It looks like you're having connection troubles. Reconnect now.
01/25/2026 17:20:43
37c3-talk-11935 Latest text of pad 37c3-talk-11935 Saved Jan 25, 2026 |
Hallo Du!
Bevor du loslegst den Talk zu transkribieren, sieh dir bitte noch einmal unseren Style Guide an: https://wiki.c3subtitles.de/de:styleguide. Solltest du Fragen haben, dann kannst du uns gerne direkt fragen oder unter https://webirc.hackint.org/#irc://hackint.org/#subtitles oder https://rocket.events.ccc.de/channel/subtitles oder https://chat.rc3.world/channel/subtitles erreichen.
Bitte vergiss nicht deinen Fortschritt im Fortschrittsbalken auf der Seite des Talks einzutragen.
Vielen Dank für dein Engagement!
Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles or https://chat.rc3.world/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!
======================================================================
*Music*
Herald: All right. Unlocking the road ahead. Automative digital forensic. While times have long passed that a car or any vehicle is just something that has mechanical Parts in it and does its job. Nowadays there is a lot of microchips in those vehicles and Kevin Gomez from the Technical University of Englistadt he's a postdock over there is going to present us what's going on there. He's going to give us a deep dive into this field. Kevin...
*Ovations*
Kevin Gomez: Yeah thank you very much for having me today. So as we already talked about or heard about today we are going to talk about vehicles and specifically Automotive digital forensics, so how we are going to investigate in the case of an accident for example modern vehicles. So if we think about modern vehicles we think about cars that are connected to something. So cars that communicate with other cars. Cars that are connected to the traffic light infrastructure to our smartphones and many more. Modern cars also have like um self-driving features so they keep you in the lane adaptive cruise control or like the autopilot from Tesla and other um vehicles that allow you to just sit there look around and hope that the car does not crash. *some Laughs* We also have a lot of different features and services. You can connect your smartphone you fully integrate your smartphone into modern vehicles, you can connect your smart home to the modern to the vehicle infrastructure and the the car then is part of the Internet of Things environment, so it's part of the iot environment. So you can look it up in different search engines you can find out stuff what what ports for example and services are open um within the car and so on. But when we think think about it realistically what cars are even evolved in state-of-the-art investigations and that's not modern cars because the average age of a vehicle on the road is not 3 weeks for the fully functional or fully fancy. Modern cars the age for example or the average age for vehicles in the US is around 12 years, in Germany
around 10
years and in China around 5 years. This means that we cannot rely on the fancy stuff and the increased processing capabilities this modern vehicles have. Right now in modern vehicles we have to deal with something like this, so this is a Volkswagen Golf from 2013 so it's approximately 10 years old. We have a pretty classical infotainment system. This is what you can see on the top right picture. There's no real smartphone integration here you usually have a hard drive within the infotainment system where navigation maps are stored and sometimes other information but we do not have like dedicated storage mechanisms in such Vehicles. We also have limited Advanced driving features, so you might have adaptive cruise control or Lane assistance but nothing really more. The such vehicles from around this age also work with distributed architectures in the car, this means that you have a lot of different small computers and in a car par computer is called ECU that communicate with other and each small computer so each ECU has its own functionality so you don't have like very big processing capability units like the Tesla for example has as a dedicated centralized architecture. All functions all services are distributed within a modern car or not a modern car within an older car.
