>>Hello Def Con. I am p3n3troot0r. >>I’m ginsback. >>We are here today to present a framework built into the mainline Linux Kernel for hacking connected vehicles. Uh it’s free, open source, free to all. Uh it uses standard commercial off the shelf uh wifi hardware and uh let’s get started. So, the state of the world today. Um automation is becoming widespread in the commercial industry and it’s starting to become available in commercial platforms including in automotive systems so um vehicular network architectures today uh such as CANBUS are not designed for highly complex systems. Not designed to handle the throughput, latency uh and security requirements. Um however these architectures are still being used as the basis for uh developing future automotive systems and this is bad right? Um as we develop the next generation of automotive safety standards it is imperative that we build security in from the bottom up and not use something that is heavily flawed such that we deploy, irreversibly deploy um y’know platforms that are vulnerable and weak, especially in the context of safety critical infrastructure, like automotive systems that pretty much everyone in the civilized world use, um alright. >>Gotcha. >>Okay so um I think we’re actually one slide ahead. >>Yeah buddy. >>Okay up up. Okay so we can classify these autonomous systems um that we’ll see in the future. So we have uh classification of zero to five. We’re right now we can say we’re at stage two automation for vehicles, where we can say non safety critical functions are automated using the exchange of state information on the internal networks and the transition up to stage three requires um inter vehicle communication and synchronization. So these safety critical vehicle functions can be automated with the presence of an operator. Um yeah.
And so some of the barriers to this are uh so primary issues are who owns the infrastructure and who’s responsible for problems that are resultant from the deployment of these systems, right? You know. Who makes you know, who can make these decisions about public safety you know in the context of automotive systems and who’s responsible when these systems fail and there’s injury and potentially even death. And a good example of this is the machine learning systems we have uh that do vision aren’t actually robust to uh a lot of the adversarial attacks that can be constructed. So you see this, this picture’s an example of that. So in the top layer we have uh images that are fed into a machine learning classifying system to try and determine what the image is representing according to the classifier and you can see in the bottom image we’ve introduced, or not we, but previous resear-researchers introduced noise to these images such that the human eye cannot tell the difference but the actual vision system on the car uh gets tricked and you can imagine for things like a stop sign, a yield sign, you know that are present here. That could lead to some very dangerous effects. >>Indeed so this leads us to this concept of V2X. What is stage three autonomy? Um essentially um it can be described as such. Uh using a vehicular ad hoc network, a VANET, to enable rapid high throughput exchange of state information between network participants. Uh that as such provides enhanced safety and uh network wide optimization that isn’t possible using the uh sensor systems on board any isolated system. Um so this is done by layering a protocol stack, the V2X protocol stack, on top of the control bus to which reactionary instructions are sent to control the vehicle based on proximal network activity in the VANET. Um and this concept V2X serves as the technological bridge between stage two and stage four automation.
Going from traditional automotive systems to self driving cars to the future. So it will, the deployment of robust successful V2V will shed light on the technological but more so legal, ethical and moral challenges that are presented by the use of high stage automation in public systems, in consumer systems. Um so the critical aspects, the critical aspects of this technology um using this VANET promote greater operational awareness in the highly trafficked environment by the exchange of state information between vehicle and infrastructure points with the idea that this can be homogeneously applied to transportation systems worldwide. Um it’s designed to be integratable into the existing transportation network leveraging infrastructure that already exists. Um and in fact some V2X systems are being experimentally deployed um however they’re being developed very much in isolation not um coordinated between standards bodies in different countries. Ergo we are uh the standards as they exist are very much fragmented and disorganized. So we will come back to this though. First uh let’s let’s do a little more with the impact of the technology. >>So I guess one of the most important questions to ask is y’know why the h**l should we care about this? Um so transportation is obviously a ubiquitous thing that we all engage in. Everyone has to get somewhere in society. Um not only just people but freight. Uh industrial processes, so the increased levels of automation here and the increased connectivity of these systems unprecedentedly expands the threat landscape present um in terms of the automotive cyber security and more generally in terms of uh the security of critical infrastructure as all of these systems are in some way connected to critical infrastructure in the transportation network. Um so I guess more specifically then what does this mean for consumers? >>Okay. Okay cool. >>Um uh let’s see.
