Episode Transcript
[00:00:00] Speaker A: You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
[00:00:18] Speaker B: Hey, thank you for listening to the show, guys. I'm excited to have this Kevin on today to talk about all things vehicles. So it's definitely an area outside of my expertise, but it's definitely one that is constantly in the news with all the technology that's going into cars. So, Kevin, thank you for joining us. Why don't you tell us who you are kind of a little bit about your background and what you guys do.
[00:00:38] Speaker C: So my name is Kevin Walter, and I am. I do vehicle security research. A lot of it is on my own. And I have a master's degree in cybersecurity.
One of the things that I did pretty extensively when I was in graduate school is research on vehicles. And I am still doing research myself.
I started my own llc.
Right now it's just sole proprietorship at this point, but that's just a little background on me.
[00:01:15] Speaker B: What kind of things were you researching for when you're going through school and things like that? Kind of dipped your tone to this because I know we talked a little bit offline, but you started out in a completely different field, and you transitioned fairly recently, right, into cyber security. Recently in your career, I mean.
[00:01:34] Speaker C: Yeah. Yeah. So about. About 2020 is when I transitioned into cybersecurity. And so some of the things that I researched into vehicles was things like tire pressure monitor systems.
Also, I had researched the can net boss, which stands for controller area network, and that is the vehicle network and computer system on a vehicle. And typically, this network has about 50 different, what are called electronic control units on it.
And so you can interface with that network by using, it's called an onboard diagnostics tool. So it's OBD two. And that's the standard that is in vehicles from 1996 to the current day. And so it's a. It's a standard that's in every vehicle. Almost every vehicle. Some. Some vehicles, like Tesla's, I believe, don't have that interface, but it is a standard that is in the majority of vehicles today. So that a mechanic can go in there and they can read the computer and see if there's any problems with the vehicle and help themselves diagnose the vehicle. And just a little bit more about my background.
So, yeah, I was. I was actually an independent contractor, transportation contractor, and so I was doing that, that business for several years.
And a certain point, I. I decided to learn to be a mechanic because when I did all the books on. On my business, my biggest expense was on vehicles, obviously, because it's the business I'm in. So I decided to take a couple courses in mechanics. And then I ended up getting a Pennsylvania vehicle safety inspector license and a Pennsylvania emissions inspector license. I also have motor vehicle air conditioning licenses.
And then what happened was Covid hit, and then I.
It basically hit my business pretty hard. So I was at home. I was playing around with vehicle electronics, and electronics that are similar to what are in a vehicle. I actually made one.
One of my projects was I made a.
It's almost like a mini robot self driving vehicle.
I bought a kid off Amazon, and so they tell you how to put the whole thing together. And they had some scripts in Python, and one of them was, you could throw a red ball on the ground, and you can get the robot to follow it. It was a pretty cool project, but. So it was one of them. And that was. That was when I started to get inspired to. To go into it. I still wasn't like, yeah, I'm going to do cybersecurity, specifically, but I started to get inspired to go into it. I started learning programming because I was so fascinated with raspberry PI computers and Arduinos.
And a lot of the same components that are in a vehicle are in some of those electronics you can play around with on an Arduino set, like potentiometers and things like that.
So I just got fascinated by it. I was sort of plugging in, I building the breadboard and putting different electronic components on the breadboard in the connection to the computer. And then I had all these different Arduino scripts that I put in art in the Arduino developer Ide. And I was like, this is so cool. So I started learning programming, and then I was. I signed up for Codecademy.
I don't know if you guys are familiar that, but. So I started learning programming on there, and then what happened was, I actually made them. I made a cyber. See, I wasn't in cybersecurity yet, so I made all the same mistakes that people don't, shouldn't do before I got into cyber security and my account got hacked on codecademy. Yeah.
So. So somebody got in there, and they ordered a 300 something dollar subscription there.
And then I talked to the person at the company, and they said, they told me, give me some pointers. And they said, go on. Have I been pawn calm and I saw my email address was on the dark web.
And so what I did is I started to study cyber security because of that, what happened there and then, ever since then, it hasn't stopped.
[00:07:11] Speaker B: Yeah.
[00:07:11] Speaker C: And now there was about four years ago. And so that's what inspired me. Somebody hacking my account.
[00:07:22] Speaker B: Yeah. I mean, sometimes it takes an incident like that to kind of get us rolling. You know, you talked about the going back to the car hacking and ODB two. You know, I had a Chevrolet avalanche, which is the truck. It's kind of like the tahoe with a bed on it instead. Right. But I had one of the motor. I bought the car or the truck. It was an older vehicle, had a lot of miles on it. And sure enough, at some point, the motor blew. So I ended up getting a junkyard engine off of.
