Look At What My Car Can Do
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40523 (DOI)
Transcript: English (auto-generated)
00:00
So what we're going to do, since you guys were so cool, we're going to kind of turn this into a drinking game. So Digi has brought some booze with him. We're going to kind of pass some of it out as much as we can. Every time I say the word um, you have to drink. And I say um a lot.
00:24
Do you want to just like pass them around? But you can just, alcohol kills all the germs. So whoever has it, you just keep passing. Whoever has it, when I say um, you have to drink.
00:42
Official invitation to Toastmasters. Oh. Thanks. Actually, I'll get with you later because I am interested in that. So my name is Tyler Cohen. This presentation is Look What My Car Can Do.
01:01
I want to give a special thanks to Ben, Joel, Mark, Rob, Peter, Zach, Matt, Kate, Maddie, and Charles. Now some of these people know that they helped me. Some of these people do not. So you'd be kind of surprised at how many people I asked if I could rip apart their cars and they said no.
01:24
Like it's for science, come on. So we had to come up with creative ways to get access to these cars. This car that I'm standing in front of is a Ford Fusion 2011. And in one of the photographs, there's a little hint from where that car came from.
01:42
If any of you guys can see the hint, pick up on it, and say where that car came from, Zach over here will buy you a beer. So just call it out when you see it. But it's in one of the photos. All right, so this is a disclaimer. Yes, I work for the Department of Defense.
02:04
This presentation reflects my own views and not any of those of my employer. Anything that I show in here or talk about potential things that you can do. I take no responsibility if you happen to void your warranties. I also unfortunately had to tailor my presentation
02:22
at the last minute. I didn't want to get fired or sued by Ford. So there are things that I'm not going to be able to say, but I can hint to them. So I'm going to give you an overview, just a quick introduction.
02:41
We're going to talk about the technology, avenues of exploitation, resources, and then the future. So also, I've had about 10 years of experience doing digital forensics.
03:00
I've worked for the Department of Defense Cybercrime Center, IBM, NASA. Everyone's like, what, you did forensics for NASA? What, were you like going after people from Uranus or something? Sorry, I think that was funny. It never gets old either. So that's what this presentation
03:21
is going to be geared toward. It's going to be geared toward a forensic analyst and what they can get from these cars. But also, as a user, you have to understand that there's information that you're putting out there on these cars that is giving away stuff about you. So cars are not just for transportation anymore.
03:41
They are now becoming entertainment centers, communication hubs. These vehicle systems now store and stream digital content, and they're used as communication mediums. So it's not like the old days where your car was just your car. This is now, in today's world, people want to be connected to their social networks.
04:02
They want to be able to find everything. They want access at their fingertips, and they should. I do too. So manufacturers are coming up with really innovative ways to market and sell vehicles. Emphasis has been on technology, integration, and safety.
04:23
And Ford has been leading the way since 2007 with the inclusion of the Microsoft Sync system in its vehicles. So I kind of look at Ford as what Apple did, how Apple reinvented the digital music players.
04:41
Ford is paving the way for cars. So their systems are much more advanced than any of the other systems. So what are the designers thinking when they're designing these cars? Obviously, they're concerned about safety. But aside from safety, Ford is really, really,
05:01
really concerned with digital rights management. Now, since they're using the Microsoft OS, we know that it's Microsoft DRM technology. Now, I bet you there's some of you in the audience who are experts at DRM vulnerabilities and cracking and know a bunch of research that applies to that.
05:22
But basically, what I'm saying is that the Microsoft DRM is vulnerable in ways, in any way that Microsoft DRM would be vulnerable, it's vulnerable in this capacity too, because it's using the same technology. Designers are also thinking about connectivity, user-to-user and car-to-car,
05:43
ease of use, you just want your stuff to work, and reliability. So what do I mean by connectivity? Cars are really concerned with users connecting to their user stuff. Your gadgets and their functions are being integrated
06:01
into your driving experience. So I want my content and I want it now. I want all my music that's stored in the cloud and I want to be able to access it wherever I am. I wanna be able to connect my phone and have it stream all of my information.
