(upbeat suspenseful music) - [Occupy The Web] And by jamming it, the signal is never
received by the vehicle, and the car never locks. What he's doing is that he
is sniffing the CAN network. Some of these simple attacks that we're gonna be
showing today still work against Honda cars. - And you know that
just by research, right? - [Occupy The Web] Exactly. (upbeat bass theme music) - Hey everyone, David Bombal,
back with Occupy The Web. If you haven't seen our previous videos, he's once again the author of this book, "Linux Basics For Hackers", a fantastic book from No Starch. He's also got this book, and he's busy working on some new books. Occupy The Web, welcome. - [Occupy The Web] Thank you,
David, it's good to be back. - This is our sort of our
third episode talking about "Mr. Robot" hacks, what
have you got for us today? - [Occupy The Web] There's a episode, I think it's season one, episode four. They go ahead and hack into a vehicle before they go to Steel Mountain. They're planning this
trip to Steel Mountain, to be able to get that
raspberry pie inside of the facility to turn
up the temperature, to degrade the tapes. So that E Corp can't restore their data after they've basically
encrypted all their data. - Sure you don't wanna just blow it up? - [Occupy The Web] But to get
there, they don't have a car. They live in New York
City, so they have no car. So they've got to steal a car, and let's put a caveat in here right now. This is for educational purposes only. I'm not encouraging illegal activity. This is all for educational
and research purposes. And we're gonna look at multiple
ways of stealing a vehicle like they did in the episode. And we're gonna do look a little bit of how to do research into car hacking. And basically what we're
doing is we're combining, in essence, two of the
classes that I teach. One of 'em is software
defined radio for hackers, and car hacking, both of
those courses coming up. I got the software defined
radio hacking course coming up in mid-August, and the car
hacking course coming up in October. So we're gonna take elements
of both of those courses. - I see cars are becoming
more and more like computers. I don't think manufacturers
have always thought about what they're doing,
or haven't put security in. So I'm glad that you're highlighting this because it wasn't so easy in the old days to steal a car using
software, but now it is, so I'm glad that you're doing this. - [Occupy The Web] Yeah, it's obvious that the car
manufacturers were not thinking about security when they
first designed these. Some of these simple attacks that we're gonna be
showing today still work against Honda cars up to 2020. Whereas, some of the other
manufacturers have gone to more secure systems. What we're gonna be doing
here is probably the attack that Mobley and Romero
used on their vehicle. Let's start off by talking a little bit about software defined radio. Software defined radio, I think is one of the cutting edge fields of cyber security. One that people really
aren't paying attention to. And if you think about it, so many things in our society
are run by radio signals. And we're seeing, for instance, right now in the war in Ukraine, that they're using drones as a way to spy, and reconnaissance for
sending rockets, and missiles, and what have you. Of course, those drones are
all run by radio signals. And now both sides are
in there trying to hack and jam the radio signals
from these drones. Your wifi is a radio signal, right? We all know it runs at
two and a half gigahertz and five gigahertz. Your phone is sending
off a Bluetooth signal. It's sending off an NFC signal. There's so many different radio signals that are controlling our
lives, and all, not all of 'em, but many of 'em are
relatively easy to hack. In the past, radio signals all had to
have separate hardware. All your radios, you had
the separate hardware for different purposes. But now we can pick up these
signals, and transmit signals with very inexpensive
receiver transmitter, and then use the computer to be able to manipulate those signals. So what I'm gonna start off with first is the really inexpensive, the RTL-SDR. This is a little device
that you can buy on Amazon, and it's basically a receiver. - And you just plug that by
USB into your laptop, right? - [Occupy The Web] Exactly. So I just plug it into
my laptop, all right. And it's a receiver, it works pretty good. Especially if your interest is
in trying to receive signals. I'm gonna open it up
with an application here. This is HDSDR, it's a windows application. The reason I'm using it is because it's pretty easy
to work with for a beginner. This is the waterfall down here, and we have all of the
signal, see these spikes here. There's a spike here, and
I've got it centered on 315, 315 megahertz. The reason I have it centered there is because that's where the key fobs that the car manufacturers make. That's where they operate
in the US and Japan. In Europe, I think they use 433.9, but I'm in the US, I'm using
a US, Japanese key fob. So it's gonna be probably
in the 315 megahertz range. Well, one of the things
that's important to note is that whenever you
work in radio signals, any device that is using a
part of the radio spectrum has to be registered with the FCC. So if you have a question about what frequency the device is using, all you have to do is look
