THE CAR HACKER’S HANDBOOK A Guide for the Penetration Tester Craig Smith San Francisco THE CAR HACKER’S HANDBOOK. Copyright © 2016 by Craig Smith. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. 20 19 18 17 16 1 2 3 4 5 6 7 8 9 ISBN-10: 1-59327-703-2 ISBN-13: 978-1-59327703-1 Publisher: William Pollock Production Editor: Laurel Chun Cover Illustration: Garry Booth Interior Design: Octopod Studios Developmental Editors: Liz Chadwick and William Pollock Technical Reviewer: Eric Evenchick Copyeditor: Julianne Jigour Compositor: Laurel Chun Proofreader: James Fraleigh Indexer: BIM Indexing & Proofreading Services The following code and images are reproduced with permission: Figures 5-3 and 5-7 © Jan-Niklas Meier; Figures 6-17 and 6-18 © Matt Wallace; Figures 8-6, 8-7, 8-8, and 8-20 © NewAE Technology Inc.; Brute-forcing keypad entry code on pages 228–230 © Peter Boothe; Figures 13-3 and A-6 © Jared Gould and Paul Brunckhorst; Figures A-1 and A-2 © SECONS Ltd., http://www.obdtester.com/pyobd/; Figure A-4 © Collin Kidder and EVTV Motor Werks. For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 245 8th Street, San Francisco, CA 94103 phone: 415.863.9900; [email protected] www.nostarch.com Library of Congress Cataloging-in-Publication Data Names: Smith, Craig (Reverse engineer), author. Title: The car hacker's handbook: a guide for the penetration tester / by Craig Smith. Description: San Francisco : No Starch Press, [2016] | Includes index. Identifiers: LCCN 2015038297| ISBN 9781593277031 | ISBN 1593277032 Subjects: LCSH: Automotive computers--Security measures--Handbooks, manuals, etc. | Automobiles--Performance--Handbooks, manuals, etc. | Automobiles--Customizing--Handbooks, manuals, etc. | Penetration testing (Computer security)--Handbooks, manuals, etc. | Automobiles--Vandalism--Prevention--Handbooks, manuals, etc. Classification: LCC TL272.53 .S65 2016 | DDC 629.2/72--dc23 LC record available at http://lccn.loc.gov/2015038297 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. About the Author Craig Smith ([email protected]) runs Theia Labs, a security research firm that focuses on security auditing and building hardware and software prototypes. He is also one of the founders of the Hive13 Hackerspace and Open Garages (@OpenGarages). He has worked for several auto manufacturers, where he provided public research on vehicle security and tools. His specialties are reverse engineering and penetration testing. This book is largely a product of Open Garages and Craig’s desire to get people up to speed on auditing their vehicles. About the Contributing Author Dave Blundell ([email protected]) works in product development, teaches classes, and provides support for Moates.net, a small company specializing in pre-OBD ECU modification tools. He has worked in the aftermarket engine management sphere for the past few years, doing everything from reverse engineering to dyno tuning cars. He also does aftermarket vehicle calibration on a freelance basis. About the Technical Reviewer Eric Evenchick is an embedded systems developer with a focus on security and automotive systems. While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition. Currently, he is a vehicle security architect for Faraday Future and a contributor to Hackaday. He does not own a car. BRIEF CONTENTS Foreword by Chris Evans Acknowledgments Introduction Chapter 1: Understanding Threat Models Chapter 2: Bus Protocols Chapter 3: Vehicle Communication with SocketCAN Chapter 4: Diagnostics and Logging Chapter 5: Reverse Engineering the CAN Bus Chapter 6: ECU Hacking Chapter 7: Building and Using ECU Test Benches Chapter 8: Attacking ECUs and Other Embedded Systems Chapter 9: In-Vehicle Infotainment Systems Chapter 10: Vehicle-to-Vehicle Communication Chapter 11: Weaponizing CAN Findings Chapter 12: Attacking Wireless Systems with SDR Chapter 13: Performance Tuning Appendix A: Tools of the Trade Appendix B: Diagnostic Code Modes and PIDs Appendix C: Creating Your Own Open Garage Abbreviations Index CONTENTS IN DETAIL FOREWORD by Chris Evans ACKNOWLEDGMENTS INTRODUCTION Why Car Hacking Is Good for All of Us What’s in This Book 1 UNDERSTANDING THREAT MODELS Finding Attack Surfaces Threat Modeling Level 0: Bird’s-Eye View Level 1: Receivers Level 2: Receiver Breakdown Threat Identification Level 0: Bird’s-Eye View Level 1: Receivers Level 2: Receiver Breakdown Threat Rating Systems The DREAD Rating System CVSS: An Alternative to DREAD Working with Threat Model Results Summary 2 BUS PROTOCOLS The CAN Bus The OBD-II Connector Finding CAN Connections CAN Bus Packet Layout The ISO-TP Protocol The CANopen Protocol The GMLAN Bus The SAE J1850 Protocol The PWM Protocol The VPW Protocol The Keyword Protocol and ISO 9141-2 The Local Interconnect Network Protocol The MOST Protocol MOST Network Layers MOST Control Blocks Hacking MOST The FlexRay Bus Hardware Network Topology Implementation FlexRay Cycles Packet Layout Sniffing a FlexRay Network Automotive Ethernet OBD-II Connector Pinout Maps The OBD-III Standard Summary 3 VEHICLE COMMUNICATION WITH SOCKETCAN Setting Up can-utils to Connect to CAN Devices Installing can-utils Configuring Built-In Chipsets Configuring Serial CAN Devices Setting Up a Virtual CAN Network The CAN Utilities Suite