Cheap Tools for Hacking Heavy Trucks
Formal metadata
Number of parts | 93
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/36290 (DOI)
Transcript: English (auto-generated)
00:00
All right, DEF CON, we're going to make this fast. This is a short talk, so I'm going to just get them rolling. Please come in, find a seat, and enjoy your talk. Without further ado, this is Haystack and Six Volts. Let's give them a round of applause. All right, go, guys. Hi there, I'm Six Volts. And I'm Haystack. And we're
00:27
going to be talking about cheap tools for heavy trucks. So, there are a lot of differences between cars and heavy trucks, and we're going to be talking about some of those. We're also going to be talking about the R&D problems we face and how we get around them. And
00:44
we're also going to do some very preliminary stuff about networking protocols and standards. There's a lot to go over, so we're just going to dump it all in a white paper for you to read if you really care that much. We're also going to go over a new hardware tool that we built that should save you some money if you want to start getting into truck hacking, and also go over some light truck hacking
01:04
adventures that we've had. Some quick notes: we're going to assume you're familiar with basic vehicle networking; if you're not, Google it. We assume you're familiar with the idea that if you get on the CAN bus, you can do bad things. We are leaving out lots of details that are going to be in the white paper.
01:22
Check the GitHub by the end of the week. And a safety disclaimer: if you hook up to a truck and start fuzzing it while it's moving, bad things could happen. Don't do that; we're not responsible if you do. We have done that. Do as we say, not as we do. So, trucks as we talk about them are really anything with a big
01:40
diesel engine in it. The thing that most people are familiar with is semi-trucks, Class 8 over-the-road vehicles, but also dump trucks, wreckers, marine engines, big generators, agricultural equipment; anything like that is all going to work largely the same way and is going to be made by the same people. An
02:01
exception is a diesel pickup truck, so if you see Bubba in his Cummins Dodge Ram, that's just going to act like a regular passenger vehicle. So, many of the components that are in trucks have to be interchangeable. You can get a Peterbilt truck with a PACCAR engine or with a Cummins engine, and you used to be
02:23
able to get one with a CAT engine. So all of those parts have to work interoperably, like the brake controllers from different vendors, the engines, the transmissions. So they've had to agree to this standard so that all the electronics can speak to each other and the truck can actually work. One of the major differences with heavy trucks is, if you do anything with passenger vehicles, a
02:43
big part of your job is reverse engineering the protocol, because every manufacturer has their own thing. With heavy trucks, with big diesels, that's all been decided upon by the Society of Automotive Engineers beforehand, and it saves you a lot of time. So you may have read something in Wired recently; those guys just took a
03:00
standard and injected traffic, and sure enough they were able to cause unintended braking and acceleration. So, we're going to talk a little bit about the telematics attack surface. Most heavy trucks that are out on the road in a fleet have a dash-mounted touchscreen that controls the driver's logs and navigation, gives them a way to
03:21
communicate with the fleet, kind of like email, and in emergencies contacts the fleet and allows the truck driver to talk back to them. They use the cellular network to connect to the telematics provider in the fleet, and these devices connect directly to the CAN and J1939 bus, and also the legacy 1708. Many of them
03:42
run embedded versions of Windows, like Windows CE or XP Embedded; that's kind of scary to me. Yeah, we've had some luck with rooting them by doing things like popping an SD card out of the back. So a big problem that we had when we started getting into this is, trucks are expensive. So, like, a Freightliner Cascadia,
04:02
something like that can cost over 100 grand. Ouch, I do not have that kind of money. And for the aspiring hacker, even if you're rich, they're big, hard to store, hard to drive. I can drive a 5-speed, a 6-speed, a 1-down-4-up, but I can't drive a 14-speed. And they're also expensive to operate. So we
04:25
didn't have one, and we still don't; we're trying to get one. So how do we experiment? We built this thing. We call this the truck in the box. This is a bunch of components out of a heavy truck: the engine control module, the instrument cluster,
04:42
there's a couple of other things hiding in the back there, a power distribution unit and a National Instruments cRIO. We quit using that, but... and then the knobs are a bunch of potentiometers for sensors. The first one took about 6 months to build and cost about 10,000 dollars, but that's still... Thanks, DARPA. But that's still a lot
05:01
cheaper than the cost of a truck. Since then we've built over a dozen of those full-size ones for different trucks and engines. We later compressed the concept into the size of a circuit board, but that's not pretty, so we're not going to show it off. So the concepts of the truck in a box: we wanted to recreate the vehicle networks, including J1939 and J1708. J1939 is built on CAN; J1708 is kind
05:26
of RS-485; it's similar to J1850. It also fakes passive sensor signals. So usually oil pressure sensors and temperature sensors and things just
05:41
measure voltage or resistance, and ECMs, the engine control modules, tend to freak out if those things aren't present, so we're just trying to keep it from freaking out. Some of the more complicated signals are things like the accelerator pedal and the way the vehicle measures its road speed. This is a tone ring that's on the back of the tail shaft underneath the truck.
