Warning! This is how cars are hacked. Just like in Mr Robot.

Captions
(upbeat suspenseful music)
- [Occupy The Web] And by jamming it, the signal is never received by the vehicle, and the car never locks. What he's doing is that he is sniffing the CAN network. Some of these simple attacks that we're gonna be showing today still work against Honda cars.
- And you know that just by research, right?
- [Occupy The Web] Exactly.
(upbeat bass theme music)
- Hey everyone, David Bombal, back with Occupy The Web. If you haven't seen our previous videos, he's once again the author of this book, "Linux Basics for Hackers", a fantastic book from No Starch. He's also got this book, and he's busy working on some new books. Occupy The Web, welcome.
- [Occupy The Web] Thank you, David, it's good to be back.
- This is sort of our third episode talking about "Mr. Robot" hacks. What have you got for us today?
- [Occupy The Web] There's an episode, I think it's season one, episode four. They go ahead and hack into a vehicle before they go to Steel Mountain. They're planning this trip to Steel Mountain, to be able to get that Raspberry Pi inside of the facility to turn up the temperature, to degrade the tapes, so that E Corp can't restore their data after they've basically encrypted all their data.
- Sure you don't wanna just blow it up?
- [Occupy The Web] But to get there, they don't have a car. They live in New York City, so they have no car. So they've got to steal a car, and let's put a caveat in here right now. This is for educational purposes only. I'm not encouraging illegal activity. This is all for educational and research purposes. And we're gonna look at multiple ways of stealing a vehicle like they did in the episode. And we're gonna look a little bit at how to do research into car hacking. And basically what we're doing is we're combining, in essence, two of the classes that I teach. One of 'em is software defined radio for hackers, and car hacking, both of those courses coming up.
I got the software defined radio hacking course coming up in mid-August, and the car hacking course coming up in October. So we're gonna take elements of both of those courses.
- I see cars are becoming more and more like computers. I don't think manufacturers have always thought about what they're doing, or haven't put security in. So I'm glad that you're highlighting this, because it wasn't so easy in the old days to steal a car using software, but now it is, so I'm glad that you're doing this.
- [Occupy The Web] Yeah, it's obvious that the car manufacturers were not thinking about security when they first designed these. Some of these simple attacks that we're gonna be showing today still work against Honda cars up to 2020. Whereas some of the other manufacturers have gone to more secure systems. What we're gonna be doing here is probably the attack that Mobley and Romero used on their vehicle. Let's start off by talking a little bit about software defined radio. Software defined radio, I think, is one of the cutting edge fields of cyber security, one that people really aren't paying attention to. And if you think about it, so many things in our society are run by radio signals. And we're seeing, for instance, right now in the war in Ukraine, that they're using drones as a way to spy, and reconnaissance for sending rockets, and missiles, and what have you. Of course, those drones are all run by radio signals. And now both sides are in there trying to hack and jam the radio signals from these drones. Your wifi is a radio signal, right? We all know it runs at two and a half gigahertz and five gigahertz. Your phone is sending off a Bluetooth signal. It's sending off an NFC signal. There's so many different radio signals that are controlling our lives, and all, not all of 'em, but many of 'em are relatively easy to hack. In the past, radio signals all had to have separate hardware. All your radios, you had the separate hardware for different purposes.
But now we can pick up these signals, and transmit signals, with a very inexpensive receiver/transmitter, and then use the computer to be able to manipulate those signals. So what I'm gonna start off with first is the really inexpensive one, the RTL-SDR. This is a little device that you can buy on Amazon, and it's basically a receiver.
- And you just plug that by USB into your laptop, right?
- [Occupy The Web] Exactly. So I just plug it into my laptop, all right. And it's a receiver, it works pretty good, especially if your interest is in trying to receive signals. I'm gonna open it up with an application here. This is HDSDR, it's a Windows application. The reason I'm using it is because it's pretty easy to work with for a beginner. This is the waterfall down here, and we have all of the signal, see these spikes here. There's a spike here, and I've got it centered on 315, 315 megahertz. The reason I have it centered there is because that's where the key fobs that the car manufacturers make, that's where they operate in the US and Japan. In Europe, I think they use 433.9, but I'm in the US, I'm using a US/Japanese key fob. So it's gonna be probably in the 315 megahertz range. Well, one of the things that's important to note is that whenever you work in radio signals, any device that is using a part of the radio spectrum has to be registered with the FCC. So if you have a question about what frequency the device is using, all you have to do is look at the back of the device, and it'll have an FCC number on it. Look it up, it'll tell you exactly what frequency it's operating at. I know that these operate at 315, so what I'm gonna do, I'm gonna go ahead and hit the lock and unlock on my key fob, watch what happens right here around 315. See that spike right there?
- Yep.
- [Occupy The Web] And you see it right here. That's the signal from my key fob. I'll do it again. There it is, that's the signal to unlock my door. See it's centered right on it, right.
Looks like it's 315.05, you see it right there?
- Yep.
