
From ccsubs.com
Vid: https://www.youtube.com/watch?v=OobLb1McxnI

[applause]
>> Despite the fact that Charlie is a Saint Louis fan, we will talk about breaking into a Jeep and doing bad things to a Jeep. Let's give them a big hand. [applause]
>> Awesome. How's everyone doing? Fantastic. Ten minutes to get the sound on, that was not nerve-racking. I'm raiser and this is blade. We are here to talk about hacking a car. What this is not: this is not going to be every detail we have. We will drop our 90-some pages later. We will go fast and loose.
>> And also, don't be disappointed, the Chrysler representative will not be coming in.
>> LL Cool J was our rep. PSA before we get going: stop saying "unhackable." You are going to look silly and give people incentive to look at it.
>> You have a control gateway you have to go through, and apparently they have found a secret way for writing software. When they say you can't hack it, you can't hack it unless you can hack the gateway, then you can hack it. We are going to go through all the wireless vectors. Talk about how we got cellular. Hack a car over cellular. And go through some payloads to do the cool stuff, and really fast, this section about [inaudible]. Those parts, while super boring to talk about, still took us three and a half months. The whole talk is that. That's how you go from the wireless portion to having physical control. And it's super difficult, at least for us.
>> So let's talk about what it means to even remotely attack a vehicle and what you need to look for and that sort of thing. The first thing you need for a remote attack is code running on it somehow. Look at the attack surface on the vehicle. Most vehicles will have these attack surfaces, hooked up through cellular, Bluetooth or apps. You actually have a little chip key talking back and forth to the receiver of the car. TPMS, and some cars it's hacking your wifi hotspot.
>> When people think of remotely hacking a car, that's how you get in. We will show you that's really one small step in a whole series of events.
>> So what's next? The part, the heart of it, is getting the code and talking to the CAN network; that's where the network of the car lives. Step three is figuring out the CAN message to send to make it do physical stuff. Every vehicle manufacturer will have different messages; you have to figure that out. The things to care about: the ABS system, the transmission and other stuff that you eventually want to control. We heard you can buy these databases. You buy a car, look for a sniffer, that's what you need to do.
>> Shockingly, they wouldn't sell that to us. And you send the messages. You only need one car and the messages will work for other cars. When you send the messages, if the car has more advanced features, more things you can control. Jam on the brake, self-park, whatever.
>> That's why we pick the self-park cars.
>> Let's talk about the car we have.
>> So the car was a white 2014 Jeep Cherokee.
>> This is a car in an unfortunate situation where the brake is not working. The brake lights are on but not braking.
>> Harman, known for speakers. You connect the system from this car from them. They make killer speakers.
>> You see what I did there.
>> Killer speakers.
>> If you buy one of these, or a few like we did, we rip them apart. If you look at the board inside, connected to the LCD portion, the a 55 r zero, it has a carrier printed on it. The other section had a Renesas V850 when dealing with CAN control. If you looked at this board, hey, there's air between these two sections. That would be an air gap by definition. But that's not essentially true.
>> We are currently air gapped.
>> So you connect the system. The chip runs ARM, 32 bits. The operating system is QNX. Command line; it's an environment we are comfortable working in. There's a bunch of different chips, different operating systems on this thing; it's not one OS with one chip. So we jailbroke the Jeep. We showed that last year. The main purpose of doing this was to exploit the system. This is not needed. I repeat, not needed for the remote stuff this time, but if you want to investigate the system, you want to have a live example, jailbreak it, shell.
>> We will show you how to remotely brake these cars. No physical access needed. On your own car you can do this. Stick in a super special USB stick, upgrade.
>> It doesn't really say "jailbroken."
>> Next step is wifi. Am I doing this particular car and other cars that have the system offer hotspot capability. And this is something you can turn on, and it's like the default is WPA2 and you can talk to it. It's super cool. If you are jamming down the road and be online.
>> When we were doing the research I can get on Twitter and online stuff.
>> I'll be driving on the highway and on Twitter.
>> It's great. It's the future.
