The Hacker Mind Podcast: Car Hacking 0x05
We haven’t seen many attacks on our smart cars. That’s perhaps because of a dedicated group of hackers who are working to improve automotive security.
Robert Leale, the driving force behind the Car Hacking village at DEF CON, joins The Hacker Mind to talk about CANBus basics, and whether we’ll see cars subjected to ransomware attacks. He also shares some tools, books, and website resources that you can use to get started hacking cars yourself.
Vamosi: That familiar beep beep as you walk away through a parking lot or garage is enough assurance from most that our car is both locked and safe in my first book, when gadgets betray us. I profiled a young streetwise Carthy who graduated from using a pair of common scissors to steal expensive sports cars off the streets of Prague to using a common laptop to pop open the doors.
The remote communication between a key fob and a car is encoded over the air. You can do what’s called a replay attack by capturing the codes and replaying them, or you can use a previously successful rollover sequence to calculate the key fob code of the next car from the same manufacturer. This is smart for a career criminal working independently of the gang, since he could build his own database through trial and error. This is also risky, when he was arrested in 2006, the Prague Post reported that the thief had the code for 150 stolen cars still on his laptop, enough evidence to convict him.
The point here is that we aren’t used to thinking about our cars as computing devices, and yet they are if common thieves are using laptops and mobile devices to gain access to them. What they do next inside the car is perhaps a bit more complicated, and it actually does require some sophisticated car knowledge, but let’s be realistic, automakers today aren’t necessarily computer security experts, so they can’t realistically be expected to secure our vehicles from all types of attack. Fortunately, there’s a group of automotive hackers that are trying to help. And in a moment you’ll hear from one.
Vamosi: Welcome to the hacker mind an original podcast from for all secure, it’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi, and in this episode, I’m talking about hacking vehicles, starting with the basics of what is a CANBus and why it’s important to whether we’ll see a day when cars are subjected to ransomware attacks, and I’ll conclude with some tools, books, and website resources that you can use to get started hacking cars yourself
Vamosi: In 2016 I took a two day car hacking training session at BlackHat USA in Las Vegas. This was one year after the Jeep Cherokee remote hack. In that case, rather than just reporting the vulnerability, the researchers had some fun. They had a reporter in the driver’s seat on a Missouri interstate during rush hour, and captured on video how the researchers remotely turned off the brake system. The video led to Fiat Chrysler Automobiles initiating one of the largest automotive recalls in US history, and rightly so, disabling the brakes on a moving vehicle is dangerous to the driver and other vehicles on the road. But remote hacks of vehicles are rare for a number of reasons, as we will hear from someone who knows car systems both inside and out.
Leale: I’ve been working with in the automotive industry, I live in the Detroit metro area, and I, I’m obviously infamous and well known in some circles,
Vamosi: That’s Robert Leale, my car hacking instructor at BlackHat. He’s from CANbushack.com, and he’s also the founder of the annual car hacking village at DEF CON. And he’s been working with the automotive industry for years as a consultant and a hacker.
Leale: I mean it’s a love-hate relationship as you can imagine. And we do, we do work with them right that’s what’s interesting, like we work with them because they have reasons and needs for companies to interact with their systems to test them, etc. But at the same time, you know, it’s still a political battle, as well, you know, you know, manufacturers aren’t just one person, like, like big companies or one person, and that’s the thing that I’ve learned over the years, like you could be one person who hates me, doesn’t want want to talk, talk to to Robert but at the same time in that same organization there may be a group of 10 people who were like hey let’s hire him because he knows he’s the best guy for the job right, so, so it’s just sort of a, It’s, it’s, it’s, it’s a mixed emotion kind of thing
Vamosi: Before we can start to hack a car, we need to understand how a car works. With the exception of a Tesla, perhaps not many are designed as a computer system on wheels, rather, cars today consist of dozens of individual computers actually embedded systems are microcontrollers, that need to communicate and coordinate with each other almost instantaneously. So you don’t have one computer, you actually have many throughout the vehicle.
