Okay guys, let's start, because there's a lot of information. So, okay, thank you so much for coming here. We're gonna be talking about Salinas RAT. Whoever is Mexican, they know what I'm talking about, the rat. You know, my friends, and the biggest one actually, but anyway, so this is Salinas RAT. It's an SMS-commanded RAT.

This is an effort done by three of us, not only me. It's very important to mention that Gerardo and the other guy, they were not able to come because of other projects, but it's an effort of three guys. So we're gonna be talking about the whole process that we took in order to infect an infotainment, the one that you guys have on the right side. That infotainment is up and running standalone. We're gonna give a demo at the end of how we can steal SMS messages in here, and I'm gonna give you a copy of one of the books that I wrote. So I'm gonna ask you guys one specific question in Spanish, so hopefully you can understand it. Now, just kidding.

Okay. So everything started with Carloop. Carloop is an OBD-II... the OBD-II port is connected into the automobile. You know, when you go to the service they plug in this guy there in order to get debugging information. So we started thinking, okay, let's plug this device into the car. It's pretty convenient. It has a microcontroller from Particle; basically you can code your stuff and push firmware updates through the cloud. And then this is an example of an implementation of SocketCAN so that you can basically monitor OBD-II information. So this is just a one-on-one example of, you know, just sniffing into the car.

We were playing with that one-on-one stuff, and then this is a quick video. So what we did here is we were just connecting this guy, sniffing the OBD-II port, I'm flashing the car. Okay, so this was just the one-on-one flashing thing, right? So we said, okay, if we can flash the car that easily, why don't we try to get into the car and see what else we can do?
Because it turns out that only the lights can be controlled through the OBD-II exposed to the car. We said, okay, let's go inside the car and see what it is, right? So then we started playing with this.

So I wanted to ask you guys, who of you pairs your phone with your car while you are driving? Can you raise your hand? Yeah, right. We all do that, right? That's the reason that we decided to target the driver in this talk. Because when you guys plug in, when your car is... it's pretty convenient, but at the same time, what if the car is infected with malware? And what if we can use your phone to talk to our RAT remotely, right? Or exfiltrate data. So that was the thing that we wanted to prove in this specific talk.

So why the driver? As you guys know, there has been a lot of effort on car hacking, really good research on breaking stuff: into the brakes, into the ECUs, those things, and controlling the steering wheel. That's great, but we wanted to focus on something different, especially, as I said, because it's very convenient to plug your phone into the car while you're driving. So that's why we decided that, based on many people plugging their phone into the car, if we can do something inside the car, that can be huge.

We can exfiltrate the data through SMS. That means that, as you know, when you're driving the car, those cars don't have an internet connection, so then how can you exfiltrate the data? Some people were trying to search for open networks while driving, but that's gonna take you probably three to five seconds to get the open network and then it's gone, right? So it's not stable.
So we said, if we connect through the phone, we can do back-and-forth information with the attackers through the driver's phone, and it's totally stable.

So different scenarios that we can come up with: espionage, you know, like you can monitor messages from a person, like a congressman, or your wife, you know, if you want to know if she's cheating on you. Rental: if you can imagine, we rent a car, we infect it, send it back to the dealer, to the rental office, then every time someone else drives that car you can be stealing information from that. And that's huge, because that's not targeting one person, it's targeting whoever is driving that car, right? Messing with the display, turning it off; we're gonna see that in the demo. So many scenarios that we can think about, obviously ransomware, like bricking the operating system. Denying calls: for example, if someone calls this guy while driving, we can deny calls, because we control it.

So the first thing we need to do is set up this guy, the one that you see right there on the right. We need to set it up, right? By the way, this whole thing: I drive that car. So I said I cannot test it in the car, so I need a test bench, right? So the first thing you need to do is find a test bench. eBay is a very good option for you guys. So, lucky me, I found that the specific infotainment that is on eBay is exactly the same one that I have, that I'm driving. This has the information on the side. These are the pigtails. Those are very important for you guys. So any time you want to buy something like that, make sure that you have the pigtails. If you don't have the pigtails, you don't have a way to connect it, because it's just manufacturer-based. So make sure to have that, and ask for that; otherwise don't buy it. And this is how it looks in the car, right?
This is the whole thing. So the first thing was to understand the internals. This guy runs Linux ARM: Freescale i.MX6, Linux ARM 32-bit kernel, memory, display, Bluetooth, JTAG, Renesas M16C, which is more into the CAN-related messages, and it has GPS of course, and the backup camera, and, very important guys, USB Ethernet. So the USB that we see in the car, that you think is just to plug in and charge your phone, or just to plug in for MP3 music, turns out to have Ethernet. That means you have an IP address and you can talk to the car.

Okay, so the next thing you need to do, guys, you need to find a wiring diagram. If you don't have the wiring diagram, you don't know how to connect the dots, and the wiring diagrams are only held by the manufacturer. So we were able to find this thing leaked on the internet, and that helped us to connect all the dots. So the whole thing here is the audio system. The audio system talks to the connectivity master unit. The connectivity master unit is all we need to connect this guy and boot up. We don't care about other components, just the components to boot up this guy, which is the radio, the Bluetooth, the SMS messages. So we connect this guy. This is how it looks in the back. It has specific CAN messages and accessory. The accessory, guys: I didn't even know what the accessory is. I don't know if you guys know what the accessory is. Ignition, part of it. Okay, so when you plug your key in the car, right, you do one switch that turns on, that releases the steering wheel; the second one releases the display, you know, with the lights. That's the accessory part. And then you turn on the car; that's the ignition starting. So for us, we don't have the car, right?
But we need to have that cable that mimics the accessory so that we can turn on the display. So that's the accessory part that we found out here. Okay, so we have everything up and running and then we have this guy ready.

Okay, so then we need to start trying to get access to this guy. There are many ways to do that. One was via serial access, that we found out later; I'm gonna explain to you how. And then the second one is, as I said, it has a USB which gives you an IP address. You can do brute forcing; the infotainment has really weak passwords and it's nothing difficult. But still, if you have serial access or a USB connection, that doesn't work, because you need to have something remote, right? I mean, you need to have a way that the driver gets infected, not that you go to the car, open the car and infect it. That doesn't work.

So then we found a vulnerability, guys, like one year ago, that works through the USB, and basically what it does is it exploits the auto-run. I'm gonna explain to you in a second, and we started testing that one. So see, this is how it works. When you plug the USB into the car, it goes and checks if it exists in a specific event.
So it calls what is called the main instance. The main instruction file is an .ini file. So it's gonna plug the USB, and if it finds the .ini file it's gonna check it, and inside the .ini file it's gonna check for an execute .ini file; inside that one it's gonna check, okay, do you have a data retrieval information command? If it has that, it's gonna call it, and basically, guys, this is just gonna receive whatever is in that command line, as you can see here at the bottom. Whatever you put in that command line, it's gonna take it and execute it. So simple, nothing advanced. It's gonna do a system() on whatever you pass, and then you can execute anything in the car, in the infotainment.

So this was the vulnerability that these guys found, and then we tested it and it turns out that it was working fine. We got access to the infotainment. So at this point, guys, we said, I mean, should we keep finding vulnerabilities to break into the car, or should we focus on what we can do once we are inside the car? Since it was too easy, as you can see, to break into the car, we decided, let's work on what we can do once we are inside the car.

Okay, so this is just a quick demo, guys, so that you can see how it works. Basically what you need to do is, as I said, we have the USB at the top. That USB is the one that you see in the car, right? So then you go with social engineering, you know, you go to the guy and say, here is free music or free porn or whatever, I don't know, but anyway, you convince this guy, right? Or you leave the USBs on the desk, wherever. This guy plugs the USB into the car, and then the auto-run that I just described is gonna start executing. It takes around 30 seconds to pop up, just because of this whole process of deciding what it's gonna do, and eventually what we are doing here is just popping up a screen, obviously to show that it is infected, but obviously in a real scenario you don't need to pop up anything.
Yes. It's in the machine, in the operating system. There is a library, a dynamic library, that triggers when you plug or unplug the USB and starts handling all the events from the USB. So the USB has a tiny file that this guy is gonna read, pretending to update something, but it's a bash script that we can control. Yeah.

So this is basically infecting this guy, right? So what is the motivation? At this point we said, should we move to attacking the car, the driver, or what should we do? Something very important that we realized, guys, is that this vulnerability was patched by the manufacturer, but this specific infotainment doesn't have that; it was vulnerable. But then when I went back and checked my car, it turns out that my car was also vulnerable, even though I have been driving that car for more than one year and a half. And my friend's was also vulnerable. So that makes me think about why it was not updated by the manufacturer. Keep in mind that this firmware is not like Windows updates; you cannot just get the update through the internet. You need to go to the manufacturer. They need to plug in an SD card and update your firmware.

But still, I don't know if you guys are familiar with what is called... warning calls? In the US, the warning call is when you get a letter that says, we found something in your car, come to the dealership and we are gonna fix it for you. Recalls, exactly, that's it, in the US. So for this specific thing I would have expected these guys to send some recall for this, right?
I never got that, and for sure I didn't get it, because I have the same car. So I was saying, how many cars, how many people know about this specific thing? But these guys just don't even care, even though they patched the firmware. So we said, let's do something inside the car that can help us push into fixing these things and treating them seriously. Okay, and this is an example of the safety recall notice that you might get at your house if your car has some problems.

And as I said, potential targets, you know, rental cars. If we can infect the car with malware, it's gonna be thousands or millions, because this firmware is probably on millions driving outside. I don't know if they are not updating. And when I went to the dealership, I told him, could you please upgrade my firmware, and the first answer was, "and what is firmware?" That was what the service guy told me. Then I talked to the manager. He said, if you want me to update your firmware, first of all you need to have a problem in your car. Something is wrong with your car; we cannot do anything if you don't have any problem. So I went to another dealership and I said, you know what, my car, the Bluetooth is not working. He said, why not? I said, I don't give a shit, man, it's not working, just update my firmware, man. And then finally... you know, you need to do a lot of stuff.

So back to the game, right? We were playing with these guys. So let's focus on infecting the car and seeing some consequences, so that we can prove that you need to take this seriously. So we were playing with the car and then we lost access to the infotainment, because we were playing with the services and then, unfortunately, we lost the Ethernet connection, we lost the Wi-Fi connection. So we found, in a specific block, that there was a UART, connectivity to this guy through two specific pins.
So then we tried to find those guys inside the infotainment, plug it in, and thanks to God and Josh Gomez, we got that back. So we were able to get access to the infotainment again. What we learned here, guys, is that when you're testing a device, make sure that you have a backdoor or some way to get in. Because it's not nice: you're trying your stuff, suddenly you get access, then you lose access, and you get screwed. So make sure you always have a way back into your device.

Okay, so the next thing is persistence. As you know, we want to make sure that this guy runs every time the infotainment boots. Pretty easy. There is an SMS service running and it has a specific XML file. We just add our RAT into the XML file. Pretty simple. Every time this guy runs, it's gonna run our RAT. Obviously it is read-only, but you can remount it as read-write. No issues, nothing that stops you. Pretty easy.

Okay, this is our lab setup. We are ready to go, ready to start playing with this guy. We have a Bus Pirate for the serial access. We have a BeagleBone where we compile our RAT.
For every change we do, instead of doing toolchain cross-compiling, we just use our BeagleBone, which turns out to be exactly the same Linux ARM version that the infotainment is running. So we compile our changes there. And the USB hub: since we were three guys, we plugged in this hub so that all of us have access, especially for remote debugging, which is very slow through Wi-Fi.

Okay, once we were inside, guys, we found this test application. This test application is basically a debugging application that the manufacturer left inside this guy. That helped us a lot, because it's full of symbols, and we only needed to reverse that guy to understand how to interact with multiple components. It's a test app client that talks to a test observer, which has XML commands, and then you can control the audio, you can control Bluetooth, you can control configuration of the car, Wi-Fi settings, and so on. So we were analyzing this guy and we found the prefix, which is AT+TMC. If you talk to these guys from the client with this prefix and put your own commands, you start interacting with the car. I mean, it's gonna save us so much time. And actually we use this for a specific reason: to reset the phone on the Bluetooth, as you're gonna see in the demo in a second. It was pretty convenient. So for example, you can see there, you have AT+TMC, and after that you have commands to execute: you can see the firmware version, you can see the VIN number, you can see the build date. And of course you can also control Bluetooth and those things that I'm gonna show you later. This was pretty good for us, very bad for them, for the guys that are leaving debugging tools in the infotainment.

Okay, next thing, guys. So when you're analyzing these kinds of things you need to debug it. You cannot just go.
I mean, maybe some ninjas here reverse it right away, but I'm not a ninja reverser. So just looking statically... I need to, you know, do debugging, so that I can see exactly: I send an SMS message, I put a breakpoint, I need to see how it's going on, and at every single step you need to have debugging. But this is a Linux ARM embedded infotainment; it's totally different than in Windows.

So the first thing that we got was the watchdog. The watchdog means that if you stop at a breakpoint, after three seconds it's gonna reboot the infotainment. So we needed to find a way to kill the watchdog. The second thing is that we were putting breakpoints in and it was not triggering at all. So we decided to look at it a little bit, and then we found that the service manager controls all the other processes, and as soon as... it will trigger the watchdog. But the funny thing is that we can kill that SMS service manager, no restriction at all, and there is no watcher. It's simple. The second way is via GPIO: we can put a flag there and the watchdog is gone. That's the second approach.

Now, talking about the GDB breakpoints. We found out that there is an instruction we didn't know about. It's called undefined instruction. The way it works, this is the trace code if you want to look at it. It's basically pretty simple. What you're gonna do is, at the instruction where you want to set your breakpoint, you just replace that with the undefined instruction, as you can see on the right side. Once you do that, it's gonna trigger a trap. That trap is gonna be caught by the application, but since we're debugging it, it's gonna stop on us. After that you just need to revert the bytes in memory and keep going debugging. It turns out that, for us at least, this was the way to start debugging services, because these are services. If you are familiar with Windows services debugging...
It's a pain; in Linux it's the same. It's not a standalone application. So this was the way for us to start debugging. So we are ready, and let's start looking into the main component.

The way this guy works: it has a JavaScript-based front end that runs with the Opera browser. It connects through WebSockets to what's called the multimedia unit interface (MMUI). That unit interface talks to all the components, through D-Bus: the phone, updates, backup, navigation, Bluetooth, everything. Then that guy connects to the service manager, which has all the components inside the car. This is like a whole world, you know: it has ignition, camera, it has video-related messaging, CAN, and so on. So that you guys have an idea, we focus on this part only, but it's huge. We just focus on the part of how we can control the messages coming in and going out of the infotainment, which is just the JavaScript side, the MMUI side and the MSG library, which controls this whole thing.

Okay, so let's focus on SMS messaging. Let's see how it works. When you receive a message on this guy... right now it's like one slide, but it took us probably three weeks to understand this whole thing. So you send a message, right, like I am sending a message to the guy that is driving that car. The guy driving that car receives the message, Bluetooth takes it, it calls a Bluetooth service handler that triggers, through D-Bus, and connects to the MSG, which is the Linux library that handles this specific communication.
It triggers the SMS notification callback. Then it stores that message into a SQLite table. Then from there it talks to the multimedia interface, which is going to talk through WebSocket to the GUI. Then the GUI is finally going to display it through a JavaScript event. So JavaScript and the MMUI are talking through WebSocket, as you can see here. They are just waiting for the information coming in and out, and once they receive it, they pop up a message on the screen. That's simple, but those are the main components that need to be understood if you want to control it.

Okay, then sending a message. If you want to send a message out from this guy to the world, like you are driving, you get a message, you can hit reply, send message, and this guy is going to send a message out. The way it works is that it's just the reverse order. It goes from JavaScript to the MMUI through WebSockets. This is like a portion of an example of the JavaScript, how it works. Basically you put the message that you want to send, it sets the state of the MMUI. It's like a state machine, so that it controls multiple events. You need to put it in a state, in this case to send an SMS message. You put an ID of the event, in this case SMS, and just trigger the event, and it's gonna connect to the msg component, which is the Linux library which calls the safe message. Keep in mind this one, safe message: it's the one that's gonna allow us to use D-Bus to talk to the Bluetooth and send the message out, finally, to the guy, whoever is outside.

Okay, so this is the whole process, receiving and sending. So now let's see something very important for us, because we said, okay, we understand now how it works. So now I want to send an SMS message to the infotainment and I want it to respond to me. I want my malware to know when a message is being received, so that it can trigger whatever I want, right? The first thing is that I need to wake up my RAT.
So we realized that the messages are being stored in an SMS database, SQLite, unencrypted, so you can just open it up. It has some tables, but the interesting ones are the attachment and the message table. The attachment table is the one where, every time you receive a message, it stores the message in that table, and the message table is the one where, when you click read inside the infotainment, it's gonna store that message into that table. That means that if we can monitor the attachment table we'll know exactly when a new message is coming into the infotainment, and as soon as we see a new message in that table we can wake up our RAT and start executing what we want.

Okay, so then there are some limitations when we were trying to do it with JavaScript, because basically, as you know, with JavaScript you need to start pushing, the screen is popping up, so it's not something that is easy to hide, and also the driver, or whoever is the target, is gonna realize that. So it's not convenient.

This is just a quick example, guys, that I want to show you. Here what we are doing is we have a message being sent through JavaScript. The message is being triggered in a specific event. As you can see here, I'm gonna be touching different parts of the infotainment, but as long as I don't touch the part inside the infotainment that triggers the message, nothing is gonna happen. So I'm touching here, I'm going to different tabs in the infotainment, nothing happens, because there is no trigger right there. But then suddenly, you see, I'm moving to the sound or to different places, but then I'm gonna move to a place where a message is gonna be sent out by JavaScript without touching the same button. So we put the message inside a specific event; the event is read message. So we go there, we click read message here.
You see the same button. We are not gonna touch that button. When we click here on any of those messages, check the left side: the message is gonna be sent automatically through JavaScript. Check that: the message is sent automatically and it's received on the phone. So this was a way for us to send messages through JavaScript, but as I said, it was there but it was not enough for us, because it was too limited. It was not easy for us to not wake up the driver. So we said, okay, let's focus on other options. WebSocket is one, and then the msg or D-Bus is the other option. So we are trying to find a way to send messages out, but we saw that JavaScript doesn't work for us.

Okay, so in the WebSocket approach, basically you can put a sniffer on the WebSocket and you can see all the communication going back and forth between the JavaScript and the MMUI component, so that way we can get that information and replay it. So it's possible, but you need to convert this guy from this information in JSON into C, use the libraries to talk to the WebSockets. It's good, but still it's a lot of work.

The second approach is using the Linux library APIs. On the left side you can see all the structures when you're sending an SMS message; we dumped it from memory, and on the right side we start constructing the structures in order to understand how to send a message via C code. It's still possible, but again, this is just one simple event. If you want to do many other events, you're not gonna keep adding and adding more events just to support a specific action.

So the final one was D-Bus. D-Bus is pretty cool, because D-Bus has all these different implementations, which means you have interfaces to talk to the Bluetooth, interfaces to talk to the radio, to talk to the GPS, everything. You don't need to do anything; you just need to call the D-Bus interface and method, and that's it. So we were exploring that
information, and then we decided, let's go with the D-Bus approach. Okay, so at this point we said, okay, we have the guy that we need, so let's focus on that. So, to give you an idea, guys, what it is: the D-Bus interface is exposed. You can see that we can do Bluetooth pairing operations, GPS navigation maps, network devices connection, system updates, and at the bottom SMS operations. That means if we are able to understand the SMS operations we might be able to send and receive messages.

Okay, so a little bit of fundamentals about D-Bus, just quickly. It's a Linux IPC mechanism. It's just a channel to communicate information between processes. It is used by libdbus in Linux. It has specific policies; by the way, in this specific infotainment there are no security policies. We're free to do everything. Actually, the infotainment has a firewall that we can disable, and we can talk to D-Bus also remotely. It is as simple as: take some parameters and you talk to it. It's pretty simple.

So we thought it was great, our feature, but probably not. So then we started understanding D-Bus. The first thing is receiving messages. This get message guy is gonna allow us to receive messages, but it turns out that this long line is very complicated, which means that it's a nested structure that the dbus-send command inside the infotainment doesn't support. So we were very happy with that, let's send and receive messages, but it turns out that it doesn't support these complex nested structures. Same for the other one, send message. As I said, it's to send messages out, and also complex structures. So we said, okay, we need to find a way to implement D-Bus inside the infotainment. The dbus-monitor, so that you guys know, is like a sniffer but for D-Bus; dbus-send is to send the messages, but as I said it is really limited. Okay, so we started playing with different libraries.
I'm gonna go really fast through these three slides, guys. It's just a lot of effort by Gerardo; by the way, he spent probably three weeks trying to statically compile different D-Bus binaries, because we want a binary that supports nested complex structures for us to use in a scriptable way. But then it turns out that it was not possible, very hard. We tried libdbus; it was limited, didn't work. With Reggie D-Bus you need to compile everything statically; didn't work. Then we found Rust bindings for D-Bus; also didn't work. dot-bus didn't work. D-Feet, this is the one that we use; I'm gonna give you a demo in a second. This was pretty good. We use it; it supports nested structures, as I said, but this is a GUI. If it is a GUI, still it works perfect, but it's not scriptable. Okay, so then PyDBus: it turns out that these guys also run some sort of Python, but it didn't work anyway. And finally GLib D-Bus, GLib D-Bus, these guys, this is the solution for us. It turns out that it supports nested complex structures, as I said, or container types, and it has a toolchain created by some guys. I'm gonna leave you guys the links. Basically these guys created a toolchain specifically for this kind of car, so for us we don't need to deal with dependency problems, with all those problems. We just need to use this toolchain, and it was pretty good. You just define your XML D-Bus introspection information that you want to call through D-Bus, and it's gonna work.

So here's an example. This example is one of our modules that I'm gonna show you; it's just called Flicker. Flicker was compiled with this toolchain in a scriptable way in the infotainment. It's pretty simple. So you connect to the D-Bus port and you establish a connection to D-Bus, then set up the interface that you want to deal with on the bus. It's called LVDS.
It's a video-related interface that we use to set the brightness, which basically means you can turn off the display, turn it on; that simple. But this is the way that finally you run it, you know, if you have done some toolchain compilation; it's just a way to compile it and ready to go. We have the Flicker ready to use in the infotainment.

So we have everything ready, guys, and finally, before the demo, see here is the whole thing, how everything is gonna work. We have all the components. Basically, this is this lady driving the car, listening to music, right? She's already infected with the Salinas RAT through social engineering. Sorry, not yet, guys. She was not infected. Now she's infected. Okay, so then she plugs in the USB and this guy gets infected. Then we do the persistence; as you remember, we put this guy into the services so that it boots up all the time. Salinas RAT is running. Then we start monitoring the SMS database, so that new messages are coming in without executing. Then we launch this sniffer for D-Bus, the D-Bus sniffer, which is like Wireshark for TCP, the same for D-Bus. So we put dbus-monitor to start listening on specific events that we know are related to the SMS messages. And then the test observer: you guys remember the test observer tool that these guys left in the infotainment? We use that one to reset the connection to the infotainment. What that means is that we understood that when you connect your phone to the infotainment, there is a session between your phone and the infotainment.
So when we infect the car, that session already happened, because these guys already connected. So we need to find a way to reset that connection so that the session is established again, and then we steal it. Once we steal that session we can control the whole SMS messaging. That's why we use this test observer tool, in order to steal the session between the phone and the Bluetooth. By the way, this is not needed per se. I mean, we did it because you can do that on demand. Let's say that you have a 30-minute shot to do this. You cannot wait for this guy to get a message or a call so that you can intercept the session, because this is when you're going to receive the session. But we reset it on demand so that it gets disconnected and we get the session. The other option is you just wait, and eventually, when it receives a message, we will still get the session.

Okay, so we intercept the pairing session. This is the way, the JavaScript SMS that we saw: even though it didn't work a lot, it helps, it helped us as the first beacon, because it just wants to send a message out to the attacker, and the attacker will receive the phone where the RAT is connected. So at this point we know what the infected phone in the car is, and from there we can start sending messages to the infotainment and it's going to start stealing SMS or whatever you want. So this is the whole process, guys.

So let's do a demo. Here are all the commands supported in the RAT. We are, you know, implementing some of them. Ransomware is just putting this guy in unusable mode, and you need to take it to the dealership. It's pretty simple: you just remove specific services and you lose connectivity, as we did actually; well implemented, what we learned, so that if you want to fix it you need to go to the dealership to get it fixed. And this is the test observer that we are running; you know, this is the debugging tool. Wi-Fi, Ethernet and the Flicker. It's just an example. So let's do a demo, guys.
I'm gonna move there. Yeah, let me... Okay, let's do it here, because I don't think I can move the laptop. Anyway, let's see.

Okay, guys, here I am connected to the car. The first thing I'm gonna do is turn on the Bluetooth in the infotainment so that I can pair my phone. So we are here inside the car, in this screen. On the right side I'm gonna run the famous dbus-monitor. Sorry, the D-Bus monitor. Let me just open this and find it. So here I have a specific guy, which is this. Okay, this is just the D-Bus monitor. What you're doing here is you're saying: monitor the bus on a specific event; the event is called GetFolderList. Why? Because we want to monitor that event only, because we know that when the phone is connected this event is gonna be called. So we don't want to see everything, right? We just want to put a filter. It's basically that. So I'm gonna just run this guy. It's ready, it's waiting, right?

So now on the left side of the screen I'm gonna start running what is called the test observer. You remember the test observer that I told you guys about? You don't remember it? Okay, so see, we have here the test observer. This guy, we learned obviously after doing the reversing, we need to call it with the disabled command, because otherwise it's gonna time out. So okay, we run this guy, it starts running there and it's ready. So right now we have this debugging service. So what we're gonna do now is I wanna query this guy. This is something that I'm doing here, guys, in front of you, but obviously this is what's going on behind the scenes, right?
So you guys can see exactly what the RAT is doing: the RAT is doing the monitoring, the RAT is running the test observer, talking to this guy and querying the phone. So the first thing we're gonna do is we're gonna say, okay, let's run this guy. You remember the prefix, which was AT+TMC=. So we're gonna say: tell me what are the phones connected in this car, right? You are in Mexico City, right? You are not in the US. You are just the drug cartel boss, so you are waiting for this thing. So I'm just, okay, give me the phones connected. It says, okay, we have three phones that have been paired with the car. That's just the paired phones. Okay, now: tell me which phone is active right now, the phone that is being used by the driver, right? So we said 518, and it says, okay, the one that is active right now, which is my phone, is this MAC address.

So then we said, you know what, reset that connection, so that, as I said, if you reset the connection, when the connection is established again we steal the session between the Bluetooth and the phone, and then we can control everything. So for this guy we do the commands and then we said reset the connection. What I want you guys to look at is the right side after I execute this, because when we issue the connection reset, on the right side the D-Bus monitor is gonna catch that, a new connection. Let's see. So we run it. Let's see here. Let me check, no, we didn't get it here. Let me check for 32 plus... See, I think it was this. This is a new check of the command quickly here. That's the one. Just let me quickly... Automatically here, so I'm gonna try to execute exactly the same command, which is... Yeah. Okay, so now we got the session. So what is the next step with that session?
Let's take it and use it to steal SMS messages. So we take these two guys. As you can see, by the way, the sessions, sometimes, in this case you can see it is the same, but sometimes it changes actually. This code, this, but this is the latest one. Okay, so let's go to my Ubuntu box. In this Ubuntu box, what I have is the tool, you remember, d-feet. This is the GUI, but obviously behind the scenes we don't need the GUI, we just need the other option: to compile it and execute it through toolchains. But this is for you guys to see. So what I'm gonna do is connect to the infotainment through Wi-Fi, to port 3000. I don't know if it is still connected, probably not. No, I don't think so. Let me just quickly reset the connection. Yeah, let me check. Okay, yeah, we have connection.

So we're connected to the bus. The bus has multiple ports; depending on the port, it has the exposed interfaces, right? So we connect to this interface and we are here, and we are interested in the msg one. If you remember, guys, this is the one that we are interested in: msg client. Okay, msg client, as you can see, has all these different exposed methods for us to control SMS messages. So the first thing that I want to do is use GetMessageList. This GetMessageList is gonna say: pull out all the messages from the phone whose session you just gave me. Okay, so what I'm gonna do now is I'm gonna go here and I'm gonna prepare my message. So basically, here...
I'm just copying, you remember those two values that we got? Let me get them again. These two guys. So what I'm gonna do is copy this guy into the command line. Below this command line, guys, is just to interact with the bus. So these are all the parameters that I need to pass: the first parameter is the connection ID, the second parameter is the context ID, and then we are set. Okay, we pass the second parameter, paste, and that's pretty much it. This is the whole information that we need; we just paste it into the tool. You can see here at the top: connection, context ID, timeout, all are the parameters for the bus. Obviously during this exercise we needed to figure out what those different parameters are, but after that it's simple. Now here, this is the great value: this four is the number of messages you want to get. I put three, for example, but we can put more, right?

So what I'm gonna do right now, so that you can see that this is live, is I'm gonna send three messages to my... I'm the driver, right? But I'm gonna send it pretending that I am another guy. I'm gonna send a message to me so that you can see it popping up on that guy. So that guy is receiving messages and then we will steal those messages. So let's say we put "Viva"... what is the name of your wife, my friend? But anyway, I don't think it went through. If you see something popping up, let me know. Okay, but I don't think so. Okay, so let's do this. We click execute here. And then when we click execute, I just need to click on Source, and here in Source, guys, we get the latest messages, three messages. You can see here, damn, this is my friend Josh Gomez, a friend of mine. Then here is another message, you know, all those messages.
So we just retrieved three messages. If we put four here we might get more, obviously, but that's basically the idea, right? So we do execute and then we go to Source, and I think I got another one. Okay, so these are the messages. But what we did is now we get the messages from the phone, right? Now we need to send them out. I mean, we get them, but these messages are in D-Bus, so we need to send them out to the attacker. So what we did here is we just created a small tool that basically parses these messages and sends them to a second D-Bus interface, which is the one that sends the messages out. Whoever tells me what that interface name is, I give you the book. So what is the interface name that we used to send the message out? "Say message", my friend? That's yours, my friend. Yeah, it's called safe message. So safe message is the interface that we use to send it out.

Okay, so now here I need a volunteer that wants to play the role of an attacker. Don't worry, I just want you to receive the message. So I want to send this message to someone outside. If there are no volunteers I can do it myself, but is there any volunteer? Okay, my friend, come over, please. So what we're gonna do is, can you type your phone? Yeah. So what we're gonna do here is just type a phone, right? Behind the scenes this is obviously automated, it's the attacker's phone, but here we're gonna use his phone. So these messages that we just saw are gonna be sent out. It's basically what we're doing, it's the final step in this whole thing. I just need to... this is an escaping thing, I remember that it's a JSON thing, so we just need to escape it, but anyway, it doesn't matter. Okay, so can you type it here, my friend? Here, one second. Yeah, right there. Okay.
So I think it needs to have a one, I guess, but anyway, so we have this phone. What's your name? So we have the phone of Jeremy, he is gonna be the attacker right now. So we're just gonna execute this so that you guys can see how the messages look going out. Just give me one second. Okay, so let's execute that command. Let me see if that works. Okay, so this is just, first of all, why I'm just parsing the messages here: you can see in an easier way the phones and so on. Anyway, here is the phone that we got, information here, information here, information here, right? So you don't believe that this guy is just a friend that really loves me; actually it's my phone, it was just me. Okay, so then we're gonna send this message out to the phone that we just decided. In order to do that, as my friend Pellots said, we're gonna use a different interface, right, as you remember. So we're gonna go to the safe message interface. That interface is gonna allow us to send the message out, and it's gonna be sending the message out to this phone, which is the phone of Jeremy. So Jeremy, can you just stand here? It's like a magic act, my friend, you know, so just do like this with the phone. No, you don't need to... Let's see if it receives the message. You know, the demo doesn't work, so don't worry, guys. Okay, I sent the message. Let's see. Okay, I told you guys. Well, it's in the outbox actually; the command works, but... Yeah, I don't know. Let me try another phone here also, since we're here. It's right away, I think there is some metadata here. Okay, that's my phone then. Let's see. Execute. Well, I put the one... Plus one, no, I don't think so.
Oh yeah, Mexico. No, but it's that way, but I think, yeah, because I was not auto-retrieving metadata, so I don't know, maybe something without the one. Okay, yeah, let's try that, and let me just grab your number again. Okay, let's try that. Actually, I don't recall how I... So you just like to remove the plus only, right? Okay, let's try that. It doesn't work. Yeah, because I tested, I think I tested it without that and it works. So it's something weird with them. Yes, just let me quickly check here if I am... Yeah, no, no, it's active. Yeah. No, I don't think it's working. Let's do something, man: if you receive it later during the day, yes, then these guys say... Yeah, sorry guys, I don't know what's going on with the communication, but actually I have a demo video here at the end. But this is exactly the same, let me check here. No, no, but this is the same. Yeah, it's exactly the same, so for some reason it didn't send the message out. So sorry guys for that last one, I don't know why it's not working. But anyway, that was the last step: we steal the messages, and then we just call the safe message and then the messages go out to whoever is the destination address. But I also tried with mine and I didn't receive anything. So there is something. Oh wait, no, I would see it actually. Yeah, you didn't see the popup there. Okay guys, so sorry for that communication there, but it was the last step.

And just some takeaways here. Hopefully I'm gonna connect it outside, we'll see if that sends the final message and I receive the message here, but for some reason it's not popping up there. But anyway, some kind of recommendations. What about this talk? I hope that the recalls from the car companies, they can take more seriously the fact that we can infect cars, because I think that this kind of scenario is real and that it can happen, and I don't think that there is gonna be a problem.
So, well, there's gonna be no... the last demo. Can you send a message? We're gonna send a message now from outside. I'm gonna send a message, let's say here is the attacker. It's gonna send a message to my phone, and then my phone is gonna receive the message, which is the RAT inside, and it's gonna do some actions in the infotainment. So let's try that one as the final... Yeah. Yeah, guys, for some reason it's not working, it's a message... messages in this room for some reason, but anyway. So I apologize for that. That's pretty much it. Thank you so much to Alan Month, don't... thank you guys, John, Matt, your McMaster, and George Gomez for your work. And obviously, that's it. Thank you guys.
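The D-Bus part of the demo above (filter dbus-monitor on one member, pull the connection ID and context ID out of the captured event, then feed them to a method call) can be reproduced offline. The following Python is an added example written for this transcript, not the speaker's Salinas RAT code or any tool from the talk: it parses dbus-monitor text output, recovers the two identifiers from the newest matching record, and builds the equivalent dbus-send invocation to what d-feet does when you click Execute. Everything named in it is an assumption: the bus names and paths (org.example.*), the argument order and types, the member names GetFolderList and GetMessageList as heard in the talk, and the constructed capture text; the real infotainment interfaces have to be discovered with d-feet or dbus-monitor on the target.

```python
"""Parse dbus-monitor output and turn captured session identifiers into a
dbus-send call.  Added example for this transcript, not the Salinas RAT code.
All bus names, paths, interfaces, argument order/types and the sample capture
below are assumptions; GetFolderList/GetMessageList are as heard in the talk."""
import re
import shlex

# One dbus-monitor record header (dbus-print-message.c layout), e.g.
#   signal time=1.2 sender=:1.42 -> destination=(null destination) serial=12 path=/p; interface=i; member=M
#   method return time=1.3 sender=:1.7 -> destination=:1.42 serial=46 reply_serial=45
HEADER_RE = re.compile(
    r"^(?P<kind>signal|method call|method return|error)\s+"
    r"(?:time=(?P<time>[\d.]+)\s+)?"
    r"sender=(?P<sender>\S+)\s+->\s+destination=(?P<dest>.+?)\s+"
    r"serial=(?P<serial>\d+)"
    r"(?:\s+reply_serial=(?P<reply_serial>\d+))?"
    r"(?:\s+path=(?P<path>[^;]+);\s+interface=(?P<iface>[^;]+);\s+member=(?P<member>\S+))?"
)
# Argument lines are indented "<type> <value>"; arrays/variants are skipped.
ARG_RE = re.compile(r"^\s+(?P<type>[a-z0-9]+)\s+(?P<value>.*)$")
INT_TYPES = {"byte", "int16", "uint16", "int32", "uint32", "int64", "uint64"}


def _coerce(dtype, value):
    """Scalar D-Bus value as a Python value, None for containers we ignore."""
    if dtype == "string":
        return value.strip('"')
    if dtype in INT_TYPES:
        return int(value)
    if dtype == "boolean":
        return value == "true"
    if dtype == "double":
        return float(value)
    return None


def parse_dbus_monitor(text):
    """List of records: header fields plus an 'args' list of scalar arguments."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["args"] = []
            records.append(rec)
            continue
        a = ARG_RE.match(line)
        if a and records:
            val = _coerce(a.group("type"), a.group("value"))
            if val is not None:
                records[-1]["args"].append(val)
    return records


def match_rule(member, kind="signal"):
    """Match rule for `dbus-monitor` so only the event of interest is printed
    (the talk filtered on the event fired when the phone connects)."""
    return f"type='{kind}',member='{member}'"


def find_session(records, member):
    """(connection_id, context_id) from the newest record for `member`, or None
    if the phone has not (re)connected yet.  Assumes the IDs are the first
    two arguments of that event."""
    for rec in reversed(records):
        if rec["member"] == member and len(rec["args"]) >= 2:
            return rec["args"][0], rec["args"][1]
    return None


def get_message_list_cmd(conn_id, ctx_id, count, timeout_ms=5000,
                         dest="org.example.Msg", path="/org/example/Msg",
                         iface="org.example.MsgClient"):
    """argv for the dbus-send equivalent of clicking Execute in d-feet.
    Destination, path, interface and argument signature are assumptions."""
    return ["dbus-send", "--system", "--print-reply",
            f"--reply-timeout={timeout_ms}", f"--dest={dest}", path,
            f"{iface}.GetMessageList",
            f"uint32:{conn_id}", f"string:{ctx_id}", f"uint32:{count}"]


# Constructed dbus-monitor capture (not from the talk): first connection,
# an unrelated method return, then the reconnection forced by the reset.
SAMPLE_CAPTURE = """\
signal time=1700000000.100000 sender=:1.42 -> destination=(null destination) serial=12 path=/org/example/Map; interface=org.example.Map; member=GetFolderList
   uint32 5
   string "ctx-0001"
method return time=1700000000.200000 sender=:1.7 -> destination=:1.42 serial=46 reply_serial=45
   boolean true
signal time=1700000000.300000 sender=:1.42 -> destination=(null destination) serial=19 path=/org/example/Map; interface=org.example.Map; member=GetFolderList
   uint32 7
   string "ctx-0002"
   array [
      string "telecom/msg/inbox"
   ]
"""

if __name__ == "__main__":
    print("dbus-monitor", shlex.quote(match_rule("GetFolderList")))
    recs = parse_dbus_monitor(SAMPLE_CAPTURE)
    conn, ctx = find_session(recs, "GetFolderList")
    print(shlex.join(get_message_list_cmd(conn, ctx, count=3)))
```

Feeding real output is just `dbus-monitor --system "type='signal',member='GetFolderList'" | python3 script.py` with `sys.stdin.read()` in place of SAMPLE_CAPTURE; because `find_session` walks the records newest-first, it naturally picks up the session created by the reset rather than the stale one the speaker warned about.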