
2014 Car Hacker's Manual PDF

72 Pages·2014·12.528 MB·English

Preview 2014 Car Hacker's Manual

Table of Contents

Read This First
Introduction
Understanding Attack Surfaces
Infotainment Systems
Vehicle Communication Systems
Engine Control Unit
CAN Bus Reversing Methodology
Breaking the Vehicle
CAN Bus Tools
Weaponizing CAN Findings
Attacking TPMS
Ethernet Attacks
Attacking Keyfobs and Immobilizers
FLASHBACK - Hotwiring
Attacking ECUs and other Embedded Systems
What does your hacker garage need?
Creative Commons

READ THIS FIRST

This book is distributed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license, in part due to my belief in the open source community and also as a hat tip to Cory Doctorow's license.

This license means:

You are free:
- to Share — to copy, distribute and transmit the work
- to Remix — to adapt the work

Under the following conditions:
- Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
- Noncommercial. You may not use this work for commercial purposes.
- Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
- For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link http://opengarages.org/handbook/
- Any of the above conditions can be waived if you get my permission

More info here: http://creativecommons.org/licenses/by-nc-sa/3.0/

See the end of this manual for full legal copy information.

The only exception is the cover of this book. The cover art is under a proprietary license that cannot be repurposed.

Introduction

Congratulations! You just purchased your first real owner's manual. This manual doesn't focus on what all those dashboard lights are, but on how to control them.

Modern vehicle manufacturers have moved away from making it easy to understand and custom mod your own purchased vehicle. This book is here to help!

If you read this manual all the way through, it will detail how to perform a full security evaluation of your vehicle. It is organized in sections so you can go straight to the parts you care about.

Benefits of Car Hacking

Honestly, if you are holding this manual I would hope you would have a clue why you are doing so. However, if approached and asked why you are hacking cars, we made this handy checklist for you to use!

Understand How Your Vehicle Works - The automotive industry has churned out some amazing vehicles, but has released little information on what makes them work. Understanding how the vehicle communicates will help you diagnose and troubleshoot car problems.

Work on the Electrical Side - As vehicles have evolved, they have become less mechanical and more electronic. Unfortunately these systems are typically closed off to mechanics. While dealerships have access to more information than you can typically get, the auto manufacturers themselves outsource parts and require proprietary tools to diagnose problems. Learning how your vehicle's electronics work can help you bypass this barrier.

Car Mods - Understanding how the vehicle communicates can lead to much better modifications. These can improve fuel consumption, provide third-party replacement parts, or anything you can dream of. Once the communication system is known, you can seamlessly integrate other systems into your vehicle.

Discover Undocumented Features - Sometimes vehicles come equipped with special features simply disabled or not exposed. Discovering undocumented or disabled features can enable you to use your vehicle to its fullest potential.

Validate the Security of your Vehicle - As of this writing, the safety guidelines for vehicles do not address threats of malicious electronic nature. While vehicles are susceptible to the same malware your desktop gets, automakers are not required to audit the security of their electronics. We drive our families around in these vehicles. By understanding how to hack your car you will know how vulnerable your vehicle is and can take precautions while advocating for higher standards.

About the Author

Craig Smith runs a research firm, Theia Labs, that focuses on security auditing and building hardware and software prototypes. He has worked for several auto manufacturers and provided public research. He is also a Founder of the Hive13 Hackerspace and Open Garages (@OpenGarages). His specialties are reverse engineering and penetration testing. This manual is largely a product of Open Garages and the desire to get people up to speed on auditing their vehicle.

How to Contribute

This manual doesn't cover everything. We may miss great tricks or awesome tools. Car hacking is a group activity and we welcome all feedback. Please join the Open Garages mailing list or send email directly to the author (craig at theialabs.com). You can also contact http://www.iamthecavalry.org/ and join their mailing list for ways to get involved.

We are always looking for guest authors to contribute to new chapters in the next release of this book. We welcome all feedback on existing chapters as well as suggestions on new ones. Please feel free to reach out to Theia Labs or Open Garages.

Understanding Attack Surfaces

If you come from the software penetration-testing world you probably already get this. For the rest of us, attack surface means all the possible ways to attack a target. The target could be a component or the entire vehicle. At this stage we do not consider how to exploit any piece of the target; we are only concerned with all the "entry points" into it.

Think of yourself as an evil spy, trying to do bad things to the vehicle. To find the weaknesses, evaluate the perimeter and document the environment. For a vehicle, we need to consider all the ways data can get into the vehicle – that is, all the ways the vehicle communicates with the outside world.

From outside the vehicle:
- What signals are received? Radio waves? Keyfobs? Distance sensors?
- Physical keypad access?
- Touch or motion sensors?
- If electric, how does it charge?

From inside the vehicle:
- Audio input options: CD? USB? Bluetooth?
- Diagnostic ports?
- What are the capabilities of the dashboard? GPS? Bluetooth? Internet?

Once you have thought about this, you should have realized there are a LOT of ways data can enter the vehicle. If any of this data is malformed or intentionally malicious, what happens?

Threat Modeling

Whole books are written on Threat Modeling. We are going to just give you a quick tour so you can build your own. If you have further questions or if this section excites you, then by all means, grab another book on the subject.

Threat Modeling is taking a collection of information about the architecture of your target and drawing it out with connecting lines to show how things communicate. These maps are used to identify higher-risk inputs and are a great way to keep a checklist of things to audit, letting you prioritize entry points that could yield the most return. Threat models are done in levels, starting at 0.

Level 0 – Bird's-eye view

Here is where we'll use the checklist of the last section on Attack Surfaces. You need to think about all the ways data can enter your vehicle. Draw your vehicle in the center, and then label the left "outside" and the right "inside." Below is an example of a possible level 0 diagram:

If we are doing a full system audit, then this will become our checklist of things we need to ensure get love. Number each input. You could technically stop here, but it would be better to at least pick one of these that interests you and do a Level 1 diagram.

Level 1 - Receivers

Now let's focus on what each input talks to. This map is almost identical to Level 0 except this time we specify the receiving end. Don't go too deep into the receivers just yet. We are only looking at the basic device or area the input talks to. Here is the level 1 diagram:

Here you can see the grouping on the Infotainment center. Notice how each receiver is now numbered. The first number represents the label from the level 0 diagram and the second number is the number of the receiver.

The dotted lines represent trust boundaries. The top of the diagram is the least trusted and the bottom is the most trusted. The more trust boundaries a communication channel crosses, the more risky it becomes. We will focus on 1.1, the Infotainment console, for the Level 2 diagram.

Level 2 - Receiver breakdown

Now we are getting to the level where we can see communication taking place inside the vehicle. We are focusing on the infotainment because it is one of the more complicated receivers and it is directly connected to the CAN Bus network.

Here we group the communications channels in dotted-line boxes to represent the trust boundaries. There is a new trust boundary inside the Infotainment Console labeled "Kernel Space." Systems that talk directly to the kernel hold a higher risk than ones that talk
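The Level 0 and Level 1 numbering and the trust-boundary rule described above, written out as an added Python example that is not part of the manual. The zone names, input numbers and receivers are constructed for illustration (the manual's diagrams are not reproduced in this preview), and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: zone names, input numbers and receivers are
# illustrative assumptions, not taken from the manual's diagrams.
# Zones run top to bottom as in the diagram: least trusted first.
ZONES = ["external", "cabin", "embedded device", "kernel space"]

# Level 0: every way data enters the vehicle, numbered, with its origin zone.
LEVEL0 = {
    1: ("USB", "cabin"),
    2: ("Diagnostic port", "cabin"),
    3: ("Key fob", "external"),
    4: ("Distance sensors", "external"),
}

@dataclass(frozen=True)
class Receiver:
    input_no: int      # label from the Level 0 diagram
    receiver_no: int   # number of the receiver for that input
    name: str
    zone: str          # trust zone the receiver sits in

    @property
    def label(self) -> str:
        return f"{self.input_no}.{self.receiver_no}"

# Level 1: the basic device or area each input talks to.
LEVEL1 = [
    Receiver(1, 1, "Infotainment console", "kernel space"),
    Receiver(2, 1, "CAN bus", "embedded device"),
    Receiver(3, 1, "Immobilizer", "embedded device"),
]

def crossings(r: Receiver) -> int:
    """Trust boundaries crossed between the input's origin and its receiver."""
    origin = LEVEL0[r.input_no][1]
    return abs(ZONES.index(r.zone) - ZONES.index(origin))

def audit_order(receivers):
    """Receiver labels, riskiest first: more boundaries crossed, more risk."""
    ranked = sorted(receivers, key=lambda r: (-crossings(r), r.label))
    return [r.label for r in ranked]

def unmapped_inputs(receivers):
    """Level 0 inputs with no Level 1 receiver yet (gaps in the checklist)."""
    mapped = {r.input_no for r in receivers}
    return sorted(n for n in LEVEL0 if n not in mapped)

if __name__ == "__main__":
    for r in sorted(LEVEL1, key=lambda r: (-crossings(r), r.label)):
        print(r.label, r.name, "crosses", crossings(r), "boundaries")
    print("inputs without a receiver:", unmapped_inputs(LEVEL1))
```

Keeping the model as data makes the Level 0 list double as the audit checklist: any input reported by `unmapped_inputs` still needs a Level 1 receiver before it can be ranked.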