06:04
On the left here we've got the actual sensor, and that tone ring spins past that sensor generating a magnetic field, so we hooked one up in a vise and put the sensor next to it, and then you get this kind of signal. So we can RE that signal, characterize it, and then play it back to the ECM, and we can actually put
06:21
miles on the truck on a bench. So I already talked a little bit about the 2 main networking protocols. J1708, like I said, is RS-485-ish, 9600 baud; there are some slight transceiver differences. And then there's also another SAE standard called J1587
06:41
that specifies everything all the way up to the application layer. J1939 is similar, but it's built on 250K CAN; if you're into this, you know the passenger cars are 500K. We also see ISO 15765, but only for diagnostic comms. Details in the white paper, like all the different protocol details, if you wanted to write your own
07:00
implementation, we should be able to give you enough information to do that. So for J1708, the older protocol, messages are time-delimited and you've got these things called MIDs and PIDs. The MID is analogous to the CAN ID; it's the first byte, and it tells you who on the network is
07:21
talking, and the PID comes right before any data in a message. So PIDs and data come after the MID, and unpacking those PIDs and the data is how you figure out what messages say. Mostly older trucks will have only
07:41
J1708; there was a period where they would have both networks, J1587 and J1939, at the same time; some newer ones will have components that use it. And then also there are these things called gliders. If you're a hot rod builder, you'd know it as a rolling chassis. People will order a truck with
08:00
no motor in it, and the reason is because emissions regulations go by the date of manufacture of the motor and not the date of the truck. So they will have everything but the motor made, and these things will last for 2 million miles pretty easily, so they'll put the older motor in it. So you may see new trucks with old networks and old engines in them. So J1939 is the newer protocol, and it's based on 250K
08:24
CAN. It's got extended IDs that are 29 bits long instead of 11-bit IDs like they are in cars. Sometimes they have some basic specs for source and destination, but those aren't enforced. There's address management, there's a transport layer, message fragmentation. There's about a dozen different documents that
08:42
you can read through that are published by SAE, but they're all kind of thick. There's a couple of parameter group numbers, which are just like a message type, that are reserved for proprietary communications, and those are the fun ones. And then also there's the vehicle diagnostic link connector, which is called a DLC or a DLA; this
09:01
industry is terrible at acronyms, so there's always like 5 acronyms for the same thing. It's similar to an OBD2 scan tool in a passenger car. Also, it's OBD, on-board diagnostics, not ODB, who is a founding member of the Wu-Tang Clan; people mess that up constantly, and it drives me a little nuts. It's basically a USB slash serial slash
09:25
slash Ethernet to J1939 to J1708 bridge. These things are incredibly overpriced; they come at like $700 or $800, and it's seriously just like, I converted one thing into another thing, and it's two chips that they bought from someone else and soldered onto a board. RP1210 is a standard that governs
09:46
functions exposed by their drivers, so observing those driver calls is an excellent strategy for dynamic analysis of OEM software, because they always have the same name and they always have the same arguments in the same format, so you can sort of get a running
10:00
analysis of what the different software packages are doing at various stages of ECM interaction. So we're releasing a new tool called the TruckDuck. It's a cape for the BeagleBone; it gives you two CAN channels and two J1708 channels, so you can do things like message filtering, recording, simulating ECUs. We've also got a custom OS image
10:24
with the J1939 kernel extensions built in, and then Haystack wrote some stuff for using it in Python. He's also written a J1708 implementation in the BeagleBone's PRU, which is amazing; they're like little built-in microcontrollers on the
10:41