Okay so the deployment of these strong y’know ubiquitous-ubiquitous-ubiquitously adopted V2V systems uh have y’know a number of benefits. These are all estimated from the US Department of Transportation from three pilot studies they ran in Tampa Bay, New York City and I believe Wyoming and uh you see a significant reduction in fatalities, crashes, property damage and y’know significant improvements in traffic throughput in general um roadside optimization. Um so y’know by integrating these systems in with the actual cars you can reduce the stress of the driver uh remove certain safety hazards and just generally improve it for the consumer. >>Uh but uh let’s expand that. Let’s expand that perspective. What’s the impact on the global industry? So this allows us uh to scale V2X technologies across industrial platforms to optimize economic operations right like freight and agriculture. Uh it provides the same kind of enhancement to safety uh of the uh of the operators of the machines. Uh it allows for the synchronization and coordination of logistical operations, right? Think uh air traffic control for trucks. So it-it sheds or enables uh greater transparency to the root uh cause of inefficiencies and failures. Um these are these are what’s attractive right? From from industrial perspective. Um let’s-let’s keep going, right? What’s the impact on critical infrastructure systems? So, it the VANET outside the context of inter vehicle communications serves as a potential carrier for data in the absence of something like LTE so it’s a uh it’s-it provides access to a, uh, a network that you can easily propagate messages across from one single entry point uh across the national and potentially global transportation network. Um and it uh therefore you can like distribute information about emergency events.
You can distribute uh you can use it for distributing uh software updates right to vehicles to infrastructure systems or potentially for the people in this room, you can use it to do a whole lot of uh interesting wardriving and data collection and fuzzing of critical infrastructure systems that simply wasn’t possible before. The-the barrier um to a lot of automoti-automotive security is wireless access I mean we-we’ve seen it’s trivially easy to physically modify CANBUS but can you get in wirelessly? Well now you eliminate having to break a 4G modem. Um now we have a wifi like protocol that is becoming standardized in every consumer vehicle that doesn’t use strong authentication or encryption or association that you can rapidly propagate information across um arbitrarily and compromise from one single entrance point. That is pretty cool, right? Um now. >>So, so uh y’know what’s the impact for automotive security in general? I mean Duncan went over some of the points but uh I guess generally the exposure of this wireless attack surface means that you can very rapidly propagate messages from one point to another. Say you are at the bottom of some highway system and you send a message off to one car that carries it to another car, they carry it to another and so on and so on and now all of a sudden you’re in New York. Um, so that’s y’know a huge impact and beyond that you can actually do uh sort of packet sniffing. You can place either on the road- y’know on the roadside little sniffers or have your car y’know actively while driving and actually listening to these this traffic and reconstruct behavioral profiles of the cars as they move across the road and this allows you to reverse engineer some of their behaviors. You can send probe responses, try to figure out what firmware they’re running, or potentially. And use that knowledge of their firmware and their system architecture to actually exploit. Um right.
So that means that you can hack cars easier than has ever been possible before. But it also means that your cars are gonna get hacked a lot easier. [inaudible off mic] >>Okay. Um so here’s some here’s some examples of some of the features that are intended to be implemented through these uh coordinated systems. So we have uh collision avoidance so say you have a blind spot. A car in front of you y’know off to the blind spot is gonna send a message and say “hey I’m here.” Now you know they’re there so you don’t hit them. Um advanced driver assistance, uh cooperative adaptive cruise control, which is where you have um messages cascading back throughout traffic to try and synchronize how the cars actually accelerate and decelerate to y’know optimize the gaps between them and y’know make traffic smoother. And of course you have things like y’know, automated ticketing, automated tolling and other y’know application level um products that we’ll-we’ll go into a bit later. Uh so this gives our primary motivation for developing this y’know free and open source and easily accessible V2X stack so that we can and you can communicate using just y’know a Linux box with some cheap hardware and mess around with these systems. >>And participate and participate in the national and potentially global VANET. Um so let’s talk vision. Um vision of SocketV2V, our platform, right, is uh the history, history tells us that security through obscurity leads to inevitable PWNing. Um we have allowed security standards for safety critical systems to be developed behind closed doors and in the general case those have developed these standards have wildly failed us. Um this is the counterpoint of our vision here in releasing this. We are providing a means for security researchers and global researchers alike to participate in the development of the V2X standards because they affect us. They affect our daily lives and our families. Our wives and our children if uh if we could ever find them.
