1
00:00:00,120 --> 00:00:10,170
so we're gonna start with a little shot

2
00:00:02,760 --> 00:00:15,000
while everybody gets seated chili pepper

3
00:00:10,170 --> 00:00:17,850
liqueur okay so hello everybody and

4
00:00:15,000 --> 00:00:19,289
thank you for coming to our talk we're

5
00:00:17,850 --> 00:00:21,480
gonna be talking about some research

6
00:00:19,289 --> 00:00:25,140
that we did at Argus ozl and I both work

7
00:00:21,480 --> 00:00:28,349
at Argus and it's kind of an interesting

8
00:00:25,140 --> 00:00:30,359
research with some things that looked

9
00:00:28,349 --> 00:00:32,759
revealed but some that don't and at the

10
00:00:30,359 --> 00:00:36,750
end we're gonna tell you why we did all

11
00:00:32,759 --> 00:00:38,510
that this work was actually done by more

12
00:00:36,750 --> 00:00:42,930
than just the two of us so this is a

13
00:00:38,510 --> 00:00:44,519
this is Razi stay high today and this is

14
00:00:42,930 --> 00:00:45,870
she she was doing the signals

15
00:00:44,520 --> 00:00:49,760
intelligence

16
00:00:45,870 --> 00:00:51,989
Rossi's the radio guy this is an Ikea

17
00:00:49,760 --> 00:00:54,718
clothes hanger

18
00:00:51,989 --> 00:00:56,699
don't ask we'll get to that later it

19
00:00:54,719 --> 00:00:59,730
does play a part in the research and I'm

20
00:00:56,699 --> 00:01:02,760
somewhere in the back running the stuff

21
00:00:59,730 --> 00:01:06,060
yes so TPMS who's familiar with TPMS who

22
00:01:02,760 --> 00:01:07,048
knows what TPMS is okay you did your

23
00:01:06,060 --> 00:01:09,119
homework that's nice

24
00:01:07,049 --> 00:01:11,610
so that's basically a device that

25
00:01:09,119 --> 00:01:14,460
measures the amount of pressure that you

26
00:01:11,610 --> 00:01:16,170
have in your tire there's a number of

27
00:01:14,460 --> 00:01:18,119
reasons you want to do that it affects

28
00:01:16,170 --> 00:01:19,950
your fuel consumption the performance of

29
00:01:18,119 --> 00:01:21,509
the wheel if you have a flat tire you

30
00:01:19,950 --> 00:01:24,210
want to know it can cause an accident

31
00:01:21,509 --> 00:01:28,170
and so on this is actually a device that

32
00:01:24,210 --> 00:01:29,520
is inside the rim okay when you fill the

33
00:01:28,170 --> 00:01:31,350
air it goes through that and it has a

34
00:01:29,520 --> 00:01:33,119
little battery inside and it measures

35
00:01:31,350 --> 00:01:35,939
the air pressure and it tells the car

36
00:01:33,119 --> 00:01:39,079
there is a receiver and ECU inside the

37
00:01:35,939 --> 00:01:41,220
car that knows how much air you got now

38
00:01:39,079 --> 00:01:43,610
we're not the first to look into that

39
00:01:41,220 --> 00:01:46,679
this has been extensively researched

40
00:01:43,610 --> 00:01:48,509
this device is not encrypted many people

41
00:01:46,680 --> 00:01:51,360
looked at that reached the conclusion that

42
00:01:48,509 --> 00:01:54,869
you can spoof it and we're not the first

43
00:01:51,360 --> 00:01:56,549
to do that however almost everybody or

44
00:01:54,869 --> 00:01:59,610
not almost everybody who looked into

45
00:01:56,549 --> 00:02:00,990
that reached the conclusion that while it

46
00:01:59,610 --> 00:02:03,780
is not encrypted and can therefore be

47
00:02:00,990 --> 00:02:06,419
spoofed there is really not enough that

48
00:02:03,780 --> 00:02:08,340
you can do with it so it's most of most

49
00:02:06,420 --> 00:02:09,869
of the time it's harmless you can

50
00:02:08,340 --> 00:02:11,250
possibly cause someone to pull over

51
00:02:09,869 --> 00:02:13,140
right if they think they have a flat

52
00:02:11,250 --> 00:02:13,980
tire they're gonna pull over then maybe

53
00:02:13,140 --> 00:02:16,679
you can steal their

54
00:02:13,980 --> 00:02:19,500
car or rob them that's one thing if you

55
00:02:16,680 --> 00:02:21,900
have a self inflating tire then you can

56
00:02:19,500 --> 00:02:23,940
cause over inflation that could be a

57
00:02:21,900 --> 00:02:26,040
problem but very few vehicles have that

58
00:02:23,940 --> 00:02:28,950
mostly military or maybe some big

59
00:02:26,040 --> 00:02:31,379
agriculture ones and the general

60
00:02:28,950 --> 00:02:33,629
consensus is that this is mostly

61
00:02:31,379 --> 00:02:35,940
harmless and the potential for damage is

62
00:02:33,629 --> 00:02:37,709
really small and when you tell us that

63
00:02:35,940 --> 00:02:43,379
the potential for damage is really small

64
00:02:37,709 --> 00:02:45,629
we're like hmm yes let's see now this

65
00:02:43,379 --> 00:02:48,560
research was inspired or the direction

66
00:02:45,629 --> 00:02:50,530
that we took was inspired by this video

67
00:02:48,560 --> 00:02:56,620
we're getting some

68
00:02:50,530 --> 00:02:56,620
[Music]

69
00:03:17,540 --> 00:03:22,609
[Music]

70
00:03:39,170 --> 00:03:42,290
[Music]

71
00:04:01,490 --> 00:04:04,619
[Music]

72
00:04:08,660 --> 00:04:15,390
[Music]

