Hacking electric skateboards:
vehicle research for mortals
Richo Healey & Mike Ryan
@mpeg4codec / Hacking Electric Skateboards / @rich0H
Who are these jerks anyway
‣ richo
  ‣ Computer Jerk
  ‣ @rich0H
  ‣ Duck Enthusiast
  ‣ Ran WrongIslandCon
‣ mike
  ‣ Bluetooth Guy
  ‣ @mpeg4codec
  ‣ Owner/Operator of conscience (sometimes)
Why buy an $nK skateboard?
‣ Lightweight
‣ (relatively) inexpensive
‣ .. maybe wanted on the hype train early
‣ Maybe to hax it
Why hax a $1k skateboard?
‣ Because it’s there
‣ Vehicle research is cool
‣ But not all of us can afford to brick a car
‣ Figured we might be able to illustrate a point about the state of security research
The boards
‣ Boosted
‣ Evolve
‣ Yuneec E-go

Maybe you’ve spotted the design trend here
Hope yer wearin’ yer lernin’ b00tz
Agenda
‣ Boosted
  ‣ Bluetooth GATT
  ‣ Jammers
  ‣ PyBT
‣ Evolve
  ‣ … bluetooth?
  ‣ Weird RF protocols
‣ E-go
  ‣ … wifi?!
‣ Boosted (Redux)
  ‣ Fiiiiiirmware!

Or whatever
Right so like hacking
‣ Most of these boards use bluetooth
‣ I know nothing about bluetooth
‣ I know mike though
‣ mike knows bluetooth
‣ How hard can this possibly be?

Boosted
‣ Bluetooth Remote
‣ Regenerative Braking
‣ Firmware Upgradable
Storytime
Co-opting a GATTling gun

Bluetooth and You
‣ Bought some uberteeth
‣ Looked at some packets
‣ Now what?
‣ Modern bluetooth supports some crypto
‣ Using it would have made our lives annoying
‣ No crypto though
‣ Go team!

A clever pun about gatt
GATT
‣ Handle-wise communication
‣ Supports either request-response or datagram-like
‣ Sits on BLE

Looks like dis

… many beers later
painstakingly reversed with love
‣ Simple duplex protocol
‣ Controller sends on handle 0x1a
‣ Reads on handle 0x1c
‣ Basically a bluetooth -> serial adaptor
… many beers later
painstakingly reversed with love

Message     Direction        Meaning
RC0         Remote -> Board  Speed control
FUEL        Remote -> Board  Fetch current battery load
REXP        Remote -> Board  Set expert mode
RBGN        Remote -> Board  Set beginner mode
GAUGE[1-5]  Board -> Remote  Inform current battery load
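A decoder for captured ATT traffic on this protocol, as an added example (not the authors' tooling or Boosted's code). Because the link ran without pairing or link-layer encryption, a sniffed write or notification decodes directly. The ATT opcodes come from the Bluetooth Core spec and the handles and message names from the table above; the payload layout (ASCII mnemonic followed by optional argument bytes) and the PDUs in CAPTURE are constructed assumptions. The decoder also reports anything that does not fit the reversed protocol, which is the first thing to look at when a capture contains traffic the table does not explain.

```python
"""
Decode captured ATT traffic for the remote <-> board protocol reversed above.
Added example, not the authors' tooling: ATT opcodes are from the Bluetooth
Core spec, handle numbers (0x1a/0x1c) and message names from the deck, and the
payload layout (ASCII mnemonic + optional argument bytes) is an assumption, as
are the constructed PDUs in CAPTURE.
"""
import struct

# ATT opcodes (Bluetooth Core spec, Vol 3 Part F)
ATT_WRITE_REQ = 0x12
ATT_WRITE_CMD = 0x52
ATT_HANDLE_VALUE_NTF = 0x1B
ATT_HANDLE_VALUE_IND = 0x1D

HANDLE_TO_BOARD = 0x1A    # the remote writes commands here
HANDLE_FROM_BOARD = 0x1C  # the board answers with notifications here

# Direction and meaning of each message, as reversed from the Boosted traffic
MESSAGES = {
    "RC0":  ("Remote -> Board", "Speed control"),
    "FUEL": ("Remote -> Board", "Fetch current battery load"),
    "REXP": ("Remote -> Board", "Set expert mode"),
    "RBGN": ("Remote -> Board", "Set beginner mode"),
}
for _n in range(1, 6):
    MESSAGES[f"GAUGE{_n}"] = ("Board -> Remote", "Inform current battery load")


def parse_att(pdu: bytes):
    """Split an ATT write/notification PDU into (opcode, handle, value).
    The attribute handle is a little-endian 16-bit field after the opcode."""
    if len(pdu) < 3:
        raise ValueError("ATT PDU too short")
    (handle,) = struct.unpack_from("<H", pdu, 1)
    return pdu[0], handle, pdu[3:]


def split_mnemonic(value: bytes):
    """Return (mnemonic, argument bytes). Known names are matched longest-first so
    'GAUGE3' is not read as 'GAUGE' + '3'; unknown values keep their leading run
    of upper-case letters and digits so they can still be reported."""
    for name in sorted(MESSAGES, key=len, reverse=True):
        if value.startswith(name.encode("ascii")):
            return name, value[len(name):]
    i = 0
    while i < len(value) and chr(value[i]) in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789":
        i += 1
    return value[:i].decode("ascii"), value[i:]


def decode(pdu: bytes) -> dict:
    """Decode one PDU and list anything that does not fit the reversed protocol."""
    opcode, handle, value = parse_att(pdu)
    anomalies = []
    if opcode in (ATT_WRITE_REQ, ATT_WRITE_CMD):
        wire_dir, expected = "Remote -> Board", HANDLE_TO_BOARD
    elif opcode in (ATT_HANDLE_VALUE_NTF, ATT_HANDLE_VALUE_IND):
        wire_dir, expected = "Board -> Remote", HANDLE_FROM_BOARD
    else:
        wire_dir, expected = "unknown", None
        anomalies.append(f"unexpected ATT opcode 0x{opcode:02x}")
    if expected is not None and handle != expected:
        anomalies.append(f"{wire_dir} PDU on handle 0x{handle:02x}, expected 0x{expected:02x}")
    name, args = split_mnemonic(value)
    entry = MESSAGES.get(name)
    meaning = None
    if entry is None:
        anomalies.append(f"unknown command {name!r}")
    else:
        meaning = entry[1]
        if entry[0] != wire_dir:
            anomalies.append(f"{name} seen {wire_dir}, table says {entry[0]}")
    return {"opcode": opcode, "handle": handle, "direction": wire_dir,
            "msg": name, "args": args, "meaning": meaning, "anomalies": anomalies}


# Constructed capture: a throttle write, a battery query, the board's gauge
# notification, and a write the table has no entry for.
CAPTURE = [
    bytes([ATT_WRITE_CMD, 0x1A, 0x00]) + b"RC0\x7f",
    bytes([ATT_WRITE_REQ, 0x1A, 0x00]) + b"FUEL",
    bytes([ATT_HANDLE_VALUE_NTF, 0x1C, 0x00]) + b"GAUGE3",
    bytes([ATT_WRITE_REQ, 0x1A, 0x00]) + b"STOP",
]


def summarize(pdus=CAPTURE):
    """One human-readable line per PDU; anomalies are appended in brackets."""
    lines = []
    for d in (decode(p) for p in pdus):
        flag = f"  [{'; '.join(d['anomalies'])}]" if d["anomalies"] else ""
        lines.append(f"0x{d['handle']:02x} {d['direction']:<15} {d['msg']:<8} "
                     f"{d['meaning'] or '?'}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Running it prints one line per PDU; the last one is flagged as an unknown command, which is exactly how the extra commands in the later table (PING, GIT, STAT and friends) would surface in a capture before the firmware had been read.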
but how 2 talking?
We know its language
‣ Bluetooth comms turn out to be sorta miserable
‣ Especially for general purpose applications
‣ x10000 for ad-hoc, general purpose applications

The old school
‣ Ubertooth
  ‣ “minimal”
‣ BlueZ
  ‣ Full featured, but heavy
  ‣ Not super fond of doing obviously broken things
  ‣ (Like fuzzing embedded devices)

Welcome to the new school
PyBT
‣ Userland bluetooth stack implemented in Python
‣ Backs onto scapy for actually talking to the wire
‣ Uses HCI_CHANNEL_USER
‣ Prototyping++
‣ https://github.com/mikeryan/PyBT
Now what
Neat we can spin the wheels
‣ Need to be connected to the board to exploit
‣ Only one thing can be connected at a time
‣ Thinking back to that intersection
‣ richo demonstrates again that he has no idea:
  ‣ “How hard can jamming bluetooth be?”

Super hard, it turns out
Jamming bluetooth:
‣ Naive approach:
  ‣ Yell really loud
  ‣ No one can hear anything
  ‣ ??????
  ‣ Profit…..?
Seriously like crazy hard
Jamming Bluetooth
‣ It’s like they designed the protocol itself to stop us from doing this exact thing
‣ By this point richo is no longer allowed to make suggestions
‣ Bluetooth’s channel hopping stops us from jamming effectively
‣ Channel hopping is deterministic
‣ Need some state. Gotta capture:
  ‣ Access address
  ‣ Hop interval
  ‣ Hop increment
‣ Upstreamed: https://github.com/greatscottgadgets/ubertooth
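The point behind "channel hopping is deterministic" is worth seeing in code. The following is an added example, not the authors' or Ubertooth's code: it implements the Bluetooth 4.x link-layer channel selection algorithm #1 (Core spec Vol 6 Part B, section 4.5.8.2), which is what any BLE stack runs once a connection is set up. Given the hop increment and the channel map (plus the access address and hop interval for timing, which the slide lists), every data channel a connection will use is computable in advance. Hopping exists to spread interference, not to hide the link; the defence against someone following a connection is link-layer encryption and pairing, which this board did not use. The parameter values below are constructed.

```python
"""
Why BLE channel hopping is followable once the connection parameters are known.
Added example, not the authors' or Ubertooth's code: Bluetooth 4.x channel
selection algorithm #1 (Core spec Vol 6 Part B, 4.5.8.2) computed from the hop
increment and channel map. Parameter values below are constructed.
"""

NUM_DATA_CHANNELS = 37          # data channels 0..36; 37-39 are advertising
ALL_CHANNELS = (1 << NUM_DATA_CHANNELS) - 1


def used_channels(channel_map: int):
    """Expand the 37-bit channel map (bit n set = data channel n in use)."""
    used = [ch for ch in range(NUM_DATA_CHANNELS) if channel_map >> ch & 1]
    if not used:
        raise ValueError("channel map enables no channels")
    return used


def next_channel(last_unmapped: int, hop_increment: int, channel_map: int):
    """One CSA#1 step: returns (new unmappedChannel, channel actually used).
    The unmapped channel advances by the hop increment mod 37; if the channel
    map has that channel masked out, it is remapped onto the used set by index."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement is 5..16 per the spec")
    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if channel_map >> unmapped & 1:
        return unmapped, unmapped
    used = used_channels(channel_map)
    return unmapped, used[unmapped % len(used)]


def hop_sequence(hop_increment: int, channel_map: int, count: int,
                 start_unmapped: int = 0):
    """Channels visited over `count` connection events. lastUnmappedChannel is 0
    when a connection is created, so the first event's unmapped channel is the
    hop increment itself."""
    seq, unmapped = [], start_unmapped
    for _ in range(count):
        unmapped, ch = next_channel(unmapped, hop_increment, channel_map)
        seq.append(ch)
    return seq


def period(hop_increment: int, channel_map: int) -> int:
    """Events until the unmapped walk returns to channel 0. 37 is prime and the
    increment is below it, so this is always 37: every unmapped channel comes up
    once per cycle, which is why there is no 'quiet' channel to hide on."""
    unmapped, n = 0, 0
    while True:
        unmapped, _ = next_channel(unmapped, hop_increment, channel_map)
        n += 1
        if unmapped == 0:
            return n


if __name__ == "__main__":
    # All 37 channels enabled, increment 5: 5, 10, 15, ...
    print(hop_sequence(5, ALL_CHANNELS, 8))
    # Channels 0..19 masked out (say, under a Wi-Fi network): masked hits are remapped
    wifi_avoiding = ALL_CHANNELS & ~((1 << 20) - 1)
    print(hop_sequence(5, wifi_avoiding, 8))
    print("period:", period(13, ALL_CHANNELS))
```

The remapping branch is the part people forget: a host that masks out channels under a busy Wi-Fi network does not make the sequence less predictable, it only folds the masked channels onto the remaining ones by index. Bluetooth 5 added channel selection algorithm #2, which is a different (hash-based) computation, but it too is fully determined by the same connection state.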
Time to launch some jerks
Demo Time!
‣ The plan:
  ‣ Setup a bunch of jammers
  ‣ Configure our repl to connect and autoreverse throttle
  ‣ Wait for hapless skateboarder
  ‣ Jam
  ‣ Connect
  ‣ Reverse
  ‣ ?????
  ‣ Launch some jerk
He’ll be like:
And we’ll be like:

Boosted Response: not-horrible/10
Followup
‣ Reported to Boosted before Kiwicon last year
‣ Shaky start
‣ Wound up working with us
‣ Implemented a fix! (kinda)
Evolve
‣ Says bluetooth on the site
‣ Spoilers: This is not a True Fact™
‣ Better range than boosted
‣ Janky looking remote
‣ Made of carbon though?
‣ So that’s neat I guess
‣ ¯\_(ツ)_/¯

Evolution
‣ It says bluetooth right there on the tin
‣ We’re crazy cocky at this point
‣ “We oughta have this done by lunch”
‣ Pull out the harness we used on Boosted
‣ No packets this time :(
‣ richo is a goddamn hipster and lives in SF
‣ goddamn hipsters in SF love wifi/bt
‣ richo’s apartment might be the RF noisiest environment in the whole universe
‣ The moratorium on richo giving advice has expired by this point
‣ “We’ll build a faraday cage!”
Evolution
‣ Snowboard bindings box wrapped in tinfoil
‣ Works terrifyingly well
‣ Seriously wtf tho where’s the bluetooth

Evolution
‣ merijn very kindly lent us his skateboard
‣ We should probably pull it to pieces and look at it
‣ Unclear if we ever mentioned that we were going to do this or that we did
‣ (Hi Merijn btw we pulled apart your skateboard)

Evolution
‣ Pulled the remote apart
‣ Looked up the rf part
‣ er, this is not a bluetooth chip
‣ Neither of us has even heard of this thing
‣ nRF24LE

Evolution
‣ Talks PowerThirst™
‣ Er, ShockBurst™
Evolution
‣ WTF is this thing?
‣ Antennae?
‣ Way too big for 2.4GHz

Evolution
‣ No obvious path to glory
‣ No hackRF at my place
‣ Can’t fiddle with its radio today
‣ Let’s just dump traffic directly
‣ Hey didn’t I impulse buy a saleae a while ago?

Evolution
‣ Dumped everything
‣ Nothing terribly interesting looking
‣ ¯\_(ツ)_/¯

Evolution
‣ No dice on the remote
‣ Let’s fiddle with the board instead!
‣ (Hi Merijn)

Evolution
‣ Cramped AF
‣ Traced most of it out though
‣ Off the shelf parts
‣ Explained a bunch of hilarious bugs

Evolution
‣ ShockBurst is simplex
‣ Hence no data to the remote
‣ Not especially complex
‣ Does have a 9 member bitfield though to make our lives miserable
‣ Less tolerant to interference than BT

Demo Time!
‣ Inject packets into evolve
‣ ????
‣ Profit!

Evolution
‣ Sadly not much else to do here
‣ Outside of “Attacker has physical access” scenarios there’s not much to attack
E-go

Taming a wild ego
‣ Says bluetooth all over it
‣ Has a smartphone app
‣ Has to be bluetooth right?

Taming a wild ego
‣ Didn’t take a good photo :(
‣ Sadly it can’t actually drive an ubertooth (yet?)
‣ Sniffed a lot of bluetooth
‣ No packets again
‣ WTF?

Taming a wild ego
‣ WTF is this switch on the side?
‣ BT|WIFI
‣ … no
‣ … … NO

Taming a wild ego
‣ Yup this damn thing talks bluetooth *and* wifi
‣ Paired with a phone it’s bluetooth
‣ Paired with the remote it’s wifi

Demo: pwning ego
Boosted: Redux

Persistence
Remote code execution on a skateboard, you say?
‣ From pulling the board apart we knew it was a PIC24F
‣ Didn’t have much luck initially trying to find debug ports on the skateboard
‣ Later discovered that we missed them
‣ A few months later though, this happens:
‣ Has a firmware update facility
‣ This oughta be good
‣ Upgrade one of our boards
  ‣ Dump bluetooth traffic with jailbroken iThing
  ‣ Dump https traffic with burp
‣ Both sides of the conversation, hopefully we learn how to upload + format firmware
Persistence
RCE on a skateboard, you say?
‣ many hours later we’ve stitched a firmware blob together out of the dumps
‣ Strings are encoded as, eg:
  ‣ “F\x00U\x00E\x00L\x00” => “FUEL”
‣ Write a dumb python script to strip nulls, strings(1) to the rescue
‣ Learn about a bunch of new commands!
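The one-byte-NUL-after-each-character pattern above is UTF-16LE for ASCII text, which plain strings(1) skips unless told about wide characters (strings -e l). Below is an added example, not the authors' script, that extracts both narrow and wide strings from a blob and also shows what the "strip every NUL, then strings" shortcut does to the output. FIRMWARE_BLOB is constructed to resemble such a dump; the command_like filter is an assumption about the shape of this board's mnemonics (short upper-case words, optional trailing digit).

```python
"""
Recover strings from a firmware blob whose text is stored two bytes per
character (the "F\\x00U\\x00E\\x00L\\x00" => "FUEL" encoding seen above, which is
UTF-16LE for ASCII text). Added example, not the authors' script: FIRMWARE_BLOB
is constructed, and the functions mirror what strings(1) does with and without
`-e l`.
"""
import re

MIN_LEN = 4
PRINTABLE = rb"[\x20-\x7e]"             # printable ASCII, NUL excluded


def ascii_strings(blob: bytes, min_len: int = MIN_LEN):
    """What plain strings(1) reports: runs of printable 8-bit characters."""
    pat = PRINTABLE + b"{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, blob)]


def utf16le_strings(blob: bytes, min_len: int = MIN_LEN):
    """What `strings -e l` reports: runs of printable characters each followed by NUL."""
    pat = b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, blob)]


def strip_nulls_then_strings(blob: bytes, min_len: int = MIN_LEN):
    """The 'dumb script' approach: delete every NUL and run strings. It works, but
    unrelated wide and narrow strings that were NUL-separated get glued together."""
    return ascii_strings(blob.replace(b"\x00", b""), min_len)


def command_like(strings, min_len: int = 3, max_len: int = 6):
    """Filter for tokens shaped like the board's command mnemonics (assumed:
    upper-case letters with an optional trailing digit) so new commands stand
    out in a long dump."""
    pat = re.compile(r"^[A-Z]{%d,%d}\d?$" % (min_len, max_len))
    return [s for s in strings if pat.match(s)]


# Constructed blob: wide-char command names, one narrow string, and filler bytes.
FIRMWARE_BLOB = (
    b"\x00\x10\x02\x7f"
    + "FUEL".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad"
    + "GAUGE".encode("utf-16-le") + b"\x00\x00"
    + b"Boosted v1 bootldr\x00\xff"     # narrow string; \xff keeps its trailing
                                        # NUL from being read as part of the
                                        # following wide string
    + "NUMSKL".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    print("wide    :", utf16le_strings(FIRMWARE_BLOB))
    print("narrow  :", ascii_strings(FIRMWARE_BLOB))
    print("stripped:", strip_nulls_then_strings(FIRMWARE_BLOB))
    print("commands:", command_like(utf16le_strings(FIRMWARE_BLOB)))
```

The strip-all-NULs pass returns "GAUGEBoosted v1 bootldr" as one string, because deleting the separators merges a wide string with the narrow one that follows it; the wide-string matcher keeps them apart. In a real dump that gluing is what hides command names from a naive grep.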
… many many beers later
painstakingly reversed with love

Message     Direction        Meaning
RC0         Remote -> Board  Speed control
FUEL        Remote -> Board  Fetch current battery load
REXP        Remote -> Board  Set expert mode
RBGN        Remote -> Board  Set beginner mode
GAUGE[1-5]  Board -> Remote  Inform current battery load
PING        Remote -> Board  Fetch version information
GIT         Remote -> Board  Fetch git revision of firmware
STAT        Remote -> Board  Fetch detailed diagnostic info
NUMSKL      Remote -> Board  Still no idea. Replies “NUMSKL4”
ODO         Remote -> Board  Fetch current odometer reading
SOC         Remote -> Board  Still no idea
Persistence
RCE on a skateboard, you say?
‣ With this in hand, richo writes a repl for boosted boards
‣ Nico works out how to unbrick a skateboard when we inevitably screw this up
‣ https://github.com/richo/skateboard/blob/master/boosted_repl.py
Persistence
RCE on a skateboard, you say?
‣ Finally, it’s time to reverse the transfer protocol
‣ Winds up like intel .hex over bluetooth
  ‣ Length | Address | Flags | Data | Checksum
‣ Becomes:
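A parser and verifier for records of the shape just described (length, address, record type, data, checksum), written as an added example rather than the authors' or Boosted's code. The record format is standard Intel HEX; the records below are constructed, and the Bluetooth framing that wrapped them on the board is not modelled. The security-relevant point the parser makes visible is that the trailing byte is a sum check, not a signature: it catches a corrupted record but says nothing about who produced the image, so a bootloader that accepts any well-formed record set will flash whatever a connected party sends.

```python
"""
Parse and verify Intel HEX records (length | address | type | data | checksum).
Added example, not the authors' or Boosted's code; the records below are
constructed. The checksum is an integrity check only, not an authenticity check.
"""
from dataclasses import dataclass

DATA, EOF, EXT_LINEAR_ADDR = 0x00, 0x01, 0x04


@dataclass
class Record:
    length: int
    address: int
    rtype: int
    data: bytes
    checksum: int


def checksum(body: bytes) -> int:
    """Two's complement of the byte sum, so a whole record sums to 0 mod 256."""
    return (-sum(body)) & 0xFF


def parse_record(line: str) -> Record:
    """Decode ':LLAAAATT<data>CC' and reject length or checksum mismatches."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError("record too short")
    length, rtype = raw[0], raw[3]
    address = int.from_bytes(raw[1:3], "big")
    data, csum = raw[4:-1], raw[-1]
    if len(data) != length:
        raise ValueError(f"length field {length} != {len(data)} data bytes")
    want = checksum(raw[:-1])
    if want != csum:
        raise ValueError(f"checksum mismatch: got {csum:02x}, want {want:02x}")
    return Record(length, address, rtype, data, csum)


def build_record(address: int, rtype: int, data: bytes) -> str:
    """Encode one record, computing the checksum over everything before it."""
    body = bytes([len(data)]) + address.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([checksum(body)])).hex().upper()


def load_image(lines):
    """Assemble records into {absolute_address: byte}, honouring type 04
    extended linear address records and stopping at the EOF record."""
    image, base = {}, 0
    for line in lines:
        rec = parse_record(line)
        if rec.rtype == EXT_LINEAR_ADDR:
            base = int.from_bytes(rec.data, "big") << 16
        elif rec.rtype == DATA:
            for i, b in enumerate(rec.data):
                image[base + rec.address + i] = b
        elif rec.rtype == EOF:
            break
    return image


if __name__ == "__main__":
    # Constructed image: upper address 0x0001, two data bytes at 0x10010, EOF
    records = [
        build_record(0, EXT_LINEAR_ADDR, b"\x00\x01"),
        build_record(0x0010, DATA, b"\xaa\xbb"),
        build_record(0, EOF, b""),
    ]
    print("\n".join(records))
    print({hex(a): hex(b) for a, b in load_image(records).items()})
    # Flip one data byte without fixing the checksum: the parser rejects it
    corrupt = records[1][:-4] + "CC" + records[1][-2:]
    try:
        parse_record(corrupt)
    except ValueError as e:
        print("rejected:", e)
```

The parser accepts an image on checksum alone, which is the behaviour to look for when auditing an update path: the mitigation is a signature over the whole image verified by the bootloader before anything is written, with the checksum kept only for transport error detection.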
Persistence
RCE on a skateboard, you say?
‣ What do you even *do* with code execution on a skateboard?
‣ Could definitely make the board dangerous to its rider
‣ Seemed funnier to make it pretend to be Joshua from WARGAMES

In which we make a $2k paperweight
Demo Time!

These jerks are alright
Gr33tz and Th4nx
‣ nico, who showed up at the last second and helped us hax firmware, is an Arduino Uno expert
‣ merijn for lending us his evolve despite it obviously being a Bad Idea
‣ whatever chump bought the e-go at the auction
‣ Boosted
‣ Evolve
‣ Yuneec

Real Time Object Detection Using Open CVKhem
Ā 

Recently uploaded (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬  The future of MySQL is Postgres   šŸ˜šŸ¬  The future of MySQL is Postgres   šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Ā 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Ā 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Ā 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Ā 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Ā 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Ā 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Ā 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Ā 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Ā 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Ā 

DEF CON 23 - Richo Healey and Mike Ryan - hacking electric skateboard

  • 1. Hacking electric skateboards: vehicle research for mortals Richo Healey & Mike Ryan
  • 2. @mpeg4codec / Hacking Electric Skateboards / @rich0H Who are these jerks anyway ‣ richo ‣ Computer Jerk ‣ @rich0H ‣ Duck Enthusiast ‣ Ran WrongIslandCon ‣ mike ‣ Bluetooth Guy ‣ @mpeg4codec ‣ Owner/Operator of conscience (sometimes)
  • 3. Why buy an $nK skateboard? ‣ Lightweight ‣ (relatively) inexpensive ‣ .. maybe wanted on the hype train early
  • 4. Why buy an $nK skateboard? ‣ Lightweight ‣ (relatively) inexpensive ‣ .. maybe wanted on the hype train early ‣ Maybe to hax it
  • 5. Why hax a $1k skateboard? ‣ Because it’s there ‣ Vehicle research is cool ‣ But not all of us can afford to brick a car ‣ Figured we might be able to illustrate a point about the state of security research
  • 6. The boards ‣ Boosted
  • 7. The boards ‣ Evolve
  • 8. The boards ‣ Yuneec E-go
  • 9. Maybe you’ve spotted the design trend here
  • 10. Hope yer wearin’ yer lernin’ b00tz Agenda ‣ Boosted ‣ Bluetooth GATT ‣ Jammers ‣ PyBT ‣ Evolve ‣ … bluetooth? ‣ Weird RF protocols ‣ E-go ‣ … wifi?! ‣ Boosted (Redux) ‣ Fiiiiiirmware!
  • 11. Or whatever Right so like hacking ‣ Most of these boards use bluetooth ‣ I know nothing about bluetooth ‣ I know mike though ‣ mike knows bluetooth ‣ How hard can this possibly be?
  • 12. Boosted
  • 13. Boosted ‣ Bluetooth Remote ‣ Regenerative Braking ‣ Firmware Upgradable
  • 14. Storytime
  • 15. Co-opting a GATTling gun Bluetooth and You ‣ Bought some uberteeth ‣ Looked at some packets ‣ Now what?
  • 16. Bluetooth and You ‣ Modern bluetooth supports some crypto ‣ Using it would have made our lives annoying ‣ No crypto though ‣ Go team!
  • 17. A clever pun about gatt GATT ‣ Handle-wise communication ‣ Supports either request-response or datagram like ‣ Sits on BLE
  • 19. … many beers later, painstakingly reversed with love ‣ Simple duplex protocol ‣ Controller sends on handle 0x1a ‣ Reads on handle 0x1c ‣ Basically a bluetooth -> serial adaptor
  • 20. … many beers later, painstakingly reversed with love
    Message     Direction        Meaning
    RC0         Remote -> Board  Speed control
    FUEL        Remote -> Board  Fetch current battery load
    REXP        Remote -> Board  Set expert mode
    RBGN        Remote -> Board  Set beginner mode
    GAUGE[1-5]  Board -> Remote  Inform current battery load
  • 21. but how 2 talking? We know its language ‣ Bluetooth comms turn out to be sorta miserable ‣ Especially for general purpose applications ‣ x10000 for ad-hoc, general purpose applications
  • 22. The old school ‣ Ubertooth ‣ “minimal” ‣ BlueZ ‣ Full featured, but heavy ‣ Not super fond of doing obviously broken things ‣ (Like fuzzing embedded devices)
  • 23. Welcome to the new school PyBT ‣ Userland bluetooth stack implemented in Python ‣ Backs onto scapy for actually talking to the wire ‣ Uses HCI_CHANNEL_USER ‣ Prototyping++ ‣ https://github.com/mikeryan/PyBT
  • 24. Now what Neat we can spin the wheels ‣ Need to be connected to the board to exploit ‣ Only one thing can be connected at a time ‣ Thinking back to that intersection ‣ richo demonstrates again that he has no idea: ‣ “How hard can jamming bluetooth be?”
  • 25. Super hard, it turns out Jamming bluetooth: ‣ Naive approach: ‣ Yell really loud ‣ No one can hear anything ‣ ?????? ‣ Profit…..?
  • 26.
  • 27. Super hard, it turns out Jamming bluetooth:
  • 28. Super hard, it turns out Jamming bluetooth:
  • 29. Seriously like crazy hard Jamming Bluetooth ‣ It’s like they designed the protocol itself to stop us from doing this exact thing ‣ By this point richo is no longer allowed to make suggestions
  • 30. Seriously like crazy hard Jamming Bluetooth ‣ Bluetooth’s channel hopping stops us from jamming effectively ‣ Channel hopping is deterministic ‣ Need some state. Gotta capture: ‣ Access address ‣ Hop interval ‣ Hop increment
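Slide 30 says the hop sequence is deterministic once you know the hop interval and hop increment (the access address identifies the connection's packets but does not enter the arithmetic). The following is an added example, not code from the talk or from the Ubertooth tree it mentions: it implements BLE Channel Selection Algorithm #1 from the Core Specification (Vol. 6, Part B, section 4.5.8.2), including the remap step for channels masked out of the channel map, and predicts when and where the next connection events land. Parameter values in the test are made up.

```python
from typing import List, Tuple

NUM_DATA_CHANNELS = 37                    # BLE data channels 0..36 (37-39 are advertising)
ALL_CHANNELS = (1 << NUM_DATA_CHANNELS) - 1
CONN_INTERVAL_UNIT_US = 1250              # the hop interval is expressed in 1.25 ms units


def used_channels(channel_map: int) -> List[int]:
    """Expand the 37-bit channel map (bit i set => data channel i is in use)."""
    used = [ch for ch in range(NUM_DATA_CHANNELS) if (channel_map >> ch) & 1]
    if not used:
        raise ValueError("channel map must enable at least one data channel")
    return used


def next_channel(last_unmapped: int, hop_increment: int, channel_map: int) -> Tuple[int, int]:
    """One step of Channel Selection Algorithm #1.

    Returns (unmapped_channel, data_channel). The unmapped channel is the state
    carried into the next event; the data channel is where the radio actually goes.
    If the unmapped channel is masked out, it is remapped onto the list of used
    channels by taking unmapped mod len(used) as an index.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement is a 5-bit field restricted to 5..16")
    unmapped = (last_unmapped + hop_increment) % NUM_DATA_CHANNELS
    if (channel_map >> unmapped) & 1:
        return unmapped, unmapped
    used = used_channels(channel_map)
    return unmapped, used[unmapped % len(used)]


def predict_schedule(hop_increment: int, hop_interval: int, channel_map: int,
                     events: int, last_unmapped: int = 0) -> List[Tuple[int, int]]:
    """(time_us, data_channel) for the next `events` connection events.

    The spec initialises lastUnmappedChannel to 0 at connection setup; a follower
    that joined mid-connection passes the value it recovered instead.
    """
    schedule = []
    for i in range(events):
        last_unmapped, ch = next_channel(last_unmapped, hop_increment, channel_map)
        schedule.append((i * hop_interval * CONN_INTERVAL_UNIT_US, ch))
    return schedule


if __name__ == "__main__":
    # Made-up connection parameters: hop increment 5, interval 24 (30 ms), channel 10 unused.
    for t_us, ch in predict_schedule(5, 24, ALL_CHANNELS & ~(1 << 10), 6):
        print(f"t={t_us:>6} us  channel {ch}")
```

This is why a naive "yell on one frequency" jammer fails: a 30 ms interval and a 37-channel hop mean a single-channel jammer only collides with the target about one event in 37, while a follower that has recovered these three values knows exactly which channel to hit and when.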
  • 31. Seriously like crazy hard Jamming Bluetooth Upstreamed: https://github.com/greatscottgadgets/ubertooth
  • 32. Time to launch some jerks Demo Time! ‣ The plan: ‣ Setup a bunch of jammers ‣ Configure our repl to connect and autoreverse throttle ‣ Wait for hapless skateboarder ‣ Jam ‣ Connect ‣ Reverse ‣ ????? ‣ Launch some jerk
  • 33. Time to launch some jerks Demo Time! He’ll be like:
  • 34. Time to launch some jerks Demo Time! And we’ll be like:
  • 35. Time to launch some jerks Demo Time!
  • 36. Boosted Response: not-horrible/10 Followup ‣ Reported to Boosted before Kiwicon last year ‣ Shaky start ‣ Wound up working with us ‣ Implemented a fix! (kinda)
  • 37. Evolve
  • 38. Evolve ‣ Says bluetooth on the site ‣ Spoilers: This is not a True Fact™ ‣ Better range than boosted ‣ Janky looking remote ‣ Made of carbon though? ‣ So that’s neat I guess ‣ ¯\_(ツ)_/¯
  • 39. Evolution ‣ It says bluetooth right there on the tin ‣ We’re crazy cocky at this point ‣ “We oughta have this done by lunch”
  • 40. Evolution ‣ Pull out the harness we used on Boosted
  • 41. Evolution ‣ No packets this time :( ‣ richo is a goddamn hipster and lives in SF ‣ goddamn hipsters in SF love wifi/bt ‣ richo’s apartment might be the RF noisiest environment in the whole universe ‣ The moratorium on richo giving advice has expired by this point ‣ “We’ll build a faraday cage!”
  • 42. Evolution
  • 43. Evolution ‣ Snowboard bindings box wrapped in tinfoil ‣ Works terrifyingly well ‣ Seriously wtf tho where’s the bluetooth
  • 44. Evolution ‣ merijn very kindly lent us his skateboard ‣ We should probably pull it to pieces and look at it ‣ Unclear if we ever mentioned that we were going to do this or that we did ‣ (Hi Merijn btw we pulled apart your skateboard)
  • 45. Evolution ‣ Pulled the remote apart ‣ Looked up the rf part ‣ er, this is not a bluetooth chip ‣ Neither of us have even heard of this thing ‣ nRF24LE
  • 46. Evolution ‣ Talks PowerThirst™
  • 47.
  • 48.
  • 49. Evolution ‣ Er, ShockBurst™
  • 50. Evolution ‣ WTF is this thing? ‣ Antennae? ‣ Way too big for 2.4GHz
  • 51. Evolution ‣ No obvious path to glory ‣ No hackRF at my place ‣ Can’t fiddle with its radio today ‣ Let’s just dump traffic directly ‣ Hey didn’t I impulse buy a saleae a while ago?
  • 52. Evolution
  • 53. Evolution ‣ Dumped everything ‣ Nothing terribly interesting looking ‣ ¯\_(ツ)_/¯
  • 54. Evolution ‣ No dice on the remote ‣ Let’s fiddle with the board instead! ‣ (Hi Merijn)
  • 55. Evolution ‣ Cramped AF ‣ Traced most of it out though ‣ Off the shelf parts ‣ Explained a bunch of hilarious bugs
  • 56. Evolution ‣ ShockBurst is simplex ‣ Hence no data to the remote ‣ Not especially complex ‣ Does have a 9 member bitfield though to make our lives miserable ‣ Less tolerant to interference than BT
  • 57. @mpeg4codec / Hacking Electric Skateboards / @rich0H Demo Time! ā€£ Inject packets into evolve ā€£ ???? ā€£ Proļ¬t!
  • 58. @mpeg4codec / Hacking Electric Skateboards / @rich0H Evolution ā€£ Sadly not much else to do here ā€£ Outside of ā€œAttacker has physical accessā€ scenarios thereā€™s not much to attack
  • 59. @mpeg4codec / Hacking Electric Skateboards / @rich0H E-go
  • 60. @mpeg4codec / Hacking Electric Skateboards / @rich0H Taming a wild ego ā€£ Says bluetooth all over it ā€£ Has a smartphone app ā€£ Has to be bluetooth right?
  • 61. @mpeg4codec / Hacking Electric Skateboards / @rich0H Taming a wild ego ā€£ Didnā€™t take a good photo :( ā€£ Sadly it canā€™t actually drive an ubertooth (yet?) ā€£ Sniffed a lot of bluetooth ā€£ No packets again ā€£ WTF?
  • 62. @mpeg4codec / Hacking Electric Skateboards / @rich0H Taming a wild ego ā€£ WTF is this switch on the side? ā€£ BT|WIFI ā€£ ā€¦ no ā€£ ā€¦ ā€¦ NO
  • 63. @mpeg4codec / Hacking Electric Skateboards / @rich0H Taming a wild ego ā€£ Yup this damn thing talks bluetooth *and* wiļ¬ ā€£ Paired with a phone itā€™s bluetooth ā€£ Paired with the remote itā€™s wiļ¬
  • 64. @mpeg4codec / Hacking Electric Skateboards / @rich0H Demo: pwning ego
  • 65. @mpeg4codec / Hacking Electric Skateboards / @rich0H Boosted: Redux
  • 66. Persistence Remote code execution on a skateboard, you say? ā€£ From pulling the board apart we knew it was a pic24f ā€£ Didnā€™t have much luck initially trying to ļ¬nd debug ports on the skateboard ā€£ Later discovered that we missed them ā€£ A few months later though, this happens:
  • 67. Persistence Remote code execution on a skateboard, you say?
  • 68. Persistence Remote code execution on a skateboard, you say?
  • 69. Persistence Remote code execution on a skateboard, you say?
  • 70. Persistence Remote code execution on a skateboard, you say? ā€£ Has a ļ¬rmware update facility ā€£ This oughta be good ā€£ Upgrade one of our boards ā€£ Dump bluetooth trafļ¬c with jailbroken iThing ā€£ Dump https trafļ¬c with burp ā€£ Both sides of the conversation, hopefully we learn how to upload + format ļ¬rmware
  • 71. Persistence RCE on a skateboard, you say? ā€£ many hours later weā€™ve stitched a ļ¬rmware blob together out of the dumps ā€£ Strings are encoded as, eg: ā€£ ā€œFx00Ux00Ex00Lx00ā€ => ā€œFUELā€ ā€£ Write a dumb python script to strip nulls, strings(1) to the rescue ā€£ Learn about a bunch of new commands!
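Slide 71's trick is to delete every NUL so that UTF-16LE text like F\x00U\x00E\x00L\x00 becomes FUEL and strings(1) can find it. The script below is an added example, not the talk's script: it does the same NUL-stripping pass, then shows the more careful version that matches 16-bit code units directly, which keeps adjacent strings separate and does not turn a table of small little-endian integers into a fake word. The firmware blob it runs on is constructed for the example; only the command names come from the slides.

```python
import re
from typing import List

# Constructed sample blob (NOT the Boosted firmware): UTF-16LE command names,
# a table of 32-bit little-endian integers, and some binary filler.
SAMPLE_BLOB = (
    b"\x00\x00\x10\x00"                                      # something vector-table-ish
    + "FUEL".encode("utf-16-le") + b"\x00\x00"               # NUL-terminated UTF-16LE
    + "GIT".encode("utf-16-le") + b"\x00\x00"
    + b"A\x00\x00\x00B\x00\x00\x00C\x00\x00\x00D\x00\x00\x00"  # ints 0x41, 0x42, 0x43, 0x44
    + "GAUGE".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
)


def strip_nulls(blob: bytes) -> bytes:
    """The talk's quick hack: delete every NUL so F\\x00U\\x00E\\x00L\\x00 reads as FUEL."""
    return blob.replace(b"\x00", b"")


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Match whole little-endian 16-bit code units instead of deleting NULs.

    String boundaries survive (a NUL terminator ends the run) and unrelated
    zero bytes, such as padding in an integer table, cannot glue things together.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def extract_commands(blob: bytes) -> List[str]:
    """Candidate command tokens: short all-caps alphanumerics such as FUEL or REXP."""
    return [s for s in utf16le_strings(blob, min_len=3)
            if re.fullmatch(r"[A-Z][A-Z0-9]{2,7}", s)]


if __name__ == "__main__":
    print("naive :", ascii_strings(strip_nulls(SAMPLE_BLOB), min_len=3))
    print("utf16 :", utf16le_strings(SAMPLE_BLOB, min_len=3))
    print("cmds  :", extract_commands(SAMPLE_BLOB))
```

On the constructed blob the NUL-stripping pass returns one merged run, FUELGITABCDGAUGE, because the terminators and the integer table's padding are gone; the code-unit matcher returns FUEL, GIT and GAUGE as three separate strings. The quick hack is fine for a first look, but when you are trying to enumerate a command table it is worth the extra regex.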
  • 72. ā€¦ many many beers later Message Direction Meaning RC0 Remote -> Board Speed control FUEL Remote -> Board Fetch current battery load REXP Remote -> Board Set expert mode RBGN Remote -> Board Set beginner mode GAUGE[1-5] Board -> Remote Inform current battery load PING Remote -> Board Fetch version information GIT Remote -> Board Fetch git revision of ļ¬rmware STAT Remote -> Board Fetch detailed diagnostic info NUMSKL Remote -> Board Still no idea. Replies ā€œNUMSKL4ā€ ODO Remote -> Board Fetch current odometer reading SOC Remote -> Board Still no idea painstakingly reversed with love
  • 73. Persistence RCE on a skateboard, you say? ā€£ With this in hand, richo writes a repl for boosted boards ā€£ Nico works out how to unbrick a skateboard when we inevitably screw this up ā€£ https://github.com/richo/skateboard/blob/master/ boosted_repl.py
  • 74. Persistence RCE on a skateboard, you say? ā€£ Finally, itā€™s time to reverse the transfer protocol ā€£ Winds up like intel .hex over bluetooth Length Address Flags Data Checksum
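Slide 74 says the firmware transfer "winds up like intel .hex over bluetooth", with Length, Address, Flags, Data and Checksum fields. The page does not document the Boosted framing itself, so the block below is an added example implementing the standard Intel HEX record format the slide compares it to: it parses and re-encodes records, verifies the checksum (the two's complement of the low byte of the sum of every preceding byte), resolves the type 04 extended-linear-address window, and rejects a record whose data has been altered. The sample records are the well-known Intel HEX example record plus an EOF and an address window, not Boosted firmware.

```python
from dataclasses import dataclass
from typing import List, Tuple

REC_DATA = 0x00
REC_EOF = 0x01
REC_EXT_LINEAR_ADDR = 0x04


@dataclass
class HexRecord:
    length: int      # byte count of `data`
    address: int     # 16-bit offset within the current 64 KiB window
    rectype: int     # the "Flags" column on the slide: data, EOF, address window, ...
    data: bytes
    checksum: int


def intel_hex_checksum(length: int, address: int, rectype: int, data: bytes) -> int:
    """Two's complement of the LSB of the sum of every byte before the checksum."""
    total = length + (address >> 8) + (address & 0xFF) + rectype + sum(data)
    return (-total) & 0xFF


def parse_record(line: str) -> HexRecord:
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError("record shorter than header + checksum")
    length, address, rectype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    if len(raw) != 5 + length:
        raise ValueError("length field disagrees with record size")
    data, stored = raw[4:4 + length], raw[4 + length]
    if intel_hex_checksum(length, address, rectype, data) != stored:
        raise ValueError("checksum mismatch")
    return HexRecord(length, address, rectype, data, stored)


def encode_record(address: int, rectype: int, data: bytes) -> str:
    if len(data) > 255 or not 0 <= address <= 0xFFFF:
        raise ValueError("data too long or address out of range")
    body = bytes([len(data)]) + address.to_bytes(2, "big") + bytes([rectype]) + data
    body += bytes([intel_hex_checksum(len(data), address, rectype, data)])
    return ":" + body.hex().upper()


def assemble_image(lines: List[str]) -> List[Tuple[int, bytes]]:
    """Resolve type-04 windows into (absolute_address, data) chunks; stop at EOF."""
    base, chunks = 0, []
    for line in lines:
        rec = parse_record(line)
        if rec.rectype == REC_EXT_LINEAR_ADDR:
            base = int.from_bytes(rec.data, "big") << 16
        elif rec.rectype == REC_DATA:
            chunks.append((base + rec.address, rec.data))
        elif rec.rectype == REC_EOF:
            break
        else:
            raise ValueError(f"unsupported record type 0x{rec.rectype:02x}")
    return chunks


# Constructed sample image: the classic Intel HEX example data record placed in
# the 0x0800xxxx window, then the EOF record.
SAMPLE_IMAGE = [
    ":020000040800F2",
    ":10010000214601360121470136007EFE09D2190140",
    ":00000001FF",
]

if __name__ == "__main__":
    for addr, data in assemble_image(SAMPLE_IMAGE):
        print(f"0x{addr:08X}: {data.hex()}")
```

The checksum only catches transmission errors: anyone who can write records can recompute it, which is the whole point of the "RCE on a skateboard" section. A loader that wants to refuse third-party images needs a signature over the assembled image, not a per-record checksum.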
  • 75. Persistence RCE on a skateboard, you say? ‣ Becomes:
  • 76. Persistence RCE on a skateboard, you say? ‣ What do you even *do* with code execution on a skateboard? ‣ Could definitely make the board dangerous to its rider ‣ Seemed funnier to make it pretend to be Joshua from WARGAMES
  • 77. In which we make a $2k paperweight Demo Time!
  • 78. These jerks are alright Gr33tz and Th4nx ‣ nico, who showed up at the last second and helped us hax firmware, is an Arduino Uno expert ‣ merijn for lending us his evolve despite it obviously being a Bad Idea ‣ whatever chump bought the e-go at the auction ‣ Boosted ‣ Evolve ‣ Yuneec