
I Heart My Robot Overlords: Infosec Challenges in Emerging Technologies

BSides Peru · 2016 · 49:14 · 154 views · Published 2016-06
About this talk
Drawing on the CERT Coordination Center's Emerging Technology Domains Risk Survey, Dan Klinedinst explores security challenges posed by technologies expected to reach mainstream adoption within the next decade. The talk covers Intelligent Transportation Systems, autonomous vehicles, AI/Big Data, robotics, IoT, and medical devices, with an in-depth case study on connected and autonomous vehicles including V2X communication, CAN bus vulnerabilities, and adversarial attacks on machine-learning-based perception systems.
Original YouTube description

I Heart My Robot Overlords: Infosec Challenges in Emerging Technologies
Dan Klinedinst

Abstract: This talk describes some of the most important emerging technologies of the next 5 - 10 years and what information security challenges they will pose. This work is based on the CERT Coordination Center’s 2016 Emerging Technology Domains Risk Survey report, of which Dan is a co-author. (http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=453809) This report identifies technologies that are both likely to become mainstream within the next decade (based on the Gartner Hype cycle), and likely to have security ramifications above and beyond those of traditional IT technologies. Some of the technologies we’ll discuss include Intelligent Transportation Systems, Autonomous Vehicles, Artificial Intelligence / Big Data, Virtual and Augmented Reality, Smart Robots, Smart Medical Devices and Human Augmentation, the Internet of Things, and more.

Bio: Dan Klinedinst is a vulnerability researcher at Carnegie Mellon University's CERT Coordination Center. His work includes performing vulnerability analysis of government and critical infrastructure assets. He is currently focused on researching security vulnerabilities in autonomous vehicles, edge computing platforms and embedded devices. Prior to this role, he was the technical lead for developing a national scale penetration testing program for a major U.S. Government sponsor. Klinedinst is also the author of the Gibson3D visualization tool, a co-founder of the BSides Pittsburgh security conference, a frequent speaker at security events, and a former security engineer at Lawrence Berkeley National Laboratory.
Transcript [en]

At this point I'd like to introduce Dan Klinedinst, a vulnerability researcher at CMU in the CERT Coordination Center. He's gonna kick us off here with our first talk today. So gangsta. So all my slides are coming up, which one day is great to be ending up here again. A lot of familiar faces out there. If you don't know me, I'm Dan Klinedinst. I helped to start BSides Pittsburgh back in 2011 with Joe and some other people, and I don't know about drill, but I don't think that we thought at that point that at some point there'd be the 6th annual BSides Pittsburgh with almost 200 people, so that's pretty awesome. The

current organizers are doing a great job, and so get one more round of applause for all the organizers. Brian I'm still getting from us like something hey. All right, so the talk is called I Heart My Robot Overlords: Infosec Challenges in Emerging Technologies. This is probably one of the less technical talks today, but probably given and getting ready start of the day. I'm going to keep walking, moving the microphone, I apologize. So this is based on a report that we did at CERT and put out a couple months ago called the Emerging Technology Domains Risk Survey, and it is by myself and several other people at CERT and one who used to work there, so I want to make sure I acknowledged

their work with probably more than my own. Copyright information. OK, so I'm not going to go through this, but I'm a vulnerability researcher at the CERT Coordination Center, which is the subset of the CERT Division at Carnegie Mellon University. We're basically the group that has been putting out the vulnerability notes for the last 30 years, so when you get those in your email, that's from us. Like I said, I helped start BSides Pittsburgh, and I used to work at Lawrence Berkeley National Laboratory and a bunch of other things. So, our agenda today: we're going to cover three main topics. We're going to talk about common challenges in emerging technology industries, so these are things that cut across a lot of

different industries as we see it. We're going to then go into some specific technologies we reviewed in this report and talk about specific risks and novel risks that I thought were interesting, and then I'm going to do kind of a case study and talk about connected and autonomous cars, because that's where most of my research has been done recently. I'm going to see if I can hold this, oops, I won't like feedback. All right, so the emerging technologies risk survey is something that we were asked to do by Homeland Security a couple of years ago, and they basically asked us to look at things that were coming down the pipe that we might have to be worried about

in the future, we as a country and as the infosec industry, and we went out and tried to identify technologies that were going to be hitting, like, really in the market in the next five to ten years. We didn't want to go too far out. So we identified these, we've been updating it each year since then, and really what we did is we identified common and widespread challenges that were new to the security industry that are going to be coming up, and then we also identified some technology-specific risks. And then what we did with that is we decided to recommend either we do technical research in it, so my car research is a result of this, and

basically identified automobiles as one of the highest impact things to society, so that's why we decided we should focus our research on that area, or if we should just do some outreach. So like the medical industry, we don't have the, you know, people to do everything, so the medical industry we're not really doing hands-on technical research, we're doing outreach, or just keep situationally aware of what's going on in those industries because they might not be quite to market saturation yet. Our technologies we chose are based on a Gartner Hype Cycle, which comes out each year. Most of the things I'm going to be talking about today kind of fall to the right-hand side of that peak. There's a

