Black Hat USA 2025: “evilDoggie,” the Argentine device that tests the security of modern cars
Two Argentine hackers presented "evilDoggie," a device for testing the security of computer systems used in cars, on Thursday, on the second day of Black Hat , one of the world's largest cybersecurity conferences. Octavio Gianatempo and Gastón Aznarez of Faraday Security demonstrated how to identify security holes in some car brands using this tool.
The tool's name is a play on the " CAN " protocol (short for Controller Area Network), which is an internal communications standard used by modern cars to allow various internal computers (such as those that control the engine or brakes) to communicate with each other.
During the presentation in the conference's "Arsenal," a space where programs and various pieces of hardware are displayed, the researchers demonstrated how to use the tool, which even includes a switch to change from its monitoring version (Doggie) to its "evil" version, used to attack this protocol. They also held a workshop so attendees could learn how to use it.
The research falls under the umbrella of "Car hacking," one of the most popular areas of cybersecurity conferences. "Car hacking focuses on existing cybersecurity knowledge but applies it to the networks used by cars. In recent years, vehicles have become 'smarter' and coexist with electronic systems. To paraphrase Elon Musk, they are 'computers on wheels,'" Faraday Security explained to this outlet.
"All of these networks are proprietary; they're not designed with transparency in mind. That's where the role of security experts comes in: understanding how these technologies work and what risks they pose ," they added.
The "good/bad" switch to enter attack mode. Photo: Juan Brodersen
The company's research began as an exploration into automotive security . "When we began our research, we realized we would need a tool to communicate with the car's computers. But we found there wasn't a good open option available in Argentina. Gastón had the idea of developing this tool with a modular design for its firmware and hardware, so anyone could build their own with whatever components they had on hand, and even develop other versions," Octavio Gianatiempo, a researcher at the company, told Clarín .
Gastón Aznarez explains how the project shifted toward offensive security , a branch of cybersecurity dedicated to attacking systems to find vulnerabilities and, eventually, fix them. “This first tool was Doggie, but the idea grew, and we added offensive capabilities, thus ultimately giving rise to evilDoggie, focused on research with the possibility of carrying out advanced attacks on CAN communications at both the protocol and physical levels, interfering with the circuit at the electrical level,” he explains.
"Doggie features and evilDoggie attacks can be used to disrupt communication between a car's ECUs [electronic control units] and create unexpected conditions. Today, cars have multiple computers, and almost all of their functions are controlled by them via CAN communications. While modern cars are incorporating security measures into this communication, there are known cases where this type of attack can have a real impact ," the hacker added.
“evilDoggie” isn't the first device that can test a car's security. In fact, the “Flipper Zero ,” known as the “Swiss Army Knife of hacking,” has been featured in several viral videos showing how to open a car door without a key. This is because the device operates with wireless protocols, which are different from those targeted by evilDoggie.
“Communication between the car's parts, for example, between the engine and the wheels, is done through cables. Therefore, to use evilDoggie, you must first have access to the car: the goal is to see, once inside the car, how secure this protocol is and how it could be improved ,” says Faraday.
Octavio Gianatiempo and Gastón Aznarez, Faraday Security researchers, at Black Hat. Photo: Juan Brodersen
What this Argentine development offers is an open-source version (the entire construction and programming process is accessible for consultation) and the low level at which it operates, that is, interacting directly with the car's hardware or communication protocols. Instead of using pre-designed programs or interfaces, evilDoggie allows access to layers closer to the chips embedded in modern cars, such as this CAN protocol.
“Cybersecurity isn't limited to computers and servers, but also to the technology we use every day: cars are no exception ,” the company explained.
Clarín asked about the car models that were attacked during the tests, but Faraday declined to provide details.
The exhibition at the Arsenal sparked the interest of more than one visitor who wanted to purchase the tool.
Diego Staino and Federico Pacheco, from BASE4, at the presentation of BUDA. Photo: Juan Brodersen
Also at the Arsenal, Federico Pacheco and Diego Staino, researchers from the Argentine company BASE4, presented a tool within the area of what is known as "Cyber deception," which are virtual traps that analysts leave on networks to fool hackers who want to enter a system and extract information from it.
Deception strategies are common in threat analysis. It's a fairly well-explored area in offensive security. At the 2024 edition of Ekoparty, local researcher Sheila Berta demonstrated how a specific type of system called a " honeypot " was used on public systems.
"The problem with traditional honeypot-style traps is that more sophisticated attackers can sometimes detect them because they look too clean or empty , or because they lack activity. BUDA is a tool that makes these traps much more credible," Pacheco told this outlet. BUDA stands for Behavioral User-driven Deceptive Activities Framework.
"To do this, it generates fictitious 'user profiles' based on the normal behavior of the network and systems themselves. These profiles then perform things that a normal employee would do, such as logging into a system , opening documents, sending emails, or browsing the web," the specialist continues.
During the Arsenal talk, the researchers emphasized the importance of creating a coherent “narrative” for deceptions so that attackers don’t realize they’re dealing with a honeypot .
“The tool allows profiles to be orchestrated so they act autonomously, following typical behavior patterns. By simulating these behaviors, the trap becomes much more realistic, and attackers have more reason to believe they're dealing with a system with legitimate users, which wastes more time and makes it harder to distinguish what's real from what's fake ,” Diego Staino added.
"Additionally, since fictitious users can act on real or fake systems and assets, the tool allows simulated behavior to resemble that of an attacker or malicious actor, thus allowing network and system defensive measures to be tested," the specialist concludes.
The work was presented this week in a white paper, before academic scrutiny, at the Argentine Conference on Informatics in Operations Research.
Sebastián García and Verónica Valeros, Argentine cybersecurity researchers at the Czech Technical University in Prague (CTU)
Another important area of Black Hat is the training sessions, which begin several days before the talks and conferences. They are not open to the general public, but rather serve as intensive classes for various specialists and industry workers.
One of them was taught by Sebastián García and Verónica Valeros, Argentine researchers at the Czech Technical University in Prague (CTU), "an advanced training program to learn how to detect malware (virus) traffic and differentiate it from legitimate traffic in critical situations," they explained.
“It was two very practical and intense days with real-life attacks. Many exercises focused on learning about hidden malware, botnets, spyware, how to work with large volumes of data, and how to use artificial intelligence to improve threat detection,” they added.
Nicole Perlroth at Black Hat USA 2025. Photo: Black Hat
Black Hat is one of the most influential cybersecurity conferences in the world. It was founded in 1997 by Jeff Moss, known in the hacking world as "The Dark Tangent." While the main conference is held in the United States, it also has editions in Asia and Europe.
During the opening of the 2025 edition, Moss delivered a political address, and Mikko Hypponen, a renowned Finnish hacker , announced his retirement from the hacking industry. On the second day, former New York Times journalist Nicole Perlroth called for reflection on the challenges posed by artificial intelligence in the threat landscape.
" We're coming off a honeymoon with AI. We're reaching incredible levels of efficiency. And I think on this question of whether AI will favor defense or offense, early indications suggest that offense is going to have the advantage. But we can still change that. We have a narrow window, but it's closing very fast, and once AI becomes embedded in our infrastructure, in our decision-making, and in our defense, the cost of failure will only multiply . Secure by design has never been more urgent ," Perlroth said.
The convention brings together experts from around the world to discuss vulnerabilities, global threats, defense techniques, and groundbreaking findings in cybersecurity. Unlike DEF CON, which was founded in 1993 and maintains a more informal spirit, Black Hat is aimed at the corporate world.
The conference serves as a showcase for the world of cybersecurity, but also as a laboratory for the current threat landscape.
Clarin
