I just had my car in for an inspection and an oil change. The garage I take my car to is generally okay; they’re more honest than a stealership, but they don’t cross all their t’s and dot all their lowercase j’s. A few days after I picked up my car, lo and behold, I noticed the garage didn’t do a complete oil change. The oil life indicator wasn’t reset, which means every time I turn my car on, I’ll have to press a button to clear an ominous glowing warning on my dash.
For my car, resetting the oil life indicator is a simple fix – I just need to push the button on the dash until the oil life indicator starts to blink, release, then hold it again for ten seconds. I’m at least partially competent when it comes to tech and embedded systems, but even for me, resetting the oil life sensor in my car is a bit obtuse. For the majority of the population, I can easily see this being a reason to take a car back to the shop; the mechanic either didn’t know how to do it, or didn’t know how to use Google.
The two most technically complex things I own are my car and my computer, and there is much more information available on how to fix or modify any part of my computer. If I had a desire to modify my car so I could read the value of the tire pressure monitors, instead of only being notified when one of them is too low, there’s nowhere for me to turn.
2015 was the year of car hacks, ranging from hacking ECUs to pass California emissions control standards, Google and Tesla’s self-driving cars, to hacking infotainment systems to drive reporters off the road. The lessons learned from these hacks are a hodge-podge of forum threads, conference talks, and articles scattered around the web. While you’ll never find a single volume filled with how to exploit the computers in every make and model of automobile, there is space for a reference guide on how to go about this sort of car hacking.
I was given the opportunity to review The Car Hacker’s Handbook by Craig Smith (259p, No Starch Press). Is it a guide on how to plug a dongle into my car and clear the oil life monitor the hard way? No, but you wouldn’t want that anyway. Instead, it’s a much more informative tome on penetration testing and reverse engineering, using cars as the backdrop, not the focus.
Craig Smith is one of the founders of Open Garages, one of the best repositories for vehicle documentation that you won’t find in a Haynes manual. He’s been in the car hacking game for a long time, too. One of his first car hacks, back when the extent of car hacking was modifying an ECU, was a complete teardown of the navigation system in his 2009 Civic. There’s depth and breadth to Craig’s knowledge, a necessity when it comes to reverse engineering a car.
Reverse Engineering. Also, Cars.
Were it not for vehicle-specific communications protocols and mentions of ECUs, The Car Hacker’s Handbook could easily lose the word ‘Car’ from the title. I don’t think this is a bad thing. This is an introduction to pen testing, finding exploits, and futzing around with embedded electronics. It’s not a guide on tuning a Miata or making your nav system work after you’ve decided OnStar isn’t worth $250 a year.
The clearest example of this focus on reverse engineering, instead of modifying cars, is Chapter 8, Attacking ECUs and Other Embedded Systems. This is quite literally a tutorial on reverse engineering anything. The chapter begins with the sub-heading, ‘Analyzing Circuit Boards’, with the simple instruction, “When reversing a circuit board, first look at the model number of the microcontroller chips on the board.” This is how you begin to break down every bit of electronics, from cheap WiFi routers to broken Internet of Things devices.
The chapter on Attacking Embedded Systems goes through the usual tools – the JTAGulator, using an STM32 Discovery board for its SWD functionality, to side channel analysis with the ChipWhisperer. The only thing missing from this book is dropping acid and looking at the layers of metal and polysilicon in a chip, a subject that could fill several volumes.
Of course, this focus on the tools and techniques of reverse engineering is not at the expense of proper, traditional car hacking. The classic car hack – removing the 27-series ROM from an engine control unit and tuning a car with a pattern of bits and bytes – is still covered. Hacking infotainment displays is there, and there’s even a chapter dedicated to Vehicle to Vehicle communications, the next great advancement of our interstate highway system that’s been around for 20 years. This is, after all, a book on car hacking.
The Ethics of
There are bigger names than Craig Smith in the world of car hacking. Before last year’s Def Con, Charlie Miller and Chris Valasek made a name for themselves by taking a Wired writer out for a spin on a public highway. This was widely regarded as a bad move, even if it was great for publicity. You simply don’t remotely commandeer a vehicle while someone is driving it on a highway. Charlie and Chris had the opportunity to use a closed track for this demo for a tech journo, but didn’t. I can’t say I blame them; the press they got from that stunt was incredible.
George Hotz pulled a similar stunt with Bloomberg, putting a self-driving car on I-280 in San Francisco. Yes, the self-made self-driving car worked as intended, but George did put a relatively untested system on the open road, with idiots texting and driving in the next lane.
The most important trait a person can have is the ability to differentiate between what is legal and what is ethical. The car hacks that have received the most attention are neither. Charlie Miller’s exploit is simply awesome, and George Hotz’s self-driving car is easily several PhD theses, but test tracks exist. There is no reason to put these cars on the road until sufficient testing is done.
Craig Smith falls on the safer side of garnering media attention. All of his modifications are on a test bench. According to a Reddit AMA, he avoids demonstrating his exploits on real cars at all costs. This, by the way, is the standard way of doing things. No, vehicle exploits done in a controlled, non-public environment are not the most widely reported – that’s just a function of how much attention illegal and unethical vehicle exploits receive.
This focus on safety extends to Craig’s introduction of threat models before introducing the reader to the CAN bus. The Car Hacker’s Handbook is not a book telling the reader how to control everything in three thousand pounds of rolling steel. It’s a book telling the reader how to control a ton and a half of rolling death safely.
This is first and foremost a book about hacking the electronics in cars. The skills required to modify an ECU, snoop the CAN bus, or update your sat nav maps without shelling out hundreds are the same skills required to install OpenWRT on a weird router and install Linux on a hard drive the hard way. Craig provides an excellent introduction to what can be done to hack a car, but presents it under the banner of hacking, without cars involved at all.
The full title of this book is, The Car Hacker’s Handbook: A Guide for the Penetration Tester. The heading and subheading should be swapped, and that’s a good thing. This is a guide on how to reverse engineer, exploit, and modify any kind of embedded system; cars are just the example. Craig presents this in a way that is eminently comprehensible and spends enough time reinforcing the idea of hacking a car safely, legally, and ethically. It’s a great read, an excellent introduction to fiddling with embedded bits, and truly owning the devices you’ve already purchased.