06:20
I wanna be able to use voice dialing. I want it all just there, I want it to be easy. And then you also want to be connected to your user environment. You wanna have your social applications available to you and you want your car to do it. My car, why shouldn't it give me the cheapest price of gas?
06:42
Why shouldn't it tell me happy hour specials? My brother Zach over here, he likes using social applications to look for hot chicks and dudes. He puts it up, the augmented reality, and he can see how far away a hot chick is from him and he can chat with her. He can say, yeah, I'm gonna check in
07:02
and I'm gonna check in with you and let's meet up. Why can't your car do that for you? Ease of use, your stuff should just work. I mean, most of us are pretty lazy. We just want our stuff to work. We buy it, we spend a lot of money.
07:20
There shouldn't be any issues. So the car companies are moving toward driving, not interfering with your social life and things just working. That means more automation, more integration and more interoperability. That's a tough word. Well, what? Yeah, exactly, exactly.
07:42
So what does that mean for us? Well, the more automation, what is that? That means the more vulnerabilities and more vectors of attack. So these are things that I want us to just kind of be keeping in our minds. Reliability again, things should just work. There have been some complaints with the Ford systems
08:01
that I've been reading on the forums and then from people who actually have these cars. There's complaints that the car entertainment system reboots while driving, which is kind of a problem. Actually, not all of it, as you're gonna see in a second, not all of it is.
08:22
Changing songs shouldn't take 15 seconds and stored data should be accurate. I know that you guys are all familiar with that story. I don't know if it's a true story or not, but woman was using her GPS data and it essentially told her to drive off a cliff so she did and she died.
08:42
I don't know if that's true or not, but basically, you want your data to be accurate, so stuff like that doesn't happen. All right, so what are users thinking? They're thinking we want safety, again, ease of use and connectivity. Something that they should be thinking about
09:00
is confidentiality of their data. There's a lot of data that I'm gonna show you is actually stored on these devices. They need to be thinking of, a friend could come into their car and get their data if they have devices set up for that. These devices have remote access now,
09:20
they have wireless on them, there's Bluetooth. Or a forensic analyst could come and take, get your data. So they really need to be cognizant of what's being put on there. So, you know, if there's photographs or things on there that you don't want to be found, just don't put them on there.
09:41
I mean, simple as that. What are hackers thinking? Well, what do hackers do? They make something do what it's not meant to do. So some things that have actually happened, some things that are going to be happening probably in the future, controlling the car remotely. So using the wireless, the communication system is connected
10:05
and that's been proven I believe at this conference and then there was a study, a school study where they've dealt with the tire pressure. It's been proven that these communication systems are connected to the car's onboard computer. So it is very possible to get a piece of malware,
10:22
get it in through the communication system on the car and then control the car. You can stop it, start it, really whatever you want to do. So hackers and hackers, good hackers, black, white hackers, they're both thinking about protecting or stealing personal data.
10:42
So again, there's a lot of data that you have on this device. You really have to think of these devices like a computer. Anything you wouldn't want to put on your computer, you don't want to put on your car. Side channel comms, these cars can be used as communication devices when speaking to other cars
11:01
and I'm gonna show you at the end of this presentation the IntelliDrive which is coming out in about five years and cars are broadcasting, Wi-Fi coordinates and essentially you can use this for communication. You can use the Bluetooth for communication, you can use the wireless for communication
11:22
and you can do these in such a way that your traffic is not necessarily going to be intercepted and I'll let you guys kind of ponder that one. Use these cars as peer-to-peer devices. Share your music, share your content.
11:43
Surveillance, I can get something in the car so that I can monitor the car, I can see where it's been. There's, so that's surveillance or again, just using it like Zach's gonna do to just find hot chicks.
12:01
It can also be used, these vehicles, for propagating viruses and malware. So my vehicle, get it vehicle for propagation because it's a vehicle. So you can use this car and this car can actually be a virus that is infecting other cars as I drive past it.