<--------transkribiert bis hier ---->
so when we then think about what new vehicles um are currently introducing we think about more fancy stuff as I indicated at the beginning so smart home integration so your vehicle is connected to your home so you drive into the pathway of your of your home and the garage doors for example opening automatically or the heat already turns up when you are 20 km um ahead um of arriving at home you have keyless go so you don't need to physically unlock and lock the car you just get into the car with a classical key or sometimes even with the smartphone you have smartphone integration so you fully integrate your smartphone and everything you have with a smartphone into the car so you can see who i
s calling you you can speak with the car and indirectly speak with the with your smartphone you can use your music on your smartphone to play it within the car and you have a a lot of advanced driving assistance systems which we also will look into in this presentation so what does this mean with um all the vehicles that are investigating and vehicles that are part of uh or modern vehicles um for automotive digital forensic investigations and what is even an automotive digital forensic investigation so Automotive digital forensic investigations or Automotive digital forensics is a subdiscipline of classical computed forensics or forensics Computing so here we mainly focus on investigating um vehicle in vehicle components and components or entities from the vehicle ecosystem so they are connected to the car but can be considered as external units examples for this is traffic light systems smartphones or the iot as we've seen before we currently separate two different use cases when we look at cars accident reconstruction and crime related um investigations when we look at exent reconstruction we focusing on proving a fault so A Fault by the driver or F by the manufacturer and um another um option here is showing guilt again of the driver or of the car in this case it's usually um the manufacturer but they are very good at telling people that it's not their fault it's the fault of the car and of somewhere else when it comes to Crime related investigations we look at either um the case that the vehicle is attacked directly so examples are cyber security related um investigations or vehicle is used as an asset in a criminal um action so for example in a robbery all right but before we continue we should take a step back so why is Automotive dig forensics even something special why we should consider it well we have multiple users for vehicles compared to classical it systems so we have the driver we have the owner we have the registered user we have the insurance contac
t we have the passengers we have many more people each of those individuals leave traces with the car or the ecosystem so for example within the infotainment system within the Comfort System if the Comfort System for example automatically um detects that another key is coming um and then the seat is positioned in the correct um yeah seat position and we have all our own driving or personal driving behavior that is already connected collected by some of the insurance companies vles are mely networked so they are connected to backend Services cellular um infrastructure and the traffic light systems the components um are further interconnected within the vehicle itself so the result is that we have evidence at a v a big Varity of different um locations so locations within the car but also locations that are um external um because in a classical investigation you cannot go to Every traffic light system the vehicle passed through and try to collect this data afterwards here we vehicles are cyber physical systems this means that they are inter they interact with the environment and through this they have safety implications so that's pretty known I guess because there's a lot of safety focus on vehicles right now um because we have to protect or the vehicles have to to ensure that the passenger and the environment environment gets does not get harmed we have a lot of dependencies between components so multiple ecus require data and functionality from other components um in development you usually use a hill hardw a loop setup um to plug in um your device you want to test into a semi simulated environment um and here you have the capability to not need a car in order a fully functional car that is driving to test your features um Hills or hardwind Loop setups are also used by forensic investigators to collect data from such components we've also functional data as I indicated before this is mainly the fact due to a lot of regulations and standards in the safety realm um th
at we focus on collecting this data or storing this data in a modern vehicle so such as the um driver safety belt or the temperature of the of the engine itself we have a lot of safety implications which are the result of the uh functional data obviously so real or life investigations like we would do this in our classical it systems are not very feasible because we need to ensure safety of the passenger and the environment obviously so accessibility is the last point and this is also a pretty big problem because the car is usually with the owner shipping a car is very hard and um we also do not always know which component aware within a specific vehicle from a dedicated manufacturer so we have to perform a lot of reverse engineering looking up block posts looking at previous investigations on how on identifying where this component is within our car for example so overall the characteristics um are not unique to Automotive future forensics they have crosscorrelation and cross connections to other domains in digit forensics obviously but the mixture of all makes Automotive digit forensics very special and the the domain on its own in digital forensic science so how would you investigate a modern vehicle currently there are two tools that you can use bive for infotainment systems and CDR or EDR tools tools like the Bosch um CDR tool for event data recorders usually um airbag systems bif is only available for um military um dedicated legal entities or specific legal entities and are selected private entities so you canot not buy as a researcher or as a private um person and identify what data is stored within your infotainment system um we can further utilize embedded forensic techniques um to collect the data from a component but this usually um leaves us with the with the um analysis problem and the interpr interpretation problem of the data um where we can then use proprietary development tools or third party tooling where we again have to rely on the trustworthine
