1 00:00:00,125 --> 00:00:01,999 How's everybody doing? 2 00:00:03,834 --> 00:00:06,459 All right, just in Defcon style we got this quick video 3 00:00:06,459 --> 00:00:07,999 to show you. 4 00:00:07,999 --> 00:00:10,584 So pay good attention. 5 00:01:16,167 --> 00:01:26,751 (Music) Yeah, what do you think? 6 00:01:27,834 --> 00:01:29,959 (Applause) Awesome. 7 00:01:30,999 --> 00:01:34,334 All right, so our first speakers up today are Charlie and Chris. 8 00:01:34,334 --> 00:01:36,959 Adventures in Automotive Networks and Control Units. 9 00:01:36,959 --> 00:01:38,792 Let's give them a big Defcon welcome. 10 00:01:38,792 --> 00:01:47,999 (Applause) CHRIS VALASEK: Thanks for coming out! 11 00:01:47,999 --> 00:01:49,999 Thanks for getting up early or staying up late, however it 12 00:01:49,999 --> 00:01:51,876 is for you guys. 13 00:01:51,876 --> 00:01:52,667 CHARLIE MILLER: I was disappointed we didn't boo 14 00:01:52,667 --> 00:01:54,999 the general off the stage at Black Hat. 15 00:01:54,999 --> 00:01:58,751 But I'm even more disappointed there's this many people awake at 10:00. 16 00:01:58,751 --> 00:01:59,751 Shame on all of you. 17 00:02:00,250 --> 00:02:04,959 CHRIS VALASEK: So, you know, as he said before, I'm Chris. 18 00:02:04,959 --> 00:02:05,959 He's Charlie. 19 00:02:06,083 --> 00:02:10,083 I don't know, some people may know me for Windows heap crap. 20 00:02:10,083 --> 00:02:13,709 I think people know Charlie for computers of some sort. 21 00:02:13,709 --> 00:02:15,375 CHARLIE MILLER: I do computers. 22 00:02:15,375 --> 00:02:17,999 CHRIS VALASEK: He does computers and so can you. 23 00:02:17,999 --> 00:02:20,918 So we're going to talk about the cars we have today. 24 00:02:20,999 --> 00:02:24,083 We're going to talk about the ECUs in those cars and then we're going to give 25 00:02:24,083 --> 00:02:26,999 you a brief kind of overview of CAN. 26 00:02:26,999 --> 00:02:28,751 Most people are familiar with it. 
27 00:02:28,751 --> 00:02:30,292 But we'll give you our $0.02. 28 00:02:30,459 --> 00:02:33,125 Charlie's going to go over some standards and protocols, 29 00:02:33,125 --> 00:02:37,375 then we'll go into the cool shit which is CAN message injection. 30 00:02:37,375 --> 00:02:38,959 This is how we're actually doing physical 31 00:02:38,959 --> 00:02:41,834 control of the car, stuff like that. 32 00:02:41,834 --> 00:02:44,209 And from there we can talk about firmware reprogramming 33 00:02:44,209 --> 00:02:47,999 of these ECUs and that's how you would get what is referred 34 00:02:47,999 --> 00:02:52,626 to in the business as persistence, to be on the car forever. 35 00:02:52,626 --> 00:02:53,626 CHARLIE MILLER: So if you need any work 36 00:02:53,626 --> 00:02:55,959 on cars, we're mechanics now. 37 00:02:57,125 --> 00:02:59,542 All you got to do is get on the internet and you can order 38 00:02:59,542 --> 00:03:00,999 the stuff. 39 00:03:00,999 --> 00:03:03,083 CHRIS VALASEK: And walk right into the garage and start working 40 00:03:03,083 --> 00:03:04,417 on them. 41 00:03:04,417 --> 00:03:06,250 If you have a Toyota or Ford that you want Charlie 42 00:03:06,250 --> 00:03:10,501 to fix, we'll bring our laptops over and tune it up for you. 43 00:03:10,501 --> 00:03:11,792 CHARLIE MILLER: Everyone says how hard it is to get a job, 44 00:03:11,792 --> 00:03:13,667 but just order the stuff. 45 00:03:13,667 --> 00:03:15,959 CHRIS VALASEK: Job creators right here. 46 00:03:17,999 --> 00:03:21,250 CHARLIE MILLER: Let's talk about, like, what's been done 47 00:03:21,250 --> 00:03:24,626 before and why we decided to build on that. 48 00:03:24,751 --> 00:03:26,959 So in 2010/2011 a couple of papers came out by a group 49 00:03:26,959 --> 00:03:29,999 of researchers from the University of Washington and the University 50 00:03:29,999 --> 00:03:32,083 of California San Diego. 51 00:03:32,125 --> 00:03:35,417 And they did, like, awesome work. 
52 00:03:35,417 --> 00:03:36,792 Like, I read their paper. 53 00:03:36,792 --> 00:03:40,584 It was incredible and immediately I was like, how can I expand on this? 54 00:03:40,584 --> 00:03:41,999 I was like, well, I can't. 55 00:03:41,999 --> 00:03:42,999 Right. 56 00:03:42,999 --> 00:03:43,999 They did everything. 57 00:03:43,999 --> 00:03:45,584 They looked at remote attacks. 58 00:03:45,584 --> 00:03:48,999 They looked at, you know, the attack surface, vulnerabilities. 59 00:03:48,999 --> 00:03:50,375 They wrote remote exploits. 60 00:03:50,375 --> 00:03:52,501 They controlled things through the CAN. 61 00:03:52,501 --> 00:03:53,834 They did the whole thing. 62 00:03:54,083 --> 00:03:55,584 Super impressive work. 63 00:03:55,584 --> 00:03:58,375 But one thing they didn't do was they didn't tell anyone 64 00:03:58,375 --> 00:04:00,584 about any details. 65 00:04:00,584 --> 00:04:04,417 So there's this video where you can see this big black dot. 66 00:04:04,417 --> 00:04:07,792 So it's, like, the guy walks in and unlocks the car and drives off. 67 00:04:07,792 --> 00:04:08,999 When I first saw it I was like, shit, they just stole someone's car 68 00:04:08,999 --> 00:04:11,501 for real and they don't want the cops to bust them, that's why 69 00:04:11,501 --> 00:04:13,250 they covered it up. 70 00:04:13,250 --> 00:04:14,667 But turns out they covered it up because they didn't want anyone 71 00:04:14,667 --> 00:04:16,626 to know what car they worked on. 72 00:04:18,334 --> 00:04:20,876 Then if you look in their paper you see things 73 00:04:20,876 --> 00:04:24,999 like this where instead of giving you the actual data packets they used to, like, 74 00:04:24,999 --> 00:04:28,125 control the car, they, like, they avoid giving all the bytes 75 00:04:28,125 --> 00:04:29,876 out to you. 76 00:04:29,876 --> 00:04:30,918 CHRIS VALASEK: It is a great paper 77 00:04:30,918 --> 00:04:33,834 with no real data information in it. 
78 00:04:33,834 --> 00:04:35,083 CHARLIE MILLER: Right. 79 00:04:35,083 --> 00:04:38,876 So they said I can remotely attack your car, control aspects of your car, 80 00:04:38,876 --> 00:04:41,209 but you can't do that. 81 00:04:41,626 --> 00:04:42,626 Right? 82 00:04:42,626 --> 00:04:45,999 So that was, like, that made us want to say, we want everyone to be able 83 00:04:45,999 --> 00:04:47,999 to do this, right. 84 00:04:47,999 --> 00:04:50,083 I wanted to share what we know how to do. 85 00:04:50,083 --> 00:04:52,083 It took us, like, ten months to do this. 86 00:04:52,083 --> 00:04:52,999 So we don't want everyone to go through ten months of pain 87 00:04:52,999 --> 00:04:54,250 like we did. 88 00:04:54,250 --> 00:04:56,751 We want people to go through two months of pain. 89 00:04:56,751 --> 00:04:59,375 CHRIS VALASEK: Hopefully instead of the first few months flopping 90 00:04:59,375 --> 00:05:02,959 around not knowing what to do, you will be able to get a car, 91 00:05:02,959 --> 00:05:07,999 cut it open and be reading and writing stuff on your car within a few hours. 92 00:05:08,501 --> 00:05:12,292 CHARLIE MILLER: So if I wanted to actually attack you in your car, 93 00:05:12,292 --> 00:05:16,334 which I don't want to do, you would have to do two things. 94 00:05:16,334 --> 00:05:19,626 A remote attack, which the university guys already showed. 95 00:05:19,626 --> 00:05:21,999 They showed remote attacks through the Bluetooth interface 96 00:05:21,999 --> 00:05:24,417 of a car, then a pretty cool one where you stick 97 00:05:24,417 --> 00:05:27,999 a CD into the radio and get code running that way. 98 00:05:28,083 --> 00:05:31,542 The second part is doing something to the car itself. 99 00:05:31,751 --> 00:05:34,125 Our research was focused on the second part. 100 00:05:34,209 --> 00:05:36,999 We've written exploits our whole life and they're boring, but the cool thing 101 00:05:36,999 --> 00:05:39,250 is making cars drive around. 
102 00:05:40,083 --> 00:05:42,542 What we wanted to do is to use new vehicles. 103 00:05:42,542 --> 00:05:45,751 They never said what vehicle they used. 104 00:05:45,751 --> 00:05:47,876 But everyone thinks it is a GM. 105 00:05:48,999 --> 00:05:51,459 So some guy who is up here, who I have no idea who it 106 00:05:51,459 --> 00:05:54,083 is and he would have no right answer as to what the answer 107 00:05:54,083 --> 00:05:56,250 is, says it's a Chevy Malibu. 108 00:05:56,250 --> 00:05:57,250 He's right. 109 00:05:59,209 --> 00:06:01,417 So we chose different cars. 110 00:06:01,417 --> 00:06:03,792 We also chose cars that have more, like, electronic features than 111 00:06:03,792 --> 00:06:05,584 the cars they used. 112 00:06:05,584 --> 00:06:07,792 Such as stuff that had to do with steering. 113 00:06:07,792 --> 00:06:09,250 That was, like, something new. 114 00:06:09,250 --> 00:06:11,626 But the main thing that's different is that we want to share all the data 115 00:06:11,626 --> 00:06:15,083 and hard work we did so everyone can do the same thing. 116 00:06:15,083 --> 00:06:16,250 Car research is cool. 117 00:06:16,250 --> 00:06:19,792 CHRIS VALASEK: I'm sure more people than us want to do this stuff. 118 00:06:19,792 --> 00:06:21,375 So we'll try to help everyone out. 119 00:06:21,375 --> 00:06:25,167 CHARLIE MILLER: The first thing I learned, we're software guys. 120 00:06:25,167 --> 00:06:27,834 We don't know that much about hardware, cars. 121 00:06:27,834 --> 00:06:29,417 CHRIS VALASEK: I know Windows. 122 00:06:29,417 --> 00:06:30,417 That's about it. 123 00:06:30,459 --> 00:06:33,834 CHARLIE MILLER: I was like, a car is just like a big iPhone, right? 124 00:06:33,834 --> 00:06:34,834 I'll be good. 125 00:06:34,834 --> 00:06:36,209 This is going to be no problem. 126 00:06:36,792 --> 00:06:37,999 Turns out it's not. 