- [Occupy The Web] 315. So, and now we know what frequency it's operating on. What they did in the show: they're sitting on a porch step in New York City, and a woman is leaving her minivan on the street, and she locks it with her key fob remotely. There's a number of different strategies for being able to unlock this vehicle. One of 'em that they may have done, it works in some cases, is you can simply jam that signal. So somebody goes ahead and pushes the key fob to lock the door, like I did here. You see I've done it three times, right there, you can see them passing by. I can jam it, and by jamming it, the signal is never received by the vehicle, and the car never locks. The weakness of that strategy is that people often will listen for that beep, that little beep that says the car is locked. But some people don't, some people are just careless, and they push the button and they keep going. I'm gonna show you first of all how to jam the signal. And then also, what we can do is to actually capture the signal and then replay it. Radio transmitters all have, essentially, a password in each of 'em. Those passwords are all different. So as they make a key fob, they put different passwords in. Just basically a set of numbers, right? They don't change the password each time it's transmitted. If I can capture the signal, then I can store it and replay it. This is probably what they did in "Mr. Robot". This strategy will work on Honda cars up to 2020. About 2014, the big luxury car manufacturers got a clue. So the Mercedes, and the BMWs, and the Lexus, and a few others got a clue. And they started putting in what's called a rolling code, so that the password changes each time. And that can be broken as well, but it's just harder to do. For older vehicles, okay, those before 2014, and especially those that are in the first decade of the 21st century, or older, especially on the luxury cars.
So if you've got an old Mercedes sitting around, it's a good test vehicle to test out this strategy. One of the things that, going back to the Ukraine war, is that we found that in many cases, the Russians have not been encrypting the radio communication. So we've been able, the Ukrainians have, to pick up these signals, because they're just sending over the airwaves, and you can just pick 'em up and listen in to 'em. But you can listen in to all kinds of signals with this inexpensive device on your computer. So you can listen in to, say, the communication between airport control towers and planes. You can pick up the signals that the aircraft give off. You can pick up the signals that, say, boats and ships give off. All of these vehicles give off a radio signal for geolocation. We did the geolocation of the yachts of the Russian oligarchs. The way we were able to do that is because all those ships give off a signal. They all have to give off a signal. Some of 'em now have turned it, but legally, they have to give off this radio signal. In the very large ships, they'll give off a GPS signal and they'll give off an ADS signal as well. So you got both of these signals that you can just simply listen in on, and use them for geolocation. So lots of things that you can do with just a receiver. The whole kit is about 35. That includes an antenna, what have you. Antennas are pretty important, so we can't ignore that. And we'll talk more about antenna technology and theory in the SDR course, because when you're starting to talk about trying to receive very weak signals, or trying to jam signals, you have to have just the right kind of antenna to be able to do that effectively. But in our case here, that's beyond the scope of what we're talking about here. What we're trying to do here now is we're simply gonna try to jam the signal. And we're gonna try to capture and replay the signal. Both of which may be effective at being able to get into this car.
To be able to do that, we need a different device. This right here, this $20 device, is great at receiving, but it cannot transmit. To transmit, you need a device that can transmit. And the cheapest good one is the HackRF One, and it runs about $320. I'm gonna go switch over to a different piece of software and a different piece of hardware.
- I've put links below to the software and the devices. So if you wanna use the Amazon links, please note that those are affiliate links. So if you wanna support the channel, you can buy using those links if you like.
- [Occupy The Web] So what I have here now is a virtual machine of an operating system called DragonOS. And it's relatively new. It's specifically designed for SDR, that's all it does. I mean, it can do anything, right? It's a Linux operating system, but the beauty of it is that the developers have built much of the software that you need to do SDR, software defined radio, into a single operating system. I should point out that there's a lot of software in this field. Probably the most commonly used piece of software in the field is SDR#. There's also Universal Radio Hacker, which is good as well. And of course, in the Linux environment, there's Gqrx, which we'll be using here in a little bit. And I'm not gonna recommend one over the other. They're all free, which is also really nice. Now what we need to do is we're gonna take that and connect our SDR device. So what we're gonna do is we're gonna use a piece of software that's built into DragonOS. And DragonOS has so much good software in it, otherwise you'd be spending all your time downloading different pieces of software. So what we're gonna do is we're gonna use a piece of software that we can use to be able to do this. It's osmocom_siggen_nogui, the signal generator without a GUI, all right, and then just do a -h. This is gonna just show us the help screen on it. Lots of good stuff, but what we're gonna do is we're gonna use it for generating a jamming signal.
Now, we have to be close to the car. In "Mr. Robot", they're sitting on a step on the street next to the car, they can even see the car in the background, so they're really close to the vehicle. Because one of the things, if you're jamming signals, is you have to have a stronger signal than the one that's being sent. One of the options also is to go out and purchase an amplifier. If you purchase an amplifier, you can send the stronger signals. Most of these inexpensive devices don't send out a very strong signal. If you're really gonna jam, you probably want to use an amplifier. The device that they're using in the show, by the way, there was a company who sells those devices. And they run $10,000 to $15,000 each, right?
- Oh, wow, yeah.
- [Occupy The Web] Yeah, there's a company, kind of an undercover company, who sells 'em online for $10,000 to $15,000 each. But essentially, what we're doing is doing the same thing, but with your laptop and a $300 device, right? So notice here there's a Gaussian output, generate Gaussian random output. That's what we're gonna be doing. Probably the best analogy is this is like a DoS attack against a radio signal. Basically throwing out random garbage at the signal to block it from ever being received by the receiver. So there's a transmitter, which is the key fob. And it's sending a signal to a receiver in the vehicle, but if something blocks it, it's never gonna get to the vehicle. And it could be a physical block, or it can actually be another radio signal blocking it. So it's gonna be up arrow, and then we gotta tell it what device we're using. -a hackrf is what we're using in this case. What the frequency is, -f, 315 megahertz. And then we're gonna send out a Gaussian signal, which is just a random signal. And then -x is gonna be the bandwidth, 2e6. What's the Y is the wave form you see here. And we're gonna select 10, and verbose, -v is for verbose. Keep our fingers crossed, and pray to the hacking gods that this works.