ss of the tools provider to actually give us um the data and the correct representation of the data um of the device we collected the data from so for example let's look at a Tesla autopilot investigation that we performed so in this case um a Tesla vehicle crashed into a tree um the driver then claimed um that it was not their fault uh that Tesla accelerated on its own and cre the vehicle into the tree the insurance company was pretty uh was not very sure how to um prove or dis proof that um it was actually the manufacturer's problem and Tesla obviously have stated that it's not the problem of the Tesla vehicle um so the insurance company wanted us to get additional Insight on the autopilot functions on the forensic capabilities of the autopilot so we identified the storage unit we collected this data the file folders UND corresponding metadata andall the knowledge in a dedicated knowledge representation for us to use it um again in future investigations so for this we first received the um autopilot we identified the comp the storage component and this in this case it's a emmc We performed a chip off um on this device then we used a classical emmc reader that we know from um mobile forensics um we identified that uh the data stored as a squash FS and is not encrypted which we were pretty lucky um we performed metadata analysis collected the locks and quickly identified that's a weird device that's a very weird setup um however it's pretty protected but um they're not really storing a lot of data on the component um they are pumping everything into the cloud um so Automotive digital forensic investigations should be no problem now right so we just do things to evidence items collect them and find out things and we are fine right but it's sadly not that straightforward in such investigations because state-of-the-art aut the mod of digital forens forensic investigations are very rarely um in depth due to the massive um time consumption that we have to deal with in ve
ry rare occasions um we get the opportunity to look into our component um we have a lack of available tools where we don't know what the tools are actually doing um we need to trust the manufacturers here we Vehicles introduce a lot of manufacturer specific so you have a standardized data format and then you have a very big range on quote unquote manufacturer specific so the manufacturer can do whatever he or she um wants in in the device itself so um that's a big problem in again M data interpretation so each investigation that we have to deal with is an individual one which makes it very hard and timec consuming and highly complex when we look at modern vehicles so this was identified by Academia as a problem and in Academia we love to solve problems and sometimes we love to generate a lot of new problems um so people are looking into five different research areas from pretty specific ones with in-depth investigations to more General one with fundamental research so in video investigations would be in-depth analysis so only an investigation on the Tesla autopilot like I've shown before then also the development of additional components so data loggers blackboxes that we know from avionics and backend streaming applications process development on how we approach a car so how would you again also combine physical and digital evidence General investigation methods so how can we utilize um standardized interfaces like the diagnostic interface to collect data and fundamental research to just generate an understanding of the domain and what is actually happening within a car so besides the research efforts we can further identify changes in the automotive industry while the European oems utilize um resources in lobbying against um electrical vehicles and four Alternatives or combustion engines oems from other regions um take them over through actually functional software defined Vehicles where the European Vehicle um oems are having a hard time to deal with so the manuf
acturer have again identified the problem that the cars are too complex and no one gets what the car is actually doing they also required to handle privacy aspects by law and now they even um have to look at um security and cyber security stuff also Again by law so what a shame bad lobbying I would say um so to handle the complexity the oems now switch to centralized um architectures so architectures where um not every ECU is responsible for a dedicated functionality and has a lot of connection interfaces everything is centralized to um connect to be connected with more um dedicated um processing capability units like gateways and a telematics control system so here this allows us to collect data only from R specific um component and generate a picture of what actually happened within a car um om to further introduce a lot of additional features so um like modern cars sometimes even have biometric authentication so we can identify um uh personal identifier information about a specific individual also comes to vehicle and personalization that we can identify oh what music usually um a specific individual listens to we have features on demand where we again can identify personal um preferences by each individual and we can already sense a bit that the Privacy impact that modern vehicles have is yeah pretty substantial and pretty big the OM um om are now also collaborating with it companies because they identified well it is not that easy um we can build cars but we are not very good when it comes to bringing it into cars so for example huawai is working together with SAS to sell their cars in the stores and Porsche announced that they are will in the future um cars will have apple carplay in their vehicles so you can fully integrate your Apple smartphone into your Porsche car if you have a por car then the oems are now making Automotive digital forensics um are Cloud problem um so for example the Volkswagen group now works together with Microsoft to integrate their ve