Leale: Yeah, so they’re there, you’ll have individual controllers, one might be attributed to the brake and the traction control system we like handles all of them at the same time and it because it’s connected to the braking system, it doesn’t necessarily apply the brakes, but it monitors the braking system but there’s any failures, where you might have one that’s connected to the engine it’s managing the engine. So if the engine needs to fire a particular cylinder it manages the fuel, the air fuel ratio, etc. So,
Vamosi: These individual microcontrollers are called Electronic Control Units or ECUs.
Leale: That’s correct: electronic control unit.
Vamosi: The exact number of these ECUs varies depending on the price of the car or the needs of the manufacturer.
Leale: It just depends on what the goal is of the manufacturer. If that’s the best way to describe it. So for some cars, their goal is to sell them at a really low cost right so they’ll only put a few of these controllers in there to save on costs because they’re kind of expensive. Whereas some manufacturers are going for features that estimate costs, the more features, the more control there is you’ll typically have because the controllers kind of manage the features that are in the vehicle.
Vamosi: Some of these microcontroller ECUs are binary, they’re either on or they’re off, although some have gotten to be pretty sophisticated over time.
Leale: Yeah, so I mean they’re changing ever so slightly. You know with modern vehicles, they’re actually becoming like they’re running on bluetooth, they’re running the Android operating system. So, so some controllers are very basic engine controller, its job is really simple, fire some cylinders, it just, it does a lot of simple things, just hundreds and hundreds of simple things, whereas you think about, you know, on a Tesla, maybe your center display might have to display the map and have some apps loading, you got your, you got Spotify running, you know, all of those other things. So, those are more computers than what we’re used to the standard interface. So it just depends on what it’s, again, the goal of that particular controller.
Vamosi: What unites these microcontrollers is not an operating system, rather it’s a bus. What’s that? A bus is a communication system that transfers data between components. It does so by sending that data to all the CPUs at once. And if it’s meant for the brakes, then that ECU will respond. All the others will listen for the next packet, it might be for them.
Leale: I guess you know it’s funny, yesterday I was explaining that .. I’ve got 10-year-old twins … and I was explaining this exact question to them. So I’ll pretend like I’m explaining it to my 10-year-old twins because I know how to do this now. A CANBus is a Controller Area Network, and essentially links controllers which are ostensibly computers that are in the vehicle to each other so they can all talk at the same time. But the unique part is the bus. So when one controller sends a message, because it’s a bus topology of a network, all of the messages are received simultaneously by all of the other nodes, which gives it a unique some unique features that maybe you won’t see in like an Ethernet style typical network
Vamosi: Ethernet is a wired network. You’re probably familiar with an Ethernet in an office network computing system where it is designed to route large amounts of data quickly,
Leale: So some vehicles are starting to add, and have been for a little while but it’s becoming more of a thing, they’re adding Ethernet. But not your typical Ethernet your four wire two pair or two or three pair, Ethernet, you’re getting a single pair so to wire Ethernet,
Vamosi: Apart from the brakes and lights and such that are needed to operate the car manufacturers have been investing more and more in interesting dashboards which require web browsers, which allow for apps to be downloaded and run from the internet,
Leale: They’re using it to transfer data like it like reflashing controllers. They’re using it for media systems multimedia take data from the internet, like Spotify or things like that, and display and display information even newer
Vamosi: Some cars have sophisticated crash avoidance systems that require active sensors throughout the vehicle, and that requires even more data available through the automotive Ethernet.
Leale: Some of the new cars that are going to be coming out have LIDAR
Vamosi: LIDAR stands for light detection and ranging, and it’s used to measure distances, say, How far away is that car ahead of you
Leale: And Lidar is really bug; it’s got a lot of data. Cannabis just couldn’t handle the amount of data that’s coming through that audio video data is going through, they’re just things that need more bandwidth that CAN bus has a lot of limitations with regard to bandwidth but it does really good for real time, but really bad for bandwidth. So for bandwidth intensive applications, Ethernet really solves that problem.