And we're gonna go out and just send out a Gaussian signal to try to be able to jam. So it goes here, and says, "Built in sink types using HackRF." Supporting sample type, setting up the antennas, its center frequency at 350 megahertz using frequency. Okay, "Press enter to quit", so it's running right now. It set the bandwidth modulation to Gaussian noise. So my HackRF right now is sending out just a bunch of noise to try to block signals. Those of you who are into physical security, I guess it's also cyber security, probably recognize that in some cases, certainly in the US it's true, that when a major political figure is speaking, the security around them jams all signals. So they jam all the signals around a prime minister, president, what have you. And those devices are for sale, but you can only buy 'em if you're law enforcement. I guess you actually can buy them. You can buy them, but you can't use them. (laughs) So you can buy them, but you can't use them. It's illegal to use them, I think they're still for sale. Essentially, what we've done is we've done what the Secret Service, or whatever the particular security service is, does around every major political figure when they're speaking in public, is they jam the signals around them. Why is that? Well, because those signals can be used to, say, trigger a bomb. As we all know, many times these IEDs, as they were used in Afghanistan, and Iraq, and other places, are triggered by a radio signal. So what they'll do is they'll block all the radio signals in the area of the political figure. So that's essentially what we've just done, is we have blocked the radio signals in our immediate vicinity so that none of them can transmit. Hopefully it's not blocking my wifi, because wifi is a radio signal, right? And one of the things that we teach in the SDR class is how to block wifi.
You can actually use an SDR device to basically DoS a wifi connection by simply doing what we're doing right here, except doing it at 2.5 gigahertz, right? So here, what we're doing is we're set up next to a vehicle, maybe with an amplifier, and we're sending out a very, hopefully, strong signal. That's just a bunch of noise to block the fob from connecting to the car. Now, if the individual doesn't know that the car didn't get locked, they're walking away, they're going into the home, and the car never gets locked. They push the button, but the car never locked. So now our friends, Romero and Mobley, can walk in and they'll be inside the car. Now, that doesn't mean they're actually gonna be able to start it. Although many of these key fobs now have remote start. That is the next step. This is only going to keep them from locking the door. It's not gonna start the car.
- So how did you know which interface to? Is there a command that shows you, like you can do iwconfig to see a wifi adapter, or do you just need to know that's what it is when you connect it?
- [Occupy The Web] That's a good question. I'm not sure that there is a command yet in. I mean, one of the things you could do is do lsusb. Here's my Great Scott Gadgets HackRF, it just shows me all of the USB devices connected to this system. I don't know that there is yet a, there might be, if anybody knows, let me know, but I don't know of a command that's gonna show you just the SDR devices. In this case, this will show me all of the USB connected devices. And this is the one I'm using, and the reason that I'm using this, okay, just so it's clear, it's probably the least expensive and effective SDR device. Now you can spend several thousand dollars on SDR devices, right, you can spend a lot of money on them. There's some really high end devices. The drawback to this one device, the HackRF, is that it's only half duplex. And so that's a drawback to it.
If you wanna send and receive simultaneously, the HackRF is not gonna work for you. So in our case here, we don't wanna send and receive. We're just basically, in this case, sending. But if you had to send and receive, you're probably gonna have to move into a more expensive device. Also, the advantage of the HackRF is that, one, it can send and receive, but also, that it covers a much broader range of the spectrum than, say, the RTL-SDR, it'll go up to six gigahertz. I've got 'em on the website Hackers-Arise, I've got a comparison of all the SDR devices there. And you can look at the various specifications, and the prices for them. But this is the one that we're gonna be using in class. It's inexpensive, relatively inexpensive. I know $300 is a lot for some folks, but when we're talking about SDR, and you're talking about being able to do the things that we can do with this device, it's really a small investment, especially when you start comparing it to the high end devices that run three, five, $10,000. Now, for just listening, the RTL-SDR is great.
- Okay, we used it to be able to identify where the key fob was transmitting. And that's how you got your 315e6, right?
- [Occupy The Web] Exactly.
- Like the -x 2e6, -y 10, that kind of stuff you just have to learn. It's like the wave form, you just have to know that. Is that right, is that something you can just learn by taking your class, or documentation, or something?
- [Occupy The Web] From documentation, taking the class, either one, or both, right? And so the Y is the wave form. So here we got the X and the Y are the wave forms, the wave form frequency, and this one works pretty well for these key fob signals. Now, so that's simply jamming signals, and jamming signals can be useful. I mean, you might think of it as just like a DoS attack, a DoS attack is a very simple attack.
What you're doing is you're simply just throwing out random stuff into the airwaves to be able to block a signal from being able to communicate. All right, let's look then at an attack against what's called a replay attack. There's man in the middle attacks we can do in TCP/IP. Wifi attacks that allow for replay attacks. So what we're gonna be doing is very similar. What we're gonna do is capture the signal, and then be able to replay it. There's a lot of different ways to do this. There's much software we could be using. Since we're using the HackRF, and we're using DragonOS, it's pretty simple to do. If you're using some of the other software, basically what you have to do is record and then send. And once again, it requires an SDR device that's capable of transmitting. So if you're using the HackRF, we can just use a command line. Most of the other software is all kind of GUI-based, but HackRF has some nice command line tools that make it straightforward and simple. All right, to be able to do this attack, so we can go transfer. Okay, hackrf_transfer, -s, and then the bandwidth comes first. And then the frequency, 315500000. And then we'll call this... Oh, we'll call it Mr. Robot. (chuckles) So what it's doing is going ahead and capturing the signal at that frequency. I'm gonna stop it. So this is the command right here to capture what's going on at that frequency. This is the frequency that our key fob is working at. So once we've captured it, then we can go ahead and send it out. And that's what we're gonna be doing next.