thing. And this is what it looks like. Over on the right-hand side I've got the diagnostic link connector, that's the big DB-15, two screw terminals, those are the green guys, and then it's got the power circuitry so that you can power it from the bus. So another thing that we released is an RP1210
11:08
tracer. So for a while, when we would reverse engineer what these software packages were doing, and when we were trying to reverse engineer the proprietary protocols, the best option was to buy a diagnostic link connector whose driver
11:21
has debug logging capabilities, so you would flip a little switch in the driver software and it would say, you know, I sent this, received this, received this, sent this. The only one we know of costs $700; it's like the Cadillac of DLCs. That can be a lot of money for some people, especially if you're just doing bench testing on an ECM that you got at a junkyard someplace, like us. And
11:46
then I rolled an RP1210 API tracer that logs results of RP1210 function calls, so you're not dependent on the Cadillac of DLCs anymore, and it works with any of them, including the cheap eBay clones, for all two weeks that they work. And
12:01
it allows you to decrypt and translate on the fly, and when we get into the "what we did with this stuff" section, you'll see that a little bit. But what is it good for? Like, all that stuff I just went through, all that and a buck will get you a cup of coffee, like 10 years ago. So, you know, what can you
12:24
actually do with this? So, we wanted an attack, and we wanted to have a viable attack that could actually have some conceivable impact in the real world, but we didn't have a truck, so this presents an issue. If you're not driving
12:42
something, it's very difficult to tell when brakes are applied when you have no actual brakes. So we needed something that we could do in vitro, and the solution was malicious ECM misconfiguration: reverse engineer the protocol, and then model and send messages using that protocol to
13:06
misconfigure the ECM. So most of the parameter configuration is done over proprietary protocol extensions. We promised not to give too many specifics out, so that you can't do very bad things to trucks that are on the road, because that
13:23
would be pretty dangerous. We're going to give a demonstration of what is possible with the TruckDuck and the API tracing. So this is some proprietary traffic. You can see the messages here; I'll point you, so we can see the FE
13:41
there in the middle; that indicates that this is a proprietary message, and that's what you really want to look for. And the message down at the bottom is just something regular flowing across the bus. So, initial notes from analysis of this protocol: the same process, clicking the same buttons in the software, yielded
14:01
different network traffic every time. So this stuff was actually obfuscated slash encrypted, which is kind of unusual. A lot of the different manufacturers, including newer ECMs (this was a very old one), they're not encrypted or disguised in any way. Messages that appear to do the same thing
14:22
are the same length, so it's not too obfuscated; no one's, like, padding to a block length and then doing stuff. It's simpler. And this is where I yada yada yada past a bunch of static analysis I did with dotPeek and IDA, because this is DEF CON and I don't want to try to teach pros how to use dotPeek and IDA. So, after
14:44
after doing static analysis, I figured out what the bytes after the first 3 are. The first 3 are specified by SAE: the first byte is the source, the second byte says, hey, this is proprietary and it's interesting, the third byte says this is the
15:01
destination. In this case, this is the DLC talking to the engine. This next code is proprietary, and that's a security setup, and then this low nibble over here on both ends, these are kind of degenerate keys. There's obviously not a whole lot of entropy in a 4-bit key, but that's what they got. And so they
15:25
pre-share that in order to carry out the rest of the protocol. So then, I found other command codes, so this high nibble: F was the security setup, D is an encrypted write, C is an encrypted read, and then E is an encrypted read
15:44
write response. So no matter if it's responding to a write or a read, that's going to be the format of the reply. The low nibble is the message code, and then there's this little formula where you take the pre-shared 4-bit super-high-entropy key, add it to the code in the message mod 4, and it indexes into a