Vamosi: Interesting side topic to reduce your consumption, the automotive industry has been trying to reduce the overall weight of the car, given that we are adding Ethernet systems to every car, that’s actually a substantial amount of weight that just goes for cabling cabling in any car, to some degree, CAN bus, or even more than one CANBus does cut down on the amount of cabling required.
Leale: Yeah, the CANBus is. It’s the best. I mean, just like a network in your, in your office, it’s the best way to get, you know, data from one to the other, because if your display wants to display the vehicle speed, right, the only way to really get that information without without having a wire running directly from the display to a sensor at the wheel, or at some motor that’s output it to the wheel is to get it from a network that where that controllers already sit sensing the value so why not share it. And yeah, so they’ll connect these things to the CANBus.
Vamosi: So you’re probably wondering why there isn’t one holistic operating system for every car. Well, that’s not how the computerization of automobiles came about.
Leale: So how do we get to not having an operating system. Well, I mean some of them do have operating systems so it’s really the beginning like operating systems, take a lot of memory resources, and they, they’re slow
Vamosi: cars are life critical systems decisions need to be made in nanoseconds, you tap on the brake, you expect a response instantaneously, having a full on an operating system, it lacks the speed you can get with a CAN bus, I mean
Leale: they’re way too slow to fire an engine. You can’t run an operating system if you’re running like even real time Linux, you probably couldn’t do a very good job of activating the cylinders on your, on your engine controller so even an operating system, it has limitations and so why even bother. You know, if you can’t do the application, because of the limitation, why even bother with an operating system in that situation so so forego an operating system, run your application directly on the controller, and just run it and see, right, like, there’s no reason to have an operating system except for building applications on top of it, that manage resources, like if you’re building everything, like it’s monolithic, it’s really not as important of a requirement.
Vamosi: That’s not to say the average car is ancient, and unchanging. Given the efficiency of the CANBus, you’re starting to see more and more CANBuses layered on top of each other.
Leale: I’d recently saw a future specification for a vehicle that included eight zero 80 CANBuses at which it was, it was sort of like the, this is everything possible, not necessarily what will be there but there’s everything if, if we were to make a vehicle, and we put everything on it, which we won’t know this is like our roadmap, we can select and choose but that one had 80 CANBuses on it. So, what they’re doing is they’re moving away from CANBus being like the central way that controllers will communicate, and it’s more of, they’re kind of pushing it to the edges. They’re kind of making the CANBus. The control between like the thing that needs the control to happen, and the actual controller that’s performing the function so that still has some real time aspects of it, while allowing Ethernet automotive Ethernet backbone so you can have like a gigabit backbone and like 100 megabit like branches to a CANBus, it’s, it’s quite interesting what the concept, the new concepts are coming out.
Vamosi: So now that we have a basic understanding of what’s going on inside the average car. Let’s start over again. Why would anybody want to hack a car?
Leale: Well for me personally, I like to change features of my car like to not not like, I like to add in modify features of my own car, so I kind of started where I wanted to, I started way back, a long long time ago, actually before CANBus was really in cars. I added a computer to my car back before they were really adding , like, like you had nav systems, that’s how long I’ve been hacking cars. And so I really was interested in integrating a computer with my car so I could do more controls, and I think that’s a really valid reason to hack a car, just for your own personal,
Vamosi: Perhaps because cars lack a modernized operating system, the communications over the CANBus tends to be proprietary, I found this particularly frustrating in Roberts class at BlackHat, you’d have to listen to the communication over the CANBus and then observe the end result on the ECU to understand what each signal means each manufacturer uses its own signals, and it’s almost like being back at square one. That’s because the auto manufacturers didn’t communicate how they built their systems out and developed them independently. Some of that was on purpose.
