Blackberry Eyes Up Car Anti-Virus Market

May 19, 2017 by Jack Laidlaw 73 Comments

[Reuters] reports that BlackBerry is working with at least two car manufacturers to develop a remote malware scanner for vehicles, On finding something wrong the program would then tell drivers to pull over if they were in critical danger.

The service would be able to install over-the-air patches to idle cars and is in testing phase by Aston Martin and Range Rover. The service could be active as early as next year, making BlackBerry around $10 a month per vehicle.

Since the demise of BlackBerry in the mobile phone sector, they’ve been hard at work refocusing their attention on new emerging markets. Cars are already rolling computers, and now they’re becoming more and more networked with Bluetooth and Internet connections. This obviously leaves cars open to new types of attacks as demonstrated by [Charlie Miller] and [Chris Valasek]’s hack that uncovered vulnerabilities in Jeeps and led to a U.S. recall of 1.4 million cars.

BlackBerry seem to be hedging their bets on becoming the Kingpin of vehicle anti-virus. But do our cars really belong on the Internet in the first place?

Car Security Experts Dump All Their Research And Vulnerabilities Online

May 14, 2017 by Jack Laidlaw 81 Comments

[Charlie Miller] and [Chris Valasek] Have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates which were rolled out in response to their Hacking of a Cherokee in 2015.

FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with the 2015 hack, issuing them all a patch. However the patch wasn’t all that great it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interesting in hacking or even just messing around with cars via the CAN bus. It goes on to chronicle multiple hacks, from changing the speedometer to remotely controlling a car through CAN message injection. And this release isn’t limited to Jeep. The research covers a massive amount of topics on a number of different cars and models so if you want to do play around with your car this is the car hacking bible you have been waiting for.

Jeep are not too happy about the whole situation. The dump includes a lot of background for vehicles by multiple manufactureres. But the 2015 hack was prominent and has step by step instructions. Their statement on the matter is below.

Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

Reverse Engineering The Smart ForTwo CAN Bus

February 28, 2017 by Lewin Day 33 Comments

The CAN bus has become a defacto standard in modern cars. Just about everything electronic in a car these days talks over this bus, which makes it fertile ground for aspiring hackers. [Daniel Velazquez] is striking out in this area, attempting to decode the messages on the CAN bus of his Smart ForTwo.

[Daniel] has had some pitfalls – first attempts with a Beaglebone Black were somewhat successful in reading messages, but led to strange activity of the car and indicators. This is par for the course in any hack that wires into an existing system – there’s a high chance of disrupting what’s going on leading to unintended consequences.

Further work using an Arduino with the MCP_CAN library netted [Daniel] better results, but it would be great to understand precisely why the BeagleBone was causing a disturbance to the bus. Safety is highly important when you’re hacking on a speeding one-ton metal death cart, so it pays to double and triple check everything you’re doing.

Thus far, [Daniel] is part way through documenting the messages on the bus, finding registers that cover the ignition and turn signals, among others. Share your CAN hacking tips in the comments. For those interested in more on the CAN bus, check out [Eric]’s great primer on CAN hacking – and keep those car hacking projects flowing to the tip line!

First Look: Macchina M2

February 21, 2017 by Eric Evenchick 49 Comments

In the past few years, we’ve seen a growth in car hacking. Newer tools are being released, which makes it faster and cheaper to get into automotive tinkering. Today we’re taking a first look at the M2, a new device from the folks at Macchina.

The Macchina M1 was the first release of a hacker friendly automotive device from the company. This was an Arduino compatible board, which kept the Arduino form factor but added interface hardware for the protocols most commonly found in cars. This allowed for anyone familiar with Arduino to start tinkering with cars in a familiar fashion. The form factor was convenient for adding standard shields, but was a bit large for using as a device connected to the industry standard OBD-II connector under the dash.

The Macchina M2 is a redesign that crams the M1’s feature set into a smaller form factor, modularizes the design, and adds some new features. With their Kickstarter launching today, they sent us a developer kit to review. Here’s our first look at the device.

Continue reading “First Look: Macchina M2” →

One Hundred Weeks Of Legal Car Hacking

November 10, 2016 by Al Williams 33 Comments

There is a scene in the movie “Magic Mike” where the lead character — a male stripper — explains to a room of women the laws against having physical contact with a performer. Then he intones, “… but I see a lot of lawbreakers up in this house.”

