CAR HACKING VILLAGE - Automotive Evidence Collection – Automotive Driving Aids and Liability
Formal Metadata
Number of Parts | 322
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/39854 (DOI)
DEF CON 26 | 125 / 322
Transcript: English(auto-generated)
00:00
My specialties are primarily SCADA systems, automotive systems, medical device testing. Essentially I really like embedded systems, anything that impacts modern life as we know it. A lot of times we work with wireless systems and airborne systems.
00:21
Quick disclaimer, obviously opinions are my own, not my employer's. We're not picking any particular vendors. Even though we try to remove logos, some things are just going to be way too obvious about who things belong to. In some cases when we actually point out a vendor, they're the vendors who are doing things slightly better than others.
00:40
So since we're talking about automotive forensics, this is where the story usually starts. A wreck, possibly some fatalities, perhaps a fire that won't extinguish for two or three days. Have you all seen the headlines? There's often a crash and you see a sensationalized story in the newspaper about the particulars of the crash.
01:04
How fast the vehicle may have been traveling, about what the driver may or may not have been doing, what the driver may or may not have been using, such as a cell phone or a DVD player at the time. And I'll point out that the article mentions a black box.
01:22
I'm sure you've heard all of them mention a black box with airplane crashes. Your vehicle also has a black box. When investigators are working a crash or some kind of an incident, their primary source of data is a black box.
01:41
Since the black box is actually regulated by Congress, there's a law about what the black box stated on the vehicle is supposed to contain and for how long. Other common sources, many of our vehicles now have a GPS. If you have one of the newer luxury vehicles, you may have a LIDAR. You and your passenger will very likely have a phone, which will also be recording data
02:04
and shoveling it back to Apple or Google, Chinese government, all three. You're typically running a slew of apps, including Waze, Google, again, Apple Play, a number of other applications which may be uploading in real time.
02:22
You may be running an external GPS unit, such as one of those Garmin units, which constantly puts a breadcrumb along your route. Again, a reliable source of data, mostly. Quick mention on LIDAR. There's two types of LIDAR systems, one that performs real-time acquisition
02:43
and another which simply tries to get a baseline and contains an internal database of supposedly all roads that you're supposed to be able to drive and then tries to do quick pattern matching. Again, most modern phones, unless you have a flip phone, have a built-in GPS,
03:01
have obviously a cellular connection, so it's doing GPS trilateration. In order to be E911 compliant, it's constantly trying to determine its position and point in time, and of course it's using Wi-Fi technology such as Skyhook, again, to help narrow down its location. Even if the Bluetooth and GPS are off or don't currently have a signal.
03:21
External GPS units, even U.S. units, in addition to the GPS system, typically have GLONASS and Galileo. If you're in APAC, you may also be using BeiDou or IRNSS. Typical GPS threats, again, we have jamming, spoofing, and detection.
03:45
We have RF jamming, which is simply filling up the radio frequency, whether it's L1, L2, or L3 band, or you can actually have more sophisticated protocol jamming, where you're actually trying to speak GPS protocol, but broadcasting inaccurate data may actually cause segfaults
04:02
on some of the external units or cause them to lock up, as opposed to just not being able to receive a signal on a typical band. You can have an active degradation attack, where the quality of the signal may drop from being able to position yourself within three meters or five meters, but within several hundred meters.
04:21
That would obviously complicate forensics or any kind of incident investigation. One of the less common attacks is actually enhanced accuracy. It makes the victim think that they actually have a far better idea of where they are than they actually do. You can actually make somebody who has, for example, 500-meter accuracy
04:41
think that they have one-meter accuracy, which is fine granular, which is basically this amount of space right here, and may make them act rashly or drive faster, because they think they know exactly where they are or where they're headed. And of course you have location spoofing. Much more sophisticated, more advanced timing attack,
05:02
requires more hardware, but it has been seen in the wild. Of course you don't really even have to have a sophisticated attack, because people will follow their GPS anywhere. It's 2018, and this is a screenshot from an old story, but usually I can find five or six of these every single year,
05:21
where the car says turn left, and this is a boat ramp, and people will drive right in. GPS spoofing, as I mentioned, a fairly sophisticated attack,
05:45
requires a lot of resources, more commonly seen at nation-state level, but we have seen it at a sophisticated criminal level. It has been more successfully used against ships. First of all, they're isolated there, they're in the middle of an ocean,
06:00
there's no street signs, there's no Wi-Fi or other assistive technology, and they tend to be a more attractive target. It's possible to obviously divert a ship into unsafe shipping channels, divert the ship towards an underwater obstruction, when the ship captain actually thinks that they're sailing through a clear channel.
