h4cker/car_hacking/README.md
2024-04-25 10:19:32 -04:00


Car Hacking and Security

Cybersecurity in the automobile industry has become increasingly critical as vehicles are now equipped with a variety of networked components and systems that enhance connectivity, functionality, and comfort. However, this connectivity also introduces significant security vulnerabilities that can be exploited by malicious actors.

Key Vulnerabilities

  1. Infotainment Systems: These systems often provide connectivity to mobile devices, access to the internet, and apps. If not properly secured, they can serve as entry points for attackers to gain more extensive access to a vehicle's critical functions.

  2. Telematics Systems: Systems that transmit data like GPS location and vehicle diagnostics can be intercepted or tampered with. An attacker could potentially track a vehicle's movements or falsify diagnostic data.

  3. Electronic Control Units (ECUs): Modern vehicles can contain dozens of ECUs, which control everything from the engine and brakes to air conditioning. Compromising one ECU can potentially allow an attacker to manipulate critical vehicle functions.

  4. Software Updates: Over-the-air software updates are convenient for applying the latest updates and patches to vehicles. However, if not properly authenticated, they can be a vector for installing malicious firmware.

  5. Vehicle-to-Vehicle (V2V) Communication: As vehicles begin to communicate with each other to improve safety and traffic efficiency, the risk of intercepting or manipulating these communications grows.

The automotive industry continues to work on these and other cybersecurity elements and to comply with regulatory requirements like ISO/SAE 21434, which focuses on automotive cybersecurity management.

Articles

Presentations

Books

  • 2014 Car Hacker's Handbook - Free guide to hacking vehicles from 2014.
  • 2016 Car Hacker's Handbook - Latest version of the Car Hacker's Handbook, with updated information to hack your own vehicle and learn vehicle security. For a physical copy as well as unlimited PDF, MOBI, and EPUB copies of the book, buy it at No Starch Press. Sections are available online here.
  • A Comprehensible Guide to Controller Area Network - An older book from 2005, but still a comprehensive guide on CAN buses and networking in vehicles.
  • 智能汽车安全攻防大揭秘 - This book first introduces some basic security knowledge for automotive R&D personnel, such as encryption and decryption, security authentication, digital signatures, and common attack types and methods. It then introduces the working principles of smart cars for security researchers, such as automotive intranet protocols, network architecture, the principle of the X-By-Wire remote control system, and common potential attack surfaces. Finally, it gives a detailed analysis of some actual automotive attack or security test cases, with a defense analysis of the vulnerabilities involved in each case.
  • Controller Area Network Prototyping with Arduino - This book guides you through prototyping CAN applications on Arduinos, which can help when working with CAN on your own car.
  • Embedded Networking with CAN and CANopen - From 2003, this book fills in gaps in CAN literature and will educate you further on CAN networks and working with embedded systems.
  • Inside Radio: An Attack and Defense Guide - This book discusses the security issues in a wide range of wireless devices and systems. Chapter 4 covers 433/315 MHz communication (sections 4.3, 4.4 and 4.5 are about car key security).

Research Papers

Courses

Blogs

Websites

  • Automotive Security Research Group - The Automotive Security Research Group (ASRG) is a non-profit initiative to promote the development of security solutions for automotive products.
  • OpenGarages - Provides public access, documentation and tools necessary to understand today's modern vehicle systems.
  • DEFCON Car Hacking Village - Car Hacking exercises from DEFCON 24.
  • canbushack: Hack Your Car - course on Vehicle Hacking methodology.
  • OWASP Internet of Things Project - OWASP's project to secure IoT, from cars to medical devices and beyond.
  • I Am The Cavalry - Global grassroots (e.g. volunteer) initiative focused on the intersection of security and human life/public safety issues, such as cars. Participation from security researchers, OEMs, Tier 1s, and many others. Published the Automotive 5-Star Cyber Safety Framework.
  • Carloop Community - Community of people interested in car hacking and connecting vehicles to the cloud.
  • Python Security - A website for browsing and buying python-integrated cars having certain vehicular security features.
  • NIST Automotive Cybersecurity Community of Interest - NIST, the organization behind the NVD CVE database and modern cryptographic standards, runs a Community of Interest group for Automotive Cybersecurity that seeks to "provide a way for NIST to facilitate the discussions and receive comments and feedback from the automotive industry, academia, and government."

