Car Hacking Village Talk Details


Main Talks


PowerLine Truck Hacking: 2TOOLS4PLC4TRUCKS

Speaker(s): Ben Gardiner & Chris Poore

Friday @ 11 AM PDT

Abstract: Trailer ABS functionality has been a regulated requirement in the US & Canada for decades now. The 'PLC4TRUCKS' technology that realizes this requirement is ubiquitous on the road today and can also be found in buses, trains and some other unexpected places. We are releasing tools to read and write PLC4TRUCKS traffic. The first, gr-j2497, is a GNU Radio flowgraph with a custom block, and the second is an extension to the Truck Duck tool released at DEF CON 24. With these tools in hand, attendees can read PLC traffic without touching the bus -- or control their own trailer air brake controllers connected at home, and we will show them how.

Bio(s): Ben Gardiner is a Senior Cybersecurity Research Engineer contractor at the National Motor Freight Traffic Association, Inc. (NMFTA) specializing in hardware and low-level software security. Prior to joining the NMFTA team in 2019, Gardiner held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations. He is a DEF CON Hardware Hacking Village (DC HHV) volunteer. He is chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2), and a voting member of the SAE Vehicle Electronic Systems Security Committee.

Chris Poore is a Senior Computer Engineer at Assured Information Security in Rome, NY and a member of the Systems Analysis and Exploitation (SAE) group. He works to analyze, understand, characterize, and exploit cyber systems using adversarial techniques with a focus on RF-enabled devices. He has experience writing code for software-defined radios and GNU Radio to reverse-engineer RF communication protocols and perform sophisticated attacks. Mr. Poore has a degree in Social Engineering, is an active somnambulist, was King of the Pirates for three years, and frequently violates PornHub’s terms of service.

Before J1939: A J1708/J1587 Protocol Decoder

Speaker(s): Dan Salloum & Thomas Hayes

Friday @ 12 PM PDT

Abstract: Medium and heavy duty equipment communicate over vehicle networks using a number of protocols and busses. While researching the interaction between tractors and semi-trailers, we identified the presence of two legacy protocols, J1708 (physical layer), and J1587 (transport layer). The current mechanisms to capture and decode this data do not promote cost efficient data DISCOVERY, but as a team, we have developed techniques that will allow us to use existing diagnostic hardware to capture and decode J1587, and J1708, messages from the vehicle bus.

pretty_1587, our software application, has been designed to process input streams and convert SAE J1708 and J1587 messages to a convenient format that a user can read or pass to another software application. Our open source Python code has been designed to be versatile and to work with the output of existing diagnostic tools. It can consume data over network sockets, from files, or from stdin, so most hardware solutions that interface directly with the serial bus will be able to pass data to pretty_1587 to decode the data contained in the J1587 messages.

Bio(s):

Daniel Salloum is a Reverse Engineer by title and curious at heart. He is currently employed by Assured Information Security where he spends his days doing security evaluations and creating tools that help. His background as both a system administrator and programmer helps him to navigate system innards. If it must be done more than twice, he'll script it. If it can be recreated in a few hours, it probably will be. Daniel has recently been accepted into the world of ham radio, and may be heard on the airwaves at some point. This is his first conference and he expects it won't be the last.

Thomas Hayes is a Hardware Engineer at Bendix Commercial Vehicle Systems in Elyria, OH and a member of the SAE J1939 committees. In his current role, he manages the hardware process for braking and other heavy vehicle systems from brainstorming with napkin drawings to the creation of full PCBs to product testing and manufacturing. Prior to Bendix, Thomas held design and leadership roles in a number of venture backed startups and worked in simulation technology for the aviation industry. In his spare time, Thomas enjoys rebuilding vintage motorcycles and teaching kids how to solder without burning their fingers off: success rate unknown.

Realistic Trends in Vulnerability based on Hacking into Vehicle

Speaker(s): Ryosuke Uematsu, Shogo Nakao, Ryoichi Teramura & Tatsuya Katsuhara

Friday @ 2 PM PDT

Abstract: This presentation introduces the trends in ECU vulnerabilities and the mitigations against them, and also our assessment method.

