Cool. We're going to start going now. So my name is Justin. I work for Delphi Automotive, who's sponsoring the Car Hacking Village. I run the red team testing lab there. So my team, who you'll see around here, is the one that's going to be doing demos and doing a lot of this stuff for us, but we hack our own modules to help our engineers secure them better.

So to get into this a little bit, starting off: at the Car Hacking Village we do have a CTF there this year. It's really, really cool. They've got lots of different interfaces, lots of different systems to hack into. The first-place prize is this truck over here. So if you guys want to play around, you can win a truck. Another prize that we're going to be giving away is this antenna that we're going to be demoing for you guys. So you can see right here, this is a GPS helical directional antenna. We'll go into the making of that as well in a little bit.

Going back to our day job: we're the Delphi Cyber Security testing team. We do pen testing for the company, process and tool development, as well as research and development. This is what our facility looks like. We've got a bunch of garage bays we can pull cars into, and a pretty big facility to do testing on modules.

So now moving into the outline. We're going to talk about different test interfaces on the wireless side, as well as toolkits for it, just to help you guys out in case you may not have tested or done this stuff before. So we'll just kind of give you the rundown of what we're using and what works for us. Then we're going to do a demo on key fob analysis. We're going to use GNU Radio and a HackRF to do some analysis on a key fob, to show you how to pull those out of the air and do a deep dive into them. And then we're going to go into building a directional antenna, which is this guy over here in the front; Brian is the mastermind behind that. And then we're going to get into the demo of actually directionally pointing GPS over here and showing you how the antenna works.

Alright, so now this stuff I'll run through quick because you guys probably know a lot of this. This is just the typical Wi-Fi standards. I just wanted to throw this in here so you had it all. Here are some tools that you guys can use for Wi-Fi. We don't do too much Wi-Fi stuff in cars. I mean, pretty much most of them have WPA2. So unless you can bypass the password... they're getting a little bit better; the car companies are slowly getting better at making good passwords on WPA2. But that's really the only weakness that we're seeing.

So yeah, we'll go to the next one, which is going to be Bluetooth. Bluetooth was a lot more vulnerable in the older versions. So any older cars that have older versions of Bluetooth in them are extremely vulnerable to those types of attacks. Here are some more specs on that. It's another RF spectrum that sits in the 2.4 gigahertz range. Bluetooth version 5 is really nice because it's bumping up the speed like crazy, and mainly the distance, which is nice, just because of all these different devices people are making in their houses. You can go a lot farther in your house, but then for us, if we want to do drive-bys, we can also get into their stuff. So here are some tools that we use for Bluetooth testing. The Ubertooth One is really helpful, and then we just use this adapter. It's really easy. We can transmit on this; we can do whatever we want with this device. Some Bluetooth devices won't allow you to.

So now moving into cellular. There are three different areas that we focus on in cellular. This is just giving you a rundown of spectrums. So whenever we're trying to dig into a new technology or understand it more, this is the type of data we compile to start digging and understanding what tools we want to buy. And then we start reaching out to vendors or coming to events like this and buying all the hacker tools. So when you're getting into cellular-related stuff, or any wireless stuff on cars, it's recommended to look for this type of content on any of the modules, mainly something with the FCC ID or even an IMEI number. It's going to let you know there's a cell network in here and it's transmitting some kind of RF somewhere. So this is how we can quickly move on to understanding what's coming out of this module.

Now looking into the tools that we use: we're trying to find what works best for us. So we buy a lot of industry-based tools like this guy up here. This is from Rohde & Schwarz. It's a cell site simulator. So this will actually put up a cell tower for you. You put a SIM card in your phone, or whatever you need to, and now you can see all the data streams and everything that's going back and forth from that phone. So it's really helpful for us when we're trying to test apps and cars that people are building, to understand if they're actually communicating to the server securely and what type of data they're sending back and forth. And then for putting up base stations a cheaper way, you can use a bladeRF with the HBTS, or this USRP device with the HBTS as well. Those are a little bit cheaper routes to go, and you can have a lot more customizability with those.

Next is moving on to key fobs, which we're going to show you the demo on. This is something that was introduced in 1980 by Ford. There are two main frequencies, which are 315 megahertz and 433.92 megahertz. The distance is 5 to 20 meters, and the security on this is mainly rolling codes and challenge-response. A couple years ago you guys may have seen a guy named Samy Kamkar create a device that was able to bypass, or you know, leverage rolling codes to be able to get into people's cars. There are also passive key entry systems, which are running stuff in the kilohertz range. So when you walk up to your car and you want to unlock it with just your button, or the handle on the car, that's usually using something in the kilohertz range. And that's called passive key entry. So here are some tools that we use for the key fob stuff. We mainly are using the HackRFs, but the spectrum analyzer is really helpful to see those packets coming across. And then we also use the YARD Stick One because that goes down to the lower kilohertz.

So now we're going to GPS, which we'll show you in a demo as well. This is something that was created by the United States in the '70s. There are a few different bands. The ones that are mainly public are L1 and L2. If you want to lock down GPS properly, use both radios in your devices. Most people don't. I know Apple doesn't, and we can show you what happens with that, because they don't. We pretty much can put anybody's phone wherever we want if you're only using one band, because your phone's only relying on that band, so it's not getting another source to say "hey, you're not actually here, you should be here." So we'll show you how that can be messed with. Some different tools we're using for this: you can use a HackRF; they're kind of hard because you've got to stack a bunch, because you have to transmit as well as receive. And then we mainly use the bladeRF, which we have set up here connected to this antenna. So we'll show you that in a moment.

And then the next one, the last one, which is a fun one which you guys may not have heard of yet. This is something that's coming in cars. It's kind of scary from my perspective, because of what they're trying to do with it, but it is something that's needed. Cars do need to talk. If we're going to have autonomous cars down the road, they do have to talk to each other in some manner. So this is currently the automotive solution for that. It's called vehicle to everything.
It runs just above the 5 gigahertz range and it has a protocol of 802.11p, which is very similar to all the Wi-Fi standards. It's really not that much different. The biggest thing is it's got this IEEE 1609 application layer on top of it. And then here are some tools that we use for that. If you're looking into development tools, these are just the hacker-type tools, besides this one; but another development tool you can look to is something called Cohda Wireless, or the MK5. That'll allow you to actually transmit and do some V2X-based stuff. And then another one from the auto industry that's pretty big is Vector CANoe. They're really expensive, so hopefully in the near future some hackers will release some tools that are a lot cheaper for you guys. Alright, now we can move into this key fob analysis, if you're ready, Dave.

Hi everybody, my name is Dave Connit. I work for Delphi along with Justin, and I'm sort of the radio guy, I guess, over there. Okay, this is my screen popping up here. No. How do I? Oh, there we go. That's interesting. Well, if you can't see it, I'm going to have a hard time demoing it. Alright, so who's used GNU Radio before? Anybody in here? For the people who haven't used it, have you heard of GNU Radio? Okay, so if you haven't used GNU Radio, or you've only heard of it, I'm going to explain just the basics of what this thing does. It's a useful tool that we use in the lab to isolate different wireless signals. So Justin spoke about GPS, you know, DSRC, but at the end of the day in the radio frequency spectrum, vehicles themselves have like 15 different radios on them. Your phone probably has like six or seven; you've got Bluetooth, Wi-Fi, but then what about the non-standard wireless? So I've got my key fob here for my truck, for example. Now this thing doesn't speak Wi-Fi, it doesn't speak GPS.
So how do we deal with signals when we don't really have, you know, a Wi-Fi adapter to just let us authenticate to it? Basically, reverse engineering random wireless signals and looking at the binary data inside of them. So I want to show you two tools that we use in the lab to isolate these signals, and how we can decode the actual binary data off of that, so we can actually send and communicate with these basic devices. It's actually, generally speaking, easier to talk to these guys than something like Wi-Fi. It's much less complicated. So for example, with your key fob, it's just a series of bits, and if the car hears the right series of bits, there's no handshake. It just says "oh, I like those bits, I'm going to open up the car." It's that simple, so as long as you know that code, or how to generate that code, then you can talk to it. So actually being able to read the code off of the air, if you don't know what the wireless signal looks like, is a very useful skill to have in general. At DEF CON we've seen talks where guys talk to satellites using these techniques. You can talk to cars, anything that transmits a wireless signal.

So I'm using a HackRF. I think the range on this thing, in frequency terms, goes up to 6 gigahertz and down to 10 megahertz. 1 megahertz? 1 megahertz. That's a huge range. This is actually a monumental invention, software-defined radio in general. Having this kind of power, to be able to transmit and receive on that wide of a frequency range, is something that ten years ago even would have cost millions of dollars in equipment and would have been military-classified type technology. So please get one and learn how to use them. They're very awesome.

Alright, so I'm opening up basically a utility called GQRX. GQRX, if you install GNU Radio along with this, you're going to be covered. So I'm going to move this guy over here. GQRX, this guy right here, is a spectrum analyzer. Everybody knows what that is. It's our eyes and ears on the frequency realm. This lets us see our wireless signals. This guy, and most spectrum analyzers, cost between at least ten thousand dollars up to five hundred thousand dollars to a million dollars, just to give you an idea of what it's like just to see the spectrum range that we're talking about here. A HackRF costs, I think, two or three hundred dollars, and it can see almost the same range as this guy. This guy's still better, it's more accurate, but the HackRF is good enough for us hackers. And GQRX, I want to show you, basically does the same thing that our two hundred thousand dollar spectrum analyzer over here does. You can actually see they look very similar, and I'm going to use GQRX to move down and find my key fob signal to show you guys what that looks like. I happen to know that it's three hundred and fifteen megahertz. All your devices come with an FCC ID if they're being sold commercially, so they will tell you what the frequency is on the FCC's website. Super useful website to look up all kinds of parameters that we're going to use in GNU Radio to decode this signal. So you can see here, when I press my little button, on my HackRF there's a little bumpity bump coming. That's a frequency shift key coming from my key fob. So we're looking at, I think, what is this, twenty megahertz in bandwidth, or sixteen megahertz, I can't remember. I do want to show you an important and difficult part in dealing with GNU Radio, which is setting up the filtering. And I want to show you just what filtering looks like in GQRX. When you click around you can see that little band there. It's actually filtering all the signals out around it, and if I had my audio on it would actually play the sound for the signal that you're receiving. So you're narrowing in and zeroing in on that signal that you're looking for, despite capturing twenty megahertz worth of bandwidth.

So, I think my computer locked up. Yeah. Okay. Well, that's okay, I was going to close GQRX anyway and switch to GNU Radio. The important thing to understand is, when we're going to decode this signal in GNU Radio and get the binary bits out of there, there are basically four steps. Essentially we have to capture the signal from a source. That's obvious. And then we need to filter all the junk around it out from the signal. And there's an entire series; you should watch Michael Ossmann's SDR series if you haven't already. He's the guy who created the HackRF, and he's got an entire educational video series, and he's got an entire hour dedicated to filtering. It's a science and an art. There's a lot that goes into it. There are many different kinds of filters: high pass, low pass, band pass, xlating FIR filters, blah blah blah. Learn them all, what they do; they're not that tough, but they're a little intimidating to get to at first. It's very important to zero in on your signal with those filters, though. Okay, so once you've zeroed in on your signal with your filter, the next step that you have to do is demodulate it. Demodulating is going to come in a couple different flavors. There's frequency demodulation and amplitude demodulation. So when you're playing around in GQRX, it will behoove you to figure out and identify, with your eye or your ear, whether you're dealing with a frequency shift keyed signal or an amplitude shift keyed signal. Amplitude sounds like Morse code; it's changing in volume. A frequency shift keyed signal is going to have differing tones that you'll hear, and it'll sound more like music or dubstep or something like that. So once you identify that, you can pick your frequency shift keying or your amplitude shift keying.
So I've prepared GNU Radio blocks here. Let's see if this works. Is it? No it doesn't. What's that? Oh, there we go. I'll wait for it for a second. Okay, I have to be fast here. So my program that I've written here. GNU Radio, oh whoa. It uses flowcharts to define your actual software. In the background of each one of these flowcharts there's actually a Python script that gets executed, and you can see here, this is what I was talking about. I'm using the osmocom source, which is my HackRF. I set the frequency to 315 megahertz because I know that that's where my signal is, and I set my sample rate to be about 4 megahertz. That means I'm capturing 4 megahertz of bandwidth around the signal. That's a lot of bandwidth. The actual bandwidth of this signal is like 200 kilohertz. It's not that wide. That's why I pass it into a filter. I'm not going to explain all of these different parameters, but basically I'm zeroing in on the signal with this, so it's kind of offset from 315 megahertz. It's not quite exactly; it's like 314.9. You can figure that out from the FCC website. So I'm offsetting it to zero in on the signal, and then I am shrinking down that 4 megahertz of bandwidth just to capture this signal alone and none of the junk that's flying around it, especially here at DEF CON. I'm then piping the signal into a frequency sink, which is exactly the same thing as the spectrum analyzer that we see here, so we can actually see the signal that we're capturing and confirm that we're getting it. Demodulating the signal. And now this is the secret sauce to get the binary data out of it. So at this point, this is nice: you'll actually be zeroed in on a signal. You can hear it, you can record it, you can save it, and you can import it into other analysis tools like Baudline and Inspectrum, or even Audacity. Your favorite music editing program is able to read this data coming out of here. So you can just put that into a file sink right there.

But if you just want to pull the bits out, you put it into a clock recovery block. The only thing you need to know to use this block is the baud rate of the signal. You can look at that visually, or you can look it up on the FCC. My key is, I think, 115 thousand symbols per second. Once I know that, then I put it into a binary slicer that slices it into bits, and I save it to a file on the tmpfs. I'm going to show you what that looks like when it runs right now. And I know there's a lot of information. I have a ton of resources for you folks that you can walk through chapter by chapter. There are a lot of authors out there that have done this exact same thing, and they explain everything in far more detail than I can here today.

Alright, so I'm going to run the program. Hopefully it'll work. I'm going to click OK. That's fine. Alright, there is my signal. And now I'm just going to exit because I've captured what I need. So I saved that to temp test. I'm going to go ahead and just dump that with a hexadecimal viewer. And bingo. So you can see the pattern there in the bits. Zero one zero one zero one is basically all ones. It's a preamble for the signal saying "hey, you're about to receive some interesting data." And right after that you can see that there's the code right here. Now something I didn't show you in my block, that if you actually want to use this in the field, is there's a way that you can set an access code. So: hey, look for the ones in a row and only capture the bits that come after that. It's useful so you don't get this file that I showed you that has all of the repeating signal here. It'll just grab the signal that you're interested in, but just for the purposes of this demo I wanted to show you the preamble and the code, the preamble and the code, the preamble and the code. And that is literally the key fob signal for my truck.

So if somebody wanted to take a picture of those ones and zeros, and can find my truck in the parking lot, you could re-digitize the signal over the air and break into my truck. And that would be that. Anybody else want to try pressing your lock key and let me record it, and tell me the make and model and where it's parked? No? It's really cool stuff. That's all I have for you today for my demo, but that's how you decode a binary signal arbitrarily broadcast over the air. You reverse the entire process to broadcast it out. Please learn how to use GNU Radio, GQRX, and buy yourself a HackRF to get into this stuff. And thank you very much. I'll pass it back to Justin.

Thanks Dave. We've got to flip laptops. I've got to, we've got to flip the laptop again. Open. Yeah, pull the HDMI. Sorry, one second while we switch the demo stuff up. Alright, now we're going to get into the making of that antenna over there. Whenever the screen wants to load. Yeah, one moment. Just HDMI. Sorry guys. Alright, here we go. Nope, no source found. Sorry, I have it set up to duplicate. Sorry guys. Yeah. No, it's HDMI. Actually, sure, we can try it. Oh, alright, never mind. We'll try this; if not, then I'll try this little dongle. There we go, sweetness. Sorry about the delay, guys. Alright, so now we're going to get into building a helical antenna. So this is going to be presented by Brian Gillespie. This guy's a badass physics guy. He knows a lot of stuff in physics and now he's becoming a hacker, so here you go, here's Brian.

Alright, alright, thank you Justin. Are you going to index the slides, since you took them? Okay, so I'm going to just review some of the fundamentals of radio physics, which most of you probably know, but we need to understand that for building things like this and doing the things that Dave's doing and other people are doing. So, the quick review.
So here's our whole spectrum. With increasing wavelength we have the lower frequency, and then we have higher frequency with smaller wavelengths. If you see where I've got that arrow pointed, radio frequencies are typically frequencies above 1 gigahertz, or 10 to the 9 hertz, and they travel at the speed of light. So we go to the next slide here. They travel in a straight line and they reflect. So when you're above that frequency range they'll bounce off things like the walls; when you have the lower frequencies you can have environmental effects on them. But for what we're doing, you know, it travels at the speed of light. And it's important to remember our wave equation here, where the frequency times the wavelength gives us the speed. That's going to be helpful when I build the antenna.

Moving forward, let's look at the antenna. This is the main part of the talk here. So you've got your center support here, which is this V here, and you can see that on the antenna over there; the coaxial feed line; and then you have the insulating supports, because we don't want any connectivity anywhere else. You've got the reflector, or ground plane, and then you've got your coax that feeds your signal in, or if you want to receive then it goes the other way. So there are two modes that these helical antennas can operate in. That's the normal mode, where the helix pitch and diameter are small compared to the wavelength and it's omnidirectional, and then the axial mode, or end-fire, which is what that antenna over here is, where the diameter and the pitch are comparable to the wavelength. You'll see that when I show what's coming up next. So this is just kind of a visual of what it looks like, from some simulations, between an omnidirectional-type antenna, which just kind of radiates out and spreads out, and the end-fire directional one, which is the helical, which means we can point it at things; that's this one here.

So here's a little more animation for us, just to show what happens when we have a helical antenna, and that is, depending on which way the helix is oriented, the waves will spin one way; the vectors here will show the polarization, which will be right-handed or left-handed, and that's based on which way it's turned. Now, it looks like the animation was taken out, but that's okay; you can see down here, as it comes out, these waves are spinning around. That's the representation up here, and that's the end-fire for that.

Okay, so this gets to the heart of the matter here, of how to make the antenna. So I found this nice website up here that did most of the calculations for us. You plug in the frequency, how many turns you want, and then it pops out all this information that we need to build the antenna. So these are the general schematics that I had to take and interpret to build that antenna that's sitting over there, so that we can use it for our work, and look at what happens when GPS is pointed at something that has it, and what impact it's going to have for us.

Alright, okay, so real quick: it takes some tools to build that, and some design work from the previous slide to make all these parts here. So this is our Bridgeport mill that I was using; I was in the process of putting in the holes. All these holes are based on fractions of the wavelength, from that slide I showed you before, so that tells me what the spacing needs to be here. And then from there you need to use the lathe to make some of the other round parts, basically, that you need. And one thing to remember is that an antenna is just a wire, so all that is just a wire configured a certain way to get the frequency we need for this application, and some plastic, some aluminum, and other tools.

Alright, so there's the end. Backwards, there's the antenna, and I think we're ready for the demo. So this is the thing we're doing in the lab here. You can see we're getting the signal; we've got a bladeRF. Nick over there's got us all set up. Some of you, he's been broadcasting that for the whole time, so depending on your device it could show you that it might be a thousand feet above Moscow. So if he points it over here, let me get out of the way, you should see the signal get stronger as he points it over here. That's the purpose of it. And now if you put your hand in front of it, it's bouncing off the wall; put your hand in front of it when you turn it over there, because I checked it earlier. So you saw, it's now because it's reflecting off the wall, like I was mentioning, because it behaves like light, so it'll just bounce off the wall. And that's everything; we're like, this thing's not working, we're like, this thing's not working, but then we're like, oh yeah, reflection, light, it's just light. So that's why if you do that, I don't think it's going to go the whole way, but if you do that and put your hand in front of it, it's going to block it, because now it can't reflect off the walls anymore. But if you do this, now it's starting to reflect off the walls in the room and the ceiling, just like light does. Another thing too: we don't have the amp plugged in on this, so we're not giving it enough power. We could pump this thing up, or here, I'll let Nick talk about that.

With proper amplification you can cover this entire casino with whatever signal you want. This will render all GPS navigation completely useless; you'll be wherever I tell you you are.

Yeah, so pretty scary stuff, especially with autonomous cars coming down the road. Obviously we care about safety a lot, which is why we design stuff like this: so we're not just putting everybody in the whole entire place in Moscow, we're just putting everything that's directional over there. It's a safer way of doing tests like this. You know, you don't really want to get FCC calls, so doing stuff like this, and having the proper facility to do this stuff in, is also really helpful. The lab we do all this testing in is pretty much a Faraday cage. We don't have cell inside the building; we can't get anything in or out, so we know the tests that we're doing inside are not affecting systems externally from our lab. So yeah, that's about it. If you guys want to get into cars, we'll be here the whole entire time during DEF CON. We're a part of the CTF, so we have some stuff over there you guys can hack into, try to find some flags, and maybe win that Jeep or that truck or this antenna. So yeah, thank you guys for coming out, and enjoy the con.

We've got a question for you. We're doing questions now; I realize we do have some extra time.

So if you're using both L1 and L2, that would stop an attack like this from a skid. If they were doing one radio... you can sync two radios, broadcast L1 and L2 for the correct position, but it requires manual math or a very well-written program. What you would see with both receivers is you would see that L2 is getting where you would expect, where L1 is not; and L2, if they broadcast, there's no open source GitHub project for that yet, but I'm going to post it. You would be able to tell also by the difference in timing. So we need less than five parts per million accuracy, a precision, to be able to get this to be received by your phones or any other consumer-grade device. It is very unlikely for someone to be able to do the wiring correctly to get that kind of accuracy to be consistent through two radios at the exact same time. So that's a good stop for this type of attack. Great question. Any other questions? We'll go with you in the red first.

So with this attack, the question was, could we impact timing? The answer is yes. Whatever time I broadcast it... you kind of need to know more about the packet that gets broadcast from the satellite, but basically it's latitude, longitude, and its time of broadcast, and then your radio takes in all those signals it picks up and says "ah, I see the time of flight was so-and-so, therefore I'm here." So if I were to broadcast consistently a different time, yes, you would receive it and trust it. It's a very weird phenomenon, but people do it; they use their GPS as timers. With your RSA certificates, time is usually a factor in that, and you can completely set the seed value for a lot of these embedded controllers, because they'll generate the same certificate given the same time. So if you know what it was once, you can just tell it it's the same time over and over again, and all of a sudden you're able to get the same certificate all the time, which means now you're the man in the middle even if they rotate their certs. Funky little CS problems become very big security holes. Any other questions?

Cool, yeah, so that's a good question. We don't directly focus on the full vehicle yet; we're mainly focused on modules. So if you guys don't know what Delphi does, they create a lot of safety systems in your cars, as well as infotainment systems in your vehicles. So right now our focus is strictly on protecting our parts. Down the road we do want to have offerings to our customers where we could do full vehicle assessments for them, but right now it's strictly on the module side. I did a talk a few months ago at SANS that kind of laid out a lot of this stuff. I can get you that link, and there's a presentation there that'll show you more details of what we did for that.

Yep, we do. Yes, we also focus... sorry, the question was, are we only focusing on our ECUs, or the interfaces that are coming in from other stuff? And the answer is absolutely the stuff that's coming from other systems. That's why, even the wireless stuff, you know, when stuff's coming over wireless we're testing that. We don't only look inside our systems; we look at the interfaces, anything that's connecting to the systems. A lot of it's hard to test when you only have the module, because you don't know how everything's going to be talking to it. So that's why we're trying to build our systems up to eventually do full vehicle assessments. So, good question. Yeah, yeah, cool, we'll talk later. Any other questions? Alright, if you guys have any, just ask, or if not, just stop by our booth. Thanks again.
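Editor's added example, not part of the talk and not Delphi's code: the decode chain Dave builds in GNU Radio (source, filter, demodulate, clock recovery, binary slicer, access-code sync) written out in plain Python against a constructed on-off-keyed burst. The sample rate, baud rate, 16-bit payload and the 20 kHz tuning offset are all assumed toy values; the alternating 0101... preamble mirrors the one in Dave's hexdump. It also covers the case the demo skips over, a capture with no keyed signal in it, which yields no frame rather than garbage bits.

```python
"""Toy version of the GNU Radio key fob decode chain from the talk:
IQ source -> low-pass filter -> AM demod -> clock recovery -> binary slicer -> access-code sync.
Everything below is CONSTRUCTED offline; no radio is involved and the payload is not a real fob code.
"""
import math
import random

SAMPLE_RATE = 1_000_000          # 1 MS/s (assumed; the talk's flowgraph used about 4 MS/s)
BAUD = 10_000                    # symbols per second (assumed toy value; a real fob's comes from its FCC filing)
SPS = SAMPLE_RATE // BAUD        # samples per symbol
PREAMBLE = "01" * 8              # access code: the "0101..." run seen before the code in the hexdump
CODE = "1011001110001011"        # constructed 16-bit payload
TRANSMIT_BITS = "000" + PREAMBLE + CODE   # quiet air, then one preamble+code burst


def make_ook_signal(bits, offset_hz=20_000, noise=0.05, seed=1):
    """Constructed test vector: an on-off keyed tone sitting 20 kHz off the tuned
    centre (like the 314.9 vs 315 MHz offset in the talk), plus Gaussian noise,
    returned as complex-baseband (I, Q) sample pairs."""
    rng = random.Random(seed)
    iq = []
    for n in range(len(bits) * SPS):
        amp = 1.0 if bits[n // SPS] == "1" else 0.0
        ph = 2 * math.pi * offset_hz * n / SAMPLE_RATE
        iq.append((amp * math.cos(ph) + rng.gauss(0, noise),
                   amp * math.sin(ph) + rng.gauss(0, noise)))
    return iq


def am_demod(iq):
    """Amplitude demodulation: the envelope |I + jQ|. The small carrier offset only
    rotates the phase, so it drops out here; a narrow filter would need it tuned out."""
    return [math.hypot(i, q) for i, q in iq]


def low_pass(x, width):
    """Crude moving-average low-pass filter standing in for the FIR/xlating filters
    of the real flowgraph: smooths noise before the symbols are sliced."""
    out, acc = [], 0.0
    for n, v in enumerate(x):
        acc += v
        if n >= width:
            acc -= x[n - width]
        out.append(acc / min(n + 1, width))
    return out


def clock_recover(soft, sps):
    """Clock recovery: lock the symbol clock to the first threshold crossing, then
    take one sample per symbol period at the symbol midpoint. Returns soft values."""
    thr = (max(soft) + min(soft)) / 2
    hard = [v > thr for v in soft]
    edge = next((n for n in range(1, len(hard)) if hard[n] != hard[n - 1]), None)
    if edge is None:
        return []                    # nothing keyed on the air: no clock to lock to
    phase = (edge + sps // 2) % sps  # midpoint of each symbol period
    return soft[phase::sps]


def binary_slicer(symbols):
    """Binary slicer: threshold halfway between the weakest and strongest symbol."""
    if not symbols:
        return ""
    thr = (max(symbols) + min(symbols)) / 2
    return "".join("1" if v > thr else "0" for v in symbols)


def sync_to_access_code(bits, access_code):
    """The access-code step Dave mentions: find the preamble and keep only the
    bits that follow it. Returns None when no frame is present."""
    i = bits.find(access_code)
    return None if i < 0 else bits[i + len(access_code):]


def decode_frame(iq, access_code=PREAMBLE):
    """Run the whole chain on a block of (here constructed) IQ samples."""
    soft = low_pass(am_demod(iq), SPS // 4)
    bits = binary_slicer(clock_recover(soft, SPS))
    return sync_to_access_code(bits, access_code)


if __name__ == "__main__":
    print(decode_frame(make_ook_signal(TRANSMIT_BITS)))   # the 16-bit CODE
    print(decode_frame(make_ook_signal("0" * 8)))         # None: no frame in quiet air
```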