my specialties are primarily scalar systems or automotive systems medical device testing essentially I really like embedded systems anything that impact

modern life as we know it a lot of times we work with wireless systems and airborne systems quick disclaimer obviously opinions are my own not my employers very not taking any particular vendors even though if you try to remove logos some things are just gonna be way too obvious about who things belong to in some cases wouldn't be actually point out of the vendor there the vendor who are doing things slightly better than others so since we're talking about the all of them of the forensics this is where the store usually starts have rack possibly some fatalities perhaps a fire that uh one extinguisher for two or three days you all seen the headlines there's often a crash and you see a sensationalized story in the newspaper about the particulars of the crash how fast the vehicle may have been traveling about what the driver may or may not have been doing what the driver may not I mean I've been using such as a cell phone or a DVD player at the time and I'll point out that the article mentions a black box I'm sure you've heard all of them about the mentioned the black box with airplane crashes your vehicle also has a black box when investigators are working a crash or some kind of an exit incident their primary source of data is a black box since the black box is actually regulated by Congress there's a law about what the blacks black box stated on the vehicle is supposed to contain and for how long now other common sources many of our vehicles now have a GPS if you have one then you're our luxury vehicles you may have a lidar you and your passenger but will very likely have a phone which will also be recording data and shoveling it back to Apple or Google Chinese government all three you're typically running a slew of apps including ways Google again Apple play a number of other applications which may be a uploading day in the real time you may be running an external GPS unit so it's not such as one of those Garmin units which constantly puts a breadcrumb along your route again reliable source of data mostly quick mention a lidar there's two types of weather systems one that performs real-time acquisition and another which simply tries to get a baseline and it contains internal database of supposedly all roads that you're supposed to be able to drive and share entrusted you a quick pattern matching again most modern phones unless you have a flip phone has a built-in GPS has a obviously cellular connection so doing GPS trail iteration in order to be e 9-1-1 compliant it's constantly trying to determine its position and point in time and of course it's using Wi-Fi technology such as skyhook again to help narrow down its location even the Bluetooth and GPS are off or don't currently have a signal external GPS units even US units in addition to the GPS system typically have closest Galileo if you're in a pack you may also be using a bug you or IRNSS typical GPS threats again we have jamming spoofing and detection we have RF jamming which is simply filling up the radio frequency whether it's l1 l2 or l3 band or you can actually have more sophisticated protocol jamming where you're actually trying to speak GPS protocol but uh broadcasting inaccurate data may actually cause seg faults on some of the external units or cause them to lock up as opposed to just not being able to receive a signal on the typical bands now you can have an active degredation attack where the quality of the signal may drop from being able to position yourself within 3 meters or 5 meters to within several hundred meters that would obviously complicate forensics or any kind of investigation one of the less common attacks is actually adding enhanced accuracy it makes the victim think that they actually have a far better idea of where they are I didn't actually do you can actually make somebody who has for example 500 meter accuracy think that they have one year accuracy which is fine granular which is basically this amount of space right here and may make them act where actually or a drive faster because they think they know exactly where they are or where they're headed and of course you have location spoofing much more sophisticated more advanced timing attack requires more hardware but it has been seen in the wild now of course you don't really even have to have a sophisticated TAC because people will follow their GPS anywhere its 2018 and this is a screenshot from an old story but usually I can find five or six of these every single year where the Carver says turn left this is about ramp and people will drive right in GPS spoofing as I mentioned uh fairly sophisticated tech requires a lot of resources more commonly seen at nation state level but we have seen it at the sophisticated criminal level it has been more successful used against ships first of all they're isolated there they're middle of an ocean there's no street signs and there's no Wi-Fi or there assistive technology and they tend to be a more attractive target it's possible to obviously differ the ship into unsafe shipping channels divert the ship towards an underwater obstruction of when the ship captain extra things they're sailing through a Clear Channel GPS jamming is dirt cheap as little as twelve dollars in some cases from the dongles of you've seen from the informal testing that we've done something like that can actually affect three to four cars around the vehicle that's actually using it so these are sold to prevent employee tracking so if an employer issues you a vehicle for example and they want to know where you are an employee who may want to off during lunch will flood one these in and their employers not gonna be able to track them except it will also affect the number of vehicles around them and then