And they sent me the engine and I had to put the moat. I put the motor, and it was a six liter as opposed to the five three was what was in the car before. But it marries up to the transmission, all that. So I put it in and I had to buy the scan or like a programming tool to actually program it. And the really cool thing, I thought it was interesting.
Chevrolet. All of the settings for every different Tahoe and every different configuration is in the computer. So even that, like, they had the high, the hybrid option, they had the six liter option, they had the five three option. They had all these different things. So even though. So to tune the car, all I had to do is put the motor in, plug everything up, all the sensors, and then go into the computer and say, hey, this is a six liter, and here's its air fuel ratio chart as opposed to what it used to be, because it's a different motor and all that. And I had to play around with it a little bit to make it work. But it was a motor from a different year, but I was able to plug it in. And because all of those settings are already in the computer, I was able to just download a config from somebody else that had done a six liter in this, you know, in this, this year, and make it run. And, man, it worked great. I drove that car for another, I don't know, year and a half, two years on a replacement motor with. Using my own computer. And I. And I'm not a mechanic. I mean, I play around shade tree mechanic at best, you know, but I was able to do it by. By hacking and playing and messing with settings and things like that. So it's amazing what you can do with a computer and through that ODB two port and the infotainment systems connected to it, and almost everything is connected in through that. That network that controls that cost.
[00:09:40] Speaker C: Yeah, that is really cool. Actually, I have a similar tool that I just purchased and I'm playing with on my vehicle. And you can really go in depth, and there's a lot of hidden features that are actually on the vehicle that people don't know about. And it's like, one thing that I recently uncovered with some of my research is that there's this key fob hack in there where you can.
You can. So you press the lock button on the key fob, and then you press it a second time and hold it down, and it will close the window. And it's the same thing with the unlock feature. Hit the unlock button once and then hold it a second time, and it will close the window. But that's a feature that's hidden on my vehicle, and I had to go into the computer system to change that. And there's a lot of other stuff. Actually, one of the things I didn't know I had on my vehicle was adaptive cruise control. It was shut off, and I went in there and turned it on.
So the reason, actually, that I got asked to be on this podcast is because I went to the B sides Harrisburg convention in. So. So I. It's about a three and a half hour drive from Pittsburgh to Harrisburg. I'm from Pittsburgh, and I wish I would have had that because I'm playing around with the cruise control constantly and manually readjusting it. And I just found out about that recently. So it would have been nice to have.
[00:11:20] Speaker B: It's incredible. I mean, all the way back to 20. You mentioned Tesla, right? All the way back to, I think, whenever the model three. All the way back to 2018. I think, you know, Tesla has all options. All the hardware is there for all options on every car. It's just a matter of what you unlock. It's like more like a licensing code. Did you unlock full drive capability? Did you unlock these things? And it's a license that you can be upgraded to, and you're getting over the air updates. I don't own a Tesla, but a lot of people that do, that's one of the things they love is they have an older car, but it unlocks these new capabilities as they. As they upgrade the software and the capabilities in the os of the running car, which is amazing. The old model is, I got to go buy a new car to get those features you want Apple carplay, you got to buy a new car, you got to replace the head unit. A lot of the hardware is the same. It's just a software thing. But the old companies are not software companies. So more and more of these software, all these cars are becoming just computers with wheels.
[00:12:21] Speaker C: Yeah, basically what they are.
Yeah, it's really neat. And one of the things that I found is really cool is that when I research more, it seems like it's mostly mechanics that are doing all these hacks on the cars. You go on YouTube and you watch all these videos. It's a lot of the guys that do this, they're just going in their car and playing around, tuning different things. But there's not as many people who come from a mechanic background and then get in cyber security. But I think it's going to be a growing field in the future, and that might be a demographic that say they got a bad back or something and they want to transition into cybersecurity because it's almost an it specialized job today. Yeah, I mean, there's physical work in it, but if you got to have a bad back or you. Something happens, they take your mechanic license, then you have a stroke, and they take your mechanic license. And I feel like you pivot into it.
[00:13:34] Speaker B: Think about it. You know, again, I grew up working on cars, and again, not. Not an actual mechanic, but, you know, modifying my cars and putting lift kits or enhancing the aftermarket parts, et cetera. Right. But you can't even work on a car nowadays unless you have a computer. Unless you have the ability to run those scanners and be able to program that stuff, you just can't do it.