few from the left. The things to the right of the peak are generally things that are starting to really become widespread in the market; things to the left are still a little bit farther out there. All right, so some of the common things we've seen across these emerging domains. One is the fact that you can have kinetic effects, you can make things happen in the real world. So I'm sure everybody in here has probably seen the Jeep video and knows that Chris and Charlie were able to take control of the Jeep and drive it down over the embankment as well as control it on the road and things like that. There's a whole bunch of industries where this is

going to be a concern, that you can now not only hack into a computer and access the information or steal the information or change it or take the computer down, now you can actually access things, cause things to happen in the real world, which obviously has safety implications as well. This didn't cause anybody to get hurt, but you can easily imagine that hacks on cars, on medical devices, etc. can certainly cause human harm or even death. Here's another commonality that I like to call semantic attacks. There's a situation recently where Microsoft decided to put up this artificial intelligence chatbot on Twitter, and within 24 hours the AI had read other Twitter feeds and what comments were made

to it and stuff, and it had started spewing all kinds of pro-Hitler, racist, completely inappropriate things, and Microsoft had to pull it off of Twitter. So this was an attack, certainly, by people that were trying to get the AI to do something that Microsoft had not intended, but it wasn't an attack in the sense of trying to, you know, exploit a buffer overflow or a network protocol vulnerability or anything like that. It was sending it valid information but causing the machine learning behind it to do the wrong thing. We're going to talk a little bit more about that when we get to the cars. So business models are also different, and that actually does concern us, and

the reason why I use this specific little graph from an income statement here is the biggest difference I see between traditional software vulnerabilities and these emerging domains where computing and networking is built into products is that there are now physical products and your business model has to account for that. So software has really large margins, because once you've created a copy of software you can resell it, you know, an unlimited number of times for virtually no additional unit costs. Hardware or physical goods are not like that. So if you are making home routers or something, it costs money to produce each one of those, so that's going to change your economics, change how much you can expect

to spend to support those over the lifetime of the device, and patching for security problems becomes more of an issue because now you can't just push software patches over the air necessarily. You might have to go out and find these devices in warehouses or store shelves or somebody's house where they just stuck it and forgot about it for three years. And so people, I don't think companies are taking that into effect right now when they do their business models and say, hey, how much is this going to cost me. They're not including the fact that they're gonna have to pay for maintenance now, with fixing vulnerabilities or even just general software maintenance down the road. Being a maintenance, so I was going

to use a different picture for this, but then I saw this on Twitter just the other day. So somebody just took this in an airplane. They're still running Windows 98, 18 years ago, and, you know, pictures like this come up a lot at conferences like this and we all kind of laugh, that's ridiculous, but I bet a lot of us in here have devices that are attached to computers which we really don't want to ever upgrade because we're worried that that device is not going to continue working. Industrial control systems are famous for this. I used to work at Berkeley National Lab and there was a lot of computers that controlled scientific equipment that they never

ever wanted to upgrade or change, because when you have a particle accelerator that costs a million dollars a day to run, you don't want to risk changing it because Windows botched another upgrade. So this is a problem, I think, and it's going to be more of a problem as software gets baked into more things and has to be updated and patched and maintained in general. Automation: in general I would say the automation of security is a good thing, and we had a good conversation about this yesterday, and it's great when you can do over-the-air updates to automatically update security patches and things like that on your devices. But there's like an incident recently with

Microsoft with Windows 10 where they forced an update on to all of the computers, and for some subset of Windows 10 computers it caused the computer to go in this endless loop of just crashing and rebooting. So that's the kind of thing where years ago, if people did manual updates, somebody would have done that, they would have realized it was a problem, it would have become public, Microsoft would have warned people not to use that patch, and probably a lot less people would have been affected. And now that Microsoft pushes automatic patches, automation is good but there's also risks involved in it. And Google had a similar thing that didn't actually crash anything, but when they had the Stagefright

bug, the patch originally didn't fix all the security issues, so they had to go through and redo a patch and redeploy that to the 950 million Android devices, assuming that the Android devices get patches to begin with, which is an iffy proposition at best. So then in our security industry specifically there's some processes that we need to think about as we're scaling up and putting computing and Internet in billions of devices now. One of those is the CVE, you know, the individual numbers for vulnerabilities. CVE already cannot keep up with the number of vulnerabilities that there are in software, so I think there's no way it's gonna be able to keep up with all these devices that may

