[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:17.29,Default,,0000,0000,0000,,Herald: The second thing I wanted to\Nannounce: there is no scooter sharing. Dialogue: 0,0:00:17.29,0:00:35.86,Default,,0000,0000,0000,,Which brings me to the next talk. We tend\Nto need kind of a security concept for not Dialogue: 0,0:00:35.86,0:00:43.16,Default,,0000,0000,0000,,scooter sharing. So the easiest way would\Nbe to have kind of a scooter lock. But we Dialogue: 0,0:00:43.16,0:00:50.86,Default,,0000,0000,0000,,have the lock picking guys. So that won't\Nwork. So the next option would be we can Dialogue: 0,0:00:50.86,0:00:58.36,Default,,0000,0000,0000,,have a GPS tracker, but we have the GPS\Nspoofing guys. Which isn't also that good. Dialogue: 0,0:00:58.36,0:01:06.60,Default,,0000,0000,0000,,A third option would be an immobilization\Nsystem. We have Wouter Bokslag. Thank you. Dialogue: 0,0:01:06.60,0:01:10.80,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:01:10.80,0:01:15.66,Default,,0000,0000,0000,,Wouter: Hi. Thank you for the\Nintroduction. Thank you guys for the warm Dialogue: 0,0:01:15.66,0:01:20.64,Default,,0000,0000,0000,,welcome. I'm really happy to see that\Nstill some people have come together here Dialogue: 0,0:01:20.64,0:01:27.90,Default,,0000,0000,0000,,at this ungodly hour to watch my talk\Nabout vehicle immobilization. Well, Dialogue: 0,0:01:27.90,0:01:34.40,Default,,0000,0000,0000,,briefly something about me. I'm a\NKerckhoff security master. And the Dialogue: 0,0:01:34.40,0:01:41.31,Default,,0000,0000,0000,,research I will be presenting today, I did\Nas my master's thesis. So I spent about Dialogue: 0,0:01:41.31,0:01:47.20,Default,,0000,0000,0000,,half a year analyzing various systems and\NI wrote something about that. And if you Dialogue: 0,0:01:47.20,0:01:53.76,Default,,0000,0000,0000,,want to read the full story, you can look\Nat my thesis, which is public since some Dialogue: 0,0:01:53.76,0:01:58.97,Default,,0000,0000,0000,,time now. And there's more detail there.\NI'm currently working as an automotive Dialogue: 0,0:01:58.97,0:02:05.50,Default,,0000,0000,0000,,engineer. And if you feel like asking me\Nquestions besides the Q&A, you can always Dialogue: 0,0:02:05.50,0:02:12.54,Default,,0000,0000,0000,,contact me by mail. So first, responsible\Ndisclosure. This kind of stuff is not a Dialogue: 0,0:02:12.54,0:02:19.52,Default,,0000,0000,0000,,joke. Automotive manufacturers think it is\Nvery important. And, well, they have a Dialogue: 0,0:02:19.52,0:02:27.56,Default,,0000,0000,0000,,reason to think so. So naturally we\Ncontacted them ahead of publication even Dialogue: 0,0:02:27.56,0:02:35.23,Default,,0000,0000,0000,,before my defense and we laid out the\Nfindings and I had a couple of conference Dialogue: 0,0:02:35.23,0:02:42.96,Default,,0000,0000,0000,,calls with the manufacturers. And I even\Nwent to one of them to demonstrate the Dialogue: 0,0:02:42.96,0:02:50.72,Default,,0000,0000,0000,,findings on premise. I need to point out\Nthat the research that I did was on fairly Dialogue: 0,0:02:50.72,0:02:57.60,Default,,0000,0000,0000,,old vehicles like 2009 and around. But for\Nthe three cases that I really went in Dialogue: 0,0:02:57.60,0:03:04.16,Default,,0000,0000,0000,,depth we have been able to confirm that\Nthey are still in currently produced Dialogue: 0,0:03:04.16,0:03:09.01,Default,,0000,0000,0000,,models. So this in itself is kind of\Nsurprising because you think automotive, Dialogue: 0,0:03:09.01,0:03:15.70,Default,,0000,0000,0000,,cars, electronics, security, it's a fast\Nmoving industry, but well, no, not really. Dialogue: 0,0:03:15.70,0:03:22.10,Default,,0000,0000,0000,,So everything that was in cars in 2009, at\Nleast regarding to these three systems, Dialogue: 0,0:03:22.10,0:03:27.58,Default,,0000,0000,0000,,can still be found in currently produced\Nmodels. I will disclose the vehicles that Dialogue: 0,0:03:27.58,0:03:34.00,Default,,0000,0000,0000,,I've been working on, because I think that\Nis relevant. I hope you can forgive me Dialogue: 0,0:03:34.00,0:03:38.79,Default,,0000,0000,0000,,that I'm not going to disclose the\Nvehicles that I have identified these Dialogue: 0,0:03:38.79,0:03:43.82,Default,,0000,0000,0000,,systems in that are still being produced.\NI'm not really into facilitating theft and Dialogue: 0,0:03:43.82,0:03:50.78,Default,,0000,0000,0000,,I don't see what would be the added value.\NSo the talk will be structured as follows: Dialogue: 0,0:03:50.78,0:03:58.00,Default,,0000,0000,0000,,I will first introduce some standard stuff\Nabout immobilization systems and about Dialogue: 0,0:03:58.00,0:04:04.80,Default,,0000,0000,0000,,computer networks inside vehicles. I will\Ntell you something about how I addressed Dialogue: 0,0:04:04.80,0:04:10.90,Default,,0000,0000,0000,,the challenge. So for all three models, I\Nkind of followed a similar approach and I Dialogue: 0,0:04:10.90,0:04:16.12,Default,,0000,0000,0000,,think it's more practical to lay that out\Nonce and then skip the details later on. Dialogue: 0,0:04:16.12,0:04:21.47,Default,,0000,0000,0000,,And then I will present the three\Nprotocols that I uncovered in a Peugeot, a Dialogue: 0,0:04:21.47,0:04:27.19,Default,,0000,0000,0000,,Fiat and an Opel vehicle. I will then\Nsummarize the findings in a series of Dialogue: 0,0:04:27.19,0:04:34.74,Default,,0000,0000,0000,,takeaways and there will be some time for\Nquestions. Right. So modern vehicles are Dialogue: 0,0:04:34.74,0:04:41.38,Default,,0000,0000,0000,,full of electronics and full of computer\Nsystems. They operate largely independent. Dialogue: 0,0:04:41.38,0:04:47.35,Default,,0000,0000,0000,,They are all connected through a variety\Nof different buses that talk to each other Dialogue: 0,0:04:47.35,0:04:53.47,Default,,0000,0000,0000,,with different protocols. And there is a\Nplethora of different standards, ISO Dialogue: 0,0:04:53.47,0:04:59.06,Default,,0000,0000,0000,,standards, all kinds of standards. And\Nthen the manufacturer wants a lot of Dialogue: 0,0:04:59.06,0:05:05.01,Default,,0000,0000,0000,,freedom to, well, do it in their own way.\NSo even if you read these hundreds of Dialogue: 0,0:05:05.01,0:05:11.92,Default,,0000,0000,0000,,pages of standards, still every vehicle\Nyou will look at will be kind of Dialogue: 0,0:05:11.92,0:05:20.11,Default,,0000,0000,0000,,different. There are some practical\Nhandles that you can use, and one of them Dialogue: 0,0:05:20.11,0:05:29.59,Default,,0000,0000,0000,,is that every car has a OBD-II port. Yeah,\Nthis is required by law, both in the US Dialogue: 0,0:05:29.59,0:05:38.18,Default,,0000,0000,0000,,and in Europe for quite some time now. And\Nit needs to be conveniently located and Dialogue: 0,0:05:38.18,0:05:44.83,Default,,0000,0000,0000,,that is very near the driver's seat. So\Nthis is a universal connector and all cars Dialogue: 0,0:05:44.83,0:05:50.18,Default,,0000,0000,0000,,with a combustion engine need to have one.\NAnd cars with electronic engines also need Dialogue: 0,0:05:50.18,0:05:55.76,Default,,0000,0000,0000,,to have one. But the functionality that\Nhas to be implemented is much more Dialogue: 0,0:05:55.76,0:06:04.21,Default,,0000,0000,0000,,limited. So in regular internal combustion\Nengine powered cars, you have to be able Dialogue: 0,0:06:04.21,0:06:10.65,Default,,0000,0000,0000,,to read out emissions data and that kind\Nof stuff. So many manufacturers felt this Dialogue: 0,0:06:10.65,0:06:17.16,Default,,0000,0000,0000,,was a very convenient thing to also use\Nfor garage purposes, for workshops to read Dialogue: 0,0:06:17.16,0:06:23.75,Default,,0000,0000,0000,,out error codes, to perform all kinds of\Nroutines on vehicles. You might need to Dialogue: 0,0:06:23.75,0:06:30.37,Default,,0000,0000,0000,,teach new keys to your car if you lost one\Nor if you just want a third one. If you Dialogue: 0,0:06:30.37,0:06:35.72,Default,,0000,0000,0000,,add a towbar to your car, you need to tell\Na couple of ECUs in the car that it now Dialogue: 0,0:06:35.72,0:06:42.34,Default,,0000,0000,0000,,has a towbar. Depends on the vehicle, but\Ntelling this to 5 individual ECUs is not Dialogue: 0,0:06:42.34,0:06:48.67,Default,,0000,0000,0000,,an exception. And since it is a bus, the\NCAN bus, it can be directly addressed Dialogue: 0,0:06:48.67,0:06:53.100,Default,,0000,0000,0000,,through the OBD connector on many vehicles\Nand you can talk to a lot of different Dialogue: 0,0:06:53.100,0:06:59.44,Default,,0000,0000,0000,,components. So the ECM, the Engine Control\NModule, is one, the body control module is Dialogue: 0,0:06:59.44,0:07:04.83,Default,,0000,0000,0000,,another. That one controls, for instance,\Npowered windows and all kinds of interior Dialogue: 0,0:07:04.83,0:07:13.54,Default,,0000,0000,0000,,stuff, but also the airbag, infotainment\Nsystem, fancy interior lighting, stability Dialogue: 0,0:07:13.54,0:07:21.88,Default,,0000,0000,0000,,control systems. Another feature of it\Nbeing a bus is that you can also see the Dialogue: 0,0:07:21.88,0:07:28.46,Default,,0000,0000,0000,,inter-component communication. So if the\Ninstrument panel cluster, the dashboard, Dialogue: 0,0:07:28.46,0:07:36.07,Default,,0000,0000,0000,,needs