Even your old school mechanics that have been doing this for 40 or 50 years, unless they have the ability to interact with the computers, they can't work on newer cars. Like anything from the late nineties on, you have to have some level of computer ability to plug into and enable features and troubleshoot. Cause it's not the same troubleshooting like the computer. I remember changing a battery on a BMW, and the battery just went bad. But just replacing the battery, I had to take it to the shop, and they had to enable the new battery in the computer, even though it was just a freaking battery, but they had to enable it in the car, in the computer. The BMWs, I didn't have a scanner because it wasn't the same scanner. It was back that circle scanner in the earlier nineties. So there wasn't anything I could do. I had to take it to a mechanic, and they charged me $500 to just check a box that says, yeah, this battery is okay.
[00:14:56] Speaker C: Yeah, yeah, it's crazy. It's like, it seems like it shouldn't be that much money to, but it.
They have the tool to do it.
[00:15:06] Speaker B: So, so, so talk about some of the security and safety issues. Obviously, with cars and OT. One of the things that's different in OT and absolutely goes into the car side is, is the implications of these things. There's a physical, you know, reaction to them. Right. If I hack a car, I can make brakes not work. I can make, you know, power steering go off. I can make your speedometer, you know, miscalibrated. There's all. There's an infinite number of things that I can do. I can set off airbags. Like, I could do some really scary things with these cars. And, you know, if we're not considering cyber when we're building these cars, especially in the future, it's not necessarily you could something you can go back to and put a firewall on something, but you can absolutely at least be aware of what the risks are when you're buying a car. Which cars are better than others as far as what risks and vulnerabilities there are on them.
[00:15:59] Speaker C: Yeah, so there are. There are several different vulnerabilities that I covered in my presentation in Harrisburg. One of them was on tire sensors. And so the tire sensors are kind of a unique vulnerability because in it was 2000, I think it was 2008 was the year they passed the Tread act.
And so that required every vehicle on the road to have a tire pressure monitor sensor in every. In every tire. Because the reason they passed that was, I don't know if you remember a while back, but there was all those firestone tire burnouts on highways.
[00:16:48] Speaker B: Yep.
[00:16:49] Speaker C: It was.
[00:16:49] Speaker B: It was a Ford. Ford Escape or Explorer, I think it was. The Ford Explorer was the most common of them. That were, like, flipping and stuff because of that. Yeah, I remember that.
[00:16:58] Speaker C: Yeah. So they, when they get to high speeds, they would burn out. And so what the law did was it required to have that sensor in there. And whenever one tire is eight psi pounds per square inch below the recommended manufacturer's setting, then that sensor will go off and it will tell the driver, you need to put air in this tire. And so the one vulnerability flaw in them, though, is that if you think about a tire, it's a moving piece.
It goes in a circle. And how do you connect the wire to that? You can't really do that. So. So you have. So they put radio signal transmitting from that sensor and so that opens the vulnerability up on the tire.
And so what was demonstrated was that there was a study done by University of South Carolina and Rutgers, and they uncovered several vulnerabilities with these sensors.
One of them is just a basic privacy concern with them. So each sensor has a unique id, and so you have four different unique ids and they transmit these packets within about, I think it's, you can get up to about 100 meters.
So that's around maybe, I don't know, 60, I forget the conversion, but 60ft or so.
And so if somebody were to put a receiver on the side of the road, they can track your location.
So that's, that's one issue with them. Another one is that, so you have, so you can actually intercept these, these packets, you can reverse engineer them and then you can send spoof packets to, to the sense to the module that the tire pressure module that receives signals from the tire sensor. And if you flood that, that module with packets, you can actually shut the vehicle down while somebody's driving. That was another finding that they had and they demonstrated another one was that you could actually drain the battery if, say, that the car is just sitting there idle, parked on the side of the road, you can repeatedly flood it with spoof packets and drain the battery of the vehicle.
And so those are just some of the vulnerabilities that are in the tire sensor.
And the other thing is that what they found in this study was that the packets are just accepted completely. There's no authentication on them.
It just accepts whatever command you send to it. And you could also make the, the sensor send messages to the computer so that it causes the tire sensor to keep flashing even though the tires are fine. And that could maybe cause somebody to pull over the side of the road or whatever and say they're on a busy highway. That could put them in a dangerous situation.
So those are just a few of the findings they had in that study.
[00:20:55] Speaker B: Or, I mean, I'm guessing sure you could also send, everything is fine even though the pressure is low. So someone would ignore a low tire because they wouldn't know that it's there. So, yeah, it's definitely an example of how sensors that are designed to help help us out and know, because used to back in the day, you just walked around your car and made sure your tire pressure was good before you went, got going. And now we assume everything is good with our, with our, the sensors that we have built into our cars now.
