Table of Contents ReadThisFirst Introduction UnderstandingAttackSurfaces InfotainmentSystems VehicleCommunicationSystems EngineControlUnit CANBusReversingMethodology BreakingtheVehicle CANBusTools WeaponizingCANFindings AttackingTPMS EthernetAttacks AttackingKeyfobsandImmobilizers FLASHBACK-Hotwiring AttackingECUsandotherEmbeddedSystems Whatdoesyoruhackergarageneed? CreativeCommons READ THIS FIRST ThisbookisdistributedunderaCreativeCommonsAttribution- NonCommercial-ShareAlike3.0license.Inpartduetomybeliefin theopensourcecommunityandalsoasahattiptoCoryDoctorow’s license. Thislicensemeans: Youarefree: -toShare—tocopy,distributeandtransmitthework -toRemix—toadaptthework Underthefollowingconditions: -Attribution.Youmustattributetheworkinthemanner specifiedbytheauthororlicensor(butnotinanywaythat suggeststhattheyendorseyouoryouruseofthework). -Noncommercial.Youmaynotusethisworkforcommercial purposes. -ShareAlike.Ifyoualter,transform,orbuilduponthiswork, youmaydistributetheresultingworkonlyunderthesame orsimilarlicensetothisone. -Foranyreuseordistribution,youmustmakecleartoothers thelicensetermsofthiswork.Thebestwaytodothisiswith alinkhttp://opengarages.org/handbook/ -Anyoftheaboveconditionscanbewaivedifyougetmy permission Moreinfohere:http://creativecommons.org/licenses/by-nc-sa/3.0/ Seetheendofthismanualforfulllegalcopyinformation. Theonlyexceptionisthecoverofthisbook. Thecoverartisunder aproprietarylicensethatcannotberepurposed. Introduction Congratulations!YoujustpurchasedyourfirstrealOwnersmanual. Thismanualdoesn’tfocusonwhatallthosedashboardlightsare, butonhowtocontrolthem. Modernvehiclemanufacturershavemovedawayfrommakingit easytounderstandandcustommodyourownpurchasedvehicle. Thisbookisheretohelp! Ifyoureadthismanualallthewaythrough,itwilldetailhowto performafullsecurityevaluationofyourvehicle. Itisorganizedin sectionssoyoucangostraighttothepartsyoucareabout. Benefits of Car Hacking Honestly,ifyouareholdingthismanualIwouldhopeyouwould haveacluewhyyouaredoingso. However,ifapproachedand askedwhyyouarehackingcars,wemadethishandychecklistfor youtouse! UnderstandHowYourVehicleWorks-Theautomotive industryhaschurnedoutsomeamazingvehicles,buthas releasedlittleinformationonwhatmakesthemwork. Understandinghowthevehiclecommunicateswillhelpyou diagnoseandtroubleshootcarproblems. WorkontheElectricalSide-Asvehicleshaveevolved,they havebecomelessmechanicalandmoreelectronic. Unfortunatelythesesystemsaretypicallyclosedoffto mechanics. Whiledealershipshaveaccesstomore informationthanyoucantypicallyget,theauto manufacturersthemselvesoutsourcepartsandrequire proprietarytoolstodiagnoseproblems. Learninghowyour vehicle’s electronicsworkcanhelpyoubypassthisbarrier. CarMods-Understandinghowthevehiclecommunicatescan leadtomuchbettermodifications. Thesecanimprovefuel consumption,providethird-partyreplacementparts,or anythingyoucandreamof. Oncethecommunication systemisknown,youcanseamlesslyintegrateother systemsintoyourvehicle. DiscoverUndocumentedFeatures-Sometimesvehicles comeequippedwithspecialfeaturessimplydisabledornot exposed. Discoveringundocumentedordisabledfeatures canenableyoutouseyourvehicletoitsfullestpotential. ValidatetheSecurityofyourVehicle-Asofthiswriting,the safetyguidelinesforvehiclesdonotaddressthreatsof maliciouselectronicnature. Whilevehiclesaresusceptible tothesamemalwareyourdesktopgets,automakersarenot requiredtoauditthesecurityoftheirelectronics. Wedrive ourfamiliesaroundinthesevehicles. Byunderstanding howtohackyourcaryouwillknowhowvulnerableyou vehicleisandcantakeprecautionswhileadvocatingfor higherstandards. About the Author CraigSmithrunsaresearchfirm,TheiaLabs,thatfocuseson securityauditingandbuildinghardwareandsoftwareprototypes. Hehasworkedforseveralautomanufacturersandprovidedpublic research. HeisalsoaFounderoftheHive13Hackerspaceand OpenGarages(@OpenGarages). Hisspecialtiesarereverse