to talk to, say, the body control\Nmodule, you can see that packet going over Dialogue: 0,0:07:36.07,0:07:42.50,Default,,0000,0000,0000,,the CAN bus. All my research has been\Nfocused on this OBD-II connector and what Dialogue: 0,0:07:42.50,0:07:49.17,Default,,0000,0000,0000,,you can do and what you can see from this\Nperspective. Immobilizer systems are Dialogue: 0,0:07:49.17,0:07:56.41,Default,,0000,0000,0000,,nowadays required to be implemented in\Nvehicles. Since the late 90s, legislation Dialogue: 0,0:07:56.41,0:08:02.62,Default,,0000,0000,0000,,has been adopted in both the States and\NEurope, mandating the use of an electronic Dialogue: 0,0:08:02.62,0:08:09.70,Default,,0000,0000,0000,,immobilization system. And the purpose, of\Ncourse, was to reduce the risk of theft. Dialogue: 0,0:08:09.70,0:08:17.00,Default,,0000,0000,0000,,This is proven to be effective: According\Nto one study, theft rates dropped by Dialogue: 0,0:08:17.00,0:08:26.01,Default,,0000,0000,0000,,almost 40% in, I think, a 7 year span they\Nbased their data on. This is because car Dialogue: 0,0:08:26.01,0:08:33.83,Default,,0000,0000,0000,,theft used to be quite simple. You could\Njust put two wires together and you could Dialogue: 0,0:08:33.83,0:08:39.12,Default,,0000,0000,0000,,power the starting circuit and you could\Nactually start the engine. And the Dialogue: 0,0:08:39.12,0:08:45.23,Default,,0000,0000,0000,,immobilizer system adds another step to\Nthat. The engine control module that Dialogue: 0,0:08:45.23,0:08:50.96,Default,,0000,0000,0000,,finally controls the engine wants to have\Nsome kind of assurance that the key Dialogue: 0,0:08:50.96,0:08:55.85,Default,,0000,0000,0000,,presented in the system is actually valid\Nand does so by validating a security Dialogue: 0,0:08:55.85,0:09:01.74,Default,,0000,0000,0000,,transponder. First generations of these\Nsecurity transponders have been widely Dialogue: 0,0:09:01.74,0:09:08.12,Default,,0000,0000,0000,,studied and often were found insecure. Of\Ncourse this is a problem because well, if Dialogue: 0,0:09:08.12,0:09:13.28,Default,,0000,0000,0000,,it's insecure, it doesn't add any security\Nand cars can be stolen nonetheless. So Dialogue: 0,0:09:13.28,0:09:17.72,Default,,0000,0000,0000,,there has been kind of an arms race in\Nthis domain and we see that nowadays Dialogue: 0,0:09:17.72,0:09:24.09,Default,,0000,0000,0000,,security transponders have become a lot\Nbetter. Your car might even use AES to Dialogue: 0,0:09:24.09,0:09:31.62,Default,,0000,0000,0000,,validate that the key you're putting in\Nthe ignition is an actual key that is Dialogue: 0,0:09:31.62,0:09:37.71,Default,,0000,0000,0000,,recognized by your vehicle. And this is\Nreally necessary because car thieves have Dialogue: 0,0:09:37.71,0:09:43.21,Default,,0000,0000,0000,,shown to be able to wield quite high tech\Nsolutions, procure them from shady Dialogue: 0,0:09:43.21,0:09:51.44,Default,,0000,0000,0000,,companies or just use official tools that\Ncan be used in illegitimate ways. A nice Dialogue: 0,0:09:51.44,0:09:58.05,Default,,0000,0000,0000,,example of this is shown here. For certain\Nmodels of Range Rover, they have a blind Dialogue: 0,0:09:58.05,0:10:03.93,Default,,0000,0000,0000,,spot sensor, so you can see if there is a\Ncar in your blind spot. And if you pop off Dialogue: 0,0:10:03.93,0:10:09.50,Default,,0000,0000,0000,,a cap, then you can connect a 12V battery,\Npower the internal ECUs of the vehicle. Dialogue: 0,0:10:09.50,0:10:15.29,Default,,0000,0000,0000,,Then you can access the CAN bus, put the\Ncar into key teaching mode and hold a Dialogue: 0,0:10:15.29,0:10:20.86,Default,,0000,0000,0000,,blank key to the window and it will\Nprogram the key and recognize it as a Dialogue: 0,0:10:20.86,0:10:24.56,Default,,0000,0000,0000,,valid key. Well, needless to say, this was\Nnot intended behavior Dialogue: 0,0:10:24.56,0:10:27.71,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:10:27.71,0:10:33.25,Default,,0000,0000,0000,,and this has had consequences for\Nconsumers. Because insurance companies saw Dialogue: 0,0:10:33.25,0:10:38.89,Default,,0000,0000,0000,,a rise in theft for these models - these\Nare quite expensive cars - and they Dialogue: 0,0:10:38.89,0:10:45.36,Default,,0000,0000,0000,,started adding demands before they would\Nallow you to insure your car. So the Dialogue: 0,0:10:45.36,0:10:51.07,Default,,0000,0000,0000,,insurance would get more expensive or you\Nwould not be able to get the insurance if Dialogue: 0,0:10:51.07,0:10:57.49,Default,,0000,0000,0000,,at least at your own home, you couldn't\Npark it in a secured area. There is a Dialogue: 0,0:10:57.49,0:11:05.35,Default,,0000,0000,0000,,common misconception about how immobilizer\Nsystems work, and it's actually one of the Dialogue: 0,0:11:05.35,0:11:10.09,Default,,0000,0000,0000,,reasons I want to give this talk and\Npresent this, because I think it's Dialogue: 0,0:11:10.09,0:11:16.61,Default,,0000,0000,0000,,important to realize that an immobilizer\Nsystem is a bit more complicated than the Dialogue: 0,0:11:16.61,0:11:23.44,Default,,0000,0000,0000,,single cryptographic step that seems\Nlogical. So what you might think is that Dialogue: 0,0:11:23.44,0:11:28.25,Default,,0000,0000,0000,,the engine control module sends a\Nchallenge to the body control module, Dialogue: 0,0:11:28.25,0:11:34.28,Default,,0000,0000,0000,,which communicates with the key. It\Nimplements the radio layer and it can then Dialogue: 0,0:11:34.28,0:11:41.22,Default,,0000,0000,0000,,relay the challenge to the key. The key\Ncan compute the proper response based on a Dialogue: 0,0:11:41.22,0:11:47.10,Default,,0000,0000,0000,,secret it shares with ECM, send back the\Nresponse, which the BCM will in turn Dialogue: 0,0:11:47.10,0:11:52.100,Default,,0000,0000,0000,,forward to the ECM. The ECM can verify the\Nvalidity, and if this seems to be the Dialogue: 0,0:11:52.100,0:11:58.56,Default,,0000,0000,0000,,right response, immobilization is\Ndeactivated and the car can start. Sounds Dialogue: 0,0:11:58.56,0:12:05.100,Default,,0000,0000,0000,,good. Sounds easy, but this is in modern\Ncars no longer the case. 'course. What we Dialogue: 0,0:12:05.100,0:12:12.96,Default,,0000,0000,0000,,see is that there is a second step. The\NECM does an authentication with the BCM. Dialogue: 0,0:12:12.96,0:12:20.22,Default,,0000,0000,0000,,The BCM does an authentication with the\Nkey. So if your key uses say AES for its Dialogue: 0,0:12:20.22,0:12:28.45,Default,,0000,0000,0000,,authentication, then this will be an AES\Nsecured authentication between the BCM and Dialogue: 0,0:12:28.45,0:12:34.31,Default,,0000,0000,0000,,the key. The BCM, if it can validate the\Nlegitimacy of the key, will then send the Dialogue: 0,0:12:34.31,0:12:38.92,Default,,0000,0000,0000,,correct response to the engine control\Nmodule. But this is a whole different Dialogue: 0,0:12:38.92,0:12:45.20,Default,,0000,0000,0000,,protocol, using different cryptographic\Nprimitives, using different keys, Dialogue: 0,0:12:45.20,0:12:52.53,Default,,0000,0000,0000,,sometimes, often, don't know. And more\Nimportantly, it has not yet been covered. Dialogue: 0,0:12:52.53,0:12:58.34,Default,,0000,0000,0000,,So in the scientific literature, I have\Nfound absolutely zero reference of this Dialogue: 0,0:12:58.34,0:13:04.19,Default,,0000,0000,0000,,step being identified. And here and there\Nyou find a reference that people know that Dialogue: 0,0:13:04.19,0:13:10.80,Default,,0000,0000,0000,,this happens, but no actual analysis of\Nthe security or the cryptographic Dialogue: 0,0:13:10.80,0:13:18.55,Default,,0000,0000,0000,,primitives involved. Right. So that is an\Nopen question then and asks for further Dialogue: 0,0:13:18.55,0:13:24.81,Default,,0000,0000,0000,,research. So how do you do that? You can\Nsniff CAN traffic from the OBD connector Dialogue: 0,0:13:24.81,0:13:31.99,Default,,0000,0000,0000,,with tooling. And by disconnecting ECUs\Nand placing yourself in the middle you can Dialogue: 0,0:13:31.99,0:13:38.58,Default,,0000,0000,0000,,also modify CAN traffic. You can analyze\Nthis CAN traffic, see if you can find Dialogue: 0,0:13:38.58,0:13:44.32,Default,,0000,0000,0000,,immobilizer-related messages. And of\Ncourse, by the messages, you cannot deduce Dialogue: 0,0:13:44.32,0:13:48.82,Default,,0000,0000,0000,,the algorithm, most of the time. So you\Nwill need a firmware image or something Dialogue: 0,0:13:48.82,0:13:54.06,Default,,0000,0000,0000,,else you can reverse engineer to actually\Nfind the code that does the magic stuff. Dialogue: 0,0:13:54.06,0:13:59.38,Default,,0000,0000,0000,,If you have that and if you are able to\Npinpoint where the algorithm is, then you Dialogue: 0,0:13:59.38,0:14:04.65,Default,,0000,0000,0000,,can start looking at if it's actually\Ndecent. And once you are all there you Dialogue: 0,0:14:04.65,0:14:10.70,Default,,0000,0000,0000,,will want to test if all the assumptions\Nyou've made on the way are correct and if Dialogue: 0,0:14:10.70,0:14:15.30,Default,,0000,0000,0000,,it's actually working as you think it's\Nworking. So the first step, protocol Dialogue: 0,0:14:15.30,0:14:19.88,Default,,0000,0000,0000,,identification, is actually