Um they um and the deployment of another set of weak standards will inevitably lead to the compromise of systems that are integral to the continuing functioning of our society. It’s not just a transportation network but what will the transportation network, the connected transportation network touch. It will touch financial systems. It will touch energy. And like all of the thirteen or so current infrastructure sectors alone alike as we move into higher levels of automation. Um this is why perhaps it’s particularly interesting to all of us here. From hacking uh cars using wifi we can potentially gain access to a-the global transportation infrastructure and to the energy systems that control it. Um so this is neat for us but at the same time there’s a clear uh need to make this-these standards not suck as badly as they have before. Um so, we uh let’s see. The biggest, probably the selling point here is that previously to do this it required a two to five to ten thousand dollar DSRC radio. We are enabling you to do it with a twenty dollar commercial off the shelf wifi card that can run five gigahertz. Um and we’ll tell you the couple simple modifications you need to make to your standard Linux Kernel and pretty much after you take our stack and compile it in your Kernel and make a few little changes to IW you can immediately start participating in the VANET which pretty much doesn’t really exist yet. Um and that’s why we’re giving it to you. So a little background. Uh began development circa 2015. Um there had been a good amount of uh of work done and published previously in this space which we quickly found was um non-existent, non-functional. Pretty much every project that had been started had been orphaned. Um, or those that they stated they were developing an open source made them closed source and um or they’re no longer compliant as they’re being deployed. So um we basically spent.
Took me two years of digging deep into the soulless chasm that is Linux Kernel driver development and at last have managed to surface here again. Um and now I would say V2V is more real than it had ever been before. Um, so we already touched on some of these motivations but just to reiterate a little bit. Increase in automation leads to increase in attack surface. Um the industry is calling for proprietary closed source implementation of V2V. Well let’s think about this for a moment. The standards are incomplete and bound for change. In fact, the security uh layer of the V2X standards is non existent as it stands today so, so OEM, as big corporate is going closed source uh and developing these standards in isolation while the standards are b-well developing these systems in isolation while the standards are bound for change. This will inevitably lead to the deployment of obsolete systems and hinder the development of V2V any further. And it’s already happening today. So um this is one of the lessons we learned from previous epic failure. Right? Um closed source leads to weakness. Um and also Kernel dev is hard, y’know you keep you keep using those words Kernel dev. I don’t I don’t think they mean what you think they mean. This is an example right of uh, we we pulled this from a patch that was submitted to the main Linux Kernel developer thinking uh thinking he was enabling eight oh two eleven P which is the physical layer of the V2X stack. Well if you, if you look right here I commented something out “WTF.” If it’s this frame return false. If it’s this return false. This return false. Otherwise return false, right? So pretty much the accepted solution is completely dysfunctional with like no frame whatever would actually be accepted and passed through the wireless interface. That took a- that took about a year to find in y’know the billions of lines of code. And this is- this is one of the many many many critical mistakes.
While there’s things that are very very partially implemented and then widely accepted as functional. Um just simply isn’t true and it took two years of clawing my eyes out to, to get here. To tell you that. Um so let’s see. Now we’re gonna do a stack overview. Uh real quick. >>So, yeah. Okay. Oop. Is it working? >>Yeah buddy. >>So we’ll start at the uh the physical layer of this stack. That is eight oh two eleven P. This operates on uh five point eight to five point nine gigahertz um OFDM. Um five to ten megahertz subcarrier width. And uh right above that we got um I triple E sixteen oh nine four. Which is the multichannel operation modes. It determines how you switch between the service channel and the control channel. Y’know service channel has well services and control channel has privileged controls that propagate through the network. Um and then going above that even further we have sixteen oh nine three. Which handles the messaging coding for the short messages that are used as the primitives in communication. And we also have things that uh deal with the uh RF parameters um the uh routing advertisements, the service advertisements y’know and so on. And at the application layer there’s J2735. Which it contains basic safety messages um emergency vehicle alerts and roadside alerts. As long as y’know um along with many others. And those are y’know packed inside of the short messages that end up getting down and dispatched finally along the physical layer of eight oh two eleven P. Um. Yep. >>So um so to quickly go over each of those in a little bit more depth. Um eight oh two eleven P comprised the physical and MAC layer of the V2X stack. Um as so right the kernel components are um five ten megahertz uh with subcarriers using OFDM over five point nine gigahertz. Five point eight to five point nine gigahertz. Uh frequency band. Um reserved for use by intelligent transportation systems.
