1
00:00:06,990 --> 00:00:14,370
Let's do a quick review and see how we set up this really cool simulated controller area network, the

2
00:00:14,370 --> 00:00:22,450
simulated car network that runs just like a real network in your own automobile. can-utils and ICSim

3
00:00:22,470 --> 00:00:23,700
made the whole thing possible.

4
00:00:23,710 --> 00:00:30,060
We can run a real controller that looks like a PlayStation controller down here to run using either

5
00:00:30,060 --> 00:00:34,350
the keyboard or a real USB controller to drive a virtual car.

6
00:00:34,350 --> 00:00:40,140
And we can see on the instrument cluster simulator, the IC simulator, the speed. We can see the doors

7
00:00:40,140 --> 00:00:40,860
lock and unlock.

8
00:00:40,860 --> 00:00:43,020
We can see the signals turned on and off.

9
00:00:43,260 --> 00:00:48,220
And then we could even see the network packets that came by and we saw how to capture and replay those.

10
00:00:48,600 --> 00:00:50,900
Well, let's go back through how we made that happen.

11
00:00:50,910 --> 00:00:55,900
First of all, we had to install a few dependencies. That meant that there were some libraries that

12
00:00:55,950 --> 00:01:01,320
this package depended on, the libsdl2 and then SDL2 image.

13
00:01:01,620 --> 00:01:04,110
Then we had to get the can-utils.

14
00:01:04,110 --> 00:01:06,300
Those are the controller area network utilities.

15
00:01:06,300 --> 00:01:13,260
That's what let us set up that virtual CAN network, or the vcan0, on our Linux computer.

16
00:01:13,860 --> 00:01:19,830
Then we used GitHub for the first time, so we used Git to grab some really cool open source software

17
00:01:19,830 --> 00:01:20,790
from zombieCraig.

18
00:01:20,790 --> 00:01:22,950
That's Craig Smith and the team at Open Garages.

19
00:01:22,950 --> 00:01:29,640
The ICSim, or the instrument cluster simulator, gives us a controller and a dashboard simulator

20
00:01:29,640 --> 00:01:33,150
to let us drive a virtual car to practice car hacking safely.

21
00:01:33,540 --> 00:01:37,200
Then we didn't have to really compile the ICSim tools using make.

22
00:01:37,380 --> 00:01:44,970
We just could cd in and use the ./controls and the ./icsim folders, files, programs that were already

23
00:01:44,970 --> 00:01:45,330
in there.

24
00:01:45,750 --> 00:01:51,540
But I'm going to record a bonus section that was really popular in our previous two years of the National

25
00:01:51,540 --> 00:01:57,630
Cyber Warriors Academy, where we hack the car hacking software and we'll learn to use make to recompile.

26
00:01:57,630 --> 00:02:00,240
I'll do that right after this review lesson here.

27
00:02:00,540 --> 00:02:08,160
But we are able to do an ls inside the ICSim directory and we saw two new program files, icsim and controls.

28
00:02:08,820 --> 00:02:10,710
Then to start our virtual CAN network.

29
00:02:10,710 --> 00:02:16,110
Any time you restart your computer, you'll have to reload this vcan module into your Linux kernel.

30
00:02:16,380 --> 00:02:21,300
That's with the modprobe vcan, and notice that's just vcan, not vcan0.

31
00:02:21,300 --> 00:02:26,760
There, just vcan, because we're loading the module that lets us do virtual controller area network

32
00:02:27,000 --> 00:02:28,650
simulating on our computer.

33
00:02:28,920 --> 00:02:34,110
Then we used dmesg to make sure that it was actually in the kernel history.

34
00:02:35,160 --> 00:02:36,480
So we displayed those messages.

35
00:02:36,480 --> 00:02:44,460
ip link add dev vcan0 type vcan, that added a new device called vcan0 of type vcan.

36
00:02:44,460 --> 00:02:51,870
So we set up a network and then we turned, or connected to that network, or turned it on by saying ip link

37
00:02:51,870 --> 00:02:55,620
set up vcan0. We were able to run cansniffer, and

38
00:02:55,620 --> 00:02:57,960
in the beginning there was nothing running across that network.

39
00:02:57,960 --> 00:03:04,740
But as soon as we loaded the IC simulator and the controls from our ICSim folder, we were able

40
00:03:04,740 --> 00:03:11,280
to run a real controller area network simulator and see that traffic flow by.

41
00:03:11,550 --> 00:03:17,280
And we could see the packets colored different colors because that actually flag the red ones had changed

42
00:03:17,550 --> 00:03:19,050
and the others are staying the same.

43
00:03:19,290 --> 00:03:24,390
And remember, we had to use ./ because we were running these files locally from that one folder.

44
00:03:24,390 --> 00:03:28,020
We hadn't added this system to our path yet for our shell.

45
00:03:28,650 --> 00:03:31,470
So we were able to do a car replay attack.

46
00:03:31,470 --> 00:03:38,100
That's a very common hack on networks and on devices like cars, even your door locks in your home.

47
00:03:38,100 --> 00:03:42,240
A replay attack is a pretty common way to test your security.

48
00:03:42,240 --> 00:03:47,610
So if you have a Bluetooth lock, you can use a Bluetooth packet sniffer and wireless device or laptop

49
00:03:47,610 --> 00:03:53,850
computer and you can listen to those packets as you press your door key unlock if you have one of those

50
00:03:53,850 --> 00:03:58,080
Bluetooth unlocks or when you send the signal from your cell phone.

51
00:03:58,410 --> 00:04:03,630
So if you're using a Bluetooth sniffer, you can sniff just like we used a CAN sniffer to sniff from

52
00:04:03,630 --> 00:04:04,530
the CAN network.

