Seeing hackers struggle with sound gives me a certain level of satisfaction. Not gonna lie

I love that the origin story for this work is “honey, I got a gift for you!”

When will companies learn that "Security through Obscurity" is a broken concept that's been overcome by the widespread of technology availability?

its defcon27 but still no mic to hear questions from audience

It is 2019... HOW ON EARTH IS SQL INJECTION STILL A THING??!!

So my brand new 2019 Kia came with a cell phone remote start built in. The app requires you don't have a rooted phone (easily bypassed). I've always wondered how easy it would be for someone more skilled than myself to snoop on the messages being sent / received and bypass the "security". I DID notice my app had a "mandatory security update" a few weeks ago... perhaps it was to close some of these holes?

m2m suite seems like the kind of service that caters to car monitoring companies, where a track of where the car is and has been might be wanted and requested by the customers. They should however have changed a part of their service or changed the retention time for the GPS logs so that they expired after 1 day or x hours rather than keeping a full comprehensive log.

Biggest applause came when they got the sound to work

Did not expect to see SQL injection in 2019. Especially in this context.

it would have been REAAALLLLLY hard not to start all the cars.

When you can hack a computer to do anything you want and you can't unmute it.

6 months later: GF: “Honey, can I have my car back, please?”

Ladies. Get you a man with this level of dedication

What a great presentation @ 11:34 should be very comforting for every non-tech "Oh My God" love it :)

Red shirt guy has done well for himself since Blizzcon

15:40 for when they get the sound to work

why is it every time I watch a video from one of these elite computer hacker conferences, they never have their computer stuff working right XD

Why is it that companies that boast on social media about their security always have the worst security practices?

lol, why doesn't Defcon ever have an AV tech, to make things run a bit smoother?

Interesting that in the US people like to start their cars by remote. In most countries in europe, having your engine running while not in the car just to warm up the car, defrost the windows ect. is illegal, or at least costs you a fine. If you want to have a warm car you install auxilliary heating (or buy the car already outfitted with that) Those systems have remote controls or a sim card slot so you can call it or send a text message to start it. Also this uses way less fuel than the engine ideling, and it heats the engine too, so less cold starts. This means longer engine life. Then again, if your car isn't heating well when started it is either a very old Diesel car, or something is broken and should be fixed. (proper modern Diesel cars for example have additional heating which makes warm air come out of the vets in 1 minute or less after start. And with modern i mean the last 10 years.)

I love your opinion about puzzles.

Sounds like his wife's car needed a new thermostat, not a remote starter... unless he lives 5 minutes or less from the airport I guess

anddddd im not going to install that now.

Young Christopher Hitchens at the start there.

What I didn't understand from this is how all of these attack vectors would be useful to someone standing outside my car or someone who is otherwise trying to compromise me/my car. How would they get the DeviceID of my car's device if they were to use the admin account? Break in, pull the device, and then just use it as a bypass to not having an ignition key but not to bypass having to get through the locked door? (basically to gain the ability they didn't previously have to start the broken-in car without a key) Would one be able to get someone's DeviceID by knowing their email address used for login? So a "friend" who knows your email address could bluff their way in through the API, get your car's DeviceID, unlock it, and start it, perhaps from an open access apartment parking lot?

Is this your car?... It's my car now.

Classic SNL skit at work here. User "Still no sound"..."yeah its plugged in"....IT Guy: "Oh My God MOVE!!"...still didn't work. LOL.

Well, that's not good. Though it is great they (eventually) closed the SQLI problems.

I would have went straight to the dealership or the remote start company parking lot (assuming most employees prolly got a good deal on one) and set everything off. I have a big hairy hard-on for privacy, and this is a direct example of how your data is being used (and probably sold!) I bought a 2015 Ford Flex and have found so many issues with the onboard computer its ridiculous, even when in warrantee it doesn't cover software updates, they want to charge you $160. Well, if your software is hanging when i exit the vehicle and is leaving power on to certain systems it kills the battery over a period of time that isn't evident (ie. interior lights go off,etc. but the bluetooth box and other power distribution is hot to the touch the next morning when it should be cold). Every year when a new update is released and I don't buy it, inherently stuff starts failing. Maybe I'm paranoid, but they have way to much control over my car. The auto industry is going to hell. There were 3 recalls on my car, everytime i try to set an appt they are mysteriously "out of parts" - but they mfg. new ones everyday. They are crooked AF. They know how far I've traveled and send me snail mail exactly at the recommended oil change mileage regardless of how much time has passed. I have other vehicles. It may be paranoid, but my data and where i go is my business. #ANDREWYANG take your data back!