now have vulnerabilities in them, and they recognize that and they're not trying for a hundred percent coverage, and there's some new alternatives to CVE that are coming out to try to address this and automate it so it'll scale better. The problem is now we don't have a single identifier for vulnerabilities; we may have three different vulnerabilities and different sets of vulnerabilities being covered by the different identifiers. Patch management: so this kind of goes back to the Windows 98 thing, but, you know, it's already hard to patch all of your Windows servers, patch all of your desktops, laptops, third-party software. Now you're gonna have to worry about patching your elevators and your HVAC systems and your

cars and your fleet and everything else. It becomes either a massive nightmare or a massive market or opportunity, depending on how you look at it. And then CVSS and CIA kind of go together. So the CVSS scores that score the impact of vulnerabilities are currently mostly based on the CIA triad, so confidentiality, integrity and availability, but that doesn't take into account other things like safety. So for example, if you've got a denial of service attack on a car, it makes a big difference to me whether that denial of service stops the car as soon as I turn it on and I can never go anywhere, versus it stops the brakes and

steering from working when it's already going 70 miles an hour. To me those are two very different vulnerabilities as far as the impact of them, but they would probably have the same CVSS score. Those are a bunch of things that we're going to have to worry about in the industry specifically, whether our processes can scale and handle all these billions of new devices. I'm going to go into some of the specific interesting challenges I saw in specific technologies. This is the list of near-term domains that we identified. I'm not going to talk about all of them, just the ones that I think are more interesting. If I'm doing pretty good on

time, so it's good. I did this talk yesterday and it took an hour and I only have 45 minutes today, so I'm trying to talk fast. OK, so the connected home. Also if a few people in here that saw my talk yesterday, I think this video actually works this time. I can find almost

we plan a bad video game. So I think there's three things to be concerned about in connected homes. One is a privacy issue, so there's already been issues where Samsung has warned customers that if they walk in front of their smart TV and they're talking, the TV might record their voice and send it up to Samsung when they don't realize it. There's been smart Barbie dolls where they were recording the kids' voices and sending them off in an insecure manner up to cloud services at Mattel or whatever, and so privacy issues are one of the concerns. Second concern to me is that now all of these devices that you're seeing up here that you're putting in

your house become entry points into your home network. So even if your doorbell is not that important to you, if it gets compromised the person is now inside your network and can use that to jump and pivot to your computer, your laptop, your phone, whatever. And then the third thing is the fact that these devices themselves can be attacked and whatever they're supposed to do can be overridden. So think about garage door openers or door locks or something like that. These are being put on Wi-Fi now and internet-enabled, and so if a hacker can get to that then they can just tell the door to open and then walk in and take your stuff. Now I think people are

thinking about this too much. Like, my parents just bought a security system and they can check their security system and turn it on and off and stuff over the internet, and like, it just seems like a really bad idea to me. You can do it, then I'm pretty sure I can do it.

The augmented reality is another one that we looked at. This is interesting. It's instead of virtual reality, where everything you see is fake. You wear some kind of smart goggles or glasses, like this is the Microsoft HoloLens, and you see the real world but then you see virtual information superimposed over the real world. So in this example this guy's supposedly designing this motorcycle and he's seeing what the motorcycle will look like with his new pieces even though he hasn't actually created them yet. I think augmented reality in the beginning is probably going to be used for things like this, for engineering and architecture and medical things, but people are already talking about, hey, in 10 years we might

all be walking around with smart glasses on. Hopefully they look a little better than the Google Glass. But so if you're walking around with glasses and your glasses show you the real world but with digital data superimposed, what's to say that the real world information you think you're seeing through those glasses is still real if they can potentially be hacked? If I'm going to step out in the street I look for cars, I want to be really sure there's no cars coming. I'm not sure I trust a device, considering the history of security devices, to make that assumption and step in front of the, or not step in front of a car, hopefully. So changing

gears a little bit, cryptocurrency is another thing that came up in our report. So as of a few days ago the market capitalization of Bitcoin, all Bitcoin in the world, was almost nine billion dollars. That's a fair chunk of money. And I think the interesting thing about Bitcoin is that you can attack the servers that store bitcoins and wallets and keys and things like that just like you would attack any traditional servers, but you can also attack the protocols and algorithms themselves that make up Bitcoin. Bitcoin, all it is is data and protocols that are agreed upon by millions of people, and so a vulnerability in that actually changes the value of the currency. So that's kind of a novel

attack path. And you could argue that our current financial system is mostly just data and algorithms, it's not backed by gold or anything anymore, and there are people who can quote unquote hack it already, you know, they're just financial people rather than computer people. But I think the concern is that current regulators and people that watch this kind of activity are really good at doing accounting and finance and things like that; they're probably not as good yet at doing analysis of algorithms and protocols and that kind of thing. And to be honest, Bitcoin is, I find it very confusing myself and not in computers.