at the back of the device, and it'll have an FCC number on it. Look it up, it'll tell you exactly what frequency it's operating at. I know that these operate at
315, so what I'm gonna do, I'm gonna go ahead and
hit the lock and unlock on my key fob, watch what
happens right here around 315. See that spike right there? - Yep. - [Occupy The Web] And
you see it right here. That's the signal from my
key fob, I'll do it again, There it is, that's the
signal to unlock my door. See it's centered right on it, right. Looks like it's 315.05,
you see it right there? - Yep. - [Occupy The Web] 315. So, and now we know what
frequency its operating on. What they did in the show. They're sitting on a porch
step in New York City, and a woman is leaving
her minivan on the street, and she locks it with
her key fob remotely. There's a number of different strategies for being able to unlock this vehicle. One of 'em that they may have
done, it works in some cases. Is you can simply jam that signal. So somebody goes ahead
and pushes the key fob to lock the door, like I did here. You see I've done it three times, right there, you can see them passing by. I can jam it, and by jamming it, the signal is never
received by the vehicle, and the car never locks. The weakness of that strategy is that people often will
listen for that beep, that little beep that
says the car is locked. But some people don't,
some people just careless, and they push the button
and they keep going. I'm gonna show you first of
all how to jam the signal. And then also, what we can
do is to actually capture the signal and then replay it. Radio transmitters all have, essentially, a password in each of 'em. Those passwords are all different. So as they make a key fob,
they put different passwords. Just basically a set of numbers, right? They don't change the password
each time it's transmitted. If I can capture the signal, then I can store it and replay it. This is probably what
they did in "Mr. Robot". This strategy will work
on Honda cars up to 2020. About 2014, the big luxury
car manufacturers got a clue. So the Mercedes, and
the BMWs, and the Lexus, and a few others got a clue. And they started putting in
what's called a rolling code, so that the password changes each time. And that can be broken as well,
but it's just harder to do. For older vehicles,
okay, those before 2014, and especially those that
are in the first decade of the 21st century, or older, especially on the luxury cars. So you've got an old
Mercedes sitting around, it's a good test vehicle
to test out this strategy. One of the things that, going
back to the Ukraine war, is that we found that in many cases, that the Russians have not been encrypting the radio communication. So we've been able, the Ukrainians have, to pick up these signals, because they're just
sending over the airwaves, and you can just pick 'em
up and listen into 'em. But you can listen into
all kinds of signals with this inexpensive
device on your computer. So you can listen into,
say the communication between airport control towers and planes. You can pick up the signals
that the aircraft give off. You can pick up the signals that, say, boats and ships give off. All of these vehicles give off a radio signal for geolocation. We did the geolocation of the yachts of the Russian oligarchs. The way we were able to do that is because all those
ships give off a signal. They all have to give off a signal. Some of 'em now have
turned it, but legally, they have to give off this radio signal. In the very large ships,
they'll give off a GPS signal and they'll give off
an ADS signal as well. So you got both of these
signals that can be, you can just simply listen in on, and use them for geolocation. So lots of things that you
can do with just a receiver. The whole kit is about 35. That includes an antenna, what have you. Antennas are pretty important,
so we can't ignore that. And we'll talk about more
about antenna technology and theory in the SDR course, because when you're starting
to talk about trying to receive very weak signals,
or trying to jam signals, you have to just the right kind of antenna to be able to do that effectively. But in our case here, that's beyond the scope of
what we're talking about here. What we're trying to do here now, is we're simply gonna
try to jam the signal. And we're gonna try to
capture and replay the signal. Both of which may be effective at being able to get into this car. To be able to do that, we
need a different device. This right here, this $20
device is great at receiving, but it cannot transmit. To transmit, you need a
device that can transmit. And the cheapest good
one is the HackRF One, and it runs about $320. I'm gonna go switch over to
a different piece of software and a different piece of hardware. - I've put links below to
the software and the devices. So if you wanna use the Amazon links, please note that there
are affiliate links. So if you wanna support the channel, you can buy using those links if you like. - [Occupy The Web] So what I have here now is a virtual machine of a
operating system called Dragon. And it's relatively new. It's specifically designed
for SDR, that's all it does. I mean, it can do anything, right? It's a Linux operating system, but the beauty of it is that