Newsletters

Welcoming contributions!

Conferences

Who to Follow

  • Chris Valasek: Security Lead at UberATC
  • Charlie Miller: Hacked the first Apple iPhone, now does car security.
  • Samy Kamkar: Created MySpace Worm, RollJam, OwnStar.
  • Justin Seitz: Author of Black Hat Python (No Starch Press).
  • Troy Hunt: Pluralsight author. Microsoft Regional Director and MVP for Developer Security. Creator of haveibeenpwned.
  • Ken Munro: British researcher, works at Pen Test Partners; major interest in vehicle security
  • OpenGarages: Initiative to create Vehicle Research Labs around the world.
  • Hackaday: Collaborative project hosting for hackers - there are frequently car projects on here.
  • Pen Test Partners: British penetration testing firm; several posts concern their disclosed car security vulns
  • I Am The Cavalry: Global grassroots (e.g. volunteer) initiative focused on the intersection of security and human life/public safety issues, such as cars.
  • Car Hacking Village
  • carfucar: Founder of Car Hacking Village and Speaker or Trainer
  • Ian Tabor / mintynet: Car Hacker, Car Hacking Village staff
  • Daniel Öster: Dala's EV Repair, electric vehicle CAN hacking/upgrading

Podcasts and Episodes

Podcasts and podcast episodes that either focus directly on vehicle security or have some episodes on it.

Podcasts

  • Security Weekly - Excellent podcast covering a wide range of security topics, with some episodes devoting segments to vehicle security, from cars to drones.
  • TrustedSec Podcast - From the people at TrustedSec, leaders in Social Engineering, their episodes often go into recent vehicle vulnerabilities and exploits.
  • SANS Internet Storm Center - The ISC runs a regular podcast going into the latest vulnerabilities and security news.
  • Security Ledger - A podcast focusing on interviewing security experts about topics related to security.

Episodes

Miscellaneous

Projects

  • Open Vehicle Monitoring System - A community project building a hardware module for your car, a server to talk to it, and a mobile app to talk to the server, in order to allow developers and enthusiasts to add more functionality to their car and control it remotely.
  • Open Source Car Control Project - The Open Source Car Control Project is a hardware and software project detailing the conversion of a late model vehicle into an autonomous driving research and development vehicle.
  • Uptane - Uptane is an open and secure software update system design protecting software delivered over-the-air to the computerized units of automobiles and is designed to be resilient even to the best efforts of nation state attackers.

Hardware

Overview of hardware, both open source and proprietary, that you can use when conducting vehicle security research. This article goes through many of the options below.

