
Thank you. First things first: who am I? I'm a network security architect, currently studying for OCP. I'm a bit of an IT geek and a car nut; you could say I'm the ultimate car hacker, because I built that 13 years ago and it's been upgraded numerous times since. However, it is slightly different from the car I'm going to show you, in that it only has three ECUs in total. The tool which I built, the one shown in the top right-hand corner there, is a data logger I built for that, which uses CAN bus to the ECU so that I can know what the hell is going on in the engine itself. This talk is going to be about car hacking. It's the first infosec-related issue I've ever discovered and disclosed. This is not anything in the league of Chris Valasek and Charlie Miller's Ford, Jeep or Toyota hacks, or Ken Munro's Mitsubishi hack.

In July 2015 I purchased the sixth Citroën I've ever owned, a DS5 1955 Edition. It's a limited edition, had all the toys, all the bells and whistles, and in the middle of the dashboard had a 7-inch touchscreen. You could tether it to your phone and surf the internet on it. Why you'd want to do that when you've got a phone with a perfectly good user interface, I don't know, but it's there. I didn't do anything with it to start with, but in 2016 I was working away from home quite a lot and, you know, got a bit bored, so I thought I'd tether my phone to it and nmap it and see what I could see. Yeah, there were four ports open: 23, 111, 3333 and 20000. The most interesting one there actually is 20000, which is DNP3, which I believe will give you direct access to the CAN bus. However, I currently can't find any information on how to craft a packet to do that, but I have been in communication with someone that actually does industrial control system stuff to find out that information, because they write packet generators for the protocol. But as a network engineer, everyone knows telnet, don't they?

Telnet into the box and, yep, straight in: shell, no authentication, no nothing. Great. There's a slightly better view of the wireless configuration, and there's the details of the actual operating system itself. It's a VxWorks box running on the Freescale i.MX6 Solo. VxWorks is actually the same stuff that runs on the Mars rover, so hopefully they did security slightly better than that. So yeah, I did this in 2016, and at 44CON in 2016 I spoke to Ken Munro about my findings, and he said, well, why haven't you disclosed it to anyone? So I sort of said, well, there's nothing actually I've found, it's only telnet, but I actually explained I didn't want to brick my daily driver. Note to yourself: don't try and hack your daily driver. Twice in the last month I bricked my Jag with all the lights on like a Christmas tree, because I put the CAN bus speed wrong and it just basically bricked itself. Not fun with a 40 grand car, trying to explain that to Jaguar.

However, last year I decided to sell the Citroën, so I thought I'd have a look through the command reference guide and see what commands I could find, so I've had another go. There's a USB port in the centre console, and some of the commands were copy and xcopy, so you could do an xcopy of the file system from the head unit to your USB drive, which is great. On to the contents: all that's used is the USB drive, and in the system data folder there are a load of SQLite databases. Some of them are just placeholders for the user data, which I'll come to in a minute, but other ones have things like the VIN number in, so it's to actually set the head unit up to the car so it knows what car it's talking to. If you opened them, some of them would open fine, other ones would look like they've got a password. It wasn't actually a password, it was just gzipped, but I only found that out later, after I'd actually finished the disclosure process.

The more interesting stuff is the user data. So you've got some of the same user data SQLite files, and you've got a corresponding INF file with each of them. These INF files have a CRC check in them: there's the uncompressed CRC check, and there's the compressed CRC check. The interesting files in there are Agenda SQLite, which just happens to be the entire contents of your phonebook from your phone while you were tethered over Bluetooth, so if anyone gets onto your head unit they know all your contacts, all their names, numbers, absolutely everything. And the other two interesting ones are Navigation SQLite and NavData SQLite. I'll show you the contents of Navigation SQLite: there are two tables in there. LastDestinations, which has, as it says, all the last destinations, including any favourites that you have, home, work, etc., which is great. And it also has Waypoints, which would be anywhere you visited on the way to any of those destinations. So some of the things might be in both tables, some might not. Going on to the actual data inside the SQLite, I have redacted this for my own personal security. Does anyone know where those three locations are? The top one is the building you're in, the second one down is the garage I bought my new car from, and the third one is SteelCon. If anyone has a ticket, let me know; couldn't get one.

So I had to play with the files themselves. Tried to modify a file: managed to swap two characters around and it worked fine, because I didn't know how to recreate the CRC check. If you did any more than swap two characters around, because the CRC check wasn't correct it basically thought it had a blank database, so you lost all your history. So it's not great. But actual physical access is a bit boring, so I had another look through the command reference, and you can actually do the same over wireless. So you have to add your host and create a device: the one indicates FTP, zero would indicate NFS. I didn't actually try NFS, but as long as you get the 0x0 at the bottom after you've run the command, it actually works and has copied your file across. The biggest problem with that is xcopy doesn't work over FTP, so it takes a while.

So on to the disclosure process itself. First of all I wrote up my findings into a document saying what I'd found and how I think the issues are. I contacted Ken Munro to see whether he had any contacts within Peugeot Citroën, which he did, so I sent over a brief outline of what my findings were to them, and they arranged a conference call in very, very strange broken French. So they were trying to speak English; I can't speak a word of French. So I explained my findings and they were like, I don't get it. So, okay, put it this way: you're at McDonald's, your mobile phone is dead and you want to get on the Wi-Fi to find out something you might be doing later on in the evening. So you join the McDonald's Wi-Fi, and anyone that just happens to be on the same Wi-Fi, if it doesn't have client isolation, can get into your box after finding your IP address, telnet in, and find out where you live, etc. After I'd explained that, they sort of got it, but then they had to go away and make sure it just wasn't a fluke. So we gave them a couple of weeks to go away and repeat it, see if they could find that issue on other vehicles.

In the meantime I spoke to Ken Munro again at SteelCon last year, and Peugeot Citroën were actually under the impression that Ken Munro was a bug bounty hunter and we were both trying to extort money out of Peugeot Citroën, which is quite strange, because at the time they were buying GM Europe, Vauxhall and Opel, and General Motors do actually have a bug bounty program. I never actually got anything from Peugeot Citroën, so thanks, great, wonderful. Eventually I had a second conference call with the French, and they had confirmed that they had seen the issue in other vehicles, and their general consensus was it's up to the customer to secure their own Wi-Fi. So we haven't got any authentication, but yeah, it's up to you: if you connect to a crap Wi-Fi, good luck. They did, however, say the next generation of head units being developed at the time were not going to have Wi-Fi chipsets in, and any existing head unit would be disabled at a later date. Okay, what if you paid extra to have this, and they've now disabled it?

Eventually I published my findings on the weekend of DEF CON last year and managed to get a tweet from Charlie Miller himself about my findings, which was... I've got another question: does anyone know who this chap is? Yep, it's the French president, and he just happens to be driven around in the same type of vehicle. So is this not a matter of French national security? Peugeot Citroën didn't think it was. I'd sort of disagree with them personally, because I'm sure nation states might be able to hack the Wi-Fi and the Bluetooth.

Ever since then I've tried to recreate my findings off the car, so I purchased a head unit and screen and stuff, and, if you don't know, it's the little thing in the middle that says Wi-Fi. So I tried to get it working out of the car: fired 12 volts at it, nothing happens, because you need all of that stuff: the instrument cluster, the indicator stalks, the ignition key, the wiring loom, the body control module, and all the bits that you see on the screen there. The plan is to actually create a car-hacking car on a bench so that people can hack it at a conference in the future, once I actually get it working on the bench. So while sorting all this out, I actually tried to get the head unit working offline. Oh, it's working. So that kind of led on to some actual CAN bus bits. Got an Arduino and a Raspberry Pi with a PiCAN hat, sniffed the CAN bus traffic to find out what messages were actually required to turn on the head unit, did a replay of that, and then worked out the five messages that were actually required to get the head unit working. So that then came round to a little Arduino module. The little thing on the left is an Arduino Nano; on the right is a CAN bus controller and transceiver, programmed to control the head unit and send all the correct messages at the right timescales. Wonderful. Note: if you are going to be doing anything with that type of module, which has got the MCP2515, its crystal frequency is 8 MHz. All of the sample code has 16 MHz; if you don't change it, it don't work and you won't get anything.

Eventually it comes to this: it's my head unit on the bench, which, if you want to play with it, I will be around later and it's working down here if you want to have a go at it. Finally, on to thank yous. I'd like to thank my mentor Thomas for his support preparing my first talk. I'd also like to thank Ken; I know he's not here, but I'm sure someone who works with him is. And finally I'd like to thank my missus for putting up with all my rubbish while trying to create a car on a bench. The amount of times when you turn the ignition key it beeps about a dozen times and it's like, are you playing with that again? It's like, stop it. Finally, any questions?
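As an added example (not part of the talk, and not the speaker's code), here is the sniff-then-replay step the speaker describes for the bench head unit, written in Python so it runs offline. It parses a constructed candump-style capture, lists the distinct (ID, payload) pairs so you have a candidate set to narrow down to the handful of frames the unit actually needs, measures how often each ID is broadcast, builds a relative-time schedule for the IDs you decide to keep, and replays it through a sender callback. The capture lines, the arbitration IDs and the payloads are constructed for illustration and are not the DS5's real traffic (the talk does not give the message IDs); the `send` callback is an assumption so the same logic can be wired to python-can's `Bus.send()` or to a serial link to the Arduino.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed candump-style capture (NOT real DS5 traffic): "(timestamp) iface id#data"
SAMPLE_CAPTURE = """\
(1000.000000) can0 036#0E00000000000000
(1000.010000) can0 0F6#8E00000000000000
(1000.100000) can0 036#0E00000000000000
(1000.110000) can0 0F6#8E00000000000000
(1000.150000) can0 128#F0000000
(1000.200000) can0 036#0E00000000000000
(1000.210000) can0 0F6#8E00000000000000
(1000.250000) can0 168#01A0
(1000.300000) can0 036#0E00000000000000
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds (absolute in a capture, relative in a schedule)
    arb_id: int      # CAN arbitration ID
    data: bytes      # 0..8 byte payload (classic CAN)


def parse_capture(text: str) -> List[Frame]:
    """Parse candump log lines into frames; reject anything malformed rather than guess."""
    frames: List[Frame] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        data = bytes.fromhex(m["data"]) if m["data"] else b""
        if len(data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")
        frames.append(Frame(float(m["ts"]), int(m["id"], 16), data))
    return frames


def unique_messages(frames: Iterable[Frame]) -> List[Frame]:
    """Distinct (id, payload) pairs in first-seen order: the set to bisect down to
    the few messages the head unit really needs."""
    seen: Dict[Tuple[int, bytes], float] = {}
    for f in frames:
        seen.setdefault((f.arb_id, f.data), f.ts)
    return [Frame(ts, i, d) for (i, d), ts in seen.items()]


def period_of(frames: Iterable[Frame], arb_id: int) -> Optional[float]:
    """Median interval between broadcasts of one ID (None if seen fewer than twice);
    this is the 'right timescale' the replay must respect."""
    ts = sorted(f.ts for f in frames if f.arb_id == arb_id)
    if len(ts) < 2:
        return None
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    return gaps[len(gaps) // 2]


def build_schedule(frames: Iterable[Frame], keep_ids: Set[int]) -> List[Frame]:
    """Relative-time replay list containing only the kept IDs; first kept frame at t=0."""
    kept = [f for f in frames if f.arb_id in keep_ids]
    if not kept:
        return []
    t0 = kept[0].ts
    return [Frame(f.ts - t0, f.arb_id, f.data) for f in kept]


def replay(schedule: Iterable[Frame],
           send: Callable[[int, bytes], None],
           sleep: Callable[[float], None] = time.sleep) -> int:
    """Send frames preserving the captured relative timing; returns the number sent.
    `send` is the assumed transport hook (e.g. a python-can Bus.send wrapper)."""
    elapsed = 0.0
    sent = 0
    for f in schedule:
        if f.ts > elapsed:
            sleep(f.ts - elapsed)
            elapsed = f.ts
        send(f.arb_id, f.data)
        sent += 1
    return sent


if __name__ == "__main__":
    cap = parse_capture(SAMPLE_CAPTURE)
    for u in unique_messages(cap):
        print(f"0x{u.arb_id:03X} {u.data.hex()} every {period_of(cap, u.arb_id)} s")
    # Dry run: print instead of transmitting, and skip the real sleeps.
    replay(build_schedule(cap, {0x036, 0x0F6}),
           send=lambda i, d: print(f"TX 0x{i:03X} {d.hex()}"),
           sleep=lambda s: None)
```

In practice you run the capture through `unique_messages` and `period_of` first, then bisect `keep_ids` until the head unit stops waking; the surviving set is your equivalent of the speaker's five messages, and the schedule's gaps are the intervals the Arduino has to reproduce.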