Hacking electric skateboards

Date posted: 12-Jan-2017

Transcript of Hacking electric skateboards

  • Hacking electric skateboards: vehicle research for mortals

    Richo Healey & Mike Ryan

  • Who are these jerks anyway?

    richo: Computer [...]; Enthusiast; ran WrongIslandCon

    mike: Bluetooth [...]; operator of conscience (sometimes)

  • Why buy an $nK skateboard?

    Lightweight. (Relatively) inexpensive. Maybe wanted on the hype train early.

    Maybe to hax it.

  • Why hax a $1k skateboard?

    Because it's there. Vehicle research is cool, but not all of us can afford to brick a car.

    Figured we might be able to illustrate a point about the state of security research.

  • The boards: Boosted

  • The boards: Evolve

  • The boards: Yuneec E-go

  • Maybe you've spotted the design trend here

  • Agenda (hope yer wearin yer lernin b00tz)

    Boosted: Bluetooth, GATT, jammers, PyBT

    Evolve: Bluetooth? Weird RF protocols

    E-go: wifi?!

    Boosted (Redux): Fiiiiiirmware!

  • Right, so, like, hacking. Or whatever.

    Most of these boards use Bluetooth. I know nothing about Bluetooth.

    I know mike though; mike knows Bluetooth. How hard can this possibly be?

  • Boosted

  • Boosted: Bluetooth remote, regenerative braking, firmware upgradable

  • Storytime

  • Bluetooth and You: co-opting a GATTling gun

    Bought some Uberteeth.

    Looked at some packets. Now what?

  • Bluetooth and You

    Modern Bluetooth supports some crypto. Using it would have made our lives annoying. No crypto though. Go team!

  • GATT (a clever pun about GATT)

    Generic Attribute Profile: handle-wise communication. Supports either request-response or datagram-like exchanges. Sits on BLE.

  • Looks like dis

  • Many beers later (painstakingly reversed with love)

    Simple duplex protocol. Controller sends on handle 0x1a, reads on handle 0x1c.

    Basically a Bluetooth -> serial adaptor.

  • Many beers later (painstakingly reversed with love)

    Message      Direction        Meaning
    RC0          Remote -> Board  Speed control
    FUEL         Remote -> Board  Fetch current battery load
    REXP         Remote -> Board  Set expert mode
    RBGN         Remote -> Board  Set beginner mode
    GAUGE[1-5]   Board -> Remote  Inform current battery load

  • We know its language, but how 2 talking?

    Bluetooth comms turn out to be sorta miserable, especially for general purpose applications. x10000 for ad-hoc, general purpose applications.

  • The old school

    Ubertooth: minimal.

    BlueZ: full featured, but heavy. Not super fond of doing obviously broken things (like fuzzing embedded devices).

  • Welcome to the new school: PyBT

    Userland Bluetooth stack implemented in Python. Backs onto scapy for actually talking to the wire. Uses HCI_CHANNEL_USER. Prototyping++

    https://github.com/mikeryan/PyBT

  • Now what?

    Neat, we can spin the wheels. Need to be connected to the board to exploit. Only one thing can be connected at a time. Thinking back to that intersection...

    richo demonstrates again that he has no idea: How hard can jamming Bluetooth be?

  • Jamming Bluetooth: super hard, it turns out

    Naive approach: Yell really loud. No one can hear anything. ?????? Profit..?

  • Jamming Bluetooth: seriously, like crazy hard

    It's like they designed the protocol itself to stop us from doing this exact thing.

    By this point richo is no longer allowed to make suggestions.

  • Jamming Bluetooth: seriously, like crazy hard

    Bluetooth's channel hopping stops us from jamming effectively.

    Channel hopping is deterministic.

    Need some state. Gotta capture: access address, hop interval, hop increment.

  • Jamming Bluetooth: seriously, like crazy hard

    Upstreamed: https://github.com/greatscottgadgets/ubertooth

  • Demo Time! Time to launch some jerks

    The plan: Set up a bunch of jammers. Configure our REPL to connect and auto-reverse throttle. Wait for hapless skateboarder. Jam. Connect. Reverse. ????? Launch some jerk.

  • Demo Time! Time to launch some jerks

    He'll be like:

  • Demo Time! Time to launch some jerks

    And we'll be like:

  • Followup: Boosted response, not-horrible/10

    Reported to Boosted before Kiwicon last year. Shaky start. Wound up working with us. Implemented a fix! (kinda)

  • Evolve

  • Evolve

    Says Bluetooth on the site. Spoilers: this is not a True Fact.

    Better range than Boosted. Janky looking remote. Made of carbon though? So that's neat I guess ¯\_(ツ)_/¯

  • Evolution

    It says Bluetooth right there on the tin. We're crazy cocky at this point. We oughta have this done by lunch.

  • Evolution

    Pull out the harness we used on Boosted.

  • Evolution

    No packets this time :( richo is a goddamn hipster and lives in SF. Goddamn hipsters in SF love wifi/BT. richo's apartment might be the RF-noisiest environment in the whole universe.

    The moratorium on richo giving advice has expired by this point.

    We'll build a Faraday cage!

  • Evolution

    Snowboard bindings box wrapped in tinfoil.

    Works terrifyingly well. Seriously wtf tho, where's the Bluetooth?

  • Evolution

    merijn very kindly lent us his skateboard. We should probably pull it to pieces and look at it. Unclear if we ever mentioned that we were going to do this, or that we did.

    (Hi Merijn btw, we pulled apart your skateboard)

  • Evolution

    Pulled the remote apart. Looked up the RF part... er, this is not a Bluetooth chip.

    Neither of us have even heard of this thing: nRF24LE

  • Evolution

    Talks PowerThirst

  • Evolution

    Er, ShockBurst

  • Evolution: WTF is this thing?

    Antennae? Way too big for 2.4GHz.

  • Evolution

    No obvious path to glory. No HackRF at my place. Can't fiddle with its radio today. Let's just dump traffic directly.

    Hey, didn't I impulse buy a Saleae a while ago?

  • Evolution

    Dumped everything. Nothing terribly interesting looking. ¯\_(ツ)_/¯

  • Evolution

    No dice on the remote. Let's fiddle with the board instead!

    (Hi Merijn)

  • Evolution

    Cramped AF. Traced most of it out though. Off the shelf parts. Explained a bunch of hilarious bugs.

  • Evolution

    ShockBurst is simplex, hence no data to the remote.

    Not especially complex. Does have a 9-member bitfield though, to make our lives miserable.

    Less tolerant to interference than BT.

  • Demo Time!

    Inject packets into Evolve. ???? Profit!

  • Evolution

    Sadly not much else to do here. Outside of "attacker has physical access" scenarios there's not much to attack.

  • E-go

  • Taming a wild ego

    Says Bluetooth all over it. Has a smartphone app. Has to be Bluetooth, right?

  • Taming a wild ego

    Didn't take a good photo :( Sadly it can't actually drive an Ubertooth (yet?).

    Sniffed a lot of Bluetooth.

    No packets again. WTF?

  • Taming a wild ego

    WTF is th