127 00:06:38,209 --> 00:06:40,542 In the old days when I wanted to do research I would just download 128 00:06:40,542 --> 00:06:42,999 software and start looking at it. 129 00:06:42,999 --> 00:06:43,999 That's super easy. 130 00:06:43,999 --> 00:06:47,167 Turns out, like, starting car hacking not so easy. 131 00:06:47,167 --> 00:06:48,167 We had to buy a car. 132 00:06:48,999 --> 00:06:50,999 Turns out this is really hard. 133 00:06:50,999 --> 00:06:54,918 Especially when you are, like, okay I want a 2010 Toyota Prius 134 00:06:54,918 --> 00:06:57,918 with intelligent park assist. 135 00:06:57,918 --> 00:06:59,375 And they're like okay what car. 136 00:06:59,459 --> 00:07:00,999 CHRIS VALASEK: Don't care. 137 00:07:00,999 --> 00:07:04,375 CHARLIE MILLER: What about if it's scratched up. 138 00:07:04,375 --> 00:07:05,375 I don't care. 139 00:07:05,375 --> 00:07:06,417 Mileage don't care. 140 00:07:06,417 --> 00:07:09,083 I don't care what color. 141 00:07:09,083 --> 00:07:10,667 I don't care where it's at. 142 00:07:10,667 --> 00:07:11,999 Anywhere in the country. 143 00:07:11,999 --> 00:07:14,292 I need to find this car and want to buy it from you. 144 00:07:14,292 --> 00:07:17,209 CHRIS VALASEK: They would say what do you want to spend. 145 00:07:17,209 --> 00:07:18,709 We would say give me the car. 146 00:07:18,792 --> 00:07:21,209 CHARLIE MILLER: Just get us a car. 147 00:07:21,209 --> 00:07:22,542 CHRIS VALASEK: I am sure our backers have enough money 148 00:07:22,542 --> 00:07:24,209 to afford this car. 149 00:07:24,209 --> 00:07:25,999 CHARLIE MILLER: Absolutely. 150 00:07:26,876 --> 00:07:28,959 We're like Iron Man. 151 00:07:28,959 --> 00:07:32,999 We have our own corporation and we're independently wealthy. 152 00:07:33,918 --> 00:07:36,751 So we got the cars. 153 00:07:36,751 --> 00:07:40,626 The first thing that comes up when they pull up it's, like, can it park itself? 154 00:07:40,626 --> 00:07:41,626 They're like yes. 
155 00:07:41,626 --> 00:07:42,626 I'll buy it. 156 00:07:42,999 --> 00:07:44,999 So getting the cars was hard. 157 00:07:44,999 --> 00:07:46,959 Then we're used to working like this. 158 00:07:46,959 --> 00:07:49,125 CHRIS VALASEK: Usual work day right there. 159 00:07:49,125 --> 00:07:51,999 CHARLIE MILLER: This is called working from home. 160 00:07:51,999 --> 00:07:54,999 Turns out in car research you have to, like, be out in your car. 161 00:07:54,999 --> 00:07:58,375 And it's, like, 20 degrees out and, you know, you can't turn the car 162 00:07:58,375 --> 00:08:02,083 on because you fucked up the ECUs and stuff. 163 00:08:02,125 --> 00:08:03,918 So I'm sitting out there at 20 degrees 164 00:08:03,918 --> 00:08:06,501 with all the clothes I own on. 165 00:08:06,501 --> 00:08:09,375 CHRIS VALASEK: Looking like the Unabomber, by the way. 166 00:08:09,375 --> 00:08:11,125 CHARLIE MILLER: Yes, a little bit. 167 00:08:11,125 --> 00:08:13,083 And my computer's about to freeze up. 168 00:08:13,083 --> 00:08:14,999 It's much harder to do car research. 169 00:08:14,999 --> 00:08:16,459 This is, like, normally when you are ready to start, 170 00:08:16,459 --> 00:08:19,709 like, attaching your debugger. CHRIS VALASEK: That's how you work when 171 00:08:19,709 --> 00:08:21,459 you come to Vegas. 172 00:08:21,792 --> 00:08:25,125 CHARLIE MILLER: This is regular software research. 173 00:08:25,125 --> 00:08:26,125 It's easy. 174 00:08:26,125 --> 00:08:27,501 Hardware research sucks. 175 00:08:27,501 --> 00:08:30,083 You are constantly cutting up your hands and stuff. 176 00:08:30,083 --> 00:08:31,083 It is a total pain. 177 00:08:32,999 --> 00:08:37,709 When it comes time to do disassembling, I can handle IDA Pro all day. 178 00:08:37,709 --> 00:08:39,083 But then disassemble a car. 179 00:08:41,334 --> 00:08:43,292 This is hard. 180 00:08:43,959 --> 00:08:46,626 CHRIS VALASEK: The steps, with 388 easy steps you can have 181 00:08:46,626 --> 00:08:48,125 the dash off. 
182 00:08:48,125 --> 00:08:49,999 I was like, fuck this, give me a crowbar. 183 00:08:50,209 --> 00:08:52,501 CHARLIE MILLER: So we disassemble cars 184 00:08:52,501 --> 00:08:54,999 but don't reassemble cars. 185 00:08:55,999 --> 00:09:01,999 CHRIS VALASEK: When it comes down to debugging, I'm used to busting out GDB. 186 00:09:05,918 --> 00:09:12,083 I just cut 17 wires and one of them is a problem. 187 00:09:12,083 --> 00:09:14,083 I should have stopped at 16. 188 00:09:14,083 --> 00:09:16,501 And I don't remember which ones they were. 189 00:09:16,918 --> 00:09:23,375 Then when you are writing your exploit or code, your payload, there's a bug. 190 00:09:23,918 --> 00:09:28,375 A bug when you are writing your payload for your car, you call the flatbed 191 00:09:28,375 --> 00:09:31,292 and they come and pick up your car and take it 192 00:09:31,292 --> 00:09:35,584 to the dealer, then you explain to the dealer why your dash is torn 193 00:09:35,584 --> 00:09:40,542 out and why your computers are hanging from wires in your car. 194 00:09:40,542 --> 00:09:43,459 I said don't worry about the inside of the car. 195 00:09:43,459 --> 00:09:45,667 You are going to get this car and freak out. 196 00:09:45,667 --> 00:09:46,999 Don't freak out, just call me. 197 00:09:47,626 --> 00:09:49,709 When they couldn't fix the car, because imagine that, 198 00:09:49,709 --> 00:09:52,125 they had never seen this problem before. 199 00:09:52,501 --> 00:09:56,209 Seriously, they had to get, like, corporate Toyota on the line. 200 00:09:56,209 --> 00:09:58,083 They were like, we've never seen this. 201 00:09:58,083 --> 00:09:59,999 I'm like, I am sure of that. 202 00:10:00,292 --> 00:10:02,209 So then they call Chris and they're 203 00:10:02,209 --> 00:10:06,334 like, Toyota says that we should put everything back together. 204 00:10:06,334 --> 00:10:07,999 Chris is like, don't do that. 205 00:10:07,999 --> 00:10:08,999 Just make it run. 
206 00:10:08,999 --> 00:10:10,417 CHRIS VALASEK: I was like, I have 500 parts 207 00:10:10,417 --> 00:10:13,834 in my garage, you are not getting them. 208 00:10:13,834 --> 00:10:14,834 Just fix it. 209 00:10:14,834 --> 00:10:16,792 CHARLIE MILLER: Finally, when your application finally crashes 210 00:10:16,792 --> 00:10:18,751 that's a good thing. 211 00:10:18,751 --> 00:10:19,751 People are happy. 212 00:10:20,250 --> 00:10:22,083 When you crash in your car research it 213 00:10:22,083 --> 00:10:24,626 is a totally different story. 214 00:10:24,876 --> 00:10:27,334 The short story of this is I have this feature that I'll show you 215 00:10:27,334 --> 00:10:30,792 guys later, how you can make the brakes not work in your car. 216 00:10:31,459 --> 00:10:33,959 I was pulling into my driveway 217 00:10:33,959 --> 00:10:38,626 with this feature engaged and I was, like, oh no, it's too late. 218 00:10:39,999 --> 00:10:41,083 (Laughter). 219 00:10:41,083 --> 00:10:42,918 And there was my real car on this side of the driveway 220 00:10:42,918 --> 00:10:45,042 and my house on this side. 221 00:10:45,042 --> 00:10:48,334 All I had was a tunnel into my garage and no brakes. 222 00:10:48,334 --> 00:10:50,959 So I was like, I tried whatever I could. 223 00:10:50,959 --> 00:10:51,959 I panicked. 224 00:10:51,959 --> 00:10:53,999 I just rammed into the back of my garage. 225 00:10:53,999 --> 00:10:56,876 CHRIS VALASEK: Charlie called me, he's like, I wrecked. 226 00:10:56,876 --> 00:10:58,167 I was, like, that's awesome. 227 00:10:58,167 --> 00:10:59,167 We did it. 228 00:10:59,167 --> 00:11:01,584 CHARLIE MILLER: Chris was not supportive. 229 00:11:01,584 --> 00:11:04,209 CHRIS VALASEK: I didn't care about his wellbeing. 230 00:11:04,209 --> 00:11:06,334 CHARLIE MILLER: So I crashed into the wall. 231 00:11:06,334 --> 00:11:08,083 Here are more photos of my lawn mower. 232 00:11:08,083 --> 00:11:09,125 Totally destroyed. 
233 00:11:09,542 --> 00:11:11,250 You can see the back of my garage. 234 00:11:11,999 --> 00:11:14,501 It's no longer flat anymore. 235 00:11:14,667 --> 00:11:16,459 The wood is all splintered. 236 00:11:17,999 --> 00:11:21,999 The first ever cyber victim in the physical world. 237 00:11:21,999 --> 00:11:25,083 CHRIS VALASEK: When it goes on Wikipedia you can say we were 238 00:11:25,083 --> 00:11:27,709 the first people to cause harm to an object 239 00:11:27,709 --> 00:11:30,250 through automobile research. 240 00:11:30,250 --> 00:11:31,501 CHARLIE MILLER: Yep. 241 00:11:31,501 --> 00:11:32,667 That poor, poor thing. 242 00:11:32,667 --> 00:11:34,876 Let's talk about the cars we actually got. 243 00:11:34,876 --> 00:11:38,083 This isn't like breaking research since no one talks about this. 244 00:11:38,083 --> 00:11:40,918 So we decided to get the hardest possible cars 245 00:11:40,918 --> 00:11:42,959 to hack, it seems. 246 00:11:42,959 --> 00:11:44,834 But really what we did was we just said we ordered what's 247 00:11:44,834 --> 00:11:47,626 the cheapest car that has autopark. 248 00:11:48,792 --> 00:11:50,167 2010 Ford Escape. 249 00:11:50,250 --> 00:11:54,999 It has advanced features such as cruise control, backup camera. 250 00:11:54,999 --> 00:11:56,999 But what we cared about is park assist. 251 00:11:56,999 --> 00:12:00,834 So here is a video of real park assist in action. 252 00:12:00,834 --> 00:12:01,834 This is not hacking. 253 00:12:01,834 --> 00:12:03,209 This is a feature from the car. 254 00:12:03,209 --> 00:12:06,542 You are driving along, it tells you, like, put it in reverse. 255 00:12:06,542 --> 00:12:07,626 You put it in reverse. 256 00:12:07,626 --> 00:12:10,626 Then you back up and then it steers for you. 257 00:12:10,626 --> 00:12:12,626 So it doesn't make the car move. 258 00:12:12,999 --> 00:12:14,375 But it will steer for you. 259 00:12:14,751 --> 00:12:16,709 You see the wheel move. 