- Does it say "Caught signal 2"? That's where you pressed the button, is that right?
- [Occupy The Web] Yeah, that's where I did a Control-C. It says right here, "Stop with Control-C."
- Did you actually press your button on your key fob and then capture it?
- [Occupy The Web] I didn't, I'm just showing the process.
- Okay, great. Okay, great, yeah. Okay, yes, yeah, no worries, no worries.
- [Occupy The Web] Really, I could do it. Let's do it that, I'll do it that way. So let's go here, and let's go ahead and send the key fob out. And so it's capturing my key fob now, okay. I'm sending out the signal, Control-C to stop it. And then now that I've captured it, it's pretty simple. I can just go -s, and then the bandwidth we wanna send it out on, the frequency, 315500000. And the file's gonna be Mr. Robot dash A1, and then we're going to send it out to transfer with 24. Okay, it's sent it out. And if the car was close enough, it would've opened the door. And of course, assuming that the vehicle is vulnerable to a replay attack, these are gonna be on older vehicles, and including Honda made vehicles to about 2020. If you're close enough to capture the signal, and then replay the signal in a vehicle that doesn't change the passcode, then you've opened the vehicle. On more modern vehicles, more secure vehicles, they've gone ahead and made it a little harder to do, but it can still be done. So what they've now done is they put in a rolling code. So the password changes each time the user clicks on the key fob. And the way that that can be broken is that you have to first jam the first signal, 'cause it sends two signals. Jam the first signal, capture it, and then when the user goes ahead and sends the next time, the next click through, the next signal, capture that. Those two signals together, you can go ahead and determine the algorithm that's generating the numbers, and then go ahead and essentially do a replay attack. It's a little more complicated, it takes a little social engineering, because imagine that if you were the person, and the first time you clicked and you didn't hear the door open, you had to click again. So what you've now done is you've clicked it twice and your car still hasn't opened, maybe three times. You might start to wonder, but this is probably the best approach to be able to get into more secure vehicles with the rolling code.
I recently was testing another car, and I'm not gonna tell you what it is. (both laugh) I was testing another car, and it's sending out spread spectrum, which to me seems like the most secure technology. But I'm surprised that not everybody's using it. That's gonna be a little more difficult to be able to hack, but it still can be done, it's just a little more difficult. It's a whole thing of this chess game between security and hackers. The hackers develop a method to break a security, and then the manufacturers come up with a better security, and then they come up with a better way of hacking it, and they come up with better security. So right now it looks to me like spread spectrum, which I haven't seen anybody else write about yet online. I may be the only one doing research in that field right now, I don't know, I don't know if anybody else is. But spread spectrum appears to be state of the art in terms of security. The BMWs and the Mercedes are all using this rolling code, which can be broken, okay, by basically jamming and then capturing the signal. We'll give Samy Kamkar a shout out there, because he's the one who figured that one out. That technology is now being built into some of the new devices, hacking devices for hacking cars. Okay, so that's how to get in the door. (laughs) Or maybe you can start the vehicle too. If they have an auto start, you can capture the remote start and be able to send it out. On many of these vehicles, the signal between remote start and door opening are very similar. Sometimes all you gotta do is flip a couple bits in the signal, and you can start the vehicle as well. In "Mr. Robot", after they get inside the vehicle, of course the vehicle's not running. We see Mobley opening up his laptop, and he connects the laptop directly into the OBD-II connector. The OBD-II connector, I'll show you a picture of it, is the connector that's under the dashboard, where, say, your mechanic will connect into the network.
That's what it looks like under your dashboard. So your mechanic will go ahead, or you can too, connect into this with a device. You can buy 'em in an auto parts store for about 50, a hundred bucks. And what it does is it connects into the network of the vehicle and it'll read the codes. So if, for instance, your check engine light is on, and you gotta go pay somebody to go find out, you can buy these devices for 50 bucks to plug into the OBD-II connector under your dashboard. And it'll tell you what's wrong with your car. It's not always the end of the world. I mean, oftentimes those lights will come on just because the sensors fail. But in any case, this is the OBD-II connector. That's what they're connecting to under the dashboard. Okay, so this is what he's using, 9.24. All he's doing is connecting his laptop to the OBD-II connector. And you can also get 'em that have wifi and Bluetooth, so you don't necessarily have to use a wire, and that allows you to do it remotely. But then once you're connected into the car's network, then all things are possible, okay. We talked earlier, in one of the earlier videos, about SCADA hacking, and the SCADA networks are very similar to the car networks. They're different than what we're accustomed to using in terms of TCP/IP and Ethernet. They're generally serial, they're lightweight. There's no authentication, okay, there's no encryption. Once you're inside the vehicle, then everything's available to you once you plug into the network. Now, some vehicles actually are using wifi to connect their network from different devices. And so you may not even have to connect to the OBD-II connector. You might be able to connect right into the wifi, and be able to do what we're gonna do next. All right, so what we're doing is I'm gonna show you a little bit of car hacking research. Let's go to my Kali here. There's a number of tools that you need to acquire to be able to do any research in car hacking.