Yeah, well, yeah, I know I've got a 16 year old or soon to be 16 year old and one of his friends, you know, just got a new car.
Not new, but, you know, a Toyota Highlander or something. But I've seen how kids today, when they're learning to drive and they're learning to, like, for instance, back up, they only use their camera. Like, I don't think they have the skill set to back up. So what happens if the camera stops working? Are they going to be able to back up without wrecking? Yeah, because they're 100% dependent upon these tools, which are great tools. I'm glad we have them, but they can't do it without them. So that can be a problem if you hack it and your camera goes down.
[00:22:06] Speaker C: Yeah, yeah. I mean, I grew up. I learned how to look behind you, but you didn't have a choice.
[00:22:14] Speaker B: That's the only way we hacked. We could be. Right.
[00:22:16] Speaker C: Yeah.
And then my prior vehicle, I had. It was kind of hard to even look behind me because the visibility wasn't good, but it had sonar, but didn't have a camera, and I had to depend on that sonar sound.
[00:22:31] Speaker B: Yeah.
[00:22:32] Speaker C: But it was very hard to look back and see. But this one is fine. And every other car I've had is. I've been able to look back and it's fine.
[00:22:43] Speaker B: Yeah.
So what are some of the other issues that you've seen are coming up in cars, obviously. I know there's. There's a lot going on. I think a recent bill just came out where the government can actually shut down your vehicle. So police case, they can actually shut down your car.
Now, obviously, that's only supposed to be done from, you know, authorized personnel, but if they can do it, theoretically, then somebody could hack it and be able to do that and shut down your car as well. So, again, driving down the highway and shut your car off.
[00:23:15] Speaker C: Yeah. Yeah. So one of the things I like to do in my research is I like to find the wiring diagrams on, on the vehicle, and then I like to screenshot all the different vehicles I research that have you see a telematics unit, which is what? It's like a cellular connection to the Internet.
And then you. You have this wire that goes over here, and then it connects to the can bus, and it's like, here, telematics unit. The wire goes and connects to that network.
And so it's. If you can get into that telematics unit, then you can. There. There are potentially ways you can pivot into that can bus. And as I said before, with. With the tire sensors, a lot of the vehicles don't have authentication, and you can just send whatever command in there that you want to. Now, I think some of the newer vehicles are improving on this, but some of the models that, when they first started connecting to the Internet, it's maybe not as secure, but some of the newer ones have ethernet, and they could segment some of those components.
So each component would say, like, I don't know, a powertrain module, so it's harder to get into those ones. But, yeah, you can. It's been demonstrated that you can definitely remotely get into vehicles. And one of the, one of the most famous hacks on cars remotely was that 2014 jeep hack. I don't know if you're familiar with that one, but, yeah, but why don't.
[00:25:18] Speaker B: You talk about it?
[00:25:19] Speaker C: Yeah. So it was Andy Greenberg, and I believe. What's his name? Charlie Miller and Chris. Chris Valasek. Those are, they're pretty, pretty prominent vehicle hackers. And so what they did is they had Andy Greenberger. He's like a pretty popular wired reporter, and he was driving the jeep down the highway, and this was all pre consent and everything. And they, and they got.
First they started turning the, the radio on and blasting it really high. And then, and then they put a pictures of themselves on the infotainment system, started making the wipers go like crazy on and off. And then I think one of the things that Andy Greenberg got mad at is that they shut, actually shut the engine down on the highway, and I don't think he was too happy about it. That. But.
And then another part of that video, they didn't do this on, on a highway, but they did it, like, in a parking lot. And they, they, uh, shut the brakes down while he was, like, going maybe like 2. It made his. The jeep go into a ditch and it was just stuck there.
So that was another one they did. So, yeah, that, that's just demonstrated that there is some vulnerabilities that could potentially be exploited. Now, that was a 2014.
[00:26:54] Speaker B: Sure.
[00:26:55] Speaker C: Hack. So I think that they, some people may have started to improve on.
[00:27:05] Speaker B: Yeah, but the problem. The problem is, is there's 2014 still on the road. Right. You know?
[00:27:09] Speaker C: Yeah, yeah.