>> It was the future. Anyway, so that was our first plan of attack: go after the wifi. Why get wifi? I don't know how the wireless tire pressure sensor works. I have no idea. If you could attack the wifi portion, it's not that cool because it's not on by default. You have to pay and it's quite expensive, $35 a month. So most people will not have that on. And even if they do, you have to figure out how to join the network. It's a random WPA2 password. Not easy to get on.
>> So I paid this.
>> We are taking donations. Charlie needs $350.
>> I'm the only one. Whenever I have a problem I would call. And they would say, "Oh, Mr. Miller." You can look at this code, and if you read it, it tells time and gets random values. Figures out the length, 8 to 12, of the password and picks random ASCII passwords. That's random. Hard to guess at. But it is seeded on the time. If you know what second it's seeded on, so you can get an idea of what it started on.
>> The car is 2014, so you would assume it's made before that and after 2012. Limited space.
>> Right. When you first turn it on, you get some idea. And you can do the math and figure out that if you start to figure out how passwords are based on the time, it's based on 15 million, 7 million guesses. And if you know what you are doing, which we don't, you can imagine doing this in about an hour. Attack: cruising on a highway, you spot a Jeep.
>> Super creepy.
>> So then if you eventually join the network and if there's a vulnerability you can attack it.
>> I feel bad driving green bird off the road.
>> So there are other ways to do it a lot easier. Here's the code to show what to do when you try to figure out what time it is. When it's first on, you don't know what time it was. That's the chip that talks to the cellular connection. So they can get the time accurately through the cell tower. If there's code, if that fails and I don't know the time, that this other network I just default to January 1, 2013. So I looked at my password and head unit, please don't join mine. And you can figure out what time it corresponds to. It turns out that time corresponds to January 1, 2013, 32 seconds after that.
>> So you can imagine cars from the factory, coming out at the same time. Most of them, a limited set of passwords that you need to try if anyone didn't reset it.
>> So when you turn the car on it took 32 seconds for the wifi to come on. Set the password, I don't know. January 1, so ten or 20 passwords you can expect. So you can join the wifi network; the problem is no one has it on except for me. Nonetheless we will continue on. Let's say if you could join, what can you do, something bad? Wifi is better than connected. So we are making progress. You will see some open ports. Some are in the paper. They are mostly crazy stuff. But really cool is they are an IRC server. It's something called D-Bus. So D-Bus is important, 167 on all these vehicles; it's an inter-process communication. The idea is one process sends a message to another process and it does that.
>> These can require authentication, but on the Jeep it allows anonymous connections and IPC stuff. So we used a program called d-feet, which is a GUI, and dbus-python for writing all our scripts and stuff like that.
>> Just in print, it seems like it's a bad idea.
>> Seems not the best idea.
>> It's not designed for outside things to be talking to it. So we were pretty sure that we could find something here. If you load the d-feet program, it lists on the side the services available. Dot service, dot tuner and so on. For each of these there are certain methods you can call. It will give you all these methods. And you'll see things like, for the service com, there's a method called view black screen or screw dtvhmiq and stuff.
>> There's everything.
>> There's a huge attack surface available.
>> We sure hope so.
>> And there was. These services and methods and stuff are backed by Lua script, and I have to learn that. The first thing I look for is, is there memory corruption?
>> Memory corruption, it's hard. Let's go shopping, and that means Lua.
>> We look at command-line injection first. We found several. So this is one: if you are trying to remove a track from that, I think it's for navigating. If you pass a file name, if you say please remove the track semicolon.
>> So we ran that quick, looking for command-line injection. There were so many of them. We have one. So theoretically we can attack this thing.
>> So if you can join the wifi network through this you can do it, but -- so anyway, I was like super proud. I've been computer hacking for 15 years. I knew there was command-line injection. I kept looking for more methods, called execute. Execute stuff. So this method takes in a parameter and that parameter is the shell command you want to execute.
>> So if you look below, four line Python script, that's 4 lines of Python. We thought we have to do something super cool. Give a hand to Python. [applause] And if you see in the Python script, netcat, it was already on there. It's great.