And most of these tools came out of research at Volkswagen. Volkswagen's kind of been one of the leaders in security research. Although their vehicles are almost as susceptible as everybody else's. They've put together some good tools to analyze. So what we need are a number of tools that are called the SocketCAN or CAN utilities, and we gotta go ahead and download those. Let's go sudo apt install can-utils. CAN is the name of the type of network that is inside of vehicles, right? So these are the CAN utilities, or SocketCAN as it's often referred to. And these are simply utilities for working in the car network. Tells me it's already been installed, imagine that. Okay.
- You're prepared as always, yep.
- Now, if we've plugged into the car's OBD-II connector like Mobley has, that's all basically we need to do. But in our case we're not connected, we're some distance from a vehicle. So what we're gonna do is we're gonna run a simulator. And those of you who are into car hacking may be familiar with Craig Smith, who wrote a book from No Starch Press called, I think it was called "Car Hacking". Good book, it's a little bit dated, but he still has some good stuff in there. He put together a simulator here. He teaches classes on car hacking. What we're gonna do is we're going to go ahead and grab it, as I said, from GitHub. And it's a great little tool for being able to learn how to hack cars. So it's gonna be sudo git clone https. You can go ahead and do your research, and learn about the CAN network without having to connect to a car. You can see it's coming up there on the screen. He goes by zombieCraig, zombieCraig, and it's gonna be the ICSim. I use this in my classes to teach people how to hack cars. It already exists and it's not an empty directory. There you go, you've got the URL to be able to download it yourself. Then you want to go ahead and go into that directory. Whoop, cd ICSim, we're in that, we can go ls -l. You can see there's a setup for the vcan right there.
So we gotta run that setup. I've already run it, I'm not gonna go ahead and run it again. There's a couple things in there. We have the controls, we have data, we have the ICSim. So what we need to do is to simply go and run our ICSim, and the vcan0, which is basically a CAN protocol interface. So basically, we've created an interface that can talk to the CAN protocol. That's what this setup vcan does right here. So now we're gonna go ahead and start the simulator. Open Garages is Craig Smith's organization. Then go ahead and start the controls.
- It's great to have this though. 'Cause it means you can practice without having to have a car, yeah, brilliant.
- If you've ever done this sitting in your car, trying to work. (laughs) It makes it difficult to have classes, remote classes, and it's not always the most comfortable place to be sitting with your computer. So Craig put this together, and it works pretty good. Now, there have been some issues with setting this up. Some of the make files just don't work with some of the newer versions of Linux. So when I run class, I'm gonna be using an older version. This particular speedometer here, I can get the speed. I can get this thing to accelerate, and do everything it's supposed to do, but it doesn't show up on the speedometer. There's something that isn't quite connected there, but I've got most of the other issues worked out with it. Let's see, newer controls. I gotta go to the right directory, cd ICSim. Then we can go and run the controls. He's got it set up so it'll run off a game controller or your keyboard, and here's the game controller. So it runs off your keyboard as well, use up arrow or right shift to do the doors. And then the last step is we've got to open up the CAN sniffer, cansniffer. Now, what this is is very similar to Wireshark, but it's for the CAN protocol.
So what I'm doing here is simply saying cansniffer, I'm invoking the CAN sniffer, I'm starting it, I'm executing the CAN sniffer, and I'm telling it to use color, that's what the -c is for. And then I gotta tell it what interface to be able to sniff on, vcan0, and then run it. You'll see this on the screen, on his computer in "Mr. Robot". What he's doing is that he is sniffing the CAN network. These are all the commands that are going across the network. The idea here, if you're doing research in car hacking, is that you want to identify what command does what. One of the key issues in doing research on vehicles, there's little standardization. The CAN protocol is standardized, but the commands are not. If you know the command to, say, start the vehicle in one vehicle, it may not work in another vehicle. That's one of the issues that you're gonna face. I think the vehicle in "Mr. Robot" is a, it's a Chrysler minivan. I kind of watched it up close, and zoomed in to see what it was. It's an older Chrysler minivan. So to be able to start the vehicle, they're gonna have to know what the command is, and then be able to essentially do a replay attack. So you capture, and then replay, very similar to what we do with opening the door, right? We've got these commands. Each one of these is a command with data attached to it. We can go ahead and capture a command as it goes across, and then replay it on the same network. And let me do that for you next. We've got this vehicle running in the background, we've got a sniffer running here. Now, what we can do is that we can capture this traffic into a file, candump -c -l vcan0. So we're sniffing on that interface. Now what we're gonna do is that we're going to be able to grab that traffic and put it into a file. And you see it's creating this file right here. I'm gonna go ahead and Control-C. Now what I can do is go more, and let's take the name of this file, and I can view it. There it is.
In doing research, what I would want to do, is I would want to go ahead now and discover the commands that are going to control, say, the doors or the ignition. And I can do that by executing, say, speed up the vehicle, or slow down the vehicle, or open the doors, close the doors. By watching this traffic, I can determine what command is doing what. Once I know that I can identify, say that I've gone ahead and determined that... I've determined that, say, command 116. Okay, 161, I think is what it is on this particular simulator, actually accelerates the vehicle. Let's go ahead and search for that command, see if there are any. So I'll do more, and then I'm gonna go ahead and grep, and I'm gonna grep for 161. The command to be able to accelerate this vehicle is this one right here.