Leale: They are silos in of themselves like everything is built in fact is intentionally designed to be completely different from their competitors because that’s their competitive advantage. Right. The fact that they’re not sharing this information, now that is slowly eroding, we’re starting to see a little bit more standardization at least conceptually standardization, because it’s getting way more complicated, especially as at Ethernet, so they really need to like all of the manufacturers are kind of coming together and these consortiums to to work together over the sit similar problems just because the cost is super high now they’ll still keep their competitive advantage, but they’ll write software for smaller modules that make their vehicles a little bit more unique, whereas the things that everybody the problem that everybody’s got to solve they’re kind of pushing that up to these consortiums that are solving. Instead, they’re, they’re supplying their own engineers to be a part of the consortium but they’re letting these consortiums kind of work it out together so that everybody kind of makes better tools and things like that to work.
Vamosi: So there are some immediate positives to having Toyotas communicate one way, and Mercedes communicate entirely a different way, figuring out how to hack a Hyundai, doesn’t mean that you can go down the street and hack a Ford that that is absolutely the case yes
Leale: And that’s I think that’s this security through this to just not not being all part of the same ecosystem, I think it’s a really good term, because they have different suppliers essentially that are supplying these telemetry control systems. Because of that, you know that the G pack that happened, you know, in 2016 So back when you were going to take my course that hack affected. One of the suppliers, which was a company called Harmon. And they, they just didn’t password protect something as simple as that, that they, if they had added a password, it would have made that a little bit more difficult honestly impossible but more difficult to to propagate that particular bug.
Vamosi: The researchers who hacked the Jeep Cherokee, found a bug in the Harman Kardon head unit in the dashboard. Harmon is a common supplier to many automotive manufacturers. So why didn’t Ford or GM have the same problem? Well, it’s in the way in which Fiat Chrysler Automobiles happened to implement it.
Leale: When you look at the General Motors, they didn’t suffer from the same attack, because it was a different manufacturer and everything about it. Nothing was the same that the way the servers connected with the password, all of that stuff was completely different. And so they weren’t affected at all, they had different operating systems like if you wrote a virus for Mac and you or you wrote a virus for a PC it wouldn’t, they wouldn’t affect each other.
Vamosi: Up until recently cars didn’t connect directly to the internet. Now, some cars have their own cellular connections for navigation systems and telemetry. Now, cars have the ability to connect directly to the internet and download apps. If you recall from the early days of PCs, internet connection that’s when all the fun and games started happening with worms and viruses, and more recently with ransomware,
Leale: I can neither confirm nor deny that maybe there are potential ransomware applications that are possible, especially as they’re interconnecting these vehicle systems to the internet right so in the beginning, we think about a lot of people that might not have been around at the time but before the internet. It’ll be one of those lucky guys who gets remembered before the internet. If you had a virus, you transferred over floppy disks right and that was a really slow way for a virus to propagate. And that’s kind of where cars are and have been for a long time. If there was a virus, it didn’t propagate very well, very easily. You had to connect you to each individual vehicle to propagate that virus, not a very efficient means of transport. But as we start to connect these things to the internet. We have to be aware that it’s possible, although unlikely because it’s still a very monolithic system that ransomware could be entered into the equation. It’s, it’s very low probability because the company that controls the connection or the pipe is the company that makes the car or is affiliated with the company that makes the car. They have very strict controls over it. But as that changes, which it’s likely going to, we could see some real interesting effects, and attended or attended effects. Regarding that, but that’s neither here nor there. As far as I know there hasn’t been any confirmed ransomware cases. So hacking the cars is just dependent on the application or whatever, whatever application you’re trying to do
Vamosi: As cars become more computerized, only the dealerships had a way to unlock them. This makes it challenging then for the corner mechanic to service different makes and models of cars. And that’s perhaps why you see these independent shops starting to specialize in specific makes and models, someone or some organization then needed to step in and track what’s going on in these different systems.