[00:27:09] Speaker B: I'll just. I drive a 2017 car and I drive a 2017 Toyota Lexus brand. Right. So Toyota is kind of late to the game on upgrading that kind of stuff. So it's possible that mine is vulnerable to those types of things. Right. So it's very similar in all things. Ot is, we've kind of. We started adding these technologies and these capabilities in without fully understanding the implications and the risks behind them. And especially when you're talking about how many thousands of cars are out there that have this type of thing. And now, granted, how many people are sitting around with a laptop with the capabilities that are going to go down and try to do these things. But it's still something that we need to get in there that we can stop this, because again, if you look at the bill that just came out, again with talking about being able to shut down a car, a nation state, a bad actor, if they were able to get into that system, they could potentially shut down every car that has a capability. Right. Every car with, with that, that cell phone connection, with everything, I think newer than like 2014 or 2012, they could, they could potentially shut down those vehicles, which obviously that could be an impact. So there's a national security risk. There's a, there's a bad actor risk, but there's also just a general safety. You know, if you lock brakes up on the highway, you're going to cause people to crash and injuries. And there's a lot of implications that could come from all these things, but we're dealing with real world problems.
[00:28:30] Speaker C: Yeah. So I actually, I actually read the write up that Charlie Miller and Chris, I mixed their names up.
[00:28:42] Speaker B: Sure.
[00:28:43] Speaker C: Yeah. Chris ValAsek wrote on very specific detail on how they implemented that hack on the vehicles and the way that it wasn't really on the, if you go on YouTube and you watch it, but there was a potential that they wrote in there that say you could get into all of those vehicles simultaneously and you could say spread a worm that way and then it would just go to all of them. And then simultaneously you could have millions of cars go take control of them. And it's, that's a huge national security risk in my opinion. And, but I think that they did release a patch on that. So, yeah, that's at least a good thing.
[00:29:36] Speaker B: And, well, and that can bus system, that architecture is used across maritime, it's used in airplanes. So that can bus system is obviously not that specific problem. And obviously airplanes, they're probably looking, or I know they're looking at that differently than they are cars, but still there's a similar architecture issue. There's a similar consideration we need to be looking at for all these types of systems. When we're integrating, it's easiest to just plug it into the network that's available. That's like putting the power plant. I'm just going to plug it into the Internet because it's closest network available. But we all know the problems with doing that and the risks that we're opening up by doing that as well.
[00:30:19] Speaker C: Yeah.
Yeah. It's kind of, it's so, yeah, I mean, I think the one, the one thing is that how, how do you update these vehicles too? Is like, it's very easy, I think, to do it on, on a computer or phone. But when it comes to vehicles, not all of them have over the air capability.
[00:30:46] Speaker B: Yeah.
[00:30:46] Speaker C: To update it in the, in, when you go in the computer and you look, is this something you can update over the air and some of them have it restricted to, you have to go into the dealership or download the software off of the manufacturer and plug a usb stick in and update it.
[00:31:05] Speaker B: Right.
[00:31:06] Speaker C: And so it's, so that can be a complexity. It depends on which one. But I know, like there's certain features when I went in my vehicle with the tool I have or over the air capabilities to update certain components in the vehicle or just use a usb stick. So it's like people need to go find somebody to help them update it or now there are a lot of over the year means to update it, too. But it's like, it's. I'm sure there's some vehicles out there that are not updated and so that can be an issue too.
[00:31:52] Speaker B: Yeah, absolutely. I mean, especially when you start looking at, you know, I'm not a mechanic or people that are not capable or comfortable doing those things and maybe they live in a remote area. They don't take it to the dealership, whatever. Those, those cars can be vulnerable to that because they haven't gone in and taken it. So, you know, all the way down to. I remember I had a Harley Davidson, you know, the infotainment system on that. If I wanted to enable it to use Spotify or airplay with my, with my phone, I had to take it in the dealership. They had to plug in their, into their scanner, which it wasn't ODB two. It was some other proprietary Harley thing, but it was the same type of connection and connect into the can bus and the infotainment system to enable that Checkbox like we were talking about when I did the avalanche on the Chevy platform just to enable that. And that was a, they charged me $100 mechanic fee, you know, shop charge and, you know, the cable. I don't remember what it was, but it was like $250 to basically do something I could do at home, but I didn't have the software to do it. Right. So, yeah, pretty frustrating that, that they're doing that and then I know Tesla, you know, Tesla really doesn't allow you to do any, any. You have to get all work done at Tesla, right? There is no, you can't just take it to your local mechanic or have your brother in law fix it or even do it yourself. You really don't have that ability. I know there's a lot of lawsuits around those things, but they don't have the software availability. You can't just download an open source software package and get the scanner a normal car. If you have a check engine light, you can go up to, you know, autozone or O'Reilly or any of these places, they can plug in their scanner and tell you at least what the code is. Hey, this is for the air conditioning system, or this is a ABS sensor, or this is an ODB two scan or a o two sensor. They'll at least narrow it down and tell you what the cut, what the code is. But on a Tesla, unless it tells you on the display, which I don't know enough, obviously, there's not as many parts and sensors and things to break necessarily, but it's just different. So it makes it difficult when you don't have the ability to at least diagnose and troubleshoot. And what is the life cycle of that car beyond the cybersecurity impacts of it? What is the life cycle of that car if I can't maintain it myself? Because eventually the warranty is going to end if I want that car to last after that fact, because I can buy a 1962 mustang and I can still work on her. 62 is not right. 64 and a half would be the first one. But you get my point. I can buy sixties car and I can still work on it. I can put a new motor in it. I can do all the work on it. I can do the same thing with the 2012, but I'm going to have to have a computer. But a Tesla, I know there's that one guy on YouTube, what is his name? Russ or Ross or, or whatever, and he takes Teslas and finds them in junkyards and pieces them together and makes one. But Tesla won't even sell them apart because they refuse to sell him anything, which is to me.