73
00:04:12,710 --> 00:04:21,030
all right so this is a great commercial

74
00:04:15,390 --> 00:04:23,550
and it made us you know think what if we

75
00:04:21,029 --> 00:04:25,500
could cause this sort of distraction on

76
00:04:23,550 --> 00:04:28,080
the larger scale because if it's just

77
00:04:25,500 --> 00:04:30,570
one driver not a lot can happen

78
00:04:28,080 --> 00:04:32,400
everybody is agreeing on that but what

79
00:04:30,570 --> 00:04:35,550
happens if you can do it on a larger

80
00:04:32,400 --> 00:04:37,729
scale so here's the plan

81
00:04:35,550 --> 00:04:41,220
when you're dealing with one vehicle

82
00:04:37,730 --> 00:04:44,400
we're flickering yeah party yeah

83
00:04:41,220 --> 00:04:45,990
guys video flickering so more when

84
00:04:44,400 --> 00:04:47,640
you're dealing with one car this is

85
00:04:45,990 --> 00:04:50,610
basically what you have to do you have

86
00:04:47,640 --> 00:04:53,219
to receive the transmission you have to

87
00:04:50,610 --> 00:04:56,330
decipher what's in there analyze it

88
00:04:53,220 --> 00:04:59,370
parse it use radio equipment to do that

89
00:04:56,330 --> 00:05:01,409
then you need to modify the field that

90
00:04:59,370 --> 00:05:04,280
says how much air pressure you have and

91
00:05:01,410 --> 00:05:07,740
as it turns out not just that there's a

92
00:05:04,280 --> 00:05:09,750
few more interesting details there and

93
00:05:07,740 --> 00:05:11,850
then you have to re transmit if you can

94
00:05:09,750 --> 00:05:14,940
do all that then you will have spoofed

95
00:05:11,850 --> 00:05:16,320
a TPMS message and then you can make

96
00:05:14,940 --> 00:05:19,140
the car think that you're low on air

97
00:05:16,320 --> 00:05:20,700
right but we want to do it at scale to

98
00:05:19,140 --> 00:05:22,860
do it for more than one vehicle at the

99
00:05:20,700 --> 00:05:24,390
same time now this is what you're

100
00:05:22,860 --> 00:05:27,210
looking for this has been researched

101
00:05:24,390 --> 00:05:28,680
before this is what a TPMS message looks

102
00:05:27,210 --> 00:05:30,840
like one of them anyway there are many

103
00:05:28,680 --> 00:05:33,660
types so you can see that you have here

104
00:05:30,840 --> 00:05:35,849
not just the air pressure but a very

105
00:05:33,660 --> 00:05:38,520
important piece of information the ID of

106
00:05:35,850 --> 00:05:41,460
the wheel every single wheel in the car

107
00:05:38,520 --> 00:05:43,380
will have their own ID so you can't just

108
00:05:41,460 --> 00:05:45,900
broadcast a random message you need to

109
00:05:43,380 --> 00:05:47,850
know the particular wheel ID in order for

110
00:05:45,900 --> 00:05:50,039
the car to respond to it so that brings

111
00:05:47,850 --> 00:05:52,590
the level of complexity a little bit up

112
00:05:50,040 --> 00:05:54,840
and you also have you know temperature

113
00:05:52,590 --> 00:05:57,989
which you might not care about and other

114
00:05:54,840 --> 00:05:59,580
flags and there's a CRC so once again you

115
00:05:57,990 --> 00:06:02,130
need to know what you're doing you can't

116
00:05:59,580 --> 00:06:03,510
just change values and retransmit that's

117
00:06:02,130 --> 00:06:06,000
not going to work and this is why a

118
00:06:03,510 --> 00:06:08,789
little bit of research is required so

119
00:06:06,000 --> 00:06:10,979
scaling back up we need to position

120
00:06:08,790 --> 00:06:13,800
multiple receivers why because the

121
00:06:10,979 --> 00:06:16,440
signal is not constant the TPMS

122
00:06:13,800 --> 00:06:19,380
transmitter will transmit anywhere

123
00:06:16,440 --> 00:06:20,669
between once every 15 seconds to up to

124
00:06:19,380 --> 00:06:22,890
two minutes depending on the

125
00:06:20,669 --> 00:06:24,688
configuration so if I want to receive

126
00:06:22,890 --> 00:06:27,269
the TPMS transmission

127
00:06:24,689 --> 00:06:30,089
Rossi's car I don't know where to wait

128
00:06:27,269 --> 00:06:32,939
maybe he just transmitted now maybe it's

129
00:06:30,089 --> 00:06:35,369
gonna transmit in 30 seconds maybe in a

130
00:06:32,939 --> 00:06:37,229
minute right so imagine a long stretch

131
00:06:35,369 --> 00:06:39,629
of roads you have to position multiple

132
00:06:37,229 --> 00:06:42,299
receivers at some point one of them will

133
00:06:39,629 --> 00:06:43,949
receive the signal you have to collect

134
00:06:42,299 --> 00:06:46,558
it analyze it and know what you have to

135
00:06:43,949 --> 00:06:49,319
change in many different types and then

136
00:06:46,559 --> 00:06:51,689
you have to aggregate all of them okay B

137
00:06:49,319 --> 00:06:54,239
of all the vehicles because what we want

138
00:06:51,689 --> 00:06:56,249
to do is reach wordsmith them all at the

139
00:06:54,239 --> 00:06:58,969
exact same time this is kind of a

140
00:06:56,249 --> 00:07:02,909
challenge so this is the attack scenario

141
00:06:58,969 --> 00:07:04,619
anybody here from Denmark or Sweden this

142
00:07:02,909 --> 00:07:07,379
is the bridge between Denmark and Sweden

143
00:07:04,619 --> 00:07:12,059
so imagine the traffic coming from that

144
00:07:07,379 --> 00:07:14,249
way to this way you buy the receiver

145
00:07:12,059 --> 00:07:16,860
this is called the RTL SDR you can buy

146
00:07:14,249 --> 00:07:18,809
it for like nine dollars on eBay really

147
00:07:16,860 --> 00:07:21,329
cheap it can only receive but it's good

148
00:07:18,809 --> 00:07:24,239
enough and you position let's say eight

149
00:07:21,329 --> 00:07:25,979
of them over this stretch of road I

150
00:07:24,239 --> 00:07:28,859
don't remember exactly how long it is

151
00:07:25,979 --> 00:07:30,419
think for maybe five kilometres so it

152
00:07:28,860 --> 00:07:32,669
takes more than two minutes to drive

153
00:07:30,419 --> 00:07:35,399
over that so any single vehicle that

154
00:07:32,669 --> 00:07:37,878
enters this stretch of road will

155
00:07:35,399 --> 00:07:40,589
transmit a TPMS signal at some point

156
00:07:37,879 --> 00:07:42,599
during the travel and we will receive

157
00:07:40,589 --> 00:07:44,759
that okay maybe one maybe more than one

158
00:07:42,599 --> 00:07:48,319
but it's going to happen and then you

159
00:07:44,759 --> 00:07:50,489
buy this device the YardStick One is a

160
00:07:48,319 --> 00:07:51,899
transmitting device as well so this is a

161
00:07:50,489 --> 00:07:53,419
little bit more expensive what was it

162
00:07:51,899 --> 00:07:57,300
like a hundred dollars hundred thirty

163
00:07:53,419 --> 00:08:01,589
something like that and you put the

164
00:07:57,300 --> 00:08:04,889
transmitting device here this is a

165
00:08:01,589 --> 00:08:06,779
tunnel okay now imagine that when all

166
00:08:04,889 --> 00:08:08,879
the vehicle come here a bunch of

167
00:08:06,779 --> 00:08:12,479
vehicles traveling at 120 kilometres an

168
00:08:08,879 --> 00:08:16,800
hour and then 30 of them get this little

169
00:08:12,479 --> 00:08:19,199
and the light goes on you make 30 cars

170
00:08:16,800 --> 00:08:21,659
do that I don't know three drivers will

171
00:08:19,199 --> 00:08:23,519
take their eyes off the road one of

172
00:08:21,659 --> 00:08:25,289
those might be you know starting and

173
00:08:23,519 --> 00:08:28,019
because they're not looking at the road

174
00:08:25,289 --> 00:08:29,429
that's all it takes and in the tunnel

175
00:08:28,019 --> 00:08:31,529
it's gonna be a big problem now I know

176
00:08:29,429 --> 00:08:33,149
I'm the bad guy now but this is where

177
00:08:31,529 --> 00:08:36,299
the white hat I didn't get a white hat I

178
00:08:33,149 --> 00:08:37,470
got a black hat this year so status

179
00:08:36,299 --> 00:08:39,750
report

180
00:08:37,470 --> 00:08:42,960
we succeeded but there was a lot of

181
00:08:39,750 --> 00:08:45,630
failure on the way okay we didn't it

182
00:08:42,960 --> 00:08:47,910
didn't just all go very smoothly and why

183
00:08:45,630 --> 00:08:49,980
because Rossi and I decided that even

184
00:08:47,910 --> 00:08:52,469
though this was already researched you

185
00:08:49,980 --> 00:08:55,530
could find pretty much 90% of what we

186
00:08:52,470 --> 00:08:57,240
wanted to do already done we haven't

187
00:08:55,530 --> 00:08:58,949
done that yet so we wanted to create for

188
00:08:57,240 --> 00:09:01,230
ourselves a learning experience and this

189
00:08:58,950 --> 00:09:03,900
is very important for you guys if you

190
00:09:01,230 --> 00:09:05,790
just copy from you know other people's

191
00:09:03,900 --> 00:09:08,790
work you missed all the stages of

192
00:09:05,790 --> 00:09:10,890
learning and and experiencing and

193
00:09:08,790 --> 00:09:13,860
experimenting which is very important so

194
00:09:10,890 --> 00:09:15,449
we knew that we're going to reinvent the

195
00:09:13,860 --> 00:09:18,240
wheel we're going to do things that

196
00:09:15,450 --> 00:09:19,710
other people had already done and the

197
00:09:18,240 --> 00:09:22,650
meaning of that is that it's gonna cost

198
00:09:19,710 --> 00:09:24,720
us time this will take a lot longer than

199
00:09:22,650 --> 00:09:27,329
it could have taken if we just taken

200
00:09:24,720 --> 00:09:29,130
other people's work and done it but

201
00:09:27,330 --> 00:09:30,930
that's the the route that we chose

202
00:09:29,130 --> 00:09:33,480
because we wanted to learn something

203
00:09:30,930 --> 00:09:36,560
that we hadn't done before and Rossi

204
00:09:33,480 --> 00:09:36,560
will tell you about what we've learned

205
00:09:37,070 --> 00:09:43,020
yeah so I'm gonna tell you a little

206
00:09:39,660 --> 00:09:45,510
about all the stuff that we did know

207
00:09:43,020 --> 00:09:50,069
about the mistakes we did but also about

208
00:09:45,510 --> 00:09:52,530
the good stuff that we did as well so

209
00:09:50,070 --> 00:09:55,440
the first thing was to take a vehicle

210
00:09:52,530 --> 00:09:58,380
and start exploring it and then when we

211
00:09:55,440 --> 00:10:00,420
decided to start the research Inbar

212
00:09:58,380 --> 00:10:03,360
said well no problem I have a TPMS

213
00:10:00,420 --> 00:10:06,780
system in my car we can just explore my

214
00:10:03,360 --> 00:10:09,330
car and then we went out we went down to

215
00:10:06,780 --> 00:10:13,020
the underground garage where Inbar's car

216
00:10:09,330 --> 00:10:15,420
is located and we took an SDR and indeed