Um using multicast addressing with no association, no authentication, no encryption this is specified to uh exist at a higher layer. Um such as in the sixteen oh nine and J twenty-seven thirty-five. Um and the uh and to define this networking mode called OCB mode, uh outside the context of a BSS, that pretty much uh allows you. It’s-it’s like ad hoc mesh networking just with the beaconing association, authentication, encryption all disabled. Um so next is WAVE DSR. Oh! Oh! Oh buddy. Looks like you got a little preview there of our entire presentation, um. Alright here we are. >>So a WAVE, slash DSRC, so WAVE is the basis of the WAVE short message protocol. WAVE stands for Wireless Access in Vehicular Environments specified in I triple E sixteen oh nine. So it’s an encoding scheme and it’s also management plane for V2V so that includes multi channel operation uh service identifier allocations, um y’know all of the stuff you might expect in this kind of ad hoc networking that allows the communication of the kind of fields you would expect in vehicles. Y’know location, telemetry, um trajectory, these kinds of things. Um, ’kay and J twenty-seven- oh sorry. This is a WAVE, this is an example of a WAVE short message so you can see that this is a- a fairly bare bones. Y’know quite literally a hello world example. So you have the version, the subtype, information element block which is similar to that found in other y’know eight oh two dot eleven stuff. And then at the bottom here we have um y’know the transport identifier which determines how the message is actually forwarded along the network whether it hops or floods out. And then we have the data field which contains hello world. >>This brings us to the application layer. SAE J2735. Um provides a grammar and and dictionary set of safety messages in interoperating V2V systems.
So probably the most uh common example is the basic safety message uh a message that will be continuously transmitted at a periodic interval between every member of the VANET to exchange state information about say the dimensionality of the car, heading, acceleration. So you can uh use this to to y’know do predictive optimization of the traffic flow. Um there’s collision avoidance which uh is exchanged when there’s a collision imminent to try and and and reduce or uh mitigate the harm to the driver and the and the and the stan- and those standing nearby. Um there’s emergency vehicle alerts which the emergency vehicles will use to um y’know modify traffic flow in the event that like an ambulance needs to get through or uh or a cop wants to pull you over. Um so say or in like the case of a natural disaster. Um really what this this allows you to do is um. Define um, y’know autonomously define direction or behavior that will happen um independent of the driver in order to, to create a safer VANET. Um by y’know by orders of magnitude has it been has it been cited in studies for the last fifteen years. So this is a great idea, right? This is, this sounds awesome and people have been talking about it since 2004 and people have been making slides and presentations and nobody’s really been doing anything and the standards are continually getting changed and there. And we’re going to talk a little bit now actually uh about the the state of the standards. Um the, there have been multiple major revisions made to, uh to WAVE and to J2735 and they are not backwards compatible. Um they have, they lack a complete trust management framework. Um they-the current uh the current standards that are deployed are proprietary and closed source uh and incomplete. And-so this is a clear attempt at monopolization of the connected vehicle industry but it’s the-the inevitable outcome is the development of uh is the deployment of-of an incomplete, obsolete and vulnerable platforms.
