1
00:00:07,050 --> 00:00:13,530
Welcome back to the second half of our car replay attack demo, so we're going to run a real car hack.

2
00:00:13,530 --> 00:00:20,400
We have just recorded some packets from our controller area network using candump. It saved them into

3
00:00:20,400 --> 00:00:22,920
a log file with a long timestamp name.

4
00:00:22,920 --> 00:00:24,240
But it starts with candump.

5
00:00:24,240 --> 00:00:25,260
And that's the important part.

6
00:00:25,440 --> 00:00:30,200
We'll be able to use our tab key to capture that filename and use it.

7
00:00:30,540 --> 00:00:35,240
Now we're going to learn how to use canplayer, the controller area network player.

8
00:00:35,610 --> 00:00:39,810
So our last cool utility from can-utils, candump, will

9
00:00:39,810 --> 00:00:48,690
now let us use the coolest tool, canplayer, to replay, and we just give it a dash I for an input file and

10
00:00:48,690 --> 00:00:54,300
we're going to input that log file over our virtual controller area network.

11
00:00:54,930 --> 00:00:57,990
So let's switch back over to Kali Linux and see this work.

12
00:00:58,590 --> 00:00:59,100
All right.

13
00:00:59,100 --> 00:01:01,620
I still need my IC simulator up and running.

14
00:01:01,620 --> 00:01:06,300
And you notice it's got some traffic on it right now because my controller is still running.

15
00:01:06,630 --> 00:01:09,720
We will show the controller going away in just a second.

16
00:01:10,080 --> 00:01:15,240
But I'm going to replay by using canplayer one more quick time.

17
00:01:16,680 --> 00:01:17,670
Let's do ls.

18
00:01:17,670 --> 00:01:23,340
And we see that we do have a log file that was created automatically for us when we did candump space,

19
00:01:23,610 --> 00:01:26,760
dash l for logging on vcan0.

20
00:01:26,760 --> 00:01:27,990
That was our previous command.

21
00:01:29,340 --> 00:01:34,680
So you can see that command right there by hitting your up arrow a couple of times. Now we are going to

22
00:01:34,680 --> 00:01:40,500
use canplayer and use the input file, dash capital

23
00:01:40,500 --> 00:01:49,620
I, can, and just stop with cand and hit tab, and you notice it picks up that log file, and then

24
00:01:49,620 --> 00:01:52,740
vcan0. Line wrapped around a little bit there.

25
00:01:53,400 --> 00:01:54,960
Oh, and we got an error here.

26
00:01:55,710 --> 00:02:00,750
If you specify the network you have to say can0 equals vcan0.

27
00:02:00,960 --> 00:02:03,960
In this case we want to replay over the same network.

28
00:02:03,960 --> 00:02:08,550
So I will modify that in the PDF that I give you.

29
00:02:08,550 --> 00:02:09,810
We're just going to run canplayer dash

30
00:02:10,050 --> 00:02:14,820
I candump, and it will rerun on can0, on vcan0.

31
00:02:14,820 --> 00:02:17,280
Or we could say vcan0 equals vcan0.

32
00:02:17,550 --> 00:02:25,380
I'm just going to say canplayer dash I candump, and now what canplayer is going to do is replay

33
00:02:25,380 --> 00:02:26,730
on this controller area network.

34
00:02:26,730 --> 00:02:33,270
Well, I still have this other controller over here, so if I kill it, notice no one's in control of

35
00:02:33,270 --> 00:02:34,320
my vehicle right now.

36
00:02:34,320 --> 00:02:36,000
It's being replayed from a file.

37
00:02:38,320 --> 00:02:39,820
So my doors are unlocking.

38
00:02:43,530 --> 00:02:47,580
You can see I'm running almost 100 miles per hour as my doors just locked again.

39
00:02:50,330 --> 00:02:52,190
My turn signals are coming on.

40
00:02:54,480 --> 00:03:00,180
And no one is touching the steering wheel, no one's touching the controls for this car. I'm actually

41
00:03:00,180 --> 00:03:03,510
replaying a canplayer file.

42
00:03:07,060 --> 00:03:08,480
Wow, very cool.

43
00:03:08,500 --> 00:03:12,580
We're turning left and right, you'll see a slow down a little bit here.

44
00:03:13,150 --> 00:03:14,840
Let's go back and do just a little bit of review.

45
00:03:14,860 --> 00:03:15,270
Wow.

46
00:03:15,280 --> 00:03:16,650
So you remember we slowed down.

47
00:03:16,660 --> 00:03:18,880
We turned on the signal, we accelerated again.

48
00:03:19,270 --> 00:03:20,970
We can lock and unlock those doors.

49
00:03:20,980 --> 00:03:23,080
You see that all happening hands-free.

50
00:03:23,090 --> 00:03:24,400
I'm not touching the keyboard.

51
00:03:24,700 --> 00:03:27,370
Everything is happening from that log file.

52
00:03:27,670 --> 00:03:29,100
So we just canplayer dash

53
00:03:29,110 --> 00:03:31,870
I candump twenty seventeen to seven actually.