12:23
These are just potential things for the future but not that far off in the future. And then forensics, which is where I kind of come into this and that's where the rest of this presentation's gonna kind of go. Oh, and if anyone has any questions,
12:41
please just jump in. Um. So what is stored, what are stored on these devices? Now, these systems can store navigation data,
13:01
where you've been, where you're going, can save track data, save locations, previous destinations, which is a good thing too because you kind of have to, you have to find that mix between privacy and then usability. I personally like it saving my data because then that way I don't have to type it in because I never remember addresses
13:21
and it's just already there. Phone-related information, when you pair your phone up, it's going to save the Bluetooth MAC ID, pretty much most of the information on the phone. Your contacts, call logs, SMS messages, call history, saved numbers, that's gonna be maintained.
13:43
So hint, if you rent a car from like Enterprise, Hertz or whatever, and you pair up your phone, just make sure you delete the profile. It's not gonna be completely gone, but at least it'll make it a lot harder for someone to get your data. Music files, image files, the Ford Sync Generation One,
14:07
you can put 32 files, 32 photos on the car. User voice profiles. Information about the car, potentially, this is a kind of now, kind of in the future,
14:23
stats on how am I driving, do I speed, all that kind of good stuff. Previously connected USB devices, wireless access points, where you've been with the wireless, and then in the future, like I said, the driving habits.
14:41
And if anyone can think of more that I missed out, just let me know after, because there's a ton of data that's contained in those cars. Okay, so as a forensic examiner, why would I care about photos or songs? Well, these photos, oh sorry, by the way, Zach,
15:02
I raided your music collection, and you don't mind that I barred your Ace of Base, do you? All right, so you think that that's just an MP3 file of Ace of Base, it's not. It's stacked with Zach's ways to pick up hot chicks. Just a regular photograph.
15:22
By the way, is that the cutest dog you've ever seen in the world? Yeah, he is. Like his little mohawk, baby. So that's a stacked photo as well. So, or child porn images, malware, really anything that you wanna hide in there, because if you upload any one of these files,
15:43
whether it's stacked or you've manipulated it, as long as the header and footer are gonna match, the car's gonna accept it in, so you can use it as storage. All right, so these are two pictures of vehicles. They're embedded, fully integrated systems
16:02
with the vehicles. There's two different styles that I'm showing you right now in the first generation. The first is a Ford Fusion 2011 without the navigation system. So you can see it's just kinda got the little, the little teeny faceplate on the radio.
16:20
And then you've got the full navigation system. Now, the navigation system gives you the ability to store data. Without the navigation system, the only way you have the ability to store data is on the flash ROM chip in the sync module, which I'm gonna get to a little bit later. But that's kinda what they look like.
16:40
That's, I think, a Ford Edge 2011. Yes. Oh, no, no, no, no, no, it's much more subtle and it's later in the presentation. But you know this free beer means you have to sit and talk with Zach for a while, but maybe he'll go over his rules of finding hot chicks.
17:07
So the first generation, Ford started doing this in 2007, and the first generation is to 2011-ish, maybe 2012-ish, because some cars still have this, some cars are moving on to the second generation.
17:22
Now, there are two separate components. Yes, that's, there is that potential,
17:44
but that's coming up in the end of the presentation. That's gen two. So this is still the gen one. But, so it has separate components on the head unit. So you have a, well, I'll get deeper into that.
18:02
It's got storage, it's got a hard drive in it. The second generation, some of the 2011s already have it, but it's really gonna be the 2012s and 13s and up. It's a single integrated unit. So the sync module and the nav system are all going to be in one.
18:21
And the storage, some of them will still have hard drives but they're moving away from hard drives as storage. They're going to have a SD card that has a software lock on it and external USB storage and streaming for your data. So they're moving away from them having the integrated mass storage.
18:43
Both of these generations are updatable through USB, which is gonna be important later. All right, so the first generation, which is what you probably see on the road right now, the sync module, the operating system is Microsoft Automotive
19:03
and it's a Windows CE-based operating system. Data is stored in this module, this chip, which I'm gonna show you a picture of later. You can get all the phone-related information, music indexes, user voice profiles. And then there's a couple of other little stuff
19:21
that's gonna be in there too that could be relevant or might not be relevant too. But it's stored in this NAND flash chip. The head unit, which is the nav system, it contains, it's got the operating system, it's Clarion VxWorks. And the way that we first found out
19:41
that there were two different operating systems on the nav and on the sync module, we took the sync module out of the car and the navigation system still worked. And we're like, huh. So that's kind of, that was a hint for us that there were two different operating systems. It's got a 40-gigabyte PATA hard drive
20:00
with a TPM-style protection on it. Data stored, you can get music files, photos, navigation data. So this is the inside of the sync module. You can see where the little arrow's pointing. That's the Samsung NAND flash.