We know if we could look out through the Web browser, we could say the same thing. There’s a lot of gray zone activities considered commonplace. Have you ever ripped a CD or DVD to take with your on your phone? Gray; we won’t judge. A lot of the legal issues involved are thorny (and I should point out, I’m not a lawyer, so take what I say with a grain of salt).

Do you own your car? Well, probably you and the bank, but certainly the deal you made involves the idea that you own the car. If it is paid off, you can do what you like with it, including — if you wanted to — stripping it bare for parts. Back in the day, your car was some wheels and some mechanical devices. These days, it is a computer (actually, a few computers) and some I/O devices that process gasoline into rotary motion. Computers have software. Do you own that software?

The answer has, legally, been no. However, a recent decision by the US Copyright office allows car owners to legally analyze and modify their vehicle software (with some limitations) for the next two years. After that? We’ll see.

Continue reading “One Hundred Weeks Of Legal Car Hacking” →

Books You Should Read: The Car Hacker’s Handbook

June 23, 2016 by Brian Benchoff 44 Comments

I just had my car in for an inspection and an oil change. The garage I take my car to is generally okay, they’re more honest than a stealership, but they don’t cross all their t’s and dot all their lowercase j’s. A few days after I picked up my car, low and behold, I noticed the garage didn’t do a complete oil change. The oil life indicator wasn’t reset, which means every time I turn my car on, I’ll have to press a button to clear an ominous glowing warning on my dash.

For my car, resetting the oil life indicator is a simple fix – I just need to push the button on the dash until the oil life indicator starts to blink, release, then hold it again for ten seconds. I’m at least partially competent when it comes to tech and embedded systems, but even for me, resetting the oil life sensor in my car is a bit obtuse. For the majority of the population, I can easily see this being a reason to take a car back to the shop; the mechanic either didn’t know how to do it, or didn’t know how to use Google.

The two most technically complex things I own are my car and my computer, and there is much more information available on how to fix or modify any part of my computer. If I had a desire to modify my car so I could read the value of the tire pressure monitors, instead of only being notified when one of them is too low, there’s nowhere for me to turn.

2015 was the year of car hacks, ranging from hacking ECUs to pass California emissions control standards, Google and Tesla’s self-driving cars, to hacking infotainment systems to drive reporters off the road. The lessons learned from these hacks are a hodge-podge of forum threads, conference talks, and articles scattered around the web. While you’ll never find a single volume filled with how to exploit the computers in every make and model of automobile, there is space for a reference guide on how to go about this sort of car hacking.

I was given the opportunity to review The Car Hacker’s Handbook by Craig Smith (259p, No Starch Press). Is it a guide on how to plug a dongle into my car and clear the oil life monitor the hard way? No, but you wouldn’t want that anyway. Instead, it’s a much more informative tome on penetration testing and reverse engineering, using cars as the backdrop, not the focus.

Continue reading “Books You Should Read: The Car Hacker’s Handbook” →

EFF Granted DMCA Exemption: Hacking Your Own Car Is Legal For Now

October 30, 2015 by Elliot Williams 19 Comments

The Digital Millennium Copyright Act (DMCA) is a horrible piece of legislation that we’ve been living with for sixteen years now. In addition to establishing a de-facto copyright for the design of boat hulls (don’t get us started!), the DMCA includes a Section 1201 which criminalizes defeating encryption in cases where such could be used to break copyright law.

Originally intended to stop the rampant copying of music in the Napster era, it’s been abused to prevent users from re-filling their inkjet cartridges and to cover up rootkits. In short, it’s scope has vastly exceeded its original aims. And we take it personally, because we like to take stuff apart and see how it works.

The only bright light in this otherwise dark, dark tunnel is the possibility to petition for exemptions to Section 1201 for certain devices and purposes. Just a few days ago, the EFF won a slew of DMCA exemptions, including the contentious exemption for bypassing automobiles’ encryption to check out what’s going on in the car’s firmware. The obvious relevance of the ability for researchers to inspect cars’ firmware in light of the VW scandal may have helped overcome strong pushback from the car manufacturers and the EPA.

The other exemption that caught our eye was the renewal of protection for people who need to hack old video games to keep them playable, jailbreak phones so that you can run an operating system of your choosing on it, and even the right to copy content from a DVD for remixes and excerpts.

This is all good stuff, but it’s a little bit sad that the EFF has to beg every three years to enable us all to do something that wasn’t illegal until the DMCA was written. But don’t take my word for it, have a listen to Cory Doctorow’s much more eloquent rant.

(Banner image courtesy [Kristoffer Smith], who we covered on car hacking way back when.)