Yes, You Should be Hacking Your Car’s Data System

If you own a car, I would wager it’s the most complex device you own. Within you find locomotion, safety systems, and an entertainment system that may be using technology from several decades ago (but that’s a rant for a different article). Jalopy or Sweet Hotness, your ride has an underlying data network that is a ton of fun to hack, and something of a security dinosaur. Both were discussed by Craig Smith and Erik Evenchick during their talk on Car Hacking tools at Hope XI.

You should recognize both of these names. Eric Evenchick is a Hackaday contributor who has been traveling the world presenting talks and workshops on his open source car hacking hardware called CANtact. Craig Smith is founder of OpenGarages and author of the Car Hacker’s Handbook which we highly recommend. The pair made a great joint presentation; both were charismatic, using wit to navigate through the hardware, software, techniques, and goals you want to have in mind to jump into car hacking.

It’s all in the CAN

One thing you can almost always say about automotive is that they have robust and well-defined standards. There are so many vehicles on the road and the support for that hardware needs to last so long that parts tend to be standardized and documentation can almost always be found. Every car has a standardized port to patch into the CANbus — the system that carries data to every piece of electronics in the vehicle. Want to roll down the window, change the radio station from the steering wheel, or tweak the mix going into the combustion chamber? Look to the CANbus.

To the uninitiated this can be scary, but there are a ton of options to ease you into CANbus hacking. You can try your hand and reading, parsing, reverse engineering, and formulating CAN messages in software if you like. Craig has put together two software trainers. The first is based on SuperTuxKart (think Mario Kart for the Linux crowd) which spits out accurate CAN messages as you drive the Kart around. The second, called ICsim, uses a gaming controller to operate a virtual vehicle and is much more sophisticated aimed at teaching reverse engineering. The output includes many more messages (like the noisy deluge you see on a real vehicle) and challenges you to sleuth your way to associate meaning with the messages you are hunting for.

Your Car’s Hardware (for the brave) or Fake It (for the meek)

Junkyard acquired test bench (via @OpenGarages)
Junkyard acquired test bench (via @OpenGarages)

You can just jump right into plugging hardware into your own car and hacking away. Craig knows that may be a hard sell so he has a clever solution: hit the junkyard and build a test bench on the cheap.

Here you can see an instrument cluster, Electronic Control Unit (ECU), and the keys. Connect everything together, throw in a 12V PSU and you’ve got most of the interesting bits you’d want. Craig uses a couple of trimpots to stand in for the fuel level and engine temperature which are resistive sensors.

Whether hacking your own car or a junkyard unit you need a tool that can speak the language of the CANbus. The good news is that there are many options and for the most part they’re in the sub-$100 range. This is where Eric Evenchick’s part of the talk comes into play.

cantactCANtact hasn’t had a ton of coverage yet on Hackaday. We featured it just after release but it would be great to hear more about what people are accomplishing with the hardware so send in a tip if you have a good story. The device is a USB-to-CANbus bridge that speaks to all of the best CAN hacking tools.

As we heard during Eric’s village talk at DEF CON last year, the CANtact plays nicely with socketCAN which is the go-to suite of open source CAN hacking software (eg: candump, cansniffer, cansend, cangw). But since then he has developed a new cross-platform Java app to help open up CANtact for use on OSX/WIN.

Playing with CAN and Exploring the Security Nightmare

There is so much potential for fun when you get on the CAN bus. The obvious includes things like making your instrument cluster scroll messages, and moving your windshield wipers to an asymmetrical delay. But digging a bit deeper there are some really crazy security issues here.

Craig discussed one to which you can immediately relate: if your vehicle can be paired to a phone over Bluetooth you can probably access your phone’s contacts through the CAN bus. How’s that for a challenge? Even more crazy is going the opposite way. The Bluetooth stack on an automobile is likely never to be updated. Find out the BT version on your car and look up any known vulnerabilities, then see if you can get all the way down to the CANbus by exploiting Bluetooth.

Yes, this is crazy. The only security for the CANbus is by obscurity. Manufacturers don’t publish a reference manual for CAN packets so car hacking involves a lot of reverse engineering to capture and make sense of these messages. One of the future goals of OpenGarages is to put together a crowdsourced database of these packets including import and export of Kayak and DBC message formats.