217
00:10:13,020 --> 00:10:17,430
we started recording and then the first

218
00:10:15,420 --> 00:10:19,380
signal we found is this signal now this

219
00:10:17,430 --> 00:10:21,719
makes a lot of sense right I mean there

220
00:10:19,380 --> 00:10:24,150
are four tires in a vehicle and there

221
00:10:21,720 --> 00:10:25,770
are four transmissions here although

222
00:10:24,150 --> 00:10:27,600
there are transmissions in several

223
00:10:25,770 --> 00:10:30,470
frequencies but back then we thought we

224
00:10:27,600 --> 00:10:33,330
thought oh maybe those are artifacts

225
00:10:30,470 --> 00:10:36,540
coming from the fact that we misuse the

226
00:10:33,330 --> 00:10:38,550
SDR or because there is some kind of

227
00:10:36,540 --> 00:10:42,810
retransmission mechanism that we are not

228
00:10:38,550 --> 00:10:45,180
aware of that aware of I remind here

229
00:10:42,810 --> 00:10:46,979
that we didn't want to physically touch

230
00:10:45,180 --> 00:10:51,420
the car we want to be able to explore

231
00:10:46,980 --> 00:10:53,910
the car remotely so we started a

232
00:10:51,420 --> 00:10:56,579
we started researching this signal but

233
00:10:53,910 --> 00:10:59,189
then after a few minutes you found

234
00:10:56,580 --> 00:11:00,990
another signal and this signal also

235
00:10:59,190 --> 00:11:03,090
makes sense and not only it makes sense

236
00:11:00,990 --> 00:11:05,040
because we have four transmissions we

237
00:11:03,090 --> 00:11:08,430
also have something that looks like an

238
00:11:05,040 --> 00:11:11,819
invoking transmission right and then at

239
00:11:08,430 --> 00:11:15,380
this point we started to be a little

240
00:11:11,820 --> 00:11:19,530
confused and sometimes these

241
00:11:15,380 --> 00:11:21,420
transmissions where we sometimes we've

242
00:11:19,530 --> 00:11:23,390
seen them sometimes they were gone and

243
00:11:21,420 --> 00:11:25,680
we didn't exactly know what you do now

244
00:11:23,390 --> 00:11:27,120
I'm not sure if you are able to

245
00:11:25,680 --> 00:11:29,160
understand from the spectrum but these

246
00:11:27,120 --> 00:11:32,820
signals are pretty strong and not only

247
00:11:29,160 --> 00:11:35,280
strong we were actually sitting next to

248
00:11:32,820 --> 00:11:39,570
the car and trying to do this recording

249
00:11:35,280 --> 00:11:42,300
this is my car yeah this is Baska so

250
00:11:39,570 --> 00:11:47,130
after seeing multiple signals and after

251
00:11:42,300 --> 00:11:49,620
we we since we were really confused at

252
00:11:47,130 --> 00:11:51,720
at some point we wanted to take we said

253
00:11:49,620 --> 00:11:54,510
okay let's take the vehicle out let's

254
00:11:51,720 --> 00:11:56,940
start driving around and see what we can

255
00:11:54,510 --> 00:11:59,460
find and then it became even more

256
00:11:56,940 --> 00:12:02,220
strange because when we got out there

257
00:11:59,460 --> 00:12:04,800
were no signals at all so Inbar said

258
00:12:02,220 --> 00:12:06,960
okay enough with this enough with this

259
00:12:04,800 --> 00:12:09,870
nonsense I want to take a shortcut I'll

260
00:12:06,960 --> 00:12:12,150
go to the shop I'll take that the sensor

261
00:12:09,870 --> 00:12:14,160
out we'll take a photo of its of the

262
00:12:12,150 --> 00:12:16,770
label on it then we can look it up

263
00:12:14,160 --> 00:12:18,510
online for for the specs and then we can

264
00:12:16,770 --> 00:12:22,910
find out what the hell is going on here

265
00:12:18,510 --> 00:12:26,819
only thing is Inbar's car doesn't have

266
00:12:22,910 --> 00:12:27,689
okay so imagine our surprise here okay

267
00:12:26,820 --> 00:12:30,780
never mind

268
00:12:27,690 --> 00:12:35,490
we recovered pretty quickly and one of

269
00:12:30,780 --> 00:12:38,400
our colleagues gave us his car loaned us

270
00:12:35,490 --> 00:12:41,520
his car so we can research it and then

271
00:12:38,400 --> 00:12:44,850
we said okay so let's let's again let's

272
00:12:41,520 --> 00:12:47,819
take that shortcut let's take the the

273
00:12:44,850 --> 00:12:50,520
new vehicle to the shop take the tire

274
00:12:47,820 --> 00:12:53,610
pressure sensor out and research it and

275
00:12:50,520 --> 00:12:56,670
this is what the label looks like and in

276
00:12:53,610 --> 00:13:00,270
fact that was that was pretty smart move

277
00:12:56,670 --> 00:13:02,339
for three reasons first of all now

278
00:13:00,270 --> 00:13:03,699
we know there is a tyre sensor in the

279
00:13:02,340 --> 00:13:06,220
car right

280
00:13:03,699 --> 00:13:09,248
but the second reason was that because

281
00:13:06,220 --> 00:13:11,259
of that we were able to actually record

282
00:13:09,249 --> 00:13:15,189
the signal in an isolated environment

283
00:13:11,259 --> 00:13:16,600
instead of recording it in a in an

284
00:13:15,189 --> 00:13:18,868
underground parking lot which was

285
00:13:16,600 --> 00:13:21,609
obviously stacked with other signals or

286
00:13:18,869 --> 00:13:24,069
somewhere outside we just took the

287
00:13:21,609 --> 00:13:27,129
sensor into the shop and it was quite

288
00:13:24,069 --> 00:13:29,439
isolated so we we were pretty sure that

289
00:13:27,129 --> 00:13:32,439
we only record that signal it didn't

290
00:13:29,439 --> 00:13:34,689
help us isolate the signal down the

291
00:13:32,439 --> 00:13:39,069
down the road but the third reason was

292
00:13:34,689 --> 00:13:42,969
that since we we only recorded one wheel

293
00:13:39,069 --> 00:13:44,858
we also had recordings of one ID and as

294
00:13:42,970 --> 00:13:47,109
Inbar explained we wanted to extract the

295
00:13:44,859 --> 00:13:51,160
ID so down the path when we wanted to

296
00:13:47,109 --> 00:13:55,559
try and identify where the ID is located

297
00:13:51,160 --> 00:13:59,019
in the signal that helped us a lot

298
00:13:55,559 --> 00:14:01,779
so after we got the label and we got the

299
00:13:59,019 --> 00:14:06,100
FCC ID we looked in online and obviously

300
00:14:01,779 --> 00:14:08,439
that made things much easier for us and

301
00:14:06,100 --> 00:14:10,269
we also managed to actually get the

302
00:14:08,439 --> 00:14:13,179
specifications of the signal of the

303
00:14:10,269 --> 00:14:16,779
signal as well as finding out all kinds

304
00:14:13,179 --> 00:14:19,988
of of new information we we weren't

305
00:14:16,779 --> 00:14:22,629
aware of so for example here you can

306
00:14:19,989 --> 00:14:24,910
hardly see but we found out that there

307
00:14:22,629 --> 00:14:27,939
is a distinction between how the vehicle

308
00:14:24,910 --> 00:14:32,439
behaves when it is in parking and

309
00:14:27,939 --> 00:14:33,910
between when it is in Drive so again

310
00:14:32,439 --> 00:14:35,498
this helped us understand more and

311
00:14:33,910 --> 00:14:38,049
obviously after that it was quite easy

312
00:14:35,499 --> 00:14:39,809
to find a signal so you could see those

313
00:14:38,049 --> 00:14:43,569
four transmissions and this is the

314
00:14:39,809 --> 00:14:47,108
baseband view of the signal then we

315
00:14:43,569 --> 00:14:49,899
could extract all the information and

316
00:14:47,109 --> 00:14:53,649
indeed from the documentation online and

317
00:14:49,899 --> 00:14:56,470
from what we saw on the vehicle we

318
00:14:53,649 --> 00:14:57,819
could extract the the following

319
00:14:56,470 --> 00:15:01,689
information this is not different from

320
00:14:57,819 --> 00:15:04,029
previous research it's only

321
00:15:01,689 --> 00:15:06,910
something that was unique to our sensors

322
00:15:04,029 --> 00:15:09,970
and helped us down the path with the

323
00:15:06,910 --> 00:15:14,640
with the analysis so in that at that

324
00:15:09,970 --> 00:15:18,000
point we were able to quickly

325
00:15:14,640 --> 00:15:19,769
that quickly build a receiver now at

326
00:15:18,000 --> 00:15:21,930
that point we still didn't have all the

327
00:15:19,769 --> 00:15:24,839
information so we couldn't build the

328
00:15:21,930 --> 00:15:27,510
entire receiving chain right so what we

329
00:15:24,839 --> 00:15:30,930
did here we did just a basic we use the

330
00:15:27,510 --> 00:15:32,899
basic receiver we use some energy based

331
00:15:30,930 --> 00:15:36,149
detection of the signal then we

332
00:15:32,899 --> 00:15:38,040
separated the signals that we use the

333
00:15:36,149 --> 00:15:40,260
transmissions as we received two

334
00:15:38,040 --> 00:15:42,170
different files then we did all the rest

335
00:15:40,260 --> 00:15:46,890
of the chain extracting the bits and

336
00:15:42,170 --> 00:15:49,399
determining whether it is it is a TPMS

337
00:15:46,890 --> 00:15:53,939
transmission or something else manually

338
00:15:49,399 --> 00:15:58,200
and at that point we got a lot of a lot

339
00:15:53,940 --> 00:16:00,300
of a lot of recordings and at that point

340
00:15:58,200 --> 00:16:02,519
we used the fact that we have a lot of

341
00:16:00,300 --> 00:16:04,349
recordings to do some statistical

342
00:16:02,519 --> 00:16:06,930
analysis now the statistical analysis

343
00:16:04,350 --> 00:16:11,310
means that I have a lot of packets so I

344
00:16:06,930 --> 00:16:15,329
can do I can try and find out all kinds

345
00:16:11,310 --> 00:16:18,329
of patterns in the signal and sometimes

346
00:16:15,329 --> 00:16:19,920
we use just common sense stuff that help

347
00:16:18,329 --> 00:16:23,370
us and sometimes we use something that

348
00:16:19,920 --> 00:16:25,500
is more complicated so the most basic

349
00:16:23,370 --> 00:16:27,750
one and Inbar did it like a minute

350
00:16:25,500 --> 00:16:30,930
after we got all the all the recordings

351
00:16:27,750 --> 00:16:35,279
it just replaced the ones and zeros in

352
00:16:30,930 --> 00:16:38,790
with dots and lines right and it looks maybe

353
00:16:35,279 --> 00:16:42,029
dumb or maybe funny but when you look at

354
00:16:38,790 --> 00:16:44,550
it closely you can really see different

355
00:16:42,029 --> 00:16:47,220
patterns so it really helped us guessing

356
00:16:44,550 --> 00:16:51,479
where the ID is located where other

357
00:16:47,220 --> 00:16:55,709
information that we estimate is static

358
00:16:51,480 --> 00:16:57,899
is located and where there is no static

359
00:16:55,709 --> 00:16:59,969
information so for example CRC right

360
00:16:57,899 --> 00:17:03,420