- And you know that just by research, right?

- [Occupy The Web] Well, I've done it from research, exactly, it's kind of a tedious process, right? What you gotta do is you gotta accelerate the vehicle, watch the traffic, and keep on. So rather than doing that on screen, I've already done the work. So this is the command and the data that will accelerate the vehicle. So what I can do then, okay, is go ahead and just send that command with CAN send. So basically this is a replay attack, that's what it is. I've just captured the data, and then I'm gonna go CAN send. And then this is gonna be over VCAN0, 161. It's just gonna be this command right here? So I could just copy and paste it, right, this right here. By tedious research of watching, accelerating the vehicle, slowing it down, I was able to identify what command accelerates the vehicle. I'm looking for what opens the doors. Opening the doors is not gonna be that interesting because we're already inside the vehicle. What we want to do is to be able to speed it up, slow it down, what have you. And maybe you can do this remotely as well. So let's go ahead and send it on that network.
So what we've done is gone ahead and sent an accelerate command into the network to speed up the vehicle. So that's kinda what automobile hacking research is like. It's kind of a tedious process. Once again, we don't have to authenticate ourselves. There's no encryption going on. Once we're inside and connected to the network of the vehicle, we can actually get inside and view all of the traffic. Think of this as a Wireshark inside the network of the vehicle.

