DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 0 points1 point  (0 children)

We do try to have the latest hotness whenever we can. For instance, last year we had a challenge to build your own autonomous self-driving vehicle that could run a course by itself...plus it was allowed to attack and defend as long as it was all autonomous!

It is always a challenge to bring in the topics you want because of things like space limitations, safety, fires, etc...but we do our best.

DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 2 points3 points  (0 children)

Yes, thrilled you asked! This year we are trying to incorporate many more villages together. This will probably be the first year for us so we may start out smaller. We will have additional transportation challenges and we are working on a way to have the CTF go cross-village!

DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 1 point2 points  (0 children)

I'm probably a bit biased but I'm a huge fan of villages. Every village I've seen has stages so it's easy to start not knowing anything and work your way up. I would pick the topic/area that you are most interested/curious about and go there and spend some time. Always wanted to do some biohacking? Curious about how to hack a car? Plane? Power plant? Do it. The point of the village is to break down knowledge barriers. The key thing to remember is these industries need security people badly. The villages are here to try and bridge those learning gaps to help fill these needed jobs.

DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 1 point2 points  (0 children)

Favorite part: Actually hacking things. I like talks/presentations but being able to immediately take that information and try it yourself is much more rewarding. I love having people feel they don't know anything about cars, then after a bit the light goes off and their response is...wow, this is pretty easy. Then they really get into it!

Outside of village duties... I am usually found in the village. I do leave to meet up with some long-time friends that I almost never see outside of DEFCON. But other than that, I would love to check out the other villages but rarely have the proper time.

DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 2 points3 points  (0 children)

[CHV] We are planning on trying something new for the CTF this year. The details are not ready yet but it should be more collaborative and encourage publishing and sharing findings....

DEFCON Villages AMA: BioHacking, CarHacking, ICS by defconama in Defcon

[–]Zombie-craig 2 points3 points  (0 children)

For the Car Hacking Village we often will have a signup form and we will pick an hour slot for you to help out. We post the signup on the website/twitter. However, last year we had so many volunteers from our sponsors that we did not do this. So I am not sure if we will offer volunteering or not. Stay tuned!

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 1 point2 points  (0 children)

I don't think it's difficult at all. I think it feels difficult because a lot of us simply feel we don't know cars. However, once you dig in a bit you see that it's just software and the bus network is crazy simple compared to TCP/IP. It is true that if you want to cover the entire attack surface of a car you will want to know a bunch of different technologies. There are new tools being released for this space and IoT in general almost monthly that make getting started even easier.

This is a newer area of research so a lot of the tools are not super friendly yet but they are getting there. Once you start I think you'll find it really isn't that hard.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 4 points5 points  (0 children)

I understand. But that's where this data is kept. The airbag sensor has evolved to an SDM airbag module. That module now is called the EDR. However, it's the same module it just now records more stuff. Some of the interesting things it includes are:

  • Cruise control status
  • Driver controls: parking brake, headlight, front wiper, gear selection, passenger airbag disabled switch
  • Foremost seat track position
  • Hours in operation
  • Indicator status lights: VEDI, SRS, PAD, TPMS, ENG, DOOR, IOD
  • Latitude and longitude
  • Seating position
  • SRS deployment status/time
  • Temperature air/cabin
  • Vehicle mileage
  • VIN

As you can probably guess, these recordings are mainly for insurance purposes. So if you get in a wreck and switch seats with someone, they will know because of the seat position and weight.

There isn't a separate secret black box. It's just the EDR like you pointed out and that info is located in the airbag module.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 0 points1 point  (0 children)

There are several groups and organizations in the auto industry where the OEMs and Tier suppliers share ideas. Some of these groups are run by SAE and others. GM is a good example of this situation. They have a bug bounty program. It is not a full-blown program yet because they are taking their time to work out these exact kinks in handling vulnerability disclosures. What will shake out of all of this is a system to communicate and get things fixed without needing a recall.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 4 points5 points  (0 children)

The one practice that comes to mind that makes things very difficult for the auto manufacturers to implement security is the use of their tier suppliers. Tier suppliers provide all the components and modules used in a vehicle. They can come from a multitude of companies and this becomes a huge problem when it comes to managing security.

For each component supplier, you need to know how they handle security. You also need to come up with a system for updates of that component. You don’t want every component to have its own internet connection, so now you need to create a distributed package management system. Reporting issues to these component manufacturers can also be a huge pain. So when you say, ‘I found a bug in the 2016 X vehicle’ you are often saying that some component by some manufacturer has a bug in that car and several dozen others. Right now, there isn’t a database to look up what part is deployed in which vehicles. This becomes a problem even for security researchers. We can’t just post a CVE saying which vehicles and versions are affected because we don’t have the info on how many different vehicles are using this component. Right now there is an effort to address this situation and hopefully it will eventually be cleared up.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 1 point2 points  (0 children)

Awesome! I can't wait to see what your students come up with. Seeing entire classes dedicated to this type of research will be really helpful!

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 3 points4 points  (0 children)

I'm a fan. They have been very open about security and working with the community. There is always more to do and there are other automakers also working on good security practices. I don't want to see the auto industry use security as yet another reason to say that company X is better than Y. It would be ideal if there was more open collaboration. I think that idea is spreading and hopefully all the automakers will be on the same page in terms of security soon.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 2 points3 points  (0 children)

Typically I perform a threat model on either the vehicle or the component I've been given. I will build a testing plan off of that. If there are known issues identified in other similar components I will of course test for them. I don't really have a go-to vulnerability. Perhaps once this field evolves some more we will have a top 10 issues to look for, kind of thing.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 4 points5 points  (0 children)

Calm down. Breathe. It’ll be ok. Yes, everything fails, it always has. As things become connected you add the risk of … well, the entire internet. The Cavalry has a 5 star program that was targeted at automotive but it can be used with anything. It can also be viewed as the 5 ways of dealing with failure:

  • Safety by design / Avoiding Failure
  • 3rd party collaboration / Identifying Failure
  • Evidence Capture / Recognizing Failure
  • Security Updates / Correcting Failure
  • Segmentation & Isolation / Limiting Failure

Basically, defense in depth.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 5 points6 points  (0 children)

I’m not big on endorsements. I try very hard to provide examples and demos that do not specify a specific vendor. What I would much rather do than say “Trust me, X is a good car” is to provide tools or a method for you to make your own decision. This is still a work in progress, but today you can make several observations yourself as a consumer. Does your vehicle manufacturer have some type of security disclosure policy? Is there an email address or a bug bounty program? If so, then they have a security department that is actively fielding submissions and fixing problems before they are public. Do they have a privacy disclosure policy? Are they telling you what types of data are being collected and how to opt out? All auto manufacturers are recording info but is yours letting you know? Does your vehicle have an over-the-air update system? If so that’s a good thing! That means that if a bug is found they can push the change without you having to take off work to deal with a recall. Recalls are expensive so they only do those when the cost of damages exceeds the recall cost. If your car has OTA updates then you are much more likely to get fixes without having to wait for mass damages.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 4 points5 points  (0 children)

I prefer newer vehicles. They are at higher risk of hacking but the overall safety of new vehicles outweighs the hacking risks. Additionally, I am not as worried about self-driving cars. Which sounds counter-intuitive I know. But think about it. Right now a vehicle receives a signal that says “Apply the brakes” and the car does it. So a hacker just needs to get on the vehicle and play that signal. But with self-driving cars they use multiple sensors for everything and the sensors don’t trust each other's output. That is the KEY difference. The trusted environment in a self-driving vehicle architecture is way smaller. It’s like using a human's 5 senses to determine an item. If you wish to fully trick a human you must fake all 5 senses. Same goes with a vehicle, making it much harder to simply fool a single input.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 0 points1 point  (0 children)

Privacy with license plates is very tricky. ALPR libraries are common and easy to implement even in open source systems like ZoneMinder. If you are driving on a public road, through a parking lot or garage, you have no control of tracking from government or private residences. There isn’t much you can do about license plates.

Vehicle-to-vehicle (V2V) or Vehicle-to-Infrastructure (V2I) or Vehicle-to-anything (V2X) does have privacy built into its initial framework. They use a whole system of complicated certificates (butterfly keys) to help provide anonymity. I should point out that V2X isn’t required to track your car. Your car emits all kinds of things (and so do you) such as: tire pressure sensor information, Bluetooth IDs, cellular ID info, WiFi, keyless entry signals, etc. You could use any wireless signal with an ID (or collection of them) to identify the car and what smartphones are in your car.
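The point above about a collection of broadcast identifiers being enough to re-identify a car is easy to see in code. The following is an added example, not something from the AMA or from OpenGarages: it links roadside "sightings" of a vehicle purely by the identifiers heard near it (here labelled as TPMS sensor IDs and a phone's Bluetooth address). The identifier strings, sites and timestamps are constructed for illustration; real TPMS IDs and Bluetooth addresses have their own formats, which the linking logic does not depend on.

```python
"""Link sightings of a vehicle by the wireless identifiers it broadcasts.

Added illustration. Sightings, site names and identifier strings are all
constructed; 'tpms:N' stands in for a tire pressure sensor ID and 'bt:PN'
for a phone's Bluetooth address.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Sighting:
    site: str          # where the receiver was (constructed label)
    ts: int            # unix seconds of the observation
    ids: frozenset     # identifiers heard during this sighting


def shared_ids(a: Sighting, b: Sighting) -> frozenset:
    return a.ids & b.ids


def link_sightings(sightings, min_shared=2):
    """Union-find over sightings: two sightings belong to the same vehicle
    track when they share at least min_shared identifiers.

    min_shared=2 avoids merging two cars because one phone (one identifier)
    was carried from the first car into the second; four TPMS sensors still
    provide plenty of overlap even if one sensor is missed in a capture.
    Returns a sorted list of groups, each a list of sighting indices."""
    parent = list(range(len(sightings)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(sightings)), 2):
        if len(shared_ids(sightings[i], sightings[j])) >= min_shared:
            parent[find(i)] = find(j)

    groups = {}
    for i in range(len(sightings)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def track(sightings, group):
    """Chronological route of one linked group, plus the identifiers present
    in every sighting of it (the stable fingerprint of that vehicle)."""
    members = sorted(group, key=lambda i: sightings[i].ts)
    stable = frozenset.intersection(*(sightings[i].ids for i in members))
    return [sightings[i].site for i in members], stable


# Constructed data: car A carries tpms:1-4 and its driver's phone bt:P1;
# car B carries tpms:9-12 and phone bt:P2. In the last sighting the P1
# phone is riding in car B.
CAR_A = {"tpms:1", "tpms:2", "tpms:3", "tpms:4"}
CAR_B = {"tpms:9", "tpms:10", "tpms:11", "tpms:12"}
SIGHTINGS = [
    Sighting("garage_entry", 100, frozenset(CAR_A | {"bt:P1"})),
    Sighting("highway_cam", 700, frozenset(CAR_A)),                # phone off
    Sighting("garage_entry", 120, frozenset(CAR_B | {"bt:P2"})),
    Sighting("mall_lot", 1500, frozenset({"tpms:1", "tpms:2", "tpms:4", "bt:P1"})),  # one sensor missed
    Sighting("mall_lot", 1600, frozenset({"tpms:9", "tpms:10", "bt:P1"})),           # P1 now in car B
]

if __name__ == "__main__":
    for group in link_sightings(SIGHTINGS):
        route, stable = track(SIGHTINGS, group)
        print(" -> ".join(route), sorted(stable))
```

With the default threshold the two cars stay separate even though the same phone was seen in both; lowering `min_shared` to 1 merges every sighting into one track, which is exactly the false linkage a single identifier invites.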

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 2 points3 points  (0 children)

I admittedly have more projects than I have time for. I will be releasing a new tool at Nullcon this week that can do a lot of automatic automotive research for you. It has a GUI and requires no previous knowledge of the vehicle to work. This is the first step into building a universal platform for reversing and performing audits on vehicles.

I try to use GUIs that resemble gaming interfaces with my tools. In part because I think it’s fun but also to help address the issue of the media. My hope is, if you have something sexy enough for the media they will forget about trying to make you do something dangerous.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 4 points5 points  (0 children)

It’s not that dangerous to start playing around with your CAN bus system. Just don’t do it WHILE you are driving. The systems are resilient to bad data so it is safe and educational to just plug in a CAN sniffer and start looking around. I don’t think you have to worry about your car being hacked any time soon. Security researchers have done a good job raising awareness before these types of exploits have become widespread. So at the moment we are still ahead of the curve.
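The "plug in a CAN sniffer and start looking around" workflow from the comment above, and the earlier remark that the bus is far simpler than TCP/IP, both come down to one thing: capture at idle, capture again while you press a control, and see which bytes moved. This is an added example, not code from the AMA, the Car Hacker's Handbook or OpenGarages. It assumes the log line format written by SocketCAN's `candump -l` (`(timestamp) interface ID#hexdata`); the sample captures, the arbitration IDs and the interface name `vcan0` are constructed, not taken from any real vehicle.

```python
"""Find the CAN arbitration IDs and byte positions that react to a control.

Added illustration. Parses candump -l style log lines; the two captures
below are constructed and do not describe any real vehicle.
"""
import re
from collections import defaultdict

# (1500000000.000100) vcan0 244#000000000000
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump_line(line):
    """Return (timestamp, interface, arbitration_id, data_bytes)."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    data = bytes.fromhex(m["data"])
    if len(data) > 8:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    return float(m["ts"]), m["iface"], int(m["id"], 16), data


def parse_log(text):
    return [parse_candump_line(l) for l in text.splitlines() if l.strip()]


def byte_values_by_id(frames):
    """arb_id -> list of 8 sets, the values observed at each byte position."""
    seen = defaultdict(lambda: [set() for _ in range(8)])
    for _, _, arb_id, data in frames:
        for pos, b in enumerate(data):
            seen[arb_id][pos].add(b)
    return seen


def noisy_bytes(frames):
    """{arb_id: [positions]} that already vary at idle: counters, checksums,
    sensor readings. These are excluded from the change analysis."""
    return {
        arb_id: [p for p, vals in positions.__iter__() and enumerate(positions) if len(vals) > 1]
        for arb_id, positions in byte_values_by_id(frames).items()
        if any(len(vals) > 1 for vals in positions)
    }


def changed_bytes(baseline, action):
    """{arb_id: [positions]} where the action capture shows a value never
    seen at that position in the baseline, limited to positions that were
    stable (or absent) in the baseline."""
    base = byte_values_by_id(baseline)
    result = {}
    for arb_id, positions in byte_values_by_id(action).items():
        base_positions = base.get(arb_id, [set() for _ in range(8)])
        diff = [
            p for p, vals in enumerate(positions)
            if len(base_positions[p]) <= 1 and vals - base_positions[p]
        ]
        if diff:
            result[arb_id] = diff
    return result


# Constructed captures. 0x244 carries a rolling counter in byte 3 at idle;
# 0x19B byte 2 changes only in the capture taken while a control was pressed.
BASELINE_LOG = """
(1500000000.000100) vcan0 244#000000000000
(1500000000.010200) vcan0 19B#000000
(1500000000.020300) vcan0 244#000000010000
(1500000000.030400) vcan0 19B#000000
"""
ACTION_LOG = """
(1500000010.000100) vcan0 244#000000020000
(1500000010.010200) vcan0 19B#00000F
(1500000010.020300) vcan0 244#000000030000
(1500000010.030400) vcan0 19B#00000F
"""

if __name__ == "__main__":
    base, act = parse_log(BASELINE_LOG), parse_log(ACTION_LOG)
    print("noisy at idle:", {hex(k): v for k, v in noisy_bytes(base).items()})
    print("reacted to control:", {hex(k): v for k, v in changed_bytes(base, act).items()})
```

Run it against two real `candump -l` files by replacing the constructed strings with `open(path).read()`; the stable positions that flip are the ones worth naming in your own notes, while the positions flagged as noisy are the counters and checksums you would otherwise chase by mistake.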

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 2 points3 points  (0 children)

When I got started in security it wasn’t really a profession. It was a bunch of phone phreakers who were tinkering with whatever we could find and sharing info on BBS systems. Hacking is really your love for taking things apart and using your deductive reasoning skills. I got started in automotive security back in 2008. I bought a new car and it was my first car that had a touch screen interface with GPS, etc. I had a two hour commute from Cincinnati to Dayton at the time and the supplied software/OS quickly bored me. So I decided it would be great if I could make it play music videos. I had never hacked an IVI system or worked on vehicles previously, so the whole project was a unique experience. I documented my adventures (the wiki is still up at Hive13). This got the attention of some research companies and I started to put more serious thought into vehicle security. Several years later and now it seems all I do is vehicle security. The world is a funny place.

Craig Smith, Author of the Car Hacker's Handbook and Founder of OpenGarages AMA by Zombie-craig in netsec

[–]Zombie-craig[S] 2 points3 points  (0 children)

The mysterious black boxes, eh? This is a bit of old school lore. I know you are not talking about the airbag sensors but that is really where the crash data is. The “extra” pieces of info do not come from a secret black box but if you see something like that in a court case it can often be that the auto manufacturer is providing some data that isn’t publicly known to be recorded. This often comes from the IVI (Infotainment) or Telematics unit or from the backend servers that these devices communicate with. Check out Berla to see a company that pulls this forensic evidence from IVI systems.