Machine learning: so this is probably going to affect almost everybody no matter what industry you're in, but I want to talk about how it's going to affect our industry specifically, because I think that in the next five to ten years this whole pattern where there's vulnerabilities and they get announced and patched and the patches get rolled out and eventually deployed and all that, it's going to become too fast for humans to be able to keep up with it. So we already see situations where people are trying to automate patches to apply to security issues as soon as they're found, while the service is still running, and I can foresee that at some point that

whole cycle of doing the patches and finding the vulnerabilities, everything is going to become automated. But this year at DEF CON there will be the Cyber Grand Challenge, the first Grand Challenge. It has a bunch of teams trying to design these systems that can attack each other, so they're competing in the CTF without human intervention, and then those automated systems are going to compete against the best human teams in the world or type of DEF CON CTF. So, you know, we're not quite there yet, but we're definitely on our way to the point where we as humans cannot do the current jobs that we're doing in security because it'll be just too fast. We'll have to rely on AI and machine learning

to do it, but I think what our jobs will be will be more to define what those rules are that the AIs and the machine learning is using, figure out what it should do, which of course opens up a new attack path.

Medical devices have already gotten some press with the insulin pump hacks and stuff like this. I found this the other day on the internet. This is called the i-limb. It's a bionic either hand or just fingers, and yes, it can be controlled from an app on your phone. You can preset different hand positions, and I'm just not sure that I'm ready to have an art-, well, I'd rather not have an artificial limb at all, but if I had one I don't think that I would want to have one that's controlled by an app on a smartphone, especially Android. Really, this is kind of a superset of a lot of these other things. What we're talking

about is the fact that we're now going to have all these machines that have autonomy and artificial intelligence and the ability to affect the real world and also have internet connections or just local radio connections, apps, whatever. And so do we trust these machines, do we have confidence in them for safety engineering but also for security engineering, that they can't be undermined or used nefariously? And I think there's gonna be a strong motivation for people to attack these because a lot of these machines are going to be taking humans' jobs away, and humans often don't like that. But there's a big motivation to attack, you know, autonomous cars because they'll take away taxi driver jobs

and their jobs or whatever. And all these robots already actually exist, except for the Terminator, that one doesn't exist yet. Drones is another area that we're actually researching right now, which is really interesting. You've got a couple worries here. One is the fact that being in downtown Pittsburgh and seeing that there's hundreds of drones flying around over your head delivering lunch or packages for Amazon or whatever, that's already kind of scary enough when you worry about whether you can attack either the drone itself or the systems that are scheduling flight paths and all that kind of thing. But then there's also the added motivation of trying to steal whatever the drones are trying to deliver. So if you can

think that, like, terminally ill patients might think it's great to be able to have a drone deliver them morphine or something as soon as they need it from the local pharmacy, not have to wait for a driver or something, but there's a really strong motivation for an attacker to try to, you know, take control of that drone and land the morphine somewhere else so they can get it and the intended recipient doesn't. So there's a couple, you know, different motivations than we normally see. All right, I'm actually talking too fast, when won't slow down. So connected and autonomous vehicles is something that I've been working on a lot the last year or so, and kind of a big thing around

Pittsburgh with the Uber Advanced Technology Center and everything. Do we have anybody that's willing to admit that they work at Uber ATC in here today? Oh, so either they're not here or they're not willing to admit it. So this is kind of a combination of three different domains that we recognize, and I figured I'd put them together and go through it with a little bit more technical depth since this is what I've been doing specifically recently. So this is networked telematics. This means the in-vehicle infotainment system, basically a little thing in the center console of your car which now has maps, navigation, and also can say like what miles per gallon you're getting and all kinds of information about your car,

obviously still has entertainment, radio and all that. And then autonomous vehicles are vehicles that can self-drive to some degree, whether that's just the current Tesla that can take control or go park itself, and, you know, going the whole way up to fully autonomous cars that don't need a human driver at all. And then intelligent transportation systems are coming up, and this is sometimes called V2X, and what that is is cars and road infrastructure communicating with each other through short-range radio messages. The stop sign can actually send a message to your car saying, hey, there's a stop sign coming up. Your car can be saying, hey, I'm at this location, I'm going this fast, and

broadcast that to all the other cars around, with the idea that your car can make decisions based on those. It'll be too fast for you to make a decision, but your car might be able to adjust itself. The networked telematics is the area that I've been looking at the most recently. We just put out a report a couple months ago where we looked at devices that plug into your car. They're called OBD-II devices, and this on the right-hand side is an example of one of these. And we examined a whole bunch of these because the concern is that they plug into your car and therefore give you network access to

the network that's in the car, and they also have a radio on them which allows access from a smartphone over Bluetooth or Wi-Fi or over a cellular connection. And so we examined a bunch of these and found that pretty much all of them had some security problems. There were ones that we got off of Amazon for ten dollars and they really were just like a serial connection from Bluetooth to the inside of your car, and I'll talk in a little bit more depth about those in a minute. Then self-driving cars, I think everybody kind of knows what those are. This is the self-driving car that CMU built a couple years ago right down the street. It's