- How realistic is the "Mr. Robot" hack where they open the doors, and then start the vehicle and drive off?

- [Occupy The Web] The way I assess it is that they probably did a replay attack. Given that they're really close. You notice that the woman who's closing the doors is close by.

- Yeah.

- And they could intercept, and do a replay attack, and open the door. The part that is more difficult to believe is being able to start the vehicle with the laptop. Because like I was saying here, is you gotta do your research to be able to determine what the command is. Now, maybe before they did this, they've got exactly that vehicle, and they've figured out what that command is, which you could do in a couple hours, right. Maybe less, but you'd have to have the same vehicle. Because even the same manufacturers use different commands in different vehicles. Given that you know that, then you could've gone right into the vehicle and pushed the button just like I did there, and said CAN send, right, and started the vehicle. That's the part that's a little... That stretches credulity. Is that they went into a vehicle that they never saw before. Apparently, maybe they did, I don't know. And they were able to start it with a laptop. That's unlikely, unless they've done the research, or somebody else has done the research, and put it up on the internet, and they just download it. There's not a whole lot of research online about car hacking. As you mentioned, Alissa Knight has done a book, and has done some research.
Craig Smith has done some, and there's a number of others, but there's not that much information out there. Metasploit has now built car hacking into Metasploit, but they don't have many exploits in there. I'll just show you what they have. But the important point is that they've built in the capabilities of being able to hack cars into Metasploit.

- That might come later, right?