>> Just to show what talented speakers we are, here's a screenshot from our talk last year on remote attack surfaces. That's actually the vulnerability of this year's talk. This is accidental disclosure.
>> I don't know what the terms are these days.
>> If you are on the wifi network, if they paid for it, and join, you can get code running on their head unit. What can you do, Chris?
>> We wrote a thing called GPS 3000. It tracks GPS. It's got the car to spit out GPS coordinates. Web server and upload to Google Maps. And I tell when Charlie is going faster or slower, and put it on the nice map, package that up and sell it to NASA and track everyone in here.
>> In the context of that, he's got no problem tracking me but not driving next to me. This is not like we get code running and inject something in the process; this is just into this unauthenticated RTP service.
>> This is like, hey, where are you? Here I am.
>> This is the feature of D-Bus.
>> We can do other stuff. You can just turn it on. Pass a number and it goes. Additionally, you can turn the radio and volume up. [video]
>> Nothing. No wires. No computers. Hey, Charlie, give this car some style. Change the channel for me, if you could. There's some hip-hop. Turn that up.
>> It's so loud that you can't even hear yourself thinking in the car. [music playing]
>> So he turns it off. It goes back to normal.
>> Hot 103 it is.
>> So that's what you can do through the radio. We haven't talked about physical control. You can't do it yet. It takes more work. We were jazzed, but you still need to deal with joining wifi. Can you do this with other interfaces instead? Other services are actually bound to other interfaces, not just wifi ones. So maybe we can do it over cellular. First things first, to see we can do it we need to find out what the Jeep IP address is and see if we can talk to it. The IP address is on the Sprint network. And the other is at internet.
>> If this Jeep is connected to your web server.
>> The first thing is the cell tower will block access.
>> I tried to buy one, but it's registered as stolen. I had to sign up for a Sprint contract to get another cell I can use.
>> So once we are on the Sprint cell, we can actually talk to that port, 687. This is like a huge win. Now we don't need to talk over this wifi. Every car that is on has an IP address and cellular turned on.
>> You may not even know you have it; it's on. The cool thing is the only thing we have to change in the exploit is the IP. Doing it over cellular instead of wifi. The same Python, but now we need it on the cellular. There was no re-factoring; our test cases were good and no additional regression was needed.
>> So cool, it's working on that. I tried on my cell phone from the same cell tower. So that thing we bought, throw it into the garbage.
>> The Sprint contract, don't need it.
>> So let's see, probably we were on the same cell tower; it might block it if it's a different tower. So I drove far.
>> I don't know.
>> So Chris tries it from Pittsburgh.
>> From the Windows phone.
>> He's making excuses. So he tried from Pittsburgh. Doesn't work. There's some sort of, the amount of cars you can attack is less than Pittsburgh and within a certain range. You turn your car on and you start driving. An hour away from the house, I tried, and it still works. If you notice some people gassing up there, we are hacking the cars. It still works.
>> Can you try computing better? I was doing it from the phone with some shit from Windows phone. Instead I had to pay more money to Sprint to make the hotspot work. I can test Charlie's car from Pittsburgh, and we found out later nationwide.
>> So now you can hit any car on this vulnerable port from the whole country. Way better than wifi. So that was fun. And a little scary. By then we had told Chrysler about this. They didn't tell us how many cars are out there. So let's find this out for ourselves.
>> So we start; masscan was really good. Basically we saw that every time the car booted up it was on one or two class A's, 21.25. So we started scanning those things.
>> Either thousands on the Sprint network or a lot of vulnerable cars. So then remember the D-Bus service, it's just like a web server. We made a couple of requests for these cars. Every time you turn on your car, maybe it's just like five cars some dude [inaudible]. So we, you can get GPS info like you have described on the tracker, and VIN number. That's the technique: you can start figuring out how many cars there are. So we built one scanner called "Shut Up Dave." So Dave likes to talk about junk hacking. It's so easy. No impact. So shut up, Dave. It's a scanner. It looks up the VIN to see what kind of car it is. And then you find other vulnerable cars. Here's the cars that we found on the internet that were vulnerable to this particular attack.