Leale: There is a company or an organization called E tools, that that is sort of the clearinghouse for diagnostic information that the manufacturers are required by law as per the right to repair act now, they don’t give it out to individuals they give it out to companies that are building tools that will connect to the system so it’s the requirement is not that individuals have access, not in the United States, that that has actually changed recently for persons in the state of Massachusetts, where the laws are a little bit different.
Vamosi: I talked about the right to repair movement in Episode 14, with Paul Roberts who happens to live in Massachusetts that state has some of the most progressive right to repair laws on the books, and that state is more or less responsible for the data that we can access from our cars,
Leale: every other state, sort of follows this right to repair, where tool companies can be a part of the tools, if they want to, for the most part, get all of the diagnostic information that a scan tool which is a service tool that a dealership might use that they plug in and say, Hey, what’s wrong with your car. They don’t want just the dealerships to have access to that solely and create a monopoly, they, they allow other companies to make their own tools, and that’s what he tools essentially it’s it’s charters to help those other companies with the data
Vamosi: Automakers already had an onboard diagnostics port and OBD, but it was located in the engine area, Perhaps in response to early right to repair requests the automotive industry started sharing more information about a second onboard diagnostics port or OBD two one located not more than two feet away from the steering column of any vehicle for easy access. It’s a 16 pin J 1962 female connector that provides an external interface into the inner workings of the automobile.
Leale: That’s 100% Yeah, that’s what it’s designed for using the OBD two point.
Vamosi: Now there are specific packets of data that can be retrieved from the OBD two port, such as error codes, but this also creates in some cases the opportunity to externally pass information back to the CANBus. Realizing this, automakers put in some safeguards.
Leale: In fact, yes in fact that’s one of the big takeaways from the G pack that Chrysler did, and still others are catching up to is they added what they, what they call their secure gateway.
Vamosi: The Chrysler Secure Gateway is a kind of firewall that doesn’t allow everyone to send data to the car. It has to be controlled by the vendor. And in order to access certain diagnostic functions. The Secure Gateway requires registration and authentication through an approved device for aftermarket use.
Leale: The challenge is the OBD two port is kind of this. Anybody can plug into it, you know if somebody has access to it they could plug into it and do some interesting things and in my classes I’ve taught people how to just send diagnostic messages, and some of those diagnostic messages are really quite simple, sending a message to turn the windshield wipers on Okay, that seems like that would distract you, of course, but what if your windshield wipers were already on, and you want to turn them off. Now that’s more than a distraction, especially in heavy rain, now you can’t see out of the windshield, or at the same time you can modify the volume and in a lot of cars you can also disable the fuel pump. You know, and you can if you activate multiple features simultaneously, while somebody is driving down the road I mean that is that you as a single person attack that’s really, really challenging. And so the Chrysler gateway actually treats the OBD two port as a hostile network, essentially that anything that’s coming through there should not be considered especially commands should not be easily, easily used
Vamosi: Of course with every security solution, someone has already found a way to defeat the Secure Gateway. There are for example cables that require you to have physical access to the car and effectively defeat the gateway that way.
Leale: Now if you bypass that security. If you bypass it like you plug in somewhere else down the line any of the other controllers that might have a connection to the cannabis Yeah, all of those, all of those precautions are gone, the controllers, except individually they’ll accept those messages as like okay that’s stuff that he went through the Secure Gateway so it must be authentic, I’ll do the thing. And so they’ll still listen but you now have to physically move, move to a different location. That being said, they are very nice of them. They actually include that physical location, like there are still ports that you can plug into that are accessible so if you have physical access to the vehicle, you know, just like anybody if you have physical access to a vehicle you would like pull a brake wire you can you can do some really interesting things to the vehicle so that being said, there is a way to bypass it but it’s it’s through a front door like a system that they’ve created to like certificates and authentication and things like that so you have to be a dealer and have a dealership login and use the dealership that they audit that so they have some traceability at least if this were to happen to somebody.
