which is supposed to encrypt the communication between the CAN bus and the EEPROM chip, and a completely unprotected EEPROM chip with no tamper detection and no tamper protection.
So, direct access over OBD2 was pretty straightforward. Now we get to the part of don't try this at home. I'm supposed to tell you that there's a liability, because this module can trigger your airbag, and in a vehicle with multiple airbags that actually can kill you, because an airbag deployment does produce enough force to fracture your skull. It does have built-in protection, meaning if there's an electrostatic discharge, it's gonna err on the side of caution and fire the airbags. As I mentioned, the airbag module is often integrated with the black box. This particular one isn't, but this is actually more of an exception to the rule. The states that currently have regulations about who can have access to data and when. As I mentioned, the other 35 states are undetermined right now, because there's insufficient court rulings or no court rulings. No cases have come up to the federal level as of yet. We are monitoring the case in China. That's due in court, we believe, in October. So that's gonna be really interesting.

So some interesting takeaways. The EEPROM chip on board, once you crack the case open, as I mentioned, does not have tamper detection or tamper protection. The chip cannot know when it was last accessed, or if the data was written properly by the car sensors, or if I opened the module up prior and wrote error data to the chip just before the investigators got their hands on it. No tamper detection. For example, the black box in your vehicle could be modified. There's no way to externally determine it, because there's not even a very simple seal over it. As you can see, there's not even a gold foil seal over it. So I can literally just unplug this and plug this into somebody's vehicle. No protection at all on a board or chip level. There is one manufacturer that sells hardware locks that cover your OBD2 port, but it's a plastic part that covers up a plastic part. So it's essentially protected by goodwill.
Sorry, this is a very compressed version of a one-hour-long presentation that just kind of shrunk down to 25 minutes plus a fire alarm. But if anybody has any questions, you can take them now, or also you're welcome to play with this after the talk and try pulling data off of it. Any questions? Obviously available to answer questions over email or right outside this room. And I'm not going to hold up the next speaker. Oh yeah, go ahead.

Oh yeah, absolutely. So commercial vehicles such as 18-wheelers also have these sensors. The law covers not just personal vehicles, so trucks do have them as well. They actually typically have more loggers because there's a separate one for the cargo compartment and a separate one for the actual rig. Modern trucks also collect a lot more data. It'll be interesting to see what the Tesla truck is, but some of the... Ha ha ha. But a lot of truckers now use dash cams, which again would make great evidence. Truckers are very annoyed with cars cutting them off, because they're big and slow and they do really annoying things like follow the speed limit. But I have not had a chance to steal a black box from a truck, but my understanding is that they work exactly the same way, simply because of the regulations. Regulations didn't distinguish between buses, trucks, or passenger vehicles. The legislation only covers the United States, but because the U.S. is such a major consumer, the vehicles that are made to serve the U.S. market are also very similar vehicles to what's made for other countries. So the black box is still in there. We know that the vehicles that crash, for example, in Saudi Arabia have the same black boxes, because again, we see the same headlines with the same data being pulled up. And again, as I mentioned, there's integration for the airbag deployment.

Yes, good question. Yes, one of the screenshots I had, you can actually see a good-size capacitor on it. I can't find the screenshot in a hurry. So yes, there is a large capacitor.
From what we've seen, it'll give you about 12 seconds of data. The collision data that I've had access to had lasted for maybe five seconds, at least the important stuff. You're welcome. All right, thank you folks for coming. Thank you.
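The GPS threat taxonomy in the talk (RF jamming as loss of lock, active degradation as an accuracy collapse, spoofing as an implausible displacement) and the definition of positioning as location over time are concrete enough to turn into a checker. The following is an added example written for this write-up, not tooling from the talk or the speaker: it reads NMEA 0183 GGA sentences, the standard output of Garmin-class external GPS units, validates each sentence checksum, and flags the three indicator types while building a time-stamped track. The log lines are constructed, and the thresholds (HDOP at or above 5.0 counted as degraded, 70 m/s as the plausibility ceiling for a road vehicle) are assumptions, not values from the talk.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0

def nmea_checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every byte between '$' and '*'."""
    result = 0
    for ch in body:
        result ^= ord(ch)
    return result

def nmea_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body):02X}"  # body wrapped with '$' and hex trailer

def nmea_checksum_ok(sentence: str) -> bool:
    """False for line noise, truncation or a tampered sentence."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, trailer = sentence[1:].partition("*")
    try:
        return nmea_checksum(body) == int(trailer[:2], 16)
    except ValueError:
        return False

def dm_to_deg(value: str, hemisphere: str) -> float:
    """NMEA (d)ddmm.mmmm plus N/S/E/W -> signed decimal degrees."""
    dot = value.index(".")
    signed = float(value[: dot - 2]) + float(value[dot - 2 :]) / 60.0
    return -signed if hemisphere in ("S", "W") else signed

def utc_seconds(hhmmss: str) -> float:
    return int(hhmmss[:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])  # hhmmss.ss

@dataclass
class Fix:
    utc: str
    lat: Optional[float]
    lon: Optional[float]
    quality: int  # GGA field 6: 0 means no fix
    hdop: float   # horizontal dilution of precision, higher is worse

def parse_gga(sentence: str) -> Fix:
    f = sentence.split(",")  # 1 UTC, 2-3 lat and N/S, 4-5 lon and E/W, 6 quality, 8 HDOP
    quality, hdop = int(f[6] or 0), float(f[8] or 99.9)
    if quality == 0 or not f[2] or not f[4]:
        return Fix(f[1], None, None, 0, hdop)
    return Fix(f[1], dm_to_deg(f[2], f[3]), dm_to_deg(f[4], f[5]), quality, hdop)

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))

def analyse(log, max_speed_mps: float = 70.0, hdop_degraded: float = 5.0):
    """Return (findings, track). findings: (indicator, detail) in log order; track:
    (utc, lat, lon) per usable fix, i.e. location over time. Thresholds are assumptions."""
    findings, track, prev = [], [], None
    for raw in log:
        line = raw.strip()
        if not nmea_checksum_ok(line):
            findings.append(("bad_checksum", line))  # untrusted: do not parse
            continue
        if not line.startswith(("$GPGGA", "$GNGGA")):
            continue  # other sentence types are out of scope here
        fix = parse_gga(line)
        if fix.quality == 0:
            findings.append(("no_fix", fix.utc))  # loss of lock: jamming indicator
            continue
        if fix.hdop >= hdop_degraded:
            findings.append(("degraded", fix.utc))  # accuracy collapse: degradation indicator
        if prev is not None:
            dt = utc_seconds(fix.utc) - utc_seconds(prev.utc)
            if dt > 0 and haversine_m(prev.lat, prev.lon, fix.lat, fix.lon) / dt > max_speed_mps:
                findings.append(("jump", fix.utc))  # implausible displacement: spoofing indicator
        track.append((fix.utc, fix.lat, fix.lon))
        prev = fix
    return findings, track

def sample_log():
    """Constructed log, not a real capture: 20 m/s northbound at 1 Hz, an HDOP blow-up,
    a lost fix, recovery, a 1.8 km one-second jump, then a tampered sentence."""
    bodies = [
        "GPGGA,120000.00,4807.0380,N,01131.0000,E,1,08,0.9,545.4,M,46.9,M,,",
        "GPGGA,120001.00,4807.0488,N,01131.0000,E,1,08,0.9,545.4,M,46.9,M,,",
        "GPGGA,120002.00,4807.0596,N,01131.0000,E,1,04,6.5,545.4,M,46.9,M,,",
        "GPGGA,120003.00,,,,,0,00,99.9,,,,,,",
        "GPGGA,120004.00,4807.0812,N,01131.0000,E,1,08,1.0,545.4,M,46.9,M,,",
        "GPGGA,120005.00,4808.0812,N,01131.0000,E,1,08,1.0,545.4,M,46.9,M,,",
        "GPGGA,120006.00,4808.0920,N,01131.0000,E,1,08,1.0,545.4,M,46.9,M,,",
    ]
    sentences = [nmea_sentence(b) for b in bodies]
    sentences[-1] = sentences[-1].replace("4808.0920", "4809.0920")  # altered after checksumming
    return sentences

if __name__ == "__main__":
    print(*analyse(sample_log())[0], sep="\n")
```

Running it prints one finding per anomaly in log order: `degraded` at 120002, `no_fix` at 120003, `jump` at 120005 and `bad_checksum` for the altered sentence, while the track keeps the five usable fixes with their timestamps. These are indicators, not proof: a tunnel also produces `no_fix` and an urban canyon inflates HDOP, so the output is something an investigator correlates with the other sources the talk lists (event data recorder, phone, dash cam), not a verdict on its own.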