I've taken us down another, another panel there, but it all goes back to being able to understand what's in your system and in your car, because ultimately it's impacting you as a consumer and me as another in another vehicle driving on the same highway as you.
[00:35:06] Speaker C: Yeah.
Yeah. It's definitely an issue there.
[00:35:15] Speaker B: So what do you see, of how, how do you get ahead of this from a. From a cyber perspective and across all these different car manufacturers, and we've got different countries where these cars are put in. You know, you know, Toyotas are built in Japan, and the company is Japan, but they, obviously, we have them here. There's. But there's a right side drive car. There's a lot left side drive car. Like, we've got all of these issues, but from an american perspective on our highways, if we just focus in on just America just for a second, you know, how do we, how do we look at this from a, from a policy perspective or from a, you know, future engineering perspective of how do we make these things more secure and more reliable? Because reliability is really the biggest impact. We don't really care about cyber except for the fact that it can impact availability and safety.
[00:36:02] Speaker C: Yeah, I think one of the things is that just like they, they passed a standard for tire sensors, they have to be in the vehicle.
[00:36:11] Speaker B: Yep.
[00:36:12] Speaker C: And then, and then the OBD two in 1996 and newer vehicles all have to have that same network for universal trouble code diagnostics.
There. There should be some type of standard for safety on.
On the vehicles for that, because it's. It's very, it's a very important subject. And it's, this isn't just like, say you hack into a computer and you. Somebody loses money and data and someone puts a ransomware on your computer, but it goes beyond that to people's lives could be at stake, and it's also a national security risk. And so I think maybe some type of standard across the board should maybe be implemented to make the vehicles safer.
So I think that's a good solution.
And I guess there's a lot of people that will have to come into play. Play and try to. Try to figure out how. How that needs to be implemented. But that's my idea.
[00:37:29] Speaker B: Well, and I know as we have more, and it's beyond just Tesla, you mentioned earlier the auto, the cameras are noticing speed. My car, it recognizes the speed of the speed limit signs. And I know that's easily hacked. I know you talked about that in your speech or in your talk at b sides where you can just, you know, put reflective tape on a speed limit sign and it reads it as a different speed than it actually is. So there's easy ways that I can physically manipulate those things that have a giant impact. So talk a little bit about the autonomy from a vehicle perspective. And as we're adding more autonomous self driving capabilities, more than just Tesla have that. Now that's a. That's a big risk. There's. There's self driving cars in San Francisco. There's even some. Well, there were some in Austin here where there were driverless vehicles where you could get a car and it would show up and there's no driver in it. You just get in the back and it takes you to your destination.
[00:38:33] Speaker C: Yes. So I remember seeing them in Pittsburgh, too, because Uber was. This was basically the hub for Uber for their self driving vehicles in Pittsburgh. And then there was that one accident. It was on a St. Patrick's day several years ago, and I guess it didn't recognize the woman was crossing the street with a shopping cart, and I ran her over. And then ever since then, I have not seen any of those vehicles on the road in Pittsburgh. They basically just shut the program down. Uber did.
[00:39:11] Speaker B: So, yeah.
[00:39:15] Speaker C: But, yeah, that's. That's definitely a big issue. Like. Like the stops or the speed limit signs. That is a hack that was demonstrated. And it's so simple for an attacker to implement. I mean, it's just, you had a 35 miles per hour stop speed limit sign, and somebody put a black tape across the middle of the three.