54
00:03:31,910 --> 00:03:32,170
Team.

55
00:03:32,390 --> 00:03:35,740
Well, we just had to say cand tab.

56
00:03:36,040 --> 00:03:41,920
So cand tab gave us that candump file, and notice my car is stuck going that speed.

57
00:03:42,190 --> 00:03:51,130
I can rerun it again and it'll take it back down to zero, raise it back up and we'll lock and unlock

58
00:03:51,130 --> 00:03:53,950
all the doors, turn on the blinkers. Any time

59
00:03:53,950 --> 00:03:59,680
I want to affect my virtual car in the same way I did before,

60
00:03:59,680 --> 00:04:01,240
all I have to do is replay this.

61
00:04:01,600 --> 00:04:07,780
Well, you would probably want to use this in an actual attack in your own car if you wanted to test

62
00:04:07,780 --> 00:04:10,540
your car security just by doing one thing at a time.

63
00:04:10,540 --> 00:04:17,380
So turn on candump and turn on the right blinker and then turn off candump and then turn off your

64
00:04:17,380 --> 00:04:24,310
blinker, your turn signal, then run canplayer and see if your turn signal turns on.

65
00:04:25,150 --> 00:04:30,910
And then the same thing for the accelerator and steering left and right and everything else that we

66
00:04:30,910 --> 00:04:36,040
can do in a car, unlocking and locking doors, turning on the stereo, the air conditioning, and then

67
00:04:36,040 --> 00:04:42,340
listen back by replaying that attack and see if it actually has the same effect.

68
00:04:43,000 --> 00:04:49,540
There are lots of ways you could use this canplayer routine with the candump and canplayer, the can

69
00:04:49,540 --> 00:04:59,650
play, the car or controller area network replay attack, to test the security of your own car or to actually

70
00:04:59,650 --> 00:05:02,220
inject packets into a car if you needed to do so.

71
00:05:02,560 --> 00:05:07,060
So if your car is having trouble so you can't unlock your doors anymore, something's wrong with the

72
00:05:07,060 --> 00:05:07,570
door lock.

73
00:05:07,840 --> 00:05:12,190
You can actually use canplayer to find out what the packet is that you would send to unlock your

74
00:05:12,190 --> 00:05:19,660
doors or go to somebody else with the same vehicle and replay that anytime you want to be able to lock

75
00:05:19,660 --> 00:05:20,680
and unlock your doors.

76
00:05:21,670 --> 00:05:29,440
I've actually seen people lose the ability to use their power windows, but if you can use the CAN network

77
00:05:29,440 --> 00:05:35,230
and it allows you to inject it back in, you can roll your windows down using your computer.

78
00:05:35,500 --> 00:05:39,610
That may not be the most practical, but it's very cool to be able to do so when you need to.

79
00:05:39,850 --> 00:05:43,890
It's also great to be able to just read messages from your car so you can tell when something's wrong.

80
00:05:44,290 --> 00:05:51,820
So what we've seen how to do here is take a candump, or a packet capture, a log file of our controller

81
00:05:51,820 --> 00:05:55,270
area network traffic, and then replay it using canplayer

82
00:05:58,150 --> 00:06:08,110
to replay all of those controller area network messages on a real simulated car here, a virtual controller

83
00:06:08,110 --> 00:06:09,010
area network.

84
00:06:09,310 --> 00:06:15,550
If you've got a control cable, you can run this and try it with your own vehicle, but do so only if

85
00:06:15,550 --> 00:06:23,620
it is your vehicle and if you're OK fixing something if you break it. Remember, it is relatively safe

86
00:06:23,620 --> 00:06:28,030
to play with things on your controller network, but you don't ever want to do this

87
00:06:28,030 --> 00:06:34,750
if your only transportation is that one vehicle and you don't have some money saved up for repairs

88
00:06:34,750 --> 00:06:39,250
in case anything goes wrong. I have some money saved up for repairs.

89
00:06:39,520 --> 00:06:46,090
So I actually used my car in our National Cyber Warrior Academy camp here on the University of Georgia's

90
00:06:46,090 --> 00:06:47,080
Dahlonega campus.

91
00:06:47,380 --> 00:06:54,670
And I'm going to provide a quick look at the link to the Facebook video as a little bonus after our

92
00:06:54,670 --> 00:06:55,180
review.

93
00:06:55,180 --> 00:06:59,680
So we'll do a quick review next with a couple of the changes that we picked up here, like removing

94
00:06:59,680 --> 00:07:01,510
the vcan0 for canplayer.

95
00:07:02,020 --> 00:07:07,150
We can either say vcan0 equals vcan0 because we're replaying over the same port that we recorded

96
00:07:07,390 --> 00:07:12,670
or we can just say canplayer dash I, and the candump file has all of the information about what network

97
00:07:12,670 --> 00:07:13,510
it was played on.

98
00:07:13,810 --> 00:07:15,040
So we're able to replay that.

99
00:07:15,040 --> 00:07:18,850
We'll look at that in the review and then we'll see a little bonus section for fun.