"Some times things get complicated..cated..cated". Haha.

sound over HDMI or whatever connection is going into the computer maybe?

I have been sanitizing the inputs since 2009 they still have SQL Injection and now it is 2019

This guy sounds really Canadian he fuzzed over the complete explanation for Renauds syndrome people needing remote car starters in the north. It's so cold for months in a row that you need to (much debate rages here actually) run your engine stationary to warm up your engine before applying load to it also heats up the interior of your car from -15 C or -25 C to like -3 C in 10 minutes idle time more confortable for the human. We would spend 2 minutes putting on outdoor jackets go out start car 10 minutes etc before plan to leave, run back inside only mildly cold take off outdoor stuff, then you're set to leave soon. Now we all use remote starters in the warm and convenience of our living rooms in the time it takes to find it in your bag. This detail of it being so uncomfortably cold inside a canadian car in winter before it has had time to warm up just needed to be mentioned i felt.

Just install the remote start somewhere it can only be accessed with a key

That particular video player has to be restarted if it is loosing the sound .

Guy in the very beginning looks like a dork but sounds like Barry White. That's awesome lol

Now it's time to look at how many and which cars, without aftermarket accessories, can be remotely disabled or controlled in some way. I'd really like to know if it is possible to kill the ignition in a car or control the steering or gas and I suspect the electric or hybrids will be much more susceptible to this than normal cars. I still think it's a good idea to put a mechanical kill switch in a car, like for the fuel pump, so you can switch this if you are worried about theft and the theif would have to figure out where you hid it. I guess you could also use an electric switch and maybe pair it with an RF or cellular receiver and toggle it remotely and this could be paired with a remote start system as well.

Loved the fact that a team of hackers couldn’t get the sound to work 😂

I had a dream that a bunch of middle school girls (I dunno why it was all little girls) took remote control over a fleet of Tesla trucks and drove'em all onto a launch site while playing Rick Astley's "Never Gonna Give You Up"...and they were dead serious about whatever they were trying to achieve by doing that. I know they were dead serious because that's how my mind presented it to me. ...that's it...Nothing profound, nothing clever, nothing insightful or witty...just utter nonsense that I'd LOVE to see animated for some reason.

Trick to get ur remote started from further away hold the remote to the bottom of ur chin and ull get an extra 25-50% extra distance

We can hack a car, hell we can hack anything but can't get sound to work :)

How is it that all these devices have worse security than something I'd make in my basement with a raspberry pi?? They do fucking 2 way communication so how hard is it to just do diffie-hellman key exchange and some existing crypto library?

11:44 .... Someone had their Android phone on.

"Yellow/Green (~) IMO" = "Yellow/Green or thereabouts in my opinion"

I thought this was for hackers???

The funniest part is that form the whole 41 minutes of the video, KZfaq automatically picked the one where the hacker gets the assisance with the sound problem LMAO

There's a fairly simple, and almost inevitable, solution to this sort of thing. As we already have with other areas of engineering, software engineering at least in critical potentially-life-ending-or-saving scenarios, will need to have a real form of credentialing and legislated requirements for companies to hire credentialed engineers, give them the tools and time required to do their job competently and safely, and most importantly, LISTEN to them. Currently, it is literally impossible for a company to face criminal negligence charges if their product involves a computer in some way. No matter how actually negligent their behavior might be, the courts have found (see the Toyota 'unintended acceleration' scandal from a few years ago) that there simply aren't any legal standards that a company can be said to have violated. Right now, even if the companies engineers all say "this product is UNSAFE, and it will KILL people if you release it" but an executive with an MBA and no engineering knowledge whatsoever says 'screw it, we're going to market', that's fine. If they did it in an industry like construction, they would go to prison for criminal negligence. If they do it when there's a computer involved, they flat out can not be punished at all.

The more I hear about car hacking like this, the more I want to get a truck with an old all-mechanical Cummings diesel engine and say fuck it to all these electrons. Or maybe I'll get a used car where everything is lovely wired communications that can only be hacked from inside the car. That could work too. Maybe I'll get both. A normal car for normal days, truck for when things need to get moved. Or when an EMP happens.

The carbon monoxide warning seems outdated considering how long catalytic converters have been around...