06:22
GPS jamming is dirt cheap, as little as $12 in some cases from the dongles that we've seen. From the informal testing that we've done, something like that can actually affect three to four cars around the vehicle that's actually using it. So these are sold to prevent employee tracking.
06:42
So if an employer issues you a vehicle, for example, and they want to know where you are, an employee who may want to fuck off during lunch will plug one of these in, and their employer is not going to be able to track them, except it will also affect the number of vehicles around them. And then we have some significantly more advanced packages.
07:03
Some like that will impact several city blocks quite a bit further. We have a saying in radio, height makes might. So if, for example, you were to take this up in a helicopter with you or to 52nd floor, you're going to have a much better footprint. Sadly, it's not a nation-state level attack.
07:21
It's around $2,000, which, again, for a sophisticated attacker is pocket change. There's very few solutions in the market for detecting GPS jamming or especially GPS spoofing. We're not going to get too deep into this demo. So before we move on further, a quick definition of what is positioning.
07:44
It's not simply location. You want to know your location at a given point in time, simply saying your home is not enough. We need to know that your home between certain hours. And you want to know change in location over time. You want to know when you got to that location and when you left that location. Otherwise, the location data is essentially worthless for investigation.
08:05
So the so-called vehicle black box, it's actually, well, it's usually not black. It's actually called an event data recorder. The Congress has mandated every vehicle produced since 2014 have one. It typically has five to 20 seconds loop of data recorded, continuously written.
08:22
And once the body impact sensor or one of the other crash detection or crash prevention systems detects an event, it's going to start saving that data. And if everything works correctly, it's going to prevent EPROM from being overwritten, which actually doesn't work too well.
08:40
So there's 15 data points which have to be written by law. Most systems today use around 30 data points. Some of the most common ones are obviously velocity, which is how we know the vehicles do 120 miles an hour, throttle position. If you've seen some of the headlines about the gas pedal or the brake pedal being stuck, that's how we determine if the driver was lying
09:02
or if the driver confused the gas and brake pedal, if they were going full throttle or actually trying to brake. Seat belt use, very useful in postmortem if the driver didn't survive or in litigation with the manufacturer. Steering, we can determine whether or not somebody swerved towards the crowd
09:20
or away from the crowd and if the vehicle skidded. And of course, airbag deployment. So as much as I hate to mention Tesla, actually Tesla gives us a really good data point, whether or not somebody's hands were on the wheel. Again, essential for investigation because we want to know if the human was driving
09:40
or if the driving assistant was driving. It's not an autopilot, it's a driving assistant. Eye focus, there is an internal camera which can actually determine if you're looking straight ahead or if you're looking down at your phone or messing around with the DVD player. And if the vehicle is equipped with LIDAR, it actually is able to save LIDAR data.
10:02
For some reason, I can't get the slide to... Oh, okay, it is playing, cool. So this is actually what a crash looks like from the standpoint of a Tesla. This was a crash in a parking lot and this was actually the vehicle driver's fault. They confused the gas and the brake pedal and they hit the townhouse.
10:23
So, pretty useful investigation combined with other data. For those of you who know about forensics, even if there is no standard for how something should be done, you have to use scientific methodology, meaning the steps should be recorded, they should be repeatable.
