A how-to for car hackers

  • 22-Sep-2016 01:57 EDT
CarHacker book cover.jpg

The new vehicle you’ve just spent 40 months engineering, testing and validating, that’s soon to be in customer hands, is now a big, fat target. The hackers want in.

How robust was your threat modeling during development? Where among the vehicle’s many potential entry points—the high-risk “attack surfaces” including Bluetooth, Wi-Fi, USB, the OBDII port, tire pressure monitoring system, infotainment, CAN bus, sensors and even an electric car’s charging connections—could malicious external data sneak past your built-in defenses to wreak havoc?

You may have overlooked a potential vulnerability, somewhere within the dozens of microprocessors, the 100 million or more lines of code and two miles of wiring that constitute a typical vehicle’s electrical architecture. The hackers might be sharper than your EEA design team—they could even be former colleagues. Their aims may range from the inquisitive to the downright sinister—vehicle theft, remote shut down, taking over control or installing ransomware.

As Delphi engineering VP Mary Gustanski has noted, it’s not so much a question of “if” your increasingly complex electrical architecture gets hacked. It’s more about how quickly you can identify and “box” the intrusion when it happens.

The automotive cyber wars are just getting started. Regardless of what side of the battle you’re on, there are valuable insights into the other guy’s strategies and tactics in The Car Hacker's Handbook (No Starch Press, 304 pages, $49.95) published last spring. Author Craig Smith, a bright and articulate engineer, has worked at auto companies and runs a research firm, Theia Labs, specializing in security auditing and hardware/software prototyping. He is also founder of the Hive13 hackerspace and OpenGarages.org online community of vehicle-security probers and “penetrators”. He’s even spoken at SAE International professional events.

Smith’s subject expertise is apparent in this first-ever dive deep into the multi-layered computer networks of today’s vehicles—and what makes them (and the V2X infrastructure) vulnerable to attack and manipulation.

“A primary reason for writing the book was actually to help make the next generation of vehicles more secure,” Smith told me by phone soon after his book was announced. “As vehicles get more connected and complex we need more car hackers so we all can know more about the security risks,” he asserted. That’s useful for the electrical architecture design teams that are one audience for the book.

I’m not an EE but I’ve successfully unraveled some frustrating electrical mysteries in my own vehicles over the years. Smith’s writing is nicely balanced for guiding both the hacking novice and expert. His editors made sure the neatly organized and well-illustrated format presents plenty of relevant examples in good “how to” detail.

Topics include how to write Metasploit payloads to attack the infotainment system and take control of a vehicle's engine, steering, brakes, temperature control, door locks and more; reverse engineer the CAN bus and hack the ECU; feed exploits to a vehicle through V2V communication systems, and override factory settings to improve engine performance.

No matter where you stand on the vehicle cybersecurity issue—and perhaps like me you need to learn more about this subject—The Car Hacker's Handbook is an excellent guide and reference. Let’s hope Smith’s publisher keeps it updated.

No Starch Press: http://www.nostarch.co ; orders@nostarch.com. 1-800-420-7240.

HTML for Linking to Page
Page URL
Rate It
2.60 Avg. Rating

Read More Articles On

Euro NCAP will establish a separate category for autonomous vehicles, but there is not likely to be one for cars that are claimed to protect all occupants from serious injury or death.
Motion sickness in autonomous vehicles is the new "elephant in the room," with engineers suffering during autonomous-driving simulator runs. Researchers are working to solve this nasty issue.
Range anxiety is not just affecting EV drivers on the road; it is also a significant hurdle for Formula E teams on the track. U.K. simulator specialist rFpro says its technology can help.
CEO John Krafcik told the Automobili-D audience in Detroit that Waymo is building its own hardware suite with a fully top-to-bottom, full-stack approach. The classic auto industry vertical integration includes all vision sensors, radars and LiDAR, along with related “AI compute” artificial-intelligence platform.

Related Items

Training / Education
Training / Education
Technical Paper / Journal Article
Technical Paper / Journal Article
Training / Education
Technical Paper / Journal Article