Security by obscurity isn't really security at all, but it is often the type of “security” available in vehicles since the majority of security researchers and hackers have no access to connected car systems and no understanding of how they work. That’s about to change; last week at the Black Hat Asia security conference in Singapore, former Tesla intern and embedded systems developer Eric Evenchick released an open source toolkit that was designed to work with the Controller Area Network (CAN) bus that controls many functions in connected cars.
“Every new car has multiple CAN buses that let controllers communicate. This bus controls everything from the camshaft on your engine to your power seats,” Evenchick explained before presenting "Hopping on the CAN Bus." After his talk, he open-sourced the Python-based CANard; it supports his CANtact tool, an inexpensive device about the size of a credit card that can help researchers find security vulnerabilities in CAN systems.
CANtact is cross-platform, meaning it can be plugged into a Mac, Linux or Windows laptop via USB and then plugged into any CAN-enabled car via an OBD-II cable. Previous diagnostic tools were expensive and therefore not readily available. Researchers, hackers or the curious can buy CANtact for $59.95, or build their own thanks to the source code and hardware design files on GitHub. “Making diagnostics available for cheap means that we can not only audit the security of these systems, but also use them for their intended purpose: fixing cars,” Evenchick told Forbes.
Last month on 60 Minutes, Dan Kaufman from DARPA’s Information Innovation Office remotely hacked a car, taking control of several car functions including acceleration and braking. It’s not the first time research has proven that a car’s electronics can be remotely taken over, but do vehicle manufacturers know about more security flaws that are vulnerable to remote hacking? A lawsuit filed earlier this month alleged that cars are vulnerable to hackers who could take control of the vehicle and “Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems.” Attorney Marc Stanley said, "We shouldn't need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect."
Car manufacturers aren’t keen on telling the public what hacks are possible or letting security researchers probe for vulnerabilities, so the $60 device could serve as a security tool to help more researchers and hackers find flaws. “One of the big problems is access to vehicles,” Evenchick told Forbes. “Ford, let’s say, won’t let anyone with security skills in to hack it.” So far he’s “repeatedly” found weak authentication in vehicles’ diagnostic functions. “You have the ability to read and write data that you really shouldn’t.”
During his Black Hat presentation, Evenchick demonstrated several “real world vulnerabilities,” including “how to read and clear fault codes, crack diagnostics security, and fuzz controllers to take over vehicle operation.” His presentation slides (pdf) include examples of “easy” CAN bus attacks like denial of service (DoS) as well as injection. The image of maxed-out RPMs while going 0 MPH followed his injection example.
It’s important to point out that CANtact only works if a person has physical access to a car, but it might help researchers find holes that could be exploited remotely.
“The CANard library provides tools for rapid development of scripts that interface with CAN bus systems. Since CANard performs hardware abstraction for the CAN bus interface, scripts can be used on different platforms using a variety of CAN bus interfaces,” stated his whitepaper (pdf). Evenchick put his source code and hardware design files on GitHub. “The open source nature of this tool means that anyone can add support for a CAN interface. CANard is able to communicate with controllers that use the Unified Diagnostic Services standard. This provides a variety of access to the controller, which provides an attack surface in cars.”
He hopes “the code will become a collection of different hackers’ techniques that target individual vehicle makes and models.” In the long run, finding flaws and pushing for fixes could make connected vehicles safer for everyone.
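For anyone auditing the diagnostic traffic described above, the following added example (not from the article, the whitepaper or the CANard code base) scans a bus log for Unified Diagnostic Services requests that clear fault codes, request security unlock or write data, and counts rejected unlock attempts. It assumes the candump log line format, the standard 11-bit OBD-II diagnostic IDs (0x7DF and 0x7E0 to 0x7EF) and single-frame ISO-TP messages; the sample log is constructed.

```python
import re

# UDS (ISO 14229) request service IDs for the diagnostics the article names.
UDS_SERVICES = {0x10: "DiagnosticSessionControl", 0x14: "ClearDiagnosticInformation",
                0x19: "ReadDTCInformation", 0x22: "ReadDataByIdentifier",
                0x27: "SecurityAccess", 0x2E: "WriteDataByIdentifier"}
SENSITIVE = {0x14, 0x27, 0x2E}               # clears, unlocks or writes controller state
REQUEST_IDS = {0x7DF, *range(0x7E0, 0x7E8)}  # assumption: 11-bit OBD-II tester IDs
RESPONSE_IDS = set(range(0x7E8, 0x7F0))      # assumption: matching ECU response IDs
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3})#((?:[0-9A-Fa-f]{2})*)$")

# Constructed sample in candump log format; not a capture from a real vehicle.
SAMPLE_LOG = """\
(1000.000000) can0 7E0#0210030000000000
(1000.050000) can0 7E8#065003003201F400
(1000.100000) can0 7E0#0227010000000000
(1000.150000) can0 7E8#0467011A2B000000
(1000.200000) can0 7E0#0427021A2B000000
(1000.250000) can0 7E8#037F273500000000
(1000.300000) can0 7E0#0319020800000000
(1000.350000) can0 7E0#0414FFFFFF000000
(1000.400000) can0 1A0#00112233
"""

def single_frames(log_text):
    """Yield (timestamp, can_id, payload) for each ISO-TP single frame in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        data = bytes.fromhex(m[3])
        # First byte is the ISO-TP PCI: high nibble 0 = single frame, low nibble = length.
        if data and data[0] >> 4 == 0 and 1 <= (data[0] & 0x0F) <= len(data) - 1:
            yield float(m[1]), int(m[2], 16), data[1:1 + (data[0] & 0x0F)]

def sensitive_requests(log_text):
    """Return (timestamp, can_id, service name) for sensitive UDS requests on the bus."""
    return [(ts, cid, UDS_SERVICES[p[0]]) for ts, cid, p in single_frames(log_text)
            if cid in REQUEST_IDS and p[0] in SENSITIVE]

def rejected_security_access(log_text):
    """Count negative responses (0x7F) to SecurityAccess, a sign of key guessing."""
    return sum(1 for _, cid, p in single_frames(log_text)
               if cid in RESPONSE_IDS and len(p) >= 3 and p[0] == 0x7F and p[1] == 0x27)

if __name__ == "__main__":
    for ts, cid, name in sensitive_requests(SAMPLE_LOG):
        print(f"{ts:.3f} 0x{cid:03X} {name}")
    print("rejected SecurityAccess:", rejected_security_access(SAMPLE_LOG))
```

Multi-frame ISO-TP transfers and 29-bit identifiers are outside what this block parses, so a real audit would add reassembly before drawing conclusions from the counts.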