You guys are at DEF CON, I didn't know if you know that. Uh, Saturday morning. Uh, we've got a fantastic talk. Uh, this guy has presented with us before. Uh, he's coming back to, uh, talk to you about, uh, it's a remote hacking remote car starters. Yep. Perfect. Uh, so without further ado, I will let Jmax get to it. Uh, let's give him a big round of applause.

Thank you. How's everyone's DEF CON going? Really? Let's try that again. How's everyone's DEF CON going? Okay. So my name's Jmax. I'm a software engineer by trade, hacker by passion. Um, I pretty much like anything to do with locks. And, um, throughout this talk you're going to hear lots of opinions. Those opinions are my own. They're not my current employer, past employers, or future employers' opinions. Louder? Okay. All the opinions are my own. Summary of the last statement. Um, if you like what you see, or you don't like what you see, hit me up on Twitter. Um, handle's at Jmax. Um, I'll try to get back to you.

So a little bit on the backstory here. As you probably figured out, this talk's about cars. Um, but it's not about cars themselves. It's about aftermarket, uh, remote starters and alarm systems. And I think it's important to provide a little backstory here because we may look at these devices and think they're, um, some sort of a luxury item, who would really want that. Um, so I want to tell you how I got into looking at these. So where I live, it's cold. Um, some would say really cold. And my girlfriend has a condition called Raynaud's syndrome. And what that is is the blood vessels in her extremities will constrict, uh, if she gets cold. And that can cut off blood flow to her hands for example. And if you go without blood flow in your hands for a while you can end up with something very similar to frostbite. Um, and it's about November of last year. And I haven't figured out what I'm going to get her for Christmas yet. And she comes home from the airport, uh, one week after traveling for work.
Um, and she gets home and she's very upset because her car never warmed up on the way home. At that point I say okay, I figured out I know what I'm going to get her. I'm going to get a remote car starter. And so I start looking around at all the various options out there for remote starters and there's a lot of them. And I notice that quite a few of them won't give you, the consumer, information. They won't give you access to how to install it. They won't give you access to the tool chains you need, um, to program the unit. Um, and that's kind of a problem for me. It's my car. It's my remote starter. I should have access to those tools. So I look around a bit more and I find a company out of Canada, Fortin, who makes a remote starter and they provide, uh, documentation fairly willingly. Not only for how to install the, um, the unit in various cars, but also the tools you need to program the unit. And so I'm like that's perfect. Um, that's what I'm going to get.

And I start looking around for remotes. So with remote starters, while you could use the factory remote, your range would then be limited to the factory remote. And you can get aftermarket remotes with these units and they'll have advertised ranges anywhere from like half a mile to a mile and a half. Um, but from the reviews it's apparent that those are advertised ranges and in the real world you see much less than that. And the problem is, as I said, she travels for work a lot. Um, and my concern is, um, she's not going to be able to start her car from a mile and a half away while she's at the airport. There's a lot of concrete. So I'm thinking about like, you know, what would be great is if she could just pull out her phone, open an app on the phone and hit start. Um, and so I look around, uh, Fortin's list of third party vendors who integrate with their system. And I find this one called MyCar.
And what it is, is a little cellular unit with a GPS in it that you can put in the car and you hook up to the remote starter. And then this provides the capability of being able to pull up your car, uh, in an app on your phone as a picture of what your car should look like based on its make and model. You can start the car, unlock the car, um, do anything you could do with a keyfob. I'm like, that's perfect. When the plane lands you'll be able to start a car; by the time she gets to it, it should be warm.

So at this point, let's talk a little bit about how remote starters work. In order to understand remote starters, we first have to understand how cars start. Traditionally, cars start off using a keyed switch. It's just a keyed switch. There's nothing fancy there. And when you put your key in the ignition, you are completing a circuit when you turn it. So when you turn it to the accessory position, you're completing a circuit that will power up the interior of your car. When you turn it to the crank position, you're powering up the starter motor. And this was true up until around the mid 90s. Around that time, vehicle immobilizers started to become fairly popular on the U.S. market. And an immobilizer, while it may sound fancy, it's just an electronic lock. So you have the mechanical lock that is the key. And then you have an electronic lock, um, that is a transponder and something to read that. Um, and if you don't unlock the electronic lock, your car won't start. So in the slide here, on the, uh, left side, there's a key with an overmolding. And there's, on the right side, there's a key with, it's just a metal insert. The one on the right will just actuate the mechanical components. Whereas the one on the left can actually unlock that electronic lock that allows your car to start. So why do I mention this? Well, remote starters today have to bypass the immobilizer. It's necessary for the remote starter to work if you want it to work in a modern car.
And so if we look at how you could hook one of these systems up to your car, um, here's an example from Fortin's documentation showing how the unit I got, the EVO-ONE, gets hooked up. So on the lower left side, there's a couple lines that are labeled IMO. And those have to do with dealing with the vehicle immobilizer. And then if you go to the very top on the right side, there's a couple lines labeled CAN high and low. And those are connections to the vehicle's CAN bus. The reason remote starters connect to the CAN bus is to reduce installation cost. Because it's fewer, it's fewer connections your installer has to make. So if they can read data off the CAN bus or they can send commands over the CAN bus, they're motivated to do that. Because again, it reduces installation times. On the, uh, left side of the screen at the very top, there's a bunch of GPIO. These are just related to controlling or reading information about the car. So for example, uh, when you hit the lock button, maybe you want the lights to flash and the horn to honk, um, that can be controlled through these GPIO. And then at the bottom on that side, that big clunky connector is the high current interface. And what that does is bypass the mechanical side. So as I said, when you turn your key, you are completing a circuit. Um, that big chunky con- connector there allows those circuits to be completed with simple relays inside of the remote start unit.

So here's just a couple pictures from, um, installing the remote starter. Uh, basically it just consists of pulling off the steering wheel column, making a couple electrical connections in the, um, foot well. Um, it's really not that complicated. It looks fairly daunting, but it's not that hard to do. The remotes themselves get hooked up over what Fortin calls data link. Um, it's a proprietary protocol. Um, really it's just five-volt UART running at 9600 baud. Um, and it just connects via a bus.
So these two remotes here that I'm showing would be connected to the same UART connection.

So sometime after installing the unit, it, I start thinking, you know, I, I wonder how this affects the security of that vehicle. Obviously it has to bypass the immobilizer, but, uh, how secure is this? Um, not only the cellular side, but the remote start side. So I start looking online to see if maybe Fortin publishes the protocol for their data link. Um, so I can start looking at it from that side. And I go to the forums and people have actually asked for the protocol and consistently they're told, no, we don't give out that information. One of the more entertaining responses I saw with it was this one where they say, the EVO is not meant to be used as a hobbyist toy. It's meant to be used as a tool by professionals. So, I'm a professional of sorts. I set about building my own car on my workbench. So I got a second unit, put together a breadboard that represented a car, some switches to represent the ignition, momentary buttons to represent the brake pedals and a bunch of LEDs to represent various states. Um, I get everything wired up and I hook up an FTDI device to start monitoring the data link. And I'm capturing data and at first it looks something like this. I mean, okay, it's not really apparent what's going on here, but if you squint your eyes just right, you can tell there's definitely some structure here. Um, paying a bit more attention, I noticed that whenever I press a button on my remote, the message that is sent by the antenna to the remote start unit always starts with 0C and ends with 0D. So if we just split what we're receiving based on 0C being the start and 0D being the end, we end up with something more like this. At this point it's clear there's some structure here and we can figure out what's going on.
So putting in a bit more time and being a bit more diligent about keeping track of what button I pressed and what message I saw, eventually I'm able to put together a spreadsheet where I, um, figure out what each of the commands and each of the messages look like. And so here's just a simple breakdown of what a typical command looks like over the data link protocol. When you press a button on your remote, the antenna sends the remote start unit a command that looks like this. So you have a start sentinel, that's that 0C, you have two bytes that represent the direction, or at least I think that's what it represents. Um, that's somewhat interesting because UART is already directional, there's already a transmit and receive line. Um, so that's why I've labeled it garbage, just treated it as a constant. Um, following that we have a single byte that represents the command the user would like to run. So this could be unlock, it could be lock, it could be start, stop, panic, anything that you can do from the remote, um, will have a command associated with it. Following that we have a payload. Um, in the case of messages coming from an antenna to the remote start unit, this payload is almost always going to be an address or ID that identifies the remote or antenna that the message came from. If the remote start unit doesn't recognize an ID, it will ignore the command. And to get a remote start unit to recognize the ID, there's a multi-step procedure that involves putting the key in the ignition, turning it on or to the accessory position, and then hitting the brake pedal some number of times, pressing some buttons or modes. Um, it's a procedure, doesn't really matter, but it learns the ID at that point. And then if we look at the end of the message, it ends with a checksum and that end sentinel that we, um, identified earlier.

So now that we understand how the protocol works, what can we do with it? So, to show this I have a couple videos. Uh, do we have sound?
Let's try this again. Is that not fine? Guys, anything? It's playing. Presentation view, it's got. Let's do this. Okay. Let's try this again. Still no sound. It's plugged in. Okay, I guess we're just going to be talking through this then.

Um, so what I was showing you there is the, we'll scrub back. Okay, so that white box there is a development board I have that's running, that is a Particle development board that's running firmware I wrote that understands the Fortin protocol and allows me to interact with the, um, the Fortin remote start unit. So, what I'm showing here is I send an unlock command to the car. Um, well, you should have seen the command in the previous one, the unlock command doesn't work because the remote starter doesn't yet know about that antenna. So as I mentioned, it's just UART. And one of the things with remote start units is they often support what's called two-way communication. So they're able to tell the remote about the state of the car. For example, if the car started or stopped. And to do this, it actually, the remote starter sends a message back to the antenna. And when they do this, they include the address of the antenna they would like to send the message to. Now the problem here is because that's going over the UART connection and it's a flat bus, anyone on that bus can see the address being sent. So in my firmware, I have the capability to clone an address. So if we turn on the clone mode, at this point I'd really like sound. Um, so the, at this point we need to generate a message. To generate a message, um, we can just simply open the car's door. So by opening the car's door, uh, the car sends the remote starter a message, or sends the antenna a message saying that the door has been opened. At this point in the video, the alarm is going off. You'll just have to take my word for it, but it is.
Um, and we've also managed to clone the antenna because it's attempted to communicate, or clone the ID because they attempted to communicate with the antenna. Now when we send unlock, the alarm shuts off and the car unlocks. Okay, let's try this again. I won't want, it's going, we don't hear anything. Okay, so where's my mouse? Okay, I'll let you see the-

So what we have here is a Subaru Impreza that has a Fortin remote start and alarm system installed and plugged into the antenna data link bus. I have my Particle. And if we send an unlock command from the Particle, um, you'll send the command, but nothing will happen. What we can do then is we can just clone an existing antenna. So if we, um, tell the firmware that, hey, we want to clone, um, an existing antenna, now we just need to generate a message that is going to cause the remote start unit to reach out to one of the antennas and try to tell it something. So in this case, that's as simple as opening the door. Now the alarm may be going off, but we've managed to clone the address. Now we can just send an unlock command and we've unlocked the car and disabled the alarm. So at this point, we've managed to send a command to the remote start system, get it to honor it, all without the key.

So now let's try starting the car. Okay, now let's say we want to actually start the car. Normally, um, if we just type start and we try to run the start command, it won't work. And the reason is this car is a manual transmission. And remote start systems, um, will normally have a special procedure when it comes to manual transmissions. In this case, it's, you have to, uh, with the key in the ignition, um, hit the remote start button while the car is running. And then you can pull the key out, walk out the side of the car and when you shut the door, it, the remote start will shut off the engine and it will lock the doors. And this is to keep the car from ever remote starting while it's in drive because that's dangerous.
However, it's not really a security feature. And to prove that, it's as simple as, if we take a look at one of these remote start units, um, what makes it, um, work in the manual transmission mode is this loop of wire here. If you cut this loop of wire, it switches to the automatic, uh, transmission mode. And that case doesn't require any special setup. So we just saw the start didn't do anything. So what I'm going to do is I'm going to return to the dash. I'm going to cut this connection, um, to make that easy for this demo. I just install a switch on this loop. Okay, the connection's been cut. Now, if we rerun the start command, this time, the car starts right up.

So at this point, we have a car that we can start. Um, we can add the remote to it. We can start it without a key. Um, but if you have a remote start unit, you know that that's not everything you need to do. There's normally a key takeover procedure. You normally, well, you shouldn't be able to drive away on a car that's remote started. But let's say we want to drive away on a car that was remote started. How would we do that? One of these times I could feel something. So to disable the wheel lock, um, I've put a normal key in the ignition. This does not have the transponder in it. So it cannot actually be used to start the car. However, we have it in the ignition, and we actually only have it in the accessory position. And that is enough to disable the, the wheel lock on the Subaru Impreza. Um, you don't have to go all the way to ignition to get the wheel lock to cut off. Um, and now, okay, sorry, not my computer. Don't know what's going on there. Okay. I want this video. Let's try this again. There we go.

So now that we have the car started without a key, let's say we want to drive off. This is where it gets a little bit tricky because these remote start systems will have some form of key takeover.
And what that means is we can, the owner can put the key in the ignition, turn it to the ignition setting, and then transfer over to that. Um, but if we don't have the key, the moment we press the brake pedal to drive off, the car will shut down. Now, if we want to get around that, it's fairly simple. We just have to figure out how the car is telling the remote starter, um, that the brake is being pressed. In this case, that's happening over CAN bus and plugged into one of these ports back here is the CAN bus connection. And if we just unplug that while the car is remote started, um, it'll no longer care if the brake is being pressed. Now, because that's under the dash, what I'm going to do here is I'm going to, um, start and unlock the car so I can get out and get that disabled. I'll show you that in a second. Okay. Now we're under the dash here and I have my remote starter, um, right down here. And there's a little white connector here. And that's the connection to the CAN bus. If I unplug that, you'll see that the car is still running and we still do not have a key in the ignition. And at this point, if I get in the car and hit the brake, so if I press the brake, the car will not shut off. And that's because it doesn't know the brake pedal is being pressed. So at this point, we can get in the car, we can put the car in drive, and we can proceed to drive off in the car. All without a key.

Okay, so there's an important note to make there. Um, and that was that click you heard at the end. That was actually the wheel lock of the car itself engaging. So the wheel lock is entirely mechanical. So we can't defeat that electronically here. Um, you would have to use something mechanical to get around that. So breaking the cylinder or something else. Something I really wasn't interested in doing in her car. So all the firmware for what I demoed is available out on GitHub. It'll be made public after this talk. You just go to github.com forward slash jmax open remote start.
Um, you'll find the fur- the firmware I was using along with the schematic, um, for my little dot board there.

But now let's get on what you're really here for. Which is what happens when we add the internet to this system. Cause that should make it better, right? Um, as I mentioned, the unit I got is the MyCar unit. But MyCar is sold under many different names. And the unit I got was branded Linkr LT by Omega. But this isn't the only brand name it's sold under. It's sold under MyCar, um, MyCar Vision, Carlink, Linkr. Um, but also Kia. It seems for a while Kia dealerships in Canada were installing this system. Or at least that's what the MyCar Kia app seemed to imply based on subscription. Interestingly, that application is no longer available in the app store. I also want to note that while I'm just looking at MyCar and Fortin here, um, that doesn't necessarily mean other systems are better. At the same time I was doing this research, Cybergibbons and Pen Test Partners were looking at other systems with similar capabilities. Um, and they found very similar issues with those systems as well. Which brings me to the real question. The thing I want everyone to be thinking about, which is how does this happen? How does a product with the issues I'm about to show you make it to market, um, without anyone saying anything?

And if anyone here has an interest in looking at remote car starters, there's a couple things I want to point out. Um, first as I mentioned earlier, if a remote start system is misinstalled in a manual transmission vehicle, it's possible that the car can start while in gear. Um, this means the car can actually begin moving and the engine can actually start up. Um, and now you have a car that's moving without anyone behind the wheel. Um, so that's obviously dangerous. Um, but there's actually a more subtle and I think, uh, bigger risk.
And that's, if someone parks a car with a remote start system in an attached garage and it's remote started, um, accidentally or without their knowledge, carbon monoxide can enter the home. And that can create a very dangerous situation. So if you do have a remote start system, you should definitely have carbon monoxide detectors. Um, but also if you are looking at a remote car start system, just like with locks, never start a car you don't own and that you don't know where it is. Um, because the consequences could be dire.

So looking at the MyCar unit, it's this little black box with this eight pin header. Two of those pins are actually for a debug interface. Um, connecting to this debug interface, it's obvious the unit is running Linux. A fact which, as far as I can tell, the manufacturer does not disclose. Um, if you want to drop into the Linux shell, uh, the password is actually OELinux123. Um, so if you do get one of these, there you go. Um, but without logging in, you can use something they called the AT engine. And this lets you run AT style commands on the command line so you can do things like change the IP address the unit is talking to. And if we look at the diagram at the bottom where it says IP, this is actually the server that the MyCar unit talks to to communicate updates. Um, and just underneath that there's an L port, that's the port that this is listening on to receive commands. By using the AT engine and changing the IP this was talking to, changing it from one that MyCar controlled to one I controlled, I was able to determine that this device is talking via unencrypted UDP. Um, I didn't do much looking into that, but I thought that was fairly, um, significant and interesting. So here's some more information on this if you want to pick one of these up. Um, couple things to note, uh, voltage kind of matters on that UART and, while some documentation seemed to imply it could be tolerant of much higher voltages.
And the next story I'll tell you shows that, eh, you gotta be a little bit more careful. So as I said, where I live, it gets cold. And about, about a month after I gave the system to my girlfriend, my curiosity got the better of me. When I installed the system, I had a nagging suspicion that it's opening her up to some security risks. But I said, you know, don't look, ignorance is bliss, just don't think about it, just don't think about it, and I was able to do that for about a month. And after a month, I pulled the cellular unit out of her car, put it on my bench and started playing with it. And the forecast for the next week was cold, negative 30 Fahrenheit. Um, and you know, I was able to connect to the shell, get working, and the cellular reception in my home lab is not that great. Um, so at some point I decided I want to work on it with a different computer. And the FTDI device I'm using doesn't have a particularly long cord, so I go find a different one, plug it in my computer, plug it into the remote start unit, power everything up, and all the magic smoke leaves the unit. And she's flying out tomorrow. Um, so at that point there's a lesson learned there. Um, if you want to do any type of hardware hacking and you can't afford to lose the unit, always have a spare. Um, but if you ask, ask my girlfriend, the moral of the story may be, if your significant other is a hacker, don't let them play with your Christmas presents.

So now let's look at the software. Um, no chance of magic smoke here I hope. Uh, the, I, I fire up a man-in-the-middle proxy, I disable SSL validation on my phone and begin sniffing what traffic is being sent by the application to the back end. And during the registration process I noticed it takes my email address, sends it to a web service to check to see if that email address is tied to an existing account. And it's using basic authentication, which is interesting because I haven't created an account yet.
So I don't really know what to do with that and kinda just file, file it away in, in a notepad and move on. I create my account, I log in and one of the first things you do, the application does when you log in is it calls a web service to check who the current user is. So I just call that web service with the credentials that I saw earlier that were used to check to see if my email address exists. And the response that I get back is MyCar admin. Now at this point I really don't think this is the admin because this has to be a low privileged account with a really important sounding title. After all we all know people like this. So I create another request to start my car using this account. I hit send and I get back 200 OK. And about three seconds later my car starts right up. So it turns out the MyCar admin account was an admin account. Hardcoded into the mobile application.

But it doesn't stop there. In the previous response you may have seen this thing called API key. Again from monitoring traffic with man-in-the-middle proxy, I know that you can use these API keys in place of a username and password. If you use the fixed username API and one of these API keys you can authenticate as that user. So I copy and paste this, this string into the password field on Postman. Set my username to API and I hit send and it doesn't work. I don't get back a response. And I don't really know what's going on. I'm a little confused. I stare at it for probably a good five minutes and then it dawns on me. I forgot to strip the quotes and the comma from API key. And looking at the response there's a SQL error. At this point it's apparent that you could just, could have just used basic SQL injection to bypass the entire login process and become the admin or any user you wanted. Like this is not at all complicated. So let's have some fun with SQL injection. I don't think anyone's ever started a car with SQL injection before. So let's try that.
So I craft a SQL injection that targets my user account, skips the whole password thing. We'll just use SQL injection for that. Hit send. I get back my, my status 200 OK. But this time I was smart enough to record a video. Now it's a little, the video is a little dark because I didn't realize I was going to be doing this talk at that time so. So this works the correct side. Just start via SQL injection. Sorry one of these times I'll get this right. Okay where is the window? And it looks like the command was sent. So this is in my office looking outside. You can see the reflection of my computer screen there. And there the car was starting. Okay so there we go. We've started a car with SQL injection.

But it really doesn't stop there. They didn't just have SQL injection in the login. They had SQL injection everywhere. Whether it be the URL path, query string parameters, bodies. It seemed like everywhere you looked there was SQL injection. And looking at the error messages from the, from looking at the SQL error messages we can see that what we're entering as a, as a password is being compared directly against a column named password in the database. So what this means is they have plain text passwords and SQL injection. As they say, not good, very bad.

Okay so that's enough of that SQL injection stuff. Let's see what else we can do. So as I showed before here's how you remote start a car. Um you just post a command to this commands API saying your command type of engine start. And you get back an integer ID representing the command ID. You can then poll a service with uh you can then poll a service to get the status of that command. And it looks something like this. And so you know I get to thinking and I increment and decrement my command ID and I notice I get responses back. It seems to be pulling any command ID.
Try a couple more values and sure enough it's pulling back any command ID in the sys- or any command that's ever been sent in the system. Now there's not really anything sensitive here. So it's not really that big of a deal but I get to thinking maybe there's um a direct object reference that I could use to start my car. So I take the start command from a legitimate user for my user account and try to call it via my second user account that shouldn't have access. And I get back an error message saying 401 unauthorized account out of hierarchy. So maybe it won't work. However if you look at that API there's actually duplicate information. The user's email address and their account ID are roughly corollary. Both specify a user. And if you design APIs or rather if you hack APIs duplicate information is a source of bugs. In this case a developer could implement this in these four different ways. So if we look at cases 2 and case 3 both highlighted in red those will result in direct object reference. Both of those don't properly check to see if we're authorized to run the command. So what we can do, so we try case 2, it didn't work, what about case 3? To try case 3 we simply have to change the account ID in the URL. Previously we're using the victim's account ID. Let's just use the attacker's account ID. So I set the account ID to be the attacker's account ID rather than the victim's. Keep the device ID as the victim's device and send the command. And sure enough 200 OK. I get back my command status and a couple seconds later my car starts right up.

So what does this mean? So via three different vectors we're able to basically do anything a legitimate user can do. But let's call out what that is. We can locate any vehicle in the service. We can identify uh the type of vehicle that is. Make and model. We can unlock the car. We can start the car. Um we can edit the car. We can do anything. And 3, there's 3 different ways of doing this.
So obviously MyCar tried to fix some of this. Um in the case of the uh hard coded passwords it seems they just put a reverse proxy out in front of the application to hide the credentials they were using. Well you see there's a problem with this. Reverse proxies aren't magic and they don't fix everything. And in this case they kept the SQL injection in the backing service. And so while I no longer have the password I still have had no auth, that I still with no authentication could do SQL injection via the check user. So that was interesting and at that point I decided okay let's see what else is here. Let's see if they left more. And the device registration still seemed to have SQL injection. And both of these things still seem to be, still seem to be vulnerable up until about 36 to 24 hours ago. So um yeah.

So googling around, you may have noticed all the URLs here are m2msuite.com. And so I decided I'd hit Google and search for m2msuite. And it came up with this um site. This must be some type of back end interface for the MyCar system. And so obviously the only thing one should do when they see this is throw a couple single quotes in there and see what happens. And of course what happens is you get SQL injection. And this is months after the initial disclosure that they had a problem with SQL injection. Um so if you have SQL injection you should really fix it as soon as possible.

Um but none of this is what I consider to be the most offensive bit of this all. And that's actually has to do with location. So MyCar has a GPS unit, it can track the location of car and in their application they will gladly show you your car's current location. And that's the only way this gets used in the application. Now if we look at their APIs it's not just your car's current location. They seem to be storing a heck of a lot of information. Uh much more than what is needed to keep track of your car's current location.
In the case of my account over the span of 13 days they have a little under 2000 data points about my vehicle's location. None of this was disclosed in their privacy policy. But it gets worse than that. Maybe you could argue this was a development mistake. Maybe this is a side effect of the way the service is implemented. There's another API where they analyze your data. And instead of just having a list of places you've been they identify top locations your vehicle has been. Frequent places you visit. Again to my knowledge this is not disclosed in the privacy policy. I can't find anything there that would um indicate they were going to do this.

So maybe this isn't that surprising though. Because after a bunch of searching I believe I found the parent company of MyCar. And they're a company called Procon Analytics. And so I went to their site and went to the frequently asked question page and looked at the question how do you secure data? And to this they said unlike public cloud environments that battle for priority Procon Analytics uses virtual private cloud that supports only our customers and applications. With no interference from other users this dedicated highly secure environment ensures higher availability faster delivery of service. When you partner with Procon Analytics you can be assured your data is secure and protected. I really don't even know what to say to that. But if we head over to their Facebook page they say more. There they simply say protecting vehicle data is vital. And to that I have to say I agree.

So back to the question that I said at the beginning of this talk. How does this happen? And maybe more importantly as an industry how do we stop this from happening again? And so that's my talk and at this point I'll take any questions you have.

Okay so the question is did they fix everything? At this point I believe everything I reported is fixed on the MyCar side with the exception of the privacy stuff I mentioned at the end.
Last I checked that was all still the case. I don't know. I don't have any vectors that I know of that generate SQL error messages though I haven't looked too hard.

Could you come closer so I can hear you? Sure. So when I said I could edit the car, the question about was when you said you could edit the car could you edit parameters in like the ECU? What I was specifically referring to there was editing the car in the MyCar service. So they keep a digital representation of your car and so that could have been edited via the direct object reference, SQL injection or any of the other vectors discussed.

So the question was about do you know if a push button start system will allow you to unlock the steering wheel to get around the steering wheel lock. So my car has a push button and there is no steering wheel lock. So I suspect that if you installed one of these in a push button car you definitely couldn't rely on a steering wheel lock. Cool. Thank you.
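
Added example (not part of the talk, and not code from the speaker or from the MyCar service): a server-side sketch of the checks whose absence the talk describes, namely login input that never reaches the SQL text, passwords stored only as salted hashes, and a command endpoint that ties the authenticated caller, the account ID in the URL and the device ID together. The schema, function names, sample accounts and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # example work factor (assumption); tune for production


def _hash(password, salt):
    # Salted, slow hash: the database never holds a plaintext password column.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db():
    """Build a constructed in-memory data set: two accounts, one device each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                               salt BLOB, pw_hash BLOB);
        CREATE TABLE devices  (id INTEGER PRIMARY KEY,
                               account_id INTEGER REFERENCES accounts(id));
    """)
    users = [(1, "owner@example.test", "correct horse"),
             (2, "other@example.test", "battery staple")]
    for acct_id, email, password in users:
        salt = os.urandom(16)
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                     (acct_id, email, salt, _hash(password, salt)))
    conn.executemany("INSERT INTO devices VALUES (?, ?)", [(100, 1), (200, 2)])
    return conn


def login(conn, email, password):
    """Return the account id for valid credentials, else None."""
    # The ? placeholder keeps user input out of the SQL text, so a quote in
    # the email or password is data and cannot change the query.
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM accounts WHERE email = ?",
        (email,)).fetchone()
    if row is None:
        return None
    acct_id, salt, stored = row
    # Constant-time comparison of derived hashes, never of plaintext.
    if hmac.compare_digest(_hash(password, salt), stored):
        return acct_id
    return None


def may_command(conn, auth_account_id, url_account_id, device_id):
    """Allow a command only if caller, URL account and device all agree."""
    # Check 1: the account named in the URL must be the authenticated one.
    if auth_account_id is None or auth_account_id != url_account_id:
        return False
    # Check 2: the device must belong to that same account. Skipping this
    # is what lets a caller pair their own account ID with another device.
    row = conn.execute(
        "SELECT 1 FROM devices WHERE id = ? AND account_id = ?",
        (device_id, url_account_id)).fetchone()
    return row is not None


def post_engine_start(conn, email, password, url_account_id, device_id):
    """Hypothetical handler: returns the HTTP status the endpoint would send."""
    acct = login(conn, email, password)
    if acct is None:
        return 401
    if not may_command(conn, acct, url_account_id, device_id):
        return 403
    return 200


if __name__ == "__main__":
    db = make_db()
    me = ("other@example.test", "battery staple")
    print("own device:", post_engine_start(db, *me, 2, 200))
    print("other account in URL:", post_engine_start(db, *me, 1, 100))
    print("own account, other device:", post_engine_start(db, *me, 2, 100))
```
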