Smart Keys, What Are They Good For?

Kelly Nogueras Seilhamer

FRIDAY 8/10 • 11:20-11:50 AM
30 min talk

An overview of current Smart Key hacking efforts and their potential uses:

  • Gaining access to the vehicle
  • Denying access to the vehicle
  • Identifying their attack vectors

During this session, we will review the hardware used to detect the signal and share ideas for what we can do after capturing the signal, without gaining access to the car.

CAN Signal Extraction from OpenXC with Radare2

Ben Gardiner

FRIDAY 8/10 • 12:00-12:25 PM
25 min talk

OpenXC builds its firmware -- for both the open and proprietary builds -- using JSON data structures which define the CAN signals. These definitions are akin to the CAN database (.dbc) files. Reverse engineering of the open OpenXC builds (as an educational exercise) reveals that it is a straightforward matter to identify and extract the CAN signal definitions from the binary. Attendees will learn: What are dbc files? How do strings lead reverse engineers to interesting code via backwards cross-references? What tools do attackers use to reverse engineer raw binary firmwares? How do they use them? What are some simple, useful deterrents? How do descriptive data structures -- JSON in particular -- aid attackers in their reverse engineering efforts? What mitigations are possible for this risk? The exposition of machine code in the talk will be via the free radare2 RE tool.

So, You Want To Hack A Car?

Jerry Gamblin

FRIDAY 8/10 • 12:30-1:15 PM
45 min talk

Getting started in car hacking can be a daunting and expensive hobby. In this talk I am going to walk you through what you need to buy (and what you can likely skip). I will also be releasing a quick start guide and a script to help new car hackers build a "Car Hacking" system.

Go Hack Cars

Eric Evenchick

FRIDAY 8/10 • 1:20-1:45 PM
25 min talk



Golang is a pretty nifty language, and it's remarkably well suited for car hacking. SocketCAN provides a great framework for interacting with CAN devices, so why not use it from Go? We'll present an open source Go library for making SocketCAN easy, and show how to work with raw CAN and ISOTP data. Attendees will get all the info they need to start hacking CAN buses with Go.

Meet Salinas, the first ever SMS-commanded Car Infotainment RAT

Dan Regalado

FRIDAY 8/10 • 3:50-4:35 PM
45 min talk

Nowadays any recent car up to 5 years old comes with something called “Infotainment”, this is that iPad-looking screen that allows you to use the GPS Navigation, select your favorite music from your iPod, make or receive calls while speaking through the Car’s speakers, or even ask the Car to read an SMS message for you, that along with the latest self-driving technologies popping up everywhere can no longer be handled by a microcontroller, it requires an embedded OS to support all those features and therefore the world started worrying about the possibility to get Ransomware on the Car or an Infostealer reading all your SMS messages while you are driving, or triggering a DoS on the CAN Bus so that the Car cannot work properly, etc. All those scenarios used to be hypothetical until now, we grabbed an infotainment, broke into it and reverse engineered all its main components with one goal in mind: to infect the Infotainment with malware that can be commanded remotely through SMS messages.

Automotive Evidence Collection – Automotive Driving Aids and Liability


FRIDAY 8/10 • 4:40-5:05 PM
25 min talk

The presentation will cover security implications of GPS and positioning attacks. We will discuss real world attacks and incidents. We will touch upon increased reliance on positioning data in accident reconstruction and assistive driving technologies.

Automotive Flash Bootloaders: Exposing automotive ECU updates

Philip Lapczynski

FRIDAY 8/10 • 5:10-5:55 PM
45 min talk

Unified Diagnostic Services (UDS) provides a powerful interface into vehicle diagnostics. OEMs use these services to update firmware, manipulate calibration data, send and receive information from vehicle ECUs, and now more recently for over the air updates. This talk pulls back the curtain on automotive bootloaders and how poor security design or implementation choices can be used by attackers to exfiltrate firmware or even gain persistent code execution.

Grand theft auto: Digital key hacking


SATURDAY 8/11 • 11:20 AM-12:05 PM
45 min talk

The security of automobile access control systems is a topic often discussed. Today's vehicles rely on key-fob control modules to ensure the vehicle is accessible to authorized users only. While most traditional automobile key-fob systems have been shown to be insecure in the past, here comes a game changer. Instead of the regular key-fob system, some car owners will be able to access their vehicle by having their smartphone authenticate as a digital car key.

In this talk, we will reveal the research and attacks for one of the digital car key systems in the current market. By investigating how these features work, and how to exploit them through different possibilities of attack vectors, we will demonstrate the security limitations of such systems. By the end of this talk, the attendees will not only understand how to exploit these systems, but also which tools can be used to achieve our goals.

Automotive Exploitation Sandbox: A Hands-on Educational Introduction to Embedded Device Exploitation


SATURDAY 8/11 • 12:15-12:40 PM
25 min talk

The Automotive Exploitation Sandbox is a hands-on educational tool designed to provide stakeholders with little to no previous exposure to automotive security a hands-on experience with real hardware following a basic attack chain against a typical automotive development board. The attack chain provides instructions for the user to remotely exploit, escalate privilege, exfiltrate data, and modify memory using synthetic vulnerabilities placed on a remote test platform running an OS and hardware typically found in automotive systems.

An illustrated summary can be found at:

Performance Tuning Tools and their Capabilities

Russell Mosley

SATURDAY 8/11 • 12:45-1:10 PM
25 min talk

An overview of commercial performance tuning tools for vehicles and their uses: engine and transmission performance tuning tools have been around before infosec 'car hacking' was a thing and you should be aware of their capabilities. The presenter will discuss HPtuners, EFI Live, MSD Gold Box, Megasquirt, various handhelds and others, and how they are commonly used.

Misbehavior Detection in V2X networks


SATURDAY 8/11 • 2:35 PM-3:20 PM
45 min talk

There exist several approaches to misbehavior detection in V2X networks in research literature, many of them not necessarily taking automotive restrictions into account. Only a few approaches do, and there is only one approach that has been tested in actual vehicles as far as I know. And that approach has its challenges, although it is an important first step towards implementation. I will present how this (and one or two other) approach works and how it can be tricked. Although misbehavior detection is an integral part of the V2X security system, nobody seems to care that V2X gets deployed, but there is no feasible approach for misbehavior detection. I will present a hypothesis why this is and will discuss it with the audience.


Tim Brom

SATURDAY 8/11 • 3:30-4:15 PM
45 min talk

The Controller Area Network (CAN) bus has been mandated in all cars sold in the United States since 2008. But CAN is terrible in many unique and disturbing ways. CAN has served as a convenient punching bag for automotive security researchers for a plethora of reasons, but all of the available analysis tools share a shortcoming. They invariably use a microcontroller with a built-in CAN peripheral that automatically takes care of the low-level (ISO layer 1 and 2) communication details, and ensures that the CAN peripheral plays nicely and behaves at those low levels. However, a good hardware hacker understands that the sole purpose of the electron is to be bent to our will, and breaking assumptions by making “That CANT happen!” happen is a surefire way to find bugs. CANT is a (partial) CAN bus peripheral implemented in software that allows security researchers to exercise the electrical bus-level error handling capability of CAN devices. The ability to selectively attack specific ECUs in a manner that is not detectable by automotive IDS/IPS systems (see ICS-ALERT-17-209-01) is invaluable to automotive security researchers as more automakers integrate advanced security measures into their vehicles.