Vamosi: All of these scenarios assume that a hostile attacker would have access to the car, or physically be inside the car,
Leale: their threat model is oh so much like if somebody has physical access, we should stop them. It’s really, if somebody has access remotely, and so they also do the same thing with their telephone telematics unit so the thing that’s connected to the internet is also on the same side of the network that the OBD two port is so they hopefully prevent that same kind of attack. Now that being said, there’s probably some methods around it but not too many people are talking about those right now,
Vamosi: independent of the OBD two port, there are other wireless means of getting inside the car. I remember Dr Stephen savage at the University of San Diego, using the tire pressure sensor monitor, why. Well, if the wheel is rotating at 100 times RPM. You can’t have a physical cable connecting the tire to the car. You need a radio frequency connection, which can be intercepted and hacked, and that’s what savage researchers did on an airport tarmac they pulled alongside the target vehicle and were able to hijack the T PSM RF signal. Mind you, they can only make the dashboard warning light go on or off, but still, it was a viable attack.
Leale: Yeah the tire pressure and keyless entry systems are all RF, it just, you know the challenges because you’re not really talking to an operating system you’re really limited to what inputs have been either accidentally or purposefully put there for you to, to send messages to and for the tire pressure monitoring system, you may be able to like, obviously affect the drivers thought of, well, what’s the tire pressure add and should I pull over the side of the road right now and that’s clearly, you know, that could be used as an attack vector. So, there’s some vulnerabilities here.
Vamosi: Savages work predated vulnerabilities in modern telematics today there’s certainly large amounts of data going up to the cloud and then back down to the car, like the proprietary CANBus signals, there is a cloud data pipe that is still controlled by the vendors, it is currently still
Leale: very much in control by the vendors they have a stranglehold on it. I know that recently Massachusetts has been very progressive. They’re trying to get access to the telematics data that’s going back and forth as well because the original right to repair Act actually excluded telemetry data and now they’re just trying to re-add it back in there. To the extent that I you know I can talk about it like there are a lot there’s a lot of information, Just depends on the manufacturer what data they’re going to transfer back and forth it really they can change it anytime they want because they can do an over update to the telematics controller and almost everybody supports this now, some way to like modify what data, what what features can be updated at least over the air to the telemetry controller,
Vamosi: some telemetry systems include over the air updates, which is good for us to send out a USB to its customers and ask them to sit in the driveway, while the car was running in park while it installed the update. Most of us get these updates when we take our cars in for the dealer service. Other manufacturers though like Mercedes and certainly Tesla, simply push out the updates over the air. Mostly this is done for safety critical updates. But occasionally, there are added features as well.
Leale: Some vehicles went so far as to even add it to pass the telemetry controller. I can update another controller. I drive a Tesla, and they do this all the time. There’s constantly software updates and they update the entire vehicle. And that’s a little bit more rare, but it’s becoming commonplace. There’s a lot of value in that. And, and so there’s a lot of data, there’s a lot of information, but they don’t really disclose what that is. And even if you read the Terms of Service, they kind of just talk about it as a general blob of data. I’ve had I’ve had experiences talking with some manufacturers, I won’t say who, but for the most part a lot of the data that goes up from the car is is like you, if you use their telemetry service you’re opting in to them, collecting anonymized data like any, any, like web browser anonymized data about your view vehicle use right so they want to know how you use the vehicle, and I had an opportunity to talk to the engineer about that and he’s like, it’s great information because there are people drive differently, all the time and now we can like, understand how people drive so we can make right our software so there’s a lot of value in that. And to the extent that that that’s what it’s being used for great but you know you really don’t know what other features they could be grabbing for that information so there’s always a challenge and, you know, for the most part it’s opt in, so you have to choose to use the service on the Tesla itself there’s like, you can opt out of, you know them collecting that that same data. So they are at least smart. As far as how you control what information you have and you don’t have it being sent up to the cloud like a manufacturer of stuff now, if you had an aftermarket device that might be a totally different story.