the developers have built much of the software
that you need to do SDR, software defined radio, into
a single operating system. I should point out that
there's a lot of software in this field. Probably the most commonly
used piece of software in the field is SDR sharp. There's also a Universal Radio Hacker, which is good as well. And of course, in the Linux
environment, there's GQRX, which we'll be using here in a little bit. And I'm not gonna recommend
one over the other. They're all free, which
is also really nice. Now what we need to do,
is we're gonna take that and connect our SDR device. So what we're gonna do is we're gonna use a piece of software that's
built into Dragon OS. And DragonOS has so much
good software in it, otherwise you'd be spending all your time downloading
different pieces of software. So what we're gonna do is we're gonna use a piece of software that
we can use to be able to. It's osmocom, siggen, signal generator. With nogui, all right,
and then just do a dash H. This is gonna just show
us the help screen on it. Lots of good stuff, but
what we're gonna do, is we're gonna use it for
generating a jamming signal. Now, we have to be close to the car. In "Mr. Robot", you're sitting on a step on the street next to the car, they can even see the
car in the background, so they're really close to the vehicle. Because one of the things
if you're jamming signals, is you have to have a stronger signal than the one that's being sent. One of the options also is to go out and purchase an amplifier. If you purchase an amplifier, you can send the stronger signals. Most of these inexpensive
devices don't send out a very strong signal. If you're really gonna jam, you probably want to use an amplifier. The device that they're using
in the show, by the way, there was a company who
sells those devices. And they run 10 to $15,000 each, right? - Oh, wow, yeah. - [Occupy The Web]
Yeah, there's a company, kind of an undercover
company who sells 'em online for 10 to $15,000 each. But essentially, what we're
doing is doing the same thing, but with your laptop and
a $300 device, right? So notice here there's a Gaussian output, generate Gaussian random output. That's what we're gonna be doing. Probably the best analogy
is this is like a DoS attack against a radio signal. Basically throwing out
random garbage at the signal to block it from ever being
received by the receiver. So there's a transmitter,
which is the key fob. And it's sending a signal to
a receiver in the vehicle, but if something blocks it, it's never gonna get to the vehicle. And it could be a physical block, or it can actually be another
radio signal blocking it. So it's gonna be up arrow, and then we gotta tell it
what device we're using. Dash A, HackRF is what
we're using in this case. What the frequency is,
dash F, 315 megahertz. And then we're gonna send
out a Gaussian signal, which is just a random signal. And then dash X is gonna
be the bandwidth, 2EX. What's the Y is the
wave form you see here. And we we're gonna select 10
and verbose, V is for verbose. Keep our fingers crossed, and pray to the hacking
guards that this works. And we're gonna go out and
just send out a Gaussian signal to try to be able to jam. So it goes here, and says, "Built in sink types using HackRF." Supporting sample type,
setting up the antennas, Its center frequency at 350
megahertz using frequency. Okay, "Press enter to quit",
so it's running right now. It set the bandwidth
modulation to Gaussian noise. So my HackRF right now is
sending out just a bunch of noise to try to block signals. Those of you who are
into physical security, I guess it's also cyber security, probably recognize that in some cases, certainly in the US it's true, that when a major political
figure is speaking, the security around them jams all signals. So they jam all the signals
around a prime minister, president, what have you. And those devices are for sale, but you can only buy 'em
if you're law enforcement. I guess you actually can buy them. You can buy them, but you
can't use them. (laughs) So you can buy them,
but you can't use them. It's illegal to use them, I
think they're still for sale. Essentially, what we've done is we've done what the secret service or whatever the particular
security service does around every major political figure when they're speaking in public, is they jam the signals around them. Why is that, well, because
those signals can be used to, say, trigger a bomb. As we all know that
many times, these IUDs, as they were used in
Afghanistan, and Iraq, and other places, are
triggered by a radio signal. So what they'll do is they'll
block all the radio signals in the area of the political figure. So that's essentially
what we've just done, is we have blocked the radio signals in our immediate vicinity so
that none of them can transmit. Hopefully it's not blocking my wifi, because wifi is a radio signal, right? And one of the things that
we teach in the SDR class is how to block wifi. You can actually use an SDR device to basically DoS a wifi connection by simply doing what
we're doing right here, except doing it at 2.5 gigahertz, right? So here, what we're doing is we're set up next to a vehicle,
maybe with an amplifier, and we're sending out a very,
hopefully, strong signal. That's just a bunch of noise to block the fob from
