My H2HC Conference Summary

I am Danilo Erazo (independent car/hardware security researcher, pentester, programmer and hacking lover). I was invited to the H2HC conference to be part of the DEFCON Car Hacking Village. This was my first time in Brazil and I liked it a lot. I was teaching the key fob hacking process at the Car Hacking Village during the two-day event. In this post, I’ll share an overview of H2HC, some villages that I visited, my learnings, the talk I attended, the parties, the hackers I met and my experience. I’ll also provide recommendations on how to make the most out of this event.

INDEX

  1. What is H2HC
  2. DEFCON Car Hacking Village
  3. Villages & Learnings
  4. Talks
  5. Parties
  6. Recommendations

1. What is H2HC

About: Cybersecurity conference focused on technical topics and exploits: talks, workshops, villages, CTF and more.
Years running: 21
Location: São Paulo, Brazil (Novotel Center Norte São Paulo)

Novotel Center Norte São Paulo – H2HC Location

Date: December 14th & 15th, 2024
Attendees: 3000-4000 infosec people
Language: Portuguese & English, and a little bit of Spanish

On the first day, when the receptionist handed me the card for my room, I thought, “This is a great opportunity to use my Flipper Zero again.” The room card used Mifare Ultralight EV1 technology. I started by using the Flipper to read the first 16 out of 20 readable pages (0–15). Afterward, I held the Flipper close to the door reader to initiate a brute-force attack on the 32-bit password that protected the remaining pages. In less than a minute, I successfully cracked the password and accessed all 20 pages, enabling me to clone the card. Don’t worry—I hacked my own room card, so there’s no need to be alarmed or call the police! 😄

Before the brute force attack (16/20 pages read).
After the brute force attack (20/20 pages read).
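The room card story above comes down to a few configuration bytes on the card. The following is an added example written for this post (not Flipper Zero code or an NXP tool) that parses the configuration pages of a MIFARE Ultralight EV1 dump and reports, from the issuer's side, why such a card is clonable: where password protection starts (AUTH0), whether reads are protected (PROT) and, above all, whether the failed-authentication limit (AUTHLIM) is enabled. The page layout is taken from the NXP MF0ULx1 datasheet for the 20-page variant; the dump bytes, UID and password are constructed placeholders, and the `audit` wording is mine.

```python
"""Audit the password-protection settings of a MIFARE Ultralight EV1 (MF0UL11) dump.

Hypothetical helper written for this post, not a Flipper Zero or NXP tool.
Page layout follows the NXP MF0ULx1 datasheet for the 20-page (80-byte) variant:
  page 16: MOD | RFUI | RFUI | AUTH0     AUTH0 = first page that needs PWD_AUTH
  page 17: ACCESS | VCTID | RFUI | RFUI  ACCESS: bit7 PROT, bit6 CFGLCK, bits2-0 AUTHLIM
  page 18: PWD (4 bytes)
  page 19: PACK (2 bytes) | RFUI | RFUI
"""
from dataclasses import dataclass

PAGE_SIZE = 4
TOTAL_PAGES = 20        # MF0UL11: pages 0x00..0x13
PAGE_AUTH0 = 16
PAGE_ACCESS = 17


@dataclass(frozen=True)
class ProtectionConfig:
    auth0: int            # >= TOTAL_PAGES (factory default 0xFF) means no password at all
    read_protected: bool  # PROT=1: reads and writes need auth; PROT=0: only writes do
    authlim: int          # 0: unlimited failed PWD_AUTH attempts; 1..7: lock after that many
    cfglck: bool          # True: configuration pages are permanently locked

    def pages_readable_without_auth(self) -> int:
        """How many pages an unauthenticated reader can dump (the Flipper's first pass)."""
        if not self.read_protected or self.auth0 >= TOTAL_PAGES:
            return TOTAL_PAGES
        return self.auth0


def _page(dump: bytes, n: int) -> bytes:
    return dump[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]


def parse_config(dump: bytes) -> ProtectionConfig:
    if len(dump) != TOTAL_PAGES * PAGE_SIZE:
        raise ValueError(f"expected {TOTAL_PAGES * PAGE_SIZE}-byte MF0UL11 dump, got {len(dump)}")
    auth0 = _page(dump, PAGE_AUTH0)[3]
    access = _page(dump, PAGE_ACCESS)[0]
    return ProtectionConfig(
        auth0=auth0,
        read_protected=bool(access & 0x80),
        authlim=access & 0x07,
        cfglck=bool(access & 0x40),
    )


def audit(cfg: ProtectionConfig) -> list[str]:
    """Findings a card issuer (hotel, access-control vendor) would want to fix."""
    findings = []
    if cfg.auth0 >= TOTAL_PAGES:
        findings.append("no password protection: AUTH0 points past the last page")
    elif not cfg.read_protected:
        findings.append("PROT=0: protected pages are still readable, only writes need the password")
    if cfg.authlim == 0:
        findings.append("AUTHLIM=0: unlimited failed PWD_AUTH attempts, so the 32-bit PWD can be "
                        "guessed online; set AUTHLIM to 1..7 to lock the card after a few failures")
    if not cfg.cfglck:
        findings.append("CFGLCK=0: configuration can still be rewritten once the PWD is known")
    return findings


# Constructed sample dump (not a real card): AUTH0 = 0x10 and PROT = 1, so pages 0-15
# are open and pages 16-19 need the password, matching the 16/20 pages read above.
SAMPLE_DUMP = bytes.fromhex(
    "04112233"  # page 0: UID0..UID2 + BCC0 (made-up UID)
    "44556677"  # page 1: UID3..UID6
    "88000000"  # page 2: BCC1, internal, lock bytes
    "00000000"  # page 3: OTP
) + bytes(12 * PAGE_SIZE)  # pages 4-15: user memory, zeroed
SAMPLE_DUMP += bytes.fromhex(
    "00000010"  # page 16: MOD=0, AUTH0=0x10
    "80050000"  # page 17: ACCESS=0x80 (PROT=1, CFGLCK=0, AUTHLIM=0), VCTID=0x05
    "DEADBEEF"  # page 18: PWD (constructed placeholder)
    "12340000"  # page 19: PACK=0x1234
)

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_DUMP)
    print(cfg)
    print(f"readable without auth: {cfg.pages_readable_without_auth()}/{TOTAL_PAGES} pages")
    for line in audit(cfg):
        print(" -", line)
```

Running it on the constructed dump reports 16 of 20 pages readable and two findings; setting ACCESS to 0xC3 (PROT=1, CFGLCK=1, AUTHLIM=3) clears both, which is the configuration a hotel would want its encoder to write.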

2. DEFCON Car Hacking Village in the H2HC

2.1 Key Fob Hacking

Car Hacking Village Table 2.

I demonstrated the process of conducting key fob vulnerability research through RF and hardware hacking using tools such as a Logic Analyzer, HackRF, BladeRF, AutoRFKiller, URH and GNURadio. I covered the three types of key fob security systems—fixed code, rolling code, and learning code—along with their associated vulnerabilities and attacks. Additionally, I introduced the attendees to a tool I developed called Auto RF Killer, designed to unlock cars that use learning codes. However, this tool can unlock any car, as it also includes RollJam and Jamming functionalities. I presented the AutoRFKiller at the DEFCON32 conference.
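To make the difference between fixed and rolling codes concrete from the receiver's side, here is an added example, not the AutoRFKiller tool or any manufacturer's code. It models a fob and a car receiver: the fixed-code receiver accepts the same bits forever, so a captured transmission stays valid; the rolling-code receiver checks a truncated HMAC-SHA256 (a stand-in for the vendor's block cipher) over serial and a 16-bit counter, accepts only counters inside a small forward window, rejects anything at or behind the last accepted value, and resynchronises only after two consecutive counters, KeeLoq style. The key, serial and window sizes are constructed values.

```python
"""Fixed-code vs rolling-code receiver logic (added example, constructed values).

The authenticator is HMAC-SHA256 truncated to 32 bits, standing in for the
manufacturer's cipher; the acceptance windows mirror the KeeLoq-style scheme.
"""
import hashlib
import hmac
from dataclasses import dataclass

COUNTER_MOD = 1 << 16     # 16-bit sync counter, wraps around
OPEN_WINDOW = 16          # counters this far ahead are accepted immediately
RESYNC_WINDOW = 1 << 15   # further ahead: needs two consecutive presses; beyond: rejected


@dataclass(frozen=True)
class Frame:
    serial: int
    counter: int
    tag: bytes  # 32-bit authenticator over (serial, counter)


def authenticator(key: bytes, serial: int, counter: int) -> bytes:
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Fob:
    """Transmitter: increments its counter on every press and signs it."""
    def __init__(self, key: bytes, serial: int, counter: int = 0):
        self.key, self.serial, self.counter = key, serial, counter

    def press(self) -> Frame:
        self.counter = (self.counter + 1) % COUNTER_MOD
        return Frame(self.serial, self.counter, authenticator(self.key, self.serial, self.counter))


class FixedCodeReceiver:
    """Every press sends the same bits, so one captured frame opens the car forever."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeReceiver:
    def __init__(self, key: bytes, serial: int, last_counter: int = 0):
        self.key, self.serial, self.last = key, serial, last_counter
        self.pending = None  # first counter of a possible resync pair

    def accept(self, f: Frame) -> bool:
        if f.serial != self.serial:
            return False
        if not hmac.compare_digest(f.tag, authenticator(self.key, f.serial, f.counter)):
            return False  # forged or corrupted frame
        delta = (f.counter - self.last) % COUNTER_MOD
        if 1 <= delta <= OPEN_WINDOW:
            self.last, self.pending = f.counter, None
            return True
        if OPEN_WINDOW < delta <= RESYNC_WINDOW:
            # Fob pressed many times out of range: trust it only on two consecutive counters.
            if self.pending is not None and f.counter == (self.pending + 1) % COUNTER_MOD:
                self.last, self.pending = f.counter, None
                return True
            self.pending = f.counter
            return False
        return False  # delta == 0 (replay of the last code) or an older counter


if __name__ == "__main__":
    key, serial = b"constructed-demo-key", 0x12345678
    fob, car = Fob(key, serial), RollingCodeReceiver(key, serial)
    first = fob.press()
    print("fresh press accepted:", car.accept(first))   # True
    print("same frame replayed:", car.accept(first))    # False
```

A captured rolling-code frame is useless once the car has seen a newer counter, which is exactly the gap the RollJam technique mentioned above exploits by keeping the car from seeing it; the receiver logic itself cannot tell a delayed legitimate frame from a replayed one, which is why the fix lives in the protocol (timestamps, challenge-response) rather than in the window size.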

During my workshop, a Brazilian guy approached me and showed me his BMW key fob. Afterwards, we went together to the parking garage and attempted to unlock the BMW.

BMW Car – HackRF – Parking Garage H2HC

2.2 CAN BUS Workshop

Kamel Ghali, the Car Hacking Village President

The Car Hacking Village (CHV) also featured two Toyota Corolla cars at the stand. The CHV President, Kamel Ghali, conducted a lesson on CAN bus using various tools. He bypassed the CAN gateway of the Toyota Corolla by disassembling and disconnecting the Toyota front camera, then connecting a 12-pin OBD2 connector adapter to the 12-pin port of the camera. This setup allowed sniffing the car’s entire CAN traffic. If you have a Toyota with a front camera, you can do the same.

Front camera disassembled and the 12-pin port available.
12-pin OBD2 connector adapter used.
The OBD2 interface connected to my computer, sniffing the Toyota Corolla CAN bus.

2.3 CTF for learning

At CHV Table 1, participants had the opportunity to learn car hacking through a CTF using a miniature car model, RAMN. This setup simulated a real-world environment, allowing users to connect to the RAMN via SLCAN and interact with the car using CAN frames. The CTF included challenges such as sending specific CAN frames, sniffing particular CAN IDs, requesting UDS services, analyzing assembly code to retrieve flags, and more. Something very interesting to learn while having fun!

Attendees resolving CHV CTF challenges
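Both the RAMN CTF above and the Corolla sniffing in 2.2 come down to reading SLCAN records (the Lawicel-style serial-line protocol that USB CAN adapters and the RAMN speak) and watching which CAN IDs appear. The following added example is not from the RAMN project or the CHV CTF: it parses and re-encodes SLCAN frame records (`t`/`T` data frames with 11/29-bit IDs, `r`/`R` remote frames, one hex digit of DLC, then the data bytes) and turns a capture into a per-ID census that can be compared against a baseline recorded from a known-good drive, which is the defender's use of the same sniffing setup. The log lines, IDs and baseline are constructed.

```python
"""SLCAN record parser plus a per-ID census for spotting unexpected traffic.

Added example, not RAMN or CHV code. Record layout: kind ('t'/'T' data, 'r'/'R' remote),
ID as 3 (11-bit) or 8 (29-bit) hex digits, DLC as one hex digit, then DLC*2 hex digits
of data for data frames, terminated by '\\r'.
"""
from collections import Counter
from dataclasses import dataclass

STD_ID_MAX = 0x7FF
EXT_ID_MAX = 0x1FFFFFFF


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    dlc: int
    data: bytes = b""
    extended: bool = False
    rtr: bool = False


def parse_slcan(record: str) -> CanFrame:
    rec = record.rstrip("\r\n")
    if not rec or rec[0] not in "tTrR":
        raise ValueError(f"not a frame record: {record!r}")
    kind = rec[0]
    extended, rtr = kind in "TR", kind in "rR"
    id_len = 8 if extended else 3
    if len(rec) < 1 + id_len + 1:
        raise ValueError(f"truncated record: {record!r}")
    can_id = int(rec[1:1 + id_len], 16)
    if can_id > (EXT_ID_MAX if extended else STD_ID_MAX):
        raise ValueError(f"ID out of range: {record!r}")
    dlc = int(rec[1 + id_len], 16)
    if dlc > 8:
        raise ValueError(f"DLC > 8 is not classic CAN: {record!r}")
    payload = rec[2 + id_len:]
    if rtr:
        if payload:
            raise ValueError(f"remote frame carries data: {record!r}")
        return CanFrame(can_id, dlc, b"", extended, True)
    if len(payload) != 2 * dlc:
        raise ValueError(f"DLC {dlc} does not match {len(payload)} hex digits: {record!r}")
    return CanFrame(can_id, dlc, bytes.fromhex(payload), extended, False)


def encode_slcan(frame: CanFrame) -> str:
    kind = {(False, False): "t", (True, False): "T",
            (False, True): "r", (True, True): "R"}[(frame.extended, frame.rtr)]
    width = 8 if frame.extended else 3
    return f"{kind}{frame.can_id:0{width}X}{frame.dlc:X}{frame.data.hex().upper()}\r"


def id_census(records) -> Counter:
    """Count frames per (ID, extended) pair; adapter replies ('z', error codes) are skipped."""
    counts = Counter()
    for rec in records:
        try:
            f = parse_slcan(rec)
        except ValueError:
            continue
        counts[(f.can_id, f.extended)] += 1
    return counts


def unexpected_ids(counts: Counter, baseline: set) -> set:
    """IDs on the bus that never appeared in the baseline capture from a known-good drive."""
    return {cid for (cid, _ext) in counts if cid not in baseline}


# Constructed capture (not from a real car): two periodic IDs, one extended frame,
# one remote frame, an adapter ACK, and an OBD-II functional request (mode 01, PID 0C).
SAMPLE_LOG = [
    "t1238DEADBEEF01234567\r",
    "t2A0400112233\r",
    "t1238DEADBEEF01234567\r",
    "T1FFFFFFF2ABCD\r",
    "r1230\r",
    "z\r",
    "t7DF802010C0000000000\r",
]
BASELINE_IDS = {0x123, 0x2A0}  # constructed: IDs seen during the baseline drive

if __name__ == "__main__":
    counts = id_census(SAMPLE_LOG)
    for (cid, ext), n in sorted(counts.items()):
        print(f"{'x' if ext else ' '} {cid:08X}: {n} frames")
    print("not in baseline:", [hex(c) for c in sorted(unexpected_ids(counts, BASELINE_IDS))])
```

On the constructed capture the census flags 0x1FFFFFFF and 0x7DF as IDs the baseline never showed; on a real bus the same comparison is a cheap first check that a diagnostic tester or an unknown node has started talking.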

2.4 CARLA with CAN interface + Joystick / RAMN

Octavio Gianatiempo and Gastón Aznárez demonstrated the autonomous driving simulator CARLA. Initially, the simulator was controlled using a joystick connected to a custom-made CAN DIY interface. Later, it was connected to the RAMN. This setup allowed participants to control the simulated car in CARLA through CAN frames, either using the joystick-CAN interface or solely through the RAMN, which integrates all the necessary components. Participants had the opportunity to drive the simulated car and gain hands-on experience with CAN interfaces.

Kamel and Gaston driving a simulated car with RAMN

3. Villages & Learnings

3.1 Radio Frequency Hacking

Davi Mikael Cezar, also known as Penegui, is a highly skilled Brazilian radio frequency hacker. He demonstrated how it is possible to perform fault injection on NFC/RFID readers using electromagnetic pulses (EMP). This technique allows bypassing security controls without needing the tag or card. To carry out this attack, all you need is an electromagnetic pulse generator, which is readily available for purchase. For more content like this, you can visit his YouTube channel.

Electromagnetic Pulse Generator

When I was in the village giving explanations about key fob hacking, I met a group of young Brazilians who are dedicated to RF hacking. One of them was Fernando Hansen, who showed me a portable and practical tool called ScaryRF. It is an open-source Arduino-based project that combines an ESP32 with a CC1101 module to provide a versatile platform for RF communication. It can capture and replay signals on common RF frequencies like 315 MHz and 433.92 MHz, perform replay attacks, send random codes within the 315-433 MHz range, and analyze signals within 300-928 MHz. The tool also has potential for further features, including a navigation menu, though it’s still in its early development stage.

ScaryRF hardware tool

3.2 Hardware Hacking Village

I met Luiz Henrique, also known as Monge, a Brazilian hardware hacker. He introduced me to the M5Stack Cardputer, an ESP32-S3 pocket computer designed for developing and testing IoT devices with its Wi-Fi and Bluetooth capabilities. This tool is programmable and supports various protocols, making it versatile for a wide range of applications. I invite you to check out this tool.

M5Stack Cardputer in the Hardware Hacking Village

Additionally, there are isolated CAN bus transceivers available for connecting to the M5Stack Cardputer, allowing you to interface with your car and work with CAN frames.

Monge also showed me a tool called Cynthion, a USB research and sniffing tool designed for man-in-the-middle (MITM) analysis. It allows users to intercept, analyze, and manipulate USB communication between devices, and it is commonly used for security research and testing vulnerabilities in USB devices and protocols. I find it very interesting and I must try it in the future.

Cynthion hardware tool in the Hardware Hacking Village

3.3 Lebanon AR-924 Pager Exploitation Demo Attack

Do you remember the news about thousands of pagers exploding and killing many people in Lebanon and Syria? If you don’t know about this, I invite you to check out the news about the supply chain infiltration carried out by Israeli hackers.

Hezbollah uses pagers because they are aware that cellphones pose a significant risk due to their potential for surveillance, and they prioritize confidentiality. However, these pagers were intercepted several months before they reached Hezbollah. Using hardware hacking techniques, Israeli hackers implanted a backdoor, allowing them to exploit the pagers by sending a specific signal. This process was replicated at the H2HC conference, where a device was made to explode by sending a message from a cellphone to the targeted pager. In the video below, you can see the speaker who demonstrated this attack, with a member of the audience approaching to send the message that triggered the explosion. It was amazing because so many people attended the exploitation demo!

4. Talks

Since I had to stay at the CHV, I didn’t have the opportunity to attend any talks except Kamel’s.

Kamel presenting his talk at the H2HC

Kamel’s talk focused on methods for bypassing security controls implemented by companies on employee computers. In summary, I noted three tools, the third of which was developed by me and is used to exfiltrate data from computers that block USB storage.

  • USB Capture Card: A USB capture card allows you to capture and record video and audio signals from external devices, such as cameras, gaming consoles, or other video sources, and input them into your computer via a USB port. It allows you to bypass many controls on the original computer.
  • IP-KVM: An IP-KVM (Internet Protocol Keyboard, Video, and Mouse) switch allows users to control multiple computers or servers remotely over a network using a single keyboard, video monitor, and mouse. It enables access to and management of devices from anywhere via the internet, making it ideal for data centers, remote work, and IT support. IP-KVMs support features like remote reboot, console redirection, and multi-platform compatibility, providing seamless control for administrators or users to manage systems without being physically present.
  • Exfiltrate-PC2Flipper: It allows you to bypass USB storage restrictions. Through a keystroke injection attack, you can save data to the Flipper Zero’s storage via a serial port. I discovered this method and created a post about it, which you can check if you want to learn more about the process.

5. Parties

The parties are exclusive to H2HC speakers due to limited capacity at the bars. The Brazilian attendees are very enthusiastic and enjoy the parties. At the first party on Friday, there was Brazilian funk music, which I really liked. Other parties featured different music styles, such as pagode. I remember returning to the hotel very late on the first night with some of the organizers/speakers. It’s common for the parties to end around 5 a.m. the next day. I discovered that São Paulo is a real party city, but just as they party, they are also very good hackers.

H2HC Friday party
Speakers dinner

6. Recommendations

  • Use the Hacker Tracker app.
  • São Paulo is very large, so get used to traveling long distances by Uber.
  • Learn the basics of Portuguese, because sometimes Uber drivers don’t understand Spanish or English, and you might end up in trouble.
  • On the first day, exchange a few dollars for Brazilian reais (BRL) in case of emergencies, as some restaurants, bars, or games might not accept cards, which is what happened to me.
  • When you go out to eat or to any place outside the hotel, never go alone. It’s better to have a local companion who can guide you or recommend places to go.
  • Enjoy & Learn & Meet people.

Finally, I want to thank the Brazilian people I met for being so kind to me. I really enjoyed Brazil and the hacker culture in São Paulo, and I would love to return for more hacking. A big thank you to Penegui, Ana, Rodrigo, Daiane, Cybelle, Monge, Nana and many others who were part of the event and to Kamel for inviting me.

I also made a video about all of this, including the hacking process that I mentioned before:

🏴‍☠ Reverse Everything and happy hacking guys!!
