DEF CON 27 Talks


Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars

Lennert Wouters

Sat 8/10 •
10:00 AM-10:25 AM
25 min talk

Our research revealed several weaknesses in the Tesla Model S passive keyless entry and start system. The talk will be a comprehensive overview of how we reverse engineered the key fob, the issues we found and an efficient proof of concept attack. The proof of concept attack exploits the use of an inadequate cipher and allows us to clone a Tesla Model S key fob in a matter of seconds using commercial off-the-shelf hardware. Information from the FCC database suggests that the same attack could affect vehicles produced by McLaren, Karma and Triumph Motorcycles as they all use a passive keyless entry and start system designed by Pektron. I will share our experience with responsibly disclosing our findings with all the manufacturers.

Some extra information:
We made a PoC video which is available here:
https://www.youtube.com/watch?v=aVlYuPzmJoY

The paper describing this research was published at TCHES and is available here:
https://tches.iacr.org/index.php/TCHES/article/view/8289

I was an invited speaker at Real World Crypto to present this research, the presentation was recorded and is available here:
https://youtu.be/4hq4yiVCopU?t=4189


Hacking into automotive clouds

Rotem Bar

Fri 8/09 •
1:00 PM-1:50 PM
50 min talk

In this talk Rotem will share his experience of how he hacked different automotive clouds, the techniques he used and the goals he pursued after connecting.

Rotem will talk about the main connectivity areas he looks for, supplier integrations and the differences between normal clouds and automotive clouds. Once Rotem has a good foothold: possible targets and the places where the most harm can be done, where to jump next inside and how deep the rabbit hole goes.
In this talk Rotem will give real-life examples of:

  • From zero to hero – Full backend control with examples

  • Common fails which allow him to jump between networks

  • Dangers of connected cars - Taking over a car from the cloud

  • How to break a production line

  • Cloud credentials leakage


Reverse Engineering and Flashing ECU Firmware Updates

Greg Hogan

Sat 8/10 •
11:00 AM-11:50 AM
50 min talk

Many ECUs do not support reading firmware over CAN, but since automotive manufacturers make mistakes and need to fix firmware bugs, they release firmware updates and support writing firmware over CAN. This will be a deep dive into how you can obtain these firmware updates, decrypt them, (modify if you like) and flash a firmware update file for Honda ECUs. The ECU tools provided by automotive manufacturers are from the stone age, so let’s use a modern web browser to flash an ECU!


Legal Over-the-Air Spoofing of GNSS and its Effects on Autonomous Vehicles

Victor Murray

Fri 8/09 •
4:00 PM-4:50 PM
50 min talk

Many systems depend on accurate location information from Global Navigation System Satellites (GNSS) for normal operation. Public GNSS lacks integrity mechanisms and is vulnerable to spoofing. U.S. Federal law does not allow over-the-air spoofing of GNSS or other signals, which makes assessment of vulnerabilities difficult outside of an enclosed laboratory environment. This research proved the usefulness of a Mobile GNSS Spoofing System that enables legal, real-world evaluation of GNSS vulnerabilities. The mobile spoofing system was used to evaluate vulnerabilities in an Unmanned Ground Vehicle (UGV). The UGV GNSS was exploited using several different attacks including forced lane switching, driving off the road, and stopping the vehicle.


Lojack'd - pwning car alarms, vehicle trackers and immobilisers

Ken Munro

Fri 8/09 •
3:30 PM-3:55 PM
25 min talk

Our research has revealed remote direct CAN injection via APIs, which we intend to present in detail live.

Viper Alarms uses a back-end from CalAmp, the manufacturer of LoJack. We'll show how the LoJack vehicle tracking & recovery device could be compromised and recovery of a stolen vehicle prevented.

This research led us on to the compromise of OEM-approved vehicle trackers and immobilisers. The rabbit hole went very deep indeed.

This is a story of systemic compromise through weak platform providers and outsourced security.


Weaponizing Hypervisors to protect Car Infotainment from hackers

Dan Regalado

Sat 8/10 •
12:00 PM-12:50 PM
50 min talk

Historically, hypervisors have existed in the cloud for efficient utilization of resources, saving space, and money.

The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like automobiles, so that, for example, if an infotainment system crashes, it does not affect other sensitive ECUs like ADAS. BlackBerry QNX and AGL announced the use of hypervisors in their deployments on cars.

The trend is real, but there is a big challenge! Most of the systems in cars run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, is able to monitor at the OS level and, most important, is capable of identifying and killing threats coming into the monitored devices?

During this talk we will walk you through the steps needed to set up a framework running on a Renesas R-Car H3 board that is able to monitor ARM-based devices and to kill the malicious threats it identifies. We will also discuss challenges in syscall monitoring, single-stepping limitations, techniques to stay stealthy or to get better latency, techniques to detect and kill traditional malware seen in the enterprise like ransomware and heap exploits, capabilities against VM escape attacks, and the feasibility of detecting Spectre-like exploits.


Hacking Android and QNX (What treasures lie inside your radio)

Neiko Rivera

Sat 8/10 •
10:30 AM-10:25 AM
25 min talk

Showing the inside of QNX and Android with a high-level overview of each system and their unique attributes. Finding common misconfigurations in Android systems, while also showing people how to extract and begin the process of reverse engineering (but no in-depth reversing of APKs).
Hardware hacking on systems to gain escalated privileges, obtain an initial foothold on the device and begin reverse engineering from there!


Digital Vehicle Forensics

Eoin Bates

Fri 8/09 •
5:00 PM-5:50 PM
50 min talk

Digital Vehicle Forensics involves the acquisition and analysis of digital data (digital evidence) from various vehicle systems to assist in motor vehicle related investigations.

THIS WILL NOT BE RECORDED


Tell Me Lies - Automotive LIDAR and Low-Tech Obfuscation

Rick Hansen

Fri 8/09 •
2:30 PM-2:55 PM
25 min talk

What will it mean if LIDAR becomes ubiquitous in autonomous vehicles?

Join us for an exploration of a LIDAR’s operation, network attack surface, and the development of low-tech countermeasures that render solid objects invisible and turn thin air into a virtual wall of steel.


Intro to UDS

ac0rn

Fri 8/09 •
3:00 PM-3:25 PM
25 min talk

"What is UDS and how can it help me hack cars?"

The goal of this talk is to give a brief introduction to UDS (ISO 14229), what the capabilities of UDS are, why automotive ECUs implement it, and how it is useful in hacking cars. The talk will have examples using standard Linux socketcan interfaces as well as CanCat scripts to help people discover UDS devices and services on their own vehicles.