engineeringandpenetrationtesting. Thismanualislargelya productofOpenGaragesandthedesiretogetpeopleuptospeed onauditingtheirvehicle. How to Contribute Thismanualdoesn’tcovereverything. Wemaymissgreattricksor awesometools. Carhackingisagroupactivityandwewelcomeall feedback. PleasejointheOpenGaragesmailinglistorsendemail directlytotheauthor(craigattheialabs.com). Youcanalsocontact http://www.iamthecavalry.org/andjointheirmailinglistforwaysto getinvolved. Wearealwayslookingforguestauthorstocontributetonew chaptersinthenextreleaseofthisbook. Wewelcomeallfeedback onexistingchaptersaswellassuggestionsonnewones. Please feelfreetoreachouttoTheiaLabsorOpenGarages. Understanding Attack Surfaces Ifyoucomefromthesoftwarepenetration-testingworldyou probablyalreadygetthis.Fortherestofus,attacksurfacemeansall thepossiblewaystoattackatarget. Thetargetcouldbea componentortheentirevehicle. Atthisstagewedonotconsider howtoexploitanypieceofthetarget,weareonlyconcernedwithall the“entrypoints”intoit. Thinkofyourselfasanevilspy,tryingtodobadthingstothe vehicle. Tofindtheweaknesses,evaluatetheperimeterand documenttheenvironment. Foravehicle,weneedtoconsiderall thewaysdatacangetintothevehicle–thatis,allthewaysthe vehiclecommunicateswiththeoutsideworld. Fromoutsidethevehicle: -Whatsignalsarereceived? Radiowaves?Keyfobs?Distance sensors? -Physicalkeypadaccess? -Touchormotionsensors? -Ifelectric,howdoesitcharge? Frominsidethevehicle: -Audioinputoptions:CD?USB?Bluetooth? -Diagnosticports? -Whatarethecapabilitiesofthedashboard? GPS?Bluetooth? Internet? Onceyouhavethoughtaboutthis,youshouldhaverealizedthere areaLOTofwaysdatacanenterthevehicle. Ifanyofthisdatais malformedorintentionallymalicious,whathappens? Threat Modeling WholebooksarewrittenonThreatModeling. Wearegoingtojust giveyouaquicktoursoyoucanbuildyourown. Ifyouhavefurther questionsorifthissectionexcitesyou,thenbyallmeans,grab anotherbookonthesubject. ThreatModelingistakingacollectionofinformationaboutthe architectureofyourtargetanddrawingitoutwithconnectinglines toshowhowthingscommunicate. Thesemapsareusedtoidentify higher-riskinputsandareagreatwaytokeepachecklistofthings toaudit,lettingyouprioritizeentrypointsthatcouldyieldthemost return. Threatmodelsaredoneinlevels,startingat0. Level 0 – Bird’s-eye view Hereiswherewe'llusethechecklistofthelastsectiononAttack Surfaces. Youneedtothinkaboutallhowdatacanenteryour vehicle. Drawyourvehicleinthecenter,andthenlabeltheleft “outside”andtheright“inside,” Belowisanexampleofapossiblelevel0diagram: Ifwearedoingafullsystemaudit,thenthiswillbecomeour checklistofthingsweneedtoensuregetlove. Numbereachinput. Youcouldtechnicallystophere,butitwouldbebettertoatleast pickoneofthesethatinterestsyouanddoaLevel1diagram. Level 1 - Receivers Nowlet’sfocusonwhateachinputtalksto. Thismapisalmost identicaltoLevel0exceptthistimewespecifythereceivingend. Don’tgotoodeepintothereceiversjustyet. Weareonlylookingat thebasicdeviceorareatheinputtalksto. Hereisthelevel1diagram: HereyoucanseethegroupingontheInfotainmentcenter. Notice howeachreceiverisnownumbered. Thefirstnumberrepresents thelabelfromthelevel0diagramandthesecondnumberisthe numberofthereceiver. Thedottedlinesrepresenttrustboundaries. Thetopofthediagram istheleasttrustedandthebottomisthemosttrusted.Themore trustboundariesacommunicationchannelcrosses,themoreriskyit becomes. Wewillfocuson1.1,theInfotainmentconsole,forthe Level2diagram. Level 2 - Receiver breakdown Nowwearegettingtothelevelwherewecanseecommunication takingplaceinsidethevehicle.Wearefocusingontheinfotainment becauseitisoneofthemorecomplicatedreceiversanditisdirectly connectedtotheCANBusnetwork. Herewegroupthecommunicationschannelsindotted-lineboxesto representthetrustboundaries. Thereisanewtrustboundary insidetheInfotainmentConsolelabeled“KernelSpace.” Systems thattalkdirectlytothekernelholdahigherriskthanonesthattalk