quite\Nstraightforward because you have some Dialogue: 0,0:14:19.88,0:14:26.46,Default,,0000,0000,0000,,knowledge. You know that this is a message\Nexchange that happens when you switch the Dialogue: 0,0:14:26.46,0:14:32.42,Default,,0000,0000,0000,,ignition to the on position. And you know\Nthat there must be at least two high Dialogue: 0,0:14:32.42,0:14:37.35,Default,,0000,0000,0000,,entropy messages because the challenge has\Nto be different every time. And the Dialogue: 0,0:14:37.35,0:14:40.97,Default,,0000,0000,0000,,response is the output of some\Ncryptographic function. So it may be Dialogue: 0,0:14:40.97,0:14:46.37,Default,,0000,0000,0000,,expected that that looks quite random,\Ntoo. Also, if you switch the ignition on Dialogue: 0,0:14:46.37,0:14:52.13,Default,,0000,0000,0000,,but no valid transponder is present, you\Nshould be able to detect some kind of Dialogue: 0,0:14:52.13,0:14:55.92,Default,,0000,0000,0000,,difference. And it will probably be the\Nvery first moment you observe a Dialogue: 0,0:14:55.92,0:15:01.04,Default,,0000,0000,0000,,difference, because before that point, the\Ncar didn't know there was no valid Dialogue: 0,0:15:01.04,0:15:06.57,Default,,0000,0000,0000,,transponder. So with a bit of fiddling and\Nsome patience and going through CAN Dialogue: 0,0:15:06.57,0:15:12.51,Default,,0000,0000,0000,,traffic logs, you can probably find this.\NOK. Next step is to get a firmware image Dialogue: 0,0:15:12.51,0:15:19.09,Default,,0000,0000,0000,,in which you hope to be able to find the\Nactual cryptographic protocol. So there Dialogue: 0,0:15:19.09,0:15:24.78,Default,,0000,0000,0000,,are several options. Of course you already\Nhave the firmware, but it's in the Dialogue: 0,0:15:24.78,0:15:30.70,Default,,0000,0000,0000,,microcontroller in an ECU that is either\Nlying on your desk or inside some vehicle. Dialogue: 0,0:15:30.70,0:15:38.19,Default,,0000,0000,0000,,So you could try to get it straight out of\Nthat device. Debugging headers are a good Dialogue: 0,0:15:38.19,0:15:44.88,Default,,0000,0000,0000,,option. You have JTAG, you have BDM, UART\Noccasionally can be used, but sometimes Dialogue: 0,0:15:44.88,0:15:49.85,Default,,0000,0000,0000,,these are deactivated. Sometimes it just\Ndoesn't seem to work. Sometimes the Dialogue: 0,0:15:49.85,0:15:55.04,Default,,0000,0000,0000,,tooling is prohibitively expensive. So if\Nthat doesn't work, you can always go to Dialogue: 0,0:15:55.04,0:16:00.31,Default,,0000,0000,0000,,the internet. Some manufacturers provide a\Nmeans to download a set of information Dialogue: 0,0:16:00.31,0:16:06.90,Default,,0000,0000,0000,,about the vehicle based on its VIN number.\NYou can find all kinds of configurations, Dialogue: 0,0:16:06.90,0:16:13.10,Default,,0000,0000,0000,,you might be able to find actual parts or\Nfull firmwares, often encrypted, not Dialogue: 0,0:16:13.10,0:16:18.51,Default,,0000,0000,0000,,always. And then there is the tuning\Nscene. And while you might think of neon Dialogue: 0,0:16:18.51,0:16:23.27,Default,,0000,0000,0000,,lighting and stuff like that, these guys\Nare actually pretty knowledgeable about Dialogue: 0,0:16:23.27,0:16:28.48,Default,,0000,0000,0000,,the internals of engine control modules in\Nparticular. And you might just be able to Dialogue: 0,0:16:28.48,0:16:34.72,Default,,0000,0000,0000,,find a full firmware image or parts of it\Nor some model that is highly related. And Dialogue: 0,0:16:34.72,0:16:40.31,Default,,0000,0000,0000,,this is kind of a viable approach to\Ngetting your hands on the firmware. But Dialogue: 0,0:16:40.31,0:16:45.01,Default,,0000,0000,0000,,also very practical can be to just\Nleverage the functionality that is Dialogue: 0,0:16:45.01,0:16:51.56,Default,,0000,0000,0000,,implemented in the ECU. The ECU allows for\Ndiagnostic commands such as read memory by Dialogue: 0,0:16:51.56,0:16:59.92,Default,,0000,0000,0000,,address and request upload, which from the\Nperspective of an ECU is sending new data. Dialogue: 0,0:16:59.92,0:17:07.40,Default,,0000,0000,0000,,And you might be able to just dump the\Nwhole firmware or dump memory or dump at Dialogue: 0,0:17:07.40,0:17:13.82,Default,,0000,0000,0000,,least parts of the the internals of the\NECU. Then there is some kind of mechanism Dialogue: 0,0:17:13.82,0:17:19.69,Default,,0000,0000,0000,,that's called second bootloader. It's a\Nsort of standard. Not every manufacturer Dialogue: 0,0:17:19.69,0:17:26.50,Default,,0000,0000,0000,,implements it, but quite some do. That\Nallows you to actually send binary code to Dialogue: 0,0:17:26.50,0:17:33.62,Default,,0000,0000,0000,,the ECU. And it then jumps to it. So very\Nconvenient functionality. It's maybe very Dialogue: 0,0:17:33.62,0:17:38.60,Default,,0000,0000,0000,,painstaking to get it working, but yeah,\Nit's basically free code execution. Except Dialogue: 0,0:17:38.60,0:17:42.92,Default,,0000,0000,0000,,for the fact that you often need to\Nauthenticate before you're allowed to use Dialogue: 0,0:17:42.92,0:17:47.02,Default,,0000,0000,0000,,such functionality. So that might leave\Nyou with some kind of chicken and egg Dialogue: 0,0:17:47.02,0:17:51.22,Default,,0000,0000,0000,,problem, because you don't know how to\Nauthenticate, you don't have the algorithm Dialogue: 0,0:17:51.22,0:17:56.41,Default,,0000,0000,0000,,for this authentication. And lastly, there\Nare sometimes firmware updates for ECUs Dialogue: 0,0:17:56.41,0:18:02.68,Default,,0000,0000,0000,,and you might be able to use an official\Ndealer tool, you might be able to sniff Dialogue: 0,0:18:02.68,0:18:08.61,Default,,0000,0000,0000,,CAN traffic. Multiple ways of trying to\Nupdate the firmware on your ECU Dialogue: 0,0:18:08.61,0:18:12.93,Default,,0000,0000,0000,,reconstructed from the CAN traffic. Once\Nmore, you have to go through an ISO Dialogue: 0,0:18:12.93,0:18:18.12,Default,,0000,0000,0000,,standard before you understand how it's\Nexactly chunked in 8 byte messages, but Dialogue: 0,0:18:18.12,0:18:25.16,Default,,0000,0000,0000,,you'll get there eventually. So once you\Nhave this firmware, you have to pinpoint Dialogue: 0,0:18:25.16,0:18:30.09,Default,,0000,0000,0000,,the cryptographic algorithm and ECU\Nfirmwares are typically between half a Dialogue: 0,0:18:30.09,0:18:35.06,Default,,0000,0000,0000,,megabyte and 2 megabytes. And that is a\Nlot, if we're talking assembly. And the Dialogue: 0,0:18:35.06,0:18:41.18,Default,,0000,0000,0000,,information density is extremely low. And\Nif you have to go through it line by line, Dialogue: 0,0:18:41.18,0:18:46.71,Default,,0000,0000,0000,,it's hardly doable. So you need to have\Nsome tricks. I think we're at a conference Dialogue: 0,0:18:46.71,0:18:51.47,Default,,0000,0000,0000,,where we've seen a lot of reverse\Nengineering. So this is not going to be my Dialogue: 0,0:18:51.47,0:18:56.36,Default,,0000,0000,0000,,focus during this talk, but a couple of\Npointers. Maybe someone is helped by that. Dialogue: 0,0:18:56.36,0:19:01.17,Default,,0000,0000,0000,,Of course, you know the protocol because\Nyou have observed CAN traffic. So you can Dialogue: 0,0:19:01.17,0:19:07.18,Default,,0000,0000,0000,,search for immediate values, for numerical\Nvalues that are used in the protocol to Dialogue: 0,0:19:07.18,0:19:13.82,Default,,0000,0000,0000,,designate a packet type, for instance. It\Nmust be in the firmware somewhere. Also, Dialogue: 0,0:19:13.82,0:19:18.71,Default,,0000,0000,0000,,you know that crypto usually uses XOR\Ninstructions and you would be surprised Dialogue: 0,0:19:18.71,0:19:23.55,Default,,0000,0000,0000,,how little XOR instructions there are in a\Nfirmware. Depending on the architecture, Dialogue: 0,0:19:23.55,0:19:28.34,Default,,0000,0000,0000,,you might immediately dismiss most of\Nthose as a single bit flip or maybe Dialogue: 0,0:19:28.34,0:19:34.29,Default,,0000,0000,0000,,inversion of a whole register, and then\Nyou will find some XORs with either weird Dialogue: 0,0:19:34.29,0:19:40.34,Default,,0000,0000,0000,,constants or variables. So those are\Npoints to focus on. Lastly, you can make Dialogue: 0,0:19:40.34,0:19:46.91,Default,,0000,0000,0000,,some assumptions on the structure of the\Ncryptographic function, so it certainly Dialogue: 0,0:19:46.91,0:19:53.03,Default,,0000,0000,0000,,doesn't do IO, it will not invoke a lot of\Nother external functions, maybe some round Dialogue: 0,0:19:53.03,0:19:57.91,Default,,0000,0000,0000,,function once or twice, maybe some\Ninitialization. It will probably have some Dialogue: 0,0:19:57.91,0:20:03.53,Default,,0000,0000,0000,,loops and you can sometimes recognize the\Nlength of the challenge. You can sometimes Dialogue: 0,0:20:03.53,0:20:09.04,Default,,0000,0000,0000,,recognize the length of the response. That\Nbeing said, let's dive in the first case Dialogue: 0,0:20:09.04,0:20:15.57,Default,,0000,0000,0000,,study. So I reverse engineered the Peugeot\N207, which is, as I said, not the most Dialogue: 0,0:20:15.57,0:20:21.62,Default,,0000,0000,0000,,recent of vehicles. And this was my test\Nsetup. It doesn't look like much, but Dialogue: 0,0:20:21.62,0:20:27.41,Default,,0000,0000,0000,,everything that's relevant to me is there.