We have worked with more than 10 auto manufacturers and suppliers, and we have assessed a lot of their ECUs in development. We have already found over 200 vulnerabilities, which reveals the trends in both the vulnerabilities and mitigations statistically. Some of them have a huge impact on automotive safety; that is, we can hack into the vehicle via the wireless connection.

Bio(s): Ryosuke Uematsu is a security engineer in NDIAS, focusing on radio network security such as Cellular, Bluetooth and WirelessLAN.

Shogo Nakao is a security engineer in NDIAS. His research interests include automotive cybersecurity and functional safety.

Ryoichi Teramura is a security engineer in NDIAS. He received his Ph.D. degree in Engineering from Kobe University. His research focuses on cryptography and automotive cybersecurity. He has published papers at conferences including Escar Asia 2019. He is a member of the CRYPTREC committee for Japanese government's cryptography.

Tatsuya Katsuhara is a security engineer and acts as manager in NDIAS. He loves all "connected" technologies - especially digital identity, platform and edge device. To make these services, including automotive, more secure and convenient, he launched a hardware-related cybersecurity team a few years ago, and that led to NDIAS.

CAN be super secure: Bit Smashing FTW

Speaker(s): Brent Stone

Friday @ 3 PM PDT

Abstract: Bit smashing CAN transceivers are already on the market and cost pennies. Using them would make vehicles, robots, and medical devices effectively immune from almost every layer 2 attack including denial of service. Brent explains why this security measure works so well. This is also a call to action for industries using exclusively multicast ICS protocols like CAN to invest the <$5/platform to greatly improve their product's security.

Bio(s): Brent is an academic and professional cybersecurity researcher focused on helping average Joe get access to safe and reliable technology. His background includes work with statistical machine learning, search, time series analysis, defensive cybersecurity, and industrial control systems. He has presented across the country from DEFCON in Las Vegas, IEEE in Chicago, and several other venues in between. https://www.github.com/brent-stone.

Misbehavior Detection for V2X communication

Speaker(s): Jonathan Petit, Raashid Ansari & Cong Chen

Friday @ 4 PM PDT

Abstract: In this talk, we will present network attacks that aim at fooling V2X applications. Then, we will show how our misbehavior detection system can detect such attacks. We will also demonstrate the progression of an attacker that becomes smarter and smarter in order to highlight the limitations of current misbehavior detection systems. Attacks and defenses will be shown working on a production-ready onboard unit.

Bio(s): Dr. Jonathan Petit is Director Engineering at Qualcomm Technologies, Inc., where he leads research in security of connected and automated vehicles (CAV). His team works on designing security solutions, but also develops tools for automotive pentesting and builds prototypes. He was the first to demonstrate attacks on LIDAR and camera systems for automated vehicles. His research also covers privacy of CAV, where he demonstrated real-world eavesdropping and its effect on location privacy.

Mohammad "Raashid" Ansari is a Senior Research Engineer at Qualcomm Technologies Inc., where he performs research in systems security. His current research focus is on developing misbehavior protection system for connected vehicles. He builds proof-of-concepts to analyze network security mechanisms for connected vehicles. He presented hacking tools for connected vehicles at BlackHat in 2018 and DARPA SDR Hackfest in 2017. Raashid holds a Master of Science in Electrical Engineering from the University of New Hampshire, USA. His thesis focused on security of in-vehicle networks.

Cong Chen is a Senior Engineer at Qualcomm. He is currently working on security topics of connected and automated vehicles with a focus on vehicular network misbehavior detection and trusted vehicular communication. His research interests also include embedded security, hardware security and side-channel security.

Hacking TESLA Model 3 - NFC Relay Revisited

Speaker(s): Kevin 2600 & Alex

Saturday @ 10 AM PDT

Abstract: NFC technology is widely deployed in payment, ticketing and access control systems. In the automobile key fob field, the Tesla Model 3 is one of the modern vehicles using an NFC tag as a digital car key. Implementing such a system makes the owner's driving experience much more convenient.