Um some, let’s-let’s go a little more in depth about these changes, right? >>Okay so some of the major changes that we’ve seen uh is that the-the certificate management system has actually been totally overhauled uh they-they’ve added um support for some implicit certificates and also a peer to peer certificate distribution system. Um there have been proposals for a trust management system that use uh misbehavior reporting so like y’know if you listen to a car next to you and they do something you don’t like you report em and then if enough people report em they’ll eventually get their certificate revoked. I mean that’s the idea. Um obviously there is uh quite a number of ways to actually manipulate that potentially. Um and y’know the-the J2735 standard has been completely overhauled. Several times. Such that y’know the old encodings don’t even work. Like at all. And we y’know with respect to the new encoding so the question is y’know how are these completely incompatible, not backwards compatible systems and systems where the security is just totally in flux supposed to actually work properly without exposing huge vulnerabilities. And the answer is, they’re not supposed to work. I mean. >>So we-we like to call this possibly unintentional obfuscation of the standards, right? Um cause we’re-we’re gonna allow the possibility that this could be somewhat on this-this could possibly be a mistake, right? Um we in-in revisions of the J2735 uh message verification codes, CRCs, are moved from emergency vehicle alerts from roadside advertisements. Um and some of these there almost no specification given for a lot of design choices. I mean here’s-here’s some pulled out of uh the I triple E sixteen oh nine spec. Um th-this guy here effect of receipt, nothing. So we see there’s ambiguity right? And what does ambiguity mean in terms of communication systems? Um it means that there’s a, yet another attack surface in-in the way the messages are received. Um so uh like what gives, right?
What fricken gives? Um >>To go over some of the subtleties that are uh in the protocol y’know to drive home the point a little bit. Uh there are type incongruity and there’s actually there’s type redundancy in these messages so you actually have lower layer protocols that will specify, or lower layer segments of the protocols that’ll specify certain things like location and GPS data and they’ll also be redundantly specified on the high level-higher layer protocols. And if these two things are incompatible. Y’know the values are different then you can actually have issues where you can confuse the software and y’know cause the car to go swerve off somewhere. Um the-the actual uh encoding of the um sixteen oh nine messages is-it’s a little poor I mean so there-there are points in some of the routing advertisements where there’s actually a byte that uh depending on who you interpret in the committee should be there or maybe shouldn’t be there. Um so that can-that can lead to very obvious parsing issues. That can just cause memory to crash and do whatever. Uh and the channel switching mechanisms on single antenna systems are actually such that you can um you can jam the actual, the effectively jam the communications for however long you want just by broadcasting off sync with the rest of the network and that can just shut down communication and disrupt peer to peer certificate distribution and no one can talk in some closed area for a very long time. >>So um what does the, are we on attack services yet? No. No. Attack surfaces. Um in the-so let-let’s move on to the juicy interesting stuff here right? Um what are the attack surfaces for uh V2X. Uh well the entire VANET is accessible from one single endpoint. Um due to the-the ad hoc mesh nature of it so you can propagate a message uh from one single point of entry. Uh massively distribute malware uh of course it was meant for safety information.
Um you compromise one radio in one vehicle and that could be a compromise due to a proprietary implementation uh weakness. Then you can therefore potentially compromise all vehicles um in the nearby proximity uh which would propagate to the global network. Um you can hijack emergency vehicle authority uh and execute services like platooning that are built into the V2X standards. Uh in order to disable uh vehicles um y’know for law enforcement uh or whatever reason y’know some of you might want to make your vehicle stop in the middle of the road on a, in the middle of the highway. Um so what does the adversary look like? Um a passive adversary can do y’know sniffing and mapping of the uh of the network uh both in terms of y’know mapping uh services that are available built into the sixteen oh nine standards and those that are left reserved for the manufacturers to implement. So what this means is diagnostic functions built into DSRC that allow you to execute uh routines on y’know on-on each vehicle. Um and there’s a lot of services that are defined and there’s a lot of that are left very ambiguous in the sixteen oh nine standards. Um what else? Let’s see. We can uh gain a lot of visibility into the global transportation network that is gonna be rather unique to the individual right. So think if you can understand um where y’know the nature of the economic operations in terms of the transportation network. You know where our supply and distribution networks are operating poorly and efficiently then you can perform arbitrage and and-and gain y’know economic advantage. Um and then use it for y’know for-for evil s**t right? Uh but more interesting, what does the active adversary look like? Uh I mean he might look like that. Um uh he could he might perform denial of service, man in the middle attacks between vehicles and infrastructure points so you can manipulate the misbehavior reporting schemes for example. Um you can disrupt vehicle traffic uh and target individuals.