\NAnd you can toggle the ignition and lights Dialogue: 0,0:20:27.41,0:20:32.43,Default,,0000,0000,0000,,will show and all the ECUs are connected\Nthrough a CAN bus and an OBD connector Dialogue: 0,0:20:32.43,0:20:39.22,Default,,0000,0000,0000,,that you can see on the left side of the\Ninstrument panel. And I investigated a Dialogue: 0,0:20:39.22,0:20:46.44,Default,,0000,0000,0000,,tool that had a kind of peculiar function\Nand that is that you could obtain the Dialogue: 0,0:20:46.44,0:20:51.06,Default,,0000,0000,0000,,vehicle PIN - some kind of secret you\Nneeded to authenticate for diagnostics - Dialogue: 0,0:20:51.06,0:20:56.50,Default,,0000,0000,0000,,by connecting this tool and toggling the\Nignition a couple of times. So that kind Dialogue: 0,0:20:56.50,0:21:00.86,Default,,0000,0000,0000,,of gives you a hunch that the\Nimmobilization system might be involved, Dialogue: 0,0:21:00.86,0:21:07.22,Default,,0000,0000,0000,,because it's triggered upon toggling the\Nignition, and that you can derive in some Dialogue: 0,0:21:07.22,0:21:14.56,Default,,0000,0000,0000,,way the vehicle pin from this. So for this\NPeugeot and for most BSA vehicles in Dialogue: 0,0:21:14.56,0:21:21.22,Default,,0000,0000,0000,,general, the PIN is a four digit uppercase\Nand numeric code excluding the O and I, Dialogue: 0,0:21:21.22,0:21:27.19,Default,,0000,0000,0000,,because that would be confusing. So that\Nleaves us with roughly one point three Dialogue: 0,0:21:27.19,0:21:33.83,Default,,0000,0000,0000,,million keys, which is nothing in terms of\Ncrypto. I finally reversed the algorithm. Dialogue: 0,0:21:33.83,0:21:40.56,Default,,0000,0000,0000,,It is obviously in the engine control\Nmodule and the body control module. And Dialogue: 0,0:21:40.56,0:21:46.02,Default,,0000,0000,0000,,the main part looked like, oh wait, wait\Nfor it. And the protocol looks like this. Dialogue: 0,0:21:46.02,0:21:51.94,Default,,0000,0000,0000,,So if you observe CAN traffic, you will\Nsee that some CAN ID 72. On that ID is Dialogue: 0,0:21:51.94,0:21:58.68,Default,,0000,0000,0000,,sent a message that starts with 00 and\Nthen followed by a 4 byte challenge. And Dialogue: 0,0:21:58.68,0:22:04.83,Default,,0000,0000,0000,,if the BCM is able to verify that a valid\Nkey is present, it will respond with 04 Dialogue: 0,0:22:04.83,0:22:11.88,Default,,0000,0000,0000,,and a four byte response. So this is a\Nvery small, straightforward protocol, Dialogue: 0,0:22:11.88,0:22:19.52,Default,,0000,0000,0000,,which, well, does the bare necessary. And\None of the first things I did was Dialogue: 0,0:22:19.52,0:22:25.13,Default,,0000,0000,0000,,injecting challenges. Just inject a\Nchallenge, send it to the BCM with a valid Dialogue: 0,0:22:25.13,0:22:30.36,Default,,0000,0000,0000,,key and see what the response is going to\Nbe. And if I replace the zeros by dots, Dialogue: 0,0:22:30.36,0:22:37.86,Default,,0000,0000,0000,,you see that there's an extremely apparent\Npattern is visible. So the ideal case that Dialogue: 0,0:22:37.86,0:22:45.60,Default,,0000,0000,0000,,a single bit flip in a challenge leads to\Na 50/50 chance of a bit flip in every Dialogue: 0,0:22:45.60,0:22:51.99,Default,,0000,0000,0000,,response bit is not exactly respected. You\Nsee that the effect of changing the Dialogue: 0,0:22:51.99,0:22:58.31,Default,,0000,0000,0000,,challenge has a very localized effect on\Nthe response. Another weird feature, which Dialogue: 0,0:22:58.31,0:23:04.36,Default,,0000,0000,0000,,is not very clearly visible here, but it's\Nvisible in the last one, is that on Dialogue: 0,0:23:04.36,0:23:10.39,Default,,0000,0000,0000,,average, when you give average just random\Nchallenges, 75% of the bits of the Dialogue: 0,0:23:10.39,0:23:16.38,Default,,0000,0000,0000,,response will be set. So that is a very,\Nvery heavy bias. And it was quite puzzling Dialogue: 0,0:23:16.38,0:23:23.43,Default,,0000,0000,0000,,to me what kind of cryptographic primitive\Nwould exhibit such behavior. And then it Dialogue: 0,0:23:23.43,0:23:30.58,Default,,0000,0000,0000,,became clear. this is the main function of\Nthe algorithm and there is a transform Dialogue: 0,0:23:30.58,0:23:36.95,Default,,0000,0000,0000,,function that I left out, but it basically\Ndoes some multiplication, some division, Dialogue: 0,0:23:36.95,0:23:43.26,Default,,0000,0000,0000,,some modulo, mathematical operations, It\Nsplits the challenge in two parts and it Dialogue: 0,0:23:43.26,0:23:49.74,Default,,0000,0000,0000,,splits the vehicle PIN, so the secret in\Ntwo parts. And the total of four parts are Dialogue: 0,0:23:49.74,0:23:55.52,Default,,0000,0000,0000,,all used as inputs for this transform\Nfunction and we obtain a challenge Dialogue: 0,0:23:55.52,0:24:02.14,Default,,0000,0000,0000,,transformed left challenge transformed\Nright and similarly for the PIN a left and Dialogue: 0,0:24:02.14,0:24:08.46,Default,,0000,0000,0000,,right transformed part. And then something\Ninteresting happens because the left Dialogue: 0,0:24:08.46,0:24:14.69,Default,,0000,0000,0000,,transformed part of the challenge is ORed\Nwith a part of the PIN. And an OR Dialogue: 0,0:24:14.69,0:24:24.71,Default,,0000,0000,0000,,operation will lead to a, well, on average\N75% set result. So that kind of explains Dialogue: 0,0:24:24.71,0:24:34.00,Default,,0000,0000,0000,,the weird behavior we saw before. Strange\Nand maybe not so smart, because an Dialogue: 0,0:24:34.00,0:24:41.90,Default,,0000,0000,0000,,adversary will be able to either control\Nor observe the challenge that is used as Dialogue: 0,0:24:41.90,0:24:47.76,Default,,0000,0000,0000,,input for this algorithm. So if you know\Nthe challenge, you know the transform Dialogue: 0,0:24:47.76,0:24:52.26,Default,,0000,0000,0000,,challenge, and if you know to transform\Nchallenge, you know something about the Dialogue: 0,0:24:52.26,0:24:59.67,Default,,0000,0000,0000,,output. Because if the transform challenge\Nhas a one bit, then the response will have Dialogue: 0,0:24:59.67,0:25:05.76,Default,,0000,0000,0000,,a one bit in that same position. There is\Nanother property for the transform Dialogue: 0,0:25:05.76,0:25:10.28,Default,,0000,0000,0000,,function, and that is that if the input is\Na zero, the further parameters of Dialogue: 0,0:25:10.28,0:25:16.10,Default,,0000,0000,0000,,transform vary a bit, but it doesn't\Naffect this property: if the input is a Dialogue: 0,0:25:16.10,0:25:22.13,Default,,0000,0000,0000,,zero, the output is a zero. So that gives\Nus that if you have a challenge of all Dialogue: 0,0:25:22.13,0:25:27.87,Default,,0000,0000,0000,,zeros, you will obtain a transform\Nchallenge of all zeros. And that means Dialogue: 0,0:25:27.87,0:25:33.81,Default,,0000,0000,0000,,that when you're doing the OR you're ORing\Nwith nothing and the response will be Dialogue: 0,0:25:33.81,0:25:41.10,Default,,0000,0000,0000,,entirely determined by the transformed\NPIN. Then another property is that the Dialogue: 0,0:25:41.10,0:25:47.88,Default,,0000,0000,0000,,PIN, which is an alphanumeric PIN, is\Ninvertable once. Let me restart. Dialogue: 0,0:25:47.88,0:25:58.36,Default,,0000,0000,0000,,Transform: If it takes a PIN as input,\Nthen the output can be inverted. There is Dialogue: 0,0:25:58.36,0:26:04.61,Default,,0000,0000,0000,,only one PIN part input that maps to one\Noutput of the transform function. So if Dialogue: 0,0:26:04.61,0:26:09.91,Default,,0000,0000,0000,,you are able to supply the vehicle with a\Nchallenge of zeros, you will get one Dialogue: 0,0:26:09.91,0:26:14.73,Default,,0000,0000,0000,,response and you can uniquely identify the\Nsecret of the car, the PIN. And this PIN Dialogue: 0,0:26:14.73,0:26:19.22,Default,,0000,0000,0000,,can later be used to, for instance,\Nauthenticate for diagnostics or key Dialogue: 0,0:26:19.22,0:26:24.01,Default,,0000,0000,0000,,teaching or whatever you want. If you're\Nnot able to control the challenge, you can Dialogue: 0,0:26:24.01,0:26:28.94,Default,,0000,0000,0000,,just collect a couple of random challenge\Nresponses and you will still have the PIN. Dialogue: 0,0:26:28.94,0:26:34.84,Default,,0000,0000,0000,,So that's bad. What's worse is that there\Nare a lot of collisions because the bits Dialogue: 0,0:26:34.84,0:26:42.36,Default,,0000,0000,0000,,that are set in the challenge transformed\Nwill hide the bits that are set in the PIN Dialogue: 0,0:26:42.36,0:26:49.89,Default,,0000,0000,0000,,transformed. So a challenge transformed\Nwith a lot of ones set will accept a lot Dialogue: 0,0:26:49.89,0:26:56.02,Default,,0000,0000,0000,,of different PINs as proper input and\Nresult in the same response. So there is a Dialogue: 0,0:26:56.02,0:27:02.43,Default,,0000,0000,0000,,quite simple attack we can mount here and\Nthat is that we get a challenge from the Dialogue: 0,0:27:02.43,0:27:08.45,Default,,0000,0000,0000,,car without a valid key present and we\Nthen compute for that challenge for all Dialogue: 0,0:27:08.45,0:27:14.04,Default,,0000,0000,0000,,PINs what response it would yield. And you\Nwill see that some PINs, sorry, some Dialogue: 0,0:27:14.04,0:27:18.79,Default,,0000,0000,0000,,responses are generated by a lot of\Ndifferent PINs. It could easily be two-, Dialogue: 0,0:27:18.79,0:27:23.66,Default,,0000,0000,0000,,three thousand PINs