
Car Hacking Beginners Guide : Tools and Tutorial

Hello readers. In this tutorial, I will explain more about car hacking, what is possible, and the tools that can be used for hacking a car.

In this tutorial, I will go through:

  • Electronic Control Unit (ECU)
  • The Interconnected Car
  • The CAN Bus Architecture
  • CAN Data packet Structure
  • How insecure is CAN bus
  • Securing the automobile
  • Tools that can be used in Car Hacking

 

Modern automobiles are monitored and controlled by several computers, sensors and other components, which are connected together by internal vehicular networks. This transformation increased efficiency, safety and performance, but it also introduced some modern-day threats. At the Black Hat security conference, automotive cybersecurity researchers Charlie Miller and Chris Valasek presented their car hacking research, including their hack of a 2014 model Jeep Cherokee. Charlie and Chris hacked into the Jeep Cherokee by carefully exploiting its CAN Bus architecture, and managed to control its braking, acceleration and more. So how did they manage to do it?

 

Electronic Control Unit (ECU)

 

An ECU can be considered the computer of the car. It controls one or more electrical systems, for example the different sensors of a car. There are multiple ECUs inside a car; a modern-day car has more than 50 ECUs to control its systems. The key elements of an ECU are the core, memory, inputs and outputs:

  • Core: a microcontroller
  • Memory: SRAM, Flash
  • Inputs: supply, digital inputs, analog inputs
  • Outputs: relay drivers, H-bridge drivers, injector drivers, logic outputs

 

The Interconnected Car

 

This image explains how interconnected a modern-day vehicle is. As you can see from the image, this car is powered by a lot of electronic components that are networked together.

 

What is CAN Bus?

CAN Bus is a single centralized network bus that carries everything from operator commands to sensor readings. It is a vehicle bus standard designed to allow electronic control units and devices to communicate with each other without a host computer. CAN Bus is a message-based protocol.

In CAN Bus:

  • Any node is allowed to broadcast a message
  • Each message contains an ID that identifies the source or content of the message
  • Each receiver decides whether to process or ignore each message

With and Without CAN

 

 

 

 

 

 

CAN Bus Data Packet Structure

 

 
As shown in the image, a CAN Bus message has the following parts:

  1. SF – Start Field, which indicates the start of a message
  2. Message Identifier – defines the origin of the message and its priority
  3. Control – also known as the check field; it lets the receiver identify whether the message is complete or not
  4. Data – contains the data that is to be transferred
  5. CRC – used to detect transfer faults
  6. ACK – Acknowledge field, where the receiver acknowledges that the data was received
  7. EF – End Field, which marks the end of the message
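The field layout above for a classical CAN data frame with an 11-bit identifier, as an added example (not code from the original post). The identifier and data values are constructed, and the RTR bit and the IDE/r0 bits inside Control are details of the standard that the list above folds into neighbouring fields. Note what the frame does not contain: no field authenticates the sender, and any node can recompute the CRC, so it only catches transfer faults.

```python
CRC15_POLY = 0x4599  # generator polynomial of the classical CAN CRC-15

def to_bits(value, width):
    """Big-endian list of bits for an integer field."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]

def crc15(bits):
    """CRC-15 as used by classical CAN: zero initial value, no final XOR."""
    crc = 0
    for bit in bits:
        feedback = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if feedback:
            crc ^= CRC15_POLY
    return crc

def build_frame(can_id, data):
    """Ordered list of (field name, bits) for a data frame, before bit stuffing."""
    if not 0 <= can_id < 0x800 or len(data) > 8:
        raise ValueError("need an 11-bit ID and at most 8 data bytes")
    fields = [
        ("SF", [0]),                                  # dominant start bit
        ("Identifier", to_bits(can_id, 11)),          # lower value wins arbitration
        ("RTR", [0]),                                 # 0 = data frame
        ("Control", [0, 0] + to_bits(len(data), 4)),  # IDE, r0, 4-bit data length
        ("Data", [b for byte in data for b in to_bits(byte, 8)]),
    ]
    covered = [b for _, bits in fields for b in bits]
    fields += [
        ("CRC", to_bits(crc15(covered), 15) + [1]),   # checksum + delimiter
        ("ACK", [1, 1]),                              # slot (receivers overwrite) + delimiter
        ("EF", [1] * 7),                              # seven recessive bits
    ]
    return fields

def crc_ok(fields):
    """Receiver-side check: CRC over SF..Data followed by the CRC bits must be 0."""
    covered = [b for _, bits in fields[:5] for b in bits]
    return crc15(covered + fields[5][1][:15]) == 0

if __name__ == "__main__":
    frame = build_frame(0x244, bytes([0x00, 0x1F, 0x40]))  # constructed values
    for name, bits in frame:
        print(f"{name:<10} {len(bits):>2} bits  {''.join(map(str, bits))}")
    print("CRC valid:", crc_ok(frame))
```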

 

CAN Bus Security Issues

 

  • 30-year old architecture
  • Lack of Segmentation and Boundary Defense
  • Lack of Device Authentication
  • Unencrypted Traffic
  • Fragility to DoS

 

Capturing, Analysing and Modifying CAN Bus Message to Hack a Car!

 

If we want to take control of the car, we need to be a part of the CAN Bus network. There are different ways to do that:

  1. Connect our device to the diagnostic port (devices like the Macchina M2 are very small, smaller than a pen drive, and can be used to capture and reverse engineer the data packets)
  2. Push a malicious software update containing our backdoor to the entertainment system
  3. If there is an option to connect to the car, say through WiFi, establish a connection with it and sniff the data packets

 

Macchina M2


The Macchina M2 is a hardware device that can be used to capture CAN Bus data, modify it and send it back to the car network.

 

You need to buy the Macchina M2 hardware from https://www.macchina.cc/

You can download the software from GitHub.

 

 

 

 

 

Steps To Follow!

  1. Connect the hardware to the onboard diagnostic port and connect the device to our computer via WiFi
  2. Open the given software

The GUI will look like this!

Messages from each component are shown under a particular ID, and we can program our device to broadcast a particular message to the CAN Bus. First, we need to identify which component is mapped to a particular ID. That can be done by observing the changes while applying and releasing the brake. Once we identify that particular message, we clone it using the tool and program our device to continuously broadcast that particular message to the CAN Bus, thereby taking control of the braking system.
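From the defender's side, a cloned message that is broadcast continuously shows up as a jump in how often that ID appears, assuming the legitimate ECU keeps sending at its usual period. The following added example (not part of the original post or of any tool named here) learns a per-ID baseline from a known-good stretch of a capture and flags windows where the rate jumps or an unseen ID appears; the candump-style log lines, IDs and thresholds are constructed.

```python
import re
from collections import defaultdict

# candump -l style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse(lines):
    """Return [(timestamp, can_id, data_hex)] from candump-style log lines."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            out.append((float(m.group(1)), int(m.group(2), 16), m.group(3).upper()))
    return out

def rates(frames, start, end):
    """Frames per second for each ID with a timestamp in [start, end)."""
    counts = defaultdict(int)
    for ts, can_id, _ in frames:
        if start <= ts < end:
            counts[can_id] += 1
    return {cid: n / (end - start) for cid, n in counts.items()}

def detect(frames, baseline_end, window=1.0, factor=1.5):
    """Alerts as (window_start, can_id, rate, expected_rate or None)."""
    first = min(f[0] for f in frames)
    last = max(f[0] for f in frames)
    expected = rates(frames, first, baseline_end)  # learned from a known-good period
    alerts, start = [], baseline_end
    while start <= last:
        for cid, rate in sorted(rates(frames, start, start + window).items()):
            base = expected.get(cid)
            if base is None or rate > factor * base:  # unseen ID, or rate jump
                alerts.append((start, cid, rate, base))
        start += window
    return alerts

def sample_log(inject=True):
    """Constructed capture, 4 s long: 0x244 every 100 ms and 0x3E9 every 500 ms;
    with inject=True a second sender adds 0x244 every 20 ms from t = 2 s."""
    rows = [(ms, "244#001F40") for ms in range(0, 4000, 100)]
    rows += [(ms, "3E9#01") for ms in range(0, 4000, 500)]
    if inject:
        rows += [(ms, "244#00FF40") for ms in range(2000, 4000, 20)]
    return [f"({1000 + ms / 1000:.6f}) can0 {frame}" for ms, frame in sorted(rows)]

if __name__ == "__main__":
    for start, cid, rate, base in detect(parse(sample_log()), baseline_end=1002.0):
        print(f"t={start:.0f}s id=0x{cid:03X} rate={rate:.0f}/s expected={base}/s")
```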

 

Securing The Automobile

Automobiles can be secured by:

  • Encryption
  • Device Authorization
  • Security by Design

 

Other Tools!

  • CANoodler

Download it from: https://github.com/newaetech/CANoodler

 

 

  • CANToolz

Can be used to sniff messages from the CAN Bus.

Download it from GitHub

 

 

To be continued …..

 