>> Anything from a Dodge Viper to your pedestrian Chrysler 200.
>> It took all 7 white hats not to hit a Viper. I didn't do it because we are ethical. At the time Chrysler told us it was only 2014.
>> So we tried to figure out how many vehicles were out there.
>> So one day I was out running, and we should figure it out based on repeats of VINs we see. If we see tons of vehicles and they are almost all duplicates of each other; if you don't see duplicates, there's a ton. There must be a formula for this. I googled. Biologists had something to track owls. So the population. So our estimate came to be 400 thousand.
>> Which we were way off, and there's 1.4 million.
>> So the owl thing didn't work very well.
>> But we want to be conservative with our estimate.
>> At this point we can do stuff on the radio and we should be ready to go.
>> Not the case.
>> From this diagram.
>> I made this diagram and now I have to call myself a liar. The radio does stuff, both CAN buses, and communicates with the outside world. You have to get on the OMAP chip. How do you physically control this car? The air gap was an air gap with a SPI line, a serial line, between it. So all the cars that we've ever talked about, there's always separation. When car companies say our entertainment telematics system is separate, they mean that it's going to take two steps.
>> It's two separate chips but not actually separate.
>> From the OMAP chip you can't send the information.
>> Or we gave up.
>> I'll state it's impossible. But it can relay information. Hey, you know that 5th CAN message, send that one. But not send an arbitrary one.
>> You look at the stuff and architecture and figure out maybe you can update the firmware on this. Luckily for us we knew it existed; you can download it.
>> When you get the USB stick to update your car, it can update the V850 chip. The OMAP chip can update the V850 chip.
>> And on the head unit there's an IOC update; it takes a firmware image. There's no code signing. Maybe you backdoor it. Do whatever.
>> So we backdoor it. You can talk to it and send messages.
>> The next is reading data sheets, data sheets on data sheets. You get that firmware you want to look at, find the base address, create segments. So this took a really, really long time. We are breezing through it because the paper covers it and nobody wants to watch screenshots. We eventually found out here is where you can send CAN messages. You can send the CAN message. All the code regions do that, but there's no region to call the OMAP chip. We found the SPI parser and overwrote that code to jump over and down to handwritten shellcode that would take chip from the SPI line and interpret them as CAN messages and send them to the CAN bus.
>> On the side. We could've still gotten arbitrary code.
>> There's a bunch of handwritten shellcode that we wrote. Put it in ROM. And that way we can command on SPI and send arbitrary CAN commands.
>> It's not designed to update and drive around. It's supposed to be people hitting stuff. It's all in the paper. It wasn't perfect; if you screw up the flash, the second chip, you are headed to the dealer.
>> Luckily we bought the car brand new, so under warranty. Customer service was amazing.
>> I never lied to them. The screen doesn't turn on anymore.
>> That's true. Because I broke the firmware.
>> They say we will start over a couple of times. And we know that's not going to work.
>> Disconnect the battery. Anyway, a couple of mistakes and a couple of times at the dealer, but it's all good. So we've given you all the pieces to do that. Let's go over it again. First, you find the IP address for a Jeep. If you would want to find your girlfriend's Jeep, that's harder. You tether to a Sprint phone and exploit the OMAP chip.
>> You spend three months rewriting.
>> You only have to do that one time. And then send messages. This isn't actually in Greenberg. He was in the crash zone. Let's see what this looks like in its full glory. That's computer hacking right there. So you'll look, right now the exploit is running, downloading the modified firmware. Flashing the chip. The screen goes black. So you wait. And go for it. There. Now, it's rebooting. [overlapping video audio]
>> Right now that's an over-the-air firmware update, and mitigate the car and send CAN messages.
>> Hold on. I'm going to hit hack and another hack. It didn't work. Put that on CSI Cyber. They should. So there.
>> And then the windshield wipers go.
>> Now you may applaud.