20:21
Now, when you open these up, it doesn't mean that in every car you're gonna have a Samsung NAND flash. It could be a different manufacturer. It just kind of depends on where that car was built. But it's gonna be in roughly the same place and it's gonna work the same way. So again, this is gonna contain
20:41
the Microsoft operating system, paired, previously paired Bluetooth information, contacts, call logs, SMS messages, phone history, saved numbers. So it is of relevance if you're a forensic examiner. If you're trying to hide the data, it's also of relevance because you don't want it to be accessed.
21:00
So you wanna, again, delete the profile or wipe it or whatever. Now, I don't know how many of you guys have done a lot of work with doing forensics on NAND flash but it's not fun. So what you have to do is, there's a few ways you can do it. As you saw, there's a spare USB port on this device
21:21
that you could try to acquire the NAND flash from. We actually didn't do that, so I don't know. There's also the JTAG ports right over here, kind of at the bottom, you can see them. We also didn't do that.
21:40
What we did was we, not what we did, because we didn't do anything necessarily, remember, hint, hint, but what could be done is you could take the chip, you could remove it, put it in this flash pack device, stick it in one of the sockets that it fits,
22:01
and what's gonna happen is it's gonna spit out a binary file. And for those of you who have done any forensics on the NAND flash, it's kind of a pain because the way that it works is you have the wear leveling, which is gonna be different for each chip manufacturer, but you can still figure it out.
22:20
So for this one, you have every sector on the flash can be written over only 10,000 times. So what's gonna happen is you're not gonna have consecutive sectors. And there's gonna be, I always forget if it's a 4K chunk or if it's a 16K chunk that has a numbering sequence.
22:42
So it's numbered, a chunk right in front of each sector that tells you where that sector goes. So what you have to do is you have to get this binary file out of this thing and you have to manually remove those chunks that tell you the number of where each chunk is, reorder them, and then you can pop it
23:01
into any forensic tool. It'll just be a regular raw DD image file. So that's how you have to do it. Maybe it sounds complicated to you, maybe for some of you it doesn't, but it's really not that difficult. It sounds a lot worse than it is, so it is doable. So removing the sync module.
23:21
I had a lot of other pictures. I mean, we just tore these cars apart. And this one, actually, I got permission. My good friend, Ben, who I wish he was here, when I asked him if I could tear apart his car, he not only said, yeah, of course, he said, I'll help you. So he did. And this is a Ford Edge 2010. The Ford Sync Module is located behind the center console.
23:44
Really easy to get to. It's just held in place with clips. And then there's four screws and you just remove it. And then you take the face plate off and then you have access to what I saw. Oh, one thing, quickly, with this, when you pop out the chip to do the analysis on it,
24:02
you're probably not gonna get it back in. Just saying. You will void the warranty and unless you're a pro with a soldering iron, you're not getting it back in. Sorry, Ben.
24:22
So this is the head unit. This is the front of it. It's got, again, the 40 gig PATA hard drive. This would happen to be a Hitachi EnduraStar. That doesn't necessarily mean that you'll have a Hitachi if you were to get one out or if you were to buy the car. I think they just kinda use whatever they have in batches.
24:43
This is gonna contain, because it's generation one, navigation data, track data, breadcrumbs, saved locations, previous destinations, and all your music files, which as we know could be Steg files. So acquiring the head unit.
25:01
So I'm gonna go over a couple of techniques that will probably work. Hint, hint, hint. All right, so we removed the head unit. That's kinda what it looked like. There's also a picture that Ben wouldn't let me use
25:21
of Ben standing there with almost a heart attack on his face that I ripped his car apart. And that's the back. You can kinda see on the second one where the hard drive was. You just pull it out. It's really easy to get the hard drive. Although I gotta tell you, when you take the car apart, it's a lot easier to take apart again
25:42
than it is to put back together. So any of you who are forensic analysts, you see this, you see that the drive's connected to a write blocker and I've got it into some forensic tool. Yeah, that's not gonna work. Now why is that not gonna work? Because Ford is really concerned
26:01
with digital rights management and protecting music being imported to the hard drive. So they've implemented this TPM lock style protection where the hard drive is essentially looking for a serial number on a module in the head unit,
26:20
so in the chassis. So without that, it's locked and it's really difficult to get around that, but it is doable. So for example, if the hard drive gets corrupt or breaks, Ford's just gonna replace the entire chassis. They're not gonna get stuff off your hard drive.