260 00:12:16,876 --> 00:12:18,999 Is there sound, anyone? 261 00:12:18,999 --> 00:12:20,250 Can you make sound? 262 00:12:20,250 --> 00:12:23,999 CHRIS VALASEK: We had to try to figure out what type 263 00:12:23,999 --> 00:12:27,459 of codec we were dealing with, which we did 264 00:12:27,459 --> 00:12:33,083 by downloading every single RFC for codecs, which, holy shit. 265 00:12:33,918 --> 00:12:38,083 CHARLIE MILLER: I don't remember grepping or saying that. 266 00:12:38,083 --> 00:12:40,834 CHRIS VALASEK: Likewise. 267 00:12:40,834 --> 00:12:42,501 CHARLIE MILLER: So maybe sound from the video and not 268 00:12:42,501 --> 00:12:44,918 the next room would be awesome. 269 00:12:47,083 --> 00:12:49,876 So this thing, it was like, this is really cool. 270 00:12:49,876 --> 00:12:50,959 The car parks itself. 271 00:12:50,959 --> 00:12:52,083 That means there's a computer in the car that can make 272 00:12:52,083 --> 00:12:54,125 the steering wheel move. 273 00:12:54,334 --> 00:12:59,250 CHRIS VALASEK: I had a 2010 Toyota Prius and this was, like, 274 00:12:59,250 --> 00:13:02,999 your super luxury end Toyota Prius. 275 00:13:02,999 --> 00:13:04,292 Had radar cruise control. 276 00:13:04,292 --> 00:13:05,501 So if you are going down the highway and a car in front 277 00:13:05,501 --> 00:13:08,542 of you was going slower, it would slow down for you. 278 00:13:08,667 --> 00:13:11,999 Which meant the brakes are going to slow you down. 279 00:13:11,999 --> 00:13:12,999 We thought. 280 00:13:12,999 --> 00:13:14,083 Had lane keep assist. 281 00:13:14,209 --> 00:13:17,459 Where you can set it, if you are going off the road it sees the lines and 282 00:13:17,459 --> 00:13:19,999 will correct the car for you. 283 00:13:19,999 --> 00:13:22,375 CHARLIE MILLER: This is the car of the future. 284 00:13:22,375 --> 00:13:23,792 CHRIS VALASEK: This is. 
285 00:13:23,792 --> 00:13:24,959 CHARLIE MILLER: When Chris was driving to South Bend for testing 286 00:13:24,959 --> 00:13:27,083 he says I was kicked back. 287 00:13:27,083 --> 00:13:29,626 CHRIS VALASEK: I was tweeting the whole time. 288 00:13:32,834 --> 00:13:34,792 If you are going to wreck, it beeps. 289 00:13:34,792 --> 00:13:37,999 If it starts beeping I know I have to get off Twitter for a second. 290 00:13:39,667 --> 00:13:42,999 Had a pre-collision system which again was really neat. 291 00:13:42,999 --> 00:13:45,083 Even if you had your foot on the acceleration pedal it would pre 292 00:13:45,083 --> 00:13:48,167 tighten the seatbelt and apply the brakes if it thought you were going 293 00:13:48,167 --> 00:13:49,667 to wreck. 294 00:13:52,999 --> 00:13:56,417 Again, it also had intelligent park assist. 295 00:13:56,417 --> 00:13:57,999 Which is what we really wanted. 296 00:13:57,999 --> 00:13:59,876 I think one of our main goals was to have 297 00:13:59,876 --> 00:14:03,959 the car steer itself without anything, you know, that is doing it 298 00:14:03,959 --> 00:14:05,959 with a computer. 299 00:14:05,959 --> 00:14:08,083 We didn't even know if it would be possible. 300 00:14:08,083 --> 00:14:08,083 So we wanted to make sure there was 301 00:14:08,083 --> 00:14:09,918 a computer doing steering for you. 302 00:14:10,083 --> 00:14:14,083 So ECUs, or electronic control units. 303 00:14:14,292 --> 00:14:19,209 These control almost every aspect of your modern automobile. 304 00:14:19,209 --> 00:14:21,417 That is especially true for the Prius. 305 00:14:21,999 --> 00:14:26,999 Almost all of the Prius was controlled by computers, right. 306 00:14:26,999 --> 00:14:29,209 And these computers take input from sensors. 307 00:14:29,209 --> 00:14:31,999 Sensors tell you things like how fast you are going. 308 00:14:32,083 --> 00:14:34,334 And then they control actuators. 
309 00:14:34,792 --> 00:14:38,083 Things that say clamp the brakes or put fuel into the engine, 310 00:14:38,083 --> 00:14:40,125 things like that. 311 00:14:40,250 --> 00:14:43,083 They're located kind of everywhere within the car. 312 00:14:43,083 --> 00:14:45,542 In the Prius most were in the dash. 313 00:14:45,709 --> 00:14:49,999 The ABS one is actually built into the main brake cylinder. 314 00:14:49,999 --> 00:14:50,834 So you can't just yank it out. 315 00:14:50,834 --> 00:14:53,542 You have to take the whole car apart. 316 00:14:53,542 --> 00:14:55,083 So they're everywhere. 317 00:14:55,083 --> 00:14:58,334 And I think one of the questions we got was, oh yeah, it's 318 00:14:58,334 --> 00:15:02,083 some kind of Linux on all these things. 319 00:15:02,250 --> 00:15:03,250 It's not. 320 00:15:03,250 --> 00:15:06,542 It's just custom code on arbitrary hardware and there's no, 321 00:15:06,542 --> 00:15:09,751 like, general thing you can do. 322 00:15:09,751 --> 00:15:11,209 They're not running services. 323 00:15:11,209 --> 00:15:12,999 It is a computer that does stuff. 324 00:15:12,999 --> 00:15:14,999 CHARLIE MILLER: And you might know there's a computer 325 00:15:14,999 --> 00:15:17,876 in my car because there's a screen. 326 00:15:17,876 --> 00:15:19,167 Well, that is a computer. 327 00:15:19,167 --> 00:15:21,125 But there's, like, 30 other computers. 328 00:15:21,125 --> 00:15:23,584 CHRIS VALASEK: And they're all interacting and it's hard 329 00:15:23,584 --> 00:15:25,584 to figure it out. 330 00:15:26,375 --> 00:15:30,459 The ECUs were connected by a CAN bus. 331 00:15:30,626 --> 00:15:33,375 All these computers are on the same bus. 332 00:15:33,375 --> 00:15:34,751 It's broadcast in nature. 333 00:15:34,751 --> 00:15:36,999 So every ECU that is on the same bus can hear 334 00:15:36,999 --> 00:15:39,667 and see every other ECU. 335 00:15:40,209 --> 00:15:44,083 This is good because you can see all the traffic. 
336 00:15:44,083 --> 00:15:47,542 It's bad because there's no real addressing. 337 00:15:47,542 --> 00:15:49,459 So you don't know where things are going or where they came 338 00:15:49,459 --> 00:15:53,459 from without physically, like, isolating one of these things. 339 00:15:53,459 --> 00:15:56,167 One of the hardest things is we'd see all this cool traffic and be, like, 340 00:15:56,167 --> 00:15:59,209 I don't know where this came from, right. 341 00:15:59,834 --> 00:16:02,584 While it's good and bad, it's good if you want to, say, inject 342 00:16:02,584 --> 00:16:04,792 into this network because they don't ask where 343 00:16:04,792 --> 00:16:06,999 messages came from either. 344 00:16:06,999 --> 00:16:10,501 As long as you are on there, you can send messages. 345 00:16:10,501 --> 00:16:13,125 I think this is important to understand because I think a lot 346 00:16:13,125 --> 00:16:17,334 of the first feedback we got when doing this, we're like, they're jacked 347 00:16:17,334 --> 00:16:19,083 into the car. 348 00:16:19,083 --> 00:16:20,501 They didn't do it remotely. 349 00:16:20,751 --> 00:16:23,501 It doesn't matter if you are jacked in or do it remotely. 350 00:16:23,501 --> 00:16:23,626 Once you are on the CAN bus you are 351 00:16:23,626 --> 00:16:25,083 on the CAN bus. 352 00:16:26,125 --> 00:16:28,876 If you pop remote access, good. 353 00:16:28,876 --> 00:16:32,167 If you have limited physical access, good. 354 00:16:32,667 --> 00:16:36,292 If you compromise an ECU or are connected physically, it's 355 00:16:36,292 --> 00:16:37,999 all good. 356 00:16:44,751 --> 00:16:46,999 CHARLIE MILLER: The ECUs, they basically talk on this network 357 00:16:46,999 --> 00:16:48,999 and send messages to each other, and different cars have 358 00:16:48,999 --> 00:16:50,876 different topologies. 359 00:16:50,999 --> 00:16:56,626 So the Ford had two different networks that were sort of isolated. 
360 00:16:56,626 --> 00:16:57,292 But some of the ECUs were on both networks, and 361 00:16:57,292 --> 00:16:59,417 the Toyota basically had one. 362 00:16:59,417 --> 00:17:02,209 CHRIS VALASEK: Yeah, one but another segregated one. 363 00:17:03,459 --> 00:17:07,584 CHARLIE MILLER: If you want to see what an ECU looks like. 364 00:17:07,584 --> 00:17:08,999 This is from the Ford. 365 00:17:08,999 --> 00:17:10,584 The powertrain control module. 366 00:17:10,709 --> 00:17:12,542 This controls, like, your engine. 367 00:17:12,792 --> 00:17:14,626 The thing to see here is there must be 368 00:17:14,626 --> 00:17:17,792 like 300 wires that run into this. 369 00:17:17,792 --> 00:17:21,459 And each of these wires runs to, like, an oxygen sensor in a piston 370 00:17:21,459 --> 00:17:23,542 or I don't know. 371 00:17:23,542 --> 00:17:24,542 Some car thing. 372 00:17:24,542 --> 00:17:26,209 CHRIS VALASEK: Car lingo stuff. 373 00:17:26,209 --> 00:17:28,501 CHARLIE MILLER: They're all important. 374 00:17:28,501 --> 00:17:31,250 If you start cutting them the car doesn't work anymore. 375 00:17:31,250 --> 00:17:36,083 This is just a computer with, like, lots of, you know, wires that run to it. 376 00:17:36,083 --> 00:17:37,999 If you rip it open it looks like this. 377 00:17:37,999 --> 00:17:40,334 So you've got basically one chip and then it's like, you know, 378 00:17:40,334 --> 00:17:43,334 the CPU and lots of other little chips. 379 00:17:44,250 --> 00:17:48,626 That's what the inside of an ECU looks like. 380 00:17:48,626 --> 00:17:50,292 CHRIS VALASEK: The CAN network. 381 00:17:50,417 --> 00:17:53,584 We were interested in CAN specifically. 382 00:17:53,584 --> 00:17:56,083 You know, we are aware there's LIN and FlexRay. 383 00:17:56,751 --> 00:17:58,751 But we wanted to look at CAN. 384 00:17:58,751 --> 00:18:00,292 We knew both cars would have CAN. 385 00:18:00,584 --> 00:18:05,250 The IDs can really be 11 or 29 bits in length. 