However, on the other hand, attack methods against NFC systems also emerge endlessly. The NFC relay attack is one of the top methods. In this talk, we will reveal the research and attack methods for the Tesla Model 3 NFC key tag system, investigating how this feature works and how to exploit the protocol through a design flaw. By the end of this talk, we will demonstrate the security limitations of such a system. Attendees will not only understand how to exploit Tesla's NFC key tag system, but can also apply the same research methods to other brands of vehicles with similar NFC technology.

Bio(s): Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a senior security researcher at the Ingeek security research lab. He mainly focuses on vulnerability research in wireless and embedded systems. Kevin2600 has spoken at various conferences including XCON, KCON, DEFCON, CANSECWEST, OZSecCon and BSIDES.

Yuchao (Alex) Zhang is a senior security researcher at the Ingeek security research lab. Alex specializes in vehicle and IoT pentesting, Android reverse engineering and mobile vulnerability research.

Houston, we CAV a problem

Speaker(s): Vic Harkness

Saturday @ 12 PM PDT

Abstract: In the future, connected and autonomous vehicles (CAVs) will be everywhere. A lot of different technologies have been proposed for use in CAV intelligent roadways. This talk presents the results of a literature review which aimed to examine the security of the proposals and standards. The proposed CAM/DENM protocols for maintaining awareness between vehicles are paid particular attention, as well as the use of 802.11p/OCB to create base-stationless ad-hoc networks. The results of threat modelling exercises to examine how an attacker may pivot through CAV networks to reach their goals are also described.

Bio(s): Vic is a security consultant working at F-Secure Consulting in England. She works with a wide variety of tech, but her pet areas are novel networks, facial recognition systems, and novel biometric modalities. Outside of work she enjoys annoying birds, travel (or did), and photography. Find her on Twitter @vicharkness, where she mainly shitposts.

CMAP: Open Source Vehicle Services Mapping Tool for noobs

Speaker(s): Robert Leale (CarFuCar)

Saturday @ 1 PM PDT

Abstract: CMAP works to catalog open services on vehicle Ex is by using the Diagnostic Scanning to automatically capture as much information as possible from your vehicle.

Bio(s): Some random dude that canbushack.

All Aboard the CAN Bus… or Motorcycle

Speaker(s): Derrick (CanBusDutch)

Saturday @ 2 PM PDT

Abstract: Follow me as my passion for motorcycles goes head first into my passion for computers, and I build tools and software to reverse engineer my motorcycle's CAN system. Python scripts, microcontrollers, pulse width modulation, some potentiometers, and a bit of what I like to call “Ruthless Engineering” have helped me finally reach the pinnacle of CAN bus packet reversing. We’ll cover some engine simulation, execute some packet capture session analysis, and put it all back together again, for the development of an aftermarket gauge cluster.

Bio(s): Derrick is a corporate IT infrastructure professional, Cyber security hobbyist and motorcycle enthusiast, with more than a decade involved in the fields. When Derrick isn’t consulting for major firms in the San Francisco area, feeding his autodidact addiction, or working on independent projects, he can be briefly seen as a blur passing you on the highway.

From Blackbox to Automotive Ransomware

Speaker(s): Nils Weiss & Enrico Pozzobon

Saturday @ 3 PM PDT

Abstract: The lack of state of the art security features in many current cars can lead to devastating impacts for the vehicle owners and passengers. This talk presents the full path from the investigation of safety critical ECUs to the development of a proof of concept malware/ransomware affecting the whole car.

Bio(s): Nils Weiss and Enrico Pozzobon are PhD students at the University of Applied Sciences in Regensburg. Both have been focusing on automotive security research for more than 4 years. After an internship at Tesla Motors, Nils decided to focus on automotive security as a research field. During his bachelor and master program, he started with penetration testing of entire vehicles.

Enrico Pozzobon started with automotive security during his Erasmus semester at the University of Applied Sciences in Regensburg. He studied telecommunication engineering at the University of Padua. For 3 years, Nils and Enrico have been building up a laboratory for automotive penetration testing at the University of Applied Sciences in Regensburg. Besides penetration testing of automotive systems, both are contributing to open source penetration testing frameworks for automotive systems (Scapy).