resulting in the same\Nchallenge. So you choose the most probable Dialogue: 0,0:27:23.66,0:27:29.23,Default,,0000,0000,0000,,response and you send it and either the\NECU accepts it and disables immobilization Dialogue: 0,0:27:29.23,0:27:35.04,Default,,0000,0000,0000,,or it doesn't. And if it doesn't accept\Nit, then you know for three thousand pins Dialogue: 0,0:27:35.04,0:27:40.89,Default,,0000,0000,0000,,that it was not that. In general this\Ntakes far less than 4000 attempts and and Dialogue: 0,0:27:40.89,0:27:47.55,Default,,0000,0000,0000,,far less than 15 minutes. I don't know\Nexactly. I've tried it a couple of times Dialogue: 0,0:27:47.55,0:27:53.81,Default,,0000,0000,0000,,and I've been able to deactivate\Nimmobilization, I'd say, 3 minutes once, Dialogue: 0,0:27:53.81,0:28:00.41,Default,,0000,0000,0000,,maybe 10 minutes once. And after that, if\Nyou toggle the ignition switch, the car Dialogue: 0,0:28:00.41,0:28:07.78,Default,,0000,0000,0000,,will actually start without transponder\Npresent. So. That was not so good. Next Dialogue: 0,0:28:07.78,0:28:15.86,Default,,0000,0000,0000,,case is the Fiat I investigated, the\NGrande Punto and I reverse engineered the Dialogue: 0,0:28:15.86,0:28:22.28,Default,,0000,0000,0000,,BCM. It's based on the NEC V850\Narchitecture, which is a nice 32 bit RISC Dialogue: 0,0:28:22.28,0:28:29.60,Default,,0000,0000,0000,,architecture, pretty readable, pretty fair\Ninformation density. But still, I couldn't Dialogue: 0,0:28:29.60,0:28:35.45,Default,,0000,0000,0000,,really figure out what the actual crypto\Npart was. So I also investigated an engine Dialogue: 0,0:28:35.45,0:28:41.57,Default,,0000,0000,0000,,control module. Surprisingly, I was able\Nto find it there. And then I immediately Dialogue: 0,0:28:41.57,0:28:48.26,Default,,0000,0000,0000,,went back to the V850 because that at\Nleast is readable code. Protocol is as Dialogue: 0,0:28:48.26,0:29:00.35,Default,,0000,0000,0000,,follows: It has a 32 bit challenge, then a\N4 bit - sorry - 4 byte challenge, then a 2 Dialogue: 0,0:29:00.35,0:29:06.47,Default,,0000,0000,0000,,byte proof of knowledge. And that's an\Ninteresting feature, because that way the Dialogue: 0,0:29:06.47,0:29:10.82,Default,,0000,0000,0000,,engine control module proves to the body\Ncontrol module that it actually has Dialogue: 0,0:29:10.82,0:29:17.03,Default,,0000,0000,0000,,knowledge of the key. So you can not just\Nspam a challenge and get a get a response Dialogue: 0,0:29:17.03,0:29:23.30,Default,,0000,0000,0000,,for that. You have to prove that you know\Nthe secret. And then you get back a 2 byte Dialogue: 0,0:29:23.30,0:29:30.32,Default,,0000,0000,0000,,response. And if that is correct, the ECM\Naccepts it and the car can start. And this Dialogue: 0,0:29:30.32,0:29:37.64,Default,,0000,0000,0000,,very well, seemingly nice security feature\Nthat there is a proof of knowledge of the Dialogue: 0,0:29:37.64,0:29:44.72,Default,,0000,0000,0000,,key is actually the flaw in this system,\Nas it turns out. The cipher is a linear Dialogue: 0,0:29:44.72,0:29:50.36,Default,,0000,0000,0000,,feedback shift register based cipher. It\Ninitializes the states with the key, XORed Dialogue: 0,0:29:50.36,0:29:55.73,Default,,0000,0000,0000,,with the challenge, XORed with some\Nconstant. And then it does 38 rounds. If Dialogue: 0,0:29:55.73,0:30:00.41,Default,,0000,0000,0000,,you don't know what an LFSR is I'll tell\Nyou in the next slide. Then it generates Dialogue: 0,0:30:00.41,0:30:06.02,Default,,0000,0000,0000,,the proof. That is 12 rounds, actually 12\Nbits output. And if you look back in the Dialogue: 0,0:30:06.02,0:30:11.51,Default,,0000,0000,0000,,protocol, you actually see that the first\Nnibble is indeed a zero. So it's not 16 Dialogue: 0,0:30:11.51,0:30:17.00,Default,,0000,0000,0000,,bits, but it's only 12 bits. After\Ngenerating the proof, it loads an Dialogue: 0,0:30:17.00,0:30:22.94,Default,,0000,0000,0000,,additional 16 bit constant and then\Ngenerates the 14 bit response. This is a Dialogue: 0,0:30:22.94,0:30:28.85,Default,,0000,0000,0000,,very standard construction in crypto and\Nthere is a fairly standard attack to it. Dialogue: 0,0:30:28.85,0:30:40.46,Default,,0000,0000,0000,,So what you see here is an LFSR, it's a 32\Nbit register and it operates in ticks. So Dialogue: 0,0:30:40.46,0:30:45.17,Default,,0000,0000,0000,,it is loaded with this initial secret\Nstate at the beginning of the algorithm Dialogue: 0,0:30:45.17,0:30:55.61,Default,,0000,0000,0000,,and each tick it takes 4 bits and they are\NXORed together. Then the whole register Dialogue: 0,0:30:55.61,0:31:02.03,Default,,0000,0000,0000,,shifts one position to the left. So bit 0\Ngoes to bit 1, 1 to 2, etc. Bit 31 shifts Dialogue: 0,0:31:02.03,0:31:10.31,Default,,0000,0000,0000,,out and the previously computed XOred bit\Nis shifted in in the 0 position. So that Dialogue: 0,0:31:10.31,0:31:16.34,Default,,0000,0000,0000,,way it cycles and continuously updates its\Ninternal state. And then there is an Dialogue: 0,0:31:16.34,0:31:22.91,Default,,0000,0000,0000,,output function that takes 8 bits of input\Nand each tick it computes one bit from an Dialogue: 0,0:31:22.91,0:31:29.69,Default,,0000,0000,0000,,8 bit input, and on the lower left you can\Nsee the output generation table. So it Dialogue: 0,0:31:29.69,0:31:36.89,Default,,0000,0000,0000,,kind of just counts through this. And if\Nthe eight bits together add up to say A2, Dialogue: 0,0:31:36.89,0:31:44.03,Default,,0000,0000,0000,,then you pick bit position A2 in this\Ntable and that is then the bit that is Dialogue: 0,0:31:44.03,0:31:53.00,Default,,0000,0000,0000,,being generated as proof or response bit\Nduring that round. Now what we see here is Dialogue: 0,0:31:53.00,0:32:00.56,Default,,0000,0000,0000,,that there is actually 8 bits of the LFSR\Nthat determine the output bit. And of Dialogue: 0,0:32:00.56,0:32:12.82,Default,,0000,0000,0000,,these 8 bits they generate 256 different\Nvalues. Now there are 256 different Dialogue: 0,0:32:12.82,0:32:18.73,Default,,0000,0000,0000,,combinations and only half will generate\Nthe observed output bit. So that means Dialogue: 0,0:32:18.73,0:32:24.79,Default,,0000,0000,0000,,that 128 different options may be valid\Noptions for these 8 bits to generate a Dialogue: 0,0:32:24.79,0:32:30.34,Default,,0000,0000,0000,,response or a proof that we have observed\Nearlier. And that is pretty interesting. Dialogue: 0,0:32:30.34,0:32:37.51,Default,,0000,0000,0000,,And you can use that to construct a guess\Nand determine attack. Which means that you Dialogue: 0,0:32:37.51,0:32:44.50,Default,,0000,0000,0000,,make an assumption on the internal state.\NWe have 128 candidate internal states. And Dialogue: 0,0:32:44.50,0:32:50.17,Default,,0000,0000,0000,,then we do a round. So we shift the\Nguessed bits one position to the left. We Dialogue: 0,0:32:50.17,0:32:56.17,Default,,0000,0000,0000,,do the feedback function and then we are\Ngoing to evaluate the second bit that was Dialogue: 0,0:32:56.17,0:33:01.12,Default,,0000,0000,0000,,generated. For the second bit we already\Nhave some knowledge, because we made Dialogue: 0,0:33:01.12,0:33:09.04,Default,,0000,0000,0000,,assumptions earlier. So the green squares\Ndesignate the bits that we already know. Dialogue: 0,0:33:09.04,0:33:17.26,Default,,0000,0000,0000,,And you see that throughout the rounds,\Neach round you can eliminate half the Dialogue: 0,0:33:17.26,0:33:21.43,Default,,0000,0000,0000,,candidates, because they generate the\Nwrong output bit. And you need to guess Dialogue: 0,0:33:21.43,0:33:28.63,Default,,0000,0000,0000,,less and less bits in order to to fill in\Nthe state. And this continuous elimination Dialogue: 0,0:33:28.63,0:33:35.50,Default,,0000,0000,0000,,of half the candidate states makes this\Nfar more efficient than just a brute force Dialogue: 0,0:33:35.50,0:33:42.49,Default,,0000,0000,0000,,attack. The total complexity of this\Nattack is 2^21, which is orders of Dialogue: 0,0:33:42.49,0:33:51.64,Default,,0000,0000,0000,,magnitude less than mounting a brute force\Nattack. Right. So that's OK. That is Dialogue: 0,0:33:51.64,0:33:58.21,Default,,0000,0000,0000,,fairly standard stuff in crypto. Now,\Nthere is a big problem in the way they Dialogue: 0,0:33:58.21,0:34:03.69,Default,,0000,0000,0000,,implemented this, because they did some\Nsecret reuse. And the secret that is being Dialogue: 0,0:34:03.69,0:34:12.33,Default,,0000,0000,0000,,used to generate the proof is in some\Nmangled way the vehicle PIN. If you take Dialogue: 0,0:34:12.33,0:34:18.51,Default,,0000,0000,0000,,this 32 bit secret input value and you\Ntake the 5 rightmost nibbles and then Dialogue: 0,0:34:18.51,0:34:23.85,Default,,0000,0000,0000,,transform the letters into numbers and\Nthen replace the zeros by sevens, then you Dialogue: 0,0:34:23.85,0:34:31.62,Default,,0000,0000,0000,,get a 5 digit number and that number is\Nthe PIN. So what we have now is an attack Dialogue: 0,0:34:31.62,0:34:37.77,Default,,0000,0000,0000,,that observes a couple of challenges\Ntogether with their proof of knowledge, Dialogue: 0,0:34:37.77,0:34:44.64,Default,,0000,0000,0000,,which is always there, and you get it for\Nfree when you