386 00:18:05,250 --> 00:18:07,999 The IDs are what the ECUs use, since it's broadcast, 387 00:18:07,999 --> 00:18:11,209 to say which message is for me. 388 00:18:11,667 --> 00:18:13,999 CHARLIE MILLER: Identifiers. 389 00:18:14,334 --> 00:18:18,999 CHRIS VALASEK: Then the data can be zero to eight bytes. 390 00:18:19,209 --> 00:18:22,501 We'll talk more later about how you can send more than that. 391 00:18:22,751 --> 00:18:25,999 Generally you see zero bytes and up to eight bytes. 392 00:18:26,167 --> 00:18:30,667 And the CAN identifiers are used as a priority field, right. 393 00:18:30,667 --> 00:18:34,999 So to figure out arbitration on the bus, the lower IDs have precedence 394 00:18:34,999 --> 00:18:37,417 over higher ones. 395 00:18:37,751 --> 00:18:41,999 You know, the highest priority ID on a CAN bus for 11 bit is, you know, 396 00:18:41,999 --> 00:18:43,876 all zeros, right. 397 00:18:44,125 --> 00:18:46,999 So, again, broadcast nature, they have these IDs. 398 00:18:46,999 --> 00:18:50,542 You can kind of look these IDs up, categorize them. 399 00:18:50,542 --> 00:18:53,667 We spent a lot of time just figuring out what certain IDs were 400 00:18:53,667 --> 00:18:57,834 by spending hours and hours and months in the car. 401 00:18:57,834 --> 00:18:59,918 CHARLIE MILLER: Instead of sitting in front of your computer, 402 00:18:59,918 --> 00:19:03,209 I would drive up and down my street all night and parallel park my car, like, 403 00:19:03,209 --> 00:19:04,751 200 times. 404 00:19:04,751 --> 00:19:06,459 CHRIS VALASEK: People had to think I was, like, a prowler 405 00:19:06,459 --> 00:19:08,375 in the neighborhood. 406 00:19:08,375 --> 00:19:11,542 I would just circle the block for four days straight. 407 00:19:11,542 --> 00:19:14,334 With a laptop in my lap, cables over my shoulder. 
408 00:19:14,876 --> 00:19:17,542 And the lovely Pittsburgh police stopped me once and just saw me 409 00:19:17,542 --> 00:19:20,542 with cables and shit everywhere, like, bro, I got to ask, what 410 00:19:20,542 --> 00:19:22,751 the hell are you doing? 411 00:19:22,751 --> 00:19:24,083 I'm, like, I'm hacking cars. 412 00:19:24,083 --> 00:19:25,626 They're like, that's cool. 413 00:19:25,626 --> 00:19:26,626 Have a good day. 414 00:19:26,751 --> 00:19:29,999 Actually told me, I'd tell you to drive safe. 415 00:19:29,999 --> 00:19:31,209 I was, like, yeah, I know. 416 00:19:35,083 --> 00:19:38,999 So these are kind of the normal style CAN messages. 417 00:19:38,999 --> 00:19:40,667 You will see the format we used was made 418 00:19:40,667 --> 00:19:43,083 up by Charlie and I to be human readable 419 00:19:43,083 --> 00:19:47,542 and also digestible by our API, which we'll talk about. 420 00:19:47,667 --> 00:19:51,250 IDH and IDL are a byte apiece. 421 00:19:51,250 --> 00:19:56,083 Combined, it is a 16 bit, well, 11 bit ID. 422 00:19:56,375 --> 00:19:58,083 There's one from the Ford Escape. 423 00:19:58,083 --> 00:19:59,459 It has eight bytes. 424 00:19:59,459 --> 00:20:01,751 One from the Toyota that has four bytes. 425 00:20:01,751 --> 00:20:04,375 The Toyota really, really liked putting a checksum 426 00:20:04,375 --> 00:20:06,501 as the last byte. 427 00:20:06,501 --> 00:20:10,959 If you look at the Prius traffic, the last one's 95. 428 00:20:10,959 --> 00:20:16,709 That's IDH plus IDL plus length plus data, which is 33880, then 429 00:20:16,709 --> 00:20:19,959 a one byte checksum. 430 00:20:19,959 --> 00:20:20,959 This happens a lot. 431 00:20:20,959 --> 00:20:24,542 If you don't get that checksum right, messages are ignored by the ECU. 432 00:20:24,709 --> 00:20:26,626 When we're injecting traffic we had to make sure to always fix 433 00:20:26,626 --> 00:20:28,999 the checksum for each message we sent. 434 00:20:30,167 --> 00:20:33,375 The other is diagnostic examples. 
435 00:20:33,375 --> 00:20:38,083 You will see here how it's IDH 07 and IDL 60. 436 00:20:38,083 --> 00:20:41,167 That's an address. 437 00:20:41,167 --> 00:20:44,042 Each ECU is going to have this diagnostic address. 438 00:20:44,042 --> 00:20:46,250 And this is, although the CAN bus is broadcast 439 00:20:46,250 --> 00:20:51,792 in nature, you actually identify individual ECUs by this address. 440 00:20:51,959 --> 00:20:54,417 The reply back from the ECU is always going 441 00:20:54,417 --> 00:20:59,083 to be eight greater than what the ID was before it, right. 442 00:20:59,083 --> 00:21:01,792 So it's 0768. 443 00:21:01,999 --> 00:21:04,999 If you saw the academic papers they didn't cut off the front half 444 00:21:04,999 --> 00:21:07,999 of a lot of messages they were using and not so shockingly 445 00:21:07,999 --> 00:21:10,751 they all started with, what, 0007. 446 00:21:10,918 --> 00:21:16,292 There was a lot of stuff they ended up with that were diagnostic messages. 447 00:21:16,292 --> 00:21:18,999 CHARLIE MILLER: So there's normal messages and that's basically what 448 00:21:18,999 --> 00:21:20,999 your car normally uses. 449 00:21:20,999 --> 00:21:22,918 The computers talking to each other. 450 00:21:22,918 --> 00:21:26,417 Diagnostic messages you would never see in your car unless in the shop. 451 00:21:26,417 --> 00:21:27,459 CHRIS VALASEK: Mechanics use them to figure out what's wrong 452 00:21:27,459 --> 00:21:28,999 with your car right. 453 00:21:29,792 --> 00:21:33,626 CHARLIE MILLER: So these are used to talk to one particular ECU 454 00:21:33,626 --> 00:21:35,959 and ask how it's doing. 455 00:21:38,375 --> 00:21:42,999 So different cars will follow different standards. 456 00:21:43,209 --> 00:21:46,667 Our two cars followed the standards sometimes when 457 00:21:46,667 --> 00:21:49,375 they felt like it I guess. 
458 00:21:49,959 --> 00:21:52,209 CHRIS VALASEK: They did all their own thing however 459 00:21:52,209 --> 00:21:54,083 they wanted to do. 460 00:21:54,083 --> 00:21:55,751 CHARLIE MILLER: The first standard you need to read if you want 461 00:21:55,751 --> 00:21:58,542 to figure out what the traffic is ISO (inaudible). 462 00:21:59,792 --> 00:22:03,083 This is where you are, like, so you can only send eight bytes 463 00:22:03,083 --> 00:22:04,876 in a message? 464 00:22:04,876 --> 00:22:05,999 That's kind of weak. 465 00:22:06,083 --> 00:22:08,459 Then especially if you want one for a checksum. 466 00:22:08,459 --> 00:22:10,876 So it's hard to communicate with only seven bytes. 467 00:22:10,876 --> 00:22:12,999 So it is a way to send more than eight bytes at a time 468 00:22:12,999 --> 00:22:15,876 over the eight byte messages. 469 00:22:15,999 --> 00:22:18,417 And the way it works is basically your very first byte 470 00:22:18,417 --> 00:22:22,083 is like metadata for the rest of the data. 471 00:22:22,501 --> 00:22:26,209 Depending if it's a 0, one, two or three, like, the first four bits tell 472 00:22:26,209 --> 00:22:29,542 you whether it's one frame, whether it's the first of many, 473 00:22:29,542 --> 00:22:34,083 whether it's other ones, whether it's a response and so forth. 474 00:22:34,083 --> 00:22:37,751 So here's what that looks like in ISO-TP data. 475 00:22:37,918 --> 00:22:43,584 On the top one it's 03 which means it is a single message. 476 00:22:43,626 --> 00:22:46,667 And the data is three bytes in length. 477 00:22:47,083 --> 00:22:49,083 14 FS 00. 478 00:22:49,542 --> 00:22:52,876 The next one you can send a one which means there's 479 00:22:52,876 --> 00:22:55,999 more than eight bytes all together. 480 00:22:55,999 --> 00:22:57,334 And then the length is 082. 481 00:22:59,083 --> 00:23:00,999 Then the data starts. 
482 00:23:00,999 --> 00:23:03,083 Then you get a response back of 30 saying okay I know you are 483 00:23:03,083 --> 00:23:04,918 talking ISO-TP. 484 00:23:05,584 --> 00:23:08,999 The next one is two which means this is a follow up. 485 00:23:09,334 --> 00:23:11,751 And one means it is the first follow up packet. 486 00:23:12,999 --> 00:23:16,999 CHRIS VALASEK: We explain this in much more detail in the paper. 487 00:23:16,999 --> 00:23:19,959 CHARLIE MILLER: The paper is, like, 100 pages. 488 00:23:19,959 --> 00:23:21,584 It's full of information. 489 00:23:21,584 --> 00:23:23,083 So CHRIS VALASEK: If you ever wanted to be 490 00:23:23,083 --> 00:23:27,999 inside Charlie's brain you can read this paper and it's just like that. 491 00:23:27,999 --> 00:23:30,083 CHARLIE MILLER: And it's just as boring. 492 00:23:31,250 --> 00:23:33,999 That's the way that, like, you are going to see data actually 493 00:23:33,999 --> 00:23:36,751 on the network if it's actually ISO-TP. 494 00:23:37,959 --> 00:23:42,417 It just says how to send lots of data but doesn't say what it looks like. 495 00:23:42,459 --> 00:23:48,918 There's another standard that describes what the data is supposed to look like. 496 00:23:48,918 --> 00:23:50,083 At least in some respects. 497 00:23:50,834 --> 00:23:54,209 The thing is each ECU may or may not implement the things 498 00:23:54,209 --> 00:23:56,250 in that standard. 499 00:23:56,709 --> 00:23:59,999 And when they do, even that is just like sort of the first layer then there 500 00:23:59,999 --> 00:24:03,375 would be more data you would have to understand. 501 00:24:03,375 --> 00:24:04,626 So the standards sort of help you learn 502 00:24:04,626 --> 00:24:07,584 the first three bytes out of 20 bytes. 503 00:24:07,584 --> 00:24:09,709 But after that you are kind of on your own. 