ChupaCarBrah: Open Source Hardware and Software for Interacting with your Vehicle CAN Bus

Speaker(s): Marcelo Sacchetin

Saturday @ 4 PM PDT

Abstract: Commercial products for interacting with CAN can be pricey and not easily extensible. Some good open source hardware is very often out of stock at distributors. ChupaCarBrah is a Python based device for sending and receiving CAN messages from your vehicle that requires just a BeagleBone Blue and some wiring.

We cover how to build a device 100% based on open source software and hardware. This makes it more affordable, and easy to use/extend. It is designed for newcomers to the car hacking community, and also for more seasoned hackers that will be able to leverage a single board computer attached to the car's CAN bus. As an example of how to extend it, we show how to use a cellular LTE network to exfiltrate all the OBDII/CAN and GPS data to the cloud. It is pretty useful, especially for remotely monitoring the car, and also for online training and/or virtual meetings. All source code and detailed instructions on how to install, assemble and use the device are shared on Github and Hackster.io.

Bio(s): Marcelo Sacchetin (@MSacchetin) has been helping software developers over a decade to write secure code across multiple Fortune 100 companies. He mainly focuses on building automation for SDL and empowering developers to master cybersecurity. He created a cool open source coding robot (blupants.com) so the next generation of hackers can have fun learning Python. He is a car hacking hobbyist and engaged in a bunch of other stuff such as: anti-virus evasion, mobile robots navigation, ICS/SCADA security and Python.

Hacking Ludicrous Mode on a Tesla (moar powerr!)

Speaker(s): Patrick Kiley (Gigstorm)

Sunday @ 10 AM PDT

Abstract: This talk will cover how I reverse engineered the ludicrous upgrade process on the P85D. I then successfully upgraded the hardware and firmware on a P85D to make the car faster. I will cover the hardware upgrades, the firmware changes as well as the architecture of the Tesla Battery Management System.

This talk will be a deep dive into the Tesla BMS firmware, as well as CAN DBC and UDS routines. It is based on Patrick's main DefCON talk.

Bio(s): Patrick Kiley (GXPN, GPEN, GAWN, GCIH, CISSP, MCSE) has over 18 years of information security experience working with both private sector employers and the Department of Energy/National Nuclear Security Administration (NNSA). While he was with the NNSA he built the NNSA's SOC and spent several years working for emergency teams. Patrick has performed research in Avionics security and Internet connected transportation platforms. Patrick has experience in all aspects of penetration testing, security engineering, hardware hacking, IoT, Autonomous Vehicles and CAN bus.


CHV 101 Talks


Automotive In-Vehicle Networks

Speaker: Kamel Ghali

Friday & Saturday @ 10 AM PDT

Abstract: Modern vehicles are home to tens of Electronic Control Units (ECUs) that each manage a different subsystem of the vehicle. With the control of the vehicle distributed across so many machines, sharing information in a robust, timely manner becomes a necessity. In-Vehicle Networks were developed to meet these communication needs, bringing functionality optimized for the automotive environment into the industry. In this CHV101 lecture, we'll explore the different In-Vehicle Network technologies used in vehicles today and each of their strengths and applications.

Bio: Kamel Ghali is a veteran of the automotive security industry, with experience working both within the automotive industry and as an external consultant. His passion for automotive security goes beyond his work, with him volunteering as an instructor for the Society of Automotive Engineers (SAE) Cyber Auto Challenge and leading the Japanese branch of the Automotive Security Research Group (ASRG). He's a two-time finalist of the Car Hacking Village's annual DefCon CTF and active member of the CHV community. He currently works at White Motion, an automotive cybersecurity firm based in Tokyo, Japan.

OBD and what we CAN do with it

Speaker: infenet

Friday & Saturday @ 11 AM PDT

Abstract: Learn about the history of on-board diagnostics, the OBD I and II standards, what data is accessible from OBD II, and the architecture of OBD-II and CAN.

