The Car Hacker's Handbook: A Guide for the Penetration Tester - Craig Smith (2016)
In 2014, Open Garages—a group of people interested in sharing and collaborating on vehicle security—released the first Car Hacker’s Manual as course material for car hacking classes. The original book was designed to fit in a vehicle’s glove box and to cover the basics of car hacking in a one- or two-day class on auto security. Little did we know how much interest there would be in that that first book: we had over 300,000 downloads in the first week. In fact, the book’s popularity shut down our Internet service provider (twice!) and made them a bit unhappy with us. (It’s okay, they forgave us, which is good because I love my small ISP. Hi SpeedSpan.net!)
The feedback from readers was mostly fantastic; most of the criticism had to do with the fact that the manual was too short and didn’t go into enough detail. This book aims to address those complaints. The Car Hacker’s Handbook goes into a lot more detail about car hacking and even covers some things that aren’t directly related to security, like performance tuning and useful tools for understanding and working with vehicles.
Why Car Hacking Is Good for All of Us
If you’re holding this book, you may already know why you’d want to hack cars. But just in case, here’s a handy list detailing the benefits of car hacking:
Understanding How Your Vehicle Works
The automotive industry has churned out some amazing vehicles, with complicated electronics and computer systems, but it has released little information about what makes those systems work. Once you understand how a vehicle’s network works and how it communicates within its own system and outside of it, you’ll be better able to diagnose and troubleshoot problems.
Working on Your Vehicle’s Electrical Systems
As vehicles have evolved, they’ve become less mechanical and more electronic. Unfortunately, automotive electronics systems are typically closed off to all but the dealership mechanics. While dealerships have access to more information than you as an individual can typically get, the auto manufacturers themselves outsource parts and require proprietary tools to diagnose problems. Learning how your vehicle’s electronics work can help you bypass this barrier.
Modifying Your Vehicle
Understanding how vehicles communicate can lead to better modifications, like improved fuel consumption and use of third-party replacement parts. Once you understand the communication system, you can seamlessly integrate other systems into your vehicle, like an additional display to show performance or a third-party component that integrates just as well as the factory default.
Discovering Undocumented Features
Sometimes vehicles are equipped with features that are undocumented or simply disabled. Discovering undocumented or disabled features and utilizing them lets you use your vehicle to its fullest potential. For example, the vehicle may have an undocumented “valet mode” that allows you to put your car in a restricted mode before handing over the keys to a valet.
Validating the Security of Your Vehicle
As of this writing, vehicle safety guidelines don’t address malicious electronic threats. While vehicles are susceptible to the same malware as your desktop, automakers aren’t required to audit the security of a vehicle’s electronics. This situation is simply unacceptable: we drive our families and friends around in these vehicles, and every one of us needs to know that our vehicles are as safe as can be. If you learn how to hack your car, you’ll know where your vehicle is vulnerable so that you can take precautions and be a better advocate for higher safety standards.
Helping the Auto Industry
The auto industry can benefit from the knowledge contained in this book as well. This book presents guidelines for identifying threats as well as modern techniques to circumvent current protections. In addition to helping you design your security practice, this book offers guidance to researchers in how to communicate their findings.
Today’s vehicles are more electronic than ever. In a report in IEEE Spectrum titled “This Car Runs on Code,” author Robert N. Charette notes that as of 2009 vehicles have typically been built with over 100 microprocessors, 50 electronic control units, 5 miles of wiring, and 100 million lines of code (http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code). Engineers at Toyota joke that the only reason they put wheels on a vehicle is to keep the computer from scraping the ground. As computer systems become more integral to vehicles, performing security reviews becomes more important and complex.
Car hacking should not be taken casually. Playing with your vehicle’s network, wireless connections, onboard computers, or other electronics can damage or disable it. Be very careful when experimenting with any of the techniques in this book and keep safety as an overriding concern. As you might imagine, neither the author nor the publisher of this book will be held accountable for any damage to your vehicle.
What’s in This Book
The Car Hacker’s Handbook walks you through what it takes to hack a vehicle. We begin with an overview of the policies surrounding vehicle security and then delve in to how to check whether your vehicle is secure and how to find vulnerabilities in more sophisticated hardware systems.
Here’s a breakdown of what you’ll find in each chapter:
✵ Chapter 1: Understanding Threat Models teaches you how to assess a vehicle. You’ll learn how to identify areas with the highest risk components. If you work for the auto industry, this will serve as a useful guide for building your own threat model systems.
✵ Chapter 2: Bus Protocols details the various bus networks you may run into when auditing a vehicle and explores the wiring, voltages, and protocols that each bus uses.
✵ Chapter 3: Vehicle Communication with SocketCAN shows how to use the SocketCAN interface on Linux to integrate numerous CAN hardware tools so that you can write or use one tool regardless of your equipment.
✵ Chapter 4: Diagnostics and Logging covers how to read engine codes, the Unified Diagnostic Services, and the ISO-TP protocol. You’ll learn how different module services work, what their common weaknesses are, and what information is logged about you and where that information is stored.
✵ Chapter 5: Reverse Engineering the CAN Bus details how to analyze the CAN network, including how to set up virtual testing environments and how to use CAN security-related tools and fuzzers.
✵ Chapter 6: ECU Hacking focuses on the firmware that runs on the ECU. You’ll discover how to access the firmware, how to modify it, and how to analyze the firmware’s binary data.
✵ Chapter 7: Building and Using ECU Test Benches explains how to remove parts from a vehicle to set up a safe testing environment. It also discusses how to read wiring diagrams and simulate components of the engine to the ECU, such as temperature sensors and the crank shaft.
✵ Chapter 8: Attacking ECUs and Other Embedded Systems covers integrated circuit debugging pins and methodologies. We also look at side channel analysis attacks, such as differential power analysis and clock glitching, with step-by-step examples.
✵ Chapter 9: In-Vehicle Infotainment Systems details how infotainment systems work. Because the in-vehicle infotainment system probably has the largest attack surface, we’ll focus on different ways to get to its firmware and execute on the system. This chapter also discusses some open source in-vehicle infotainment systems that can be used for testing.
✵ Chapter 10: Vehicle-to-Vehicle Communication explains how the proposed vehicle-to-vehicle network is designed to work. This chapter covers cryptography as well as the different protocol proposals from multiple countries. We’ll also discuss some potential weaknesses with vehicle-to-vehicle systems.
✵ Chapter 11: Weaponizing CAN Findings details how to turn your research into a working exploit. You’ll learn how to convert proof-of-concept code to assembly code, and ultimately shellcode, and you’ll examine ways of exploiting only the targeted vehicle, including ways to probe a vehicle undetected.
✵ Chapter 12: Attacking Wireless Systems with SDR covers how to use software-defined radio to analyze wireless communications, such as TPMS, key fobs, and immobilizer systems. We review the encryption schemes you may run into when dealing with immobilizers as well as any known weaknesses.
✵ Chapter 13: Performance Tuning discusses techniques used to enhance and modify a vehicle’s performance. We’ll cover chip tuning as well as common tools and techniques used to tweak an engine so it works the way you want it to.
✵ Appendix A: Tools of the Trade provides a list of software and hardware tools that will be useful when building your automotive security lab.
✵ Appendix B: Diagnostic Code Modes and PIDs lists some common modes and handy PIDS.
✵ Appendix C: Creating Your Own Open Garage explains how to get involved in the car hacking community and start your own Open Garage.
By the end of the book, you should have a much deeper understanding of how your vehicle’s computer systems work, where they’re most vulnerable, and how those vulnerabilities might be exploited.