>> This is going to be a lot of fun. I saw a preview of this this morning, and this might be a mistake: we are going to play around with some skateboards. And how many thought it would be a good idea to put a motor on there? Let's give these guys a big hand. (CLAPPING) Hello. How's it going? So yeah, I'm Richard. This is Mike. I'm Richard; I work for a company called Stripe. So I work for eBay and I like Bluetooth and wireless stuff, and I am the voice of reason sometimes. So, like, why do we do this to ourselves? The thing for us that made me think I'm going to buy an electric skateboard: so I live in San Fran, so this has now paid for itself, and it is impossible to get stolen, and the Kickstarter was huge, and we thought this should be good, maybe we should be the first ones to have a good poke at it. Like, hi -- it's there. You saw Chris and Charlie before this. But not all of us can afford to brick a car repeatedly, and we thought that maybe someone... hacking research. So first up is Boosted; this was the first one we got our hands on. This is my daily commute. I can go forward and backwards; that is 22 miles an hour in freedom units. This is an Australian company. This goes forward and has brakes; since it only has one motor, when you hit the brakes you pull into traffic. And the board called E-Go, this is a knockoff of Boosted. You -- it's literally as stiff as a plank. So maybe note the design trend: you back a blackboard with orange wheels, that is how it is done. So the first thing we want to talk about was Boosted. It can go forward and backward, and if you go down a big hill you can pick up some of the power that you lost, and it uses Bluetooth.
So I used to live (indiscernible) and I think this Boosted board is in more countries. So I was skating one day (audio drop) and it has this thing called square which is full of signals and train tracks, and I was skating along, going in traffic, and the board just loses power under me, and so I wondered if we can do this reliably, and this is only (indiscernible) that has been allocated to a skateboard. So it turns out that was kind of tricky. So, like, I had this skateboard and felt like there was something dodgy about it, and I knew it had Bluetooth and I knew that Mike knew a lot of things about Bluetooth. So I bought a bunch of Ubertooths and -- I bought a bunch of them and tried to sniff some packets and it didn't go well, and I called Mike and said how does this work. And before this research I knew nothing about Bluetooth and was not always in the right places, but making some progress, so he purchased some Ubertooths and had no idea what he was doing. So the way an Ubertooth works: it's got a controller and a small radio on it that can be reconfigured to talk like Bluetooth, so we have some code for following connections and putting the data on the PC. So we fired these guys up and got some packets out of it. So the interesting thing about modern Bluetooth -- pretty good. The thing about this electric skateboard: they decided not to use it. If they had, everything we are about to show you would have been a lot harder, so yeah, it was a poor choice because of this lack of crypto. You can think of it as a key-value store; normally it is like you make a request and get some data back, and that is not actually how they used it, if you take a look at the next slide. So this is what we first got when we dumped some traffic straight off the board.
So the part that I have highlighted is the value. So inside of the frame there is a bunch of data; the value is basically like the payload that gets seen at the application, and this says 02,102. That is ASCII; everything is ASCII, and their entire protocol talks ASCII on the wire, which is sort of bizarre for talking to an embedded device. So we missed a lot of them because of the amount of noise. If you just, like -- it's hard to find anything else. So we drank a bunch of beers and -- and we discovered that it talks a duplex protocol where controller messages are on the handle and -- having pulled the board apart and looked at it, we know there is a blue radio part that exposes the serial port. So this is like the first batch of messages that we got. We took like a five-minute capture of fiddling with the throttle, and the thing we did this research on is in expert mode; beginner mode is not much fun. It lets you control the speed, and fuel lets you ask it how much fuel it has, and we looked at it one through five and we put it at gauge nine hoping it would crash, but it didn't do that. So this got us as far as the language that the board talks but didn't get us as close as we thought we would, so Bluetooth is more complicated if you're trying to do basic stuff, so we got some old-school tools for trying to speak Bluetooth. Rich described it as minimal. I would describe it as nonexistent. BlueZ -- pretty good but complicated to do the right thing and challenging to do the wrong thing. It has this, like, bizarre fascination -- and kind of like doing other things with what the spec mandates, which is not very fun. So we were trying to do some work in this old system and we realized it wasn't going to work out, so I dusted off some code and I thought I'm going to send some data to this Bluetooth and buzz like mad. That is how it works.
Actually, in the process I accidentally a Bluetooth stack, and so we implemented a bunch of stuff on top of this, and so, I mean, for me coming in as an outsider and not knowing a lot about Bluetooth -- what happens to send a message on the wire. Whether or not it was running make (indiscernible) welcome change. So we sat down and we coded up some BT code that could talk to the board in the language that it wanted, and we spun the wheels. So anyway, we patted ourselves on the back, like great, we can talk to the board, but the trick is, Bluetooth will only allow one device to be connected at a time, and this is a problem. So the point of the thing, so that meant that it was not immediately obvious how I get control of this board and mess with it. So I was thinking, getting back to that intersection: if you make it noisy everything stops working, and I went to Mike and said why don't we just jam Bluetooth -- so it turns out jamming Bluetooth -- is challenging and does a bunch of things. We did not consider that outcome. That is the right response. So we would make so much noise that nothing can talk, and then we can sneak in a thing to the board. So jamming Bluetooth -- is not that easy. So Mike is like, it is not that easy, but he said to me, quote, literally never going to work. So we kind of did some science that looked like this. It also looked like this. So this is an analyzer showing 2.4 GHz ISM. So using HackRF we configured it to shout a bunch of noise in the max bandwidth that it can; that is a fourth of the spectrum. So that didn't work, so we -- excuse me. >> How are these guys doing? (CLAPPING) So I figured it was appropriate because these things have wheels and we have one of the Tesla crew; this is Jeff. Say hi to Jeff. Now I don't know about the shooting Glenlivet stuff but we will give it a try. What do we do with new speakers? He says that was pretty lame. What do we do with new speakers? I heard a few other choices but we will just do a shot.
We do not kill the speakers. DEF CON. >> Shooting Glenlivet, nothing like it. Please give that back. Where's the guy riding the skateboard? He really needs a drink. I think we should get -- a shot. I think he needs more than one. Dominic is going to be part of your entertainment; he has made some poor life choices leading up to this moment. Everyone say goodbye to Dominic. (CLAPPING) We took the kid gloves off and wrote firmware and screamed as much as possible. Doesn't matter; we are trying to do bad things here. So I was talking to Mike and it was like they designed the protocol to stop us from doing this kind of thing. So we went back to the drawing board, and so I had done a little bit of Bluetooth -- jamming in the past, but it is easy to jam connections as they are created and hard to jam existing connections. And we put in magic to jam those guys, and it actually turns out to be effective. But the problem is -- mode works by capturing -- so you have to capture the address. And then after that you have to capture the hop interval. So we coded this up and it looked like this. Yeah, this was surprisingly a lot more effective than the previous things. So in case this is not clear: the bottom graph, if you look at the magnitude, looks lower, and in the top chart the red parts are when the radio was screaming, and the reason it has the stepping pattern is because we recovered what frequency the other radios are on and just jump with that, and then no one else -- and then we win. Which brings us to Dominic, who has never ridden this thing before. So we set up these jammers and jam his connection and connect in the meantime and do some stuff to it. I'm not ready yet. So then I'm going to slam it into reverse and Dominic is going to go flying. Would you like a cigarette, Dominic? Come on, let's do it. We are three for three jamming. We tried this so many times. Just keep skating around. Come closer. You're being shy. Why are you doing this wrong? This is embarrassing. I hate live demos. I hate them so much.
I hate demos so much. This is really dissatisfying. Go back and forth once more and then we will quit and drink very heavily; this sucks. It should be working. (laughter) Fuck it, pass me the board and I will flip it up. It is jammed. By Dominic. (CLAPPING) That was not a success, but we tried. So we will talk about what was supposed to happen. We have had varying times trying to jam things in noisy environments; when we filmed this thing one worked great and another one didn't. This alleyway is the one next to the office. People are using a lot of technology in this room. So anyway, he is serious about using the clicker on this talk. I am so excited to use this. So we had a demo ready and we were not sure DEF CON would let us get away with it, and they would not. So we were like, how do we get close to the rider? There it goes. So we stuck it to a drone, and we were concerned about the board ending up on the engineer of the hotel. So this is about where we turned the jammer on. And so (CLAPPING) it turns out strapping a Bluetooth and three Ubertooths and other shit to a drone causes weight issues. This is the best idea that we had. So agent X around. This is a different thing. (audio drop) This is really easy -- that was one of the most terrifying things I have seen. A massive drone with four huge carbon-reinforced propellers flying at you. We got off to a shaky start last year and they had never dealt with security before. They were really surprised that they were not using crypto; they were quite sure they were, and we are sure you are not. So we did wind up working with them towards the end and they implemented a fix. They haven't published it yet. They are just beta testing it. Security research. Making the world a better place. I can't even say it with a straight face. So next on the hit list was (indiscernible); we didn't bring this one to Vegas because it is huge.
So it has a better range than Boosted did because the entire thing is made up of batteries, and it has this very odd-looking remote: instead of having a thumb trigger it has a finger trigger. I took one look at this thing and thought yeah, but got on it and said no. So kind of neat. So a friend of ours lent us a board, and it says Bluetooth -- like in a lot of places on the marketing material, and we were convinced that we are good at this at this point. So I think this should be easy, I don't need Mike, so we have the same harnesses that we used last time, hooked them up and got nothing. So I spent a while trying to figure out whether it was the environment again. I live in San Fran, so when I was just, like, sniffing without the board on there was so much noise -- I was like, why don't you come over, and built the Faraday cage. And so this is our Faraday cage. This is a snowboard box wrapped in a layer of tinfoil, but it worked pretty well: with the remote inside the box and the board outside, the remote was not able to bond with it, so we captured this data from inside, so we think the Bluetooth -- should be here somewhere, but nothing, nothing at all. So we're kind of puzzling over this for a while and -- (audio drop) we thought we should pull it apart, and it's still unclear if we told him we were going to do this. So hi Ryan, if you are here, we pulled your skateboard apart. So this is labeled RF on it and it was a little bit bizarre, and called the -- it is not a Bluetooth -- chip. Which led me to ask some questions. This is small. This is bigger, and this is the word Bluetooth. So I had some confusion about this. So fuck, I went too soon. So it talks about this thing called power -- so it talks about ShockBurst, with the trademarks that are in the datasheet. So we were like okay. This is not Bluetooth --; we don't know anything about it. That is weird. So we're still at my place, hanging out with our Faraday cage, and at this point we had clearly had too much beer. And so we didn't have a HackRF.
So I got as far as sniffing USB once and put it in a drawer, and we looked at it again and we dumped a bunch of traffic and we still got nothing, and we were like (indiscernible); at this point we had no idea why we were not getting anything. Kind of an aside, don't yell it out, but if you come up to us afterward and you can guess why this thing is strapped back to the thing, I will buy you a beer. I have asked several different engineers what it is used for and got several different answers. So we didn't get anywhere with the remote, so we pulled the other thing apart. So inside of the board is odd. 95 percent of the surface area is taken up by battery, and this compartment is cramped, so we pulled everything out: a bunch of off-the-shelf parts. It is above the front wheel, which makes sense from a design perspective, but it's just a bizarre design, so they have a video on the website explaining how to, like, fix a flaw if your remote is not bonding properly, and it involves tape and stuff, and it's unclear what they were doing at the time. Our hunch, given that it says Bluetooth -- but they just shipped it off to a contractor. This is why we were not seeing data from the remote, because there was nothing to see. It does have a nine-member bit field in it. So we went ahead and looked at this and knew we were not going to use an Ubertooth to pick at it at all -- the radio version of the nRF chip that was in the remote, and I was looking at this trying to figure out how to recover this data, and I saw that Travis wrote a blog post and had code that does the right thing out of the box. So high five for making my job easy. So we wrote some code to sniff Evolve using this device. A little bit of code on top of GoodFET, so I may send in a pull request for that. We came up with the jamming attack, and it was not amazing, but beyond that there was nothing to do; the board didn't know how to do enough stuff for us to do the main things to it.
This thing had a throttle and that was it, so we jammed it and made one roll down the hill. So anyway, that brings us to E-Go. This one says Bluetooth -- all over it and has a smartphone app, and you figure at that point it has to be Bluetooth --, so you see where this is going. So Rich pulls out the Ubertooths, and at this point doesn't know how to use them properly. So he attempted to sniff it and didn't see any packets, and we were still at a loss. So the next thing I did was I was attacking the remote, because that was, like, the thing that we were interested in dicking with, so they did say download it from the store, and I turned it on and it said searching for device, and still nothing. And I was looking at the board and there was this switch on the side, but the grommet says BT/WiFi and I said no. Surely not. No one would build a skateboard that talks WiFi; that would be crazy. So it turns out they didn't. They just put words that don't mean the things inside the board on them, and I looked at the smartphone app. There was not a whole lot in there, but it turns out phone Bluetooth -- is crazy hard to jam. So iPhones talk to the Bluetooth -- chip and tell it to avoid the channels that are being used by the LTE connections, so they don't use all of the data channels, and the mode jammer that we talked about with Boosted doesn't work at all with E-Go working on the iPhone. So it talks something. So we had a good look at it: what does this thing talk? So based on the position of the switch -- the (indiscernible) so we pulled it open, as we want to do, and we identified the radio part, kind of, but it had the serial numbers scratched off, and it's unclear whether or not this was a technique or damage in shipping, so we were at this for a little while and we had this moment when Mike made his contribution to the research. So this is a HackRF PortaPack. This is a shield that sits on top of the HackRF and turns it into a handheld device, and we used it for a wideband spectrum analyzer.
That is not Bluetooth. So we started digging further, using the HackRF in regular HackRF mode, and it looks like this, and it's kind of hard to see on here, but if you look at it closely it is FSK, so one frequency for zero and one for one, and we were able to do a little bit of radio and demodulate that into something that we could look at and count the bits, so we were able to recover the offset and access code used to identify the packets and the rate, and later we could plug that into something like an Ubertooth and sniff it. But we had to fire up a new radio and connect a bunch of boxes with a bunch of lines. But it is quite difficult to work with, especially if you don't know anything about DSP. I felt like this when I was using it. We could see the packets and how frequently they were occurring, and these slides are way out of order. This is my fault. So we had -- so we plugged this stuff into the Ubertooth, but the device used different channels, and the time between packets on a single channel -- we could measure packets on the different channels and we could figure out the hop order between those channels. So first up is this histogram where I sat on a single channel. Using the high-resolution channel, you see they cluster neatly into these buckets, so on a single channel you get two packets 44 ms apart, and you see the first packet and second and third, and it turns out there is 11 ms between those guys, so we found out there were four channels this thing used, and the time between the first three channels was 11 ms; guess what the time between the next channel was: 11 ms. So we black-box reverse engineered the way the protocol hops through the channels and have some code in Ubertooth to do all of this. So I think -- I don't know if we pushed this stuff out yet. So once we reimplemented it we were like great, why don't we have a stab at jamming this thing; so as we mentioned it doesn't have a reverse. So this is what your jammer looks like in practice.
So the jammer works by listening to a single word of the packet and turns the Ubertooth around in -- mode and hops to the next channel and spews out data, and if you do that for a while the board gives up and loses connection. So I'm going to spin the wheels here; so this thing doesn't have a notion of reverse, which is impractical, which means we can't throw people off directly; one thing we can do, meaning that if you grab someone past the hill they are on, the mechanical spear. Works like every time, 90 percent of the time. We had a slide for that demo. Out of order again. So we ran into the same issues. We looked at it and it was really fun to dick with, but the only interface was taking messages off the wire, so there's not a lot that we can do with interfering with the functions of the board, and it means that it is unlikely the vendors will patch these things. So towards the end we were working on this thing and thought, like, fuck it, there is some more stuff in Boosted, and since, like, the very start of this research I wanted to show on the skateboard. That is the thing I wanted, so we got to thinking, what if we can get code on the skateboard? So we pulled the board apart. (indiscernible) but as we started to dig into it we found them, but a couple of months after we started this research (indiscernible) if you look at the bottom it says firmware update available, and we were like, neat. So we were like, firmware facilities, good, so give it some code, and that sounds like fun, so we took one of the boards and we dumped the plaintext traffic that was heading between the board as well as the back end, and we figured we could work out how we send firmware to the board and what it looks like. So a lot of hours later we stitched together something that looks like a firmware blob, and a combination of these things, and there were things about it: the strings had (indiscernible); we got a list of all the things that you can do with the board. You can get the current version. NumSkill command, and I worked out what it was: it was the number of skill levels.
And in doing so our good friend -- (audio drop) so we wanted to know how do we get new firmware; that is the key thing that we wanted to do. But it looks like (indiscernible), so this is the firmware that we unpacked and this is the Bluetooth -- packet; they are the same bytes, and before that there are extra commands, and BTLD says give me your firmware, so it accepts a region and says, like, to me BBR is the thing that we are interested in. So we are like, what do we do with this? I mean, you can do something shitty to a rider. I, like, believe in learning my own hardware, but at this point we break the board. So we are down to a minute, so we will talk about GolfBoard, which uses the same stuff and has people riding down golf courses. Neither of us plays golf, but it would be interesting to play with these. Someone should hack a golf board. And safe hex is welcome to come up if they escort us off the stage. So I want to shout out to Boosted for being great to work with, in the sense that they didn't try to ruin us financially but they were cooperative and implemented a fix, and if you buy an electric skateboard, buy a Boosted board. This is the stuff that we worked on and we are releasing everything. Thanks for having us.
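The talk's central security point is that the board accepts plaintext ASCII key/value commands from anyone who can reach the radio, with no crypto on the wire. As an added example (not code from the talk, not Boosted's firmware, and not the fix the speakers say the vendor shipped), the script below puts a receiver for such a protocol next to one that authenticates every frame with a per-session key, a monotonic counter and an HMAC tag. The `throttle,<value>` command, the 32-bit counter, the 16-byte truncated tag and the session key are all assumptions for illustration; the talk only says the wire format is ASCII key/value pairs.

```python
import hashlib
import hmac
import struct

# Added example, not code from the talk. The "throttle" command and the
# "key,value" framing are hypothetical; the talk only says the board speaks
# ASCII key/value pairs on the wire.

TAG_LEN = 16        # truncated HMAC-SHA256 tag appended to each frame
COUNTER_LEN = 4     # big-endian 32-bit anti-replay counter


def parse_command(payload: bytes):
    """Parse an ASCII 'key,value' command; return (key, int value) or None."""
    try:
        key, value = payload.decode("ascii").split(",", 1)
        return key, int(value)
    except (UnicodeDecodeError, ValueError):
        return None


class PlaintextReceiver:
    """Board-side handler that trusts any well-formed frame it hears.
    Anyone who can reach the radio can drive it."""

    def __init__(self):
        self.throttle = 0

    def handle(self, payload: bytes) -> bool:
        parsed = parse_command(payload)
        if parsed is None:
            return False
        key, value = parsed
        if key == "throttle" and -100 <= value <= 100:
            self.throttle = value
            return True
        return False


class AuthenticatedReceiver(PlaintextReceiver):
    """Same command set, but each frame is counter || command || tag, where
    tag = HMAC-SHA256(session_key, counter || command)[:16]. A forged or
    tampered frame fails the tag check; a replayed frame fails the counter."""

    def __init__(self, session_key: bytes):
        super().__init__()
        self.key = session_key
        self.last_counter = -1

    @staticmethod
    def frame(session_key: bytes, counter: int, command: bytes) -> bytes:
        body = struct.pack(">I", counter) + command
        tag = hmac.new(session_key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

    def handle(self, frame: bytes) -> bool:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # wrong key, or bytes changed in flight
        counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return False                      # replay of an earlier frame
        if not super().handle(body[COUNTER_LEN:]):
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both receivers against constructed frames; return what each accepted."""
    session_key = bytes(range(32))            # constructed; a real key comes from pairing
    plain = PlaintextReceiver()
    auth = AuthenticatedReceiver(session_key)

    injected = b"throttle,-100"                               # bare plaintext command
    forged = AuthenticatedReceiver.frame(b"wrong key", 1, injected)
    genuine = AuthenticatedReceiver.frame(session_key, 1, b"throttle,40")
    tampered = bytearray(genuine)
    tampered[COUNTER_LEN + 9:COUNTER_LEN + 11] = b"99"        # "40" -> "99", old tag kept

    return {
        "plain_accepts_injected": plain.handle(injected),
        "auth_rejects_unauthenticated": not auth.handle(injected),
        "auth_rejects_forged_key": not auth.handle(forged),
        "auth_accepts_genuine": auth.handle(genuine),
        "auth_rejects_replay": not auth.handle(genuine),
        "auth_rejects_tampered": not auth.handle(bytes(tampered)),
        "plain_throttle": plain.throttle,
        "auth_throttle": auth.throttle,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is an application-layer mitigation only: how the remote and the board agree on the session key (pairing) is out of scope here, the counter has to survive reconnects or a replay window reopens, and, as the speakers note, using the link-layer security Bluetooth already provides would have made the sniffing, injection and jamming they describe considerably harder in the first place.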