THE CAR HACKER'S HANDBOOK
A Guide for the Penetration Tester
Craig Smith
San Francisco
THE CAR HACKER'S HANDBOOK. Copyright © 2016 by Craig Smith.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
20 19 18 17 16 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-703-2
ISBN-13: 978-1-59327-703-1
Publisher: William Pollock
Production Editor: Laurel Chun
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Developmental Editors: Liz Chadwick and William Pollock
Technical Reviewer: Eric Evenchick
Copyeditor: Julianne Jigour
Compositor: Laurel Chun
Proofreader: James Fraleigh
Indexer: BIM Indexing & Proofreading Services
The following code and images are reproduced with permission: Collin Kidder and EVTV Motor Werks.
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Smith, Craig (Reverse engineer), author.
Title: The car hacker's handbook: a guide for the penetration tester / by Craig Smith.
Description: San Francisco : No Starch Press, [2016] | Includes index.
Identifiers: LCCN 2015038297| ISBN 9781593277031 | ISBN 1593277032
Subjects: LCSH: Automotive computers--Security measures--Handbooks, manuals,
etc. | Automobiles--Performance--Handbooks, manuals, etc. |
Automobiles--Customizing--Handbooks, manuals, etc. | Penetration testing
(Computer security)--Handbooks, manuals, etc. |
Automobiles--Vandalism--Prevention--Handbooks, manuals, etc.
Classification: LCC TL272.53 .S65 2016 | DDC 629.2/72--dc23
LC record available at http://lccn.loc.gov/2015038297
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
About the Author
Craig Smith runs Theia Labs, a security research firm that focuses on security auditing and building hardware and software prototypes. He is also one of the founders of the Hive13 Hackerspace and Open Garages (@OpenGarages). He has worked for several auto manufacturers, where he provided public research on vehicle security and tools. His specialties are reverse engineering and penetration testing. This book is largely a product of Open Garages and Craig's desire to get people up to speed on auditing their vehicles.
About the Contributing Author
Dave Blundell works in product development, teaches classes, and provides support for Moates.net, a small company specializing in pre-OBD ECU modification tools. He has worked in the aftermarket engine management sphere for the past few years, doing everything from reverse engineering to dyno tuning cars. He also does aftermarket vehicle calibration on a freelance basis.
About the Technical Reviewer
Eric Evenchick is an embedded systems developer with a focus on security and automotive systems. While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition. Currently, he is a vehicle security architect for Faraday Future and a contributor to Hackaday. He does not own a car.
CONTENTS IN DETAIL
UNDERSTANDING THREAT MODELS
BUS PROTOCOLS
VEHICLE COMMUNICATION WITH SOCKETCAN
DIAGNOSTICS AND LOGGING
REVERSE ENGINEERING THE CAN BUS
ECU HACKING
BUILDING AND USING ECU TEST BENCHES
ATTACKING ECUS AND OTHER EMBEDDED SYSTEMS
IN-VEHICLE INFOTAINMENT SYSTEMS
VEHICLE-TO-VEHICLE COMMUNICATION
WEAPONIZING CAN FINDINGS
ATTACKING WIRELESS SYSTEMS WITH SDR
PERFORMANCE TUNING
A: TOOLS OF THE TRADE
B: DIAGNOSTIC CODE MODES AND PIDS
C: CREATING YOUR OWN OPEN GARAGE
FOREWORD
The world needs more hackers, and the world definitely needs more car hackers. Vehicle technology is trending toward more complexity and more connectivity. Combined, these trends will require a greater focus on automotive security and more talented individuals to provide this focus.
But what is a hacker? The term is widely corrupted by the mainstream media, but correct use of the term hacker refers to someone who creates, who explores, who tinkers; someone who discovers by the art of experimentation and by disassembling systems to understand how they work. In my experience, the best security professionals (and hobbyists) are those who are naturally curious about how things work. These people explore, tinker, experiment, and disassemble, sometimes just for the joy of discovery. These people hack.
A car can be a daunting hacking target. Most cars don't come with a keyboard and login prompt, but they do come with a possibly unfamiliar array of protocols, CPUs, connectors, and operating systems. This book will demystify the common components in cars and introduce you to readily available tools and information to help get you started. By the time you've finished reading the book, you'll understand that a car is a collection of connected computers; there just happen to be wheels attached. Armed with appropriate tooling and information, you'll have the confidence to get hacking.
This book also contains many themes about openness. We're all safer when the systems we depend upon are inspectable, auditable, and documented, and this definitely includes cars. So I'd encourage you to use the knowledge gained from this book to inspect, audit, and document. I look forward to reading about some of your discoveries!
Chris Evans
January 2016
ACKNOWLEDGMENTS
Thanks to the Open Garages community for contributing time, examples, and information that helped make this book possible. Thanks to the Electronic Frontier Foundation (EFF) for supporting the Right to Tinker and just generally being awesome. Thanks to Dave Blundell for contributing several chapters of this book, and to Colin O'Flynn for making the ChipWhisperer and letting me use his examples and illustrations. Finally, thanks to Eric Evenchick for single-handedly reviewing all of the chapters of this book, and special thanks to No Starch Press for greatly improving the quality of my original ramblings.