26:40
They're not gonna fix it for you. They're just gonna give you a whole new head unit with a new drive. So you can't take this hard drive and put it in another unit and have it work. It just won't, well, without some manipulation. So ways to get around this, Clarion maintains a master password
27:02
that will help you unlock this device. If you can get to Clarion and you're nice to them and not necessarily lie, but tell them what you're interested in doing, they might give you that master password. Just saying.
27:22
But if you're not nice, what you've gotta do is you've gotta find a way to get around the TPM-style lock. And how do you do that the easiest way? You just keep the car running. You keep power to the vehicle and then it's not gonna be an issue. So there's a hardware component that is in creation
27:41
that what it does is it connects the head unit, the hard drive, and the laptop. So you can actually image this device. You can see in that map. It's a middleware component that keeps power to the car. So the car's still going. So you can just image it like you would normally image a drive.
28:01
And that's probably the easiest way to do it. Now, my favorite way to do this, and you might wanna look at these pictures because they're interesting. Hint, hint. Maybe, why do you say that?
28:24
Yeah, where's it from? Enterprise, yeah. You have no idea how hard it is to go to Enterprise and actually request a specific car. They don't do it. I mean, it took a lot of social engineering to just be nice and friendly and say,
28:42
you know, I really am trying to buy this car but I wanna test it first, you know. And the woman was so nice. She kept the car for me, hid the key in the fridge so no one else would get that car. And it was nice, I appreciated that. I actually thanked her in the beginning. So, this is a way that actually is probably
29:01
might be your easiest bet. This is exploiting the update process. So, you go to the Ford website, you update the latest file and you put it on your USB stick and then you stick it in the car and you go through this update process that you can see that we're doing right here.
29:23
And it's a cab file. Now, if you were able to get some code into this cab file and still make it readable as a cab file, you would be able to put software on the device that would allow you to exfil a drive
29:43
through Bluetooth or through the wireless. So, I don't wanna call it malware because it's not necessarily malware because the purpose of it is different. All right, it's malware, whatever. Whatever, you know what? Sorry, DOD, it's malware.
30:02
You can exploit this update process, customize this cab file, put your malware on there that will then allow you to exploit the Bluetooth and use it to image your file and that way you're getting around the TPM lock. Now, this way is kinda cool too. There's a guy in Florida, kind of a bit of a hermit,
30:25
ecostal.com, and what he's done is he's created some hardware that you put on the back. It puts the system into a CAN diagnostic mode and what he does is he flashes the radio with predefined options.
30:40
So again, you could use this method, you could flash the radio with these predefined options and some of those options you put on are again, malware that allow you to access the car. And I'm saying this because this is what a forensic analyst would do, but keep in mind that these are also things that someone with not so good intentions
31:01
could do as well. So they could put stuff, so they could constantly get access to your car. I don't know, we haven't tried that.
31:22
It could be something worth trying. So the second generation. So the second generation's gonna be a little bit different. It's gonna be a single integrated component. So the Microsoft Sync chip is going to be in the head unit
31:42
and they're getting away from the Clarion VxWorks and the operating system for the nav unit and for the chip is going to be Microsoft Office and again, Windows CE based. So again, exploits that were gonna work against Windows CE might work against this as well.
32:00
They're moving away from having a hard drive. They're moving toward having all of their storage be an external USB drive or an SD card. And the SD card has a software lock protection on it. I haven't been able to get one yet, but I'm going to get one and play around with that.
32:23
How come no one's drinking? I just said, oh, come on. So they have a full suite of wireless products. You can turn your car into a wireless hotspot. You can connect to any wireless network that you want. Again, that information's gonna be stored in the chip.