504 00:24:09,709 --> 00:24:11,250 CHRIS VALASEK: Also, with it being that every ECU doesn't 505 00:24:11,250 --> 00:24:14,334 have these, when we did this we looked up the spec and it's 506 00:24:14,334 --> 00:24:19,167 like, they're going to have read memory by address, we'll rip the firmware off. 507 00:24:19,999 --> 00:24:22,125 None of mine has any of that functionality. 508 00:24:22,125 --> 00:24:24,959 You are like, this is going to be simple. 509 00:24:25,709 --> 00:24:27,918 All the cars are going to follow this. 510 00:24:27,918 --> 00:24:30,334 I'll get the firmware and the car will do whatever. 511 00:24:30,334 --> 00:24:31,334 The car will blow up. 512 00:24:31,334 --> 00:24:33,709 I'll be internet famous and it will be great. 513 00:24:33,709 --> 00:24:34,876 And it's ten months in your car crying wondering why 514 00:24:34,876 --> 00:24:37,999 your neighbors think you are weird. 515 00:24:37,999 --> 00:24:41,125 CHARLIE MILLER: Couldn't have said it better myself. 516 00:24:41,125 --> 00:24:45,417 So here is an example of some of that ISO interaction. 517 00:24:45,417 --> 00:24:47,417 Here you are trying to establish a diagnostic session 518 00:24:47,417 --> 00:24:49,584 with one of the ECUs. 519 00:24:49,584 --> 00:24:52,918 Here the 02 is the ISO-TP part. 520 00:24:54,209 --> 00:24:56,999 The ten says diagnostic session control and 521 00:24:56,999 --> 00:25:00,918 the three says extended diagnostic session. 522 00:25:00,999 --> 00:25:03,083 The ECU replies back. 523 00:25:03,584 --> 00:25:05,999 It says if it's successful it adds 40 to the number that 524 00:25:05,999 --> 00:25:09,292 is the, I forget what they're called, the ID. 525 00:25:09,459 --> 00:25:12,083 CHRIS VALASEK: Service number. 526 00:25:12,083 --> 00:25:13,542 CHARLIE MILLER: Oh yeah. 527 00:25:13,751 --> 00:25:16,542 Then repeats the three then sends more data. 
528 00:25:16,542 --> 00:25:17,999 This is what it looks like back and forth communications 529 00:25:17,999 --> 00:25:20,292 with these diagnostic packets. 530 00:25:21,999 --> 00:25:23,918 Anything else? 531 00:25:23,918 --> 00:25:25,876 Here's one that is pretty interesting. 532 00:25:25,876 --> 00:25:30,167 In order to talk to the ECUs and make them do things, you need 533 00:25:30,167 --> 00:25:32,999 to authenticate them. 534 00:25:33,501 --> 00:25:37,709 To do that you use this thing called security access. 535 00:25:37,709 --> 00:25:39,459 So security access rolls like this. 536 00:25:39,459 --> 00:25:41,999 So again two bytes of data then 2701. 537 00:25:41,999 --> 00:25:43,999 27 means security access. 538 00:25:43,999 --> 00:25:46,209 01 says I want the first level of access. 539 00:25:46,209 --> 00:25:47,626 There's multiple levels. 540 00:25:48,542 --> 00:25:49,999 Then the response back from the ECU 541 00:25:49,999 --> 00:25:52,584 is these three bytes that are highlighted. 542 00:25:52,584 --> 00:25:54,751 This is a seed. 543 00:25:54,751 --> 00:25:57,167 And the idea is this is just some random number then you 544 00:25:57,167 --> 00:26:01,167 have a secret key and you can do some crypto algorithm with their seed 545 00:26:01,167 --> 00:26:04,999 and key and the end result is three more bytes. 546 00:26:08,626 --> 00:26:13,459 Then you send them back the three bytes that you generated. 547 00:26:13,459 --> 00:26:16,542 And that proves that you had the key so they know to trust you. 548 00:26:16,542 --> 00:26:19,959 Here I send back the three bytes then it says 67 which 549 00:26:19,959 --> 00:26:25,417 is 40 plus 27 which says yes you are now authenticated at level two which 550 00:26:25,417 --> 00:26:29,999 is like the lowest secure level you can be at. 
551 00:26:29,999 --> 00:26:31,792 So anyway that is the part that makes it, if you wanted 552 00:26:31,792 --> 00:26:34,876 to do cool things, like we sat around a long time trying to figure 553 00:26:34,876 --> 00:26:36,999 out how to get it to do CHRIS VALASEK: We sat 554 00:26:36,999 --> 00:26:39,292 for quite a bit doing that. 555 00:26:39,292 --> 00:26:41,709 CHARLIE MILLER: Luckily you won't have to. 556 00:26:41,999 --> 00:26:47,501 Here's more things that you can do to ECUs with diagnostic sessions. 557 00:26:47,876 --> 00:26:49,334 Input/output control is cool. 558 00:26:50,125 --> 00:26:54,083 You can tell it that, suppose that your sensors are reading one thing, pretend 559 00:26:54,083 --> 00:26:57,792 your sensor is reading one thing, or ask what are your sensors telling 560 00:26:57,792 --> 00:26:59,999 you and stuff like that. 561 00:27:00,501 --> 00:27:06,999 It's 0307 which means, you know, that is the control to be tested. 562 00:27:06,999 --> 00:27:09,375 That's supposed to correspond to some sensor. 563 00:27:09,375 --> 00:27:10,834 You don't know what that is. 564 00:27:11,083 --> 00:27:13,167 It's not part of the standard. 565 00:27:13,167 --> 00:27:14,417 It's just proprietary. 566 00:27:14,417 --> 00:27:15,667 CHRIS VALASEK: Each manufacturer and model can be 567 00:27:15,667 --> 00:27:17,709 different for this stuff. 568 00:27:17,709 --> 00:27:20,083 CHARLIE MILLER: Then there's even more data. 569 00:27:20,083 --> 00:27:22,083 So if you don't know all that the ECU is, like, I don't know what you are 570 00:27:22,083 --> 00:27:23,834 talking about. 571 00:27:23,834 --> 00:27:27,417 CHRIS VALASEK: This is one of the services that's basically do stuff. 572 00:27:27,417 --> 00:27:29,417 CHARLIE MILLER: Right. 573 00:27:29,417 --> 00:27:32,125 Then here's some so PIDs was the thing. 574 00:27:32,918 --> 00:27:33,999 Anyway. 575 00:27:33,999 --> 00:27:34,999 So here's some of the other ones that sound 576 00:27:34,999 --> 00:27:36,459 really cool. 
577 00:27:36,709 --> 00:27:39,834 Like routine control is pretty cool. 578 00:27:39,834 --> 00:27:43,125 It's like CHRIS VALASEK: RPC. 579 00:27:43,125 --> 00:27:45,792 CHARLIE MILLER: Yeah on Windows or something. 580 00:27:45,999 --> 00:27:49,375 Then there's other ones like, I'll talk about that later, 581 00:27:49,375 --> 00:27:51,959 to update the firmware. 582 00:27:51,999 --> 00:27:56,459 Like Chris said there are ones that are, like, read memory by address. 583 00:27:56,459 --> 00:27:57,459 Like sweet. 584 00:27:57,459 --> 00:27:58,709 Just dump the firmware. 585 00:27:58,709 --> 00:27:59,834 But that never works. 586 00:27:59,999 --> 00:28:03,999 CHRIS VALASEK: Yeah, it does on some. 587 00:28:03,999 --> 00:28:05,167 But certainly not ours. 588 00:28:05,334 --> 00:28:07,709 CHARLIE MILLER: You would Google, like, read memory by address 589 00:28:07,709 --> 00:28:11,999 and there would be all these guys like tuners trying to rev up their car. 590 00:28:11,999 --> 00:28:13,709 They're like that totally works. 591 00:28:13,709 --> 00:28:16,375 CHRIS VALASEK: Everyone is like oh dude the tuner. 592 00:28:16,375 --> 00:28:18,542 I was like guess what we're not trying to do that we're trying to get 593 00:28:18,542 --> 00:28:20,209 the firmware off. 594 00:28:20,876 --> 00:28:23,626 No one is tuning a Toyota Prius. 595 00:28:23,626 --> 00:28:27,083 (Laughter) It's not like I had an option. 596 00:28:27,083 --> 00:28:29,959 I don't think anyone is in the Ford Escape on track day. 597 00:28:29,959 --> 00:28:32,918 CHARLIE MILLER: No one cares to tune their Ford Escape. 598 00:28:32,918 --> 00:28:35,250 CHRIS VALASEK: We had hardware tools as well. 599 00:28:35,250 --> 00:28:37,999 Our main thing we used was an ECOM cable. 600 00:28:37,999 --> 00:28:39,999 You can buy these things for 200 bucks. 
601 00:28:39,999 --> 00:28:43,918 Unfortunately, they don't have direct OBD-II access so 602 00:28:43,918 --> 00:28:49,083 we had to find the wiring schematic on the website, cut some wires 603 00:28:49,083 --> 00:28:52,667 and put it into an OBD-II shell. 604 00:28:52,667 --> 00:28:56,209 So, basically, we turned this thing into our own personal OBD-II reader 605 00:28:56,209 --> 00:28:58,999 and writer which was great. 606 00:28:58,999 --> 00:29:01,083 Because ECOM provided an API and we augmented it 607 00:29:01,083 --> 00:29:04,626 and wrote all of our stuff that we're going to release 608 00:29:04,626 --> 00:29:09,667 where it makes it very, very easy to read, filter, write, store externally, 609 00:29:09,667 --> 00:29:14,626 bring it in from external files and all that kind of stuff. 610 00:29:14,626 --> 00:29:18,125 CHARLIE MILLER: And we were very proud that we could cut those wires. 611 00:29:18,125 --> 00:29:18,125 CHRIS VALASEK: When I cut those wires and it worked I was 612 00:29:18,125 --> 00:29:19,417 like, hardware hacker. 613 00:29:19,626 --> 00:29:22,834 CHARLIE MILLER: Absolutely. 614 00:29:24,083 --> 00:29:27,584 (Laughter) I had him mail me one once. 615 00:29:27,584 --> 00:29:27,999 CHRIS VALASEK: We met in South Bend for a football game 616 00:29:27,999 --> 00:29:29,959 and I brought him one in a box. 617 00:29:29,959 --> 00:29:31,209 He was happy about it. 618 00:29:31,918 --> 00:29:35,209 I used a CarDAQ-Plus as well. 619 00:29:35,459 --> 00:29:38,999 It's a J2534 pass through device. 620 00:29:39,667 --> 00:29:43,834 It's kind of a medium between the manufacturer software 621 00:29:43,834 --> 00:29:45,999 and the OBD-II port. 622 00:29:45,999 --> 00:29:47,375 This is really cool. 623 00:29:47,375 --> 00:29:49,999 Because when some bad things happened in my car I could clear 624 00:29:49,999 --> 00:29:51,918 the DTC codes. 625 00:29:51,918 --> 00:29:55,999 I could perform some level of maintenance, things like that. 