just power the ECU, and you Dialogue: 0,0:34:44.64,0:34:50.67,Default,,0000,0000,0000,,run an attack on that. That takes, well,\Nmy not so optimized implementation takes 6 Dialogue: 0,0:34:50.67,0:34:57.57,Default,,0000,0000,0000,,seconds on a single core. You can probably\Ndo better. Runs in seconds. And what you Dialogue: 0,0:34:57.57,0:35:05.40,Default,,0000,0000,0000,,get is the PIN. So you can still not\Nauthenticate towards the ECM, but you do Dialogue: 0,0:35:05.40,0:35:09.18,Default,,0000,0000,0000,,get the pin which you can then use to\Nauthenticate for diagnostic services, you Dialogue: 0,0:35:09.18,0:35:12.84,Default,,0000,0000,0000,,can, maybe, read memory, you can, maybe,\Nreprogram stuff, you can, maybe,enter key Dialogue: 0,0:35:12.84,0:35:23.16,Default,,0000,0000,0000,,teaching mode. There is absolutely ways to\Nleverage this and, well, get the car to Dialogue: 0,0:35:23.16,0:35:33.87,Default,,0000,0000,0000,,start. The 3rd case I investigated was an\NOpel Astra H. And I've decided to skip the Dialogue: 0,0:35:33.87,0:35:38.19,Default,,0000,0000,0000,,crypto parts in this one because I\Ncouldn't break it and I wouldn't want to Dialogue: 0,0:35:38.19,0:35:43.71,Default,,0000,0000,0000,,bore you with a fairly complicated\Nalgorithm and then not present an attack. Dialogue: 0,0:35:43.71,0:35:48.42,Default,,0000,0000,0000,,If you're interested, it's in my thesis so\Nyou can look it up. But there is still Dialogue: 0,0:35:48.42,0:35:56.10,Default,,0000,0000,0000,,some funny things to point out here. I\Nreverse engineered an ECM that was based Dialogue: 0,0:35:56.10,0:36:04.32,Default,,0000,0000,0000,,on a PowerPC architecture microcontroller.\NAnd that is very nice because there is a Dialogue: 0,0:36:04.32,0:36:10.86,Default,,0000,0000,0000,,decompiler for that. And IDA Pro will\Nnicely transform the assembly into Dialogue: 0,0:36:10.86,0:36:18.27,Default,,0000,0000,0000,,somewhat accurate, somewhat readable C\Ncode. That was good, but it was not Dialogue: 0,0:36:18.27,0:36:26.79,Default,,0000,0000,0000,,enough. So I purchased some tool to use\Nthe BDM interface of this ECU which was Dialogue: 0,0:36:26.79,0:36:32.64,Default,,0000,0000,0000,,active and usable. And it took me a lot of\Ntime to get the tools working, because Dialogue: 0,0:36:32.64,0:36:37.02,Default,,0000,0000,0000,,virtual machines were not okay, etc etc. I\Ninstalled Windows and did crazy stuff. And Dialogue: 0,0:36:38.58,0:36:43.92,Default,,0000,0000,0000,,then I was able to read memory, modify\Nregisters on the actual ECU, and that Dialogue: 0,0:36:43.92,0:36:52.17,Default,,0000,0000,0000,,helped a great deal in debugging and\Nfinding the actual functions. So this is Dialogue: 0,0:36:52.17,0:36:58.95,Default,,0000,0000,0000,,the protocol that I found. It has a 2 byte\Nopcode, then 2 bytes status data, then a 4 Dialogue: 0,0:36:58.95,0:37:03.48,Default,,0000,0000,0000,,byte challenge. And similarly 2 byte\Nopcode for the response, 2 byte status Dialogue: 0,0:37:03.48,0:37:13.59,Default,,0000,0000,0000,,data, 4 byte response. No proof of\Nknowledge here. Just a 32 bit to 32 bit Dialogue: 0,0:37:13.59,0:37:20.40,Default,,0000,0000,0000,,challenge-response authentication. And\Nwhat was funny when I finally uncovered Dialogue: 0,0:37:20.40,0:37:26.76,Default,,0000,0000,0000,,the algorithm is that this is not an\Nalgorithm that was designed by Opel. It is Dialogue: 0,0:37:26.76,0:37:34.44,Default,,0000,0000,0000,,an algorithm that is used by a security\Ntransponder. It is used by the PCF7935 Dialogue: 0,0:37:34.44,0:37:39.63,Default,,0000,0000,0000,,security transponder, which is the\Npredecessor of high tech II, which you may Dialogue: 0,0:37:39.63,0:37:47.76,Default,,0000,0000,0000,,be familiar with it. It uses a 128 bit\Nsecret. So that is really, really big Dialogue: 0,0:37:47.76,0:37:53.79,Default,,0000,0000,0000,,secret, and a 32 bit internal state. When\NI saw that 32 bit internal state, I was Dialogue: 0,0:37:53.79,0:38:01.26,Default,,0000,0000,0000,,like, OK, this is going to be doable. It\Nwasn't. Because it does a lot of rounds Dialogue: 0,0:38:01.26,0:38:05.91,Default,,0000,0000,0000,,between output moments. Not as in the FIAT\Ncase, one round, one bit output. It does Dialogue: 0,0:38:05.91,0:38:11.58,Default,,0000,0000,0000,,34 rounds and then it outputs two bits and\Nthen it does another 34 rounds and two Dialogue: 0,0:38:11.58,0:38:19.95,Default,,0000,0000,0000,,more bits. And during these 34 rounds, it\Nmixes the whole 128 bit secret key into Dialogue: 0,0:38:19.95,0:38:23.58,Default,,0000,0000,0000,,the state. There is so much distance\Nbetween these moments that it is very, Dialogue: 0,0:38:23.58,0:38:31.38,Default,,0000,0000,0000,,very hard to relate any of this\Ninformation or any usable assumption that Dialogue: 0,0:38:31.38,0:38:39.78,Default,,0000,0000,0000,,survives so much new mixing of\Ninformation. I did my best. I found some Dialogue: 0,0:38:39.78,0:38:44.40,Default,,0000,0000,0000,,stuff. Nothing that is usable to mount an\Nattack. You can read my thesis if you're Dialogue: 0,0:38:44.40,0:38:53.19,Default,,0000,0000,0000,,interested in the details. I found it\Nfunny to find an implementation of a Dialogue: 0,0:38:53.19,0:38:57.99,Default,,0000,0000,0000,,security transponder in an engine. While\NI, In the beginning of this talk pointed Dialogue: 0,0:38:57.99,0:39:03.15,Default,,0000,0000,0000,,out that the engine doesn't talk with the\Ntransponder. So I went back in time and I Dialogue: 0,0:39:03.15,0:39:10.53,Default,,0000,0000,0000,,analyzed another vehicle, a Corsa Model C\Nand found that this was different. This Dialogue: 0,0:39:10.53,0:39:17.37,Default,,0000,0000,0000,,car had indeed an engine that talks with\Nthe key. And what probably happened is Dialogue: 0,0:39:17.37,0:39:22.92,Default,,0000,0000,0000,,that they wanted to decouple development\Nof engines and development of cars so they Dialogue: 0,0:39:22.92,0:39:27.18,Default,,0000,0000,0000,,could upgrade security transponders\Nwithout replacing their engines or Dialogue: 0,0:39:27.18,0:39:33.21,Default,,0000,0000,0000,,replacing their engine firmwares. So I\Nthink that is how this happened and why Dialogue: 0,0:39:33.21,0:39:39.09,Default,,0000,0000,0000,,they just decided to well, then implement\Nthe security transponder and emulate it in Dialogue: 0,0:39:39.09,0:39:43.86,Default,,0000,0000,0000,,the body control module towards the\Nengine. It seemed like a convenient Dialogue: 0,0:39:43.86,0:39:49.65,Default,,0000,0000,0000,,solution, I guess. It is by far the\Nstrongest algorithm I have encountered in Dialogue: 0,0:39:49.65,0:39:54.66,Default,,0000,0000,0000,,these three case studies. And while it is\Nout of scope because I limited myself to Dialogue: 0,0:39:54.66,0:39:59.70,Default,,0000,0000,0000,,the actual cryptographic primitives, I\Nfelt the need to point out that the random Dialogue: 0,0:39:59.70,0:40:08.82,Default,,0000,0000,0000,,number generator is really not very good.\NThey use the tick counter of the CPU as Dialogue: 0,0:40:08.82,0:40:13.44,Default,,0000,0000,0000,,source of randomness and then they use a\Ncouple of constants that, if you google Dialogue: 0,0:40:13.44,0:40:23.52,Default,,0000,0000,0000,,them, direct you to the Netscape random\Nnumber generator. So summing it up: We Dialogue: 0,0:40:23.52,0:40:30.87,Default,,0000,0000,0000,,found that Peugeot used a tiny key space\Nwith only 1.3 million different possible Dialogue: 0,0:40:30.87,0:40:39.51,Default,,0000,0000,0000,,PIN codes. They leak a lot of information\Nin the response. If you can inject a zero Dialogue: 0,0:40:39.51,0:40:44.67,Default,,0000,0000,0000,,challenge, you immediately get the full\Nsecret. It has a lot of collisions, which Dialogue: 0,0:40:45.18,0:40:54.21,Default,,0000,0000,0000,,makes it really not very robust against an\Nadversary. Fiat has a schoolbook algorithm Dialogue: 0,0:40:54.21,0:41:01.05,Default,,0000,0000,0000,,and it's vulnerable to schoolbook attack.\NIt's a nice idea to implement neutral Dialogue: 0,0:41:01.05,0:41:07.65,Default,,0000,0000,0000,,authentication, but it doesn't really work\Nin this context. And worse, they reuse Dialogue: 0,0:41:07.65,0:41:14.70,Default,,0000,0000,0000,,that part of the secret as the vehicle PIN\Nas opposed to using the other part of the Dialogue: 0,0:41:14.70,0:41:21.12,Default,,0000,0000,0000,,secret that is used to generate a\Nresponse. If that would have been the Dialogue: 0,0:41:21.12,0:41:28.35,Default,,0000,0000,0000,,vehicle PIN I would not have been able to\Nmount this attack. And lastly, Opel Dialogue: 0,0:41:28.35,0:41:34.47,Default,,0000,0000,0000,,decided to clone an obsolete security\Ntransponder. The successor, high tech II, Dialogue: 0,0:41:34.47,0:41:41.64,Default,,0000,0000,0000,,was desperately broken. This one wasn't.