It wasn't even a complete eight. But. But the Tesla. Tesla's automobile auto drivers automated driver assist, it interpreted that as an 85 miles per hour speed limit sign. And you can. There was one video, actually, I didn't put it in my presentation, but you can look it up on YouTube where it. You can actually see that demonstration. And so there's a driver in the car and it. It starts going up to maybe about 50 or 55, and then the driver catches it and puts the brake on. But that's still a potential of what if. So what if somebody is like, oh, this automated vehicle is doing fine, driving me to work or whatever. I'm reading my newspaper, and then all of a sudden it just slams into the back of somebody's car.
So that's. I mean, that's an issue. And it's. I think that's just these AI systems, they.
They need to be fine tuned to be able to.
To see certain visual stimuli, and it's still not fine tuned enough, I think, today, for it to be safe, but hopefully someday it will be better. But, yeah, they're still working on that and it's. It's still a risk. So, yeah, there's ice. Actually saw another issue where.
So the brake assist, they showed all these different vehicles and they had a guy on a. On a mock. It was just a dummy a mock motorcycle, and, like, 90% of them just slammed straight into the back of the parked motorcycle.
And so it's, I mean, they try slow down a little bit, but it's things like that that need to be worked out with the AI machine learning on vehicles.
[00:41:43] Speaker B: Yeah, I mean, not to mention that most of our cars now are keyless. So I put a, you know, I have a key fob in my pocket that's got some kind of RFID or something that's registered to the car. But there's also a lot of things on YouTube, etcetera, that you can see in cars being stolen left and right, because they have, they have tools that can figure out the codes. Either they're capturing the codes when you click it, or they're just trying multiple codes. And that's how they're. They're stealing vehicles. And these are brand new cars and not, they're not old school days where they, you know, take a screwdriver and break your lock or break a window to get in your car. They're just doing it like the garage door openers of the nineties, and they're just using tools to get into your car, open it up, and then they drive it off with your car. It doesn't even register it as stolen. It thinks you're the right person.
[00:42:29] Speaker C: Yeah. So the say you have to do a relay attack. You have two thieves.
Typically, if you watch any of these videos, you can look up on YouTube, you'll have one thief who have a device, and they're pretty close to the vehicle. And what they do is the first date, they pull on the handle, and then that sends a challenge out from the vehicle, and then it goes to that device, and then you have another thief who is standing in front of the person's house, and it relays that signal to the second thief's device, and then that signal goes inside of that person's house, connects with the key fob, it sends the signal back to the second thief's device, and then goes back to the first thief's device, and then it's able to open the door from that. So that is, that's basically how that works. So you just unlock it with that simple attack. And basically, any of the vehicles that are out there that don't have a key, that don't have a key, you can plug into the vehicle. They're generally vulnerable to that type of attack.
[00:43:52] Speaker B: Right.
[00:43:53] Speaker C: And so some of the solutions, I think, for that maybe are you could maybe put an on off button on future keyboard key fobs so when you're, you don't need to use it. You basically shut that off. I mean, that's a very, very simple solution.
But today I think if you want to protect yourself from that attack, you almost have to fight. Buy a little Faraday bag and put it in there. And then, I mean, if you're worried about somebody trying to steal your car, but that's the way to do it today. But yeah, I think that the only.
[00:44:34] Speaker B: Way is to get a, you know, aftermarket, some kind of system that has a kill switch that disables that you have to bypass. Basically it's almost like dual factor. Right. I have some other thing, thing that I have to overcome before I can attack the sensor in my key. I have a secondary thing I have to hurdle to connect the dots. Right?
[00:44:54] Speaker C: Yeah, yeah, definitely.
[00:44:57] Speaker B: Exactly.
Go ahead.
[00:45:00] Speaker C: Where are you saying go ahead?
[00:45:02] Speaker B: No, I was just going to say. So all this that we've said, like there's a lot of things that are good and scary and wonderful. I mean, granted, my, my 2000 or my brand new car, the newer models of cars have so many cool features compared to my. The first vehicle I ever had was a 1984, you know, Toyota Land Cruiser, which had, you know, zero computer. It was carbureted. I mean, everything about it was manual. The windows were manual, it didn't have power locks, it didn't have power windows, it didn't power anything. Like it had a radio, it had air conditioning, it had power steering and power brakes. But that's about it. Like, everything else was mechanical and even those were mechanical, they weren't electric systems.
All the way up to now, where I can remote start my car and, you know, it's got serious accident satellite radio and it's got gps built into it. Like all the creature comforts of the capabilities that are in this turn by turn navigation are great, but they bring on this inherent risk. So all that to say, the next five to ten years, what's something that you're excited about and maybe something that you're anxious or nervous about about or not excited about that could be coming and could be impactful or scary if it's not fixed?