hicles fully into the autom into the Microsoft cloud um this involves not only the car manufacturer investigation um it also uh involves the cloud provider where we need to rely on data that we get from the cloud provider so where do we currently head so it serves us with virus um opportunities but also a lot of challenges in this domain so vehicles are valuable and important for investigation but um due to the complexity Automotive dig forensic investigations are highly complex so this leads um to jailbreaking vehicles and we will will have um a talk right after this one where Nicholas nichlas and Chris uh will show us how they um looked into a Tesla car a Tesla vehicle we will have um vehicle ecosystem forensics in the future we will have more structured knowledge reuse use um because that's a very big problem in this domain and we in general need to generate an understanding of the tools capabilities and also the capabilities of the vehicles specifically when it comes to privacy so the current pass path leads us to additional services and features which will open up a lot of a tech surface where which um we as researchers will definitely benefit from but um people as Vehicles vehicle owners will definitely not benefit from um more data also leads um that the data is scattered around everywhere at the oems at the cloud providers at third party um infrastructures um where they now lead uh need to deal with things and I specifically say things here because um you get quickly the feeling that um each entity that collects data from the from the vehicle is not really aware of what data is they actually collected and for this um what the mozzilla foundation looked into the Privacy aspects of modern vehicles they identified um on 25 different brands um that um they quoted that cars are privacy nightmare um they identified that for example cars collect data like songs you play songs you play where you drive how fast you drive even genetic information your sexual preferenc
es so pretty obvious stuff I would say that you would expect that your sense to um to a third party environment and due to the increased complexity security pitfalls do also arise and some examples is that vehicle is now part of the internet of things so we have a lot of potential entry points for attackers um the extreme complexity in vehicles introduce a lot of um software bucks and vulnerabilities European oems currently rely a lot of um security by obscurity um but this will change in the future when they centralize everything and utilize um classical it hardware and software um this is why for example currently there's a lot of research in the Tesla region because it's just a classical it system um with wheels and it does stuff um we also have the problem that oems um are some are still not able to patch all the components um on the um on vehicles um that's not that easy and there also discussions on how long they should provide um updates and even security patches um for the vehicles keyless go systems can ease the theft um this you can um identify or quickly Google up some Hardware devices where you uh which you can buy and then you can open up um a lot of different vehicles um that introduce um keyless go functionality and um as we already indicated modern vehicles could collect and transmit a vast amount of data so raising concerns about privacy and security also and manufacturers here need to implement transparent data policies and robust security um measures to protect the sensitive information um many vehicles use components from various suppliers so the supply chain is pretty complex and big in the automotive industry so if one third party component has a security vulnerability there probably are different manufacturers are affected and different models are affected here so we've learned that vehicles are um important and valuable for forensic investigations and specifically for inventory construction but they are pretty complex when it comes to the to
an investigation here um we can utilize a lot of different evidence sources for cross validation of evidence but also um to check if evidence from different sources is actually trustworthy the current um evolution of the automotive industry um moves towards software based vehicles that holds a lot of challenges and opportunities for forensic investigations but also a lot of dangers when it comes to the um privacy impact that cars have on each of us um as an individual we still lack a lot of fundamental research and Automotive digital forensics and specifically in automotive privacy and automotive security um but we will see that uh or we are currently seeing that the digital forensic capabilities of vehicles coming up right now and um are part of Investigations at this time will further increase in the future thank you um very
[Applause]
much thanks Kevin we have of course now a good portion of time for questions um you might line up at the microphones and while you do so we're going to post the first question from the Internet is there anything well it doesn't look like so basically we go to microphone number four it is number four there's a question for microphone number number four one two could you please uh leave the the room a little bit more silently thanks B yeah can you briefly talk about the boundary protocols between the vehicle and cloud is it can ofd piped over web socket is it kind of all over the place and is there a standard on the horizon um it's all over the place but usually it's a classic cellular um or cellular based communication so 3G 5G um sometimes it com come uh comes down to how far you want to communicate Wi-Fi or Bluetooth and there are some standards specifically when it comes to the communication between vehicles with um carto car communication um but as I indicated before um the standard has defines a lot of different stuff but leaves um the room open for a lot of manufacturer specifics which makes the investigation again pretty hard um because we have to yeah reverse and hope to find out what the manufacturers are doing thanks so much yeah welcome all right more equations here number one microphone number one please hello hello um I was wondering how can you do forensics if car manufacturers sent all their data into the clouds they can just say oh we didn't have anything I mean Tesla crashes and then say oh no no it's we don't have any data yeah that's a that's a legal Minefield that's a very good point um because that was the the the the the goal behind the Tesla investigation because Tesla claimed well we everything is fine on our side trust me um and and here it comes down to the investigation of the in vehicle components so rely on that some parts uh or some information is stored in form of locks within the vehicle that we can prove for dis specific device of fo