Bio: Lifelong hacker and hacker of all the things. Founder of Enterprise Offensive Security, creator of security tools for DevOps Engineers such as auto-remediation using AWS Lambda and CIS Compliance Scanning Tools, SSO implementations on the Service Provider and Identity Provider side(s). Simulated Advanced Persistent Threat Actor. Started DEFCON group in Detroit DC313 and Director of #misec Detroit.

Fundamentals of Diagnostic Requests over CAN Bus

Speaker: Robert Leale (CarFuCar)

Friday & Saturday @ 12 PM PDT

Abstract: Data can be requested using the CAN network, but what data can you ask for? How do you know how to send requests? What type of requests can you send? What can you do with the data that you get back? How do you handle errors? So many questions on how to get started. We will answer the fundamentals of shaping a request and handling the response. Diagnostics are a way of communicating directly with Electronic Control Units in a vehicle. UDS is a standard diagnostic protocol. We will explore how to format a UDS request and handle its response.

Bio: Some random dude that canbushack.

Cluster fuzz!

Speaker: mintynet

Friday & Saturday @ 1 PM PDT

Abstract: How to get started in #carhacking using cheap CAN hardware and an instrument cluster, shows the hardware needed and an example of a cluster. Then show some fuzzing of the cluster, including some tips for the CTF.

Bio: Network / security architect that has a passion for car hacking, found vulnerabilities in his own car and also private car bug bounties. Now runs Car Hacking Village UK and is part of the team behind CHV at DEF CON.

LinkedIn: https://www.linkedin.com/in/mintynet/
Twitter: https://twitter.com/mintynet
Website: www.mintynet.com

Bluetooth Security in Automotive

Speaker: Kamel Ghali

Friday & Saturday @ 2 PM PDT

Abstract: Bluetooth is a short-range cable replacement technology that is found in millions of IoT devices around the world. Due to its ubiquity and breadth of functionality, it's been seen in vehicles as early as the late 2000s. While commonly used for phonebook access, hands-free phone usage, and media control, Bluetooth is nonetheless an important vector to consider when analyzing a vehicle's security case. In this CHV101 lecture, we'll explore Bluetooth as a technology and its relevance to automotive cybersecurity.

Bio: Kamel Ghali is a veteran of the automotive security industry, with experience working both within the automotive industry and as an external consultant. His passion for automotive security goes beyond his work, with him volunteering as an instructor for the Society of Automotive Engineers (SAE) Cyber Auto Challenge and leading the Japanese branch of the Automotive Security Research Group (ASRG). He's a two-time finalist of the Car Hacking Village's annual DefCon CTF and active member of the CHV community. He currently works at White Motion, an automotive cybersecurity firm based in Tokyo, Japan.

Automotive Ethernet for the rest of us

Speaker: infenet

Friday & Saturday @ 3 PM PDT

Abstract: Discover the latest in Automotive Ethernet adoption, learn who is using Automotive Ethernet and why they are using it.

Bio: Lifelong hacker and hacker of all the things. Founder of Enterprise Offensive Security, creator of security tools for DevOps Engineers such as auto-remediation using AWS Lambda and CIS Compliance Scanning Tools, SSO implementations on the Service Provider and Identity Provider side(s). Simulated Advanced Persistent Threat Actor. Started DEFCON group in Detroit DC313 and Director of #misec Detroit.

Car (to Cloud) Talk: Using MQTT for Car Hacking

Speaker: Jaime

Friday & Saturday @ 4 PM PDT

Abstract: As with IoT, cars are becoming increasingly "smart". In the automotive and trucking world, this means adding the ability to collect real-time telemetry data, gather information for predictive maintenance, as well as consumer features like remote lock/unlock. This talk will cover the internals of how MQTT--a lightweight messaging protocol frequently used in automotive and IoT--works, and how it's used in automotive applications.

Bio: Jaime is an EE turned software developer turned security researcher. She caught the infosec bug through playing CTFs, and now works at GRIMM hacking cars. In her spare time, she adds LEDs to things and hangs out with her dog.