DEF CON 29 TALK Schedule


Friday - August 6th:

BIO:

Alissa Knight is a recovering hacker of 20 years, blending hacking with a unique style of written and visual content creation for challenger brands and market leaders in cybersecurity. Alissa is a cybersecurity influencer, content creator, and community manager as a partner at Knight Ink, which provides vendors with go-to-market and content strategy for telling brand stories at scale in cybersecurity. Alissa is also the principal analyst in cybersecurity at Alissa Knight & Associates.

Alissa is a published author through her publisher at Wiley, having published the first book on hacking connected cars and recently received two new book contracts to publish her autobiography and a new book on hacking APIs.

As a serial entrepreneur, Alissa has started and sold two cybersecurity companies to public companies in international markets and also sits as the group CEO of Brier & Thorn, a managed security service provider (MSSP).

https://www.alissaknight.com/

Ready, fire aim: Hacking State and Federal Law Enforcement Vehicles

WATCH: https://chv.link/keynote
https://chv.link/alissaknight

Alissa Knight

FRI 8/6 •
10:00 AM


Remotely Rooting Charging Station for fun and maybe profit

WATCH: http://chv.link/kevin2600

Huajiang Chen & Wu Ming

FRI 8/6 •
11:00 AM

Recent years have seen the emergence of a new security threat to the electric vehicle charging ecosystem. How safely and easily electric vehicles can be charged deeply impacts the way people travel. Therefore, we conducted an in-depth security analysis of the EV charging stations from Schneider Electric.

In this talk, we'll present 3 vulnerabilities (CVE-2021-22706, CVE-2021-22707, and CVE-2021-22708) which we found in Schneider Electric's EVLink Charging System. We'll start by explaining the architecture, components, and protocols involved in such a system. Then we'll walk through, step by step, how we found an RCE vulnerability in it.

We will dive into the journey of reverse engineering the EVLink charging station, starting from firmware acquisition and the various challenges of exploiting EVLink. We'll explain the details of how we overcame these limits, and show how our payloads manipulate the system in order to get a reverse shell with root privileges. Finally, we'll present a video demo of exploiting the vulnerability.

BIOS:

  • Wu Ming (Twitter: @rapiddns) is a senior security engineer. He specializes in web security and is a bug bounty hunter.

  • Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and embedded systems. Kevin2600 has spoken at various conferences including KCON, DEFCON and CANSECWEST.


Commercial Transportation: Trucking Hacking

WATCH: https://chv.link/benlgardiner

Ben Gardiner

FRI 8/6 •
12:00 PM

Join us for a technical review of the how-to of hacking big rig trucks. Included is an overview and introduction to commercial transportation, specifically trucking (tractors and trailers), and its technologies. It will cover the vehicle networks J1939, J1708/J1587 and J2497, how they operate and what they can be used for, both intentionally and unintentionally. Several tools for truck hacking are presented and a survey of public truck attacks is covered. Many tools are introduced and discussed; some are covered with examples. Attendees should leave with a good sense of what the potentially fruitful areas of technical research into commercial transport cybersecurity are and how they can equip themselves to successfully explore those areas. Some exposure to the CAN bus is assumed but no specific experience with commercial transport is needed.


From CTF to CVE

WATCH: https://chv.link/lnxgod

Bill Hatzer

FRI 8/6 •
1:00 PM

A brief overview of my approach to hacking things and how preparing for a CTF discovered my first CVE on Hyundai Bluelink. I was practicing some Burp Suite stuff and decided to tap and trap my phone... and caught something strange.


Bug Hunter's Guide to Bashing for a Car Hacking Bug Bash or Contest

WATCH: https://chv.link/shipcod3

Jay Turla

Fri 8/6 •
2:00 PM

Bug Bounty Programs and Bug Bashes geared towards vehicles or automobiles are getting attention now. A lot of our brethren have also been winning some of these competitions. What is the secret to their success? How do you prepare for one? This talk will summarize some techniques and methodologies the speaker observed during his stint as a triager for automotive security bugs and a common car hacker. This talk will also be an eye opener for other bug hunters who want to dive into car hacking so that they may be able to participate in car hacking bug bashes soon.


