Ben’s Book of the Month: Review of “Hacking Connected Cars: Tactics, Techniques, and Procedures”

In the classic hacker movie, The Net, attackers hack the navigation system in the plane on which one of the characters is aboard. It directs him to fly into a pole, leading to his death. That scene shows that nothing instills fear in the public like having planes hacked out of the sky.

Last year, IOActive security researcher Ruben Santamarta dropped a bombshell at the Black Hat 2019 conference that the Boeing Dreamliner is susceptible to hacking. While he left it as a theoretical threat, the media, not understanding the more in-depth technical and security issues involved, wrote it up as though the plane were in imminent danger. The fact is, as I had written, the Dreamliner can’t be hacked out of the sky, or even in the air. 

But what can be hacked today are computers on wheels, also known as cars. In Hacking Connected Cars: Tactics, Techniques, and Procedures (Wiley 978-1119491804), author Alissa Knight has written an engaging guide for those who want to understand some of the threats to, and how to hack into parts of, connected cars and autonomous vehicles.

Sponsorships Available

Sponsorships Available

Sponsorships Available

While the gold standard on the topic of car hacking is The Car Hacker’s Handbook: A Guide for the Penetration Tester, Knight provides the reader with a good overview of how one can both hack into specific systems in a connected car, and how to mitigate those vulnerabilities.

She opens the book with the notion that automotive cybersecurity is perhaps the most unique and challenging security problem that humankind has ever faced. While that observation may include more than a bit of hyperbole, it is debatable whether the car manufacturers today are doing all they can to mitigate the many security risks. As Knight indicates, they certainly can do a better job. I would suggest they could do a significantly better job. 

Today’s newer cars have evolved to a computer network on wheels, and they scream out to be hacked. And it is not just cars; every mode of transportation has networked systems. Even John Deere—the world’s largest agricultural machinery maker—holds that farmers don’t own their tractors. Because computer code snakes through the DNA of modern tractors, farmers receive “an implied license for the life of the vehicle to operate the vehicle.” Perhaps a future version of the book will be about hacking farm equipment. 

The book is not a comprehensive guide to all aspects of a connected car, as it focuses mainly on the entertainment and information systems, in addition to the telematic control unit (TCU), which is the system on the vehicle that controls its tracking.

Knight details how to use numerous hacking tools to perform penetration tests of these systems. But these are limited to these systems via wireless and Bluetooth connectivity. 

In these autonomous vehicles, it is the Controller Area Network (CAN bus) that allows all systems to interact and communicate. The book does not discuss hacking the CAN bus, where complete control of the vehicle could result in its complete takeover. 

At 225 pages, the book provides a solid introduction to the topic. Some years ago, a car manual was under 50 pages. Now, Tesla manuals are larger than this book, indicating the complexity of today’s cars. 

For those who want to gain a better understanding of what is going on under your car’s hood, and within its computer systems, Hacking Connected Cars is a good start to comprehending that network on wheels.