Not just individuals you can target uh y’know classes of systems so not only perform y’know target individual, uh you can target a company or a corporate entity or a s-some kind of other um governing body that uh that uses these kinds of systems that is gonna use it highly proprietary or-or highly specific uh you custom tailored implementation of it. Um I-and and I mean who-who wants to deal with that guy right there? He looks like a d**k. Um so now if we consider the threat model that we introduced earlier from a theoretical level and then apply what the information gave you about the state of the standards etcetera, how does the threat model change? >>So the-the threat model that we have um in light of this information so we can corrupt traffic over the air wirelessly on y’know on the road. You can use the um diagnostic information and the DSRC radios to manipulate and control vehicles, exfiltrate data, do whatever the h**l you want. You can use the RF signatures of the actual radios on these things to break the pseudonym uh anon- the pseudonymity schemes that they use to try and protect the identity of drivers. So what they do is uh you randomize your MAC address and your certificates time out and you generate new certificates but the problem with this is that if you have great enough visibility over the network you can trivially track this and identify anyone as they move across the road regardless of this, y’know kind of like slapped on attempt at anonymity. Um so obviously V2V has quite a number of problems and you know our solution right is to. So just put it on Linux. >>Yeah man just use Linux dude. Uh just use Linux. So, um, right we we have this free and open source platform uh that is uh I mean it’s. So we have a little asterisk here it’s platform independence. It’s uh accessible in a generic Linux environment so it’s uh we we took the V2X stack and implemented it in the Linux kernel network and subsystems.
The asterisk there is because uh hardware that manufacture- uh manufacturers specify a regulatory domain in the hardware that they’ve produced so you have to go into the driver and make slight modifications to participate in the intelligent transportation bands um but past that the modifications to each driver are pretty slight right now. We have published support for Atheros 9k. We’re extending it to RTL wifi um and y’know ideally soon enough to-to all standard um networking driver architectures. Um so just use Linux. It’s-it’s always-it’s never been that easy right? Um how we do this, uh first we’ll start with eight oh two eleven P. So we’ll go up up the stack um. You just define the ad definitions for the intelligent transportation channels in the wifi drivers so this one we stick in the Atheros 9k. The same one goes into RTL etcetera. Uh next you uh modify the kernel and user space regulatory domains uh so this is what we’re saying um the, the FCC and the-the manufacturers alike so specify um a specific regulatory domain that you’re allowed to use in each country so you can pretty easily modify this by going and doing a little bit of kernel hacking and forcing uh the kernel to accept a regulatory domain that you specify. Um so what we do here is we add the intelligent transportation bands. Um make it OCB only because there’s no channel sharing um uh etcetera and we do the same thing here in the Atheros driver on the bottom um and then we add support for filtering of eight oh two eleven P frames. Um so this is just a function that we that we’ve pulled we stuck it in there and we did the sorts of frames you accept uh management data um and QoS frames and then >>Uh you just make to-to finish the uh integration eight oh two eleven P the um modify standard Lin-uh Linux space utilities such as IW. Uh the wireless-regdb which we went over a second ago and CRDA so in IW. What we do is add uh you specify command that allows you to join an OCB channel.
Specify the uh frequency and the uh megahertz whether you’re gonna use five or ten megahertz with sub carriers. Uh we add definitions for the five and ten megahertz uh with sub carriers in uh in the IW regulatory domain and using uh the command specified above you can see we’ve successfully joined uh a y’know an OCB five gigahertz network. Uh we published the code to do this in in the GitHub group that we’ll give you at the end. Um so moving up to... >>Moving up sorry moving up to uh WAVE or sixteen oh nine. So we have to specify or rather we had to specify all the relevant data structures you know the short message, service advertisements, the routing advertisements and-and so on. Um and all y’know full modificati-er full ability to modify any of the fields in there to create custom packets that you just inject off to the wireless interface and send over the air. Um as well as uh managing the channels uh channel synchronization and channel hopping and um just the MAC level extensions of the actual uh management plane in-inside y’know. Inside the operations. Click. Click. [inaudible off mic] >>Okay um so okay so the usage of the uh WSMP so you have the ability to take the structs that are defined and encode them, conversely decode them as they come over the air cause they’ll come up through a socket interface and you just take the byte stream and decode it. And uh use the user specified WSMP packets using libpcap or y’know whatever you want to just inject it into the wireless interface and it’s-it’s there. It’s on the air. So this is the uh the WSM struct. The WAVE short message. This is a top level structure of the actual message encoding. This um specifies the transport identifier which is how the message will actually be routed across the network. Whether you’re gonna hop y’know however many times you want. And also uh the um the data fields and all of the ancillary data gets packed into here.