connecting to the car. Now, if the individual doesn't know that the car didn't get locked, they're walking away,
they're going into the home, and the car never get locked. They push the button,
but the car never locked. So now our friends, Romero and Mobley, can walk in and they'll be inside the car. Now, that doesn't mean they're actually gonna
be able to start it. Although many of these key
fobs now have remote start. That is the next step. This is only going to keep
them from locking the door. It's not gonna start the car. - So how did you know which interface to? Is there a command that shows you, like you can do IW config
to see a wifi adapter, or do you just need to
know that's what it is when you connect it? - [Occupy The Web] That's a good question. I'm not sure that there
is a command yet in. I mean, one of the things
you could do is do LSUSB. Here's my Great Scott Gadgets HackRF, it just shows me all of
the USB devices connected to this system. I don't know that there
is yet a, there might be, if anybody knows or let me know, but I don't know of a command that's gonna show you
just the SDR devices. In this case, this will show me all of the USB connected devices. And this is the one I'm using, and the reason that I'm using this, okay, just so it's clear, it's probably the least expensive
and effective SDR device. Now you can spend several thousand dollars on SDR devices, right, you can
spend a lot of money on them. There's some really high end devices. The drawback to this
one device, the HackRF, is that it's only half duplex. And so that's a drawback to it. If you wanna send and
receive simultaneously, the HackRF is not gonna work for you. So in our case here, we don't
wanna go send and receive. We're just basically,
in this case, sending. But if you had to send and receive, you're probably gonna have to move into a more expensive device. Also, the advantage of
the HackRF is that, one, it can send and receive, but also, that it covers a much
broader range of the spectrum then, say, the RTL-SDR,
it'll go up to six gigahertz. I've got 'em on the website Hackers Arise, I've got a comparison of
all the SDR devices there. And you can look at the
various specifications, and the prices for them. But this is the one that
we're gonna be using in class. It's inexpensive, relatively inexpensive. I know $300 is a lot for some folks, but when we're talking about SDR, and you're talking about
being able to do the things that we can do with this device, it's really a small investment, especially when you start comparing it to the high end devices that
running three, five, $10,000. Now, for just listening,
the RTL-SDR is great. Okay, we used it to be able to identify where the key fob was transmitting. And that's how you got your 3150E6, right? - [Occupy The Web] Exactly. - Like the X2, E6, Y10, that kind of stuff you just have to learn. It's like the wave form,
you just have to know that. Is that right, is that
something you can just learn by taking your class, or
documentation, or something? - [Occupy The Web] From
documentation, taking the class, either one, or both, right? And so the Y is the wave form. So here we got the X and
the Y are the wave forms, the wave form frequency, and this one works pretty well
for these key fob signals. Now, so that's simply jamming signals, and jamming signals can be useful. I mean, you might think of
it as just like a DoS attack, a DoS attack is a very simple attack. What you're doing is you're simply just
throwing out random stuff into the airwaves to be
able to block a signal from being able to communicate. All right, let's look at then an attack against what's called a replay attack. There's man in the middle
attacks we can do in TCP/IP. Wifi attacks that allow
for replay attacks. So what we're gonna be
doing is very similar. What we're gonna do is capture the signal, and then be able to replay it. There's a lot of
different ways to do this. There's been much software we're using. Since we're using the HackRF,
and we're using a DragonOS, it's pretty simple to do. If you're using some
of the other software, basically what you have to
do is record and then send. And once again, it requires a SDR device that's capable of transmitting. So if you're using the HackRF, and we can just use a command line, most of the other software devices are all kind of gooey base, But HackRF has some
nice command line tools that make it straightforward and simple. All right, to be able to do this attack, so we can go transfer. Okay, HackRF transfer, dash S, and then the bandwidth comes first. And then the frequency, 315500000. And then we'll call this... Oh, we'll call it Mr. Robot. (chuckles) So what it's going ahead,
and it's capturing the signal at that frequency, I'm gonna stop it. So this is the command
right here to capture what's going on at that frequency. This is the frequency that
our key fob is working at. So once we've captured it, then we can go ahead and send it out. And that's what we're gonna be doing next. - Does it say caught signal two? That's where you pressed
the button, is that right? - [Occupy The Web] Yeah,
that's where I did a control C. It says right here,
"Stop with a control C." - Did you actually press
your button on your key fob and then capture it? - [Occupy The Web] I didn't, I'm just showing the process.