we have some significantly more advanced packages some like that will impact several city blocks quite a bit further we have a saying in radio pipe Nick's might say for example you were to take this up in a helicopter with you or 250 second floor you're gonna have a much better footprint sadly it's not a nation state level attack it's uh around two thousand dollars which again for sophisticated tacker is pocket change [Music] there's very few solutions in the market for detecting GPS jamming now or especially GPS spoofing now if we're not going to get too deep in in this demo so before we move on further quick definition of where this positioning it's not simply location it's a you want to know your location at a given point I'm simply saying your home is not enough we need to know that you're home between certain hours and you want to know change location over time you only know when you got to the location when you left that location otherwise the location data is essentially worthless for investigation so the so called vehicle black box it's actually well it's usually not black it's actually called an indent a the recorder the Congress has mandated every vehicle produced since 2014 have one it typically has five to twenty seconds loop of data recorded continuously Britain and once the body impact cents are one of the other crash detection of

crash prevention systems detects an event it's going to start saving that

data and if everything works correctly is going to prevent Iran from being overwritten which actually doesn't work too well so there's 15 data points which have to be written by law most systems today use around 30 data points some of the most common ones are obviously philosophy which is how we know that equals do 120 miles an hour the proposition if you've seen some of the headlines about the gas pedal or the brake pedal being stuck that's how you determine if the driver was lying or if the driver confused the gas and brake pedal if they were going full throttle or actually trying to brake she'd felt use and very useful in post-mortem if the driver didn't survive or in litigation with the manufacturer

steering VQ determines whether or not somebody you know swerved toward the crowd or are away from the crowd and if the vehicle skillet and of course airbag deployment so as much as I hate to mention Tesla actually Tesla gives us a really good data point whether or not somebody's hands were on the wheel again essential for investigation because we want to know if the human was driving or if the driving Justin's driving it's not all the pilot it's a driving assistant I focus there is an internal camera which can actually determine if you're looking straight ahead or if you're looking down your phone or messing around the DVD player and if the vehicle is equipped with lidar it actually is able to save lidar data for some reason I can get the slide - oh okay it is playing cool so this is actually where the crash looks like from the standpoint of a Tesla this was a crash in a parking lot and this was actually the the vehicle drivers fault they confused gas in the brake pedal and they hit the town house so pre useful investigation combines the other data for those of you know a little about forensics everything even if there is no stand up for how something should be done you have to use scientific methodology meaning uh the steps should be recorded it should be repeatable you need to be able to measure the error rates and prove what error rates are and you need to try line them with some sort of industry standard already exist whether in a automotive investigation or in computer forensics there's three main ways to interrogate the so-called black box or the event data recorder one is of roughly a 12,000 tool kit one is directly over obd2 port which is not supported by every manufacturer or the other ways to actually crack the device open and connect directly to the EPROM tools as i mentioned they are public you can buy them all you have to do is send 12,000 check they also take care of the cards and they refuse to send me every sample the nerve many Vietnam a some especially US vehicles do support communication over campus so if you actually know the commands you can download data from the event data recorder over the obd2 the communications are encrypted again on certain forms you can get hands on the keys but it's a bit problematic this method the biggest issue of course is the in the induces data changes meaning as you're reading the data you're actually introducing errant data if the black box failed to record data from one of the sensors which is very common it's actually going to fire their data so the crash is a pretty violent event right now when you're sitting down you're exposed to 1g of force during an impact your vehicle can experience as much as 26 G's of force meaning a lot of electronics even hardened electronics will fail so it's not uncommon to not receive data from sensors for the last few seconds again crashes are 913 use events it's an elastic collision it can actually last three to five seconds as all your crumple zones meet their final position this third method method is actually preferred method if you don't have access to 12,000 tool and you don't want to cost data spoil Asian looks a little overwhelming all you have to do is find your event data recorder crack it open find the EPROM chip connect the clips connect the bus part and start dumping data and hopefully not for anything in the meantime and hopefully videotape everything or preserve data to essentially prove no to core that becomes - that what the data was at the time of collection I actually have a device with you if you want to practice later in the car hacking village this was an event data recorder that was pulled from an American vehicle don't look at the label this vehicle was involved in the crash but the airbags did not deploy so some of the interesting things with this privacy concerns many states do not have laws about how or when the data can be pulled from the event data recorder even though you own the vehicle you essentially don't always have a say in whether or not the data that can there should be pulled from your vehicle we've seen the data pulled in divorce cases which is absolutely idiotic because I mentioned they can save up to 20 seconds but something attorneys know that they records the vehicle position and they get court order to pull data from a car and it gets them absolutely nothing useful but the judge grants him the warrant this data is not remotely accessible there should be a star next to that now the one exception is Tesla mean though the data is stored remotely off-site we've actually been able to prove that some super Outbacks also store some data off-site the luxury models are filled with 4G modem will upload sync data opportunistically so 12 states do have court rulings about search warrant being required by the eagle that means that 38 states currently do not the data is considered the property of the vehicle owner however after a crash if your vehicle is towed you're sent you lose control the vehicle the tow truck driver can consent on your behalf or the police investigator can go out to the garage Eagle store and start pulling off data because there are no hard laws about that so we mentioned more sorry even cases where warrant is required the police can still go and without pull the data and after the taxi they act in good faith so unless you have a Laurence stand by they will go and issue an emergency injunction you're Sol because the day's already been pulled off your vehicle and the judge will adjust world the police acted in good faith I mentioned civil lawsuits you have the case of people being hurt in an action and dispute as well is whether over or