\NNot by me. I have a master's degree, not Dialogue: 0,0:41:41.64,0:41:46.74,Default,,0000,0000,0000,,in cryptanalysis. I'm not convinced that\Nit's a secure transponder, but it is Dialogue: 0,0:41:46.74,0:41:52.23,Default,,0000,0000,0000,,certainly better than the other two I\Nanalyzed. And also interesting is that all Dialogue: 0,0:41:52.23,0:41:58.65,Default,,0000,0000,0000,,these three systems are still around in\Nnew vehicles. Maybe not all models, but Dialogue: 0,0:41:58.65,0:42:05.40,Default,,0000,0000,0000,,they're still being manufactured. So I am\Ncurious to see how this relates to other Dialogue: 0,0:42:05.40,0:42:12.63,Default,,0000,0000,0000,,manufacturers, other models. And I think\Nit would be interesting to, well, do some Dialogue: 0,0:42:12.63,0:42:19.29,Default,,0000,0000,0000,,further research in this domain and see\Nwhat else is out there. So to finish with Dialogue: 0,0:42:19.29,0:42:25.92,Default,,0000,0000,0000,,a few takeaways. Don't do your own crypto.\NIt's often said and repeated. You are Dialogue: 0,0:42:25.92,0:42:32.20,Default,,0000,0000,0000,,going to mess it up. Just use standardized\Ncryptographic components and maybe try to Dialogue: 0,0:42:32.20,0:42:38.23,Default,,0000,0000,0000,,get people that are actually security\Nexperts to implement it instead of hoping Dialogue: 0,0:42:38.23,0:42:44.71,Default,,0000,0000,0000,,for the best. Don't reuse secrets. These\Ntwo case studies revealed that reuse of Dialogue: 0,0:42:44.71,0:42:50.71,Default,,0000,0000,0000,,secret made the attack much more powerful\Nthan it needed to be. Minimize the number Dialogue: 0,0:42:50.71,0:42:53.98,Default,,0000,0000,0000,,of cryptographic protocols and\Ncryptographic primitives that you're Dialogue: 0,0:42:53.98,0:43:01.42,Default,,0000,0000,0000,,using. The more different primitives, the\Nmore attack surface you create for an Dialogue: 0,0:43:01.42,0:43:07.24,Default,,0000,0000,0000,,adversary. And lastly, as I mentioned\Nbefore, there has been an arms race in Dialogue: 0,0:43:07.24,0:43:12.40,Default,,0000,0000,0000,,transponder security. How is it possible\Nthat a modern car key may be equipped with Dialogue: 0,0:43:12.40,0:43:19.87,Default,,0000,0000,0000,,AES or other fairly secure cryptographic\Nfeatures, and these protocols that date Dialogue: 0,0:43:19.87,0:43:26.68,Default,,0000,0000,0000,,from 1995 and such are still there, not\Nreplaced. Apparently no one either figured Dialogue: 0,0:43:26.68,0:43:34.87,Default,,0000,0000,0000,,it out or there are other very important\Nreasons to just leave them there. So I Dialogue: 0,0:43:34.87,0:43:39.88,Default,,0000,0000,0000,,hope that was interesting. Maybe\Nentertaining and I'll happily take any Dialogue: 0,0:43:39.88,0:43:46.60,Default,,0000,0000,0000,,questions you have for me. Dialogue: 0,0:43:46.60,0:43:47.86,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:43:47.86,0:43:51.75,Default,,0000,0000,0000,,Herald: Bedankt Wouter Bokslag. Thank you.\NYou know the game if you have questions - Dialogue: 0,0:43:51.75,0:43:59.31,Default,,0000,0000,0000,,oh, we already have questions. There are\Nmicrophones, microphones number 1 to 7 and Dialogue: 0,0:43:59.31,0:44:05.26,Default,,0000,0000,0000,,2 to 8. And the Internet has questions\Nalready. So we start with the Internet. Dialogue: 0,0:44:05.26,0:44:09.02,Default,,0000,0000,0000,,Internet, please.\NSignal Angel: Why don't make cars more use Dialogue: 0,0:44:09.02,0:44:13.62,Default,,0000,0000,0000,,of rings of security or layers or\Npermissons system? Dialogue: 0,0:44:13.62,0:44:21.45,Default,,0000,0000,0000,,Wouter: Oh, well, this is embedded\Nsecurity. This is not a PC or smartphone Dialogue: 0,0:44:21.45,0:44:26.87,Default,,0000,0000,0000,,security. It's embedded security. And I\Nthink automotive manufacturers do their Dialogue: 0,0:44:26.87,0:44:33.63,Default,,0000,0000,0000,,best, but this is just not their game. And\Nyeah, there is plenty of ways you could do Dialogue: 0,0:44:33.63,0:44:40.99,Default,,0000,0000,0000,,this in a more secure manner. But they\Ndidn't. I cannot really say, why not do it Dialogue: 0,0:44:40.99,0:44:46.95,Default,,0000,0000,0000,,better? Of course they should do it\Nbetter. But I think it's understandable Dialogue: 0,0:44:46.95,0:44:53.17,Default,,0000,0000,0000,,that they may be a bit behind on this game\Nthat is relatively new to them. Dialogue: 0,0:44:53.17,0:44:57.47,Default,,0000,0000,0000,,Herald: Thank you. And microphone number\None. Dialogue: 0,0:44:57.47,0:45:03.44,Default,,0000,0000,0000,,Q: Hi. Amazing work, but I have a\Nquestion. Did you find any simpler, more Dialogue: 0,0:45:03.44,0:45:08.72,Default,,0000,0000,0000,,entertaining mistakes like storing the PIN\Nin the open, in other components in the Dialogue: 0,0:45:08.72,0:45:12.87,Default,,0000,0000,0000,,car?\NWouter: Well yeah, I did do some other Dialogue: 0,0:45:12.87,0:45:18.36,Default,,0000,0000,0000,,stuff besides the 3 cases I presented\Nhere. I also investigated some Dialogue: 0,0:45:18.36,0:45:24.07,Default,,0000,0000,0000,,authentication mechanisms for diagnostic\Nfunctionality and I didn't put them in my Dialogue: 0,0:45:24.07,0:45:30.31,Default,,0000,0000,0000,,thesis because it's nice to have a clear\Nmessage and a clear line of research. But Dialogue: 0,0:45:30.31,0:45:37.28,Default,,0000,0000,0000,,I've seen authentications that are really\Npretty hilarious, such as challenge - Dialogue: 0,0:45:37.28,0:45:48.40,Default,,0000,0000,0000,,secrets - subtract - response.\NHerald: Answered? I think this is a yes. Dialogue: 0,0:45:48.40,0:45:53.95,Default,,0000,0000,0000,,Microphone number 2, please.\NQ: Hey, thank you for the talk. Two short Dialogue: 0,0:45:53.95,0:45:58.30,Default,,0000,0000,0000,,questions. How did you specifically choose\Nthose two cars, those three cars, and Dialogue: 0,0:45:58.30,0:46:05.32,Default,,0000,0000,0000,,which parts or are parts of these flaws\Nfixable in later firmware, bootloader, Dialogue: 0,0:46:05.32,0:46:10.42,Default,,0000,0000,0000,,software, coding, update, whatever?\NWouter: Yeah, Okay. I chose these cars Dialogue: 0,0:46:10.42,0:46:16.72,Default,,0000,0000,0000,,mainly by availability. I didn't really\Ncherry pick models. It was just that at Dialogue: 0,0:46:16.72,0:46:23.02,Default,,0000,0000,0000,,the place where I was doing my internship\Nthen, I was, I had some platforms to play Dialogue: 0,0:46:23.02,0:46:27.34,Default,,0000,0000,0000,,around with. You have seen my very\Nprofessional PSA setup, that was the most Dialogue: 0,0:46:27.34,0:46:35.35,Default,,0000,0000,0000,,professional I had. So yeah, this is what\NI had. And since I in the end found that Dialogue: 0,0:46:35.35,0:46:43.30,Default,,0000,0000,0000,,they are still relevant right now, I think\Nthat wasn't really harmful in any way. It Dialogue: 0,0:46:43.30,0:46:47.68,Default,,0000,0000,0000,,turns out to be a good choice. Your second\Nquestion was? Dialogue: 0,0:46:47.68,0:46:52.93,Default,,0000,0000,0000,,Q: Can those flaws be fixed in an update?\NWouter: Oh yes. Well, in some sense, Dialogue: 0,0:46:52.93,0:46:59.89,Default,,0000,0000,0000,,except that there is no real\Ninfrastructure to roll out updates. So all Dialogue: 0,0:46:59.89,0:47:03.04,Default,,0000,0000,0000,,the cars that are out there, I don't think\Nthey are going to recall them to update Dialogue: 0,0:47:03.04,0:47:04.16,Default,,0000,0000,0000,,firmwares.\NQ: But normal servicing... Dialogue: 0,0:47:04.16,0:47:13.00,Default,,0000,0000,0000,,Wouter: Yeah, yeah, you can do that. It\Ntakes time. So it doesn't incur costs for Dialogue: 0,0:47:13.00,0:47:18.13,Default,,0000,0000,0000,,the manufacturer. But what you could do,\Nfor instance, is just use timeouts in the Dialogue: 0,0:47:18.13,0:47:26.86,Default,,0000,0000,0000,,PSA case and make sure it's not too easy\Nto try lots of authentication attempts. Dialogue: 0,0:47:27.70,0:47:32.70,Default,,0000,0000,0000,,It's not a fix because it doesn't really\Nfix it. But well, it's certainly a Dialogue: 0,0:47:32.70,0:47:39.46,Default,,0000,0000,0000,,mitigation. It somewhat limits the impact.\NIn the Fiat case, it's a bit harder Dialogue: 0,0:47:39.46,0:47:45.16,Default,,0000,0000,0000,,because you cannot really change an entire\Nalgorithm because there's different Dialogue: 0,0:47:45.16,0:47:49.06,Default,,0000,0000,0000,,engines. And yeah, I think that would be\Nquite a hassle. You really have to change Dialogue: 0,0:47:49.06,0:47:51.88,Default,,0000,0000,0000,,your protocol there.\NQ: Thank you. Dialogue: 0,0:47:52.65,0:47:54.90,Default,,0000,0000,0000,,Herald: Thank you. Microphone number five,\Nplease. Dialogue: 0,0:47:54.90,0:48:01.20,Default,,0000,0000,0000,,Q: Are the secrets unique per car? And if\Nso, how do you handle the case when one of Dialogue: 0,0:48:01.20,0:48:06.33,Default,,0000,0000,0000,,the units has to get replaced?