actually part of the National Robotics Engineering Center, whose name I always flub. But the interesting thing about this self-driving car is it's not obvious from the outside that it can drive itself. All of the cameras and radar and lidar and stuff are built in, although I've been in it and if you open the back, the whole trunk is basically taken up by racks of 1U servers running Linux, so not quite as practical as a real car yet. But we know that the Uber cars are already driving around Pittsburgh, so this is definitely something that's coming up quickly. Then I mentioned V2X, and this is kind of a visual depiction from the Department of Transportation of how this might work,

but it involves both vehicle-to-vehicle and vehicle-to-infrastructure services, which are called V2V and V2I, and you can kind of see from the picture that what it's showing is that both the vehicles themselves and any infrastructure along the roads can broadcast information. So this ambulance could be broadcasting, hey, I'm an ambulance, you should get out of the way, and your car could automatically change lanes to clear the way. Construction equipment could be broadcasting, there's a lane closed up ahead, you should move to the left. The car could broadcast messages back behind it saying that they're slowing down suddenly for some reason, so all the other cars behind it would know, hey,

there's something going on because a car up there slowed down all of a sudden. That's kind of the idea behind this glorious vision. We're gonna dive into just a little bit of technical stuff, I promise not too much hexadecimal first thing in the morning, but just to explain a little bit about how cars work on the insides: they basically have a whole bunch of things called electronic control units. ECUs communicate over various types of networking, but one of the most common networks they use internally is called the CAN bus, or Controller Area Network. And the thing about cars is that there's no central server or brain inside the car that knows what all these

different ECUs do. Each one of them operates on its own and all it knows is, I receive certain inputs, I should do certain things. So there's nothing that's looking for patterns of activity that might be suspicious or something that the car wouldn't normally do. Somebody asked me yesterday, like, so if a car says that it's going 90,000 miles an hour, is the car smart enough to realize that its odometer cannot probably also be at 70,000 miles after an hour doing that, and the answer is no, there's nothing that correlates those different pieces of data that realizes that's a problem. So the CAN bus specifically is a problem. Basically there is no security built into the car

because they never expected the internal network of a car to be attached to the internet, which it now is. So just briefly to explain why this is a problem: the CAN bus is a simple serial protocol. Most of these devices that plug into your car, or they're already built into the car like your infotainment system, they just use this simple AT command set, same thing that we used in our Hayes modems back in like the 90s, to send serial commands to the CAN bus. And the format of a CAN bus message is extremely simple. There's a CAN identifier, which says which ECU that message is intended for, and then there's a length and the data, up to eight bytes of data that

can go in it. You'll note that there's no source identifier, so that's a problem. If my speedometer gets a message and it's addressed to it and it says the current wheel speed is 70 miles an hour, it has no idea whether that actually came from a wheel speed sensor on the wheel or if it came from the CAN bus because I just injected it. There's no idea where it came from, so it's just going to act on it without that kind of authentication. And this would be totally unacceptable in a network protocol that we put in our enterprise IT networks, but this is how cars and lots of other machinery have operated for decades. Then down at the

bottom here is just a couple of examples of CAN messages so you can see what they look like. You can see they've got an identifier and then ages the length and then they've got a few bytes explaining what they're doing. One is just requesting the list of all diagnostic trouble codes from the car, and another is, I've been working on a Chevy Volt that we have up at CMU, which is currently inoperable, oops. But you can request the current amps of the battery, meaning the big three hundred volt battery that runs it since it's an electric car. Well, those are just some examples to show you how simple the protocol is. Couple other

examples: so I sent these commands over one of the devices I compromised. I sent these commands into the car and got back likely for an engine RPM and the outside ambient air temperature, and so all I had to do is send messages to specific CAN IDs, and once you know the messages that are applied with whatever they print information is. So that's just reading information, not terrible, although it's kind of bad that I can do it over the internet. Even better is this one that I found for the Volt. This is a CAN ID for the door lock control system, and so you can send these messages that you see on the side and you can cause the front

door to unlock, or all the doors to lock, or all the doors to unlock. You can set off the panic button, or disable the panic button if it's going off and you're trying to steal the car. So at this point I was like, sweet, I got to the point where I can steal my own car. I haven't actually gotten the car to start yet by doing this because I have to spoof the little remote key thing, the key fob. So I can get it to start in accessory mode, but all that does is turn on the radio and the, you know, air conditioning and things, so not quite to the point where I can totally steal the car just

using this compromised device, but I'm getting there. By next year I should have actually moved the car. So changing gears a little, we're going to talk about the PKI system that's used for this vehicle-to-vehicle. So you can imagine that it's a concern if you've got all these cars and all these infrastructure elements on the road that are sending messages to each other and taking actions based on those messages. If you can spoof those messages you can cause accidents, you can cause traffic jams, whatever. And so this is a public picture of what the transportation is recommending for their test of this kind of system that they're conducting in Detroit and a couple other