One of the questions at the end of the talk asked about the ODB-II Dongles being pushed by insurance companies right now. ODB-II is the standard connector to a vehicle’s CANbus and this gives your insurance a Big-Brother-esque look at how you drive. But once on the CANbus they can harvest any information they want and can even write to it without any logging. This could even be used to rewrite firmware for devices like the airbag controller. The point isn’t that an Insurance company would do this, but that allowing access by anyone to the car’s network is a huge security hole.

Craig thinks at the very least vehicles should have logging and mentions that autonomous car research has taken an entirely different approach which by default doesn’t trust devices on the CANbus. Instead they use redundant sensor data to verify that each device is working and that its data can be trusted.

45 thoughts on “Yes, You Should be Hacking Your Car’s Data System

  1. Actually on topic, just finished this last night:

    USB powered CAN sniffer and display to read out the state of a Nissan Leaf Battery Pack.
    For use when salvaging battery packs from wrecked Leafs (Leaves?).

    1. I love the idea, both parts, but..
      I’ve heard this suggestion a couple times, but, please, where can you find leafs (or any ev/hybrid) to salvage from?? I’venever seen any available anywhere! The closes I’ve ever found are a few hybrids at police auction, but tthat’s nowhere near ‘grab some pieces’ prices…

      1. Thank you!
        It was definitely meant as a general question, since i can’t possibly be the only one who’s run into this difficulty.
        Personally, I’m in las Vegas, nv, usa, and more specifically interested in the gm second generation BAS system and the potential to adapt it to an other vehicle (I’ve seen the generator motor new for $550). Depending on total price, it could be an impressive boost for any vehicle, if I can get one to adapt…

        Also, I apologize for my grammar and spelling, apparently SwiftKey ddoesn’t like this text box!

        1. Hey, do you have a site, blog, or thread to follow? I too would like to divine the secrets of BAS. I see a lot of GM hybrid trucks broken and dirt cheap. I think they don’t actually break that much they’re just beyond the typical wrencher when they get down the cheap end of the market. Either would like to use parts to implement on a completely different vehicle, or at least figure how to fo gm to gm retrofits.

      2. I would live to know of a reliable source in Australia. Priuses (Prii?) are pretty common here and I’ve seen 1 Leaf and a couple Teslas… but nothing in terms of used/wrecked availability.

      1. You can also get most of the info from the dash board display…
        If you have a mostly intact car. ;)

        Usually the main high voltage disconnect is pulled (at the scene of the accident), and the salvage yard will not allow you to put it back in, (they don’t have it anyway).

        Leaf Spy will work if have an intact OBD2 port, and Ironically, a way to power the battery.
        Salvage yards tend to get suspicious if you are carrying around a 12V car battery. ;)

        Most of the time the battery pack will already be pulled and sitting on the ground.
        High voltage battery packs are a hot commodity these days, and usually worth what they just just paid to the insurance company for the salvage, so they are first item to get sold.

        This is like any other purpose built tool, it has one job, you an just walk up to a battery pack, plug in and then a few seconds later know what state it is in.

        Also, I enjoyed building it. ;)

        1. The dash display won’t indicate any battery degradation until it reaches 85% of original capacity, so it’s not very useful if you’re looking for a battery in excellent shape.

    2. Actually now it is finished:

      There was one firmware bug in the previous version (shows up in the part 2 video at 3:03), [DrSegatron] noticed that the average cell voltage was higher than the highest cell…

      The first pass I sum all the cells and divide by 96.
      But each pass after that I never cleared that value from the sum.
      So the next pass started with the last average value then summed in the 96 cells, then divided by 96. This caused the average cell voltage to creep up with each pass (97/96).

      It is fixed now. :)

      Thanks again to [DrSegatron]. :D

        1. I may or may not have a couple hanging about that I could do a teardown on if there’s interest. Let me dig up the parts and see if there’s anything cool going on.

