Milliways

Horror Stories from the Automotive Industry

In this talk, we will revisit some of the scariest stories we faced during more than 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered. We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security, but also for the sake of safety and reliability. This talk will try to raise awareness on the current state of automotive security, how does the industry behave in the whole spectrum of it (100-year-old OEMs to 2-year-old OEMs and Tier 1 suppliers) and ultimately try to propose a way forward for both the automotive and security industries, with the goal being a safer and more reliable future for everyone, in and out of the streets.
Working with some of the biggest OEMs and Tier 1 suppliers on pre-production vehicles gave us an understanding and experience of the whole spectrum of developing a vehicle, from architectural design to homologation and sales. This led us in many realizations and pitfals that the automotive industry falls into, and in order to avoid another Miller/Valasek we have to educate the people of the industry. While most of the people/companies in this industry try to keep the gates closed for apparent reasons, we try to share as much as possible, with the hope of making a change to the industry that will have an impact on how and where it progresses in the future.

Additional information

Live Stream https://streaming.media.ccc.de/camp2023/milliways
Type Talk
Language English

More sessions

8/15/23
Milliways
Hardware Hacking Village
In this 2h workshop, I will teach you to work with the tiny components that modern electronic devices are made of. We will assemble an electronic kitten, that purrs when touched correctly, and hisses when touched wrong. It will work, and is guaranteed to remove your fear of hand-assembling surface mount designs.
8/15/23
Milliways
Milliways
The session proposes a quick overview of Frida, a dynamic instrumentation framework, and how it can be used to enhance our work during the runtime analysis of a mobile application. It will be a walkthrough on how hooking and rewriting functions in runtime may be helpful against anti-reverse engineering measures and SSL pinning mechanisms.
8/15/23
Milliways
Milliways
Hardware FIDO U2F tokens are security devices which are meant to defend user second factor keys from physical and remote attacks. In this presentation different security features and implemented by FIDO U2F tokens and how they are meant to protect a user from various attack scenarios. We will focus on the open source implementation of FIDO U2F token developed and Common Criteria certified by Federal Office for Information Security (BSI). Having access not only to the source code of the token ...
8/15/23
Milliways
Milliways Workshop Dome
Come learn how to hack networks without needing to piss off your housemates, local coffee shop, or the Feds! Bring your laptop and by the end of this workshop, everyone can walk away having intercepted some packets and popped some reverse shells.
8/15/23
Milliways
Milliways
MITRE ATT&CK (Attack Framework among friends) is intimidating sight at first, but is a great tool for risk identification, threat analysis, red teaming, DFIR and security management. Brief introduction to the topic with various examples.
8/15/23
Milliways
Hardware Hacking Village
Solder your own pathlighter badge to illuminate your surroundings at night.
8/15/23
Milliways
Milliways
This talk will show you how many interfaces have to communicate in order to fly experiments on a sounding rocket. We will give you insights into the procedures and the complexity of a research campaign and the actual flight of the rocket itself. In particular, we look at the hardware and software used in the Ground Support Equipment (GSE) and the Service Module (SM) within the rocket.