The Car Hacker's Handbook

Book description

Modern cars are more computerized than ever. Infotainment and navigation systems, Wi-Fi, automatic software updates, and other innovations aim to make driving more convenient. But vehicle technologies haven't kept pace with today's more hostile security environment, leaving millions vulnerable to attack.

The Car Hacker's Handbook will give you a deeper understanding of the computer systems and embedded software in modern vehicles. It begins by examining vulnerabilities and providing detailed explanations of communications over the CAN bus and between devices and systems.

Then, once you have an understanding of a vehicle's communication network, you'll learn how to intercept data and perform specific hacks to track vehicles, unlock doors, glitch engines, flood communication, and more. With a focus on low-cost, open source hacking tools such as Metasploit, Wireshark, Kayak, can-utils, and ChipWhisperer, The Car Hacker's Handbook will show you how to:

  • Build an accurate threat model for your vehicle
  • Reverse engineer the CAN bus to fake engine signals
  • Exploit vulnerabilities in diagnostic and data-logging systems
  • Hack the ECU and other firmware and embedded systems
  • Feed exploits through infotainment and vehicle-to-vehicle communication systems
  • Override factory settings with performance-tuning techniques
  • Build physical and virtual test benches to try out exploits safely

If you're curious about automotive security and have the urge to hack a two-ton computer, make The Car Hacker's Handbook your first stop.