  • Arduino - Arduino boards have a number of shields you can attach to connect to CAN-enabled devices.
  • CANtact - "The Open Source Car Tool" designed to help you hack your car. You can buy one or make your own following the guide here.
  • Freematics OBD-II Telematics Kit - Arduino-based OBD-II Bluetooth adapter kit has both an OBD-II device and a data logger, and it comes with GPS, an accelerometer and gyro, and temperature sensors.
  • ELM327 - The de facto chipset that's very cheap and can be used to connect to CAN devices.
  • GoodThopter12 - Crafted by a well-known hardware hacker, this board is a general board that can be used for exploration of automotive networks.
  • USB2CAN - Cheap USB to CAN connector that will register a device on Linux that you can use to get data from a CAN network.
  • Intrepid Tools - Expensive, but extremely versatile tools specifically designed for reversing CAN and other vehicle communication protocols.
  • Red Pitaya - Replaces expensive measurement tools such as oscilloscopes, signal generators, and spectrum analyzers. Red Pitaya has LabView and Matlab interfaces, and you can write your own tools and applications for it. It even supports extensions for things like Arduino shields.
  • ChipWhisperer - A system for side-channel attacks, such as power analysis and clock glitching.
  • HackerSDR - A Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz. Designed to enable test and development of modern and next generation radio technologies.
  • Carloop - Open source development kit that makes it easy to connect your car to the Internet. Lowest cost car hacking tool that is compatible with SocketCAN and can-utils. No OBD-II to serial cable required.
  • CANBadger - A tool for reverse-engineering and testing automotive systems. The CANBadger consists of both hardware and software. The main interface is a LPC1768/LPC1769 processor mounted on a custom PCB, which offers two CAN interfaces, SD Card, a blinky LED, some GPIO pins, power supply for peripherals and the ethernet port.
  • CANSPY - A platform that lets security auditors audit CAN devices. It can be used to block, forward or modify CAN frames on the fly, autonomously as well as interactively.
  • CANBus Triple - General purpose Controller Area Network swiss army knife and development platform.
  • USBtin - USBtin is a simple USB to CAN interface. It can monitor CAN busses and transmit CAN messages. USBtin implements the USB CDC class and creates a virtual comport on the host computer.
  • OpenXC - OpenXC is a combination of open source hardware and software that lets you extend your vehicle with custom applications and pluggable modules. It uses standard, well-known tools to open up a wealth of data from the vehicle to developers. Started by researchers at Ford, it works for all 2002 and newer MY vehicles (standard OBD-II interface). Researchers at Ford Motor Company joined up to create a standard way of creating aftermarket software and hardware for vehicles.
  • Macchina M2 - Macchina 2.0 is a complete overhaul of our 1.X generation of Macchina. The goals are still the same: Create an easy-to-use, fully-open, and super-compatible automotive interface.
  • PandwaRF - PandwaRF is a pocket-sized, portable RF analysis tool operating in the sub-1 GHz range. It allows the capture, analysis and re-transmission of RF via an Android device or a Linux PC. Capture any data in ASK/OOK/MSK/2-FSK/GFSK modulation from the 300-928 MHz band.
  • CAN MITM Bridge by MUXSCAN - a tool to MITM CAN messages, allowing easy interaction with your car.

Software

Overview of software, both open source and proprietary, as well as libraries from various programming languages. This article goes through many of the options below.

Applications

Software applications that will help you hack your car, investigate its signals, and generally tinker with it.

  • Wireshark - Wireshark can be used for reversing CAN communications.
  • Kayak - Java application for CAN bus diagnosis and monitoring.
  • UDSim - GUI tool that can monitor a CAN bus and automatically learn the devices attached to it by watching communications.
  • RomRaider - An open source tuning suite for the Subaru engine control unit that lets you view and log data and tune the ECU.
  • Intrepid Tools - Expensive, but extremely versatile tools specifically designed for reversing CAN and other vehicle communication protocols.
  • O2OO - Works with the ELM327 to record data to a SQLite database for graphing purposes. It also supports reading GPS data. You can connect this to your car and have it map out using Google Maps KML data where you drive.
  • CANToolz - CANToolz is a framework for analysing CAN networks and devices. It is based on several modules which can be assembled in a pipeline.
  • BUSMASTER - An open source tool to simulate, analyze and test data bus systems such as CAN, LIN, FlexRay.
  • OpenXC - Currently, OpenXC works with Python and Android, with libraries provided to get started.
  • openpilot - openpilot is an open source driving agent that performs the functions of Adaptive Cruise Control (ACC) and Lane Keeping Assist System (LKAS) for Hondas and Acuras.
  • openalpr - An open source Automatic License Plate Recognition library written in C++ with bindings in C#, Java, Node.js, Go, and Python.
  • metasploit - The popular metasploit framework now supports Hardware Bridge sessions, which extend the framework's capabilities onto hardware devices such as socketcan and SDR radios.
  • Mazda AIO Tweaks - All-in-one installer/uninstaller for many available Mazda MZD Infotainment System tweaks.
  • mazda_getInfo - A PoC that the USB port is an attack surface for a Mazda car's infotainment system and how Mazda hacks are made (known bug in the CMU).
  • talking-with-cars - CAN related scripts, and scripts to use a car as a gamepad
  • CANalyzat0r - A security analysis toolkit for proprietary car protocols.