Vamosi: In general, the remote or outside attacks on vehicles remain in the realm of fiction.
Leale: There I like to I’m gonna kind of like an inside out approach because if you try to attack the vehicle from the, from the exterior it’s kind of like it’s hard in Shell, it’s a much more difficult attack factor, but it’s from the inside out they really don’t protect it in that in the same way so you can learn a lot more about the vehicle systems by attacking from the inside out, and then what’s great is, you know, we talked about yeah there’s an ecosystem for a particular manufacturer but if you have a vehicle of a particular manufacturer and you find some exploit from the outside in, you can now apply it to another vehicle of that same manufacturer typically, you know, you know, as long as the year, make, model year are very similar, they probably have the same kind of vulnerability.
Vamosi: Robert and his team returned to DEF CON 29 This year in Las Vegas. This interview was actually recorded just before that event.
Leale: Tell him to go back in time and go to DEF CON, you know, for the most part we’re really excited. We’ve worked really hard on you know having a safe environment for, for our CTF and we hope that people join us. We were trying to make sure we still maintain social distance at our CTF and and in vehicles we’re trying to be as remote as possible so they don’t have to actually go and connect and sit in vehicles themselves. So we’re really working hard to make sure that that happens. And you know obviously every deaf construct.
Vamosi: The last time I was there I want to say it was 2019. It had a lot of different activities going on. For example, there were cars to hack, talks, and even a capture the flag event.
Leale: I’m just trying to get a general interest in the concept of hacking cars like the most part we like. We have a CTF. We started, year two of the Caribbean village we started a CTF and from that it was super successful. We had a lot of teams joining it’s a really great way to for people to just start into like car hacking so this year we’re gonna have to two individual CTF because we’re hybrid and so we wanted to make sure there was one virtual for, for, for people who couldn’t attend or just aren’t able to for various reasons, attend DEF CON in person. So we’ll have a virtual CTF. And we’ll also have an in person when we’re going to keep them a little bit separate because we want to we want to make it still fun in games for the people who are who are there in person, and that the thing is we give away prizes, and we can’t really some of the prizes are pretty big, they’re hard to mail so we can’t really give them away in any other way but in person anyway so we just figured, let’s just have an impersonal one.
Vamosi: So the goal is not necessarily to hack vehicles, and I mean, disable the vehicles with some sort of catastrophic new exploit, but rather to familiarize people with the general concepts of hacking.
Leale: So our goal here is to just you know have a general interest, meet it, make a community out of it, right, not necessarily. Not necessarily to to talk about exploits or really even get to that level because for the most part, like to get an exploit on a vehicle is a significant challenge right like any exploit in the world, doesn’t matter if it’s a car or a PC takes research and understanding, and so, you can’t have an exploiter can’t get into that field until you start understanding what a CANBus is or what attack surfaces are. And so that’s really our main goal is to just through gamification of CTF, and other events there, to have people interact with vehicle hardware that they might be afraid to do otherwise on their own vehicle.
Vamosi: Ah, there’s that. Do you hack your own vehicle, which has considerable value to you, or do you need to go out and buy a vehicle just for the purpose of hacking?
Leale: The number one thing that I like is the sort of restraint that they get for people when they want to get into car hacking as well. They may have a car but they don’t want to hack their own car, they like they’re afraid that they’re going to hurt their own car.
Vamosi: Okay, I feel there needs to be a disclaimer here to hack your own car at your own risk. I do not personally recommend this. There are tools that you can buy that can adequately emulate a car’s system.
Leale: I mean, I simply said, I get that, you know, especially when you’re new you don’t want to like hurt your own car, but you probably won’t like they don’t make these cars in such a way that they’re going to break, so quickly and so easily, you really have to intentionally do something to your car before it really, really stops working, and what’s great about like if you mess up your computer or some software on your computer, what do you do you turn it off and back on again. Well, the same thing happens with cars, you take the battery off to put the battery back on. They’re usually back to normal. In my, you know 10-11 years — oh man, even more than that, 2012 — 15 years now if like actually doing vehicle acts are a badge that have people interact with vehicles like hacking. I have only ever accidentally beta one vehicle network, and it was always a possibility when I was doing I do when I launched the attack legs like this is a possibility that that I could accidentally make this thing that work anymore and that was just happened once you know I mean so it wasn’t, it wasn’t the worst thing that ever happened.