626 00:29:55,999 --> 00:30:01,042 It was really good because I had the Toyota tool, had it hooked up. 627 00:30:01,042 --> 00:30:02,999 You can buy a Y splitter. 628 00:30:02,999 --> 00:30:08,667 I had our ecomcat software that we wrote sniffing. 629 00:30:08,667 --> 00:30:10,876 I'd let the tool do stuff then sniff it and analyze 630 00:30:10,876 --> 00:30:14,959 the packet and say this does this and this does this. 631 00:30:16,417 --> 00:30:20,334 Those are just the OBD-II shells with a bunch of pins. 632 00:30:21,999 --> 00:30:24,042 If you are going to do this buy 20. 633 00:30:24,167 --> 00:30:26,375 They end up breaking from time to time. 634 00:30:26,375 --> 00:30:28,999 So get a bunch of them. 635 00:30:29,167 --> 00:30:31,667 This brings us to the software that we had. 636 00:30:31,667 --> 00:30:35,751 The first cool thing that we wrote is a thing called ecomcat. 637 00:30:35,999 --> 00:30:38,083 You can probably guess why we named it that. 638 00:30:38,083 --> 00:30:40,209 CHARLIE MILLER: Because we like cats. 639 00:30:40,209 --> 00:30:42,792 CHRIS VALASEK: Because I'm allergic to cats. 640 00:30:43,209 --> 00:30:45,334 It was our Swiss Army knife. 641 00:30:45,334 --> 00:30:47,999 This is a thing that we kind of started writing, I was writing some 642 00:30:47,999 --> 00:30:49,584 on a plane. 643 00:30:49,584 --> 00:30:51,999 So when you read the code, our string parser for this 644 00:30:51,999 --> 00:30:54,876 is actually a state machine. 645 00:30:55,042 --> 00:30:56,918 Because I was, like, I didn't have internet 646 00:30:56,918 --> 00:30:59,334 and couldn't look up any of the documents. 647 00:30:59,334 --> 00:31:02,959 It was like, I know how to write a state machine, I'll just do it that way. 648 00:31:02,959 --> 00:31:06,834 But this can read and write to the CAN bus. 649 00:31:06,834 --> 00:31:11,250 It can store, you know, output from the CAN bus into a file. 
650 00:31:11,250 --> 00:31:13,999 It can read from that file and write out to the CAN bus. 651 00:31:13,999 --> 00:31:16,709 It can do levels of filtering for ID. 652 00:31:16,709 --> 00:31:18,751 Say you figure out an ID for steering and want 653 00:31:18,751 --> 00:31:22,125 to only see messages from it on your screen because you want 654 00:31:22,125 --> 00:31:25,834 to see what happens when you turn the wheel. 655 00:31:25,834 --> 00:31:27,501 Which is a lot of what we did right. 656 00:31:27,501 --> 00:31:28,542 You are looking for reactions in the data bytes 657 00:31:28,542 --> 00:31:31,626 for things you are physically doing to the car. 658 00:31:31,999 --> 00:31:33,167 This does it all. 659 00:31:33,167 --> 00:31:35,459 And it's probably a bit of a mess. 660 00:31:35,459 --> 00:31:39,751 But you should be able to kind of look through it and figure it out. 661 00:31:39,751 --> 00:31:43,083 CHARLIE MILLER: We're going to release this weekend or something. 662 00:31:43,083 --> 00:31:45,751 CHRIS VALASEK: Then we have our ecomcat API. 663 00:31:45,999 --> 00:31:47,584 It's written in C. 664 00:31:47,584 --> 00:31:50,999 The ecomcat API is also written in C. 665 00:31:50,999 --> 00:31:55,999 API functions for abstracting a lot of ecomcat. 666 00:31:55,999 --> 00:31:59,834 So instead of having to, I don't know, like, change, we have like defines 667 00:31:59,834 --> 00:32:03,792 at the top for the ID that you want to look for. 668 00:32:03,792 --> 00:32:05,999 CHARLIE MILLER: It's actually in Python. 669 00:32:07,083 --> 00:32:10,626 Obviously he really worked hard on that aspect of the project. 670 00:32:10,626 --> 00:32:13,709 CHRIS VALASEK: I've been asleep at the wheel far too long. 671 00:32:13,918 --> 00:32:19,083 But the ecomcat API is the Python portion of what we did 672 00:32:19,083 --> 00:32:21,375 for ecomcat. 
673 00:32:21,375 --> 00:32:24,417 And there's another thing called car lib that is the thing written in C that 674 00:32:24,417 --> 00:32:26,626 the ecomcat API uses. 675 00:32:26,626 --> 00:32:28,918 There we go. 676 00:32:28,918 --> 00:32:30,999 It's just an easy way to do car stuff without having 677 00:32:30,999 --> 00:32:34,626 to write C and then it makes it really easy. 678 00:32:34,626 --> 00:32:39,876 We also did PYECOM which is just more Python stuff. 679 00:32:39,876 --> 00:32:42,999 The neat stuff is you don't have to worry about ISO-TP. 680 00:32:43,334 --> 00:32:45,751 You can just say send data bytes. 681 00:32:45,751 --> 00:32:48,959 If it's going to send you 2,000 bytes back it takes care 682 00:32:48,959 --> 00:32:54,876 of you and you get it back and can do whatever you want with it. 683 00:32:54,876 --> 00:32:56,083 Here's some example code. 684 00:32:56,083 --> 00:32:58,167 Open a device and then you can say, hey, here's one 685 00:32:58,167 --> 00:33:00,918 of those debug lines we know. 686 00:33:00,918 --> 00:33:01,918 Send it. 687 00:33:01,918 --> 00:33:02,918 Done. 688 00:33:02,918 --> 00:33:05,167 So instead of having to do all this in C and do eight months 689 00:33:05,167 --> 00:33:07,751 of research you can buy an ECOM cable, 690 00:33:07,751 --> 00:33:11,125 copy and paste this and your car is happy. 691 00:33:11,125 --> 00:33:13,125 CHARLIE MILLER: The idea is you can read and write CAN traffic 692 00:33:13,125 --> 00:33:15,501 with two lines of Python now. 693 00:33:15,959 --> 00:33:20,459 CHRIS VALASEK: So, you know, not all the functions 694 00:33:20,459 --> 00:33:25,250 in the automobiles are performed by CAN. 695 00:33:25,250 --> 00:33:27,959 For example in Charlie's car the acceleration pedal was directly 696 00:33:27,959 --> 00:33:30,250 wired into the engine ECU. 697 00:33:30,709 --> 00:33:32,375 Not everything is going to happen. 
698 00:33:32,375 --> 00:33:35,083 CHARLIE MILLER: There's no way it's ever going to listen to anything 699 00:33:35,083 --> 00:33:39,334 on the CAN bus that tells it to do anything related to the throttle. 700 00:33:39,542 --> 00:33:41,667 It just knows that doesn't happen on CAN. 701 00:33:41,667 --> 00:33:43,999 CHRIS VALASEK: Also you have to realize there's contention 702 00:33:43,999 --> 00:33:48,167 between what the ECU is sending and what you are trying to forge. 703 00:33:48,167 --> 00:33:50,626 So you are not going to have completely proper reactions all the time 704 00:33:50,626 --> 00:33:52,417 for certain things. 705 00:33:53,083 --> 00:33:56,709 Then there's going to be actually safety features involved. 706 00:33:56,709 --> 00:33:58,999 We'll talk more about steering with park assist, right, we couldn't go 707 00:33:58,999 --> 00:34:00,999 over a certain speed. 708 00:34:00,999 --> 00:34:05,792 CHARLIE MILLER: So let's get to some of the things that we can inject. 709 00:34:07,459 --> 00:34:09,292 There's one packet. 710 00:34:09,792 --> 00:34:14,626 You can set the speedometer and the tachometer on the Ford. 711 00:34:14,626 --> 00:34:17,417 This is the code, the Python code that would do that. 712 00:34:17,417 --> 00:34:18,209 CHRIS VALASEK: If you had a Ford Escape you could literally copy 713 00:34:18,209 --> 00:34:19,709 and paste that. 714 00:34:19,709 --> 00:34:20,999 CHARLIE MILLER: Right. 715 00:34:20,999 --> 00:34:22,250 Oops I did the wrong thing. 716 00:34:22,542 --> 00:34:24,209 Here is a video. 717 00:34:24,626 --> 00:34:29,209 This is like I'm on a closed test track that I rented out. 718 00:34:29,209 --> 00:34:30,209 (Laughter). 719 00:34:30,209 --> 00:34:32,999 CHRIS VALASEK: You can tell we were really careful. 720 00:34:32,999 --> 00:34:35,667 CHARLIE MILLER: I'm not really driving 60 miles an hour 721 00:34:35,667 --> 00:34:38,083 but it sure looks like it. 722 00:34:38,083 --> 00:34:40,125 Then you can do the same thing for Toyota. 
723 00:34:40,584 --> 00:34:42,459 Let's see. 724 00:34:46,542 --> 00:34:49,083 CHRIS VALASEK: I want to show people CHARLIE MILLER: 725 00:34:49,083 --> 00:34:51,209 It's like a magic trick. 726 00:34:52,999 --> 00:34:57,083 Really the garage is moving on a flatbed truck and it's all a trick. 727 00:34:57,167 --> 00:34:59,667 We don't really know what the hell we're doing. 728 00:34:59,667 --> 00:35:02,626 CHRIS VALASEK: We hired Michael Bay to figure this out. 729 00:35:02,626 --> 00:35:05,292 CHARLIE MILLER: So you can change the speedometer. 730 00:35:05,292 --> 00:35:07,999 CHRIS VALASEK: In the Toyota you can do braking. 731 00:35:07,999 --> 00:35:07,999 Before I talked about how the pre collision system can brake 732 00:35:07,999 --> 00:35:08,999 for you. 733 00:35:09,083 --> 00:35:11,125 We isolated the messages sent. 734 00:35:11,125 --> 00:35:14,999 Usually they would come across saying hey don't brake. 735 00:35:14,999 --> 00:35:17,542 Finally I took some garbage cans out and backed the car 736 00:35:17,542 --> 00:35:21,584 up about 200 meters and floored it then went right for the garbage cans 737 00:35:21,584 --> 00:35:26,584 and hit them and it would beep and the brakes pumped when it happened. 738 00:35:27,999 --> 00:35:30,417 Not enough to stop from destroying the garbage cans 739 00:35:30,417 --> 00:35:33,999 but enough that we found out what the messages were. 740 00:35:35,083 --> 00:35:36,959 Here's the code for that. 741 00:35:36,959 --> 00:35:38,167 You can copy and paste that. 742 00:35:38,167 --> 00:35:40,876 We just decided we want the brakes at full force. 743 00:35:40,876 --> 00:35:42,792 So here is a video of us CHARLIE MILLER: Again we're 744 00:35:42,792 --> 00:35:44,918 on a closed test track. 745 00:35:44,918 --> 00:35:46,999 CHRIS VALASEK: Right now you will see when 746 00:35:46,999 --> 00:35:51,375 the car stops CHARLIE MILLER: We're driving about 50. 747 00:35:51,792 --> 00:35:53,792 Right now we do it. 
