If you own a car, I would wager it’s the most complex device you own. Within it you find locomotion, safety systems, and an entertainment system that may be using technology from several decades ago (but that’s a rant for a different article). Jalopy or Sweet Hotness, your ride has an underlying data network that is a ton of fun to hack, and something of a security dinosaur. Both were discussed by Craig Smith and Eric Evenchick during their talk on car hacking tools at HOPE XI.
You should recognize both of these names. Eric Evenchick is a Hackaday contributor who has been traveling the world presenting talks and workshops on his open source car hacking hardware called CANtact. Craig Smith is founder of OpenGarages and author of the Car Hacker’s Handbook which we highly recommend. The pair made a great joint presentation; both were charismatic, using wit to navigate through the hardware, software, techniques, and goals you want to have in mind to jump into car hacking.
It’s all in the CAN
One thing you can almost always say about the automotive industry is that it has robust and well-defined standards. There are so many vehicles on the road, and support for that hardware needs to last so long, that parts tend to be standardized and documentation can almost always be found. Every car has a standardized port to patch into the CANbus — the system that carries data to every piece of electronics in the vehicle. Want to roll down the window, change the radio station from the steering wheel, or tweak the mix going into the combustion chamber? Look to the CANbus.
To the uninitiated this can be scary, but there are a ton of options to ease you into CANbus hacking. You can try your hand at reading, parsing, reverse engineering, and formulating CAN messages in software if you like. Craig has put together two software trainers. The first is based on SuperTuxKart (think Mario Kart for the Linux crowd) and spits out accurate CAN messages as you drive the kart around. The second, called ICSim, uses a gaming controller to operate a virtual vehicle and is much more sophisticated, aimed squarely at teaching reverse engineering. The output includes many more messages (like the noisy deluge you see on a real vehicle) and challenges you to sleuth out which messages carry the meaning you are hunting for.
Your Car’s Hardware (for the brave) or Fake It (for the meek)
You can just jump right into plugging hardware into your own car and hacking away. Craig knows that may be a hard sell so he has a clever solution: hit the junkyard and build a test bench on the cheap.
Here you can see an instrument cluster, Electronic Control Unit (ECU), and the keys. Connect everything together, throw in a 12V PSU and you’ve got most of the interesting bits you’d want. Craig uses a couple of trimpots to stand in for the fuel level and engine temperature which are resistive sensors.
Whether hacking your own car or a junkyard unit you need a tool that can speak the language of the CANbus. The good news is that there are many options and for the most part they’re in the sub-$100 range. This is where Eric Evenchick’s part of the talk comes into play.
CANtact hasn’t had a ton of coverage yet on Hackaday. We featured it just after release but it would be great to hear more about what people are accomplishing with the hardware so send in a tip if you have a good story. The device is a USB-to-CANbus bridge that speaks to all of the best CAN hacking tools.
As we heard during Eric’s village talk at DEF CON last year, the CANtact plays nicely with SocketCAN, the go-to suite of open source CAN hacking software (e.g. candump, cansniffer, cansend, cangw). But since then he has developed a new cross-platform Java app to open up CANtact for use on OS X and Windows.
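The sleuthing ICSim trains you for boils down to one habit: capture the bus at rest, capture it again while you do one thing (open a door, press a button), and look for bytes that were constant at rest but moved during the action. Below is an added example of that comparison (written for this article, not code from the talk, CANtact, ICSim or OpenGarages). It reads the log-file format candump writes with `-l`, one `(timestamp) interface ID#HEXDATA` frame per line, and the two captures embedded in it are constructed, with made-up arbitration IDs. One of them carries a rolling counter so you can see why bytes that already vary at rest have to be filtered out.

```python
import re
from collections import defaultdict

# Line format written by "candump -l" (and read back by canplayer):
#   (1469040000.123456) vcan0 0A1#0011223344556677
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed captures (not from a real vehicle or from ICSim): a few frames
# recorded at rest, then a few recorded while the action of interest is performed.
# 0x2C3 carries a rolling counter in its last byte; 0x3E5 is only sent during the action.
BASELINE_LOG = """\
(1469040000.000000) vcan0 0A1#0000000000000000
(1469040000.010000) vcan0 2C3#1122334455667700
(1469040000.020000) vcan0 0A1#0000000000000000
(1469040000.030000) vcan0 2C3#1122334455667701
"""
ACTION_LOG = """\
(1469040010.000000) vcan0 0A1#0000010000000000
(1469040010.010000) vcan0 2C3#1122334455667702
(1469040010.020000) vcan0 3E5#0F
(1469040010.030000) vcan0 0A1#0000010000000000
(1469040010.040000) vcan0 2C3#1122334455667703
"""

def parse_candump(lines):
    """Yield (timestamp, interface, arbitration id, payload bytes) per well-formed log line."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip it rather than abort the whole capture
        yield float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])

def payloads_by_id(frames):
    """Group payloads by arbitration id, keeping the order in which they were seen."""
    grouped = defaultdict(list)
    for _ts, _iface, can_id, data in frames:
        grouped[can_id].append(data)
    return grouped

def find_candidates(baseline_lines, action_lines):
    """Compare two captures and return (changed, new_ids).

    changed maps an id to a list of (byte offset, value at rest, new values seen
    during the action).  A byte that already varied in the baseline (rolling
    counters, sensor noise) is ignored, since a change there says nothing about
    the action.  new_ids lists ids that only appeared while the action happened.
    """
    base = payloads_by_id(parse_candump(baseline_lines))
    act = payloads_by_id(parse_candump(action_lines))
    new_ids = sorted(set(act) - set(base))
    changed = {}
    for can_id in sorted(set(base) & set(act)):
        width = min(len(p) for p in base[can_id] + act[can_id])  # shortest payload seen
        hits = []
        for offset in range(width):
            rest_vals = {p[offset] for p in base[can_id]}
            if len(rest_vals) != 1:
                continue  # already changing at rest, not a clean indicator
            (rest_val,) = rest_vals
            new_vals = {p[offset] for p in act[can_id]} - rest_vals
            if new_vals:
                hits.append((offset, rest_val, sorted(new_vals)))
        if hits:
            changed[can_id] = hits
    return changed, new_ids

def report(changed, new_ids):
    """Render the findings the way you would jot them down while sleuthing."""
    out = []
    for can_id, hits in changed.items():
        for offset, rest_val, new_vals in hits:
            vals = ", ".join(f"0x{v:02X}" for v in new_vals)
            out.append(f"ID 0x{can_id:03X} byte {offset}: 0x{rest_val:02X} at rest -> {vals} during action")
    for can_id in new_ids:
        out.append(f"ID 0x{can_id:03X}: only seen during action")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(*find_candidates(BASELINE_LOG.splitlines(), ACTION_LOG.splitlines())))
```

On the constructed captures the only hit is byte 2 of ID 0x0A1 going from 0x00 to 0x01, plus ID 0x3E5 as a newcomer; the counter in 0x2C3 is correctly left out. With real logs you would feed `candump -l` files straight in, and repeat the action a few times so that genuine state changes survive while coincidental ones drop out.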
Playing with CAN and Exploring the Security Nightmare
There is so much potential for fun when you get on the CAN bus. The obvious includes things like making your instrument cluster scroll messages, and moving your windshield wipers to an asymmetrical delay. But digging a bit deeper there are some really crazy security issues here.
Craig discussed one to which you can immediately relate: if your vehicle can be paired to a phone over Bluetooth you can probably access your phone’s contacts through the CAN bus. How’s that for a challenge? Even more crazy is going the opposite way. The Bluetooth stack on an automobile is likely never to be updated. Find out the BT version on your car and look up any known vulnerabilities, then see if you can get all the way down to the CANbus by exploiting Bluetooth.
Yes, this is crazy. The only security for the CANbus is by obscurity. Manufacturers don’t publish a reference manual for CAN packets so car hacking involves a lot of reverse engineering to capture and make sense of these messages. One of the future goals of OpenGarages is to put together a crowdsourced database of these packets including import and export of Kayak and DBC message formats.
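A DBC file is where that reverse-engineering work ends up: each message (`BO_`) lists its signals (`SG_`) with a start bit, bit length, byte order (`@1` Intel/little-endian, `@0` Motorola/big-endian), sign, scaling factor and offset. The following added example (not from the talk or from OpenGarages) parses a small, entirely invented DBC fragment and decodes a constructed frame with it, so you can see what a crowdsourced database of these definitions would make possible. It follows the usual DBC convention that the start bit is the signal's LSB for Intel order and its MSB for Motorola order; message names, IDs and scalings are made up.

```python
import re
from dataclasses import dataclass

@dataclass
class Signal:
    name: str
    start: int            # DBC start bit: LSB for Intel, MSB for Motorola
    length: int
    little_endian: bool   # '@1' in DBC = Intel / little-endian, '@0' = Motorola / big-endian
    signed: bool
    factor: float
    offset: float
    unit: str

# Constructed DBC fragment: the message, signal names and scalings are invented.
DBC_TEXT = """\
BO_ 1024 ENGINE_STATUS: 8 ECM
 SG_ ENGINE_RPM : 0|16@1+ (0.25,0) [0|16383.75] "rpm" IPC
 SG_ COOLANT_TEMP : 16|8@1+ (1,-40) [-40|215] "degC" IPC
 SG_ THROTTLE_POS : 31|8@0+ (0.5,0) [0|100] "%" IPC
 SG_ STEER_ANGLE : 32|16@1- (0.5,0) [-780|780] "deg" IPC
"""

BO_RE = re.compile(r"^BO_\s+(\d+)\s+(\w+)\s*:\s*(\d+)\s+(\w+)")
SG_RE = re.compile(
    r'^\s*SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])\s*\(([^,]+),([^)]+)\)\s*\[[^\]]*\]\s*"([^"]*)"'
)

def parse_dbc(text):
    """Return {can_id: (message name, [Signal, ...])} from the BO_/SG_ lines of a DBC file."""
    db, current = {}, None
    for line in text.splitlines():
        m = BO_RE.match(line)
        if m:
            current = int(m.group(1))
            db[current] = (m.group(2), [])
            continue
        m = SG_RE.match(line)
        if m and current is not None:
            name, start, length, order, sign, factor, offset, unit = m.groups()
            db[current][1].append(Signal(name, int(start), int(length), order == "1",
                                         sign == "-", float(factor), float(offset), unit))
    return db

def raw_value(data, sig):
    """Extract a signal's unscaled integer using DBC bit numbering
    (bit n lives in byte n // 8 at bit position n % 8)."""
    def bit(n):
        return (data[n // 8] >> (n % 8)) & 1
    raw = 0
    if sig.little_endian:
        # Intel: start bit is the LSB and bit numbers increase towards the MSB.
        for i in range(sig.length):
            raw |= bit(sig.start + i) << i
    else:
        # Motorola: start bit is the MSB; walk down within the byte, then jump to
        # the MSB of the following byte.
        pos = sig.start
        for _ in range(sig.length):
            raw = (raw << 1) | bit(pos)
            pos = pos + 15 if pos % 8 == 0 else pos - 1
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length   # two's complement
    return raw

def decode_frame(db, can_id, data):
    """Decode one frame into {signal name: physical value}; unknown ids decode to {}."""
    if can_id not in db:
        return {}
    _name, signals = db[can_id]
    return {s.name: raw_value(data, s) * s.factor + s.offset for s in signals}

if __name__ == "__main__":
    db = parse_dbc(DBC_TEXT)
    # Constructed frame, candump notation: 400#E81C82786AFF0000
    print(decode_frame(db, 0x400, bytes.fromhex("E81C82786AFF0000")))
```

The constructed frame decodes to 1850 rpm, 90 degC coolant, 60 % throttle and a steering angle of -75 deg; the last one exercises the signed path, the throttle the Motorola path. Real DBC files carry more line types (value tables, attributes, multiplexed signals), which this parser simply ignores.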
One of the questions at the end of the talk asked about the OBD-II dongles being pushed by insurance companies right now. OBD-II is the standard connector to a vehicle’s CANbus, and these dongles give your insurer a Big-Brother-esque look at how you drive. But once on the CANbus they can harvest any information they want and can even write to it without any logging. This could even be used to rewrite firmware for devices like the airbag controller. The point isn’t that an insurance company would do this, but that allowing anyone access to the car’s network is a huge security hole.
Craig thinks that, at the very least, vehicles should have logging, and mentions that autonomous car research has taken an entirely different approach which by default doesn’t trust devices on the CANbus. Instead they use redundant sensor data to verify that each device is working and that its data can be trusted.
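What "don't trust the bus, cross-check it" can look like in practice is shown by this added example, a hypothetical monitor written for this article rather than anything the talk or the autonomous-vehicle projects it mentions actually ship. It applies two of the cheapest checks a node can make: a periodic signal that suddenly shows up far ahead of schedule is the signature of a second sender racing the genuine one, and a reading that disagrees with an independent sensor of the same quantity is not to be acted on. Every alert is logged, which is the other half of Craig's ask. The source names `speed_ecu` and `wheel_avg`, the 100 ms period and the spoofed reading are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    ts: float
    kind: str      # "timing" or "mismatch"
    source: str
    detail: str

class PlausibilityMonitor:
    """Hypothetical bus monitor: every sender is untrusted until its timing and
    its agreement with an independent sensor check out."""

    def __init__(self, period_s, period_tolerance, pair, max_diff):
        self.period = period_s                               # nominal broadcast period
        self.min_gap = period_s * (1 - period_tolerance)     # anything faster is suspect
        self.primary, self.redundant = pair                  # two independent sources of one quantity
        self.max_diff = max_diff                             # largest disagreement considered plausible
        self.last_ts = {}
        self.last_val = {}
        self.log = []                                        # every alert is kept, not just returned

    def observe(self, ts, source, value):
        """Feed one decoded reading; return the alerts it raised (also appended to self.log)."""
        alerts = []
        prev = self.last_ts.get(source)
        if prev is not None and ts - prev < self.min_gap:
            # A frame arriving well before its period is due: an extra sender on the bus.
            alerts.append(Alert(ts, "timing", source,
                                f"gap {ts - prev:.3f}s shorter than allowed {self.min_gap:.3f}s"))
        self.last_ts[source] = ts
        self.last_val[source] = value
        if self.primary in self.last_val and self.redundant in self.last_val:
            diff = abs(self.last_val[self.primary] - self.last_val[self.redundant])
            if diff > self.max_diff:
                alerts.append(Alert(ts, "mismatch", source,
                                    f"{self.primary}={self.last_val[self.primary]} vs "
                                    f"{self.redundant}={self.last_val[self.redundant]}"))
        self.log.extend(alerts)
        return alerts

def constructed_stream():
    """Invented readings: two sources agree every 100 ms, then one spoofed frame slips in."""
    events = []
    for i in range(14):
        ts = round(i * 0.1, 3)
        events.append((ts, "speed_ecu", 50.0))
        events.append((ts, "wheel_avg", 50.5))
        if i == 9:
            events.append((0.905, "speed_ecu", 0.0))   # injected: claims the car has stopped
    return sorted(events, key=lambda e: e[0])         # stable sort keeps same-time order

def run_demo():
    """Run the monitor over the constructed stream and return the logged alerts."""
    mon = PlausibilityMonitor(period_s=0.1, period_tolerance=0.1,
                              pair=("speed_ecu", "wheel_avg"), max_diff=5.0)
    for ts, source, value in constructed_stream():
        mon.observe(ts, source, value)
    return mon.log

if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.ts:.3f} {a.kind:8s} {a.source}: {a.detail}")
```

The injected frame trips both checks at once: it arrives 5 ms after the genuine one instead of 100 ms, and its claimed speed of zero is 50 km/h away from what the wheel sensors report. The genuine frame that follows at 1.0 s passes, since it is back on schedule and agrees with the redundant source. Tolerances are the tuning knobs here; too tight and normal jitter raises alarms, too loose and a well-timed injection slips through.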