canbus

Car Security Experts Dump All Their Research and Vulnerabilities Online

May 14, 2017 by 86 Comments

[Charlie Miller] and [Chris Valasek] Have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates which were rolled out in response to their Hacking of a Cherokee in 2015.

FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with the 2015 hack, issuing them all a patch. However the patch wasn’t all that great it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interesting in hacking or even just messing around with cars via the CAN bus. It goes on to chronicle multiple hacks, from changing the speedometer to remotely controlling a car through CAN message injection. And this release isn’t limited to Jeep. The research covers a massive amount of topics on a number of different cars and models so if you want to do play around with your car this is the car hacking bible you have been waiting for.

Jeep are not too happy about the whole situation. The dump includes a lot of background for vehicles by multiple manufactureres. But the 2015 hack was prominent and has step by step instructions. Their statement on the matter is below.

Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

Bil Herd Asks OBD “How Fast am I Going?”

February 15, 2017 by 85 Comments

Whenever I end up with a new vehicle I ultimately end up sticking in a new GPS/Receiver combination for better sound quality and a better GPS.

I am quite at home tearing into a dashboard as I was licensed to install CB radios in my teens as well as being the local go-to guy for 8-track stereo upgrades in the 70’s. I have spent a portion of my life laying upside down in a puddle on the car floor peering up into the mess of wires and brackets trying to keep things from dropping on my face. If you remember my post on my Datsun 280ZXT, I laid in that same position while welding in a clutch pedal bracket while getting very little welding slag on my face. I did make a note that the next time I convert a car from an automatic to a manual to do so while things are still disassembled.image15

Swapping out a factory radio usually involves choosing whether to hack into the existing factory wiring wire-by-wire, or my preference, getting a cable harness that mates with the factory plug and making an adapter out of it by splicing it to the connector that comes with the new radio.

Usually I still have to hunt down a few signals such as reverse indicator, parking brake indicator, vehicle speed sensor and the like. In my last vehicle the Vehicle Speed Sensor (VSS) wire was supposed to be in the factory harness, but driving experience showed it must not be as the GPS would show me driving 30 feet to the right of the highway. That and the calibration screen on the GPS verified that it was not receiving speed pulses.

Continue reading “Bil Herd Asks OBD “How Fast am I Going?””

Look What Showed Up For Bring-A-Hack At OSH Park

October 15, 2016 by 10 Comments

Hackaday was in Portland last weekend for the Open Hardware Summit. I did a brief recap earlier this week but this post has been on my mind the entire time. The night before the summit, OSH Park (the Purveyors of Perfect Purple PCBs which we all know and love) hosted a Bring-A-Hack at their headquarters. [Laen] knows how to throw a party — with a catered spread and open bar which all enjoyed. The place was packed with awesome hackers, and everyone had something amazing to show off.

In fact, there were far too many people showing off hardware for me to capture all in one evening. But join me after the jump for six or seven examples that really stuck out.

Continue reading “Look What Showed Up For Bring-A-Hack At OSH Park”

Raspberry Pi Adds A Digital Dash To Your Car

September 28, 2016 by 36 Comments

Looking for a way to make your older car more hi-tech? Why not add a fancy digital display? This hack from [Greg Matthews] does just that, using a Raspberry Pi, a OBD-II Consult reader and an LCD screen to create a digital dash that can run alongside (or in front of ) your old-school analog dials.

[Greg’s] hack uses a Raspberry Pi Foundation display, which includes a touch screen, so you don’t need a mouse or other controls. Node.js displays the speed, RPM, and engine temperature (check engine lights and other warnings are planned additions) through a webpage displayed using Chromium. The Node page is pulling info from another program on the Pi which monitors the CAN Consult bus. It would be interesting to adapt this to use with more futuristic displays, maybe something like a pico projector and a 1-way mirror for a heads-up display.