10:41
You need to be able to measure the error rates and prove what the error rates are and you need to try to align them with some sort of industry standard that already exists whether in automotive investigation or in computer forensics. There's three main ways to interrogate the so-called black box
11:01
or the event data recorder. One is roughly a $12,000 toolkit. One is directly over OBD2 port, which is not supported by every manufacturer. Or the other way is to actually crack the device open and connect directly to the EEPROM. Tools, as I mentioned, they are public, you can buy them.
11:23
All you have to do is send a $12,000 check. They also take credit cards. They refuse to send me a free sample. The nerve. Many of you, well, not many, some, especially US vehicles,
11:42
do support communication over CAN bus. So if you actually know the commands, you can download data from the event data recorder over OBD2. The communications are encrypted. Again, on certain forums, you can get your hands on the keys, but it's a little bit problematic.
12:03
This method, the biggest issue, of course, is that it induces data changes. Meaning, as you're reading the data, you're actually introducing errant data. If the black box failed to record data from one of the sensors, which is very common, it's actually going to write errant data.
12:21
So the crash is a pretty violent event. Right now, when you're sitting down, you're exposed to one G of force. During an impact, your vehicle can experience as much as 26 Gs of force, meaning a lot of electronics, even hardened electronics, will fail. So it's not that uncommon to not receive data from sensors for the last few seconds. Again, crashes are an instantaneous event.
12:41
It's an elastic collision. It can actually last three to five seconds as all your crumple zones meet their final position. This third method is the actually preferred method if you only have access to a $12,000 tool
13:02
and you don't want to cause data spoliation. Looks a little overwhelming. All you have to do is find your event data recorder, crack it open, find the EEPROM chip, connect the clips, connect the Bus Pirate, and start dumping data. And hopefully not find anything in the meantime
13:21
and hopefully videotape everything or preserve data to essentially prove to court if it comes to that what the data was at the time of collection. I actually have a device with you if you want to practice later in the Car Hacking Village. This is an event data recorder
13:40
that was pulled from an American vehicle. Don't look at the label. This vehicle was involved in a crash, but the airbags did not deploy. So some of the interesting things with this.
14:00
Privacy concerns. Many states do not have laws about how or when the data can be pulled from the event data recorder. Even though you own the vehicle, you essentially don't always have a say in whether or not the data can or should be pulled from your vehicle. We've seen the data pulled in divorce cases, which is absolutely idiotic because I mentioned they can save up to 20 seconds,
14:22
but some attorneys know that it records vehicle position, and they get court order to pull data from a car, and it gets them absolutely nothing useful, but the judge grants them the warrant. This data is not remotely accessible. There should be a star next to that. The one exception is Tesla.
14:42
We know the data is stored remotely offsite. We've actually been able to prove that some Subaru Outbacks also store some data offsite. The luxury models that have been with 4G modem will upload and sync data opportunistically. So 12 states do have court rulings
15:03
about search warrant being required by the vehicle. That means that 38 states currently do not. The data is considered the property of the vehicle owner. However, after a crash, if your vehicle was towed, you essentially lose control of the vehicle. The tow truck driver can consent on your behalf, or the police investigator can go out
15:21
to the garage where your vehicle is stored and start pulling off data because there are no hard laws about that. So we mentioned... Sorry? Even cases where a warrant is required, the police can still go and pull the data, and after the fact, they act in good faith. So unless you have a lawyer in standby,
15:41
they will go and issue an emergency injunction. You are SOL because the data has already been pulled off your vehicle, and the judge will just rule the police act in good faith. I mentioned civil lawsuits. You have the case of people being hurt in an accident, and the dispute is whether or not
16:02
the accelerator was pressed down or whether or not the brake was deployed. And again, whether or not the person caused the crash by looking down at their phone or whether their automotive driving assistant actually caused the crash. Right now, there are several interesting cases in the courts,
16:22
both the United States and China, about liability in the case of the driving assistant being the primary cause of the crash. As I mentioned, two primary methods of access. We have the diagnostic port,
16:41
which, for those of you that don't know, is this OBD2 port that all your vehicles have, unless you have a vehicle prior to 1992 and 1996. And you have the airbag module, also known as the body impact module. Sometimes they are combined together into one single unit. If they are combined together, it looks a little bit like that.
