Good, hi everyone. Can you hear me fine? Okay, so I'm Andrea Barisani. I'm from Italy. He's Daniele Bianco, and we had this little project about playing with cars and traffic information, and we just want to share our fun research with you, and I think you're the perfect audience for this. So we gave this presentation at Black Hat and one other conference as well, but I mean, I'm very honored to be here and explaining all of this to you.

So as you can see, we have some gear here that we brought to the States, and as you can imagine, that wasn't a very easy thing to do. Because when you travel with this kind of thing in the baggage, you always get these kind of things: so, TSA baggage inspection notice. And this is our FM transmitter, which kind of looks like a bomb. And so when the TSA officers, you know, got it at the inspection... There's a small switch over there, so he got it and he said, "Okay, let's try this. Boom." So apparently TSA officers are allowed to make those kind of jokes. Well, if you made those jokes, you get arrested. So I found that to be very, very, very amusing. But anyway, we got the gear; they broke it, but we fixed this, so hopefully we're going to demo the thing for you. We also have a, you know, slightly big antenna over there, which we call the sterilizer, so if you ask silly questions at the Q&A, we just point it at you with full power.

So, injecting traffic information signals. So what's this about? This is about one hacker, or well, I mean, I hope so, getting a new car with a new satellite navigation system and traffic information channel going on, and before even driving the car, thinking, "Oh wow, that could be interesting. I could play with that. Let's see what's going on." So in-car satellite navigation systems in Europe and in other places, I'm going to go in detail about that, so they can get dynamic traffic information, and the system being used for that is called RDS-TMC, okay?
So we'll show how we can hijack these kind of messages and do pretty much whatever we want. So why do we want to do it? We do it because hardware hacking is fun, because it's very 80s, because we're, you know, using FM, RDS, so 80s, which means cool. And also the problem is that drivers usually implicitly trust this kind of information in the car. So my dad has a similar navigation system. He sees an alert over there: "Oh, I'm so going to do that." So this could be a slight problem. And more important, chicks will melt when you show this, and we're going to prove that to you, which is basically the whole point. I mean, we don't hack for money. We hack for chicks.

So, Radio Data System. So RDS is used for transmitting data over FM. Whenever you have a station and you see the name of a station on your radio, that's RDS doing some work for you. Okay, so it's used pretty much everywhere. 100% of radios nowadays, they display RDS. The system is described in a standard. So what happens here? Here we have... can you see the pointer somewhere? Okay. So we have the mono section of the FM spectrum, we have a pilot tone at 19 kHz, then we got the stereo information, and then at the 57 kHz subcarrier we have the RDS signal, which... what are you doing? ...which is used for... I mean, I'm, like, talking to people here. I'm sorry. Yeah. So at 57 kHz we get zeros and ones over there. Okay, so not audio; we get something that is going to be demodulated and we can get data, and so, cool, we have the digital world.

So RDS-TMC was first introduced in Germany in 1997, you know, where else? Germany. So it was implemented in Europe in the following years. So Italy got it in 2004, and just so you know, it's a very old technology, like, RDS is very 80s. But Australia is getting RDS-TMC in 2007, right?
And most satellite navigation systems are using this kind of Traffic Message Channel thing only in the last couple of years, so it's very, very relevant. So what happens: you got your traffic messages, like, the cops, the, you know, stations on the highway, they detect a queue or whatever, and they're sent to FM broadcasters, and then they are going to send the information over their RDS stream, and then that's going to be picked up by your car.

So it's implemented in most... so if you buy a car, you know, you get a satellite navigation system within the car, so it's built in, then most of the times you get TMC. Or if you buy a high-end portable satellite navigation system, you get TMC. If you buy a low-end navigation system, you can buy an external antenna, and you pay for it, you install additional software, and you can get RDS-TMC capabilities. TMC is available in both free and commercial services, and I'm going to go in detail about that, and it can also be transmitted over digital radio, and our research applies as well.

So that's an RDS-TMC terminal. So we can see we have the traffic event list. So we have a very cute icon, then we got the event, so there's the patchy fog, the first two, and slow traffic, then we have the name of the road. And so those are Italian, you know, the roads, so the name is weird. I'm sorry for that.
I apologize. And then we got how far the event is, and if you click on that, or whatever you press on them, then you got a map and then you can see where the event is. And this is, like, interactive; you can see the event list, so if an event is affecting your route, then you're going to get a pop-up in some circumstances. Okay, so you can either browse the existing messages or it's going to pop up for you.

So, the issue: there's no form of authentication of the data. There's some form of encryption supported, but it's not really encryption, and I'm going to explain about that, and anyway, even if it was properly done, is absolutely relevant to our goals. So what we wanted to do: we wanted to send fake TMC messages against our victim by using off-the-shelf components. So we didn't want to spend, like, ten thousand dollars for doing this; more or less, like, a hundred, and you'll be the judge of our results.

This is the victim. So it's very cool: when you're doing IT talks, like, you got the victim slide and it's, like, a box or a server. This is a fucking car. That was my secondary motivation for doing the talk; the first one was chicks, as I mentioned already. So this is the victim.

So first thing we need to do is, like, sniff RDS information for actually understanding the protocol and see what's going on. So we need to get a raw FM signal, right? We don't want the audio component; I want the whole spectrum so that I can play with it and I can demodulate my RDS subcarrier. So the easiest way for doing that: you buy a PCI audio/video tuner, the cards that you put in a PC for, you know, watching television or radio. And what happens? So this is the board, and that's a normal PC, by the way, without a case, but this way it's more hacky and cool. And so what happens?
You can hijack one of the pins on the board and you will get the raw FM signal, and then you can do whatever you want with it. So if you go to that link, there's a list of cards; you can find tuners that are known to have this MPX pin available. So we use the one using the FM1216 module from Philips, which is available on, like, 80 percent of boards that have FM tuning capabilities.

So once we have the carrier, we build a circuit using a TDA7330B, which is one of the most common chips used in cars for demodulating RDS. Okay, so that chip does the job for us, and then what we want to do is, we want to be able to read the data, right? And so we use a programmable integrated controller for converting that information into serial, so we can hook that up to a PC and then we can see stuff. And then we can decode whatever is going on there, and we wrote our own software, sRDSd, which is available open source, for decoding RDS and specifically RDS-TMC. So there's one other project going on, RDSd, you will see there, which tries to do the same thing, but it's outdated, it's not being updated in a long time, and we just wanted to focus on TMC and they don't, so that's why we did our own thing. Plus, it's cool.

So this is the board, which is, this pin in there, that's the pin we hijack. TMC. So maybe you can turn these lights off so that they can see the slides better. I don't know, I don't know if you can see this, probably, but anyway. So this is triggered. So you might... are you busy, or shall I talk? Okay, he's busy. Okay, cool.

So, sniffing RDS. So what happens? We have a VHF tuner. Okay, we get the MPX signal. We pass it over a circuit. This is the circuit. Okay, very crude thing. So here we got a TDA, which is this thing here, and then we got logic for converting this to serial. So it comes in MPX, it gets out serial, and zeros and ones, which is cool. So we take that digital signal and we pass it over to the serial input of the PC, and then we have our RDS decoder software.
Okay. So, main components: one TDA7330B, which is, like, you know, 10 bucks; a PIC microcontroller, which is, like, 7 bucks; and, you know, this board doesn't cost more, and, yes, 16 dollars or whatever. Assembly: so you can see our very advanced lab. So we even got a bed near the assembly for, like, burning the circuit, so, because we wanted to attend and nurse, you know, our assembly. This is the circuit. So if you want to build it on your own, you can, you know, get those slides on our website. You can do it. It's very easy. I mean, we're not technical guys, right? We talk on the keyboard all day. So if we were able to do this, anyone can do it, trust me on that.

So, PIC programming. So we program the PIC for converting the RDS signal. We use a custom PIC programmer, which is a variation of a very well-known programmer, so it's all, you know, standard stuff. And what we get out are zeros and ones if the quality is good. So the demodulator chip knows when the signal is bad or when the signal is good, because it's performing some sort of checks and things. So if the data is bad, with an asterisk and a plus. Okay, so what you can do: you can either ignore sequences with bad data or you can replace them with zeros and ones, and if you feel lucky, maybe, I mean, it's going to work. So we program the PIC with our own assembler code, which is available open source. You can download it and have fun with it, so you can do everything that we did here.

So this is the output. So that's an oscilloscope. That's the RDS signal sniffed over the air. So there's a wave, and that represents zeros and ones, and that's one example of what we can get. So zeros and ones; that's a very crappy signal, so we can see some zeros and ones, and the other ones are crappy data. Can we get a demo or...? Okay, well, fix it. He's my slave. Not in a sexual way. I should be careful.

So this is the RDS protocol. It's very simple. It's, I mean, it's designed to be space efficient because there's not much room for sending it. It's not like we have wireless in here.
It's, like, radio. So we have a group of 104 bits. We have four blocks; every block is 26 bits: 16 bits of data and 10 bits of checkword. The checkword is like a checksum. It's computed against the data and we can see if the packet was good or not. Of course, this is not like, you know, normal checksums, which are very reliable, since we have, you know, like, 26 bits. It's not too much. It's binary zeros and ones; even if the checkword is right, it doesn't necessarily mean that the data is good. You can get a good checksum, a checksum that matches the data, but still it's not good. So not a very safe method. And that's why sometimes on your radio, when you see the program name, it's, like, garbled. It's like "radio question mark, whatever". Even if the checksum computation is working, you can get bad data.

The first block of every group structure has a PI code, which is a Program Identification code. Every radio station has one code. It's 16 bits. And in block two we got a group code, which is used for advertising what kind of packet this will be. So with RDS we can send the station name, we can send alternate frequencies, we can send you the time, we can send you the information about the current channel being broadcast, traffic program. So that's advertised by the group code. So depending on what group code we get, which is a four-bit code, those remaining five bits over there, they change. Then we got B0, one bit, it's for version. TP is the traffic program: it's one if a traffic program is going on, it's zero if there's no traffic program going on, and that's being used because you can tell your radio, "Stop the CD or the cassette when there's a traffic information program," which, you know, drives crazy most people that, you know, buy a radio for the first time. At least I remember, 15 years ago, my dad was going crazy.
"I want to listen to the cassette and then there's news information." But so that's the fucker that does that. And PTY tells you what kind of music you're listening to; it could be jazz, country, blues, whatever. So on some radios you can tell, "I only want to listen to jazz music," and then you can do that. And I've never seen that being used at all. Anyway, it's there.

So TMC uses RDS in this fashion. So we have the PI code, of course, that, you know, should be there, group code, B0, TP, PTY, and then we've got three bits: T, F and DP. Then we've got a direction bit, a PN bit, the extent, so the extent of the event, event and location. So let's go in detail in all of these. So this is a TMC message.

So T, F and D are used for multi-group messages. So in TMC we can either get our information in one group structure or we can get our information in more group structures. So if you want to send more information, they can do that. We are only concerned with single-group messages here, because it's easier.

DP is duration and persistence. I get an accident: we estimate it's going to last for one hour. Or you get a queue: we estimate it's going to last for three hours. We got a telephone emergency, telephones not working on the highway: that's an all-day event. So that's being used for telling you how long the message should be stored on your satellite navigation system.

Diversion advice: if it's zero, the satellite navigation system does not recommend you a diversion. Okay, so suppose there's a weather message, like rain. The satellite navigation system is not going to say, "Oh my god, there's rain. Please use a different road." No, that's not going to happen. But if there's, like, you know, a major accident on the highway, then the satellite navigation is going to pop up a window saying, you know, "There's an accident. You really want to go somewhere else," and then you can decide if you want to detour, so calculate a new route which eludes that accident, or to stick on your current path.

PN is used for direction.
So we want to be space efficient, right? So we have a location code on a highway, and then with that bit we say if the event is affecting one direction or the other one. And also we got the extent, so the event extension. We can get a queue which is, like, three miles long, four miles long or one mile long. Okay, so that's what it's used for.

And then the event code, which actually says what's going on. So there's a table on every satellite navigation system with predefined codes. So the satellite navigation system gets the code, it converts it to a human-readable message, and then you get your event.

Same thing for the location code. So there's not enough space for sending GPS coordinates. So what happens: every satellite navigation system in every country has its own location database table, and in that table you're going to map location codes with GPS coordinates and road names as well. Okay, so one important thing to understand is that we can only send and receive messages about predefined location codes. We cannot send the message where I want, like here. Not only on roads; in most cities you can also send messages in the city, in ports, it depends, but anyway, it's a predefined location table. There's a standard for the location table. Some countries give you a public table, so you can download it on the internet, or sometimes you need to hack your satellite navigation system for getting it. So you got your DVD for your navigation system, you do strings on it: "Oh, oops, I can see a location code." But you're not supposed to do that.

So we built our own tool, sRDSd, Simple RDS Decoder. So it performs nearly full RDS-TMC decoding. It's the only tool we are aware of that does that, except for satellite navigation systems. So you can get text and HTML output.
It's very easy to use, and you can pass a location table to the tool, so it's going to convert your location code to actual GPS coordinates and stuff.

So you get a row as you work bitch, so... You get a raw signal, which is zeros and ones, so the first thing you need to do is lock in on the PI code, because that's where your RDS stream starts. The PI code is public most of the times. You can download very big Excel sheets on the internet with all the FM stations and you can get the PI code. But don't worry if you don't know about the PI code. It's simply the most recurring string in the stream, because it appears in the first packet of every RDS group. So you just use the minus capital P option and you can find the most recurring string, which in this case is 5218. And that's also a hint: the first digit of the PI code, it depends on the country. So we know that five is Italy. So that's our candidate, and then you can use it for decoding the raw stream.

Okay, and then you can see the packets going on. So this is like Ethereal or Wireshark for RDS messages. So this is a standard RDS message. It's a 0A group; it's tuning information, okay, and this is also the one that gives you the name of the station, and in every packet we can get only two letters. So we got "RT" here. And also the tool gives you the collected letters. So the name of this station is RTL 102.5, and here we got "RT", okay.

So this is very useful, because when you're messing with such a short protocol and you got zeros and ones, even if all zeros and ones are garbled up, you're going to get something that makes sense, because it's always going to decode, right? So one way for checking that you're actually getting a real thing and you're not messing up the circuit completely is checking the name of the station. If it makes sense, then it means your tuning is good, everything is working. Okay, or of course you can also check the checkword, but as I said, it's not very reliable.
So this is: our tool decodes that just for, you know, seeing things going on and actually confirming that you're getting a good dump.

8A groups. So 8A groups are used for the TMC message itself. So this is a single-group message; it's about slow traffic. So that code 115 is slow traffic, and then we got the location, which is 3084, which is a very, very big road in Rome, and you get these all the time. We're in Italy, remember? So you're flooded by slow traffic everywhere, and accidents. And here, there you get a Google Maps link, so you can click on it and you can see if actually your message makes sense. We also got a version that plots everything on Google Maps, and I'm going to show you that.

And this is a 3A group. So, very important thing: this is used for advertising the TMC capability on that channel, because it's not that your satellite navigation system is going to watch on all frequencies. It needs something that advertises the fact that TMC is being used, and that's using the 3A group, which is a general packet. It's not specific to TMC, but this packet has an application ID of 52550, which is the number reserved for TMC. And then you can get a custom data part. So it says which location table and table number I'm looking for, and if this is an international scope, a national scope or a regional scope. So it's another advertisement of TMC capabilities.

So this is plotting all events on Google Maps, which is also useful to see if the messages make sense. So if you see big chunks of events in Rome and Milan, you're set. I mean, it makes perfect, perfect sense.

Now, video clip time. So we want to show you why injecting RDS-TMC is good and why you can get laid because of that. So we thought it was very, very important to stress that point.
So we got a video for you. In this video we mention the first conference the video was shown at, but you're not going to see that, because I will be redubbing that part with my magic ninja skills. So just pretend you're not hearing that. So it's a very cheesy movie. Do we want to see the cheesy movie? Good. DEF CON, prepare to be rocked.

"Okay, darling, let's go home." "Okay, sweetheart." "I love my new toy." "I know, you love it more than me." "We have to the I trust in mine." "Shut up." "Look how good is the navigator now, huh?" "Here, and with my portable device, I injected RDS-TMC messages onto your navigator. So now you are in my power. I'm the evil hacker, and I have all this knowledge because I follow that one, the best conference in the world. Can you feel my power?" "Love me."

Got the chick. Case in point: it works. But warning: your experience may differ. Cannot vouch for that. So that's why I wanted to do that. So does it work now? Yeah? Oh, really? Okay, just like, you fixed it, good.

So, injecting RDS-TMC messages. So we use a commercially available RDS encoder for the box. You can build your own; we just didn't have time for it. It's very easy to do. And you can talk to this thing using the I2C bus, which is a very, very common bus. So this thing comes with a software that you can use for, you know, crafting very standard messages about radio tuning. We just built our own code so that we can fully send whatever we want. Okay, so we set all parameters, PI, PTY and that's all, and then we got the three free RDS blocks that we can program as we want, and the checkword is automatically computed by the chipset. Okay, so we don't need to worry about that. And there you got a link; you can download the code, and then we can do whatever we want with it.

So this is how we do it. So the code is very crude. So "crude" is "code rushed and ugly because of unexpected deadline". And you modify the source code, and there you can set whatever you want to send. So you set the PI buff, the name of the station, and then you
got your two custom fields. So you set hexadecimal values there, so we can see the first one is 85, which, translated into binary, so we got 1 0 0 0 1 0 1, and the first four bits are the group, which then is 8, so it's an 8A group. Or we can see there we got the event, which is 0 1 1 0 1 1 0 0, which goes to 108, and then that's queuing traffic. Okay, so we can see binary. That's like being Neo in The Matrix. Cool. Forget assembler; doing binary, it's way cooler. And then you can set a location table. Okay, so you know the location table; you can set the destination of the message. If you don't know about that, you just sniff some messages, you correlate that with whatever you're seeing on your navigation system, and then you can build your own table if you cannot dump it from the navigation system.

So this is how it works. We got our I2C application talking over the parallel port to the RDS encoder. Okay, and then, very important thing, we got an FM transmitter, which is that thing, the thing that looked like a bomb. Okay, so main components: one encoder, one transmitter, one PIC again. We need a digital PLL tuning and then an antenna. So for building the FM transmitter, which is one of the, you know, most critical parts here: it needs to be very, very stable, because we're not sending audio information; we're sending a digital signal. So it needs to be very stable, and so that's why we need a digital PLL tuning. And also we want to be able to use whatever frequency we want. We just do not want to stick on one frequency, because we want to hijack existing channels and all that kind of stuff. Okay, so that's how we do it, and then we add a big antenna. But actually we use a small cable now, because we don't want to piss off other broadcasters.
That would be very bad. Of course, we didn't try it, right, with a big antenna. We didn't, you know, like, hijack soccer matches and stuff, and, you know, we totally didn't do that.

So this is the injection circuitry: the RDS encoder and the FM transmitter, okay. So the FM transmitter, so it can be tuned to arbitrary frequencies, in order to have a stable one. We can cover long distances very easily. So if you push one watt of energy on that antenna, you can get two miles very, very easily, okay? Otherwise you can just put a cable. So you see that light going on? That's working as an antenna right now, and then your range is like one or two meters. It's very, very close. So it depends on what you want to do. You ever want to, like, hide yourself in a tunnel and wait for cars passing through, and, you know, they're not going to see the the wheel seeing them because they're in a tunnel, but you're inside with an antenna, right? So they're going to pick it up. Or if you want to target only one car, you just build a very small device, you can say, in one box, and then you hide it in a trunk. So they drive, they got this thing in the trunk, they're never going to find out, and you're not going to affect anyone else. So, you know, local law is not going to find out about it. Okay, so that's cool, that's evil.

And so that's our antenna, the sterilizer. He was staying out all the time. So resistance is huge. No kids for you, no more. And I had to stay inside a car to check that everything was working properly. Well protected by my Faraday cage.

Anyway, so, video clip time. Let's show you what happens when we obscure a radio station.
Okay, so we tested this on Saturdays and Sundays, at the times where soccer matches are being, you know, played. And we're in Italy, remember. So that's, like, major. We tune to our channel; as long as we get close, we can hear this static noise. So that's our channel, this one. That's 102.5. That's one of the major broadcasters in Italy, and you can hear nothing. We move away from it, and then you can hear the radio going on. Okay, so that's what happened. So we can obscure a radio station. That's cool.

So what we want to do is, we want to find a way for hijacking the channel and sending our messages. So we have two ways for doing that. One way is we hijack an existing channel. So we obscure your soccer match, because we know that on that channel they're sending RDS-TMC messages, and we send 8A groups, so the message itself, because your satellite navigation system has already seen all those 3A groups. It knows already that it wants to tune on that channel. So what happens: you got your navigation system, it sits 10 seconds on every frequency, it gets a 3A group: "Okay, that's a good channel for me. I'm going to cache that information. I'm going to get back to you for getting messages," and so on and so on and so on. So a navigation system usually gets two tuners: one that goes in cycles looking for 3A groups, and then the other one that goes on the channels that were good, getting 8A groups information. So what do we do here? We forget about advertising our channel. We just, you know, hijack an existing one. We completely obscure your soccer match, and then we send whatever we want to send. Okay. You need to be careful with the timing, but it's, you know, very efficient and works.

Also, there's one very important thing to keep in mind: the tuner of your radio in the car is different from the tuner of the sat nav system.
Okay, so this doesn't necessarily mean that the channel you're listening to is the same one that the satellite navigation is, you know, detecting TMC messages on. Okay, so you need to be very unlucky if the driver is listening to the same channel. Okay, but if that's a concern and you really want to be stealthy, you can take an unused frequency, whatever you know that in that region is not going to be used, and you broadcast 3A groups plus 8A groups. So you fake the whole thing, and then your satellite navigation system is going to lock on there, and the nice icon will go from red to green, and that means you're in business. Okay.

So of course what happens is that on that specific channel you won't hear anything. Okay. But there's one thing you can do for being stealthy. So most radio stations, they broadcast on the main frequency and then you got a secondary frequency. Okay, you do not have the same frequency all over Italy. You move around and then you change the frequency. Okay, and RDS radio systems are able to pick up the frequency automatically. You don't need to do anything. That's because there are some packets which send us the alternate frequencies. So what you can do: you can add an additional receiver in these circuits, and then you can tune on the secondary frequency for the channel you're hijacking. So that way you can remix the original audio in, so you can remix your soccer match again, so that you won't be pissed off and you will never notice that I'm hijacking your channel. The only difference would be that the power will be a little, you know, it will be a little bit less powerful than that. So it's very easy to do, so you can be completely, well, almost completely stealth. Okay.

So let's demo what we're going to do here. Okay, it's up to you. There. Not black out. Oh. Sorry, you should talk. Mmm. Oh, they get us leap and run. Yes. We have natural problem. Oh, we got net for problems.
So we're not supposed to have net for problems. You know, we're hackers. Just a sec. This goes here. Maybe that's your problem. Which goes here. That's all lame, you know; they're going to remember this issue. Is that right a beer us? Yeah. Yeah, it's cool. Don't let me down, please. Well, okay, let's skip this; we maybe show you at the Q&A session. Okay. Oh, we got it. It's your fucking switch.

So what we're going to show you: so we got everything on the board. So what we're doing: we are injecting and sniffing at the same time. Okay, so we're using one PC for everything. So we got a tuner there. Okay, and we got an antenna there. Okay, so that sniffs, and then... Okay, and then we had a f... don't do that. And then we got our f... and, okay, if you fucking do that again, you'll be sorry. So then we got the injection system. So that LED over there, which is turned on, is our injection system. So our PC is sending and receiving the channel at the same time.

So there we got the source code. So there we set our packet. So right now, what kind of packet is that? It's a queue on the Milano-Genova, that is a famous road. Yeah, so very realistic. Yeah. Yeah. So what we do now... Also the PS name. The PS name is realistic, it's DEFCON. Yeah, oh, that's very realistic. So right now, if you have an FM radio and you tune on the frequency we're using, you should see DEFCON as the name of the radio station, which is cool. So, program the whole thing. Yeah, so the PS name is DEFCON, the PI code is 5218, and this is the payload of the packet that we want to inject. So, queue on the Milano-Genova. One more beep. Let me... let me do that. Okay, so now... Now we are writing on the EEPROM of our RDS encoder. Okay. So that's over the parallel port, right? Yeah. Yeah, it's quite so-so, okay. What was that? Don't worry. Oh, this fucking keyboard. Okay, that's a think but that's the best keyboard ever.
So shut the fuck up. Okay, so this is the stream, the RDS stream that we get directly on the serial port of the PC. That's like The Matrix, isn't that cool? So we can grab it; you can actually see the structure over there. You can see there's a line going there. There's that recurring set of numbers going from top left to bottom right. Okay, that's probably either our location code or the PI code. So you can see there's something going on over there.

So now we can use our decoder, sRDSd, minus t, because we want to see only the TMC packets. Minus d, we can specify the database location table. So that's a very good quality signal; there's no bad data over there. In real life, if you're tuned correctly, you see it's almost like that; you might get, like, one or two bad bits every, like, every packet or so. But if you convert those to zero or one, it's going to be just fine. Okay, if you have a very, very crappy signal, then it's like half of them is better quality. Okay. Sorry. Yeah, you can talk now. Okay, thank you. Now the PI code. To it, I don't know. The stream file. Okay, so this is the output of our... So that's our packet. Is it, as you show, a queue? Okay, so you can check that it is the same that we have prepared before. So the event code is a queue traffic. If you're pointing your finger on my laptop screen, that's not going to be very helpful for them, isn't it? Okay. We're not there yet, technology-wise. Okay, so maybe Apple is working on that, but I don't know. Sorry. So the event code is our fucking queue traffic. The location code is Milano-Genova. So you have also the link to Google Maps. Okay, so it works. Cool. Thanks, my fix. Don't deserve this spot.

So the fun part begins. What we can do: we can create queues, bad weather, rain, smog, fog, fresh snow, thunderstorms, Silver Surfer, everything. We can create full car parks. "Oh, dad, I so want to go to the amusement park." "You cannot, the car park is full. I'm sorry." So that could be useful if you have kids, right?
Yeah, look, it's full. So, overcrowded service areas. Oh my god. That's kind of useless. I mean, if you got to go, you got to go. All right, so, but anyway, it's there. Accidents, road works and so on. It's not very exciting, but it's still nice.
It gets much better though. Okay, so that's an example: code 108, queuing traffic. Okay, so you can see. Did this the icon over there? You can see that a road, instead of being red, is like bluish, because that's the affected road. Okay, so it's a queue, and if we put the diversion bit to one, the satellite navigation system is going to say, up, there's a queue, get lost.
Closing roads: we can close arbitrary roads, bridges, tunnels with a number of events. There is more than one event for that. Okay, so what happens here: the sat nav will pop up the event set telling you the road is closed. Which is very believable. I tend not to trust queues and accidents messages because they might be old. Okay, so I just go on. If I see a closed road, I might really believe that. My dad surely will believe that. So, but there's one interesting thing. If the closed road is encountered during recalculation, which happens all the time, because you get in a tunnel, you lose the GPS signal, the route gets recalculated, you miss a turn, which happens all the time, especially in Italy, and the route gets recalculated. So if the road is closed, the navigation system is going to silently detour you. It is not going to tell you about it. So if you're driving my place and, you know, don't know the road, I can close all the roads around you. You're going to miss a turn at some point and I can just detour you wherever I want, and then the hitman with a gun can, you know, shoot you, because, oh. So that's bad. So this is also known as keep your parents from reaching home, or keep your girlfriend from reaching home, or keep your boyfriend from reaching home.
Whatever, just, you know, pick one. So that's closed roads. So we closed the Trieste-Venezia, which is, you know, a big road. Okay, so you can see there, so that's the event list, and there on the road you can see a closed sign, and it's closed, and there's the pop-up, so we can detour or we can, you know, return. This is the silent detour thing. So the first image, that's my normal route to home. Okay, you can see the blue line. Then I inject the message and we can see that it's closed and we can see that actually the route, it's different. Maybe you cannot see that very well, but trust me on that. Trust me that it's different. Okay, so that's kind of bad.
Security messages. The event table supports a number of security related messages. So this is where it gets fun. Without anyone ever using them so far. And, you know, in the States you got TSA, Homeland Security. So imagine this: like, you got the president or something with an escort, okay? And these guys are trained to stop everything at the first sign of suspicion. Okay, so what do you think it will happen if they see terrorist incident in the satellite navigation system? They will go, oh fuck. So that's bad. You can put a terrorist incident everywhere. So I don't know why they planned that in the standard, but it's there.
Air raid danger. So I imagine, you know, your FM broadcasting station: oh, we got an air raid on the highway, so maybe we should send them warning to our cars. And they're so polite that in the standard you can send air raid stops, you can, you know, go there. So you can, you can advertise your raid and you can say: okay, look at son, so feel free, do your own thing, be merry on the way. So that's our air raid on our coast road. You know, that's, that's major. So when I started working in the IT business, so I was, you know, trying to make my dad understand, so, what was going on.
So: hey dad, you know, I can hijack system calls from the latest Linux kernel. And my dad went: get a life. So when I show him this picture, it was: oh wow, your job is cool. It was all, finally, ten years after. So we're so sticking to these things. They're much, much better. So forget code for now car or cools.
Air crash. And if you think that's not believable enough, so we put an aircraft near an airport over there. So you got your airport and you got your aircraft. I mean, I would believe that even if I know that I can inject messages. So that, that's kind of major.
Bomb alert. TSA would totally love this. You can put a bomb alert in an airport, too. You know, that's bad. So, and of course you can pop up these messages. Okay, so this, we had a security alert, stationary traffic. So code 1571. So let me show you. So this video clip will be World War Three on a highway. So I'm plotting my route. I want to go there. Toll road? Yes, I can pay. I wait five seconds. Nope, security alert. It's that kind of traffic. There's the hacker over there. So what shall I do? Oh, let me return. I don't trust this thing. So let's see the event list and actually see what's going on: bomb alert, security alert, air raid, closed. World War Three on a highway.
Funny messages. Bullfight. So you can put a bullfight on a highway. So I dream about a story about this one. So I imagine the European Community, you know, having this big meeting, so, and they're going for an event list and, you know, someone like the chairman is saying: bullfight? Why do we have this? And the Spanish people go: we got those, we asked for those. So that's my story. I think bullfight, they asked for that. You can get delays due to parade. So you can put a parade on a highway. That's cool. And then you can also put people on the road and then accident.
Yeah, that will be fine. So there's one other cool thing: you can get a boxing match. So you can put a boxing match on a highway. But you know that when you get an accident in Italy, a boxing match after that is not so unrealistic. So that kind of makes sense. And no, you cannot have a pony. I was so sad because of that. Anyway.
Implementation issues. So there are a number of implementation issues. So we thought, when we were first doing this thing: okay, so we got to be careful, we got to match the PI with the frequency we're using. So it turned out if you're using PI code 6666 it doesn't hurt, the navigation system is going to pick up your message. So it's even much more easy to spoof messages.
There are some codes which are allowed by the standard but are not supported, like total cancellation. You cannot cancel all the messages. But what you can do, you can cancel all the single ones, because you can only have one event per location. So you got your broadcast station sending a queue. Okay, let me cancel that. Send an accident. Okay, let me cancel that. So I can do it another service and remove all the messages from the navigation system. Okay, so they will go there even if there's a queue or something like that.
There's a broken message which is not honored at all. So what we want to do is like pop up bomb alerts on all navigation systems, even if there was no route at all being plotted, but we cannot do that. At least with our navigation system. Maybe with some others you can do that.
Diversion bit is totally ignored by most implementations. So you put it to zero, you send an accident, the car is going to pop up the event anyway. You put one to, like, snow, the car is going to ignore the event. So it's there, but it's not being used at all. Okay, so we expect other navigation systems to have similar or even more interesting issues. You know, we only tried two because we don't want to, you know, waste money on buying, like, 10 or 20 different navigation systems.
So but I see encryption, so there is encryption. It's a very lightweight encryption and it was used only for commercial services. So at some point vendors got: okay, we would like to sell this service, but how can you sell this service? You're broadcasting, your station picks it up, you can see it. So what they find out: we can encrypt the location code. So what they do, they use a different encoding, because it's not encryption at all, for the location code. So a normal satellite navigation system is not going to have that location code. So it's not going to show you the message. If you pay subscription and you get the proper set of location codes, then you can see the message.
Okay, so the problem is that only the location code is encrypted. So you can actually see what's going on, and even if I don't know what location code it is, I can just modify everything else and then use the location code you sent, and then I'm in business. But the encryption are bitwise operations. So bitwise operation is not encryption. You can sniff there, you can get like 10 or 20 packets, you can correlate that with real messages, because you have a navigation system that works, and then you can find the key and do whatever you want, if you really want to read and then hijack those messages. But we don't care, because every navigation system is supposed to be able to receive commercial services, if they have subscription, as well as free messages. So I can just send my own messages and it is going to pick them up. It is not relevant at all. So don't think about RDS-TMC encryption as a security measure. It is not. Just for discrimination.
So what we've seen can be trivially injected. You can get a chick because of that. So that's, you know, end of story. Drivers don't tend to have any security awareness. So if you use a computer, like, you know, you can get viruses and stuff nowadays. If you drive a car, would you expect that someone can do something like this? I don't think so.
Well, now you can. So we don't think it's the end of the world. It's not like we attack this protocol at all. I mean, it's very old, it was designed to reuse existing infrastructure, which makes perfect sense. But since they want to have your car and doing more and more things with your navigation system, and it's vital that in the future we don't commit the same mistakes we did with our services and, you know, unencrypted protocols in the past for computers. So just please, you use authentication, use encryption, whatever you want, give me integrity. But just don't let this be clear text, because maybe 10 years from now we'll be very sorry if we made that kind of mistake. Also, cars have, like, a long lifespan. I cannot upgrade my car like I can do that with a software on my computer. And sure, I'm not going to change my car because I have a satellite navigation system which is vulnerable to these kind of things. So they have a very long lifespan, and that's why we use RDS-TMC now, which is like way old. So we should be careful with that, and we hope the future protocols will have, you know, some security.
So we got an official response from the people doing this protocol. It was very fun. Let me read it for you. The title of the article was "Hacking TMC unsuccessfully". Hello? We did it. "The first and overriding statement that should be made is that transmissions of this type are directly analogous to pirate radio broadcasts and certainly will, in the case of Europe and the US, contravene each country's respective broadcasting legislation and laws." Oh, thank you that you're telling me it's illegal. I'm sure that will stop any attacker. So, like, killing people is illegal. Oh, we're safe. That's fine. "There is a chance that a false message could be decoded, but a degree of knowledge would have to be gained on the parameters of the message being coded." Like, it's clear text, I can make it out.
I can do whatever I want. "The random use of any location code would result in a randomly located event. Also, random choices of event codes may not cause a terminal to react." Did you see me using random codes? I don't think so. We know exactly what we can detect and we know exactly what we can send. So this is plain FUD, and it was after our presentation was, like, you know, available. Then there's a whole bunch of crap about "this frequency will not be either in the main AF list or the secondary AF list broadcast in any of the tuning variants of the TMC". That, that's crap. It doesn't make sense at all. The radio station can do that, I can do that. There's no magic involved. This is not magic. And the last one is the most hilarious one: "service providers and broadcasters, I am sure, have many protection mechanisms and processes in place to prevent any illegitimate access to their services within their infrastructure". So, faith manages. So these guys are doing a protocol and they're sure people, you know, they have protections. So that's crap. So you can read the full response there and you can read our reply to their response there, so, if you want to. I didn't, like, extrapolate sentences out of context, trust me on that. Never been so hard to convince people that clear text protocols are like that. Never.
So, the future. TMC is also supported over digital and satellite radio. It's harder to inject because you need to do more hardware and stuff, but the same thing: there's no encryption, there's no authentication going on. TPEG, this Transport Protocol Experts Group, is the new standard designed for replacing TMC. They support encryption, but, a, it's optional and it's like encryption. So you got these bits. These are for encryption.
They don't tell you what kind of cipher you should use, they don't tell you anything about that, so I can use a null codec and, you know, that would be nice. So they really need to do stricter definitions, and they, they replied to us, and it was very hard to convince them about the fact that this is a security issue. But, you know, they said that they will consider in the future having stricter requirements.
So there's a new cool thing going on, which is GST, Global System for Telematics. It's an impressive project, the NW is backing it up and all people. So what I want to do: you put a credit card in your car and then you can download services and system and traffic information, so smart. It's going to use PKI and SSL. So, if only in theory, it should be hard to do anything about it, right? And it's very sad to realize that the encryption comes only when there's a commercial side on it. As soon as you put a credit card, then they want encryption. Okay, so it's not that good. But anyway, so this thing will not happen, you know, anytime soon, but, you know, we were so going looking forward to play with that. Trust me on that.
Similar systems. So in the US you got also Microsoft DirectBand, which is like RDS on steroids. So they use a subcarrier, they have 15 times the bandwidth of the RDS system and it works pretty well, and they have encryption going on there, and I've read some papers and it looks done properly. Of course, we didn't play with that, but it's promising. But of course we cannot get it in Europe at all, or everywhere else, because they cannot get that frequency license at all. That's a current license at all.
So this is the end of our talk. We hope you enjoyed that, and we can either get questions here or maybe we'll move to the Q&A room so that we can answer to whatever questions you might have. So thank you very much. I hope it was fun for you, and as you can see, he has a future as a porn actor.
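A receiver-side screen for two of the implementation issues described in the talk (the PI code is never matched against the tuned station, and the never-used security events are popped up unquestioned), written as an added example that is not code from the speakers or from any navigation vendor. The message fields, location numbers and expected PI value are constructed; only event codes 108 and 1571 and PI code 6666 (read here as hex, an assumption) are quoted from the talk.

```python
from dataclasses import dataclass

# Event codes quoted in the talk. The rest of the security class would come
# from the real event table, which this sketch does not reproduce.
QUEUING_TRAFFIC = 108
SECURITY_ALERT_STATIONARY = 1571
SECURITY_EVENTS = {SECURITY_ALERT_STATIONARY}


@dataclass(frozen=True)
class TmcMessage:
    pi: int        # PI code of the RDS stream that carried the message
    event: int     # TMC event code
    location: int  # TMC location code


def screen(messages, expected_pi):
    """Return (state, alerts) for a sequence of decoded TMC messages.

    state maps location -> accepted message, mirroring the one-event-per-
    location behaviour the talk describes. alerts lists (reason, message)
    for everything that was held back instead of being shown to the driver.
    """
    state, alerts = {}, []
    for msg in messages:
        if msg.pi != expected_pi:
            # A foreign PI must never replace or cancel an accepted event;
            # that is the per-location cancel trick from the talk.
            reason = "overwrite-attempt" if msg.location in state else "pi-mismatch"
            alerts.append((reason, msg))
            continue
        if msg.event in SECURITY_EVENTS:
            # Class that, per the talk, no broadcaster has ever used:
            # hold for confirmation rather than pop it up.
            alerts.append(("security-event-held", msg))
            continue
        state[msg.location] = msg
    return state, alerts


# Constructed sample stream; 0x5200 stands in for the tuned station's PI.
EXPECTED_PI = 0x5200
SAMPLE = [
    TmcMessage(0x5200, QUEUING_TRAFFIC, 1001),
    TmcMessage(0x6666, QUEUING_TRAFFIC, 1001),
    TmcMessage(0x5200, SECURITY_ALERT_STATIONARY, 1002),
    TmcMessage(0x6666, SECURITY_ALERT_STATIONARY, 1003),
]

if __name__ == "__main__":
    accepted, held = screen(SAMPLE, EXPECTED_PI)
    print("accepted:", accepted)
    for reason, msg in held:
        print(reason, msg)
```

The PI code is itself unauthenticated clear text, so this only narrows what a receiver will accept; it does not replace the authentication and integrity the talk asks future protocols to provide.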