cities, and if you have built this incredibly complicated looking PKI system, which is in fact incredibly complicated. And this is gonna be the largest PKI system ever built: 250 million cars with over a trillion public key certificates in it. And they've done a pretty good job of this, and I've actually skimmed through what I could understand of the, like, 100 page document on it. It seems like it's pretty good. They've got, like, some real crypto experts and stuff. It's got some good things built in, like, so it's got a Misbehavior Authority built right into it. So your car is driving along, it will get certificate revocation lists on a regular basis, so you know that if for

some reason my car is misbehaving and I'm no longer allowed to send messages to other cars, that certificate will be revoked. I'll get it on the next certificate, other cars will get the certificate revocation list, and they'll no longer trust my messages. It also has a couple things for privacy, because people at the Department of Transportation, they figured that the average citizen would be concerned about the privacy of having all this information about their car being broadcast to everybody all the time. But there's a location obscurer proxy, which does exactly what it says: it blocks the location of the car from being able to be figured out based on the network traffic, so you can't essentially do a

traceroute to somebody's car. And then there's the, up here, the pseudonym CA. So it turns out, and I didn't know this, that you can create public key certificates and public key/private key pairs where many different private keys can sign for the same public key, and so that enables all these different cars to sign using our own individual key, but to the system it just looks like one public key that may represent any of thousands of cars. So that helps obfuscate which car is broadcasting which signals where. Otherwise, you can imagine, would be really easy to trace a car as it moves between these different points in a city just based on the messages received by

stop lights or something. So this is actually really good. I think they did a good job designing this and they took a lot of things into consideration, but it's a really massive complex system, and do we know of any massive complex systems that don't have vulnerabilities in them? We know of any simple systems a ton of vulnerabilities in them, probably not. So it's a little bit concerning, but they're really working on it, so it's a good sign. This is just an example of how those messages, like, how far they'll go. So this is a Google Maps with little red circle that shows about the range, and a little black dot, and there was a car right there. So

you're talking about range of like 200 meters, so it's not, you know, that attack surface of the radios themselves, the range isn't very far. The concern is more attacking the certificate authority system itself, because that's, as attackers, that's usually what we do, right? We don't attack the end nodes, we try to attack the systems that run all the credentials if we can. Much rather have domain admin than have just a user's workstation. Now, a couple good things about this. I know everything I've been saying this morning has been bad and made you have bad dreams tonight, but there are a couple good things. This proposed system is only pushing out what are called basic safety messages. They're

just real short things like, hey, I'm slowing down all of a sudden. It's nothing real complicated, and these messages are only one way, so there's no kind of request/response sort of thing. Just, I'm broadcasting my information about my car, you can use it or not as you see fit. You don't wanna trust me, that's fine. It requires internet connectivity, which is both a good and a bad thing. The good thing is that you can push down the certificate revocation lists in real time, so you know as soon as a car or a stop sign or whatever starts misbehaving and sending spoof traffic or bad messages, I can get us thinking revoking their certificate. The

bad thing is that requires internet connectivity, obviously, to get that pushed to you. There's currently no, like, peer-to-peer way to do it over the radios, so as soon as you lose internet connectivity in your car, like if you're driving through a spot where there's no cellphone receptivity, if your car stops actually trusting any certificates until it can reconnect to the internet and get the new CRL. So I can see that as a possible, like, a denial of service or something problem there. And then you currently, you must be enrolled at a dealer. This is obviously not being installed in real cars quite yet, but their plan at the moment is that you would have to take your car to the

dealer, and there's a fairly long process of authorizing your car and saying, yes, this really belongs to this person and all that kind of thing, and downloading all the certificates. So it's a pretty high overhead. They're looking to possibly change that so it's a little easier. All right, a couple of cool things to wrap up here. So this is lidar, it's like radar except uses lasers, and this is one of the main things that autonomous cars use to figure out their environment. This is actually Market Street in San Francisco as seen by a lidar system, and these actually create a pretty accurate picture. Like, there's a lot of details, you can see the rails

going up the street for the street cars and stuff like that. The problem is it's not that difficult to attack these systems directly rather than attacking the network components. So if you just take a regular laser and shine it at the lidar system on the car, you see that it's clay nothing. Now granted, most of the cars have multiple lidar systems on them, so just because you can blind one, assume you can hit the camera with laser, doesn't mean you're going to blind all of them. But if you have an autonomous car driving through the middle of downtown San Francisco, like, I'm concerned of even one with my cameras is not working correctly. And I know Google

and Uber and stuff are working on this, but the fact is there are already known attacks on these autonomous systems. So getting back to the semantic attacks that I mentioned earlier on, that's kind of interesting. So pop quiz: what's this a picture of? A car, yes, a red car. It's really obvious that this is a red car because bright red and it's very car shaped and it stands out from the background really good. So a visual recognition system, that like camera that actually uses visible light waves just like we would see, would be able to figure out that's a car based on machine learning. It looks like all the other cars that's ever seen. This car does not,

