1© 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
Smart car forensics &
vehicle weaponization
Gabriel Cirlig – Software Engineer
Stefan Tanase – Security Researcher
whoami
INGENIOUS! A ROMANIAN managed to modify public transportation cards!
whoami2
./shameless_plug.sh
@hookgab
@stefant
THE CONNECTED CAR
THE MOTIVATION
THE START
THE TECH
• Freescale i.MX6 ARM Cortex-A9
• random *nix distribution
• GPS soldered on board
(even if you didn’t buy the nav package)
• 1GB RAM
• WIFI!!!1!1111
• revolutionary usb debugging ™
A lot of power for a car, eh?
Smart car forensics
GETTING IN
• Abuse “autorun” script from USB
• disable iptables
• run SSHD for our platform
• …profit!
• credentials: root/jci
• ez ‘till now
WHAT WE FOUND
everything?
EXTRA
• voice profiles
• vehicle status
• directory listings for your phone (wtf, the car is crawling me)
AUTO INDUSTRY IN A NUTSHELL
Vehicle weaponization
WHAT WE CAN EXPLOIT
• deployed via the same script that granted ssh access
• uses cron to keep itself alive
• constantly looks for open wifis
• constantly logs GPS coordinates
• whenever we connect, upload new data
• WARDRIVING WITHOUT A LAPTOP!
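The two slides GETTING IN and WHAT WE CAN EXPLOIT together describe the traces such an intrusion leaves on the head unit: sshd reachable with a password login, iptables switched off, and a cron job keeping the implant alive. The following triage script is an added example written for this page, not the speakers' tooling. It assumes a generic embedded-Linux layout (/etc/crontab, /var/spool/cron/crontabs/root, /etc/ssh/sshd_config) on an extracted root filesystem plus an iptables-save capture taken on the live unit; every sample input below is constructed, and the volatile-path list and risky-directive list are the editor's assumptions.

```python
"""Offline triage of an extracted infotainment root filesystem for the traces
the deck describes: sshd reachable with password logins, iptables flushed,
and a cron job keeping an implant alive from removable media.
Added example, not the speakers' tooling. File locations, formats and the
sample inputs are assumptions / constructed data, not taken from a real unit."""
import re
import tempfile
from pathlib import Path

# Paths an implant dropped from a USB stick tends to run from on an embedded
# Linux unit (assumption; extend for the image under examination).
VOLATILE_PREFIXES = ("/media/", "/mnt/", "/tmp/", "/dev/shm/", "/run/media/")


def parse_crontab(text, system_crontab=False):
    """Return (schedule, command) pairs. system_crontab=True for /etc/crontab,
    whose lines carry a user column between the schedule and the command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value assignment
        fields = line.split()
        n = 1 if fields[0].startswith("@") else 5  # @reboot-style vs 5-field schedule
        schedule, rest = " ".join(fields[:n]), fields[n:]
        if system_crontab:
            rest = rest[1:]  # drop the user column
        entries.append((schedule, " ".join(rest)))
    return entries


def suspicious_cron_entries(text, system_crontab=False):
    """Flag jobs that run every minute (a keep-alive pattern) or execute from
    removable/volatile storage. Returns (schedule, command, reasons) triples."""
    hits = []
    for schedule, command in parse_crontab(text, system_crontab):
        reasons = []
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if any(p in command for p in VOLATILE_PREFIXES):
            reasons.append("runs from removable/volatile path")
        if reasons:
            hits.append((schedule, command, reasons))
    return hits


def sshd_findings(config_text):
    """List sshd_config directives explicitly set to a risky value. Absent
    directives fall back to version-specific OpenSSH defaults: check the daemon."""
    settings = {}
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    risky = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
    return [key for key, bad in risky.items() if settings.get(key) == bad]


def firewall_state(iptables_save_text):
    """Parse `iptables-save` output captured on the live unit. INPUT with an
    ACCEPT policy and no rules is what a flushed iptables leaves behind."""
    policies, input_rules, table = {}, 0, None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A INPUT"):
            input_rules += 1
    wide_open = policies.get("INPUT") == "ACCEPT" and input_rules == 0
    return {"policies": policies, "input_rules": input_rules, "input_wide_open": wide_open}


def triage(rootfs, iptables_dump=None):
    """Run every check against an extracted root filesystem and, optionally, an
    iptables-save capture (the live rule set is not persisted on disk by default)."""
    rootfs = Path(rootfs)
    report = {"cron": [], "sshd": [], "firewall": None}
    for rel, is_system in (("etc/crontab", True), ("var/spool/cron/crontabs/root", False)):
        path = rootfs / rel
        if path.exists():
            report["cron"] += suspicious_cron_entries(path.read_text(), is_system)
    sshd = rootfs / "etc/ssh/sshd_config"
    if sshd.exists():
        report["sshd"] = sshd_findings(sshd.read_text())
    if iptables_dump:
        report["firewall"] = firewall_state(iptables_dump)
    return report


# Constructed sample data, not from a real head unit.
SAMPLE_FILES = {
    "var/spool/cron/crontabs/root": "PATH=/usr/bin:/bin\n"
        "*/5 * * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
        "* * * * * /tmp/.cache/keepalive.sh >/dev/null 2>&1\n",
    "etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n",
}
SAMPLE_IPTABLES = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"


def run_sample():
    """Materialise the constructed image in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(content)
        return triage(tmp, SAMPLE_IPTABLES)


if __name__ == "__main__":
    for section, findings in run_sample().items():
        print(f"{section}: {findings}")
```

On a real unit, mount the acquired image read-only and point triage() at the mountpoint; the iptables-save text has to be collected from the running system, because a flushed rule set is exactly the thing that is never written to disk. The every-minute and volatile-path heuristics are deliberately loose: a head unit's legitimate crontab is short, so reviewing every hit by hand is cheap, and a false negative (an implant copied into the read-write system partition) is the case to worry about.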
GIVING IT SOME LOVE
LIVE DEMO
https://www.youtube.com/watch?v=q0CjVHlEJuQ&feature=em-upload_owner
SMART CAR RANSOMWARE
THE FUTURE
CONCLUSIONS
Our privacy is threatened
Travelers rent cars, car-sharing programs are becoming popular in big cities, and corporate fleets are shared between employees.
Evolution of technology – a double-edged sword
We *want* smartphones, tablets, smart watches, smart cars, self-driving cars, the internet of things etc.
Euro NCAP for automotive cybersecurity
We already have crash tests for physical safety. Seatbelts and airbags are mandatory. Why is the industry ignoring cybersecurity?
THE AFTERMATH
Follow us on Twitter!
@hookgab
@stefant