748 00:35:54,999 --> 00:35:56,999 Then we're like errr. 749 00:35:56,999 --> 00:35:58,959 CHRIS VALASEK: You can even press on the acceleration pedal 750 00:35:58,959 --> 00:36:00,667 and you can't move. 751 00:36:00,667 --> 00:36:02,542 This completely immobilizes the car. 752 00:36:03,125 --> 00:36:07,125 Steering in the Toyota was a bit tricky. 753 00:36:07,125 --> 00:36:08,459 But eventually like Charlie said we were 754 00:36:08,459 --> 00:36:12,626 the people outside parallel parking our cars for two months straight looking 755 00:36:12,626 --> 00:36:16,375 like crazy people and trying to get these messages. 756 00:36:16,542 --> 00:36:17,834 We figured these out. 757 00:36:17,999 --> 00:36:19,709 The only thing with the Toyota, it refused 758 00:36:19,709 --> 00:36:22,667 to do it unless you were in reverse. 759 00:36:22,667 --> 00:36:23,626 Then we had to figure out how do we trick the car 760 00:36:23,626 --> 00:36:25,459 to think it's in reverse? 761 00:36:25,542 --> 00:36:27,083 So we did that. 762 00:36:27,083 --> 00:36:30,083 CHARLIE MILLER: It would only work if you were going slow. 763 00:36:30,083 --> 00:36:32,083 CHRIS VALASEK: So if you saw the Nintendo controller demo we did 764 00:36:32,083 --> 00:36:34,999 that before we figured out how to trick it. 765 00:36:35,125 --> 00:36:36,584 We're like now we need to make it figure 766 00:36:36,584 --> 00:36:38,876 out how it thinks it's going slow. 767 00:36:38,876 --> 00:36:43,083 So we have code and files we're going to put up. 768 00:36:43,083 --> 00:36:45,459 And it's like we're going slow. 769 00:36:45,459 --> 00:36:46,459 We're in reverse. 770 00:36:46,459 --> 00:36:47,999 Hey jerk that wheel man. 771 00:36:48,751 --> 00:36:51,417 This is a really good video of Charlie and I almost dying 772 00:36:51,417 --> 00:36:53,626 on our closed test track. 773 00:36:53,626 --> 00:36:54,876 CHARLIE MILLER: Yes. 774 00:36:54,876 --> 00:36:56,999 I'm driving along minding my own business. 
775 00:36:56,999 --> 00:36:59,125 CHRIS VALASEK: And I'm next to Charlie. 776 00:36:59,375 --> 00:37:00,375 (Laughter). 777 00:37:01,959 --> 00:37:04,083 I could even hold the GoPro. 778 00:37:04,417 --> 00:37:06,876 I think here is where we almost died. 779 00:37:06,876 --> 00:37:08,999 CHARLIE MILLER: I make the mistake of trying 780 00:37:08,999 --> 00:37:13,959 to adjust my seatbelt right when it was going to happen. 781 00:37:14,292 --> 00:37:15,459 Almost killed me. 782 00:37:15,459 --> 00:37:20,417 So here's, if you are driving, what it looks like. 783 00:37:20,417 --> 00:37:23,083 CHRIS VALASEK: That's not good times in traffic. 784 00:37:23,083 --> 00:37:35,334 (Applause) CHRIS VALASEK: So we have acceleration. 785 00:37:35,334 --> 00:37:36,959 Acceleration was a bit weird. 786 00:37:36,999 --> 00:37:40,501 Charlie mentioned before there were two CAN buses. 787 00:37:40,501 --> 00:37:42,999 They both ran at the same rate. 788 00:37:42,999 --> 00:37:44,959 This one was kind of segregated. 789 00:37:44,959 --> 00:37:47,792 So although we had to just clip into this individual CAN bus 790 00:37:47,792 --> 00:37:51,792 and couldn't do it over OBD-II, if you are going to compromise 791 00:37:51,792 --> 00:37:56,999 the ECU, this ECU is on this bus and this is the one you want to pump. 792 00:37:57,292 --> 00:38:01,792 Basically I found out here is what happens when you send 793 00:38:01,792 --> 00:38:03,999 these messages. 794 00:38:03,999 --> 00:38:05,999 And it kind of, you know, simulates pressing 795 00:38:05,999 --> 00:38:08,626 the acceleration pedal. 796 00:38:08,626 --> 00:38:11,626 Unfortunately, for the Toyota it's hybrid synergy drive. 797 00:38:11,626 --> 00:38:14,167 CHARLIE MILLER: So we're going to tell it that the accelerator's 798 00:38:14,167 --> 00:38:16,501 all the way floored. 799 00:38:16,501 --> 00:38:19,667 What you will see in the video is Chris will be driving and he'll pick his 800 00:38:19,667 --> 00:38:20,999 legs up. 
801 00:38:20,999 --> 00:38:24,292 If you look super close you can see the speedometer start to go up. 802 00:38:24,292 --> 00:38:26,667 Listen to the engine too if the sound is good. 803 00:38:26,667 --> 00:38:29,501 CHRIS VALASEK: Trying to listen to the engine I guess. 804 00:38:29,501 --> 00:38:32,876 CHARLIE MILLER: His legs are not on the accelerator right now. 805 00:38:32,876 --> 00:38:37,292 CHRIS VALASEK: You can see I am a bit scared. 806 00:38:37,459 --> 00:38:43,876 CHARLIE MILLER: Then notice we stop but you can hear the engine 807 00:38:43,876 --> 00:38:46,999 is still at full rev. 808 00:38:46,999 --> 00:38:49,918 CHRIS VALASEK: You can hear the RPMs are way up, right? 809 00:38:49,918 --> 00:38:54,667 CHARLIE MILLER: Then he can't turn off the car. 810 00:38:54,959 --> 00:38:57,459 And this is the last time that car's ever started. 811 00:38:57,792 --> 00:39:00,083 CHRIS VALASEK: Seriously if we would have filmed this two 812 00:39:00,083 --> 00:39:02,751 seconds longer you would have heard a pop. 813 00:39:02,751 --> 00:39:04,626 I was like that never happened before. 814 00:39:05,417 --> 00:39:07,083 And it just died. 815 00:39:07,083 --> 00:39:08,876 We actually blew up the inverter. 816 00:39:08,876 --> 00:39:11,709 It's going to cost us $5,000 to get it out of the shop. 817 00:39:11,709 --> 00:39:13,999 They're like we've never seen this happen. 818 00:39:13,999 --> 00:39:14,999 I was like well. 819 00:39:14,999 --> 00:39:21,999 (Laughter) (Applause) CHARLIE MILLER: Luckily Stark Enterprises is 820 00:39:21,999 --> 00:39:25,501 going to foot the bill. 821 00:39:25,999 --> 00:39:27,792 CHRIS VALASEK: So we're all good. 822 00:39:27,792 --> 00:39:28,999 CHARLIE MILLER: That was all the stuff we did 823 00:39:28,999 --> 00:39:31,417 by injecting normal CAN traffic. 824 00:39:31,626 --> 00:39:33,375 The traffic you would normally see. 825 00:39:33,375 --> 00:39:36,375 Now we're going to look at if we start to do diagnostic things. 
826 00:39:36,709 --> 00:39:41,083 So we had to first figure out how to get around the security access. 827 00:39:41,334 --> 00:39:46,125 The way we did that was, well, for the one, this is, like, really funny. 828 00:39:46,125 --> 00:39:49,083 One of the module ECUs didn't send a random thing, it just sent 829 00:39:49,083 --> 00:39:51,918 the same thing every time. 830 00:39:51,918 --> 00:39:53,792 So you could watch it once and replay it. 831 00:39:53,999 --> 00:39:57,125 In the paper you can see the explanation of why that happens. 832 00:39:57,542 --> 00:39:59,667 But the other ECUs do send random things. 833 00:39:59,834 --> 00:40:02,375 So you can't force it, replay things. 834 00:40:02,375 --> 00:40:03,584 So what we did was we bought all the tools 835 00:40:03,584 --> 00:40:06,626 the mechanics are using then reversed them. 836 00:40:06,626 --> 00:40:08,751 CHRIS VALASEK: Along with the shirts. 837 00:40:09,584 --> 00:40:11,167 CHARLIE MILLER: Yes. 838 00:40:11,167 --> 00:40:14,626 So this is the IDS tool you can get from Ford. 839 00:40:14,999 --> 00:40:18,459 You know, only qualified mechanics can get it. 840 00:40:18,459 --> 00:40:19,459 Like us. 841 00:40:19,459 --> 00:40:21,125 So then you can start to reverse it. 842 00:40:21,125 --> 00:40:22,375 We're good at software. 843 00:40:22,375 --> 00:40:23,834 So this was the easy part. 844 00:40:23,834 --> 00:40:26,167 CHRIS VALASEK: This was the easiest part. 845 00:40:26,167 --> 00:40:27,417 CHARLIE MILLER: This is the algorithm it uses 846 00:40:27,417 --> 00:40:29,292 to compute the response. 847 00:40:30,792 --> 00:40:34,999 Then you can find where they store all the keys for all the cars. 848 00:40:35,083 --> 00:40:36,125 (Laughter). 849 00:40:36,125 --> 00:40:40,542 CHRIS VALASEK: For 200 easy dollars you too can have all the keys. 850 00:40:40,542 --> 00:40:43,083 CHARLIE MILLER: That's all in our Python script. 
851 00:40:43,999 --> 00:40:46,375 The keys it turns out are five byte values 852 00:40:46,375 --> 00:40:49,876 but sometimes would make them ASCII bytes. 853 00:40:50,334 --> 00:40:55,501 CHRIS VALASEK: Those are all Ford keys by the way. 854 00:40:55,999 --> 00:40:58,999 CHARLIE MILLER: Hackers the movie they said God 855 00:40:58,999 --> 00:41:01,375 is the most used password. 856 00:41:01,375 --> 00:41:03,792 And they didn't use God but they did use Jesus. 857 00:41:03,792 --> 00:41:05,083 CHRIS VALASEK: God bless. 858 00:41:05,083 --> 00:41:08,999 CHARLIE MILLER: Here's the keys for the 2010 Ford Escape. 859 00:41:09,083 --> 00:41:11,292 CHRIS VALASEK: All on API. 860 00:41:13,999 --> 00:41:15,999 Toyota is much the same. 861 00:41:15,999 --> 00:41:17,417 They actually just used two bytes and (inaudible) them 862 00:41:17,417 --> 00:41:19,501 with two static values. 863 00:41:22,999 --> 00:41:24,876 I think we can all do that. 864 00:41:24,876 --> 00:41:27,375 CHARLIE MILLER: But we do it for you in Python. 865 00:41:28,292 --> 00:41:31,626 Then you can send these diagnostic ones. 866 00:41:31,626 --> 00:41:32,999 Here is killing the engine. 867 00:41:32,999 --> 00:41:36,959 I'm driving up a hill and then I kill the engine here. 868 00:41:36,959 --> 00:41:38,792 Then you can see like we stop then trying to start the car 869 00:41:38,792 --> 00:41:40,751 but it won't start. 870 00:41:40,751 --> 00:41:42,083 So I'm rolling downhill. 871 00:41:43,792 --> 00:41:44,876 (Laughter). 872 00:41:45,167 --> 00:41:47,375 My son is actually filming it. 873 00:41:47,375 --> 00:41:49,209 And he's talking to me. 874 00:41:49,209 --> 00:41:52,999 You can kill the engine at any time and it won't start until you turn that off. 875 00:41:52,999 --> 00:41:54,334 CHRIS VALASEK: You can turn the lights on and off in the Toyota 876 00:41:54,334 --> 00:41:56,292 if they're in auto state. 877 00:41:56,292 --> 00:41:57,959 Turn them on, turn them off.