so obviously camouflage is intended to trick our visual systems and make us not be able to recognize things. So this vehicle has all these blotches of weirdly shaped color, and the colors kind of blend into the background on the foreground, so our current visual recognition systems will have a very hard time figuring out that that was a car. If this ancient World War Two truck was driving from his building towards an autonomous vehicle, the vehicle might not even realize it was there. So that's a problem if I can't see other cars, but it's also potentially a problem with pedestrians. So it's gonna be really hard for current visual recognition systems on cameras to figure out that those are

pedestrians, again because their outlines are broken up, their weird colors, they blend into the background, etc. And so this is again a semantic attack. If you dressed like this and stood in front of an autonomous car, which I'm not sure why you would want to attack in that way, but assuming you did, what you're doing is you're providing valid information. You're not doing a buffer overflow or anything like that. The camera is accurately recording the colors it sees, the shapes it sees, etc. It's just that when it feeds it into its machine learning inside the car, you're going to override its algorithms for what it thinks a pedestrian looks like. I think it's interesting that you can, you

know, potentially trick these things not using traditional software flaws that we're used to using. Admittedly, if you did this, when you'd be a suicidal attacker and you wouldn't hack anything else, but I'm sure there's some way to abuse that. And these are not just hypothetical. So I just met last week a guy named Dr. Jonathan Petit from Security Innovation, who actually did some of these tests, including the lidar thing and the breaking up cars with blocks of color thing to trick cameras, and has found that these are actual problems in current systems that they're using. He has a bunch of other experiments that he wants to do on other things, but so the point is that there are active

attacks against these systems, even as these systems haven't been deployed yet. Yes?

So that's a good point, and one second notice, okay, yeah, let me talk about that for a second. So the question, if you couldn't hear him, was why are we not hearing about attackers hacking cars and driving people off the street and things like that. For one, I'm not sure there's a motivation necessarily to just drive cars off the street for a lot of hackers. Certainly there's a subset where there is that motivation, but I think the biggest thing is the fact that it's actually really difficult to reverse engineer a car currently. If I want to write an exploit for Windows or Linux, pretty easy. I know, have a good idea, once I've got the vulnerability, I've got an

idea of how to do the shellcode to create an exploit. On cars, how to affect steering wheels and brakes and things like that, it varies definitely from manufacturer to manufacturer, and even between models and even model years. In order to write an exploit that works, it's only going to work on very small subset of cars. So unless you have a known person that has a car that you, and you know the exact year and everything, and you really don't like that person, it's still hard to do that. But I think what we're going to see is, people are already reverse engineering these cars, which is why I have some of the CAN

IDs and things from the Chevy Volt, and we're going to see people putting together exploit kits and putting them out on the internet saying, eh, this is all the information for how to control a Jeep Cherokee or Chevy Volt or whatever. Answer the question?

Alright, so bringing this all together, I actually made of my own pictures. You can probably tell it's not as good as the other pictures. But what we're gonna have is, we're gonna have these cars driving around and going to be talking to the internet all the time, getting its certificate revocation lists, gonna be getting updates to its maps, because self-driving cars are heavily dependent on maps, much more so even than GPS. But it is also going to be getting things from space, like satellite radio and GPS signals. You might think, satellite radio, well, that's not a big deal, like, so somebody hacks it and they force my SiriusXM to play a Taylor

Swift all the time, you know, pretty annoying but not the worst thing that could happen. I don't know, maybe some of you think that is the worst thing that could happen. But the problem is that satellite radio is used in place of cellular, especially on like long-distance trucks and heavy equipment, construction equipment, things like that, because they, in addition to cellular, because they know that they might be in a lot of areas where they will be in areas where there's no cell receptivity. So it's not just radio going over those radios, not just music, it's also this other information that might come from the internet, might come from a satellite, that we've seen vulnerabilities already

in satellite systems that CERT has published on, so this is definitely being exploited for real. The little blue cone that's sticking out the front of the car, that's your automated driver assist system, so the radar and the lidar. We talked about the fact that all of those can be spoofed in some way. Ultrasonic is interesting. Ultrasonic, actually, you can spoof messages without even having any original message go out to the car. And then you've got all these things that are talking to your car, sending messages that it should trust, you know, the V2I and the V2V stuff that I was talking about. But the bottom middle picture is kind of interesting. That's

trucks doing what's called platooning. This is something where these big heavy trucks take advantage of these messages to drive up really close behind one another to take advantage of drafting. You get better gas mileage and stuff, and they can do this because radios in them are talking to each other, so if the first one slows down, the automatic brakes and the other ones behind it can also slow them down far faster than a human could do it. Which is great as long as the system has no security issues. Now somebody brought up, well, would a car or another truck actually try to hack the system in order to get a place in line? I don't know, would the machine