- Okay, great. Okay, great, yeah. Okay, yes, yeah, no worries, no worries. - [Occupy The Web] Really, I could do it. Let's do it that, I'll do it that way. So let's go here, and let's go ahead and
send the key fob out. And so it's capturing
my key fob now, okay. I'm sending out the signal,
control C to stop it. And then now that I captured
it, it's pretty simple. I can just go dash S, and then the bandwidth
we wanna send it out on, the frequency, 315500000. And the file's gonna be Mr. Robot dash A1, and then we're going to send
it out to transfer with 24. Okay, its sent it out. And if the car was close enough, it would've opened the door. And of course, assuming that
the vehicle is vulnerable to a replay attack, these are
gonna be on older vehicles, and including Honda made
vehicles to about 2020. If you're close enough
to capture the signal, and then replay the signal in a vehicle that doesn't change the passcode, then you've opened the vehicle. On more modern vehicle,
more secure vehicles, They've gone ahead and made
it a little harder to do, but it can still be done. So what they've now done is
they put in a rolling code. So the password changes each time the user clicks on the key fob. And the way that that can be broken, is that you have to first
jam the first signal, 'cause it sends two signals. Jam the first signal, capture it, and then when the user goes ahead and sets the next time,
the next click through, the next signal, capture that. Those two signals together, you can go ahead and
determine the algorithm that's generating the numbers, and then go ahead and
essentially do a replay attack. It's a little more complicated, it takes a little social engineering, because imagine that
if you were the person, and your first time you clicked and you didn't hear the door open, you had to click again. So what you've now gone
is you've clicked it twice and your car still hasn't
opened, maybe three times. You might start to wonder, but this is probably the best approach to be able to get into
more secure vehicles with the rolling code. I recently was testing another car, and I'm not gonna tell you what it is. (both laugh) I was testing another car, and it's sending out spread spectrum, which to me seems like the
most secure technology. But I'm surprised that
not everybody's using it. That's gonna be a little more
difficult to be able to hack, but it still can be done, it's
just a little more difficult. It's a whole thing of this chess game between security and hackers. The hackers develop a
method to break a security, and then the manufacturers
come up with a better security, and then they come up with
a better way of hacking it, and they come up better security. So right now it looks to
me like spread spectrum, which I haven't seen anybody
else write about yet online. I may be the only one doing research in that field right now, I don't know, I don't know if anybody else is. But spread spectrum appears
to be state of the art in terms of security. The BMWs and the Mercedes are
all using this rolling code, which can be broken, okay. By basically jamming and
then capturing the signal. We'll give Sammy Kamkar a shout out there, because he's the one who
figured that one out. That technology is now being built into some of the new devices, hacking devices for hacking cars. Okay, so that's how to
get in the door. (laughs) Or maybe you can start the vehicle too. If they have an auto start, you
can capture the remote start and be able to send it out. On many of these vehicles, the
signal between remote start and door opening are very similar. Sometimes all you gotta
do is flip a couple bits in the signal, and you can
start the vehicle as well. in "Mr. Robot", after they
get inside the vehicle, of course the vehicle's not running. We see Mobley opening up his laptop, and he connects the laptop directly into the ODB2 connector. ODB2 connector, I'll
show you a picture of it, is the connector that's
under the dashboard, where, say, your mechanic
will connect into the network. That's what it looks like
under your dashboard. So your mechanic will go
ahead, or you can too, connect into this with a device. You can buy 'em in an auto parts store for about 50, a hundred bucks. And what it does is it connects into the network of the vehicle
and we'll read the codes. So if, for instance, if your
check engine light is on, and you gotta go pay
somebody to go find out, you can buy these devices for 50 bucks to plug into the ODB2
connector under your dashboard. And it'll tell you what's
wrong with your car. It's not always the end of the world. I mean, oftentimes those
lights will come on just because the sensors fail. But any case, this is the ODB2 connector. That's what they're connecting
to under the dashboard. Okay, so this is what he's using, 9.24. All he's doing is connecting his laptop to the ODB2 connector. And you can also get 'em
that have wifi and Bluetooth, so you don't have to
necessarily use a wire, and that allows you to do it remotely. But then once you're connected
into the car's network, then all things are possible, okay. We talked earlier, one