16:04
character array that's buried in a DLL someplace. And then you just XOR it with everything. So it's XOR encryption made slightly less bad. So then, after we decrypt it, I modified the RP1210 API tracer to decrypt all this on the fly, and then
16:23
the pattern became a lot more comprehensible. You know, you can see that it's just a very standard call-and-response type protocol where you have a PID, and then it says, hey, you know, 6 0, I want to see that, and then you get a bunch of ASCII characters; I'd have to look up what that is, honestly. And so, what
16:44
could we do with this? So, now that we have this degenerate encryption algorithm and we know the PIDs and we can trace this stuff, if we get on the bus, we can set parameters in the ECM. So the one that we chose was hard
17:00
vehicle speed limit, so the governors in heavy trucks are just a byte that you write. And so we thought, hey, wouldn't it be cool if you just, like, froze a semi-truck at only being able to go 30 miles an hour? But that's still kind of boring, because if you can get on the bus physically, if you can get physical access, you can just cut the brake lines. You could compromise a
17:21
telematics unit and then have it send these messages during a key-on, engine-off condition, but we wanted to do a little bit more. So then, hijacking OEM software. Software is used in day-to-day operations of the fleet; we've talked about fleets being data-hungry before, and as a
17:42
result, they are pulling data off these ECMs after every trip in many cases. So they're always pulling this data, and so, unlike a passenger car, where unless you're throwing a check engine light and the dealership's putting it on a scanner, these things are interacting with software all the time, and so
18:04
there are a lot of opportunities for things to change. So I repurposed the API tracer, so instead of just decrypting and logging things on the fly, it's modifying, re-encrypting, and writing. So let's see what that looks like. This is a screen
18:22
cast, because showing the full ECM would give away the brand and I'm really bad at video editing. Also, I'm very sorry about the free-version trademark; this stuff is expensive, and this is on my own dime. Okay, so at the beginning I started the kind of degenerate truck rootkit. I very artfully blacked out the manufacturer logo.
18:47
This protocol is very slow, so I'm going to try to patter a little bit while it's getting set up. So here you can see that the vehicle speed was at 55 miles
19:09
an hour. Our hypothetical technician knows his drivers can't drive 55, so he decides to bump it up to 70, and as far as anyone can tell, that went fine. It was set to 70
19:23
miles an hour. And then after disconnecting we go and check and make sure that the truck mangler program is dead, and then we actually see what happened, and again we wait for the slowest vehicle protocol in the world. For those who didn't hear the
19:57
joke he made, Lynn is in fact very slow. But, there. So, you know, we can see that in
20:07
fact it was actually set to 30 miles an hour, and this guy would have gotten about a mile down the road and then would have had to realize that he had to turn back. And if you manage to keep this running and get persistence, there would be no
20:24
way to tell. So they would be checking mechanical issues over and over, so I think this is a very viable attack with real impact. So for future work, we're going to work on writing an RP1210 driver for the TruckDuck to allow easier traffic modification. It's even
20:40
cheaper than some of the eBay adapter clones that you can get. We also want to work on making the PC-side attack a little more interesting, so the technician doesn't have to actually modify a parameter; it can just do it once they connect to the truck. We would really love to do some deeper firmware analysis on ECMs, you know, pull some chips, read some data, and do some static analysis. We'll be in the hardware hacking
21:02
village and car hacking village if you have any questions. We'll also have an ECM and a bunch of live demos of this stuff, so it's not just a stupid screencast with a watermark on it; you can actually play with this technology. Thank you very much.