17:04
Now, I typically found under the driver's seat or in between the driver and passenger seat. It's bolted in pretty well because, again, you need to be able to feel the impact of the vehicle, feel acceleration, deceleration. It has a number of sensors on board, an encryption module, which is supposed to encrypt the communication
17:21
between the CAN bus and the EEPROM chip, and a completely unprotected EEPROM chip with no tamper detection and no tamper protection. So direct access over OBD2 was pretty straightforward. Now we get to the part of don't try this at home.
17:44
I'm supposed to tell you that there's a liability because this module can trigger your airbag in a vehicle with multiple airbags. It actually can kill you because an airbag deployment does produce enough force to fracture your skull. It does have built-in protection, meaning if there's an electrostatic discharge, it's going to err on the side of caution
18:01
and deploy the airbags. As I mentioned, the airbag module is often integrated with the black box. This particular one isn't, but this is actually more of an exception to the rule. The states that currently have regulations about who can have access to data and when.
18:23
As I mentioned, the other 35 states are undetermined right now because there's insufficient court rulings or no court rulings. No cases have come up to the federal level as of yet. We are monitoring the case in China. That's due in court, we believe, in October. So that's going to be really interesting.
18:45
So some of the interesting takeaways. The EEPROM chip onboard, once you crack the case open, as I mentioned, does not have tamper detection or tamper protection. The chip cannot know when it was last accessed or if the data was written properly by the car sensors or if I opened the chip, opened the body prior and wrote errant data to that chip
19:02
just before the investigators got their hands on it. No tamper detection. For example, the black box that's here in your vehicle could be modified. There's no way to externally determine it because there's not even a very simple seal over it. As you can see, there's not even a gold foil seal over it. So I can literally just unplug this and plug this into somebody's vehicle.
19:24
No protection at all on a board or chip level. There is one manufacturer that sells hardware locks that cover your OBD2 port, but it's a plastic part that covers up a plastic part, so it's essentially protected by goodwill.
19:42
Sorry, this is a very compressed version of a one-hour-long presentation that just kind of shrunk down to 25 minutes, plus a fire alarm. But if anybody has any questions, you can take them now, or also you're welcome to play with this after the talk and try pulling data off of it. Any questions?
20:08
Obviously available to answer questions over e-mail or right outside this room. And I'm now going to hold up the next speaker. Oh, yeah, go ahead.
20:21
Oh, yeah, absolutely. So commercial vehicles such as 18-wheelers also have these sensors. The law covered not just personal vehicles, so trucks do have them as well. They actually typically have more loggers because there's a separate one for the cargo compartment and a separate one for the actual rig.
20:44
Modern trucks also collect a lot more data. It'll be interesting to see what the Tesla truck is, but a lot of truckers now use dash cams, which, again, would make great evidence. Truckers are very annoyed with cars cutting them off
21:02
because they're big and slow, and they do really annoying things like follow the speed limit. But I have not had a chance to steal a black box from a truck, but my understanding is that they work exactly the same way, simply because of the regulations. Regulations didn't distinguish between buses, trucks, or passenger vehicles.
21:29
The legislation only covers the United States, but because the U.S. is such a major consumer, the vehicles that are made to serve the U.S. market are also very similar vehicles to what's made for other countries. So the black box is still in there.
21:43
We know that the vehicles that crash, for example, Saudi Arabia, have the same black boxes because, again, you see the same headlines with the same data being pulled up. And again, as I mentioned, there's integration for the airbag deployment.
22:05
Good question, yes. One of the screenshots I had, you can actually see a good-sized capacitor on it.
22:21
Find the screenshot in a hurry. So yes, there is a large capacitor. From what we've seen, it'll give you about 12 seconds of data. The collision data that I've had access to had lasted for maybe five seconds, at least the important stuff. All right, thank you, folks, for coming.