32:42
So that's information that you can get access to as well. Yeah, drink. How come no one's a drink? Someone drank. Saw you drink, all right. All right, so this is the second generation
33:02
2012 Ford Explorer with the second generation system. And I thought that I was being a master social engineer here. I thought I was being so smart. So we dress up, we go to the Ford dealer, and I start asking them all kinds of questions, pretending like I'm gonna buy the car,
33:21
and ask if I can take pictures of stuff so that I could show you guys what's gonna be there. And I should have known that the true social engineer masters are car salesmen, because if my husband hadn't been there with me, I would have walked out with that car and an $800 car payment,
33:42
because my car is still in the lease. Yeah, I hate, they're like, what can I do to get you in this car today? And I've got stars, I'm like, anything. Yeah, that was, but that car is really nice, really nice. So again, this includes the SD card in the center console.
34:04
You can see it, this is the Ford Explorer 2012. Or is this the F-150 Explorer, okay. It's got two USB ports. Oh, that's important to note too. The USB ports are not connected to the head unit, the hard drive. So you can stream stuff from it,
34:23
but you can't use them as points of doing a forensic acquisition. And this is important to note too, the only way that you can get information onto the hard drive, the photos, currently is through the CD. But then again, using some of these methods
34:42
that I spoke about are ways of cracking that so that you can get your music on there through Bluetooth, through wireless. If you put that piece of malware on there using those other methods.
35:02
It is. Yeah, it is. Can you say that louder? It is. Ford has attempted to firewall it off. But, and I'm saying, Ford is really leading this.
35:23
They've really thought of a lot of things, but GM hasn't, Dodge hasn't. And as pretty much everyone in this audience knows, you can find ways to get around a firewall, but at least they're making an effort. So you can see on this SD card case,
35:42
this contains the maps. It says on there, this card is write protected. It can't be used in any other system. So that just kind of shows you also it's software protected. But then I had my boy like, there is no information about this stuff on the internet. There just really isn't.
36:01
So we had to do a lot of work. And Ford, Ford dealers know nothing about this because they ship out the systems to Clarion or to some other radio manufacturer. And they just bring it back. Like no one fixes them. So I had to work my way through Ford dealer
36:23
to a radio manufacturer to Clarion and to Ford finally, Ford engineer. So there wasn't a lot of information out there. So anyway, so this is the plastic case that comes with it, it's your maps. I think you can see that when the card is not in,
36:43
the navigation system will just not work. So you have no access to your nav data. And since this is an all in one component, you need that SD card in there. So I think one of these is a SD card fault. You need to insert it. And then the other one says it's now enabled so it can work.
37:04
This is kind of an okay picture. I mean, the guy was like standing over me, like telling me all the options on the car. So I'm like sitting here drooling while Matt's like trying to lean over me to like take photos. So this is just showing you what it looks like, the second generation. The wireless and internet is what I was most interested in.
37:24
So you see, you've got your Wi-Fi settings, USB mobile broadband, Bluetooth, and then the prioritize connection methods. So you have a lot of options here. Oh, it even has a nice little map
37:41
that kind of shows you what you can do too. And then here, this is just to show you the wireless options. You can go to Starbucks and get on their network. And I don't know, I mean, I guess this really means you could really, really do more driving because you're in your car and you're driving.
38:00
Hey, I think I'm funny, yeah. So again, I haven't done a ton with the wireless, but I will tell you that most of the wireless hacks that you've seen at this conference that you know about, that you've researched about, they're gonna work here. So again, what my concern is is I saw this CSI episode,
38:21
which is the way they did it wasn't accurate, but what they said kind of was that they had a hacker who wirelessly got into a car and he was able to make the car drive to some location that a guy ended up getting murdered at or something crazy like that.
38:40
But there are ways to get in wirelessly to the car and eventually control the car, as these young gentlemen will probably be talking about later today at three. So just kind of be thinking about that. So what's the future? So future integration.
39:01
One thing that I'm kind of interested and I'm sure is gonna happen is what I had mentioned before, using your car itself as a virus, whether you send the virus out over a wireless Bluetooth or this new IntelliDrive that I'm gonna show you or various other methods. I mean, it's kind of cool, but it's kind of scary too.