\NWouter: Yeah. The secrets are unique for Dialogue: 0,0:48:06.33,0:48:16.29,Default,,0000,0000,0000,,car and replacement frequently involves a\Nprocedure to couple the new ECU in the Dialogue: 0,0:48:16.29,0:48:21.00,Default,,0000,0000,0000,,current system. And you just have to put\Nthe ECU there, connect to the ECU and Dialogue: 0,0:48:21.00,0:48:25.35,Default,,0000,0000,0000,,enter the vehicle pin. So that is quite\Nprobably also the reason that they reused Dialogue: 0,0:48:25.35,0:48:29.64,Default,,0000,0000,0000,,a secret, because if you use a different\Nsecret, you have to have some kind of Dialogue: 0,0:48:29.64,0:48:37.05,Default,,0000,0000,0000,,complicated secret sharing protocol that\Nwell, brings the new ECU up to speed with Dialogue: 0,0:48:37.05,0:48:39.72,Default,,0000,0000,0000,,the key material that's being used inside\Nthe vehicle. Dialogue: 0,0:48:39.72,0:48:45.09,Default,,0000,0000,0000,,Herald: Thank you. Microphone number one,\Nplease. Dialogue: 0,0:48:45.09,0:48:53.07,Default,,0000,0000,0000,,Q: Hello. So what I'm struggling to\Nunderstand here is why there was the need Dialogue: 0,0:48:53.07,0:48:58.89,Default,,0000,0000,0000,,to decouple the communication in the first\Nplace and just split it in two. I can Dialogue: 0,0:48:58.89,0:49:03.45,Default,,0000,0000,0000,,guess that is so that the ECU can be\Ntrained on new keys. But then isn't it Dialogue: 0,0:49:03.45,0:49:08.31,Default,,0000,0000,0000,,easier to just, you know, instead of\Ntraining like the ECU and telling it: Hey, Dialogue: 0,0:49:08.31,0:49:15.36,Default,,0000,0000,0000,,this is the new key's key. Just load the\NECU's key on the new transponder. Dialogue: 0,0:49:15.36,0:49:19.32,Default,,0000,0000,0000,,Wouter: So if I understand your question\Ncorrectly is that you wonder why we need Dialogue: 0,0:49:19.32,0:49:25.32,Default,,0000,0000,0000,,two different authentication systems, one\Nfor the key to BCM and one for the engine Dialogue: 0,0:49:25.32,0:49:29.28,Default,,0000,0000,0000,,to BCM and not use the simple model of\Nhaving the key talk to the engine control Dialogue: 0,0:49:29.28,0:49:30.12,Default,,0000,0000,0000,,module.\NQ: That's correct. Dialogue: 0,0:49:30.12,0:49:33.81,Default,,0000,0000,0000,,Wouter: All right. You have to understand\Nthat engine development is done by Dialogue: 0,0:49:33.81,0:49:40.65,Default,,0000,0000,0000,,different companies and the same engine\Nmay be used in various different vehicles, Dialogue: 0,0:49:40.65,0:49:49.14,Default,,0000,0000,0000,,maybe even from completely different\Nranges. And it is complicated to give Dialogue: 0,0:49:49.14,0:49:55.98,Default,,0000,0000,0000,,these cars a different firmware. So it's\Ndefinitely possible. But they just want to Dialogue: 0,0:49:55.98,0:50:00.06,Default,,0000,0000,0000,,build an engine and build a car and have\Nit work together. And another car with the Dialogue: 0,0:50:00.06,0:50:06.66,Default,,0000,0000,0000,,same engine should also work. So it's, ...\Nit has to do with their process of Dialogue: 0,0:50:06.66,0:50:13.62,Default,,0000,0000,0000,,developing vehicles.\NQ: But then shouldn't also, I mean, I'm Dialogue: 0,0:50:13.62,0:50:20.46,Default,,0000,0000,0000,,assuming that the part that talks to the\Ntransponder and talks to the engine still Dialogue: 0,0:50:20.46,0:50:27.03,Default,,0000,0000,0000,,has to match the engine communication\Nprotocol anyway. So, I mean, doesn't the Dialogue: 0,0:50:27.03,0:50:32.03,Default,,0000,0000,0000,,car producers still have to match the\Nengine protocol anyway at some points Dialogue: 0,0:50:32.03,0:50:35.00,Default,,0000,0000,0000,,anyway, so why just not implement it on\Nthe key in the first place? Dialogue: 0,0:50:35.00,0:50:38.52,Default,,0000,0000,0000,,Wouter: Yeah. Well, this is all\Nspeculation from my side as well. I have Dialogue: 0,0:50:38.52,0:50:45.62,Default,,0000,0000,0000,,no inside information as to why they did\Nthis. But yeah, I can imagine ways that Dialogue: 0,0:50:45.62,0:50:53.60,Default,,0000,0000,0000,,they could fix this and they don't do it.\NAnd my experience is that generally this Dialogue: 0,0:50:53.60,0:50:59.84,Default,,0000,0000,0000,,has to do with legacy and compatibility\Nissues. They could also just embed five Dialogue: 0,0:50:59.84,0:51:05.55,Default,,0000,0000,0000,,algorithms in the BCM or the engine\Ncontrol module and just by configuration Dialogue: 0,0:51:05.55,0:51:10.85,Default,,0000,0000,0000,,choose the one that fits for that vehicle.\NI have no idea why they don't do that. But Dialogue: 0,0:51:10.85,0:51:15.50,Default,,0000,0000,0000,,once again, these are not software\Ncompanies. These are automotive companies. Dialogue: 0,0:51:15.50,0:51:18.90,Default,,0000,0000,0000,,Q: Awesome. Thanks.\NHerald: Thank you. Microphone number Dialogue: 0,0:51:18.90,0:51:23.15,Default,,0000,0000,0000,,three, please.\NQ: Thank you for the great talk. Once we Dialogue: 0,0:51:23.15,0:51:29.57,Default,,0000,0000,0000,,have the OBD connected to the Internet and\Ndo you see any other complication that Dialogue: 0,0:51:29.57,0:51:33.91,Default,,0000,0000,0000,,could prevent me to park the car remotely\Nfrom there? Dialogue: 0,0:51:33.91,0:51:43.39,Default,,0000,0000,0000,,Wouter: OBD connected to the Internet...\NNow well, no. Why? Once you have OBD Dialogue: 0,0:51:43.39,0:51:53.08,Default,,0000,0000,0000,,access so you can use the OBD port you can\Ndo a lot. There are cars that use a Dialogue: 0,0:51:53.08,0:51:59.20,Default,,0000,0000,0000,,gateway that is some kind of filter or you\Nhave to authenticate towards it before you Dialogue: 0,0:51:59.20,0:52:02.98,Default,,0000,0000,0000,,can access the internals of the vehicle.\NSo it really depends on the model. It Dialogue: 0,0:52:02.98,0:52:07.100,Default,,0000,0000,0000,,depends on the manufacturer to which\Nextent you have room to maneuver there. Dialogue: 0,0:52:07.100,0:52:12.78,Default,,0000,0000,0000,,For some, it would be super easy, for some\Nit would be a lot of work. For some, it Dialogue: 0,0:52:12.78,0:52:17.29,Default,,0000,0000,0000,,might be impossible. But you certainly\Nhave a very, very good starting point. Dialogue: 0,0:52:17.29,0:52:21.30,Default,,0000,0000,0000,,Q: Thank you.\NHerald: Microphone number one, please. Dialogue: 0,0:52:21.30,0:52:26.68,Default,,0000,0000,0000,,Q: Hello. Did you spot any kind of anti-\Nbrute force measures during your analyses? Dialogue: 0,0:52:26.68,0:52:30.68,Default,,0000,0000,0000,,That's the question number one. And\Nquestion number two is: Obviously you had Dialogue: 0,0:52:30.68,0:52:35.96,Default,,0000,0000,0000,,access to the internal communication\Nbetween the BCM and ECM, but were those Dialogue: 0,0:52:35.96,0:52:42.33,Default,,0000,0000,0000,,attacks successful on Fiat and Peugeot,\Nare they doable using just the OBD-II Dialogue: 0,0:52:42.33,0:52:47.13,Default,,0000,0000,0000,,port? Or do you actually need to see the\Ninternal communications? Dialogue: 0,0:52:47.13,0:52:52.59,Default,,0000,0000,0000,,Wouter: I tried to point out in the\Nbeginning of my talk that I carry out all Dialogue: 0,0:52:52.59,0:52:59.36,Default,,0000,0000,0000,,the attacks presented and I focused only\Non functionality that is exposed through Dialogue: 0,0:52:59.36,0:53:05.31,Default,,0000,0000,0000,,OBD. So, yes, I did some stuff on the\Nhardware of the ECUs, but that was just Dialogue: 0,0:53:05.31,0:53:10.42,Default,,0000,0000,0000,,for research. So the attacks are\Nabsolutely doable over OBD. Dialogue: 0,0:53:10.42,0:53:16.74,Default,,0000,0000,0000,,Q: OK, and the previous question there,\Nwhich was already partially answered. Dialogue: 0,0:53:16.74,0:53:21.05,Default,,0000,0000,0000,,Wouter: Yes.\NQ: So no, like, locking out after five Dialogue: 0,0:53:21.05,0:53:26.62,Default,,0000,0000,0000,,failed trials?\NWouter: I did find something that was Dialogue: 0,0:53:26.62,0:53:36.67,Default,,0000,0000,0000,,peculiar in the PSA case, and that is that\Nif you... let me think. There is rate Dialogue: 0,0:53:36.67,0:53:45.56,Default,,0000,0000,0000,,limiting implemented in the PSA on the\Nengine control module. Is that right? No, Dialogue: 0,0:53:45.56,0:53:51.96,Default,,0000,0000,0000,,on the body control module. And that means\Nthat if you spam challenges, it will at Dialogue: 0,0:53:51.96,0:53:57.44,Default,,0000,0000,0000,,some point no longer give you the\Nresponse, which sounds like a good idea, Dialogue: 0,0:53:57.44,0:54:01.80,Default,,0000,0000,0000,,right? Rate limiting. But they did it on\Nthe wrong side. Dialogue: 0,0:54:01.80,0:54:06.14,Default,,0000,0000,0000,,Q: Okay, great. Thank you.\NHerald: Thank you. Microphone number two, Dialogue: 0,0:54:06.14,0:54:08.61,Default,,0000,0000,0000,,please.\NQ: Have you spotted some kinds of Dialogue: 0,0:54:08.61,0:54:13.48,Default,,0000,0000,0000,,relationship between this, like public\Nidentifier of the car and the secret used Dialogue: 0,0:54:13.48,0:54:20.56,Default,,0000,0000,0000,,to authenticate in the service?\NWouter: Yeah, so if the VIN in some ways Dialogue: 0,0:54:20.56,0:54:28.61,Default,,0000,0000,0000,,could be converted in the secret, the PIN\Ncode of the car. No, I see where you're Dialogue: 0,0:54:28.61,0:54:31.99,Default,,0000,0000,0000,,headed, but I haven't spotted anything\Nlike that. Dialogue: 0,0:54:31.99,0:54:35.25,Default,,0000,0000,0000,,Q: Okay. Thanks.\NHerald: Questions from the Internet? Dialogue: 0,0:54:35.25,0:54:40.54,Default,,0000,0000,0000,,Signal Angel: No more.\NHerald: No more. In this case, ladies and Dialogue: 0,0:54:40.54,0:54:58.64,Default,,0000,0000,0000,,gentlemen, bedankt Wouter Bokslag. Thank\Nyou very much. Dialogue: 0,0:54:58.64,0:55:13.20,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:55:13.20,0:55:15.96,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:55:15.96,0:55:20.00,Default,,0000,0000,0000,,Subtitles created by many many volunteers and\Nthe c3subtitles.de team. Join us, and help us!