Table of contents

  1. Cover Page
  2. Praise for "The Car Hacker's Handbook"
  3. Title Page
  4. Copyright Page
  5. About the Author
  6. About the Contributing Author
  7. About the Technical Reviewer
  8. Brief Contents
  9. Contents in Detail
  10. Foreword by Chris Evans
  11. Acknowledgments
  12. Introduction
    1. Why Car Hacking Is Good for All of Us
    2. What’s in This Book
  13. Chapter 1: Understanding Threat Models
    1. Finding Attack Surfaces
    2. Threat Modeling
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    3. Threat Identification
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    4. Threat Rating Systems
      1. The DREAD Rating System
      2. CVSS: An Alternative to DREAD
    5. Working with Threat Model Results
    6. Summary
  14. Chapter 2: Bus Protocols
    1. The CAN Bus
      1. The OBD-II Connector
      2. Finding CAN Connections
      3. CAN Bus Packet Layout
      4. The ISO-TP Protocol
      5. The CANopen Protocol
      6. The GMLAN Bus
    2. The SAE J1850 Protocol
      1. The PWM Protocol
      2. The VPW Protocol
    3. The Keyword Protocol and ISO 9141-2
    4. The Local Interconnect Network Protocol
    5. The MOST Protocol
      1. MOST Network Layers
      2. MOST Control Blocks
      3. Hacking MOST
    6. The FlexRay Bus
      1. Hardware
      2. Network Topology
      3. Implementation
      4. FlexRay Cycles
      5. Packet Layout
      6. Sniffing a FlexRay Network
    7. Automotive Ethernet
    8. OBD-II Connector Pinout Maps
    9. The OBD-III Standard
    10. Summary
  15. Chapter 3: Vehicle Communication with SocketCAN
    1. Setting Up can-utils to Connect to CAN Devices
      1. Installing can-utils
      2. Configuring Built-In Chipsets
      3. Configuring Serial CAN Devices
      4. Setting Up a Virtual CAN Network
    2. The CAN Utilities Suite
      1. Installing Additional Kernel Modules
      2. The can-isotp.ko Module
    3. Coding SocketCAN Applications
      1. Connecting to the CAN Socket
      2. Setting Up the CAN Frame
      3. The Procfs Interface
    4. The Socketcand Daemon
    5. Kayak
    6. Summary
  16. Chapter 4: Diagnostics and Logging
    1. Diagnostic Trouble Codes
      1. DTC Format
      2. Reading DTCs with Scan Tools
      3. Erasing DTCs
    2. Unified Diagnostic Services
      1. Sending Data with ISO-TP and CAN
      2. Understanding Modes and PIDs
      3. Brute-Forcing Diagnostic Modes
      4. Keeping a Vehicle in a Diagnostic State
    3. Event Data Recorder Logging
      1. Reading Data from the EDR
      2. The SAE J1698 Standard
      3. Other Data Retrieval Practices
    4. Automated Crash Notification Systems
    5. Malicious Intent
    6. Summary
  17. Chapter 5: Reverse Engineering the CAN Bus
    1. Locating the CAN Bus
    2. Reversing CAN Bus Communications with can-utils and Wireshark
      1. Using Wireshark
      2. Using candump
      3. Grouping Streamed Data from the CAN Bus
      4. Using Record and Playback
      5. Creative Packet Analysis
      6. Getting the Tachometer Reading
    3. Creating Background Noise with the Instrument Cluster Simulator
      1. Setting Up the ICSim
      2. Reading CAN Bus Traffic on the ICSim
      3. Changing the Difficulty of ICSim
    4. Reversing the CAN Bus with OpenXC
      1. Translating CAN Bus Messages
      2. Writing to the CAN Bus
      3. Hacking OpenXC
    5. Fuzzing the CAN Bus
    6. Troubleshooting When Things Go Wrong
    7. Summary
  18. Chapter 6: ECU Hacking
    1. Front Door Attacks
      1. J2534: The Standardized Vehicle Communication API
      2. Using J2534 Tools
      3. KWP2000 and Other Earlier Protocols
      4. Capitalizing on Front Door Approaches: Seed-Key Algorithms
    2. Backdoor Attacks
    3. Exploits
    4. Reversing Automotive Firmware
      1. Self-Diagnostic System
      2. Library Procedures
      3. Comparing Bytes to Identify Parameters
      4. Identifying ROM Data with WinOLS
    5. Code Analysis
      1. A Plain Disassembler at Work
      2. Interactive Disassemblers
    6. Summary
  19. Chapter 7: Building and Using ECU Test Benches
    1. The Basic ECU Test Bench
      1. Finding an ECU
      2. Dissecting the ECU Wiring
      3. Wiring Things Up
    2. Building a More Advanced Test Bench
      1. Simulating Sensor Signals
      2. Hall Effect Sensors
    3. Simulating Vehicle Speed
    4. Summary
  20. Chapter 8: Attacking ECUs and Other Embedded Systems
    1. Analyzing Circuit Boards
      1. Identifying Model Numbers
      2. Dissecting and Identifying a Chip
    2. Debugging Hardware with JTAG and Serial Wire Debug
      1. JTAG
      2. Serial Wire Debug
      3. The Advanced User Debugger
      4. Nexus
    3. Side-Channel Analysis with the ChipWhisperer
      1. Installing the Software
      2. Prepping the Victim Board
    4. Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks
      1. Prepping Your Test with AVRDUDESS
      2. Setting Up the ChipWhisperer for Serial Communications
      3. Setting a Custom Password
      4. Resetting the AVR
      5. Setting Up the ChipWhisperer ADC
      6. Monitoring Power Usage on Password Entry
      7. Scripting the ChipWhisperer with Python
    5. Fault Injection
      1. Clock Glitching
      2. Setting a Trigger Line
      3. Power Glitching
      4. Invasive Fault Injection
    6. Summary
  21. Chapter 9: In-Vehicle Infotainment Systems
    1. Attack Surfaces
    2. Attacking Through the Update System
      1. Identifying Your System
      2. Determining the Update File Type
      3. Modifying the System
      4. Apps and Plugins
      5. Identifying Vulnerabilities
    3. Attacking the IVI Hardware
      1. Dissecting the IVI Unit’s Connections
      2. Disassembling the IVI Unit
    4. Infotainment Test Benches
      1. GENIVI Meta-IVI
      2. Automotive Grade Linux
    5. Acquiring an OEM IVI for Testing
    6. Summary
  22. Chapter 10: Vehicle-to-Vehicle Communication
    1. Methods of V2V Communication
    2. The DSRC Protocol
      1. Features and Uses
      2. Roadside DSRC Systems
      3. WAVE Standard
      4. Tracking Vehicles with DSRC
    3. Security Concerns
    4. PKI-Based Security Measures
      1. Vehicle Certificates
      2. Anonymous Certificates
      3. Certificate Provisioning
      4. Updating the Certificate Revocation List
      5. Misbehavior Reports
    5. Summary
  23. Chapter 11: Weaponizing CAN Findings
    1. Writing the Exploit in C
      1. Converting to Assembly Code
      2. Converting Assembly to Shellcode
      3. Removing NULLs
      4. Creating a Metasploit Payload
    2. Determining Your Target Make
      1. Interactive Probing
      2. Passive CAN Bus Fingerprinting
    3. Responsible Exploitation
    4. Summary
  24. Chapter 12: Attacking Wireless Systems with SDR
    1. Wireless Systems and SDR
      1. Signal Modulation
    2. Hacking with TPMS
      1. Eavesdropping with a Radio Receiver
      2. TPMS Packets
      3. Activating a Signal
      4. Tracking a Vehicle
      5. Event Triggering
      6. Sending Forged Packets
    3. Attacking Key Fobs and Immobilizers
      1. Key Fob Hacks
      2. Attacking a PKES System
      3. Immobilizer Cryptography
      4. Physical Attacks on the Immobilizer System
      5. Flashback: Hotwiring
    4. Summary
  25. Chapter 13: Performance Tuning
    1. Performance Tuning Trade-Offs
    2. ECU Tuning
      1. Chip Tuning
      2. Flash Tuning
    3. Stand-Alone Engine Management
    4. Summary
  26. Appendix A: Tools of the Trade
    1. Hardware
      1. Lower-End CAN Devices
      2. Higher-End CAN Devices
    2. Software
      1. Wireshark
      2. PyOBD Module
      3. Linux Tools
      4. CANiBUS Server
      5. Kayak
      6. SavvyCAN
      7. O2OO Data Logger
      8. Caring Caribou
      9. c0f Fingerprinting Tool
      10. UDSim ECU Simulator
      11. Octane CAN Bus Sniffer
      12. AVRDUDESS GUI
      13. RomRaider ECU Tuner
      14. Komodo CAN Bus Sniffer
      15. Vehicle Spy
  27. Appendix B: Diagnostic Code Modes and PIDs
    1. Modes Above 0x10
    2. Useful PIDs
  28. Appendix C: Creating Your Own Open Garage
    1. Filling Out the Character Sheet
      1. When to Meet
      2. Affiliations and Private Memberships
      3. Defining Your Meeting Space
      4. Contact Information
      5. Initial Managing Officers
      6. Equipment
  29. Abbreviations
  30. Index
  31. Footnotes

Product information

  • Title: The Car Hacker's Handbook
  • Author(s): Craig Smith
  • Release date: February 2016
  • Publisher(s): No Starch Press
  • ISBN: 9781593277031