of the earlier videos, about SCADA hacking, and the SCADA networks are very
similar to the car networks. They're different than what
we're accustomed to using in terms of TCP/IP and ethernet. They're generally serial,
they're lightweight. There's no authentication,
okay, there's no encryption. Once you're inside the vehicle, then everything's available to you once you plug into the network. Now, some vehicles actually are using wifi to connect their network
from different devices. And so you may not even have to connect to the ODB2 connector. You might be able to
connect right into the wifi, and be able to do what
we're gonna do next. All right, so what we're doing is I'm gonna show you a little
bit of car hacking research. Let's go to my Kali here. There's a number of tools
that you need to acquire to be able to do any
research in car hacking. And most of these tools came
out of research at Volkswagen. Volkswagen's kind of
been one of the leaders in security research. Although their vehicles
are almost as susceptible as everybody else's. They've put together some
good tools to analyze. So what we need are a number of tools that are called the
SocketCAN or CAN utilities, and we gotta go ahead and download those. Let's go sudo apt install CAN utils. CAN is the name of the type of network that are inside of vehicles, right? So this is a CAN utilities or
SocketCAN often referred to. And these are simply utilities for working in the car network. Tells me it's already been
installed, imagine that. Okay. - You're prepared as always, yep. - Now, if we've plugged
into the car ODB2 connector like Mobley has, that's all
basically we need to do. But in our case we're not connected, we're some distance from a vehicle. So what we're gonna do is
we're gonna run a simulator. And those of you who are into
car hacking may be familiar with Craig Smith, wrote a book
from No Starch Press called, I think it was called "Car Hacking". Good book, it's a little bit dated, but he still has some good stuff in there. He put together a simulator here. He teaches classes on car hacking. What we're gonna do is we're
going to go ahead and grab it as a said GitHub. And it's a great little tool for being able to learn how to hack cars. So it's gonna be sudo git clone HTTPS. You can go ahead and do your research, and learn about the CAN network without having to connect to a car. You can see it's coming
up there on the screen. He goes by Zombie Craig, Zombie Craig, and it's gonna be the ICSim. I use this in my classes to
teach people how to hack cars. It already exists and it's
not an empty directory. There you go, you've
got the URL to be able to download it yourself. Then you want to go ahead and
go through that directory. Whoop, CD, ICSim, we're in
that, we can go to LS-L. You can see there's a setup
for the VCAN right there. So we gotta neat run that setup. I've already run it, I'm not gonna go ahead and run it again. There's a couple things in there. We have the controls, we
have data, we have the ICSim. So what we need to do is to
simply go and run our ICSim, and the VCAN0, which is basically
a CAN protocol interface. So it's basically, we've created
an interface that can talk to the CAN protocol. That's what this setup
VCAN does right here. So now we're gonna go ahead
and start the simulator. Open Garages is Craig
Smith's organization. Then go ahead and start the controls. - It's great to have this though. 'Cause it means you can practice without having to have
a car, yeah, brilliant. - If you've ever done
this sitting in your car, trying to work. (laughs) It makes it difficult to
have classes, remote classes, and it's not always the
most comfortable place to be able to sitting with your computer. So Craig put this together,
and it works pretty good. Now, there have been some
issues with setting this up. Now, some of the make
files, they just don't work with some of the newer versions of Linux. So when I run class, I'm gonna
be using an older version. This particular speedometer
here, I can get the speed. I can get this thing to accelerate, and do everything it's supposed to do, but it doesn't show up on the speedometer. There's something that
isn't quite connected there, but I've got most of the other
issues worked out with it. Let's see, newer controls. I gotta go to the right
directory, CD, ICSim. Then we can go and run the controls. He's got it set up so it'll
run off a game controller or your keyboard, and
here's the game controller. So run off your keyboard as well, use up arrow or right
shift to do the doors. And then the last step
is we've got to open up the CAN Sniffer, CAN Sniffer. Now, what this is is very
similar to Wireshark, but it's for the CAN protocol. So what I'm doing here is
simply saying CAN Sniffer, I'm invoking the CAN
Sniffer, I'm starting it, I'm executing the CAN Sniffer, and I'm telling it to use color, that's what the dash C is for. And then I gotta tell it what interface to be able to sniff on,
VCAN0, and then run it. You'll see this on the screen, on his computer in "Mr. Robot". What he's doing is that he