        2. Actually Hackaday featured a (partial) teardown a while back. The dongle was well photographed after removing the outer shell.
          http://hackaday.com/2014/12/14/hackaday-links-december-14-2014/

          In the comments we speculated how they worked based on the visible chips. Surprisingly there were no accelerometer ICs or GPS hardware found. Instead there was a small cylinder that I suspect was a omnidirectional G-force threshold sensor. This sensor combined with OBD-II ABS brake data should be enough for the insurance companies to spot the “hard braking” events that they want.

          1. Borrowed my daughter’s car with one of those in it. Apparently I’m a “hard braker”, because the thing beeped like crazy at me. If they are basing rates on what they’re sensing, their algorithm sucks. Example: light turns yellow, so you brake hard not to go through it (vs not braking and running it). What’s the desired behaviour? Another example: hard braking detection while parking. Huh? Brake hard to let someone out into traffic. Perhaps I’m a crappy driver, or perhaps driving in Boston means you need to keep on your toes and react quickly.

      1. The easy way around that is to simply spoof NOP’s (e.g. pretend it’s your weekend driver car and you just bike to the metro to get to work everyday, so you don’t have to simulate any accelerometer or GPS device information). Log yourself driving like grandma for 50 miles RT and use that as a model with random variance scattered in.
        Caveat lector – Almost certainly DMCA violation bullshit territory, if not possibly worse (falls into the same ‘tampering with odometer’ stuff you can’t do)

        1. Almost certainly would qualify as insurance fraud, so unless you enjoy jail time, I’d recommend NOT to do this on an active dongle. Or at least make sure to iron out the details on an offline dongle first ;)

  2. Yup, it’s on my To-Do list. Started a simple project just reading the OBD2 data and found out that my car apparently implemented only the most bare bone command set possible (allowed?).

  3. I wish you had wagered something, as the most complex part of my car is maybe the mechanical throttle linkage or the brake drums themselves. The single circuit non-assist brake circuit sure isn’t. Nor are the safety systems that aren’t in place, and the lack of seat belts sure eliminates the need for retractors, tensioners, and crash detection there.
    It’s a pretty simple machine in all honesty, and it would have been nice to have won something in a wager related to it with how hard parts are to find.

  4. It’s OBD, not ODB, isn’t it?
    So, rather “onboard diagnostics” than “obscured data bus”, as I grok it.
    Maybe a freudian mixup with DB2, but that one is unlikely to be installed inside a car system.

    1. As far as I know, OBD is the only correct way. I thought the misspelling was amusing until it made finding a previously misspelled Hackaday post difficult to find (my link in a comment above). Apparently spelling OBD as ODB is an epidimic level event on hackaday, not limited to any single author. Even some of the tags contain the misspelling. Almost five pages of google search results. But of course some of those are the fault of the commenters.
      http://www.google.com/search?q=“ODB”+site:hackaday.com/blog

  5. Wonder what would be on a 1985 Corvette? No, not testing on mine, but I think that it uses an early form of OBD-II. If someone else knows feel free to correct me on this.

      1. Thank you for the info. So I’m also guessing that any type of malicious software that targets the CANBus wouldn’t affect my vehicle. Since the rouge software wouldn’t understand the older programming and or interface signals, correct?

        1. CAN bus is even newer than OBD2. CAN is not likely to be found on the OBD2 connector on any car prior to 2005 or so. Historically there are FOUR different physical layer protocols used on OBD2! Now, CAN is mandated.

  6. It’ll only cost you tens of thousands of dollars if you mess anything up. Mechanics are like people in pharma and medical these days printing their own money especially at dealerships..

    I have a print out of your trouble codes.. That’ll be $75.00.. o2 sensor replacement? Just give me $300.00.. I work cheap

    1. It also costs tens of thousands when they mess anything up, and these were the folks without high enough math and science grades to go to university…. so I fix my own.

      1. I can fix them too, but if you go to a work place at least 40 hours a week it’s not an option to do something like repair heads or main bearings or patch a main wiriing harness with a short. ECM, TCM, BCM, SCM stuff is worse since it takes expensive tools. Even Charlie Miller couldn’t get around being dependent on a 1,200 dollar flash tool and subscription with all his reverse engineering skills

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s