r the specific vehicle that um Tesla for example did lock that the autopilot was running while um the crash was happening so each investigation is an individual one but you usually rely a lot on um propretary data on embedded forensic techniques like the chip off um and hope that the device is not encrypted in our case it was not encrypted so you can identify the data afterwards yeah so Tesla will delete the logs in the future and increase enry their hard their their file system um they they I don't think that they will delete their locks but the and autopilot currently is encrypted and we will hear this in the next presentation uh where they opened up the device um and do not have to deal with the encryption anymore yeah thank you all right thanks uh next one is microphone number three please hi thanks um yeah my question goes into the same direction actually so I was wondering if I for example would own a Tesla um um those lock data if those get into the cloud wouldn't I have a right at least in EU to ask the manufacturers to release those data to me yeah you have okay and then I could provide them to you to do forensics on them right you can yeah okay thanks um that's one research domain where um a researcher in um at the University of minster is looking into so he's looking into um the um the smartphone apps that are connected to the car and what data you can collect here based on um the legal requirements that the oems have to fulfill yeah okay thank you okay and the next one is on microphone number two over there in the back hello um I assume you are familiar with Y regulation 156 yeah um what is your observation in general how do the automotives um try to implement or architect I mean this is only one regulation but there is an guideline coming with the iso but there is this ISO if you read it it's not really solving the key problems so what is your observation and how does it affect um forensics yeah so I have not seen any effect on forensics yet and based o
n the regulations the only effect I was aware of is that for example pora is not um building the the new Maran due to uh because they can cannot fulfill the regulations um but different research have shown and we've SE this in regular investigations that um I at least get the feeling that um oems tend to use standardization as an inspiration on how something uh can be done and uh you can rely to some extent um that data should be in a specific format or should be available in the cloud or in the car um but this is heavily um this heavily depends on the car on the manufacturing year if they um need to uh follow the standardization and uh but I've not seen any impact here yet to be honest um but the current path has just pump everything into the cloud and do your magic there yeah okay thank you all right uh do we have any questions from the outside from the internet yes there are some please um first off can you firewall the data leaving the car and is it even legal to go one step further and remove the modem or any signaling or networking from your car uh so to answer the first question yeah this is already done in v as in in vehicle or in in vehical Fireballs so that specific data is not transmitted between different components and yes you can uh I guess you can remove the modem and from your car but you can just buy an old car this has no communication with an uh with with a third party um infrastructure and uh for example for for pretty Advanced cars like the Tesla um you you can basically not utilize any functionality a lot of functionality of the car um if you do not agree um on the big a um um rgbs they have um that they are allowed to collect specific data from your car okay any more questions from the internet let's be fair to those who are not attending the session here yeah that's a fitting followup question how old does the car need to be to avoid this data collection yeah um that's that's a that's a question I cannot really precisely answer um I would say
around 10 years maybe seven or 8 years uh that's a good uh point where everything around the um communication with the backend systems have um started um so for example I have a car that is uh I think seven or six years old and it has functionality that is pretty convenient but um does not communicate with um any backends thanks there's I think there is definitely room for one more question from the inside number one microphone please okay thank you uh thank you for your talk and um I was wondering if you investigated anything other than Tesla because to my knowledge distributed networking is something of the past of today we have uh the domain y uh architecture next upcoming theone architecture not really a centralized as you say it it's more little bit different and to my knowledge most of car manufacturers except Tesla doesn't send anything uh or not too much to the cloud because of cost reasons uh so yeah yeah yeah yes we looked also at um at um Toyota for example at matar at Volkswagen uh where we have seen uh similar Behavior Uh but as you indicated correctly Tesla is um the most prominent example when it comes comes to fully software and cloud-based vehicles um but uh new vehicles from other manufacturers go similar way and as you indicated you have a mixture of um of the hyb of the so hybrid architectures where you have centralized and decentralized uh somewhat mix with zone architectures or um domain architectures as you indicated um but it's it goes in a in a similar way and the Mozilla Foundation report indicated also that at least for the 25 Brands they investigated in that there's a lot of communication with the beend systems yeah sorry just to remark Milla just investigated the Privacy policies not not actual cures yeah that that's true but you can ID you can see that the Privacy policies are somewhat related to what the cars from other investigations that we've seen um Community communicate actually with the backend systems yeah but but there's sorry
there's a very little research as I indicated at the end of the presentation um in this domain where we currently need to look in um to not fully rely on the Privacy policies and hoping that uh not a lot of data is communicated due to costs due to regulations um so as a private um as a private Civil Society we need to um rely on investigations and research in this domania okay thanks everybody for the questions there are still some people at the microphone I just invite you to come over it's easy for you not for those from the internet to have a chat a private chat with Kevin Kevin thank you a lot very much for your talk Applause
[Applause]
[Music]
please