is sniffing the CAN network. These are all the commands that are going across the network. The idea here, if you're
doing research in car hacking, is that you want to identify
what command does what. One of the key issues in
doing research on vehicles, there's little standardization. The CAN protocol is standardized,
but the commands are not. If you know the command
to say start the vehicle in one vehicle, it may not
work in another vehicle. That's one of the issues
that you're gonna face. I think the vehicle in "Mr. Robot" is a, it's a Chrysler minivan. I kind of watched it up close, and zoomed in to see what it was. It's an older Chrysler minivan. So to be able to start the vehicle, they're gonna have to
know what the command is, and then be able to
essentially do a replay attack. So you capture, and then replay, very similar to what we do
with opening the door, right? We've got these commands. Each one of these is a command
with data attached to it. We can go ahead and capture
a command as it goes across, and then replay it on the same network. And let me do that for you next. We've got this vehicle
running in the background, we've got a sniffer running here. Now, what we can do is that we can capture this traffic into a file,
CANdump, dash C, dash L, VCAN0. So we're sniffing on that interface. Now what we're gonna
do is that we're going to be able to grab that
traffic and put it into a file. And you see it's creating
this file right here. I'm gonna go ahead and control C. Now what I can do is go more, and let's take the name of
this file, and I can view it. There it is. In doing research, what
I would want to do, is I would want to go ahead
now and discover the commands that are going to control,
say, the doors or the ignition. And I can do that by executing,
say, speed up the vehicle, or slow down the vehicle,
or open the doors, close the doors. By watching this traffic, I can determine what
command is doing what. Once I know that I can identify, say that I've gone ahead
and determined that... I've determined that, say, command 116. Okay, 161, I think is what it is on this particular simulator, actually accelerates the vehicle. Let's go ahead and
search for that command, see if there are any. So I'll do more, and then
I'm gonna go ahead and grip, and I'm gonna grip for 161. The command to be able to
accelerate this vehicle is this one right here. - And you know that
just by research, right? - [Occupy The Web] Well,
I've done it from research, exactly, it's kind of a
tedious process, right? What you gotta do is you
gotta accelerate the vehicle, watch the traffic, and keep on. So rather than doing that on screen, I've already done the work. So this is is the command and the data that will accelerate the vehicle. So what I can do then, okay, is go ahead and just send
that command with CAN send. So basically this is a replay
attack, that's what it is. Is I've just captured the data, and then I'm gonna go CAN send. And then this is gonna be over VCAN0, 161. It's just gonna be this
command right here? So I could just copy and paste it, right, this right here. By tedious research of watching,
accelerating the vehicle, slowing it down, I'd able to identify what
command accelerates the vehicle. I'm looking for what opens the doors. Opening the doors is not
gonna be that interesting because we're already inside the vehicle. What we want to do is to
be able to speed it up, slow it down, what have you. And maybe you can do
this remotely as well. So let's go ahead and
send it on that network. So what we've done is gone ahead and sent a accelerate
command into the network to speed up the vehicle. So that's kinda what automobile
hacking research is like. It's kind of a tedious process. Once again, we don't have
to authenticate ourselves. There's no encryption going on. Once we're inside and connected to the network of the vehicle, we can actually get inside
and view all of the traffic. Think of this as a Wireshark inside the network of the vehicle. - How realistic is the "Mr. Robot" hack where they open the doors,
and then start the vehicle and drive off. - [Occupy The Web] The way I assess it is that they probably did a replay attack. Given that they're really close. You notice that the woman
who's closing the doors is close by. - Yeah. - And they could intercept,
and do a replay attack, and open the door. The part that is more difficult to believe is being able to start the
vehicle with the laptop. Because like I was saying here, is you gotta do your research to be able to determine
what the command is. Now, maybe before they did this, they've got exactly that vehicle, and they've figured out
what that command is, which you could do it in
a couple hours, right. Maybe less, but you'd have
to have the same vehicle. Because even the same manufacturers
use different commands in different vehicles. Given that you know that, then you could've gone
right into the vehicle and pushed the button
just like I did there, and said CAN send, right,
and started the vehicle. That's the part that's a little...