Why start the car when all you want is a pre-heater?

These problems have been know about by mechanics and inatallers for years some systems are alot better some are worse the one he choose is middle of the road. When i checked last fsctory mercedes benz remote are the most secure Viper makes a few differnt systems that are quite good for home install units they use rolling code and has sorftware thst wont allow use to use the key thats bypassing the aystem for more then 15 min and if installed correctly it will lock u out there is ways around but it takes enough time that somebody should notice them fucking with ur car By the way as far as nonody starting a car using SEQUENTIAL injection by wirignthe icm to 12v and shorting the starter off the frame with prybar

I was more interested in if they got the sound working than what ever he was talking about.

Am I on LSD or, ......go to 31:00 and pause the video. Look at the screen, take 2 steps back away from the screen and tell me what YOU see. I am looking at a very romantic screne of a boar lying on a bear skin rug-covered floor in front of a roaring fire and an old TV showing static so this image must be from the 80's, i think.

Wow, that was embarrassing but also ironic it's called DEFCON. Or, should that be DEAF CON? How many Hakers does in take to get sound? 27 👊😎👍

“Um” counter: 497

But can you Download a car?

Christopher Hitchens had an affair with Rebel Wilson's mom and their son is in this video

11:44

36:10 'None of this is the most offensive of all' Wait, it gets worse, How? Oh... wow.. Son of a bitch...

maybe because im a sound guy, but once they started to have sound issues I couldnt watch any further

At first I thought he was gonna get his gf some woolen gloves or something

My car is hackproof and EMP proof. Its carburated. Lol. Never said anyone with a pocket knife or a screwdriver couldn't steal it. If you can get that bitch to fire over before I do, go for it. Ha.

"My girlfriend" - loses the defcon audience a minute or so into his, um talk.

Dude do not invest that kind of work or cash until you put a ring on that finger.

This then loops around to bounty hunters using the GPS data

Probably the youtube video that started the mandate for security gateways in vehicles in USA even though it is not even relevant . RIP aftermarket.

Hello - i think it is generally illegal or unethical for the environment for sure - when you start your car and leave it on for over a minute without riding - maybe where you live its not in statute though :)

Elon musk put on some weight

LOL! Breaking cars using SQL injection... FFS wow...

I love tech, but... wouldn't s pair of frickin gloves have made more sense? Frankly, screw remote *anything* in a car. At least, until IPS becomes std for the CAN bus. Might be the one place an IPS is actually useful.

Can probably also create a condition that would STOP a running car as well, in traffic, even more dangerous...

What a nob ...he did ALLthat so his GF didnt have cold hands ??? Just buy her a PAIR of GLOVES !!!

Unplug the can from any vw,BMW, merc and the car will not start. IMO is in the can so...

Auto start is a dumb feature, but then again I’m perfectly happy sitting in my coat waiting for the car to warm up.

Can hack a car... Can't make sound play on a video.

Fuck me, talk about solving first world problems.

Don't put reaction gifs in your talk dude please

11:00 Conference about security and technology, can’t get a PowerPoint to output Audio. 🤦🏻‍♂️

Can someone please tell him it's NOT CALLED "SEQUEL INJECTION". This seriously triggers me

It's kind of noisy for an electric car.

Teach your girl to do push ups.

Um, is there any, um, reason, um, he can't, um, speak, um, without pausing with an "ummmm" ? Does he think someone else is going to jump in and speak instead?

Is DEFCON just one huge marketing advertisement plot for the very companies they claim to "hack"?

He didn’t hack a car, he hacked HIS car. There is no Nicholas Cage moment here for me. 40 mins I’ll never get back.

Looks a bit illegal

cool project, don't see any real security implications though. it's not exactly news that if you have access to the can bus and the car's internal wiring, you can bypass its authentication. it's cool though! just, shouldn't this be at like, a maker con and not a hacking convention? or at least not titled "my car is your car" when this doesn't lead to any practical attacks?

The older you get, the more you get into thinking: 'Yeah, thanks for that hack, but why couldn't you just keep it to yourself'? What I'm aiming for is that all the nitty-witty-hackers will at some point start a 'normal' living at some point, and by that change focus on what's wrong with e.g. that particular remote they just bought. Its because their focus changed completely once their first born arrived. And then they realise: 'Hmm, well, the 80s weren't so bad', let's try that lifestyle out again: Offline?

dude i cant watch you are so boring im sleeping