- [Occupy The Web] Well, they put it in, I think it's 2018. They built the capability in 2018, and Craig Smith has written that part. And I was hopeful in 2018 there was gonna be more coming. Apparently there's not that much interest in car hacking, unfortunately. But we can go in here and see, I think they call it hardware hacking. Let's go hardware, search hardware. Yeah, I can see the scan the CAN bus for diagnostic modules. Okay, here's identify the modules. These are post-exploitation modules. Once again, there's a hardware bridge you need to go ahead and put in. So to be able to hack the vehicle, you've gotta basically simulate a serial connection in your laptop, that's the first step. You gotta put in a simulated serial connection, and then be able to connect Metasploit to that serial connection. And then you can go ahead and use some of these exploits. There's not a whole lot. Here's a Mazda 2 instrument cluster accelerometer mover. So it's gonna change the accelerometer. There's another one that's overheating a vehicle, I think. Here's an ECU hard reset under automotive. Maybe we should just do a better search, just look at automotive. But yeah, they put it under hardware hacking. Here we go, there's seven modules here. Here's a flood of the CAN. This is a new one, I don't think I've seen this one before. Maybe I just missed it. This is pyrotechnic devices, the airbags, battery clamps, basically looks like it's gonna start a fire in the vehicle. (David laughs)

- Wow.

- [Occupy The Web] Notice that they're post, 'cause they're assuming that you've exploited the network already.
Some diagnostics, the entertainment control unit, hard reset, here's the Mazda IC mover, here's the CAN probe. Here's the Malibu overheat, and then identify modules. So I think that Craig Smith has written all of these. Maybe I'll write some in the future, and put 'em into Metasploit, we'll see. So I think it gives us a good idea of what they were doing.

- Whenever we get you on for a presentation like this, if you like, or a demo like this, it's amazing how much you know. Thank you for sharing your knowledge with all of us. Thanks for doing all these videos and sharing.

- [Occupy The Web] Oh, of course, I enjoy doing this. So I'm ready and willing to come back whenever, David.

- Please put below what you want us to cover. We've discussed some ideas, and one of them is like hacking an Android phone. I think the FBI StingRay type thing.

- [Occupy The Web] We were talking about doing, in season one, Elliot goes ahead and hacks the Android phone on one of the drug dealers who are in his house, and it's on a local area network. He connects to Elliot's wifi network, and Elliot then is able to hack his phone, and get all the information out. That's a lot easier to do than being able to hack a phone remotely that's on a cellular network. So we'll do that one, and then we'll also talk about how to create a femto cell, which is essentially a mini cell tower that you can intercept all the cellular communication when people connect to it. There's a hack that Elliot does, and his team does, where they actually blow up the buildings. Elliot has some regrets about his involvement, and basically crashing the global economy. But his team still goes ahead with this hack of the buildings that store all the hard data, okay, the hard copies of the data. And to keep Evil Corp from being able to restore that data, they blow up the buildings. And they blow up the buildings by manipulating the uninterruptible power supplies. Now, that is a really common hack, and very doable.
That's the same route, by the way, that the Russians used to hack the electrical grid of Ukraine in 2014, they got in through the APCs. Now, we think of APCs as simply a battery, right, but it's a little computer in there. And so you can hack that, and there was just a brand new vulnerability found in those things just a month ago. It's very doable, that hack against the Evil Corp, where they blew up the buildings, we'll do that one too.

- We've kind of mentioned it, but just to reiterate, you do the SDR stuff, you do a lot of this car hacking stuff as part of your courses, right?

- [Occupy The Web] I do, I have the SDR class coming up in August. Car hacking coming up in October.

- Brilliant, so I'll put links to those below. So if you wanna sign up for the courses, then do that. You're closing registration on some of the options, is that right?

- [Occupy The Web] Yeah, we've had so many people sign up for the monthly program that we've gotta close it down for right now. We may reopen it again, but right now we've just got too many students in that program.

- Occupy The Web, thanks so much, and we look forward to having you back again.

- [Occupy The Web] Thanks David, good being here. See you all again soon. (upbeat bass music)
Info
Channel: David Bombal
Views: 633,877
Keywords: mr robot, sdr, car jacking, car hacking movies, car hacking device, car hacking village, car hacking app, car hacking tutorial, car hacking defcon, car hacking tools, software defined radio explained, software defined radio hacking, software defined radio with hackrf, software defined radio (sdr), software defined radio, rtl sdr, sdr radio, car hack, replay attack, great scott gadgets, rtl sdr hacking, rtl sdr v3, rtl sdr dongle, rtl sdr linux
Id: 5LvqU3-iINk
Length: 43min 41sec (2621 seconds)
Published: Sun Aug 21 2022