878 00:41:58,584 --> 00:42:01,209 Car blew up, we didn't get a chance to film it. 879 00:42:01,209 --> 00:42:03,459 Check the paper, we'll have a Python script. 880 00:42:03,709 --> 00:42:05,209 CHARLIE MILLER: We were going to film this right 881 00:42:05,209 --> 00:42:07,459 after the acceleration video. 882 00:42:08,834 --> 00:42:10,999 But we don't have a video for that. 883 00:42:11,083 --> 00:42:15,876 And the Ford you can take out the ECU that is in control 884 00:42:15,876 --> 00:42:19,083 of all the lights in the car. 885 00:42:19,209 --> 00:42:23,125 And so here is an example of that. 886 00:42:23,125 --> 00:42:24,375 You can hear me talking. 887 00:42:24,999 --> 00:42:26,667 I'll turn that down. 888 00:42:26,959 --> 00:42:30,751 So the lights go out and, like, it's like the air conditioning goes out, 889 00:42:30,751 --> 00:42:33,292 the radio goes out, the brake lights go out, 890 00:42:33,292 --> 00:42:35,709 the headlights go out. 891 00:42:35,709 --> 00:42:38,999 If you can imagine driving down a dark street you would be 892 00:42:38,999 --> 00:42:41,999 in super stealth mode engaged. 893 00:42:41,999 --> 00:42:45,999 You can see me, like, I can't get out of park either. 894 00:42:45,999 --> 00:42:47,999 Because the electronics to control the thing that stops you 895 00:42:47,999 --> 00:42:51,999 from jamming it into gear wouldn't let me out of park. 896 00:42:51,999 --> 00:42:54,876 CHRIS VALASEK: We can do the horn in Toyota. 897 00:42:54,876 --> 00:42:56,584 You can blast the horn forever. 898 00:42:56,999 --> 00:42:58,375 Or until it malfunctions. 899 00:42:58,375 --> 00:43:00,417 Here is us messing with Andy Greenberg. 900 00:43:05,918 --> 00:43:07,667 Could not do anything. 901 00:43:07,876 --> 00:43:10,083 CHARLIE MILLER: Even if you turn off the car the horn 902 00:43:10,083 --> 00:43:11,751 is still going. 903 00:43:11,751 --> 00:43:14,999 CHRIS VALASEK: We talked about the pre-collision system.
904 00:43:14,999 --> 00:43:17,584 Toyota we can yank the seatbelts. 905 00:43:17,667 --> 00:43:20,667 So if the driver is driving you see here it's me versus 906 00:43:20,667 --> 00:43:22,999 Charlie via seatbelt. 907 00:43:24,083 --> 00:43:25,999 CHARLIE MILLER: I'm going to fight it. 908 00:43:25,999 --> 00:43:27,918 CHRIS VALASEK: Fight it Charlie. 909 00:43:29,459 --> 00:43:32,125 CHARLIE MILLER: I'm like stop it. 910 00:43:32,125 --> 00:43:34,083 CHRIS VALASEK: It's not that great. 911 00:43:34,083 --> 00:43:35,209 It is really annoying. 912 00:43:37,584 --> 00:43:38,876 (Laughter). 913 00:43:38,876 --> 00:43:40,751 I kept telling him that's the last one. 914 00:43:40,751 --> 00:43:41,751 I'm done I swear. 915 00:43:41,918 --> 00:43:43,999 You can unlock and lock all the doors in the Prius via 916 00:43:43,999 --> 00:43:45,709 the CAN bus. 917 00:43:46,083 --> 00:43:47,501 We meant to do that video. 918 00:43:47,667 --> 00:43:48,792 Car blew up. 919 00:43:48,792 --> 00:43:49,792 We don't have it. 920 00:43:49,792 --> 00:43:54,542 Check the paper, we have a Python script to unlock and lock all doors. 921 00:43:54,709 --> 00:43:56,167 And that could be great if you had 922 00:43:56,167 --> 00:43:58,999 a remote and wanted interior access. 923 00:43:58,999 --> 00:44:01,250 Fuel gauge. 924 00:44:01,292 --> 00:44:04,751 We can tell the Toyota it has as much or little gas as we please. 925 00:44:04,751 --> 00:44:08,334 You see we have a quarter tank of petrol and now we have a full tank. 926 00:44:08,584 --> 00:44:11,626 This would be a good joke on friends. 927 00:44:11,918 --> 00:44:13,999 Tell him he always has a full tank of gas. 928 00:44:14,083 --> 00:44:18,125 CHARLIE MILLER: Here's one for the Ford that I made Chris wet 929 00:44:18,125 --> 00:44:19,999 himself on.
930 00:44:19,999 --> 00:44:22,751 He knew that I was going to make the brakes not work 931 00:44:22,751 --> 00:44:25,999 but he didn't know that it comes with this super loud scary sound 932 00:44:25,999 --> 00:44:27,999 at the same time. 933 00:44:27,999 --> 00:44:29,999 CHRIS VALASEK: I have a lot of cackles. 934 00:44:29,999 --> 00:44:33,292 But you will see in this video this is my I'm deathly afraid cackle. 935 00:44:33,292 --> 00:44:34,334 We're not stopping. 936 00:44:34,334 --> 00:44:34,751 CHARLIE MILLER: This only happens if you are going, like, five 937 00:44:34,751 --> 00:44:35,751 or ten miles an hour. 938 00:44:35,751 --> 00:44:39,709 CHRIS VALASEK: But imagine the orphanage let out that day. 939 00:44:39,709 --> 00:44:42,334 CHARLIE MILLER: He is going to come park over here. 940 00:44:44,709 --> 00:44:46,083 That's the noise. 941 00:44:46,250 --> 00:44:47,667 Now we're over the curb. 942 00:44:47,667 --> 00:44:49,292 Now we're driving into the weeds. 943 00:44:49,292 --> 00:44:50,083 Now he CHRIS VALASEK: I even tried 944 00:44:50,083 --> 00:44:51,918 to use my left foot. 945 00:44:51,918 --> 00:44:52,999 I didn't know what to do. 946 00:44:53,584 --> 00:44:56,083 CHARLIE MILLER: Turns out the brakes are disabled 947 00:44:56,083 --> 00:44:57,999 for either foot. 948 00:44:59,626 --> 00:45:00,999 (Laughter). 949 00:45:02,667 --> 00:45:06,626 So we're pretty much out of time but you can actually dump 950 00:45:06,626 --> 00:45:08,542 the firmware. 951 00:45:08,667 --> 00:45:11,999 Check out the paper for details and you can reverse the whole thing, 952 00:45:11,999 --> 00:45:13,999 disassemble it. 953 00:45:14,709 --> 00:45:18,667 So here's just a video that shows I will rewrite the firmware 954 00:45:18,667 --> 00:45:22,999 of an ECU so it continues to send out a packet even though I'm not 955 00:45:22,999 --> 00:45:25,083 connected anymore. 956 00:45:29,999 --> 00:45:33,501 Now I've overwritten the ECU firmware.
957 00:45:33,501 --> 00:45:36,918 So now I'm not connected anymore to the OBD II port. 958 00:45:36,918 --> 00:45:38,417 The reverse family is still on even though I'm going forward 959 00:45:38,417 --> 00:45:40,501 on the closed test track. 960 00:45:41,834 --> 00:45:44,999 Even though I'm driving, I'm not connected to the OBD II port. 961 00:45:47,918 --> 00:45:50,459 CHRIS VALASEK: In the malware game I believe this 962 00:45:50,459 --> 00:45:52,626 is called persistence. 963 00:45:55,209 --> 00:45:57,999 So that's a big deal because that's the difference 964 00:45:57,999 --> 00:46:01,834 between just spoofing CAN messages then completely taking control 965 00:46:01,834 --> 00:46:06,083 of a computer that exists in that car and making it do stuff. 966 00:46:06,083 --> 00:46:09,209 So those are the things that are, like, the scary stuff. 967 00:46:09,209 --> 00:46:12,999 Toyota reflashing is astronomically weird. 968 00:46:12,999 --> 00:46:13,999 Check out the paper. 969 00:46:13,999 --> 00:46:17,626 I think I wrote 14 pages on how to reverse their file format. 970 00:46:19,999 --> 00:46:21,501 CHARLIE MILLER: So the good thing 971 00:46:21,501 --> 00:46:23,417 is now that we released the data you can think 972 00:46:23,417 --> 00:46:26,083 about how you could stop these attacks. 973 00:46:26,292 --> 00:46:28,626 Couple things really stick out. 974 00:46:28,999 --> 00:46:32,334 One is that you should never so the normal packets are very 975 00:46:32,334 --> 00:46:34,792 regularly scheduled. 976 00:46:34,792 --> 00:46:36,999 So you can always and we flood the network. 977 00:46:36,999 --> 00:46:39,709 So, if you see floods going on then something's going. 978 00:46:39,709 --> 00:46:42,083 This is like a histogram of what you would expect. 979 00:46:42,999 --> 00:46:46,083 When we would attack it would not look anything like this.
980 00:46:46,375 --> 00:46:48,834 Also you probably shouldn't see diagnostic packets while driving 981 00:46:48,834 --> 00:46:50,834 around on the highway. 982 00:46:50,834 --> 00:46:52,626 CHRIS VALASEK: Disabling the brakes via diagnostics probably 983 00:46:52,626 --> 00:46:54,999 shouldn't happen while driving. 984 00:46:55,375 --> 00:46:56,459 That's just us. 985 00:46:56,584 --> 00:46:59,250 CHARLIE MILLER: We're not car experts or anything. 986 00:46:59,250 --> 00:47:02,999 Then we gave our white paper to Ford and Toyota, you know, 987 00:47:02,999 --> 00:47:05,626 like a few weeks back. 988 00:47:05,959 --> 00:47:10,542 Toyota issued this statement that says that they don't consider this "hacking." 989 00:47:10,542 --> 00:47:11,459 CHRIS VALASEK: We're not hackers, and we didn't hack 990 00:47:11,459 --> 00:47:13,167 the car so no big deal. 991 00:47:13,584 --> 00:47:17,834 CHARLIE MILLER: And it says that we can do this and it says our focus 992 00:47:17,834 --> 00:47:23,250 is to stop the remote part and they don't care about the local stuff. 993 00:47:23,250 --> 00:47:24,751 And they have, like, super expensive R&D facilities just 994 00:47:24,751 --> 00:47:25,999 like that. 995 00:47:25,999 --> 00:47:28,375 CHRIS VALASEK: They have test tracks as well. 996 00:47:28,501 --> 00:47:30,876 CHARLIE MILLER: So sort of the takeaway is that 997 00:47:30,876 --> 00:47:33,417 they really focus on remote attacks. 998 00:47:33,417 --> 00:47:36,083 So, you know CHRIS VALASEK: That's the same thing. 999 00:47:36,083 --> 00:47:38,999 You have a firewall and you have AV, don't worry about it. 1000 00:47:38,999 --> 00:47:40,751 Nothing's going to get in. 1001 00:47:40,751 --> 00:47:44,125 CHARLIE MILLER: That's basically the way their cars are running. 1002 00:47:44,125 --> 00:47:45,125 Which is cool. 1003 00:47:45,125 --> 00:47:47,542 So anyway check out the paper. 1004 00:47:47,542 --> 00:47:49,999 It's got everything you want to know about ECUs.
1005 00:47:49,999 --> 00:47:53,375 CHRIS VALASEK: If you are really interested check out the paper. 1006 00:47:53,375 --> 00:47:54,375 It's 101 pages. 1007 00:47:54,375 --> 00:47:55,375 All the code. 1008 00:47:55,375 --> 00:47:56,375 All of our data. 1009 00:47:56,375 --> 00:47:57,375 Everything. 1010 00:47:57,375 --> 00:47:59,667 You are going to get everything we ever had. 1011 00:47:59,667 --> 00:48:01,542 Hope it helps everyone get in the game. 1012 00:48:01,542 --> 00:48:03,459 CHARLIE MILLER: Thanks a lot guys! 1013 00:48:03,459 --> 00:48:05,083 CHRIS VALASEK: Yeah, thanks!