39:23
I mean, you could set up some kind of hotspot and have someone drive by and their car just shuts down. And using the car as a communication channel. Say I, 10 minutes, wow, all right. Say I had something that I had to talk to Matt about
39:42
and I didn't want for Zane to be able to read it. So I use my car and his car and we communicate on a protocol that Zane might not be looking for. And obviously that's not something you'd really use it for. You broaden your mind, like think about it in covert channels, ways that you need to hide your data.
40:05
So I'm gonna show you this video because it's damn cool. And this is showing you the future of this IntelliDrive. And while you're watching it, think about the possibilities and the potentials for this technology, using it as a communication device, surveillance,
40:25
sending out viruses or just saving lives, which is what it was meant to do. Back now at 7:45 with remarkable new technology designed to keep you safer behind the wheel. CNBC's Phil LeBeau is at RFK Stadium in Washington, DC
40:40
with an exclusive first look at something that could prevent thousands of potentially deadly collisions. Good morning to you, Phil. Good morning, Meredith. Imagine your car could talk to any other car or truck on the road and warn you if you were about to crash into each other. It's called IntelliDrive and it may sound like something out of the Jetsons, but it's closer than you think to becoming reality.
41:05
It happens every six seconds in the US. Car crashes, head-on, side impact or rear-end collisions. More than 5 million in 2009,
41:22
killing almost 34,000 and injuring 2 million more. A group of major automakers, including Ford, GM and Toyota are developing a technology called IntelliDrive that will allow cars to communicate with each other and warn drivers when they're about to crash.
41:40
We feel that the IntelliDrive program fully implemented can save up to 80% of traffic accidents for non-impaired drivers. Here's how it works. Using GPS transmitters and Wi-Fi, cars constantly send out signals with their location and speed. So a driver about to be broadsided at an intersection
42:00
would be warned to hit the brakes and avoid a collision. We want it to be like a vigilant co-pilot that they have with them all the time. We tested the technology with engineers from Ford, first at a blind intersection. Looks like it's safe for me to go, so at this point I'm gonna decelerate. Whoa, not a good idea.
42:21
And attempting to change lanes. With this system, it warns you if you're gonna lane change into another car. So here's an example. And right there, the system warns me that in the lane right next to me, there was a car that I would have hit. With technology that helps prevent rollovers and drifting across lanes,
42:42
cars are already doing some of the thinking for you. And Google is testing a car that does the driving for you. It's possible that someday cars will drive themselves like the space vehicles on the Jetsons. Hey, looks like I'm opening up ahead. Until that day, IntelliDrive
43:01
will make a big impact on safety. I think this has huge potential, a huge potential to reduce crashes on our freeways. And save lives. And save lives, which is really the ultimate goal. So when might we see IntelliDrive in all new cars and trucks? Well, maybe five or six years down the road.
43:21
It'll take the federal government some time to make the rules and mandate everything for the automakers. But make no mistake, Meredith, talking cars are coming and it could save thousands of lives. Yeah, I love the idea. Phil LeBeau, thank you so much. All right, thank you, Meredith.
43:41
So you can see where that's going and I hope that your gears are turning. We're probably gonna be presenting this at the DOD Cybercrime Conference. Maybe I might submit for ShmooCon, I don't know. But I think at those conferences, we'll be able to release the tool
44:01
that we were talking about through the update file that will actually enable you to get the Bluetooth back and hopefully demo it. If there's enough room to bring one of the cars in, I might try to do that too. So, does anyone have any questions?
44:33
Will you say that louder? Oh, he wanted to know if you could go get
44:43
one of the pineapples and use it against cars. The answer is yes. And any other questions?
45:05
It's the operating system is on top of the chip. So there's firmware that's the chip manufacturer that's gonna be in there, but then there's also the Microsoft that does have the firmware on there. Yes?
45:53
Not in the exact way, but yes, every car is affected. Every car that has these systems is affected. Hey, before you guys leave, wait, stop.
46:01
Which one of you guys was the one who picked out that that was an Enterprise car and gets to have Zach buy you a drink? Who was that? It was you? Oh, come on up to the front then. My time?
46:21
Three minutes, all right, any other questions? All right, thank you.