[00:46:13] Speaker C: Well, I think that as we become more interconnected and as people start to figure out how to exploit these systems more, it could become an issue where it's more commonplace for people to hack cars.
One of the things I think that might be a likely outcome at some point in the future is that I've read about one hack that may potentially blow up in the future. And it's, it's a ransomware on your vehicle.
So you get your vehicle hacked and, and then you get a message on your infotainment system and it says, send this amount of money to this whatever in bitcoin, and then that could become more commonplace. That's one issue I think could be a problem in the future.
The other thing is, as far as positive, I think that there are manufacturers who are working on this in trying to mitigate the situation. So, like I said, they're working on Ethernet. That could help potentially mitigate some of those situations we're talking about. And like I said, I'm hoping at some point that in the future we get some type of security standard for over the air components of a vehicle. And I think that's a good route to try to solve some of these issues.
And so, I mean, those are just basically a good breakdown of some of the pros and cons. I also think, though, that in the future, for people in the cyber security field, I think that this will be something that will grow with jobs because we're going to need more people to be on the watch watching vehicles because, I mean, not, I think maybe it's 60 something or 65% of vehicles on the road have some type of over the year capability, but in a few years, it might be 100%.
[00:48:44] Speaker B: Yeah.
[00:48:45] Speaker C: And we're gonna need more people to go into this industry. So it could be a good job growth opportunity for cybersecurity for people in the future.
[00:48:56] Speaker B: Yeah, absolutely. And we see more and more commercial vehicles, too. Right? Commercial vehicles have all these additional systems that they can monitor, you know, where their vehicles are, you know, manage their fleet. They can see all this stuff, you know, from a central perspective. So if I have a thousand vehicles out, I mean, think about Amazon and how many Amazon cars there are. I'm sure they have logistics on every one of their vehicles. They know tire pressure, they know how fast the drivers are going, all the things. Right. But there's also risks in that. If it's not done well, then, you know, somebody could hack into that system and shut down all the, all the Amazon cars as a hypothetical. Right. As we do these things, it adds a lot of capability and visibility and systems, and I can track and trends and all that kind of stuff. But with all of those things also comes risk. And we just have to ensure that we're thinking about both sides of that coin, not just the positive side and all the things that it can get us, but also that, hey, how do we make sure that the bad side of that coin doesn't happen and making sure we're going into it with eyes wide open.
[00:49:57] Speaker C: Yeah, I agree.
[00:49:58] Speaker B: Yeah. Awesome, man. So. So where. Where. Where are you going to be anybody, any place you're going to be that people can come see you, give this talk, and if they want to reach out to ask about more about car security, how do they get hold of you?
[00:50:14] Speaker C: Well, I could. I can give you a. Maybe my email or actually I have LinkedIn too.
Send you that after the shows.
[00:50:24] Speaker B: I'll put it in the show notes for sure.
[00:50:26] Speaker C: But I'm also going to be hopefully speaking at the Pittsburgh B sides. I put my call for speakers paper in.
I haven't heard back yet, but it's still kind of early. So they're still selecting who they want to pick. But I'm hoping this speak at the Pittsburgh B sides and that will be I 12th of this year.
[00:50:49] Speaker B: Awesome.
[00:50:50] Speaker C: And I'll probably have a more. I should have more updated research from when I spoke at Harrisburg because there was a few things I want to try to figure out. Like, I want to do more research on this tire sensors. Yeah. I just didn't have the tools to put it into my presentation, but I may have them for the Pittsburgh B sides presentation, so that's something to look forward to.
[00:51:20] Speaker B: Very cool.
[00:51:21] Speaker C: Yeah. So I'll send you some contact info.
[00:51:25] Speaker B: After podcasts, and I'll put all that stuff in the show notes. So anybody that wants to reach out, they can find you on LinkedIn. They can find you at the potentially at the Pittsburgh B sides and obviously just reach out with any questions or whatever.
So.
[00:51:39] Speaker C: Yeah.
[00:51:39] Speaker B: Yeah. Hey, man, thanks a lot for joining me today. It was a lot of good information. It just shows that there's all this stuff that in OT, in all these different verticals, manufacturing and power utility, but. But cars, too. And we're driving around in those things every day, trusting the technology, hoping that it's going to work and that we're not. We're not risking it. So I appreciate it and keep up the good fight. Sir, I thank you for your time.
[00:52:03] Speaker C: Thank you. Thanks for your time, too.
All right.
[00:52:08] Speaker A: Thanks for joining us on protect it all, where we explore the crossroads of it and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
