DEF CON 31 Talk Schedule

All talks this year will be in person


Friday - August 11th:

Redeploying the Same Vulnerabilities: Exploiting Wireless Side-Channels in Electric Vehicle Charging Protocols

Sebastian Kohler & Richard Baker

FRI 8/11
16:00
40 minutes

The Combined Charging System (CCS), one of the most widely used DC rapid-charging technologies for EVs, is vulnerable to wireless attacks. The charging cable acts as an unintentional antenna, leaking the power-line communication (PLC) signals and letting an adversary inject their own with off-the-shelf radio equipment. We show how we can eavesdrop on charging communication, or terminate multiple charging sessions wirelessly. These vulnerabilities have been known for several years, but are still present in the CCS standards, and the new North American Charging Standard (NACS) uses the same vulnerable physical layer. How do we secure these charging systems now that we're in so deep?

Bios:

Sebastian is a Postdoctoral Research Associate in the Systems Security Lab, Department of Computer Science at the University of Oxford, where he coordinates the research activities in wireless and physical-layer security. His work focuses on the security of various systems, ranging from space and satellite systems to autonomous and electric vehicles. For his work during his PhD, which revealed a serious vulnerability in a widely used electric vehicle charging protocol, he was awarded the EPSRC Doctoral Prize and the MPLS Early Career Research Impact Award.

Richard is a researcher in the wireless security industry and a visiting academic in the Systems Security Lab, Department of Computer Science, Oxford. He was awarded a DPhil in Cybersecurity from the University of Oxford in 2020 and previously an MEng in Computing from Imperial College London in 2010. He is an alumnus of the CDT in Cybersecurity (2014 -- 2019) and a founding member of the Oxford Competitive Computer Security Society / Ox002147 CTF team.

Watch on YouTube



How an automotive security researcher had his car stolen via 'CAN Injection'

FRI 8/11
17:00
40 minutes

Watch on YouTube

The story of the investigation into the device that I believe was used to steal my 2021 Toyota RAV4 in July 2022 using 'CAN Injection'.

There will be low-level details on how the CAN bus works, how the 'theft device' spoofs CAN frames, and how it uses a modified transceiver to stop other ECUs from communicating. We will also explain the disclosure process and possible fixes. The full story is in the blog post: https://kentindell.github.io/2023/04/03/can-injection/


Bios:

Ian Tabor is an automotive security consultant with a passion for car hacking who has found vulnerabilities in his own car and through private car bug bounties. He now runs Car Hacking Village UK and is part of the team behind CHV at DEF CON. He created #Value-pasta-auto, an open-source 'car in a case', and the nano-can PCB and software, which let prospective car hackers build a cheap (<£20) OBD2 car-hacking device.

Dr. Ken Tindell is the CTO of Canis Labs. He obtained his doctorate in real-time systems from the University of York and has spent many years in the automotive industry, focused on tools and technology for in-vehicle real-time embedded systems. He formulated timing analysis for CAN bus to guarantee frame latencies and invented the three-buffer system for CAN controllers to avoid priority inversion. He has co-founded several automotive startups, including LiveDevices (later acquired by Bosch) and Volcano Communications Technologies (later acquired by Mentor Graphics).


Saturday - August 12th:

VDA Shenanigans: Attacking & Defending the Truck Part that Gets Left Behind

Wyatt Ford & Alex Reuter

Sat 8/12
10:00
25 minutes

Watch on YouTube

Vehicle Diagnostic Adapters (VDAs) do a lot! They plug into automobiles, update ECU firmware, and pull diagnostic information. Despite their usefulness and high level of access, they get left behind: in maintenance garages, with insecure update mechanisms, in threat models, and in our hearts. In this presentation we will go through some of our own offensive research into VDAs, and our efforts in decreasing their attack surfaces. We’ll also share how we turned this research into four problems for the DEF CON 30 CHV CTF.



Bios:

Alex Reuter is a security researcher at Red Balloon Security. When he isn't hacking low-level devices, you can probably find him outside: rock climbing, surfing, hiking, or scheming scenic shenanigans.

Wyatt Ford is a senior software engineer and engineering manager at Red Balloon Security and a core maintainer of OFRAK.



Automotive USB Fuzzing: How to Fuzz USB in Vehicles to Discover Real-World Vulnerabilities

Euntae Jang, Donghyeon Jeong, & Jonghyuk Song

Sat 8/12
11:00
40 minutes

Watch on YouTube

In this talk, we propose a practical USB fuzzing method for real cars.

Current USB fuzzing in the automotive industry is usually done by creating malicious media files on a PC, copying them to a USB stick, and inserting the USB stick into the car.

Instead, we performed fuzzing by connecting the PC and the car directly over a USB cable. This method greatly simplifies the whole fuzzing process and saves the tester a lot of effort. It also allows fuzzing not only media-file parsers but also kernel-level components.

We performed fuzzing on real cars using this method and found vulnerabilities in the Volkswagen Jetta, Renault Zoe, GM Chevrolet Equinox, and AGL (Automotive Grade Linux). During this talk, we share the vulnerabilities and the trials and errors we went through fuzzing real cars.


Abusing CAN Bus Protocol Specification for Denial of Service in Embedded Systems

Sat 8/12
12:00
40 minutes

Watch on YouTube

https://github.com/Martyx00

The CAN bus is a traditional communication standard used (not only) in automotive to allow different components to talk to each other over a reliable connection. While one of the primary motivators for introducing CAN bus was to reduce the amount of wiring inside vehicles, it became popular for its robustness, flexibility, and ease of implementation, and it is now used in almost every vehicle.

As with any other protocol, it is a well-defined standard that enforces all aspects of the communication, from the physical medium to the message format and its processing. Formal protocol specifications like this are often seen as the source of absolute truth when working with various transfer protocols. Such specifications are very strict about the format of the messages that belong to the given protocol, so it is natural that developers familiar with a specification often rely on it when developing their applications.

In this talk, we will look at what happens when the attacker decides not to adhere to the protocol specification and uses the available metadata fields within the well-defined message in their own way. Do libraries provided by the device manufacturers handle this situation, or is it left to the developer? And could a wrong assumption about the message format lead to a vulnerability?
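The abstract's question (what happens when a frame's metadata is set to a value the application never expected) can be made concrete with the one metadata field every CAN frame carries: the 4-bit Data Length Code. Per ISO 11898-1 a classic CAN frame with a DLC nibble of 9..15 carries 8 data bytes, while in a CAN FD frame the same nibble values mean 12, 16, 20, 24, 32, 48 or 64 bytes. The C below is an added illustration written for this page, not code from the talk or from any vendor library; the `raw_can_frame` and `app_msg` layouts, the function names and the constructed frame are this example's own assumptions. It places a decoder that trusts the DLC nibble as a byte count beside one that decodes it per frame type and bounds-checks the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame as a driver might hand it to the application: the
 * DLC nibble arrives unchanged from the wire. Layout is this example's
 * own, not a particular controller or vendor API. */
struct raw_can_frame {
    uint32_t id;        /* 11- or 29-bit identifier */
    uint8_t  fd;        /* 1 if the FDF bit was set (CAN FD frame) */
    uint8_t  dlc;       /* Data Length Code nibble, 0..15 */
    uint8_t  data[64];  /* received payload bytes */
};

/* Application-side message: an 8-byte payload followed by a field that
 * the naive decoder silently clobbers. */
struct app_msg {
    uint8_t payload[8];
    uint8_t flags;
    uint8_t reserved[7];
};

/* ISO 11898-1: in a classic frame a DLC of 9..15 still means 8 bytes. */
size_t classic_dlc_to_len(uint8_t dlc)
{
    return dlc > 8 ? 8 : dlc;
}

/* In a CAN FD frame the nibble values 9..15 encode 12..64 bytes. */
size_t fd_dlc_to_len(uint8_t dlc)
{
    static const uint8_t table[16] = {
        0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, 32, 48, 64
    };
    return table[dlc & 0x0f];
}

/* Vulnerable decoder: treats the DLC nibble as a byte count. A classic
 * frame with DLC 15 copies 15 bytes into an 8-byte payload. The copy goes
 * through a pointer to the whole struct so the overrun stays inside the
 * object (well-defined here) while still modelling the real bug. */
size_t naive_decode(const struct raw_can_frame *f, struct app_msg *m)
{
    size_t len = f->dlc;                       /* wrong: nibble != bytes */
    memcpy((uint8_t *)m + offsetof(struct app_msg, payload), f->data, len);
    return len;
}

/* Hardened decoder: decode the DLC according to the frame type, then
 * refuse anything that does not fit the destination. Returns 0 when the
 * frame is rejected. */
size_t safe_decode(const struct raw_can_frame *f, struct app_msg *m)
{
    size_t len = f->fd ? fd_dlc_to_len(f->dlc) : classic_dlc_to_len(f->dlc);
    if (len > sizeof m->payload)
        return 0;                              /* e.g. FD payload on an 8-byte consumer */
    memcpy(m->payload, f->data, len);
    return len;
}

/* Constructed hostile frame: classic CAN, DLC nibble 15, data all 0xAA. */
struct raw_can_frame make_hostile_frame(void)
{
    struct raw_can_frame f;
    memset(&f, 0, sizeof f);
    f.id = 0x7DF;
    f.fd = 0;
    f.dlc = 15;
    memset(f.data, 0xAA, sizeof f.data);
    return f;
}

/* Value of 'flags' after each decoder has handled the hostile frame. */
uint8_t flags_after_naive(void)
{
    struct raw_can_frame f = make_hostile_frame();
    struct app_msg m;
    memset(&m, 0, sizeof m);
    m.flags = 0x01;
    naive_decode(&f, &m);
    return m.flags;     /* 0xAA: overwritten by bytes 8..14 of the copy */
}

uint8_t flags_after_safe(void)
{
    struct raw_can_frame f = make_hostile_frame();
    struct app_msg m;
    memset(&m, 0, sizeof m);
    m.flags = 0x01;
    safe_decode(&f, &m);
    return m.flags;     /* 0x01: untouched, only 8 bytes were copied */
}

int main(void)
{
    printf("naive decoder left flags = 0x%02X\n", flags_after_naive());
    printf("safe  decoder left flags = 0x%02X\n", flags_after_safe());
    return 0;
}
```

The same check matters in the other direction: a consumer written for classic CAN that is fed CAN FD frames, or that applies the FD length table to a classic frame, will also disagree with the sender about how many bytes are valid, so the decoder should key on the frame type rather than on the nibble alone.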



Bio:

Martin is a security engineer working at Accenture in Prague specializing in performing penetration testing of embedded systems. His responsibilities and research areas of interest include but are not limited to reverse engineering, hardware hacking and radio analysis. As an open-source enthusiast, he also developed several open source tools that focus on automation during reverse engineering.