because yours is also it's not

361
00:16:59,970 --> 00:17:05,730
deterministic something a little clever

362
00:17:03,420 --> 00:17:08,699
that we did is we use the fact that this

363
00:17:05,730 --> 00:17:11,849
signal uses Manchester encoding anybody

364
00:17:08,699 --> 00:17:15,059
knows Manchester encoding here okay not

365
00:17:11,849 --> 00:17:16,799
a lot so one of the main characteristic

366
00:17:15,059 --> 00:17:19,290
of Manchester encoding is that there are

367
00:17:16,799 --> 00:17:22,829
some patterns that are legit and some

368
00:17:19,290 --> 00:17:26,399
patterns that are not so 0 1 1 0 1 1 0 0

369
00:17:22,829 --> 00:17:27,119
are valid packets but for example 0 0 0

370
00:17:26,400 --> 00:17:31,650
or

371
00:17:27,119 --> 00:17:35,879
1-1 or longer repetitions are not valid

372
00:17:31,650 --> 00:17:38,520
that this helped us both realizing where

373
00:17:35,880 --> 00:17:43,350
packet ends and also finding out whether

374
00:17:38,520 --> 00:17:47,820
this packet is corrupted or not and so

375
00:17:43,350 --> 00:17:50,719
on in others in other things we stood on

376
00:17:47,820 --> 00:17:53,309
the shoulders of giants we didn't try to

377
00:17:50,720 --> 00:17:56,910
actually reinvent the wheel but we did

378
00:17:53,309 --> 00:17:59,340
use some some previous work and we build

379
00:17:56,910 --> 00:18:03,480
upon it so for example to find the tire

380
00:17:59,340 --> 00:18:07,470
ID so we used previous research that had

381
00:18:03,480 --> 00:18:10,500
some scripts that did some packet some

382
00:18:07,470 --> 00:18:13,470
statistical analysis and we build our

383
00:18:10,500 --> 00:18:15,870
own script for example to find the tire

384
00:18:13,470 --> 00:18:18,600
the tire ID so what we did here is that

385
00:18:15,870 --> 00:18:23,309
we knew or we guessed that the tire ID

386
00:18:18,600 --> 00:18:25,980
is 32 bytes to 32 bits sorry and then we

387
00:18:23,309 --> 00:18:30,928
took a sliding window and we looked on

388
00:18:25,980 --> 00:18:33,000
every 32 by 32 bits window inside the

389
00:18:30,929 --> 00:18:36,000
transmission and then we asked ourselves

390
00:18:33,000 --> 00:18:38,280
how many unique values there are through

391
00:18:36,000 --> 00:18:41,460
the all the transmissions through all

392
00:18:38,280 --> 00:18:43,860
the recordings that we had and finally

393
00:18:41,460 --> 00:18:47,370
we found out one window that only had

394
00:18:43,860 --> 00:18:49,199
four unique values and that gave us a

395
00:18:47,370 --> 00:18:51,000
guess where the ID is because

396
00:18:49,200 --> 00:18:55,110
obviously there are in the vehicle only

397
00:18:51,000 --> 00:18:57,000
four valid IDs for four tires and another

398
00:18:55,110 --> 00:18:58,770
thing was finding these CRC parameters

399
00:18:57,000 --> 00:19:00,600
so again here we use something that

400
00:18:58,770 --> 00:19:03,629
already exists we use the brute force

401
00:19:00,600 --> 00:19:07,260
CRC library that is available on github

402
00:19:03,630 --> 00:19:09,090
and perhaps it doesn't say much to a lot of

403
00:19:07,260 --> 00:19:10,800
you but this actually is the information

404
00:19:09,090 --> 00:19:13,740
that we needed in order to be able to

405
00:19:10,800 --> 00:19:17,879
rebuild the packet with the right CRC

406
00:19:13,740 --> 00:19:21,990
values okay with that information we

407
00:19:17,880 --> 00:19:24,690
were able to make to extend the

408
00:19:21,990 --> 00:19:25,580
receiving chain and actually start

409
00:19:24,690 --> 00:19:29,910
parsing

410
00:19:25,580 --> 00:19:33,510
packets from the air right so this is

411
00:19:29,910 --> 00:19:36,690
exactly what we did and we we build

412
00:19:33,510 --> 00:19:38,640
something that automatically as you can

413
00:19:36,690 --> 00:19:40,830
see automatically detects

414
00:19:38,640 --> 00:19:43,410
transmissions and then in a few after a few

415
00:19:40,830 --> 00:19:48,270
seconds or few milliseconds it displays

416
00:19:43,410 --> 00:19:50,490
the the received transmission and you

417
00:19:48,270 --> 00:19:52,800
can see it looks quite nice here right

418
00:19:50,490 --> 00:19:56,820
it parses quite nicely and the reason

419
00:19:52,800 --> 00:20:00,419
for that is because I did that in my lab

420
00:19:56,820 --> 00:20:02,629
back on my lab bench when you go but

421
00:20:00,420 --> 00:20:06,620
when you when we went out and we started

422
00:20:02,630 --> 00:20:09,530
receiving transmission or over-the-air

423
00:20:06,620 --> 00:20:11,850
now it doesn't look quite nicely right

424
00:20:09,530 --> 00:20:14,160
so we have a lot of packets here that

425
00:20:11,850 --> 00:20:18,899
are corrupted and we have a lot of stuff

426
00:20:14,160 --> 00:20:21,980
here that longer or signals that are not

427
00:20:18,900 --> 00:20:24,000
related at all to TPMS sensors and so on

428
00:20:21,980 --> 00:20:25,920
another by the way another funny thing

429
00:20:24,000 --> 00:20:28,740
is that you don't hear me you can see me

430
00:20:25,920 --> 00:20:31,470
speaking in the video and you can hear

431
00:20:28,740 --> 00:20:35,940
no audio this is for the plain reason I

432
00:20:31,470 --> 00:20:39,060
forgot to turn on the microphone so okay

433
00:20:35,940 --> 00:20:41,040
moving on so we wanted to make sure that

434
00:20:39,060 --> 00:20:43,530
we are actually able to receive signals

435
00:20:41,040 --> 00:20:46,350
from all the vehicles as Inbar explained

436
00:20:43,530 --> 00:20:48,720
we wanted to take a highway or somewhere

437
00:20:46,350 --> 00:20:53,639
with a lot of vehicles and receive all

438
00:20:48,720 --> 00:20:55,740
those transmissions now we we took a so

439
00:20:53,640 --> 00:20:58,380
we thought about a highway so a typical

440
00:20:55,740 --> 00:21:01,230
highway has six lanes every lane is like

441
00:20:58,380 --> 00:21:02,880
about five meters and we wanted so we

442
00:21:01,230 --> 00:21:05,340
wanted to make sure that we can receive

443
00:21:02,880 --> 00:21:08,100
from approximately thirty meters and

444
00:21:05,340 --> 00:21:09,889
then we did some theoretical

445
00:21:08,100 --> 00:21:12,270
calculations and we found out that

446
00:21:09,890 --> 00:21:15,240
theoretically we could receive from

447
00:21:12,270 --> 00:21:17,580
hundreds of meters so we were lazy we

448
00:21:15,240 --> 00:21:20,820
said okay so Argus's offices are

449
00:21:17,580 --> 00:21:22,620
watching just over Ayalon Road in

450
00:21:20,820 --> 00:21:26,280
Israel which is one of the busiest

451
00:21:22,620 --> 00:21:28,469
highways that that we have so we said

452
00:21:26,280 --> 00:21:30,960
okay let's be lazy let's sit in the

453
00:21:28,470 --> 00:21:35,340
office let's take an antenna and here's

454
00:21:30,960 --> 00:21:38,610
where the the coat rack took took a

455
00:21:35,340 --> 00:21:41,399
major major place in our research and

456
00:21:38,610 --> 00:21:43,260
which we can just kill the antenna

457
00:21:41,400 --> 00:21:45,330
towards the highway and then we can

458
00:21:43,260 --> 00:21:47,790
receive everything and we are in the air

459
00:21:45,330 --> 00:21:48,860
conditioning and we are happy we can just

460
00:21:47,790 --> 00:21:53,809
hit and hack out

461
00:21:48,860 --> 00:21:56,990
in hack cars but unfortunately this did

462
00:21:53,809 --> 00:21:59,600
not work right because for some reason

463
00:21:56,990 --> 00:22:03,110
we were not able to to receive those

464
00:21:59,600 --> 00:22:05,389
signals probably because of the of other

465
00:22:03,110 --> 00:22:07,790
interruptions because there was a lot of

466
00:22:05,390 --> 00:22:10,429
metal outside of the building you can

467
00:22:07,790 --> 00:22:13,428
see that the the windows themselves are

468
00:22:10,429 --> 00:22:17,090
made of aluminium and eventually we had

469
00:22:13,429 --> 00:22:18,980
no choice so inbar had to get get to the

470
00:22:17,090 --> 00:22:23,389
side of the highway and do the

471
00:22:18,980 --> 00:22:25,669
measurement there but once we did that

472
00:22:23,390 --> 00:22:29,510
we were able to actually receive those

473
00:22:25,669 --> 00:22:32,150
signals next was spoofing the signal

474
00:22:29,510 --> 00:22:33,919
okay and that was also a challenge so at

475
00:22:32,150 --> 00:22:37,760
the beginning we we we said okay let's

476
00:22:33,919 --> 00:22:41,299
do a very very simple replay attack

477
00:22:37,760 --> 00:22:43,280
right because we want to divide the we

478
00:22:41,299 --> 00:22:47,110
wanted to reduce the risk and we say

479
00:22:43,280 --> 00:22:51,080
probably we can if we can receive and

480
00:22:47,110 --> 00:22:56,809
record a low low pressure signal and

481
00:22:51,080 --> 00:23:00,020
then replay it after we after we inflate

482
00:22:56,809 --> 00:23:03,740
the tires back then probably we will

483
00:23:00,020 --> 00:23:05,510
have a low tire a lot higher alarm and

484
00:23:03,740 --> 00:23:09,559
we used for that purpose we used the

485
00:23:05,510 --> 00:23:12,110
HackRF so that is able to both receive

486
00:23:09,559 --> 00:23:14,480
and transmit those signals the problem

487
00:23:12,110 --> 00:23:17,360
was that it didn't work

488
00:23:14,480 --> 00:23:19,520
so for some reason when we recorded a

489
00:23:17,360 --> 00:23:23,990
signal try to replay it in the vehicle

490
00:23:19,520 --> 00:23:25,879
it just didn't work later on we found

491
00:23:23,990 --> 00:23:27,770
out that we cut probably because there

492
00:23:25,880 --> 00:23:31,490
is there is a difference between whether

493
00:23:27,770 --> 00:23:33,620
the car is standing and in the move that

494
00:23:31,490 --> 00:23:36,049
probably was the reason why we weren't

495
00:23:33,620 --> 00:23:39,229
able to do the replay correctly however

496
00:23:36,049 --> 00:23:41,210
the problem with that method was you

497
00:23:39,230 --> 00:23:45,260
cannot debug it right you just record a

498
00:23:41,210 --> 00:23:48,500
signal you send it again it either works

499
00:23:45,260 --> 00:23:50,419
or not right so we said okay let's try

500
00:23:48,500 --> 00:23:53,929
to do something maybe a little a little

501
00:23:50,419 --> 00:23:56,210
more complicated but by the way that

502
00:23:53,929 --> 00:23:58,460
will allow us to actually debug the

503
00:23:56,210 --> 00:24:00,890
entire process so we threw the HackRF