Vamosi: So what are some of the other barriers to entry besides the fear of breaking your own car.
Leale: Well, I mean I would start with getting some, some relatively inexpensive hardware off the shelf hardware, there’s a bunch of really good tools out there, our, our friend Eric Evenchick makes something called a CANable; our friends over at Karamba makes something called safeCAN, and our friends at Intrepid Control Systems make ValueCAN. Actually our badge this year is going to be a really cool CANBus interface tool. I mean our badges are usually our CANBus interface tools at the village. So, you know, there’s a bunch of different relatively low cost tools. One of the other guys who runs the UK version of the Car Hacking Village has has solid CANBus tools, there’s a lot of, lot of people making cannabis tools now there are other networks there’s automotive Ethernet, which are badges have supported in the past and continue to give this year. There is LIN Bus which our badge again this year is going to support so there’s other network interfaces, but you know start there.
Vamosi: So is it possible for someone to just buy these tools or gain access to these tools, and then start playing around on their own.
Leale: I would also recommend the Car Hacker’s Handbook, I always do, by Craig Smith. And we have Hacking Connected Cars by Alyssa Kniight, those are really two good books to say they’re the only two that I’m aware of right now there probably are some other good books, there’s other good like engineering level books there’s a million other engineering level books that exist out there on, there’s one on automotive Ethernet, the same company that makes the ValueCAN makes the automotive engineering book called Automotive Control Systems. It’s available on Amazon, I think it’s like $100. It’s not cheap but it’s not, it’s not irreproachable. It’s a very big book. There’s a lot of learning material on vehicle network systems and other vehicles. Vehicle hacking. So, you know start with books,
Vamosi: And the car hacking village appears at other conferences as well.
Leale: We’re going to be at GrrCon again this year so that’s in Grand Rapids. I’m originally from Grand Rapids myself so it’s my local con. So, yeah, we’ll also be there. So I highly encourage everybody to join us. That will bring cars as well. It’s a big enough event that we can export cars. It’s not as big of a CTF, but it’s a lot of fun and it’s a great place to learn. Typically we’ll have like five or six events, you know, different conferences in the United States and then we have Ian Tabor who runs the Car Hacking Village UK so he’ll have some UK events, and potentially might dip down into the other parts of Europe. We have Jay Turla. He runs it in the Philippines, so we have a few different collaborators and runners, people who run the village in other places and we’re always looking for more so if you want to rent a car in your village, you know, let us know. We’ll give you some more information about some of the, like, our, like, what you can and can’t do, kind of like part of that but, you know, we’d love to have other people running villages, in other locations.
Vamosi:The Car Hacking Village has a website and it is kept up to date,
Leale: Not only are we online, like virtual this year we have our own discord, as well so you can go to car hacking village check command check it a link to our Discord and join that and ask a bunch of other car hackers, you know, how do I want to get started here. That’s probably the best.
Vamosi: I really want to thank Robert for being on the show. I learned a lot from him at BlackHat, and you can check out the car hacking village calm. To learn more about the activities at the car hacking village at DEF CON. And also check out CANBushack. com, which is Robert’s site, if you ever need to hire a car hacker. You know, you just might someday.
Hey, let’s keep this conversation going. I’d really like to know what your experiences have been with car hacking. The hacker mine is on subreddit, and he even has his own discord channel, go to the hacker mind.com/about. To learn more, or DM me directly @robertvamosi on Twitter.
The hacker mind is brought to you, commercial free every two weeks. Bye, for all secure
for the hacker mind, I’m your cannabis enabled, Robert.