not the accelerator was pressed down there of whether or not the brake was deployed and again whether or not the person caused the crash by looking down their phone or whether there are automotive driving is just an action caused the crash right now there's several interesting cases in the courts both the United States and China about liability in the case of the driving assistant than being the primary cause of the crash as I mentioned our two primary methods of access we have the diagnostic port which for those of you that don't know is this we you to port that all of your vehicles have unless you have a vehicle prior to 1992 in 1996 and you have the airbag module also known as the body impact module sometimes they're combined together into one single unit if they are combined together it looks a little bit like that now a typically found under the driver seat or in between the driver and passenger seat now it's bolted in pretty well because again needs to be able to feel the impact from the vehicle feel acceleration deceleration has a number of sensors onboard and the encryption module which is supposed to encrypt the communication between the can bus and the EPROM chip and a completely unprotected prompt with no tamper detection and no tamper protection so direct access / ob2 was pretty straightforward and now we get to the part of don't try this at home I'm supposed to tell you that there's a liability because this module can trigger your airbag in the vehicle with multiple airbags you actually can kill you because an airbag deployment does produce enough force to fracture your skull it does have built-in protection meaning if there's an electrostatic discharge she's gonna err on the side of caution and employed airbags as I mentioned the airbag modules often integrated with the black box this particular one isn't but this is actually more of an exception to the rule the states that currently have regulations about who can amp access to data and when as I mentioned the other 35 states are undetermined right now because there's insufficient court rulings or no court rulings no cases have come up to the federal level as of yet we are monitoring the case in China that's doing court we believe in October so that's gonna be really interesting so some interesting takeaways the EPROM chip on board once you crack the case open as I mentioned does not have tamper detection or tamper protection that ship cannot know when it was last accessed or if the data was written properly by the car sensors or if I open the chip open the body prior and wrote air and data to that chip just before the investigators got their hands on it no tamper detection for example the black box ensuring your vehicle could be modified there's no way to externally determine it because there's not even a very simple seal over it as you can see there's not even a gold foil seal over it so I can literally just unplug this and plug this in somebody's vehicle no protection all on board or chip level there is one manufacturer that sells hardware locks that cover your obd2 port but it's a plastic part that covers up a plastic part so it's a essential protective a good well sorry this is a very compressed version of a one-hour long presentation that just kind of shrunk down to 25 minutes plus the fire alarm but uh if anybody has any questions if you could take them now or also you're welcome to play with this after the talk and try pulling data off of it any questions obviously available to answer questions over email or Brad side this room and I'm gonna hold up the next speaker oh yeah oh yeah absolutely so commercial vehicles such as 18 wheelers also have these sensors don't walk covered not just personal vehicles so trucks you have them as well they actually typically have more more

loggers because there's a separate one for the for the carbon compartment and a separate one for the actual for the rig

the modern trucks also collect a lot more data it'll be interesting to see what the Tesla truck is but some of them I'll put a lot of truckers now use dash cams which again would make great evidence truckers are very annoyed with cars cutting them off because they're big and slow and they do of really annoying things like follow the speed limit but uh I have not had a chance to steal a black box from a truck but my understanding is did it work exactly the same way simply because the regulations regulations didn't distinguish between buses trucks or passenger vehicles the legislation only covers United States but because US is such a major consumer the vehicles that are made to serve the US market are also very similar vehicles to what's made for other countries so the black box is still in there we know that the vehicles the crash for example Saudi Arabia have the same black boxes because again you see the same headlines with the same data being pulled up and again as I mentioned there's integration for the airbag deployment yes good question yes one of the screenshots I had you could actually see a good sized capacitor on it trying to find the screenshot in a hurry so yes there is a large capacitor from what you've seen you'll give you about 12 seconds of data the collision data that I've had access to had lasted for maybe five seconds at least the important stuff thank you great thank you folks for coming