504
00:23:58,460 --> 00:24:01,929
to the side and we took the YARD Stick

505
00:24:00,890 --> 00:24:03,220
One just

506
00:24:01,929 --> 00:24:05,080
one to those who don't know it's

507
00:24:03,220 --> 00:24:09,490
actually a radio that can be controlled

508
00:24:05,080 --> 00:24:13,449
by a pretty simple Python interface and

509
00:24:09,490 --> 00:24:15,369
again we we said okay let's work on the

510
00:24:13,450 --> 00:24:16,840
bench before we get down to the vehicle

511
00:24:15,369 --> 00:24:19,809
let's make sure that everything is

512
00:24:16,840 --> 00:24:23,019
working on a bench then we'll get to the

513
00:24:19,809 --> 00:24:25,539
vehicle and indeed it worked and you can

514
00:24:23,019 --> 00:24:28,179
see here the tire pressure it's in psi

515
00:24:25,539 --> 00:24:30,999
and I'm not sure if you are if you know

516
00:24:28,179 --> 00:24:33,039
but there is no 101 psi in a vehicle

517
00:24:30,999 --> 00:24:36,149
that's very problematic and obviously this

518
00:24:33,039 --> 00:24:40,749
is because we were able to spoof the

519
00:24:36,149 --> 00:24:42,580
tire pressure okay moving on so we were

520
00:24:40,749 --> 00:24:44,919
pretty happy right because that was one

521
00:24:42,580 --> 00:24:48,158
of the main risks that that we had we

522
00:24:44,919 --> 00:24:50,769
wanted to be able to transmit to a

523
00:24:48,159 --> 00:24:52,649
vehicle and spoof the signal so we went

524
00:24:50,769 --> 00:24:54,820
down and we said okay let's try to

525
00:24:52,649 --> 00:24:57,039
experience experiment with the

526
00:24:54,820 --> 00:25:00,700
transmitter let's try to find out how

527
00:24:57,039 --> 00:25:03,369
far we can transmit the this spoofed the

528
00:25:00,700 --> 00:25:05,499
spoofed signal and you can see Inbar here

529
00:25:03,369 --> 00:25:08,559
we went down to the to the underground

530
00:25:05,499 --> 00:25:11,139
parking lot and we used again the coat

531
00:25:08,559 --> 00:25:14,678
rack with the directional antenna and

532
00:25:11,139 --> 00:25:16,600
you have the setup here and again you

533
00:25:14,679 --> 00:25:19,570
know when you reinvent the wheel you

534
00:25:16,600 --> 00:25:23,889
find out all kinds of crazy stuff for

535
00:25:19,570 --> 00:25:26,320
example the code did not run on Inbar's

536
00:25:23,889 --> 00:25:28,449
computer for some reason kept running on

537
00:25:26,320 --> 00:25:30,668
the computer it's a Python command you

538
00:25:28,450 --> 00:25:32,740
send the YARD Stick One yeah the computer

539
00:25:30,669 --> 00:25:35,259
plays no part in this and Inbar and I

540
00:25:32,740 --> 00:25:37,240
have basically the same laptop right I

541
00:25:35,259 --> 00:25:40,029
mean he has a MacBook I have a little or

542
00:25:37,240 --> 00:25:42,580
maybe a little older MacBook

543
00:25:40,029 --> 00:25:45,460
but for some reason you just did not

544
00:25:42,580 --> 00:25:49,449
work so eventually we had to use my

545
00:25:45,460 --> 00:25:51,369
laptop and Inbar was pretty frustrated and

546
00:25:49,450 --> 00:25:54,399
we didn't find out the reason yet but

547
00:25:51,369 --> 00:25:57,549
hopefully we do that in the future so

548
00:25:54,399 --> 00:26:00,309
after all these failure descriptions and

549
00:25:57,549 --> 00:26:01,779
after all that stuff let's show you what

550
00:26:00,309 --> 00:26:03,940
really happened just before I play the

551
00:26:01,779 --> 00:26:06,399
video I'm sorry we couldn't actually

552
00:26:03,940 --> 00:26:08,590
take a video of the take a good the

553
00:26:06,399 --> 00:26:11,408
focus of the details however when there

554
00:26:08,590 --> 00:26:12,240
is a a low tire pressure the screen here

555
00:26:11,409 --> 00:26:17,870
will turn

556
00:26:12,240 --> 00:26:17,870
red so pay attention okay ready

557
00:26:18,559 --> 00:26:22,580
start now

558
00:26:23,309 --> 00:26:39,879
okay awesome it's working so at that

559
00:26:34,510 --> 00:26:42,429
point we were able to receive TPMS

560
00:26:39,880 --> 00:26:44,799
sensor TPMS sensor transmissions from

561
00:26:42,429 --> 00:26:47,830
the highway we were able to successfully

562
00:26:44,799 --> 00:26:50,889
spoof a vehicle from over 30 meters so

563
00:26:47,830 --> 00:26:54,668
that parking lot was pretty pretty is

564
00:26:50,889 --> 00:26:57,820
pretty why a large and we tried several

565
00:26:54,669 --> 00:26:59,380
scenarios I tried we tried taking the

566
00:26:57,820 --> 00:27:03,820
vehicles from the sides and so on

567
00:26:59,380 --> 00:27:06,700
everything worked pretty great and we

568
00:27:03,820 --> 00:27:10,260
succeeded in stripping a received TPMS

569
00:27:06,700 --> 00:27:13,750
transmission rebuild it with our own

570
00:27:10,260 --> 00:27:17,500
tire pressure value and then we transmit

571
00:27:13,750 --> 00:27:19,269
it so currently we're working on the

572
00:27:17,500 --> 00:27:22,179
backend setup so as Inbar explained

573
00:27:19,269 --> 00:27:24,460
before we want to really scale it up

574
00:27:22,179 --> 00:27:27,880
so for that purpose we need to be able

575
00:27:24,460 --> 00:27:30,580
to take those transmissions those

576
00:27:27,880 --> 00:27:33,370
receive transmissions rebuild the packet

577
00:27:30,580 --> 00:27:35,620
send it to all those transmissions on

578
00:27:33,370 --> 00:27:38,939
the on the bridge and then send it back

579
00:27:35,620 --> 00:27:41,949
again so we're now working on that

580
00:27:38,940 --> 00:27:46,029
because we are going to use a very

581
00:27:41,950 --> 00:27:51,130
simple VPN setup this will and this will

582
00:27:46,029 --> 00:27:53,110
help us scale up the entire setup pretty

583
00:27:51,130 --> 00:27:55,480
quickly and this indeed already worked

584
00:27:53,110 --> 00:27:59,799
already working and we're just

585
00:27:55,480 --> 00:28:01,630
finalizing that cell okay what's next so

586
00:27:59,799 --> 00:28:04,679
we have a few challenges here the first

587
00:28:01,630 --> 00:28:07,059
one is to be able to handle multiple

588
00:28:04,679 --> 00:28:07,870
transmission methods multiple

589
00:28:07,059 --> 00:28:11,070
modulations

590
00:28:07,870 --> 00:28:15,489
this one was based on in frequency

591
00:28:11,070 --> 00:28:17,080
modulated signal however we know that

592
00:28:15,490 --> 00:28:20,260
there are some sensors that use

593
00:28:17,080 --> 00:28:22,510
amplitude Bay amplitude based

594
00:28:20,260 --> 00:28:24,970
modulations and so on so we need to take

595
00:28:22,510 --> 00:28:28,750
care of that obviously we need to find

596
00:28:24,970 --> 00:28:30,580
out how other sensors work and how they

597
00:28:28,750 --> 00:28:32,190
are built and to be able to parse them

598
00:28:30,580 --> 00:28:34,439
correctly

599
00:28:32,190 --> 00:28:37,140
and to be able to synchronize everything

600
00:28:34,440 --> 00:28:39,180
so as Inbar said we need to be able to

601
00:28:37,140 --> 00:28:41,070
receive everything aggregate everything

602
00:28:39,180 --> 00:28:43,710
and then transmit everything on the same

603
00:28:41,070 --> 00:28:48,450
time so this is another challenge that

604
00:28:43,710 --> 00:28:50,850
we are still facing so as responsible

605
00:28:48,450 --> 00:28:52,620
security researchers I told you I didn't

606
00:28:50,850 --> 00:28:55,800
get my white hat but I actually have it

607
00:28:52,620 --> 00:28:56,969
you cannot disclose a problem or tell

608
00:28:55,800 --> 00:28:59,639
the world something is wrong without

609
00:28:56,970 --> 00:29:01,380
offering ways to solve it right because

610
00:28:59,640 --> 00:29:05,460
otherwise you just gave the bad guys

611
00:29:01,380 --> 00:29:06,780
ideas and weapons obviously okay the

612
00:29:05,460 --> 00:29:08,970
number one problem here is that the

613
00:29:06,780 --> 00:29:11,250
signal is not encrypted so the trivial

614
00:29:08,970 --> 00:29:12,840
thing to say is let's encrypt a signal

615
00:29:11,250 --> 00:29:15,600
but here's a problem

616
00:29:12,840 --> 00:29:17,929
this is the TPMS it's really small it's

617
00:29:15,600 --> 00:29:21,570
running on a small battery this is not a

618
00:29:17,930 --> 00:29:24,000
real computer so if you have to do

619
00:29:21,570 --> 00:29:25,649
encryption you might need to get into

620
00:29:24,000 --> 00:29:28,140
costs the whole design of this thing

621
00:29:25,650 --> 00:29:30,360
might need to change because the

622
00:29:28,140 --> 00:29:32,310
architecture of or the the

623
00:29:30,360 --> 00:29:34,949
microelectronics inside are not strong

624
00:29:32,310 --> 00:29:37,050
enough to do the encryption and also how

625
00:29:34,950 --> 00:29:38,370
do you synchronize the keys what happens

626
00:29:37,050 --> 00:29:41,129
if you change the tire

627
00:29:38,370 --> 00:29:43,560
so now your car needs to know the new tire

628
00:29:41,130 --> 00:29:45,450
the new wheel or maybe the new wheel

629
00:29:43,560 --> 00:29:47,730
needs to know the encryption key for the

630
00:29:45,450 --> 00:29:50,730
car so this gets complicated this is not

631
00:29:47,730 --> 00:29:52,590
really a viable option also one thing

632
00:29:50,730 --> 00:29:54,990
you could do to mitigate the problem

633
00:29:52,590 --> 00:29:56,730
right now the vehicle is listening to

634
00:29:54,990 --> 00:29:59,670
the wheel so whenever the wheel is

635
00:29:56,730 --> 00:30:02,130
speaking the vehicle is listening if you

636
00:29:59,670 --> 00:30:04,170
change that and you said okay from now

637
00:30:02,130 --> 00:30:07,380
on I don't care what the wheel is saying

638
00:30:04,170 --> 00:30:09,270
unless I ask it first hey wheel how much

639
00:30:07,380 --> 00:30:11,210
pressure do you have then he tells me

640
00:30:09,270 --> 00:30:13,290
then that would make the attack

641
00:30:11,210 --> 00:30:16,350
significantly harder because I would

642
00:30:13,290 --> 00:30:18,600
have to listen to the question and then

643
00:30:16,350 --> 00:30:22,919
get into a race condition with the wheel

644
00:30:18,600 --> 00:30:25,500
and answer over the wheel right that's

645
00:30:22,920 --> 00:30:28,020
really a lot more complicated and it

646
00:30:25,500 --> 00:30:30,420
might not even succeed right but

647
00:30:28,020 --> 00:30:33,750
actually the best way to mitigate with

648
00:30:30,420 --> 00:30:36,030
existing hardware is to correlate the

649