So this is the, this is the information element extension which includes the RF parameters um the routing information and all, all of this other fun stuff. Uh and other ancillary structures that include y’know routing advertisements, service advertisements, channel info and service info. Right? >>So then how do we apply this? Um we take some of the uh, we-we define J2735 uh critical messages uh somewhat based on the, the SAE-provided, broken ASN.1 spec that we fixed and made a heck of a lot more pretty and then you see we just filled up with uh parameters that are compliant within the limitations of uh of each field. Then what we can do, generate a WSM message as uh he just showed uh and these-these fields are uh are from the sample uh given y’know a couple, twenty slides up. Uh We serialize it using a-a encoding function that we wrote. Uh well first we pack the basic safety messages that we made right here. And you pack it right into the data field of the WSM uh serialize it and dispatch it to uh the wireless interface using pcap inject and the result is um successfully transmitted WSMP messages. So Wireshark has a-a plugin for WSMP uh that’s-that’s outdated uh doesn’t uh support the current coding types but it sorta at least sorta recognized what uh what we did here. Uh figured given the-the nature of the week we would avoid uh doing uh a wireless demo with 5G tech. Um But, what we can see here is we successfully transmit and inject a WSM message. Uh using Linux open source stack and an Atheros 9K twenty dollar wifi chip. Uh and now you can do this too, right? So the exact same thing is possible for the other types of safety messages using the exact same methodology so we show an emergency vehicle alert, roadside advertisement. You pack it into the um into the WSM struct and you can, you can serialize and transmit it um just as easy and actually start interfacing with infrastructure and connected vehicle systems that exist today in isolation. 
Um so yeah what are you gonna do with this? You wanna be a master? Uh You wanna pwn some connected vehicles? Well we’re gonna sorta go here in increasing level of uh of pwn. >>Right so level one would be you can imagine a denial of service, so f**k with the channel synchronization and just kind of disrupt the network, prevent people from broadcasting. It's very possible for single antenna systems. I’m sure there are more clever ways to do it by breaking the parsers. Um stage two, sorry, level two would be to enumerate, essentially map out all of the proprietary services offered at the application layer to get an understanding of the attack surface of each car and actually exploit that. [inaudible off mic] Oh oh. Okay. Level-sorry level three would be uh sir masquerading as a toll booth so um electronic toll collection is actually a future imple- er future um aspect of this technology so if you’re able to hijack that- hijack that certificate you can essentially prop up a mobile toll station and go around collecting fare from everyone y’know as you pass by. Uh then of course you bump up a little bit and you can start dealing with emergency vehicles y’know going-uh pretend you’re a squad car and uh force someone to pull over. >>I’m an ambulance. And if you really want to be an elite maybe you can figure out how to execute the platooning service that’s built into J2735 that lets you uh take full control uh or rather assume direct control of any vehicle particip-participating in the VANET, right? But um I think we have a few more types of pwning here right? Um what do we got? What do we got? We cannot read at all. Um so, you can you can pwn in a bunch more clever ways um but really it really-this isn’t just about pwning vehicles. Um completely. 
This is about providing an interface that allows you to participate in the development of secure good standards by hacking them so we’re using all these evil superpowers to deploy systems that will be homogenous in transportation systems worldwide. Um we don’t want another CANBUS. We-we don’t want um to-to get stuck with a fully deployed completely vulnerable arbitrarily hackable uh network protocol alright? So we give this to you so that we together can make something that doesn’t suck, y’know in layman's terms, right? Um as always hack the planet. See what you can break. Use it to make the world better and please come and uh please reach out to us with any thoughts, ideas, questions. We are releasing this. It’s posted already on GitHub. Um you can find us in the car hacking village. We’re giving a talk immediately after this at three o’clock and we’ll be in the car hacking village afterwards at four. Um so thank you Def Con. [applause]