>> Another thing to notice, there's snow on the ground. It's not a hack-a-thon. We are responsible.
>> The mechanics tool cost us $7,000. It was all Java. There were encrypted files. Luckily it was Java. They use an awesome password. So that's how we decrypt their file. The lesson learned: if you are putting that stuff on the mechanic's computer, it will always be figured out. In the paper it says the commercial one they use.
>> That's not going to stand out.
>> Checksum, we didn't know what they did. When you don't know, you reverse engineer. You put it in C, Python, and that's what you do. Now you can send messages by putting our own data bytes in them. Now we can do arbitrary volume. Et cetera. You need to figure this out if you want to send CAN messages on the bus.
>> We know passwords, authenticating it. We need to figure out what message to send. Last talk we did the pre-collision system to engage. We piled a bunch of boxes. Resend them later to get the brake to engage.
>> And this is car hacking. The engagement did not engage.
>> After the talk people said that system will engage only when it's metal. So you set your trash can in an empty parking lot. But the problem is random people walking by. So we found another place slightly more abandoned. And we did it again. So the camera cuts out here for some reason, which you will find out. Notice how fast we came around this corner. This is in front of a school. Charlie's kid's school. I send a lot of money to send my kid to school. And you will see why the camera blocked. [video] Pre-collision system does not work with a metal trash can. The camera was destroyed. So now we know; we got the messages a different way. We start to do stuff. And that's what our Lua script looks like. So we can do things like turn on the spray, windshield wiper turns on. And you can do things like turn signal. Speedometer. Going 70, I make it say 40. I swear I'm going 40 miles an hour. I literally have video that I was not speeding, officer. You can do the locks. Charlie locked the car. And over the cell, hacked it, unlocked the door. I figured Charlie bought my coffee. And then I stole everything from the car as well. You send the message to make the transmission stop working. The gear indicator light is blinking, which it shouldn't. Anyway, I'm stuck. So there are other kinds of messages you can send. Let's just watch the movie.
>> Everyone loves movies.
>> There's brake. But it's not going to work. So when we were driving we don't line up with a ditch. We haven't been able to do that speed. There's more details about how to send more complicated stuff on the CAN network.
>> Send messages and only get the messages and there's no arguing sending the right stuff.
>> The other one, it listens to who was loudest. Chris was always the loudest. Hear me. And Chris watching.
>> You can see the granularity of the control. Parallel park it. There it is.
>> I missed. We are almost done.
>> Braking again. We had preconditions. We already did this once before with cars.
>> Here's the brakes go off. So we are super responsible. We disclosed everything. We disclosed in October. Super coincidence, and the recall happened on that same day.
>> We made two organizations that were not working well, but this forced them to work together.
>> Recall stuck, but when you block on Sprint, no car is vulnerable. We found this on the internet; it's a rendition or recreation of us disclosing to Chrysler in a boardroom. [video]
>> I am super pissed and those guys looked super scary. We tried to test on more cars. Our friends wouldn't let us borrow their Jeep.
>> Awesome job. This is what hacking and getting things fixed is all about.
>> As of right now we can't hack these cars. On the wifi, you can no longer buy wifi from the rip-off place for $30 if your car is not updated with the patch. So no car is vulnerable. That's what we want. [applause]
>> Impact: a recall has never been done this big. Hackers make a difference; this is a cool time to be part of this. You can affect government, business, and not just tech companies or infosec companies.
>> This legislation was introduced the same day as the Wired video.
>> Sometimes you can make a company drop $40 million in market cap in an afternoon. If we were less ethical we would have shorted it.
>> We didn't. The point is that they are not going to listen to us, but they are going to listen to stakeholders when they are losing money. Those kinds of bugs don't do anything to the stock guy.
>> And they will follow you on Twitter after the article.
>> So if you want one more Twitter follower, hack a car, and that company will follow you.
>> Hackers need to hack, but now we can make a difference in other sectors that aren't ours. Hackers make a difference. Everyone give yourselves a round of applause for being in the industry, for changing the world. [applause]
>> Thanks.