00:30:33,750 --> 00:30:38,790
signal with other sensors you already

650
00:30:36,030 --> 00:30:40,710
have in your car for example all modern

651
00:30:38,790 --> 00:30:44,240
vehicles have a sensor that tells them

652
00:30:40,710 --> 00:30:48,380
how fast the wheel is turning

653
00:30:44,240 --> 00:30:51,470
because it's used for skid alert and ABS

654
00:30:48,380 --> 00:30:54,560
so when the tire changes significantly

655
00:30:51,470 --> 00:30:56,600
the rotational speed changes as well so

656
00:30:54,560 --> 00:30:58,820
if you get a low tire alert but the

657
00:30:56,600 --> 00:31:00,649
wheel is still turning in the same speed

658
00:30:58,820 --> 00:31:03,110
at the same speed then you know

659
00:31:00,650 --> 00:31:04,760
something is wrong you cannot trust the

660
00:31:03,110 --> 00:31:07,669
pressure and there are other ways to do

661
00:31:04,760 --> 00:31:09,890
that some passive TPMS actually look at

662
00:31:07,670 --> 00:31:12,230
the balance of the car if you have a low

663
00:31:09,890 --> 00:31:14,060
tire pressure then one one side of the

664
00:31:12,230 --> 00:31:17,060
car is a little bit low so you already

665
00:31:14,060 --> 00:31:19,490
have existing sensors and signals that

666
00:31:17,060 --> 00:31:21,740
you can correlate with and know if this

667
00:31:19,490 --> 00:31:24,470
is a fake signal or not but of course

668
00:31:21,740 --> 00:31:26,360
it's hard for us to tell the car

669
00:31:24,470 --> 00:31:29,600
manufacturers how to fix their problems

670
00:31:26,360 --> 00:31:32,270
but the number one problem is us we need

671
00:31:29,600 --> 00:31:34,159
to keep our eyes on the road if we knew

672
00:31:32,270 --> 00:31:36,200
for a fact that whenever a driver got an

673
00:31:34,160 --> 00:31:39,500
alert they would still look at the road

674
00:31:36,200 --> 00:31:42,230
this entire attack wouldn't work okay so

675
00:31:39,500 --> 00:31:44,450
as always it's a like security people

676
00:31:42,230 --> 00:31:46,910
like to say the technology is ok it's

677
00:31:44,450 --> 00:31:50,810
the human right so this is just an

678
00:31:46,910 --> 00:31:54,170
example no that was the research and

679
00:31:50,810 --> 00:31:58,129
here comes the message ok it's doable

680
00:31:54,170 --> 00:32:00,200
yes it's a little bit far-fetched but

681
00:31:58,130 --> 00:32:02,900
imagine if that thing actually works

682
00:32:00,200 --> 00:32:05,150
then people might you know get hurt a

683
00:32:02,900 --> 00:32:07,700
car crash inside the tunnel that's a

684
00:32:05,150 --> 00:32:10,010
serious thing so it's doable and it only

685
00:32:07,700 --> 00:32:12,590
needs to happen once imagine it just

686
00:32:10,010 --> 00:32:15,590
happened and someone is calling one of

687
00:32:12,590 --> 00:32:17,629
the car makers and says I did that I

688
00:32:15,590 --> 00:32:19,520
want 3 bitcoins by tomorrow or it

689
00:32:17,630 --> 00:32:21,200
happens again who knows

690
00:32:19,520 --> 00:32:24,080
maybe they're lying maybe they're not

691
00:32:21,200 --> 00:32:28,840
lying right so it's doable this is not

692
00:32:24,080 --> 00:32:32,330
something to be disregarded as hackers

693
00:32:28,840 --> 00:32:35,510
we know that where there's a will

694
00:32:32,330 --> 00:32:37,730
there's a way if I want to find a way to

695
00:32:35,510 --> 00:32:39,830
make something malicious I will find it

696
00:32:37,730 --> 00:32:41,330
and this is why our starting point was

697
00:32:39,830 --> 00:32:43,730
the fact that everybody else thought

698
00:32:41,330 --> 00:32:45,649
that this was harmless this is sort of a

699
00:32:43,730 --> 00:32:47,750
challenge accepted because when

700
00:32:45,650 --> 00:32:50,630
something is harmless then you already

701
00:32:47,750 --> 00:32:53,210
predict that there are not going to be

702
00:32:50,630 --> 00:32:55,160
any mitigations so if you find a way to

703
00:32:53,210 --> 00:32:57,320
do something the chances of creating

704
00:32:55,160 --> 00:32:57,920
damage are larger because no one was

705
00:32:57,320 --> 00:33:01,730
even prepared

706
00:32:57,920 --> 00:33:03,860
for that right and we changed that

707
00:33:01,730 --> 00:33:07,880
saying a little bit to say where there's

708
00:33:03,860 --> 00:33:09,889
malice malice is bad intention okay where

709
00:33:07,880 --> 00:33:11,900
there's malice there's a way when the

710
00:33:09,890 --> 00:33:13,820
bad guys decide that they want to attack

711
00:33:11,900 --> 00:33:16,460
something they will invest the time

712
00:33:13,820 --> 00:33:18,260
money effort whatever and find a way to

713
00:33:16,460 --> 00:33:21,320
attack so we should never underestimate

714
00:33:18,260 --> 00:33:23,360
the ability of other people to find

715
00:33:21,320 --> 00:33:25,700
things that we have not found and this

716
00:33:23,360 --> 00:33:27,379
applies to all of us as researchers if

717
00:33:25,700 --> 00:33:29,180
we didn't find the answer it doesn't

718
00:33:27,380 --> 00:33:31,550
mean it's not there if we perform the

719
00:33:29,180 --> 00:33:32,870
pen test it does not mean that we found

720
00:33:31,550 --> 00:33:34,430
everything somebody else could find

721
00:33:32,870 --> 00:33:38,060
something that we did okay so remember

722
00:33:34,430 --> 00:33:41,000
that and as someone that I sometimes

723
00:33:38,060 --> 00:33:43,700
meet over the conference calls of the

724
00:33:41,000 --> 00:33:46,780
SAE he said it's also the other way

725
00:33:43,700 --> 00:33:49,760
around if there's a way to do it

726
00:33:46,780 --> 00:33:51,440
someone will be malicious because that's

727
00:33:49,760 --> 00:33:53,600
how the world works okay because of the

728
00:33:51,440 --> 00:33:55,970
incentives the criminals have or just

729
00:33:53,600 --> 00:33:58,550
script kiddies whatever someone will

730
00:33:55,970 --> 00:34:00,440
always be pardon my french the asshole

731
00:33:58,550 --> 00:34:02,270
who wants to ruin the party for

732
00:34:00,440 --> 00:34:04,820
everybody else so never assume that

733
00:34:02,270 --> 00:34:07,370
everybody is a good person and maybe the

734
00:34:04,820 --> 00:34:11,080
most important lesson here is that scale

735
00:34:07,370 --> 00:34:14,810
matters if you look at a single car okay

736
00:34:11,080 --> 00:34:18,440
this behavior is by design low tire

737
00:34:14,810 --> 00:34:20,540
pressure sounds an alert and makes some

738
00:34:18,440 --> 00:34:23,540
notification on the dashboard that's

739
00:34:20,540 --> 00:34:26,000
expected you can't say hey this is wrong

740
00:34:23,540 --> 00:34:30,020
this is expected behavior and the risk

741
00:34:26,000 --> 00:34:32,659
indeed is meaningless the worst that can

742
00:34:30,020 --> 00:34:34,250
happen is maybe you pull over and

743
00:34:32,659 --> 00:34:35,000
discover that you don't actually have a

744
00:34:34,250 --> 00:34:38,630
flat tire

745
00:34:35,000 --> 00:34:40,610
but when you do that it's scale all of a

746
00:34:38,630 --> 00:34:43,010
sudden the threat and risk assessment

747
00:34:40,610 --> 00:34:44,990
change all of a sudden something that

748
00:34:43,010 --> 00:34:48,410
was insignificant before becomes

749
00:34:44,989 --> 00:34:50,899
significant now so when you do threat

750
00:34:48,409 --> 00:34:52,909
analysis and risk assessment you need to

751
00:34:50,900 --> 00:34:54,950
be aware of the fact that maybe what

752
00:34:52,909 --> 00:34:57,080
you're looking at doesn't mean much when

753
00:34:54,949 --> 00:34:59,089
it's one system well what happens if

754
00:34:57,080 --> 00:35:02,090
it's done on many systems at the same

755
00:34:59,090 --> 00:35:05,210
time or sequentially scale matters scale

756
00:35:02,090 --> 00:35:07,430
changes the risk score of this

757
00:35:05,210 --> 00:35:09,920
particular scenario significantly

758
00:35:07,430 --> 00:35:11,529
because we could theoretically cause a

759
00:35:09,920 --> 00:35:14,770
car

760
00:35:11,530 --> 00:35:17,030
failure we come from Israel in Israel

761
00:35:14,770 --> 00:35:19,790
failure is part of the learning process

762
00:35:17,030 --> 00:35:20,270
some cultures in other places around the

763
00:35:19,790 --> 00:35:23,570
world

764
00:35:20,270 --> 00:35:25,759
don't encourage failure in fact some of

765
00:35:23,570 --> 00:35:28,520
them even discouraging but we are

766
00:35:25,760 --> 00:35:30,800
researchers research is about failing

767
00:35:28,520 --> 00:35:33,560
many times people will stand on stage

768
00:35:30,800 --> 00:35:36,020
and show you what they did amazing stuff

769
00:35:33,560 --> 00:35:38,600
best research ever but they don't tell

770
00:35:36,020 --> 00:35:40,430
you how they got there what they tried

771
00:35:38,600 --> 00:35:42,040
that worked what they tried that didn't

772
00:35:40,430 --> 00:35:44,629
work what was their thought process

773
00:35:42,040 --> 00:35:47,450
learning from what other people did is

774
00:35:44,630 --> 00:35:49,730
like doing copy and paste from you know

775
00:35:47,450 --> 00:35:51,350
all the websites with the solutions but

776
00:35:49,730 --> 00:35:53,240
learning somebody's thought process

777
00:35:51,350 --> 00:35:55,520
teaches you a lot more so you need to

778
00:35:53,240 --> 00:35:58,250
teach others as well failure is okay

779
00:35:55,520 --> 00:36:00,380
because I think it was Mark Twain who

780
00:35:58,250 --> 00:36:02,780
said I failed all the way to success

781
00:36:00,380 --> 00:36:06,710
okay and if you haven't watched this

782
00:36:02,780 --> 00:36:08,810
talk Ange Albertini a very appreciated

783
00:36:06,710 --> 00:36:12,080
researcher gave a talk two years ago

784
00:36:08,810 --> 00:36:14,360
just about this success and failure in

785
00:36:12,080 --> 00:36:16,549
the infosec so look look it up it's

786
00:36:14,360 --> 00:36:18,020
probably on their YouTube and it's

787
00:36:16,550 --> 00:36:20,300
really it's part of the process you have

788
00:36:18,020 --> 00:36:21,710
to accept that and if you fail do not

789
00:36:20,300 --> 00:36:23,990
give up it's part of the process

790
00:36:21,710 --> 00:36:25,820
document it continue researching and

791
00:36:23,990 --> 00:36:27,709
then help others

792
00:36:25,820 --> 00:36:29,200
thank you I think we have time for

793
00:36:27,710 --> 00:36:34,030
questions right

794
00:36:29,200 --> 00:36:34,029
[Applause]