learning system decide that's a good thing to do? So there's potentially issues there. And then the bottom right, I just had to put it for Orion, yeah, yeah, that's mine, yeah, come on, you know where I work, okay, yeah, no comment. All right, so this is the actual report. If you want all the details, this includes things like expected market share and expected amount of revenue in the industry and stuff, so you can go download it from that URL. And I'm going to take questions until they kick me off the stage. Someone back here? So 22 inches to that I guess. So on the one hand, we've already put out some best practices for devices that

plug into your car, and I think that those are going to get formalized, and we're working with the SAE on a more secure OBD2 port, which is the port that a lot of these plug into in your car. And then inside the car, there are a lot of people that are doing research into adding things like firewalls, network segmentation, doing encryption and authentication is in crypto. The difficulty there is that a lot of these ECUs are running on 8-bit or even four-bit processors, but they really can't do AES encryption and things like that. So there's also an SAE standard on cyber security in cars that is, I think, in draft right now and should be coming out

soon. So the good thing is that manufacturers are aware of this, and we're working with a lot of them to try to fix some of these problems, but it's not there yet, and the cars they're putting the security fixes in now aren't gonna be on the road for five years. And I've read estimates that by 2020 we're going to see about, like, 20 million cars, self-driving cars, fully autonomous, on the roads in the US. So it's a question of whether the cars or the security will get here first. Adam?

The question is, with the V2X technologies, would law enforcement use that for things? I'm sure they are going to want to. That's one of the main reasons why DOT designed these location obscurer proxies and the second, ama student couldn't say this word yesterday either, the pseudonym certificate authority, to prevent that information from being collected. Whether they'll be successful in staving off people that want that, I don't know. But I think certainly as far as like speed control and stuff, yes, but wouldn't be surprised if it's essentially impossible to speed in 10 years. On the flip side, they'll probably raise the speed limits because the autonomous systems are adapt a lot faster. Kind of dark in here, so if you're

in the back and you have your hand out, duck. George? So that's something that comes up a lot, yeah.

I say yes, there are known kinetic attacks against cars which are much easier to do than me reverse engineering the unlock codes for the Chevy Volt. The difference, one, is the fact that you can probably do it less traceable, so brick through window causes a pretty big obvious thing. And the other thing is that you can potentially do this at scale. So even ones that have only short-range radio connections, like Bluetooth or Wi-Fi, or connecting to phones or IVI systems or something that are connecting to the internet, you know, Chris and Charlie found that the vulnerability they found in the Jeeps, there's like seven hundred thousand cars on the internet with those. Because Chris and Charlie didn't release

the details of how the Jeep's control systems worked. Yep?

Right, um, well, you can get software kits for specific models of cars, but it's, right, it's per car, yeah, yeah, you can't just buy a bus powder, download Metasploit or something like that. Um, so believe me, I hope that I'm wrong about this, yeah, and we find that there are not security problems. Yeah, I think I do. Um, I said I've been talking to a lot of manufacturers and standards organizations and Department of Transportation, and people really do care about this, largely because of the Jeep hack, love it or hate it. And so I think that people are taking this seriously and we're going to get a handle on it to the degree that we have a handle on car

security already. So it's going to be better than what we have now, which is humans driving cars and killing 30,000 people a year in the U.S. Is it, are there with our be security issues, well, there you can potentially be hacks where people possibly die, probably. And I mean, we kind of know from car security in general, or car safety in general, that it takes a bunch of people dying before manufacturers are actually willing to go to the cost of a recall and fix problems a lot of times, so that's a concern. But yeah, I mean, there's a question of what the impact or risk of this is compared to traditional attacks. Yes?

Yeah, it does, similar to SSL, uses nonces and stuff that are agreed upon in, and it does the same kind of thing where uses the public keys to establish an encrypted connection with Kenny keys that are unique to that session. So it's got similar functions. I mean, my question is more, are the radios themselves secure from attacking outside of that encrypted channel at all? But I don't know yet. Other questions? I don't think I see any hands, so that's it. Thank you very much.

So like to thank Dan is the presenters gift. Also like to thank dampers presentation, and further he is report of Pittsburgh BSides since the beginning in 2011, that's either an organizer, a presenter, or both, and over the past years I'll they stepped down your left organize your role while these continue to support us through submitting sympathies and speaking your winch's and says thanks. This year we have decided to give out one very special badge, watching bolt rubber bag to the end, to think of brawls contributions is a information security community or camera. So like to thank you and this family get you in the whole future BSides Pittsburgh events differ. So bad, so I really appreciate

that guys so please think

I'd also wanted to thank our sponsors again. This time our premier sponsor is tres a sec, platinum is a slimy security risk advisors a lovato was consoling foresight and served. So another round of applause for our visitors. You have a date now. Logistically, we have a break and in about a half hour so sort of