53
00:04:04,800 --> 00:04:07,590
Then you can replay that and see if it unlocks your front door.

54
00:04:07,770 --> 00:04:12,640
Unfortunately, there are some locks that came out early on that you could do that with.

55
00:04:12,870 --> 00:04:17,790
Same thing for a garage door opener. In the old days, you could just listen using a simple software

56
00:04:17,790 --> 00:04:25,890
defined radio to somebody press their garage door opener, or your car lock and unlock from

57
00:04:25,890 --> 00:04:26,610
your key fob.

58
00:04:26,970 --> 00:04:34,290
And somebody could replay that same signal and unlock a door, open a garage door, etc.

59
00:04:34,440 --> 00:04:37,380
So replay attacks are a really common thing that we like to try.

60
00:04:37,560 --> 00:04:39,210
And in this case, it worked beautifully.

61
00:04:39,210 --> 00:04:41,760
We could do everything that we could do from the candump.

62
00:04:41,760 --> 00:04:48,240
So everything we did while we were capturing those packets and logging them with candump -l on vcan0,

63
00:04:48,240 --> 00:04:54,150
like pressing the accelerator, unlocking the doors, turning the turn lights, the turn signals

64
00:04:54,150 --> 00:04:55,170
on left and right.

65
00:04:55,920 --> 00:05:02,970
All of those things were shown and replayed when we replayed that same packet file on our canplayer.

66
00:05:03,510 --> 00:05:06,250
So when we did candump -l vcan0, it

67
00:05:06,560 --> 00:05:12,770
added this new file, candump-, a long timestamp, .log, and we just had to replay the capture

68
00:05:12,770 --> 00:05:18,650
commands with canplayer space -I for an input file, candump, and notice we didn't have to use

69
00:05:18,650 --> 00:05:22,670
vcan0 there because we were replaying on the same network that we recorded it on.

70
00:05:22,940 --> 00:05:28,640
If you wanted to record from your vcan0 and play out over one of those serial connections to a

71
00:05:28,640 --> 00:05:30,470
car, slcan0.

72
00:05:30,470 --> 00:05:37,730
For example, your serial CAN: if you plug in a real USB-to-CAN device, then you would just say

73
00:05:37,740 --> 00:05:44,330
slcan0=vcan0 so that you can replay what was originally designed or captured on the vcan0

74
00:05:44,330 --> 00:05:45,980
over the serial CAN connection.

75
00:05:46,580 --> 00:05:51,320
Well, these are some exciting hacking tools and it's just scratching the surface of car hacking.

76
00:05:51,590 --> 00:05:56,540
But if you can understand how to do this, you can do some important things to test your own car and

77
00:05:56,720 --> 00:06:01,730
maybe even replay whether you want to be able to unlock your doors even when your door locks are not

78
00:06:01,730 --> 00:06:04,900
working or the control panel on your door is not working.

79
00:06:04,910 --> 00:06:11,180
Roll down your windows, turn on your stereo, try sniffing and do it responsibly, only on a car that

80
00:06:11,180 --> 00:06:11,630
you own.

81
00:06:12,230 --> 00:06:16,610
But like I mentioned, we can capture and replay single events.

82
00:06:16,610 --> 00:06:22,310
So if your car windows stop working all of a sudden, you can try going to a friend's car that has the

83
00:06:22,310 --> 00:06:29,720
same kind of automobile and just capture that signal when you lower the windows and then save that as

84
00:06:29,720 --> 00:06:29,930
one.

85
00:06:29,930 --> 00:06:33,200
To capture that signal when you raise the windows is another.

86
00:06:33,380 --> 00:06:38,510
And you can plug into your controller area network using a 20 to 40 dollar cable and your laptop computer

87
00:06:38,750 --> 00:06:41,390
and you can control your windows once again.

88
00:06:41,750 --> 00:06:44,080
So some really cool things are possible

89
00:06:44,090 --> 00:06:47,990
once you understand how to use this. It won't work on every car the same.

90
00:06:47,990 --> 00:06:54,500
And you do have to capture the traffic so that you can start to understand it, but candump,

91
00:06:54,510 --> 00:06:57,310
canplayer, cansniffer will allow you to do that pretty well.

92
00:06:57,830 --> 00:07:02,450
Now, coming up in this bonus lesson, what I want to do for you is show you a really cool lesson that

93
00:07:02,450 --> 00:07:07,340
we did with our students in 2016 and 2017 for the National Cyber Warriors Academy.

94
00:07:07,730 --> 00:07:11,180
We are going to hack the car hacking software.

95
00:07:11,360 --> 00:07:16,910
We're actually going to remake that icsim file and make some edits so that we can take this speedometer,

96
00:07:16,910 --> 00:07:20,330
instead of just stopping at, I think it stopped at one hundred miles per hour.

97
00:07:20,570 --> 00:07:24,650
We're going to be able to push that all the way up to 300 miles per hour.

98
00:07:24,650 --> 00:07:25,940
We're going to peg it all the way around.

99
00:07:26,270 --> 00:07:27,650
So that was a fun lesson.

100
00:07:27,650 --> 00:07:33,920
Plus, it shows some really cool skills with editing some open source software, editing the C files

101
00:07:33,920 --> 00:07:40,790
that we downloaded from Excel, from GitHub, and then making use of the GNU compiler and the make utility

102
00:07:41,030 --> 00:07:45,890
so that we can remake or recompile our car hacking simulation software.

103
00:07:45,890 --> 00:07:48,710
So we're going to hack the car hacking software.

104
00:07:48,950 --> 00:07:51,680
We'll see that as a bonus lesson coming up next.