795
00:36:35,360 --> 00:36:41,640
yes we do have time for questions and

796
00:36:38,460 --> 00:36:46,280
heads are proper God mic mics are coming

797
00:36:41,640 --> 00:36:48,810
to you just let's start anywhere

798
00:36:46,280 --> 00:36:50,850
shouldn't the car like automatically

799
00:36:48,810 --> 00:36:52,710
correct itself is that you send that

800
00:36:50,850 --> 00:36:56,130
that you send a message that the tires

801
00:36:52,710 --> 00:36:57,930
are deflated but you know the sensors

802
00:36:56,130 --> 00:36:59,790
send the message that the tires are not

803
00:36:57,930 --> 00:37:02,669
deflated so the car should automatically

804
00:36:59,790 --> 00:37:07,440
correct for the erroneous behavior that

805
00:37:02,670 --> 00:37:10,910
you introduced but a single car is a

806
00:37:07,440 --> 00:37:14,130
single case in the case of a single car

807
00:37:10,910 --> 00:37:17,399
nothing is wrong here and as I say this

808
00:37:14,130 --> 00:37:19,410
is expected behavior by design when the

809
00:37:17,400 --> 00:37:21,180
tire pressure goes down then an alert

810
00:37:19,410 --> 00:37:23,970
happens if you discover that the tire

811
00:37:21,180 --> 00:37:26,069
pressure is back up for instance if I

812
00:37:23,970 --> 00:37:29,250
spoof the message and I got the alert

813
00:37:26,070 --> 00:37:31,800
but you continue driving and then 20 or

814
00:37:29,250 --> 00:37:34,080
30 or 60 seconds later the real signal

815
00:37:31,800 --> 00:37:37,680
is transmitted then the alert goes away

816
00:37:34,080 --> 00:37:39,840
it's very simple alert display alert

817
00:37:37,680 --> 00:37:43,290
display the problem is its scale and

818
00:37:39,840 --> 00:37:45,870
until we have a good vehicle to vehicle

819
00:37:43,290 --> 00:37:47,370
infrastructure working then you can't

820
00:37:45,870 --> 00:37:49,440
take that into consideration there's

821
00:37:47,370 --> 00:37:53,850
very little you can do this is expected

822
00:37:49,440 --> 00:37:56,030
behavior did I answer all right anybody

823
00:37:53,850 --> 00:37:56,029
else

824
00:37:58,580 --> 00:38:01,370
yeah we're also gonna look at the back

825
00:38:00,200 --> 00:38:04,160
because it's always the people in the

826
00:38:01,370 --> 00:38:05,420
back that don't know you ask me we have

827
00:38:04,160 --> 00:38:14,899
another microphone for the people in the

828
00:38:05,420 --> 00:38:16,960
back hello thank you for presentation

829
00:38:14,900 --> 00:38:19,250
what carmakers

830
00:38:16,960 --> 00:38:24,820
meeting how how much are matters

831
00:38:19,250 --> 00:38:28,130
mitigated it that that risk

832
00:38:24,820 --> 00:38:30,260
well actually carmakers have some other

833
00:38:28,130 --> 00:38:32,750
concerns besides the security concerns

834
00:38:30,260 --> 00:38:34,040
so one of the things that TPMS sensors

835
00:38:32,750 --> 00:38:35,960
have they require a lot of maintenance

836
00:38:34,040 --> 00:38:38,870
if you want to replace a tire that is

837
00:38:35,960 --> 00:38:41,030
broken you need to there is like a whole

838
00:38:38,870 --> 00:38:44,600
process of scanning the new tire

839
00:38:41,030 --> 00:38:46,790
updating the the software on the ECU in

840
00:38:44,600 --> 00:38:49,339
the vehicle are in order for it to be

841
00:38:46,790 --> 00:38:51,200
able to transmit and receive so

842
00:38:49,340 --> 00:38:55,690
basically they are already looking for

843
00:38:51,200 --> 00:38:59,359
ways to avoid using IDs such as

844
00:38:55,690 --> 00:39:01,400
automatic recognition of the sensors in

845
00:38:59,360 --> 00:39:04,130
the vehicle and also relying on other

846
00:39:01,400 --> 00:39:07,490
sensors in the vehicle in order to

847
00:39:04,130 --> 00:39:10,610
determine whether the the tire is really

848
00:39:07,490 --> 00:39:12,500
in play deflated or not so we assume

849
00:39:10,610 --> 00:39:13,730
that in the future this will be solved

850
00:39:12,500 --> 00:39:16,550
not because of security concerns

851
00:39:13,730 --> 00:39:19,310
thoroughly but also because of a lot of

852
00:39:16,550 --> 00:39:20,810
maintenance concerns as well and of

853
00:39:19,310 --> 00:39:22,580
course we hope that they know the

854
00:39:20,810 --> 00:39:25,090
correlation with other sensors as we

855
00:39:22,580 --> 00:39:30,380
will suggested don't you consider that

856
00:39:25,090 --> 00:39:32,060
the car is over alerting the driver so

857
00:39:30,380 --> 00:39:36,290
one of the things that you hear now on

858
00:39:32,060 --> 00:39:38,750
the SAE meetings is that driver

859
00:39:36,290 --> 00:39:40,610
distraction is beginning to be taken

860
00:39:38,750 --> 00:39:43,730
into consideration both in terms of

861
00:39:40,610 --> 00:39:45,830
security and safety the industry is

862
00:39:43,730 --> 00:39:48,170
mostly interested in safety because you

863
00:39:45,830 --> 00:39:49,880
sell somebody a car they need to get

864
00:39:48,170 --> 00:39:57,830
where they need to get but it's very

865
00:39:49,880 --> 00:40:00,500
unsafe to alert the driver as I said

866
00:39:57,830 --> 00:40:03,319
this is an expected behavior if you have

867
00:40:00,500 --> 00:40:05,360
a flat tire that has implications you

868
00:40:03,320 --> 00:40:06,800
want to know so if they correlate it

869
00:40:05,360 --> 00:40:08,540
with other sensors it's going to be

870
00:40:06,800 --> 00:40:09,980
better or maybe they come up with a

871
00:40:08,540 --> 00:40:11,590
solution that we didn't think of we

872
00:40:09,980 --> 00:40:13,450
don't pretend to have all

873
00:40:11,590 --> 00:40:19,210
thank you there was somebody else at the

874
00:40:13,450 --> 00:40:23,350
back also we're gonna be outside if you

875
00:40:19,210 --> 00:40:26,620
need to ask us more things hello so I

876
00:40:23,350 --> 00:40:33,580
was wondering where are you over there

877
00:40:26,620 --> 00:40:35,620
okay other sensors but each tire will

878
00:40:33,580 --> 00:40:37,569
actually send its own data

879
00:40:35,620 --> 00:40:40,509
besides the data that you are sending

880
00:40:37,570 --> 00:40:42,730
the fake data so wouldn't it be simpler

881
00:40:40,510 --> 00:40:46,450
to just count the number of occurrences

882
00:40:42,730 --> 00:40:50,230
and don't display any alert if you get

883
00:40:46,450 --> 00:40:52,270
different information from the same tire

884
00:40:50,230 --> 00:40:54,670
actually it's like it's the other way

885
00:40:52,270 --> 00:40:57,220
around actually in this case the the

886
00:40:54,670 --> 00:40:59,620
spoofing transmission was pretty

887
00:40:57,220 --> 00:41:01,529
persistent it took us actually a few

888
00:40:59,620 --> 00:41:04,720
seconds as also like driving the car

889
00:41:01,530 --> 00:41:06,820
accelerating and braking in order for it

890
00:41:04,720 --> 00:41:10,299
to retransmit the correct signal again

891
00:41:06,820 --> 00:41:12,400
so that tire doesn't send its own signal

892
00:41:10,300 --> 00:41:14,830
in the meantime the tire does send its

893
00:41:12,400 --> 00:41:16,510
sensors but because of the way I mean

894
00:41:14,830 --> 00:41:19,330
eventually those tires run on

895
00:41:16,510 --> 00:41:22,540
batteries right so in order to save

896
00:41:19,330 --> 00:41:25,029
battery life they don't transmit all the

897
00:41:22,540 --> 00:41:27,580
time they transmit sometimes once a

898
00:41:25,030 --> 00:41:30,700
minute and sometimes they only transmit

899
00:41:27,580 --> 00:41:35,920
when you accelerate pretty quickly or if

900
00:41:30,700 --> 00:41:38,529
you brake pretty quickly and and this is

901
00:41:35,920 --> 00:41:41,170
something that we took as an advantage

902
00:41:38,530 --> 00:41:43,720
for the spoofing attack so eventually

903
00:41:41,170 --> 00:41:46,750
what happened here in the video is that

904
00:41:43,720 --> 00:41:49,720
once we sent the spoofed message and the

905
00:41:46,750 --> 00:41:53,440
and the tire the low tire pressure alarm

906
00:41:49,720 --> 00:41:56,020
turned on we took a few good seconds

907
00:41:53,440 --> 00:41:58,510
before the vehicle got an update

908
00:41:56,020 --> 00:42:00,670
transmission from the tires and again

909
00:41:58,510 --> 00:42:02,710
this is for to save battery having said

910
00:42:00,670 --> 00:42:04,960
all that by the way anomaly detection is

911
00:42:02,710 --> 00:42:07,120
one of the ideas but it's easier said

912
00:42:04,960 --> 00:42:10,800
than done it is though

913
00:42:07,120 --> 00:42:14,440
one of the ideas that was someone here

914
00:42:10,800 --> 00:42:17,260
microphone yes so mike is coming to you

915
00:42:14,440 --> 00:42:17,980
yeah keep your hands up so we can see

916
00:42:17,260 --> 00:42:21,250
cool

917
00:42:17,980 --> 00:42:23,680
hey and I don't mean to put you guys

918
00:42:21,250 --> 00:42:25,839
down other celebre have you guys

919
00:42:23,680 --> 00:42:28,919
considered a Barbra Streisand effect and

920
00:42:25,839 --> 00:42:31,000
that you mentioned that basically you

921
00:42:28,920 --> 00:42:32,530
offering solutions on mitigation is

922
00:42:31,000 --> 00:42:35,290
important but have you reached out to

923
00:42:32,530 --> 00:42:37,390
any vendors or any entities to basically

924
00:42:35,290 --> 00:42:39,160
say I could probably use this as an

925
00:42:37,390 --> 00:42:42,400
assassination attempt for like officials

926
00:42:39,160 --> 00:42:45,609
or like on a motorcade or something on a

927
00:42:42,400 --> 00:42:47,619
highway over like a 30% success rate in

928
00:42:45,609 --> 00:42:49,089
that to like put it into context where

929
00:42:47,619 --> 00:42:51,280
it could have the most damage or the

930
00:42:49,089 --> 00:42:53,770
most efficiency or have you tried

931
00:42:51,280 --> 00:42:55,869
contacting any vendors that particularly

932
00:42:53,770 --> 00:42:57,759
you make these to say this is how it

933
00:42:55,869 --> 00:42:59,200
could be released officials that say

934
00:42:57,760 --> 00:43:02,200