To power the system [Greg] is using a Mausberry power supply which draws power from your car battery, but which also cleanly shuts down the Pi when the ignition is turned off so it won’t drain your battery. When you throw in an eBay sourced OBD-II Consult reader and the Consult Dash software that [Greg] wrote to interpret and display the data from the OBD-II Consult bus, you get a decent digital dash display. Sure, it isn’t a Tesla touchscreen, but at $170, it’s a lot cheaper. Spend more and you can easily move that 60″ from your livingroom out to your hoopty and still use a Raspberry Pi.

What kind of extras would you build into this system? Gamification of your speed? Long-term fuel averaging? Let us know in the comments.

UPDATE – This post originally listed this hack as working from the OBD-II bus. However, this car does not have OBD-II, but instead uses Consult, an older data bus used by Nissan. Apologies for any confusion!

Continue reading “Raspberry Pi Adds A Digital Dash To Your Car”

Hackaday Prize Semifinalist: CANcrusher

August 25, 2015 by 11 Comments

In 2007, everyone discovered you could blink an LED with an Arduino. A few years after that, someone discovered you could make a PID controller work with an Arduino, and a great number of sous vide cooker hacks showed up on the Internet. Trends in electronics projects come and go, and this year we have CANbus sniffers and development platforms. One of these CAN dev platforms, CANcrusher, is a semifinalist for the Hackaday Prize, and does a great job at poking and prodding a CANbus.

Like a lot of very excellent projects, the CANcrusher is based on a Teensy 3.1 microcontroller. This, along with the MCP2515 CAN controller gives the CANcrusher three independent CAN channels supporting DW-CAN, SW-CAN, and LSFT. The software for the device can stream data directly to a computer over USB.

Simply providing an interface for a CAN bus is something that has been done to death, and to improve upon the many CANbus projects out there, the CANcrusher is adding Bluetooth, a GSM radio, SD datalogging, and a real time clock. It’s a great project for the Hackaday Prize with multiple videos explaining how it works and what it can do. You can check out the entry video for the CANcrusher below.

The 2015 Hackaday Prize is sponsored by:

Continue reading “Hackaday Prize Semifinalist: CANcrusher”

Remotely Controlling Automobiles Via Insecure Dongles

January 21, 2015 by 56 Comments

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some ODBII dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s ODBII diagnostic port. The device can monitor sensor data from your vehicle and them perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the ODBII connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then setup a rogue cellular tower to perform a man in the middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking hte doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device that monitors your driving habits via the ODBII port called SnapShot. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man in the middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have too in order to prove his point.

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Hackaday Links: October 27, 2013

October 27, 2013 by 12 Comments

hackaday-links-chain

[Kyle] came across a project which he thinks is “simply elegant”. If you don’t already have a PCB vice, here’s an easy way to build one of your own.

This one’s so good but alas it’s not a hack. Check out the slideshow tour at UC Boulder’s Fiske Planetarium. You get a really cool look at the hardware that makes the dome and projector such a great experience. [via Reddit]

Here’s a schematic and a couple of snapshots of [Trax’s] CAN bus hacking rig. He plans on doing a tutorial but decided to share this link after reading the first part of our own CAN hacking series.

These strings of LEDs bump to the tunes. [Alex] is using GrooveShark as a frequency analyzer, then pushing commands via Node.js to the Arduino controlling the lights. It’s all planned for the back porch during his Halloween party.

We remember drilling holes in the 3.5″ floppy discs (we even made a wood jig for this) to double their capacity. A similar blast from the past was to punch a notch in the larger 5.25″ versions to make them double-sided.

If you’re trying to learn about FFT [Ronald] highly recommends this website. We didn’t do too much poking around because it’s kind of strange. But if you do get sucked in and have fun with it leave a comment to let others know it’s worth their attention.

We suppose that using 39 Raspberry Pi boards and their camera modules isn’t the worst way to build a huge 3D model capture rig. The results certainly are impressive. [Thanks Wouter]