That stretches credulity. Is that they went into a vehicle
that they never saw before. Apparently, maybe they did, I don't know. And they were able to
start it with a laptop. That's unlikely, unless
they've done the research, or somebody else has done the research, and put it up on the internet,
and they even download it. There's not a whole lot of research online about car hacking. As you mentioned, Alissa
Knight has done a book, and has done some research. Craig Smith has done some, and
there's a number of others, but there's not that much
information out there. Metasploit has now built
car hacking into Metasploit, but they don't have
many exploits in there. I'll just show you what they have. But the important point
is that they've built in the capabilities of being able
to hack cars into Metasploit. - That might come later, right? - [Occupy The Web] Well, they
put it in, I think it's 2018. They built the capability in 2018, and Craig Smith has written that part. And I was hopeful in 2018
there was gonna be more coming. Apparently there's not that much interest in car hacking, unfortunately. But we can go in here and see, I think they call it hardware hacking. Let's go hardware, search hardware. Yeah, I can see the scan the
CAN bus for diagnostic modules. Okay, here's identify the modules. These are post exploitation posts. Once again, there's a hardware bridge you need to go ahead and put in. So to be able to hack the vehicle, you've gotta basically
simulate a serial connection in your laptop, that's the first step. You gotta put in a
simulated serial connection, and then be able to connect Metaslpoit to that serial connection. And then you can go ahead and
use some of these exploits. There's not a whole lot. Here's a Mazda 2 instrument
cluster accelerometer mover. So it's gonna change the accelerometer. There's another one that's an overheating a vehicle, I think. Here's a ECU hard reset under automotive. Maybe we just to do better
search, just look at automotive. But yeah, they put it
under hardware hacking. Here we go, there's seven modules here. Here's a flood of the CAN. This is a new one, I don't
think I've seen this one before. Maybe I just missed it. This is a pyrotechnic devices,
the airbags, battery clamps. basically looks like it's gonna
start a fire in the vehicle. (David laughs) - Wow. - [Occupy The Web]
Notice that they're post, 'cause they're assuming
that you've exploited the network already. Some diagnostics, the
entertainment control unit, hard reset, here's the Mazda
IC mover, here's the CAN probe. Here's the Malibu overheat,
and then identify modules. So I think that Craig Smith
has written all of these. Maybe I'll write some in the future, and put 'em into Metaslpoit, we'll see. So I think it gives us a good
idea of what they were doing. - Whenever we get you on for
a presentation like this, if you like, or a demo like this, it's amazing how much you know. Thank you for sharing your
knowledge with all of us. Thanks for doing all
these videos and sharing. - [Occupy The Web] Oh, of
course, I enjoy doing this. So I'm ready and willing to
come back whenever, David. - Please put below what
you want us to cover. We've discussed some ideas, and one of them is like
hacking an Android phone. I think the FBI sting rate type thing. - [Occupy The Web] We
were talking about doing, in season one, Elliot goes ahead and
hacks the Android phone on one of the drug dealers
who are in his house, and it's on a local area network. He connects to Elliot's wifi network, and Elliot than is able to hack his phone, and get all the information out. That's a lot easier to do than being able to hack a phone remotely
that's on a cellular network. So we'll do that one, and then we'll also talk about
how to create a femto cell, which is essentially a mini cell tower that you can intercept all
the cellular communication when people connect to it. There's a hack that Elliot
does, and his team does, where they actually blow up the buildings. Elliot has some regrets
about his involvement, and basically crashing the global economy. But his team still goes
ahead with this hack of the buildings that store
all the hard data, okay, the hard copies of the data. And to keep Evil Corp from
being able to restore that data, they blow up the buildings. And they blow up the
buildings by manipulating the uninterruptable power supplies. Now, that is a really common
hack, and very doable. That's the same route, by the way, that the Russians used to
hack the electrical grid of Ukraine in 2014, they
got in through the APCs. Now, we think of APCs as
simply a battery, right, but it's a little computer in there. And so you can hack that, and there was just a brand
new vulnerability found in those things just a month ago. It's very doable, that
hack against the Evil Corp, where they blew up the
buildings, we'll do that one too. - We've kind of mentioned
it, but just to reiterate, you do the SDR stuff, you do a
lot of this car hacking stuff as part of your courses, right? - [Occupy The Web] I do, I have the SDR class coming up in August. Car hacking coming up in October. - Brilliant, so I'll put
links to those below. So if you wanna sign up for
the courses, then do that. You closing registration
on some of the options, is that right? - [Occupy The Web] Yeah, we've
had so many people sign up for the monthly program that
we've gotta close it down for right now. We may reopen it again, but right now we've just
got too many students in that program. - Occupy The Web, thanks so much, and we look forward to
having you back again. - [Occupy The Web] Thanks
David, good being here. See you all again soon. (upbeat bass music)