this is what the worst-case scenario

935
00:42:59,200 --> 00:43:04,960
would be for you guys so I'll answer in

936
00:43:02,200 --> 00:43:07,569
parts as I mentioned before we're on the

937
00:43:04,960 --> 00:43:09,130
one of the conference calls of the SAE

938
00:43:07,569 --> 00:43:11,220
where people from the entire industry

939
00:43:09,130 --> 00:43:14,079
are there we discussed this and

940
00:43:11,220 --> 00:43:16,149
presented our theme

941
00:43:14,079 --> 00:43:19,599
please remember the point of this

942
00:43:16,150 --> 00:43:22,420
research is not the actual scenario of

943
00:43:19,599 --> 00:43:24,819
the TPMS the important thing here is

944
00:43:22,420 --> 00:43:26,500
that when you do risk analysis in threat

945
00:43:24,819 --> 00:43:29,259
assessment or threat analysis and risk

946
00:43:26,500 --> 00:43:32,230
assessment scale matters so now you need

947
00:43:29,260 --> 00:43:34,839
to reconsider the risks and are the risk

948
00:43:32,230 --> 00:43:37,300
score for something that looks riskless

949
00:43:34,839 --> 00:43:39,400
now but might look different if you put

950
00:43:37,300 --> 00:43:42,040
it in a scale actually you were talking

951
00:43:39,400 --> 00:43:44,800
about assassination of seniors they have

952
00:43:42,040 --> 00:43:48,099
their own you know I forgot the word for

953
00:43:44,800 --> 00:43:50,800
that but no no they have it's like three

954
00:43:48,099 --> 00:43:52,930
cars there's nothing yeah motorcade that

955
00:43:50,800 --> 00:43:55,060
there's no one to crash with and I'm

956
00:43:52,930 --> 00:43:57,430
pretty sure their drivers are much

957
00:43:55,060 --> 00:44:00,099
better than any of us so that is not

958
00:43:57,430 --> 00:44:01,810
really a scenario which is true but

959
00:44:00,099 --> 00:44:04,210
they're so human so they're still gonna

960
00:44:01,810 --> 00:44:08,828
have human reactions like an alert yes

961
00:44:04,210 --> 00:44:11,079
but it's it's really far fetched and yes

962
00:44:08,829 --> 00:44:13,150
there is a chance that this will be

963
00:44:11,079 --> 00:44:14,829
performed but that is something that you

964
00:44:13,150 --> 00:44:18,160
can say about pretty much all the

965
00:44:14,829 --> 00:44:21,010
research we do all of us who disclose

966
00:44:18,160 --> 00:44:24,040
problems or talk about risks you never

967
00:44:21,010 --> 00:44:25,260
know whether you predict the future or

968
00:44:24,040 --> 00:44:27,480
create the future

969
00:44:25,260 --> 00:44:29,760
right because maybe some of you are

970
00:44:27,480 --> 00:44:32,040
black hats I don't know that's possible

971
00:44:29,760 --> 00:44:34,710
it's always a risk but this is so

972
00:44:32,040 --> 00:44:37,710
far-fetched yet possible that we felt

973
00:44:34,710 --> 00:44:41,670
comfortable to display that talked to

974
00:44:37,710 --> 00:44:43,710
the vendors over the the industry over

975
00:44:41,670 --> 00:44:46,440
other channels and they all agreed that

976
00:44:43,710 --> 00:44:50,340
while this is an acceptable behavior

977
00:44:46,440 --> 00:44:56,490
they need to reconsider threat analysis

978
00:44:50,340 --> 00:44:59,550
at scale thank you about three more

979
00:44:56,490 --> 00:45:08,850
questions alright somebody here

980
00:44:59,550 --> 00:45:10,350
frontline microphone over here or you

981
00:45:08,850 --> 00:45:11,640
could shout and we could repeat the

982
00:45:10,350 --> 00:45:13,740
question yes

983
00:45:11,640 --> 00:45:16,250
the spoofing test that you've done in

984
00:45:13,740 --> 00:45:19,259
the parking lot was done with a

985
00:45:16,250 --> 00:45:21,690
predefined transmitting package or did

986
00:45:19,260 --> 00:45:23,670
you intercept and if you received some

987
00:45:21,690 --> 00:45:26,760
packets from the car and then change it

988
00:45:23,670 --> 00:45:30,030
and send it back so we we did the entire

989
00:45:26,760 --> 00:45:32,250
intercept the entire process of

990
00:45:30,030 --> 00:45:35,880
intercepting rebuilding and transmitting

991
00:45:32,250 --> 00:45:37,200
it was divided into two steps so we

992
00:45:35,880 --> 00:45:39,359
didn't actually make the entire thing

993
00:45:37,200 --> 00:45:41,368
online and indeed it's a it's a

994
00:45:39,359 --> 00:45:43,710
researching process so we still need to

995
00:45:41,369 --> 00:45:47,010
as we said before stealing to take care

996
00:45:43,710 --> 00:45:49,859
of the synchronization so you've sent a

997
00:45:47,010 --> 00:45:52,920
predefined package so it was in the

998
00:45:49,859 --> 00:45:55,529
blind yes it wasn't entirely predefined

999
00:45:52,920 --> 00:45:57,600
we were building the package through the

1000
00:45:55,530 --> 00:45:59,820
script where you you chose the pressure

1001
00:45:57,600 --> 00:46:02,279
and the packet was being built and sent

1002
00:45:59,820 --> 00:46:03,780
the CRC was being calculated the reason

1003
00:46:02,280 --> 00:46:05,670
we didn't do what you asked about is

1004
00:46:03,780 --> 00:46:07,160
because we were doing our experiments at

1005
00:46:05,670 --> 00:46:10,230
a parking lot and as we said before

1006
00:46:07,160 --> 00:46:12,690
sometimes the TPMS will transmit every

1007
00:46:10,230 --> 00:46:14,850
60 seconds so you can't drive around for

1008
00:46:12,690 --> 00:46:17,760
60 seconds waiting for that that's not

1009
00:46:14,850 --> 00:46:19,920
part of a research so we recorded the

1010
00:46:17,760 --> 00:46:23,369
message at one opportunity and then at

1011
00:46:19,920 --> 00:46:26,420
runtime modified it recalculated the CRC

1012
00:46:23,369 --> 00:46:29,160
and transmitted it so it's not really

1013
00:46:26,420 --> 00:46:32,609
it's a lab setup basically it's the man

1014
00:46:29,160 --> 00:46:33,609
in the middle it's you know you can do

1015
00:46:32,609 --> 00:46:36,310
you can do

1016
00:46:33,610 --> 00:46:39,790
tire process in their parking lot you

1017
00:46:36,310 --> 00:46:42,430
just don't have enough for the car to

1018
00:46:39,790 --> 00:46:44,440
drive enough time for it for you to

1019
00:46:42,430 --> 00:46:46,660
record it because of the frequency of

1020
00:46:44,440 --> 00:46:48,970
transmissions and then send it you just

1021
00:46:46,660 --> 00:46:52,240
don't have enough enough length that was

1022
00:46:48,970 --> 00:46:55,029
an extra like what we did still proved

1023
00:46:52,240 --> 00:47:02,169
the research okay thank you

1024
00:46:55,030 --> 00:47:03,460
anybody else somebody here with have we

1025
00:47:02,170 --> 00:47:07,060
considered the implications on

1026
00:47:03,460 --> 00:47:10,690
autonomous driving we haven't yet this

1027
00:47:07,060 --> 00:47:12,730
is pretty much the same question of how

1028
00:47:10,690 --> 00:47:15,220
to analyze signals that you're getting

1029
00:47:12,730 --> 00:47:19,000
from sensors whether you do anomaly

1030
00:47:15,220 --> 00:47:21,189
detection whether you correlate them I'm

1031
00:47:19,000 --> 00:47:23,770
assuming it's hard to tell that I'm

1032
00:47:21,190 --> 00:47:25,930
assuming that car vendors that make

1033
00:47:23,770 --> 00:47:28,660
autonomous vehicles that watch this talk

1034
00:47:25,930 --> 00:47:31,180
or are part of this discussion that we

1035
00:47:28,660 --> 00:47:33,299
have on the conference call will know to

1036
00:47:31,180 --> 00:47:36,160
take this into consideration because

1037
00:47:33,300 --> 00:47:38,230
this is a particular case of a false

1038
00:47:36,160 --> 00:47:40,089
signal but when you start talking

1039
00:47:38,230 --> 00:47:42,370
vehicle to vehicle then it's also a

1040
00:47:40,090 --> 00:47:44,410
trust problem do I trust

1041
00:47:42,370 --> 00:47:45,850
lassies car if they're telling me that

1042
00:47:44,410 --> 00:47:47,500
they're braking right in front of me

1043
00:47:45,850 --> 00:47:49,990
and they're not then I start braking

1044
00:47:47,500 --> 00:47:52,200
and then they brake so it's it's a trust

1045
00:47:49,990 --> 00:47:56,680
problem that the industry is aware of

1046
00:47:52,200 --> 00:47:57,879
looking into that last one I think yes

1047
00:47:56,680 --> 00:48:04,120
last question

1048
00:47:57,880 --> 00:48:07,060
any hands over there front line hi hi I

1049
00:48:04,120 --> 00:48:10,720
have a question it's not technical it's

1050
00:48:07,060 --> 00:48:13,720
more I don't know an opinion you

1051
00:48:10,720 --> 00:48:17,089
mentioned that car manufacturers don't

1052
00:48:13,720 --> 00:48:19,700
want to invest more in the ink

1053
00:48:17,089 --> 00:48:22,710
encryption part and change the device

1054
00:48:19,700 --> 00:48:25,230
but also you said that manufacturers

1055
00:48:22,710 --> 00:48:30,240
want to increase the safety what's more

1056
00:48:25,230 --> 00:48:32,700
important to them the cost question as I

1057
00:48:30,240 --> 00:48:36,529
said this in the context of a single

1058
00:48:32,700 --> 00:48:40,399
vehicle is expected behavior okay and

1059
00:48:36,530 --> 00:48:43,049
investing now in encrypting the TPMS

1060
00:48:40,400 --> 00:48:45,450
doesn't really solve the problem if you

1061
00:48:43,049 --> 00:48:47,069
can do it in other ways correlating the

1062
00:48:45,450 --> 00:48:50,069
same signal with other senses you

1063
00:48:47,069 --> 00:48:52,619
already have can be done in software so

1064
00:48:50,069 --> 00:48:56,308
why go and invest money and time and

1065
00:48:52,619 --> 00:49:01,349
research into making new hardware the

1066
00:48:56,309 --> 00:49:04,289
same solution can be done in software so

1067
00:49:01,349 --> 00:49:06,539
it's a mitigation it's just not the best

1068
00:49:04,289 --> 00:49:10,140
one or the most suitable or the cheapest

1069
00:49:06,539 --> 00:49:12,539
depending on all right okay cool thank

1070
00:49:10,140 --> 00:49:13,890
you so much for listening to us if you

1071
00:49:12,539 --> 00:49:17,130
have any questions we'll be outside

1072
00:49:13,890 --> 00:49:17,129
[Applause]