Remote Adversarial Phantom Attacks against Tesla and Mobileye

WATCH: https://chv.link/ben_nassi

Ben Nassi

Fri 8/6 •
3:00 PM

In this talk, we present "split-second phantom attacks," a scientific gap that causes two commercial advanced driver-assistance systems (ADASs), Tesla Model X (HW 2.5 and HW 3) and Mobileye 630, to treat a depthless object that appears for a few milliseconds as a real obstacle/object.

We discuss the challenge that split-second phantom attacks create for ADASs.
We demonstrate how attackers can apply split-second phantom attacks remotely by embedding phantom road signs into an advertisement presented on a digital billboard which causes Tesla’s autopilot to suddenly stop the car in the middle of a road and Mobileye 630 to issue false notifications. We also demonstrate how attackers can use a projector in order to cause Tesla’s autopilot to apply the brakes in response to a phantom of a pedestrian that was projected on the road and Mobileye 630 to issue false notifications in response to a projected road sign.

BIO:

  • Ben Nassi (Twitter: @ben_nassi) is a security researcher. He specializes in security of autonomous vehicles and IoT devices.


Saturday - August 7th:

My other car is your car: compromising the Tesla Model X keyless entry system

WATCH: https://chv.link/LennertWo

Lennert Wouters

Sat 8/7 •
11:00 AM

This talk covers a practical security evaluation of the Tesla Model X keyless entry system. We will cover the internal workings of the system, including the key fob, the body control module and the pairing protocol. Additionally, we detail our reverse engineering techniques and document several security issues. The identified issues in the key fob firmware update mechanism and the key fob pairing protocol allow us to bypass all of the cryptographic security measures put in place. Our proof-of-concept attack allows us to unlock and start a Model X in a matter of minutes. The vulnerability in the key fob firmware update mechanism was fixed by Tesla using an OTA update.


Not so Passive: Vehicle Identification and Tracking via Passive Keyless Entry

WATCH: https://chv.link/zeetw11

Nick Ashworth

Sat 8/7 •
12:00 PM

Attacks on the passive keyless entry system have been around for a while, with most focused on gaining physical access to the vehicle. We have developed a new attack, Marco, that instead focuses on identifying and tracking vehicles by exploiting weaknesses in passive keyless entry systems. This attack works similarly to a cooperative radar system, where the attacker transmits an interrogation message, and any nearby key fob will automatically respond. The attacker can then use these responses to identify and track key fobs either generically, such as all fobs of the same make and model of vehicle, or specifically, such as a key fob with a specific identifier.


Fuzzing CAN / CAN FD ECU's and Network

WATCH: https://chv.link/IntrepidControl

Samir Bhagwat

SAT 8/7 •
1:00 PM

Get an overview of fuzzing, various techniques used in vulnerability testing, and how to automate your fuzzing.


Build Automotive Gateways with Ease

WATCH: https://chv.link/FuctBitz

Don Hatfield

SAT 8/7 •
2:00 PM

Vehicle network architectures within modern vehicles have been transformed by the introduction of automotive gateways. These gateways enable seamless communication between different vehicle networks and are central to the success of modern architectures. In this presentation, we are going to cover some of the challenges that automotive engineers face when tasked with converting data between old and new network protocols. We’ll also detail how this process is made much easier.


Safety Third: Defeating Chevy StabiliTrak for Track Time Fun

WATCH: https://chv.link/EricGershman

Eric Gershman

SAT 8/7 •
3:00 PM

Electronic Stability Control (ESC) systems save thousands of lives every year by preventing accidents before a driver starts to lose control, but they can be a real drag when trying to race a modern electric vehicle. Both the Chevy Spark EV and Bolt electric car communities have been unable to defeat the ESC to get full control of their cars on the track. Join me on my journey as I attempt to defeat Chevy’s StabiliTrak to turn an EV econobox into an autocross speed racer.