Libraries and Tools

Libraries and tools that don't fall under the larger class of applications above.

Custom Applications SDK for Mazda Connect Infotainment System - A micro framework that allows you to write and deploy custom applications for the Mazda Infotainment System.

C

  • SocketCAN Utils - Userspace utilities for SocketCAN on Linux.
  • vircar - A virtual car userspace that sends CAN messages based on SocketCAN.
  • dbcc - "dbcc is a program for converting a DBC file primarily into C code that can serialize and deserialize CAN messages." With existing DBC files from a vehicle, this tool allows you to convert them to C code that extracts the CAN messages and properties of the CAN environment.

C++

  • High Level ViWi Service - High level Volkswagen CAN signaling protocol implementation.
  • CanCat - A "swiss-army knife" for interacting with live CAN data. Primary API interface in Python, but written in C++.
  • CANdevStudio - Development tool for CAN bus simulation. CANdevStudio enables every automotive developer to simulate CAN signals such as ignition status, door status or reverse gear.

Java

  • ITS Geonetworking - ETSI ITS G5 GeoNetworking stack, in Java: CAM-DENM / ASN.1 PER / BTP / GeoNetworking

Python

  • CANard - A Python framework for Controller Area Network applications.
  • Caring Caribou - Intended to be the nmap of vehicle security.
  • c0f - A fingerprinting tool for CAN communications that can be used to find a specific signal on a CAN network when testing interactions with a vehicle.
  • Python-CAN - Python interface to various CAN implementations, including SocketCAN. Allows you to use Python 2.7.x or 3.3.x+ to communicate over CAN networks.
  • Python-OBD - A Python module for handling realtime sensor data from OBD-II vehicle ports. Works with ELM327 OBD-II adapters, and is fit for the Raspberry Pi.
  • CanCat - A "swiss-army knife" for interacting with live CAN data. Primary API interface in Python, but written in C++.
  • Scapy - A Python library to send, receive, and edit raw packets. Supports CAN and automotive protocols: see the automotive doc.
  • CanoPy - A Python GUI used to visualize and plot message payloads in real time.
  • canTot - A Python-based CLI framework based on sploitkit that is easy to use because it is similar to working with Metasploit. It is similar to an exploit framework, but focused on known CAN bus vulnerabilities or fun CAN bus hacks.
  • SocketCAN - Python interface to SocketCAN.
  • canmatrix - Python module to work with CAN matrix files.
  • canopen - Python module to communicate with CANopen devices.
  • cantools - Python module to decode and encode CAN messages using a DBC file.
  • Caring Caribou Next - Upgraded and optimized version of the original Caring Caribou project.

Go

  • CANNiBUS - A Go server that allows a room full of researchers to simultaneously work on the same vehicle, whether for instructional purposes or team reversing sessions.
  • CAN Simulator - A Go-based CAN simulator for the Raspberry Pi, to be used with PiCAN2 or the open source CAN Simulator board.

JavaScript

Companies and Jobs

Companies and job opportunities in the vehicle security field.

  • UberATC - Uber Advanced Technologies Center, now Uber AV - info@uberatc.com.
  • Tesla - Tesla hires security professionals for a variety of roles, particularly securing their vehicles.
  • Intrepid Control Systems - Embedded security company building tools for reversing vehicles.
  • Rapid7 - Rapid7 does work in information, computer, and embedded security.
  • IOActive - Security consulting firm that does work on pentesting hardware and embedded systems.
  • Cohda Wireless - V2X DSRC Radio and Software
  • VicOne - A subsidiary of Trend Micro which focuses on automotive security

Coordinated disclosure

  • General Motors on HackerOne - Coordinated disclosure submissions accepted
  • Stellantis on Bugcrowd - Coordinated disclosure submissions accepted, paid bounties offered
  • Tesla Motors on Bugcrowd - Coordinated disclosure submissions accepted, paid bounties offered
  • ASRG - The ASRG Disclosure Process supports responsible disclosure when direct communication with the responsible company is unavailable or the company is not responsive.
  • Zeekr - Zeekr and Geely responsible disclosure program