
2014 Car Hackers Handbook - Car Hackers Handbook - OpenGarages

Date post:31-Mar-2018
  • Table of Contents

    Read This First

    Understanding Attack Surfaces

    Infotainment Systems

    Vehicle Communication Systems

    Engine Control Unit

    CAN Bus Reversing Methodology

    Breaking the Vehicle

    CAN Bus Tools

    Weaponizing CAN Findings

    Attacking TPMS

    Ethernet Attacks

    Attacking Keyfobs and Immobilizers

    FLASHBACK - Hotwiring

    Attacking ECUs and other Embedded Systems

    What does your hacker garage need?

    Creative Commons

  • READ THIS FIRST

    This book is distributed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license, in part due to my belief in the open source community and also as a hat tip to Cory Doctorow's license. This license means:

    You are free:

    - to Share: to copy, distribute and transmit the work
    - to Remix: to adapt the work

    Under the following conditions:

    - Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).

    - Noncommercial. You may not use this work for commercial purposes.

    - Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

    - For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link: http://opengarages.org/handbook/

    - Any of the above conditions can be waived if you get my permission.

    More info here: http://creativecommons.org/licenses/by-nc-sa/3.0/
    See the end of this manual for full legal copy information.

    The only exception is the cover of this book. The cover art is under a proprietary license that cannot be repurposed.


  • Introduction

    Congratulations! You just purchased your first real Owner's manual. This manual doesn't focus on what all those dashboard lights are, but on how to control them.

    Modern vehicle manufacturers have moved away from making it easy to understand and custom mod your own purchased vehicle. This book is here to help!

    If you read this manual all the way through, it will detail how to perform a full security evaluation of your vehicle. It is organized in sections so you can go straight to the parts you care about.

    Benefits of Car Hacking

    Honestly, if you are holding this manual I would hope you would have a clue why you are doing so. However, if approached and asked why you are hacking cars, we made this handy checklist for you to use!

    - Understand How Your Vehicle Works - The automotive industry has churned out some amazing vehicles, but has released little information on what makes them work. Understanding how the vehicle communicates will help you diagnose and troubleshoot car problems.

    - Work on the Electrical Side - As vehicles have evolved, they have become less mechanical and more electronic. Unfortunately these systems are typically closed off to mechanics. While dealerships have access to more information than you can typically get, the auto manufacturers themselves outsource parts and require proprietary tools to diagnose problems. Learning how your vehicle's electronics work can help you bypass this barrier.

    - Car Mods - Understanding how the vehicle communicates can lead to much better modifications. These can improve fuel consumption, provide third-party replacement parts, or anything you can dream of. Once the communication system is known, you can seamlessly integrate other systems into your vehicle.

    - Discover Undocumented Features - Sometimes vehicles come equipped with special features simply disabled or not exposed. Discovering undocumented or disabled features can enable you to use your vehicle to its fullest potential.

    - Validate the Security of your Vehicle - As of this writing, the safety guidelines for vehicles do not address threats of malicious electronic nature. While vehicles are susceptible to the same malware your desktop gets, automakers are not required to audit the security of their electronics. We drive our families around in these vehicles. By understanding how to hack your car you will know how vulnerable your vehicle is and can take precautions while advocating for higher standards.

    About the Author

    Craig Smith runs a research firm, Theia Labs, that focuses on security auditing and building hardware and software prototypes. He has worked for several auto manufacturers and provided public research. He is also a Founder of the Hive13 Hackerspace and Open Garages (@OpenGarages). His specialties are reverse engineering and penetration testing. This manual is largely a product of Open Garages and the desire to get people up to speed on auditing their vehicle.

    How to Contribute

    This manual doesn't cover everything. We may miss great tricks or awesome tools. Car hacking is a group activity and we welcome all feedback. Please join the Open Garages mailing list or send email directly to the author (craig at theialabs.com). You can also contact http://www.iamthecavalry.org/ and join their mailing list for ways to get involved.

    We are always looking for guest authors to contribute to new chapters in the next release of this book. We welcome all feedback on existing chapters as well as suggestions on new ones. Please feel free to reach out to Theia Labs or OpenGarages.


  • Understanding Attack Surfaces

    If you come from the software penetration-testing world you probably already get this. For the rest of us, attack surface means all the possible ways to attack a target. The target could be a component or the entire vehicle. At this stage we do not consider how to exploit any piece of the target; we are only concerned with all the entry points into it.

    Think of yourself as an evil spy, trying to do bad things to the vehicle. To find the weaknesses, evaluate the perimeter and document the environment. For a vehicle, we need to consider all the ways data can get into the vehicle, that is, all the ways the vehicle communicates with the outside world.

    From outside the vehicle:

    - What signals are received? Radio waves? Keyfobs? Distance sensors?
    - Physical keypad access?
    - Touch or motion sensors?
    - If electric, how does it charge?

    From inside the vehicle:

    - Audio input options: CD? USB? Bluetooth?
    - Diagnostic ports?
    - What are the capabilities of the dashboard? GPS? Bluetooth?

    Once you have thought about this, you should have realized there are a LOT of ways data can enter the vehicle. If any of this data is malformed or intentionally malicious, what happens?

  • Threat Modeling

    Whole books are written on Threat Modeling. We are going to just give you a quick tour so you can build your own. If you have further questions or if this section excites you, then by all means, grab another book on the subject.

    Threat Modeling is taking a collection of information about the architecture of your target and drawing it out with connecting lines to show how things communicate. These maps are used to identify higher-risk inputs and are a great way to keep a checklist of things to audit, letting you prioritize entry points that could yield the most return.

    Threat models are done in levels, starting at 0.

    Level 0 - Bird's-eye view

    Here is where we'll use the checklist of the last section on Attack Surfaces. You need to think about all the ways data can enter your vehicle. Draw your vehicle in the center, and then label the left outside and the right inside.

    Below is an example of a possible level 0 diagram:

    If we are doing a full system audit, then this will become our checklist of things we need to ensure get love. Number each input.

    You could technically stop here, but it would be better to at least pick one of these that interests you and do a Level 1 diagram.

    Level 1 - Receivers

    Now let's focus on what each input talks to. This map is almost identical to Level 0 except this time we specify the receiving end. Don't go too deep into the receivers just yet. We are only looking at the basic device or area the input talks to.

    Here is the level 1 diagram:

    Here you can see the grouping on the Infotainment center. Notice how each receiver is now numbered. The first number represents the label from the level 0 diagram and the second number is the number of the receiver.

    The dotted lines represent trust boundaries. The top of the diagram is the least trusted and the bottom is the most trusted. The more trust boundaries a communication channel crosses, the more risky it becomes. We will focus on 1.1, the Infotainment console, for the Level 2 diagram.

    Level 2 - Receiver breakdown

    Now we are getting to the level where we can see communication taking place inside the vehicle. We are focusing on the infotainment because it is one of the more complicated receivers and it is directly connected to the CANBus network.

    Here we group the communications channels in dotted-line boxes to represent the trust boundaries. There is a new trust boundary inside the Infotainment Console labeled Kernel Space. Systems that talk directly to the kernel hold a higher risk than ones that talk to system applications. Here you can see that the Cellular channel is higher-risk than the WiFi channel. Also, notice the numbering pattern is X.X.X; the identification system is still the same as before.

    At this stage we have to guess for now. Ideally you would map out what processes handle which input. You will need to reverse-engineer the infotainment system to find this information. Later in this manual, we'll offer a procedure for doing just that.
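
    The numbering and ranking rules above, as an added example that is not from the handbook: a threat model kept as data, with the X.X.X labels checked against their parent level and each level sorted by trust boundaries crossed. The entries, their boundary assignments and the helper names are constructed for illustration; the handbook's diagrams are not reproduced.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    label: str              # "1" = Level 0 input, "1.1" = Level 1 receiver, "1.1.1" = Level 2
    name: str
    boundaries: tuple = ()  # trust boundaries the channel crosses to reach this entry

    @property
    def level(self):
        return self.label.count(".")

    @property
    def parent(self):
        return self.label.rpartition(".")[0] or None

def _order(label):
    return tuple(int(part) for part in label.split("."))

def numbering_errors(model):
    """Labels that are duplicated or whose parent level was never drawn."""
    seen, errors = set(), []
    for e in model:
        if e.label in seen:
            errors.append(f"duplicate {e.label}")
        seen.add(e.label)
    for e in model:
        if e.parent and e.parent not in seen:
            errors.append(f"{e.label} has no parent {e.parent}")
    return errors

def audit_checklist(model, level):
    """Entries of one level, most trust boundaries crossed first."""
    rows = [e for e in model if e.level == level]
    rows.sort(key=lambda e: (-len(e.boundaries), _order(e.label)))
    return [(e.label, e.name, len(e.boundaries)) for e in rows]

# Constructed sample model (assumed entries and boundary assignments).
MODEL = [
    Entry("1", "Infotainment inputs"),
    Entry("2", "Keyfob"),
    Entry("1.1", "Infotainment console", ("Infotainment Console",)),
    Entry("2.1", "Immobilizer", ("Immobilizer",)),
    Entry("1.1.1", "Cellular", ("Infotainment Console", "Kernel Space")),
    Entry("1.1.2", "WiFi", ("Infotainment Console",)),
    Entry("1.1.3", "USB", ("Infotainment Console", "Kernel Space")),
]

if __name__ == "__main__":
    for label, name, crossed in audit_checklist(MODEL, level=2):
        print(f"{label:<6} {name:<10} boundaries crossed: {crossed}")
```

    Rerunning numbering_errors after every change to the model keeps the labels consistent across levels as the diagram grows.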

    Threat models are considered living documents. They change as the target changes or as you learn new things about t
