Embedded - 149: Flamethrowers Aside
Episode Date: April 27, 2016
Craig Smith (@OpenGarages) spoke with us about hacking the software in cars. His book is the Car Hacker's Handbook. There is a 40% off coupon toward the end of the show. OpenGarages is Craig's site to improve and encourage hacking. Some tools he recommends for getting started are USB2CAN and CANTact. An older (shorter) version of the handbook is on OpenGarages. I Am The Cavalry (iamthecavalry.org) is an excellent site for learning more about security. CERT.org is also good. Theia Labs is Craig's company.
Transcript
Welcome to Embedded. I am Elysia White here with Christopher White. Have you ever wanted to hack
your car, soup it up to go faster, protect it against manufacturer's security flaws?
Have you considered writing your own auto drive system? Craig Smith, author of The Car Hacker's Handbook, is joining us today
so we can answer all these questions and more. Before that, the Planet Labs contest winners are
Dave and Jonathan. You'll be receiving t-shirts and coasters and a copy of my book,
which I believe, Jonathan, you have. This isn't your first contest, is it? Anyway,
thank you for playing, and thank you to Planet for giving things away to our listeners.
Oh, hi, Craig. Nice to talk to you today.
Hey, how's it going?
It's been better.
I don't think Chris is going to be talking much given his cold, but that may be the last we kinds of things.
And what do you do with your day job?
The one that pays the bills is a security researcher.
So I do a lot of penetration testing.
It used to be primarily
banking industry, healthcare, those kinds of things. In the last five years or so,
I've moved more into hardware and automotive technology.
So I'm going to ask you some questions and I want short answers. We then will try not to ask you for
more details and sometimes fail.
So let's see how this goes.
Hacking, making,
engineering, or tinkering?
You want me to pick one of those?
Yes.
I think they're all the same, but I
use the term hacking.
Kit or General Lee?
Kit.
What was your first car?
It was a Chevy Cavalier.
What kind of car do you most want now?
Self-driving.
Just self-driving. Just self-driving?
Uh, I don't have a preferred brand.
I'm not even sure I want to buy an off-the-shelf one, but I definitely want to start playing more with self-driving.
Should we bring back the dinosaurs?
Maybe for gas.
When you were young, what did you want to be when you grew up?
Uh, originally I wanted to be an artist, and then I realized that there's a reason they call them starving artists, so I went into computers.
Yeah. Favorite processor of all time?
Uh, all time... I started with the 8088. Still a big fan of assembly, so... I don't know.
We'll just go with that one.
Cool.
Okay, so now what is a day like for you?
What is a work day like?
A little chaotic since I run my own business.
Typically involves spending a decent amount of time answering emails,
going through my lab.
I'll have different things on my workbench at the time. I've also
started a game development company at night to, I guess, eat up the remaining free hours I have.
So you founded OpenGarages. And what is that?
So it's really just this distributed collaborative group.
I found that a lot of performance tuners and whatnot would share things on little forums here and there, but not quite at the volume that, say, security researchers do and that we're a little more outspoken about things.
Mainly because we don't have a product we're selling or anything that we're too concerned with when it comes to being
sued.
And so I saw this lack of communication and collaboration that was happening at a more
public scale.
And so I created OpenGarages just as a way for people to set up a community in their area,
kind of get together like once a month and collaborate.
So mechanics need
more help with reverse engineering, or somebody like myself needs to know how certain pieces of
the car work and why. It's great to get those different professions together.
So the audience are engineers, computer engineers, hackers, and mechanics, primarily?
Primarily. Here in Seattle, we also have
maybe another group as well. We have a large Burning Man group here. So there are modifications
to involve things like adding flamethrowers. So it's a little bit different, but that's the
artist side, I guess.
Okay. So flamethrowers aside, interesting as they are, why do people hack their cars?
It varies.
I think it starts with customization.
For most people, a lot of people like to customize the things they own.
Cars, people have a lot of affinity towards.
Some people name their cars.
And then it kind of evolves into sometimes performance-related stuff.
Maybe you want to race it.
Maybe you just want different capabilities that weren't there before
Or if you're, like me, a security researcher, you want to know how things work. You want to know,
is there any additional risk to it? Are there ways to improve the system?
So how do people get started?
Well, I mean, it's not too difficult.
I assume you can get a hold of a vehicle.
The devices, if you were to buy one that's off the shelf,
it's usually about 60 bucks for a decent one.
You could potentially use like a cheap one.
There's these ELM 327.
They're very common on eBay for like $12.
They'll kind of get you started.
I don't recommend them because you hit a wall pretty quickly.
I recommend things like the USB2CAN or the CANTact.
They're good enough devices you can do raw bus communication with.
And I wouldn't recommend doing this on what you drive, of course,
but you could plug it into a vehicle that's on
and get started with that with, you know,
no real risk really to the vehicle or yourself. If you want to go further and actually test things
that maybe you eventually want to like do simulations on the road, I recommend building
a test bench, which is basically just the components from a junkyard put together,
typically the components you want to do an assessment on and then you just connect
to that and do testing in a bench environment instead of an actual moving vehicle.
Okay, so there's so many questions now that I have from all of that. You said devices, and I think this is an
OBD dongle. This is the thing that the mechanic usually plugs in, and it sniffs the CAN bus and can pop up the diagnostics that my dealer might give me to say, I don't know, I have a flamethrower installed or something along those lines.
Is that right?
Yeah, that's the typical way of plugging in.
So you have this generic OBD connector and it's primarily invented for EPA and emissions testing.
And so there's a couple of wires that are standardized, one being CAN bus.
Those are always in the same spot.
You get 12 volts out of it.
That's always there.
And your ground's always there.
There's other wires to it, and different manufacturers can use them for different things.
They're almost always different bus networks in the vehicle.
So as you progress in your learning, you'll start out with a basic dongle, most likely,
and you'll just plug into this OBD connector to talk on the high-speed CAN bus.
But you may want to get to other signals that are on different buses.
And that's kind of where your learning will go after that. You can even use T-tap connectors or any kind of wire splicing to go directly into a bus if you want to bypass the OBD altogether.
Okay, so one of the buses that might be interesting is the CAN bus, which I mentioned.
Could you explain for people who don't know what that is, what it is?
Sure.
So the CAN bus is a pretty popular bus network. It's probably the easiest
to get started with. And it's just a two-wire system, uses differential signaling. I don't
know how technically you want to get with that, but it's not really that complicated. It usually
goes about 500 kilobits, I think. It's your 500k baud kind of communication speeds. It's a very simple
packet: it has eight bytes for its data and an ID, so it doesn't have, like, a source or destination
or anything. So if you're not very familiar with networking, or if you are really familiar with
it, it's going to be a very easy one to get started with. And I think also because it's standardized on the OBD connector,
all of your sniffers you may want to buy
will at the very least talk to that one.
And so it's a great one to kind of get started with.
I think that's why you see the most attention
to CAN bus as opposed to the other buses.
It's RS-232, like, except that it's got the addresses
and so there can be multiple nodes.
And it's a different voltage, I think.
It's a higher voltage.
Well, the CAN bus is at 2.5 volts,
and the CAN high goes up a volt, and the CAN low goes down a volt.
Okay, so it's differential. Cool.
Mm-hmm.
Okay, so that's sort of CAN bus.
And the reason it's interesting in cars is because it's got all of those addresses. And so you can have your infotainment system, you can have your right rear blinker light if it's intelligent enough, and you can have your...
Well, they're not always on CAN bus, and then it just kind of varies.
The main goal of that is really to reduce your wiring.
So if you have every component talking to every other component,
it's just a lot of wires, which is more cost and more weight.
And so, you know, by putting a bus line that goes throughout your car,
everybody can just kind of tap into that.
It just cuts down a lot of those things.
So you're going to have some type of bus no matter what, and I think as CAN becomes cheaper and a
little more common, we're seeing a lot more things just thrown on the CAN bus. So you can really find
just about anything on there. Definitely, like you mentioned, the infotainment units, your nav
systems, your ECU, but the whole powertrain will also sometimes be on CAN bus.
You can have very generic things such as your windshield
wipers and headlights can also be on CAN bus. It can really just be anywhere. It's kind of up to
the manufacturer what they put onto it. There's no standard as to what they have to put on CAN bus
and what it needs to do other than basic diagnostics. And so with everything passing
by on this bus, it isn't really very secure either, is it?
No, there really isn't any kind of, from a bus perspective, any kind of thought of being in a non-protected environment.
CAN bus is used a lot in manufacturing for robots as well.
So it's just this kind of quick communication.
It's very reliable from dealing with static and that kind of stuff with the differential signaling.
But it has no other concept of security, like say spoofing.
There's no source and destination.
You just have an ID.
And that ID is kind of like a category ID.
So if you have number one, two, three, that could represent all things related to the door locks.
But it's up to the engineer to just kind of pick those things.
There's no way to say who put that on the bus.
I mean, was it the door lock?
Was it somebody else?
Your dongle?
There's no way to determine where that came from.
So the dongle can not only read everybody else's messages, it can generate messages to give instructions.
Yes.
And any compromised device on the bus would be able to do the same.
So if somebody were to compromise, say, the telematics unit
or the IVI nav system, they could also read and transmit on the bus.
I think in your book you mention that the infotainment system
is often Bluetooth hackable,
and so you can get to the bus from outside the car.
Is that right?
Yeah, the infotainment center has... yeah, sure.
They have the most kind of like attack surface is what we like to call it.
So the more input you have into something, your greater attack surface.
And so the infotainment or the IVI system, same thing, just abbreviated, tends to have a lot of features.
And a lot of them tend to be wireless.
So they'll oftentimes have cellular in it.
The telematics will be built into it.
They'll have Bluetooth.
They'll have things like sometimes
in their own access point.
You have digital radio that goes into it.
So these are all...
Yeah, USB is more of a physical than wireless,
but that's another input.
Same for CDs, like the map update
CDs. My first hack on an IVI, I used the map update CD. That was how I got code execution on it.
Okay, so you're saying that from outside a car, using BLE or Wi-Fi or any of a number of things,
you can turn my engine off. I mean, I've seen this
in TV shows and movies, but is it that easy?
Well, I mean, it requires research. And so
what happens, say, if you want to go through Bluetooth, what you're really looking for isn't
just to connect on Bluetooth. You're looking for basically the manufacturer to have an old Bluetooth stack,
which isn't all that uncommon.
You know, that radio was made at some point in time.
It probably doesn't have any kind of update mechanism
in it half the time.
And a lot of times the Bluetooth drivers
that came with the OS aren't restricted.
So you have a lot of different ones
that maybe the engineers didn't realize you would
even try, not even looking through the list of drivers that could be there. So you can find
these older drivers for some arcane system. And then if you have a vulnerability for it,
which would be just a standard one you'd find through Metasploit, you would then get code
execution. So if that radio is then attached to a bus, which oftentimes they are, you could, yes, then start
controlling the vehicle.
It keeps stopping at code execution. Why? I mean, okay, so yes, once I can
run my code on my IVI, my infotainment unit, I suppose I get a lot more control of everything.
But what do you do after that?
Well, it's up to you.
Because that's why I typically call that the end game.
Like when you're running your own code on a vehicle,
an attacker's code, you have a lot of control. So if you wanted to spoof different devices on a vehicle, you could.
I mean, you kind of have to be like a sociopath or something
if you want to actually try and kill somebody.
But I guess there is groups of people who'd want to do that, I suppose.
But I would say most attackers would be going for some of the data harvesting
and stuff that happens with an IVI system.
So it's collecting your GPS.
You can turn the mic on in the car.
If they've connected and uploaded their contacts,
you have all that information.
Those kinds of things tend to be more valuable than causing damage.
But I guess it just depends on the motive of the attacker themselves.
But when you have code execution, it's kind of up to you
what you want to do at that stage.
That's why, typically, that's kind of the end game part of the conversation.
Once something's running on there, it's kind of done.
From what you're saying and some from your book, there's a lot of adversarial language,
attack surfaces, breaking the vehicle, weaponizing CAN findings. Is this a byproduct of security
language or representation of how car hacking exists in the world today?
No, that's very much just the way I speak.
I come from a security background and a lot of the focus of the book was kind of teaching how to either secure your automotive device or to assess your automotive device. So I, you know,
I walked through that process using security terminology. Car hacking though, isn't
traditionally that way. You're not usually weaponizing findings. You may find vulnerabilities
in back doors, and it's typically to change the performance or something of your ECU.
Now, as security gets more,
let's just say better implemented into ECU,
say we start using actual cryptography,
we're going to get closer to how you have to root
or jailbreak a cell phone.
You'll have to do that with your car.
And so if they don't offer normal tinkering methods,
then all the performance tuners, all the third-party people making stuff are going to have to look at the jailbreaking route.
And so you're going to start seeing that used more in a normal mechanic performance tuner space than you see now.
But right now, that terminology is pretty much just security people.
So you're talking about jailbreaking, hacking, voiding your warranty versus tinkering that is okay with the manufacturer of the car.
Are these really separate?
Are there any manufacturers that allow you to play?
So this gets really, really kind of a gray area. So the way the ECU and stuff works, you have a lot
of parameters and stuff that you can change, and as long as you're not violating EPA standards,
you're not really breaking the law. Now, you may be violating a warranty; it just depends. And then
what part of the warranty also depends: is it the entire engine? Is it just that component?
But if you change, in my opinion, if you change the entire firmware, you pretty much voided the warranty.
And I think that's fair.
Now, is it allowed?
I mean, you are.
I mean, it's required. Like if you are a dealer and you have to make changes to a car, you have to modify the firmware.
So for right to repair, you have to do it.
Also, most manufacturers sell even non-street-legal components for their vehicle, you know, for
privatized racing. You're just not supposed to use them on the street. So, you know,
it's not that they don't want you to tinker; it's just they don't want to be liable for your tinkering.
Well, that seems fair. If you change your oxygen-fuel mixture to the point where your car blows up, that's sort
of on you.
I fully agree.
But we're such a litigious society, and I can see how the car manufacturers would just want to close it down.
Yeah, and I think that's because we're so litigious, especially with auto manufacturers, which is kind of why
we get so much pushback in an area that normally we wouldn't. One example that really surprised
me is when we first started pointing out that, you know, security-related vulnerabilities apply to vehicles.
One of the things we pointed out was, hey, we really need a method for independent researchers to communicate with the dealer, not the dealer, but the manufacturer on findings, you know,
like, can you put an email address?
Like, hey, all security related stuff, please send it here because I can't call customer
support and say, I found this Bluetooth exploit, you know, that they're not going to get it's not going to go anywhere. So we're like, hey, just just put something
because your security team and legal was shut that down. And they shut it down because they're
afraid if you were to tell them something that maybe they can't fix or choose not to fix or
whatever. Now they know about the problem. And if it's better for them, it's just not to know about
the problem, which is crazy thinking from a normal security perspective. It like blew my mind that that was
the typical response. When you ask for just an email address, it'll let you know there's a
problem with your product. Yeah, they're very much a cease and desist kind of group, although
they've gotten better in the last, say, year and a half, I've seen major improvements. But when I
first started this, like three to four years ago, you couldn't get anywhere. It was really difficult.
What do you think caused the improvements?
A lot of it's knowledge, you know, kind of beating the drum, making things more exposed.
You know, it started out kind of small and people giving talks on things. And I think there was,
you know, a lot of these groups had security company,
or not companies, but security departments
that, you know, were paying attention.
You know, they were seeing these security conferences
and people talking about, hey, you know,
we think there's this bigger problem with vehicles.
But they didn't really have a whole lot of voice
inside the company.
I would say, like, you know, to a large degree,
you know, agree with them or not when you have like Charlie Miller and Chris
Valasek publicly owning a car on a public road
that caused a lot of controversy and discussion.
And you had board members cutting through the airport and seeing their car up
on the news. And that kind of changed a lot of discussion.
So then the security teams finally got some voice,
you know, they got some funding to kind of try and fix things. And so it's, it's a good thing.
It's just taken a bit, because they're from a traditional, you know, arena. So the reason
they're like mechanical engineers, you know, that's all the auto manufacturers were. And then
they kind of went to electrical engineers, all discrete chips and whatnot. But as we get, you know, more firmware and more OS-based stuff, even AI systems in vehicles,
these companies are transitioning to software companies, and I think a lot of them just haven't
realized they're already a software company, and so they have to kind of evolve another time.
Yes, but they are from the background of... well, they're from the background of cars can hurt people, and not just the people who are repairing them and not just the people who are driving them, but they can hurt more people. A very safety-oriented frame of mind. And there are car standards for software
to make sure that you don't do things like what Toyota did
with the braking.
And the goal is to make it really safe,
but then when you hack it,
you're not only endangering your car,
which you bought that fine, I have no problem with that,
but also the drivability on a public roadway. How do you balance those?
Well, I think you've always been able to tinker and modify a vehicle and drive it on a public
roadway. Hacking another vehicle is definitely a bad thing. Um, like a malicious hacker, you know, um, if you don't
have access to it, you shouldn't be doing that for sure. Um, the, you know, I don't think there's
anything wrong with making modifications. I think that's actually what causes innovation. Um, you
need to be able to do that. Uh, if you don't do that and you say only the manufacturers can make
modifications, that's, that's going to set a really
bad precedent in that you're basically saying that, okay, because we have lots of money in a
big company, we can make something. Whatever we give you, you're just going to like it. And that's
it. You can't make any modifications to it. You can't make any improvements on it. If you think
you can build your own better self-driving system, too bad. You're not GM.
You're not Bosch. You're not these larger companies. And that's going to really hurt the industry.
I agree. I mean, tinkering is an important thing to do. And yet I am a little squeamish about cars
because I just can't imagine all the things that can go wrong, but I can usually do that
whether it's cars or not. How do we convince the manufacturers? Is there a group that lobbies to
let them know that their whole attitude of we don't even want to know about security is stupid?
There are some groups, you know, there's some like I Am The Cavalry,
which is an outreach group.
They're not lobbyists, but, you know, they make a very, well,
a decent effort to have a kind of an outreach between security researchers
and traditional companies.
And this isn't just automotive, they do medical devices and stuff like that as well.
And it's to kind of bridge this gap.
So we don't go back
to the same process.
I mean, as you're now realizing
you're a software company,
we don't want you to have
to relearn everything
that software companies have learned
in the last 10 to 15 years.
You know, don't just say,
okay, we'll put a firewall in
and then everything will be secure.
You know, we thought that
10, 15 years ago on the internet,
it didn't do anything.
So, you know, we're trying to give you the lessons learned.
And also the I Am The Cavalry group, you know,
works with security researchers to kind of let them know like, Hey,
this isn't Facebook. This isn't Google.
You can't shame them into fixing it by Friday.
It just doesn't work that way.
So you have to go about it a different way.
And so it's a nice little
glue aspect of things. There's a couple lobbying alliances, but they're more like, I think
there's a repair alliance and there's a farmer alliance, and they do some lobbying, and they fall
into the tinkering and modification piece. But there's not nearly as many or as large as the
automotive lobbyists, so there's always that kind of uphill battle.
So getting away from the politics and back to the technology, I had some questions about how do I really do this?
I mean, it starts with CAN for me, probably, or maybe Bluetooth if I think I can get to there.
If I walk up to a modern car in a parking lot and give the taillight a whack,
does that mean I expose the CAN body control bus?
Can I hook up my, I don't know, Discovery board that has CAN on it
and just pop the locks and take the car?
I mean, except for the illegality of
the last part.
Yeah, illegality aside.
Yeah, that is definitely a thing that can be done.
It requires, of course, that the CAN bus be running by the taillight. And you know which
signal to send to unlock the car door and assuming that also the door locks are on that same bus.
But if all those things apply, yes, that works. And that has been known to happen before.
You could use the STM32 discovery board.
That works fine.
You'll have to add a transceiver to it,
but that's like a couple bucks.
But no, that would work.
I wouldn't start there,
but it is definitely a proof of concept
of a goal you could go for.
I would start with a basic CAN sniffer, like a $60 one,
plugged into the OBD port under your steering column.
And first just learn what CAN packets look like,
how to identify your target ones.
So maybe you're looking for door locks.
So how do you look at the stream of data
and then find out which ID in the string, which byte is actually controlling that lock?
So that's the first thing you should be working on.
And once you kind of get that down, in the book, we kind of call it the payload.
I mean, you haven't really hacked anything yet.
You're just understanding how the car works.
And so that payload could be played over a taillight or whatever.
And then also the doors will unlock for that car.
But that's where I would start.
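The frame layout Craig describes earlier (an ID plus up to eight data bytes, with no source or destination field) and the "watch the stream, find which ID and which byte changes" step he recommends starting with, as an added Python example that is not part of the original episode or of the Car Hacker's Handbook. The candump-style text format is assumed as the input form; the log lines, IDs and byte meanings are constructed for this example.

```python
"""CAN frames as described above: an ID and 0..8 data bytes, nothing else.

The candump-style log, the IDs and the byte meanings below are constructed
for this example; they do not come from any real vehicle.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# candump text format, e.g. "can0  1A3   [8]  00 01 00 00 00 00 00 00"
_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})\s+"
    r"\[(?P<dlc>[0-8])\]\s*(?P<data>(?:[0-9A-Fa-f]{2}\s*)*)$"
)


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN frame: an arbitration ID and up to eight data bytes.

    There is no source or destination field because the protocol has none:
    the ID is a message category chosen by the vehicle's engineers, and any
    node on the bus (a door module, a telematics unit, a dongle) can emit a
    frame carrying any ID. Nothing in the frame says who sent it.
    """

    arbitration_id: int
    data: bytes

    @property
    def extended(self) -> bool:
        """True for a 29-bit (extended) ID, False for an 11-bit (standard) ID."""
        return self.arbitration_id > 0x7FF


def parse_candump_line(line: str) -> CanFrame:
    """Parse one candump-style text line, rejecting malformed frames."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    id_hex = m.group("id")
    arbitration_id = int(id_hex, 16)
    if len(id_hex) == 3 and arbitration_id > 0x7FF:
        raise ValueError(f"standard ID exceeds 11 bits: {id_hex}")
    if len(id_hex) == 8 and arbitration_id > 0x1FFFFFFF:
        raise ValueError(f"extended ID exceeds 29 bits: {id_hex}")
    data = bytes.fromhex(m.group("data").replace(" ", ""))
    if len(data) != int(m.group("dlc")):
        raise ValueError(f"DLC {m.group('dlc')} does not match {len(data)} data bytes")
    return CanFrame(arbitration_id, data)


def parse_candump(text: str) -> list[CanFrame]:
    """Parse a whole candump-style log, skipping blank lines."""
    return [parse_candump_line(ln) for ln in text.splitlines() if ln.strip()]


def frame_counts(frames: list[CanFrame]) -> dict[int, int]:
    """How many frames were seen per arbitration ID."""
    counts: dict[int, int] = defaultdict(int)
    for f in frames:
        counts[f.arbitration_id] += 1
    return dict(counts)


def changing_bytes_by_id(frames: list[CanFrame]) -> dict[int, set[int]]:
    """For each ID, the byte offsets whose value changed across the log.

    This is the first step Craig describes: watch the stream while something
    happens on the bench and see which IDs and bytes vary at all. IDs whose
    payload never changes map to an empty set.
    """
    first: dict[int, bytes] = {}
    changed: dict[int, set[int]] = defaultdict(set)
    for f in frames:
        baseline = first.setdefault(f.arbitration_id, f.data)
        for offset, (a, b) in enumerate(zip(baseline, f.data)):
            if a != b:
                changed[f.arbitration_id].add(offset)
    return {cid: set(changed[cid]) for cid in first}


# Constructed sample log (not a real capture): ID 0x1A3 flips byte 1, ID 0x2C1
# changes byte 3, and ID 0x3F0 is static throughout.
SAMPLE_LOG = """\
can0  1A3   [8]  00 00 00 00 00 00 00 00
can0  2C1   [4]  10 22 00 7F
can0  3F0   [2]  AA 55
can0  1A3   [8]  00 00 00 00 00 00 00 00
can0  2C1   [4]  10 22 00 7F
can0  1A3   [8]  00 01 00 00 00 00 00 00
can0  2C1   [4]  10 22 00 80
can0  3F0   [2]  AA 55
can0  1A3   [8]  00 01 00 00 00 00 00 00
"""


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    counts = frame_counts(frames)
    for cid, offsets in sorted(changing_bytes_by_id(frames).items()):
        print(f"ID 0x{cid:03X}: {counts[cid]} frames, changing byte offsets {sorted(offsets)}")
```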
So we do have some listeners who work on these things
and work on other CAN bus systems.
Given that it's broadcast
and you just need to attach to listen and inject packets,
can you suggest some security practices
for things that are important not to change
that are still compatible with the protocol?
So, of course, don't be changing a whole lot of things
while you're driving,
unless you really know what you're doing.
But for the most part,
if you're in a stop state and you're
even fuzzing on the bus, you're probably going to be fine. You'll cause what's called the Christmas
tree effect on the dashboard, on the instrument cluster; it's just a bunch of lights blinking.
Turning off the car and turning it back on will usually reset all that stuff.
For a modern car, it's not too dangerous to just play around with it.
I'm sorry, I think I lost track of the actual question.
No, actually, that's a better direction.
I'll come back to that question.
Okay.
So you are saying that I really should do this on my own car,
that I should not be starting out by going to a parking lot and playing with other people's cars, right?
Yeah, you should never be using somebody else's car,
at least not without the permission.
If you have the permission, yeah, sure, go at it.
But, you know, in general, I would do all my research on my own car
or when I pull it out of the junkyard.
I'm a big proponent of going to a pick-and-pull,
spending about $100 to grab all the components you need
and wiring up
basically a plywood board
with an ECU, maybe an instrument cluster
and some wires.
You can do that for
a very cheap amount that can sit on your
desk and you can get the same
result at the end of it.
If you want to, once you're done with your research,
you could use that on, again, your
version of a car that you're legally allowed to have access to, to test it all out.
I like this idea of putting it on my desk to try it out.
And you say for like a hundred bucks, I can get a whole system.
What, I mean, an ECU, the car locks, the windshield wiper controller, what would I look for in that system?
Yeah, so it's really like you want to break it down to what you're most interested in.
So a lot of times when I'm building these test benches, like I care about the instrument cluster and the ECU.
Sometimes in order to get the instrument cluster to work, I have to grab a couple other modules. The one I typically use is, let's say,
it's a 2006 Malibu,
and that one also required the body control module,
which is where the fuses are,
and the ignition immobilizer system.
So it's right where the key goes.
So that's a little harder to gather
just because a lot of times in junkers,
you don't have a key.
But the reason being is because the instrument cluster in that case
wouldn't start up unless the handshake went between the key and the ECU
and stuff that normally is there to prevent you from hot wiring.
But still, that entire system costs about $100 in parts.
Most of those things aren't bought by normal people at a junkyard.
They'll buy ECUs, but nobody's really usually buying instrument clusters and stuff. So a lot of times
you bring this up to the desk and they don't have a price for it; they're just, whatever. And those
are nice, and I use those because I want to send signals to the test bench so I can move the
dials and then see what the CAN traffic looks like. And then those are great for training people
because you get this immediate feedback.
If you want to do door locks, then yeah, you would get an ECU
and you would grab the controller for the door lock and plug that in.
So it's really just whatever you want to target.
You usually aren't targeting a whole car.
You usually have something in mind.
And so just get those parts.
And so if I wanted to race my car, I would need the ECU, the engine control unit, to, I don't know, add knocks or...
Chris is just looking at me like, what, really? We're not souping up our car.
But if I wanted to, if I wanted to do racing on track day, of course, not drag racing in the city,
that would be bad.
Is the ECU mostly what I'd need or is there something else?
Maybe for that type of research.
So it depends when you're,
when you're doing performance tuning,
there's a little more information on it.
So depending what mods you want to make,
you might just be able to purchase the cable and software to do those changes. Now, if the research you want to do is... so, in order to actually change firmware, there is a security access token, like a random number. And then the goal is, you say, hey, I want access to...
Four bytes? That's not enough.
Yeah, it's not very big at all. And so what happens is you'll say, hey, I want access to
the firmware. It gives you like two to four bytes; you know, the advanced systems are four.
And then your goal is to send the appropriate answer back. Let's see, there are two or four bytes,
and if you do that, it unlocks the firmware and you can make
your modifications.
So
one thing you may want to do is
you may get an ECU so you can
figure out what that code system
is. So if you didn't want to
pay for it, you know, for somebody else who has
a product that does that
code handshake for you,
you could get the ECU to try different methods
to get that security token exchange.
That's insane.
You're on a questionable area there
if you start doing that,
depending on what you do with the result of information.
But with the DMCA and the most recent exemptions,
ECU firmware modifications and tinkering are permitted.
So you should be okay.
Knock on wood.
You should be okay.
Should be.
Probably fine.
If I wanted to, I don't know, if I wanted to do auto drive, that seems like a bigger thing because I have to involve all these different sensors and probably add some more to my system. Is that...
Yeah, that one's huge.
Okay.
So it is, it is huge, and not just the software. So, yeah, I mean, there is one person who did it on his own, but he's remarkable. In his case, he did do it on his own, so you should be able to.
But testing on public roads is still an issue.
So you need to be able to test it prior to that,
maybe get to a certain level of certification
before you can start bringing it on to public roads.
And as of right now, we don't have anything like that.
We have no kind of test to say like,
okay, you're safe enough that you can start testing in a suburb.
Okay, now you're at class two
and you can test on highway
or whatever it happens to be.
That's just totally wild west right now.
It's like we need car simulator games
for our auto drive programs.
Yeah, I believe that's actually what Google uses
or has used with the other stuff as well.
I believe they run through simulations.
Oh, of course they have offline sandboxes. It's so much easier to test your algorithms and they've got plenty of data
Right. And so I think we can still allow that type of tinkering, um, or modifications. It's just we need to have a way to do it safely, um, some kind of certification type process, and right now we don't have that.
Well, here the FAA is really into certifying every damn thing.
But that's a separate rant.
If you have propellers to it,
then I think you have to certify with FAA.
Exactly.
Or at least, well, anyway.
You mentioned that one of your first hacks
was updating firmware with a map CD.
I don't, updating firmware,
A, seems a little dangerous because it's hard to go back,
but B, I've heard people say that you shouldn't,
that car manufacturers shouldn't allow firmware updates.
And I think that's crazy, but I wondered what you thought.
You know, if it wasn't required to make changes, then I would say that's fine to restrict it. But unfortunately it is required. I mean, if you change anything really major in your vehicle, you have to update the firmware. Um, and it's not always just parameter based stuff. Um, you know, even if you want to do like a tinkering kind of thing, like say valet mode, you know, you want to make it so, you know, you hit the brake three times while your car's in park and it goes in valet mode that prevents the car from going over 35, uh, something like that. That is a software type thing you can do. Um, you can make modifications to your firmware to do that. Um, and I don't think there's anything wrong with doing something like that. Uh, I do think you void your warranty.
I think that that's okay to do something of that nature for the manufacturer.
But I don't think they should restrict that from happening.
I don't think that you can.
You can't really make modifications and tell people they can't change firmware.
And that's where the code's at that handles the modification.
It's funny that this is a new problem.
I mean, our cars didn't used to be entirely software controlled.
It didn't have this, should I update the firmware, when we didn't ever talk about firmware or it was all just masked ROMs and you didn't ever get to change it.
And yet, in the last 15 years, it has become that every car has a firmware update mechanism
and some of them are more annoying than others.
Yeah, yeah, yeah, definitely.
And it used to be the network too, the wires,
you know, there were just resistance on a wire,
certain voltages going up and down, and now it's a bus system.
And so before, if you want to make a modification,
you just simply send the same kind of signal and you're fine. Now you have to understand what signals are being sent across the bus in order just to communicate with your vehicle. And unfortunately, one of the things I'd like to see the auto manufacturers do is to publish at least a large amount of that information,
what signal works for that vehicle. You know, I want to see an owner's manual like we used to have back in the day
that actually told you all the parts and the wires.
You know, I don't want to have to subscribe
to a wiring diagram.
And even having a wiring diagram
but not knowing what's on the wire
doesn't really help me much.
I need to know like, hey, I'm making a piece
that integrates with the radio unit.
You know, what signals do I need to send?
Or I'm replacing the radio unit.
You know, what signals do I want to receive?
Right now they consider that secret sauce. And that's ridiculous. One, they're only eight bytes and easy to reverse engineer. But two, you need it to make modifications, you need it to add third party components and have them work the same. So I'm hoping we'll get there. I'm not too sure how to
get that conversation and the right people to make that change, but I really have my fingers crossed that we'll get to the point where it's a lot easier to make modifications without this whole reverse engineering piece.
So if I buy a third-party radio for my car, they've had to reverse engineer the manufacturer's, um, system?
Yeah. That's why a lot of times if you get, um, even like the name brand ones like Pioneer and stuff, they don't have the same functionality as your normal in-car radio that you bought with it. So like, if maybe your radio had a thing where if you sped up, uh, the radio got louder, um, most times they don't have that. Uh, a lot of times you had to buy a separate little translation piece if you want to have your steering wheel buttons control the radio. Um, they just don't have all the different methods for all the different cars to do all these things. And it shouldn't be that hard.
It shouldn't be that big of a deal.
That's annoying. I mean, this isn't, this isn't the,
this isn't damaging my car.
This isn't anything that can void my warranty. This is, I want my radio to work when I get one that's slightly different.
Yes. Yeah, it's a lockout situation right now. Um, you know, it's so you have to be in their little group of who they've approved to work with the vehicle, and that inhibits innovation and it sucks. Um, because I had a radio break and I think it was $1,300 for the
replacement from the factory on 2008 vehicle.
Or you can go and get a much nicer looking one, you know, for 400 bucks,
but you're going to lose all those integration features.
And that's ridiculous.
I shouldn't have to pay three times the amount to have some, you know,
steering wheel controls, you know, basic stuff added to the vehicle.
And it's all, well, it's a large part because of that.
That stuff's considered secret sauce.
And there's ways of getting on a list to buy that information that are legal.
A lot of people, because again, you need it to do repairs
and you need it to make modifications.
There is a huge gray market area where ex-employees and engineers
are willing to let go of this.
It's usually just a single text file that has this information in it for a grand or two.
So a lot of people acquire them.
They're well-traded, but they're not legally traded.
And it shouldn't even be something you have to go to gray markets for because it's such a required piece.
No.
Yes, this is ridiculous, especially if it's something that a skilled engineer could essentially reverse engineer in two days given a car.
Yeah, we didn't say that's where you should start. We just said that, like, when you're starting reverse engineering, they're easy. It's silly to have to do that.
It is. And there's this drive to make cars less open all the time. And we're saying like, hey, it's very, very easy to make modifications to firmware, and I don't want a piece of malware making modifications to my ECU. It's fine if I do, but I don't want somebody else to do it. You know, so that security access token being two bytes or four bytes has got to go. And the way to do that is typically a public key infrastructure. So
you have a signed and, you know, updates, you know, that are encrypted that, you know, the ECU
has a secure boot area, it can check the key and say, Okay, yeah, no, this this certificate is
from a manufacturer, I'm going to upload it now. And that's great. And that's a much better system
for taking firmware updates. But unfortunately, if you stop there, you've locked out my ability to modify my car and tinkering. So, you know, like one of the things I've been trying to promote is like, hey, there needs to be a physical switch on ECU, or whatever device we're talking about, so that I can, you know, maybe set a jumper or, or do some kind of like, Oh,
I had to make this extra effort to get to this piece. I mean,
ECUs take at least 15 minutes to get to. So, you know,
it's not like I can just pop out a taillight and upload my firmware.
But if I get to that piece and I can set a jumper,
it should give me an override that voids my warranty, but you know,
lets me upload my own piece of firmware. And once it's been uploaded, that device is tainted. It can't, you know, can't go back to a non-voided piece. It's very similar to how Google Chromebooks and stuff work, uh, the Android phones, you know, it's pretty easy to root them. Um, there's actually a physical switch on a Chromebook, at least the original version, and when you flipped it, it voided your warranty, but you can put any OS you want on it. Like, I want that in a vehicle.
You know, I don't want them to see this
as a golden walled garden that we can now move to.
We can fix security and lock out
anybody that's not on our special list.
And I can see that being extremely tempting.
And so I'm really trying to kind of beat the drum, like, hey, we can totally add encryption, but we have to be very cognizant of how we do it. We need to take the extra effort to have a type of physical backdoor, not like the FBI Apple backdoors, but one where you're like, no, I know what I'm doing. I'm intentionally voiding it because I need to. You need a way of doing that.
Do you worry that exposing how to do these things through your book and through OpenGarages, do you worry that it's going to cause problems, that black hats will come and cause trouble for the rest of us?
No, I mean, I've been in security for over 20 years.
And one thing I've learned is exposure is what fixes things.
It's like a magician. If you talk about how a trick works, it gets rid of the illusion and people can work on the fix. If you don't do that, I mean, black hats are going to look at it regardless if there's a book on it or not. If there's value to it, that's what they're going to do. And if they don't tell anybody what it is, you don't even know how to fix your problem or even what your current security state is. Like, you know, is the minivan you drive around, is that vulnerable? If nobody's talking about these things, that's a worse position to be in than to say, like, well, here's how you assess it. And yeah, you may find some problems, and there may very well be a lot of pressure to get that fixed, but that's the better route to go.
Do you hack your own cars?
Yeah... it's... the only ones I hack. It's always the ones I've been hired to hack.
Nice try, though. I see what you tried to do there.
Do you hack them to make them more secure
from outside intrusion?
So, unfortunately, that's a little difficult
because the only real way to do that,
if you work with a company that actually has a disclosure policy and a way of communicating findings, um, then there's
a good chance you'll get an update and it'll be fine.
But if you're working on an older vehicle or, uh, through a manufacturer who maybe doesn't
yet have any kind of way of reporting vulnerabilities, your best bet is to replace the part.
Um, and so it's good that you know about it, but there isn't,
it's not as easy to reconfigure as say a computer system or a network.
You know,
the bus architecture is wrong and you have everything attached to the bus.
You know,
you have your whole powertrain unit attached to your telematics and there's a
bug in your telematics and that's extremely dangerous,
but you can't just pop in a firewall between the two.
It's difficult to do. I mean, being an engineer, I could build one. Um, it's not that hard, but it'd be easier just to take the helm action out to replace it.
Well, yes, except that one may not be the manufacturer's one and it may not do all the things you want to do, and if the manufacturer... yeah, I was thinking a firewall would not be that hard, but...
No, it's not too bad.
That's not a fun way to spend your time.
I mean, sure, okay.
No.
And you have to put them in sometimes weird locations and kind of make sure they're protected from the environment and that kind of stuff. So you can't just take a couple of embedded devices. I mean, technically, from an academic perspective, you could build one that way, but you really need to make it more ruggedized if you're going to drive around with it. And so that's extra work and whatnot. For, I don't know, I'll usually go with less features if I have to, but it's not the way I want it to be. You know, I want to be able to just report, like, hey, I found this issue. Um, I know you can't change the architecture of the bus, but can we update the firmware? You know, that kind of stuff.
So actual manufacturers.
If I wanted to get into doing car hacking and I wanted to go to a junk shop,
the pick and place,
which I found out we have one recently,
so I'm sort of tempted.
What kind of car should I look for
if I'm taking parts out?
You want to,
so newer ones are better because they'll,
they'll have more features.
You're more likely to have more CAN bus stuff.
I mean,
if you can get a 2008 or above,
that's great.
It's nice.
If you can find one with the keys in it,
just because if you took the key in the ECU and you decide later,
you're missing a piece,
like that's what happened with me.
When I get the instrument cluster to work
I realized, oh, I can't
just take it. I need to also get this other piece
or the ECU won't finish booting. So I had to go
back and get the body control module
and the ignition switch.
But I did pick a car that already had keys in it
so it wasn't too hard to go back and get those pieces.
But yeah, anything
2008 or above should be fine.
Again, depends what you're looking for you know if you're just looking at
ECUs and those are fine
No particular brands to stay away from or to head towards?
Again, it kind of depends what you're going after. So if you're going after like an IVI system, you know, the infotainment, you might want to go with one that has a really nice one. In those cases, it's going to cost you more money. So it depends who you are. But if you work for a business and you want to do, say, significant vulnerability research, what you should do is you should pick something with a large attack surface like an IVI and just buy a factory one. So, you know,
if you see that, oh, I really like, I don't know,
let's just pick a random vehicle.
Let's say the newest Honda Civic, right?
They have a pretty nice nav system in the new one.
So you're going to probably drop probably about $1,500.
But to get one brand new, you can have it sent to you.
And then just attack that.
I mean, you don't even need the rest of the car.
You can take it apart.
You can go through the firmware, look for JTAG ports, all that good stuff, and look
for outdated software, such like the Bluetooth things and stuff we found.
And that's how you'll go about being a security researcher and finding vulnerabilities.
You know if it's plugged into a bus what the end result is.
So you don't really have to do a full proof of concept unless you're asked to. As long as you, again, get code execution on it, most engineers, at least in the security department, know what that means. Um, so you know, again, it's great if they have a way of disclosing that. Um, it's tricky when they, when you don't. Um, but if anybody listening, uh, finds a vulnerability and is afraid of communicating that with the auto manufacturer because maybe they don't have a public policy on it, contact I Am The Cavalry or CERT. Those two places can kind of get that information to you and kind of protect you at the same time.
CERT is C-E-R-T, right?
Yes.
Okay.
And I Am The Cavalry will be in the show notes, of course.
Sometimes, worst case scenario, we can even use some of our legal people
because then you have a confidentiality between legal and them.
So if the lawyer reports the bug, then they can't actually get to you.
So we can provide that extra kind of safety barrier.
Which shouldn't be necessary.
Sigh.
I agree.
So are there any cars that are less hackable that, I mean,
that you probably don't want to play with because it just is a headache?
Well, the ones I wouldn't start with would be more like semi-trucks,
you know, like the class five vehicles and above, um, simply because they,
they're not as resistant to, like, fuzzing. Um, if you're sending invalid packets to those systems, you can permanently damage components in the vehicle. Um, not that a lot of people have semi-trucks sitting around, but just something to be aware of. There are certain types of vehicles that, uh, that aren't as resilient, and you can really cause some permanent damage with them, which is not as likely with a car.
Also, the semi-truck up on blocks in your driveway is going to piss off your significant other.
Yes, when that gets bricked and it's just sitting there, um, that's going to end badly. I think your days of car hacking are done.
In your book, it is all formatted and it talks about security and penetration testing.
And cars are the example platform.
While it's called The Car Hacker's Handbook, it seems like it is more an introduction to penetration testing and security with cars as the example. Was that intentional?
Yeah, and I think it's something you just realize when you start, you know, get past the mystery of a vehicle. Like, if you come from a software world, like, I don't know anything about cars, you know, once you kind of get past, like, well, it's not that hard and you learn what you're missing, then you can start applying it to anything else.
And I don't think I think cars are just, you know, Internet of Things.
It's just a computer on wheels, just like a bunch of other things are.
And that is that is intentional.
I do want you to make that connection.
I just think that cars are very accessible.
Not everybody has a baby monitor, I guess, to hack, or an industrial control center to go after.
But most people can get at least to a junkyard
to get car parts.
And most people understand cars
and you get the real risk of it.
You know, it's not like some kind of doorbell thing
you're hacking or a light bulb.
Like, oh, that was kind of fun,
but you don't really see the implications.
But the methodology is the exact same.
And so that technique works on cars.
It works on airlines.
It works on anything.
So yeah, there's just a generic kind of,
this is how you do hardware slash software penetration testing.
Just cars are just an acceptable kind of form to do that on.
And it's a fascinating form
because you can do things that you've always wanted to.
My mom made a modification to her car many years ago, off-the-shelf modification, where it talked when it backed up. It was so
embarrassing. I had to hide under the dashboard whenever I was in the car, but she really enjoyed
it saying, this car is backing up over and over again.
I can see how other people would want other things.
Cars are oddly a representation of ourselves.
Absolutely.
We have a rich history of modifying vehicles.
I mean, we always have.
I mean, those are the original car hackers.
I mean, this term is just kind of to add on the extra connected piece of it,
but it's very much so just enabling capability. And I think everybody feels that they spend so
much time in cars, at least a lot of times, that you get this connection with your vehicle. And
if you've modified a vehicle before, it's way more intense of a connection.
Yes, it becomes your car and not just the car.
Absolutely. Yes.
One of the things that I found interesting in your book was around, well, I don't know, page 49 in my copy, which were three pages of numbers that looked sort of like those Soviet number stations that just went on and on. And it's keypad entry, and if I enter these numbers into a keypad car, it will unlock the car in 20 minutes. At least that's what you wrote.
That can't possibly be true.
So, so this is somebody else's finding. Um, I have a link there. I don't actually have his real name, that's in the book for it. And it was in a forum posting.
And I want to capture in the book
one because I was afraid the forum posting would
eventually go away, but also
because that's really the way you'd
have to do it. You'd have to print out these codes.
And the bug
is for those keypads on the side of a door.
And the bug that they're discussing here
is if you punch in, let's just say it's five characters.
One, two, three, four, five. You know, obviously it checks to see if that's the password. Now, what should happen at that stage, it should clear the buffer and then you have to put in another five digits. But what actually happened, um, is that if you punch in one, two, three, four, five, it got checked, and then when you press six, it checked again. So this time it checked two, three, four, five, and six.
So you didn't have to put in a whole number of five digits
to get a whole different check.
And so that number pattern is a way to not overlap a bunch of tests.
So it reduces your key space you have to put in significantly.
So if you were to sit there with your finger on the book
and a finger on a keypad, you could run through that.
Some of this has been fixed in some of the more modern cars.
I don't remember exactly which one that worked on, but there's a couple of years that that worked.
And you can sit there and it takes you about 20 minutes, worst case scenario, to get through it.
But if you hit a code earlier, it unlocks earlier.
So it does work.
It's interesting.
I really enjoyed that hack.
That was a very clever hack.
And so I want to capture that in the book.
How important is it to look up what other people are doing?
Oh, it's very important.
I try and give researchers credit whenever I can,
when I use something.
There's actually so much research now
that it's hard to even know what everybody's doing.
I find new things all the time that it's like,
oh, wow, you know,
I wish I wouldn't have known that when I wrote the book,
because that would have been really cool to capture,
or it would have saved me a bunch of time.
You know, this book was pretty much so,
at least the security aspect of it was me being excited about my research
and trying to share that with other people.
And, you know, things that I've learned when I was, you know,
going through this process.
But, you know, right now we've been discussing
having certain conferences
that just showcase the tools
and stuff that people are using
and try and collaborate more on those
and get that even more than OpenGarages is,
but actually have a full-blown showcase
just to try and get all the people on the same page
and see what people's current hurdles are.
Black Hat Autotopia.
Yeah. How do I find good non-malicious modifications to build on? If I'm searching online, where do I go?
Um, what are you asking for? Like, well, like, you want to use like a patch or something? Or what are you looking for?
Well, the ECUs, we've been sort of saying that they are a thing.
But you need a lot of information about the ECU from the manufacturer,
except they don't always give it out.
And so where do I go to get that information?
And then if somebody else has done what I want to do,
how do I know that their update doesn't include other things?
Yeah, I mean, that part, unfortunately, is a little bit difficult. I mean, performance tuning forums are the best place for those kind of like off-the-shelf firmware mods, like Valet Mode. There are several software packages that have that capability that you can push down. Now, those usually are not open source tools. Uh, those groups usually, they don't come from the open source background. You're starting to see a lot more of it, but, um, back then they don't. A lot of small shops making small little tools here and there that do different features, um, and finding them is, you know, it can be a challenge. Um, you know, you can try using OpenGarages and posting on their mailing list and see if somebody's done something, they'll point you in the right direction, but I don't know that's all that much better than just posting to a random forum the same question. Um, there isn't currently a very centralized way of just saying, like, hey, I have this car, what kind of modifications can I make, and a list of all these different places and things you can get to do that. I wish... maybe we'll build one of those.
Yeah, I wish the manufacturers had a forum that was mods that maybe they didn't agree with, maybe they void your warranty anyway, but at least there was a place to talk to other enthusiasts.
Yeah, yeah, that'd be nice. Yeah, it's just decentralized right now. Um, there's a couple forums for different types of cars that are more popular than others. Um, but yeah, it's about as close as you're gonna get.
And there's no, like, app store for mods yet.
Oh, that'd be fun. That actually would be a lot of fun. I think somebody should build one of those. That would be really cool.
Okay. So I think we are about out of time. So I'm going to do my last
would be really cool. Okay. So I think we are about out of time. So I'm going to do my last
few questions. Your book, Car Hacker's Handbook, was published by NoStarch recently, last month?
Yeah. I believe it finally came out. And there is a free version available, although it's a little older and quite a bit shorter.
Is that right?
Yes.
Yes, that was the very first book I wrote.
And that was self-published.
And it was really just to go along with some classes I was teaching at Virginia Tech.
It was just like a free course book for them.
And it turns out it was really, really popular, even though it's a little book. Um, and that's, I kind of got the attention of No Starch, and so we've gone that way. You can still get the free 2014 version, and eventually No Starch will release this one free. I don't know exactly how long that'll take, um, but this will also be on Creative Commons eventually.
Well, yeah, but they're going to keep it until it's not making money for them.
O'Reilly told me my book would be open source at some point.
But since they're still sending me checks, I assume that isn't going to happen this month.
Yeah, that's my biggest fear.
When we negotiated that, I guess I should have put a timeline on there.
That's lessons learned for me.
Well, they're reasonable people. You might be able to talk them into a two-year... I don't know. And people still buy the book even if it's free, so it'll work out.
Yeah, yeah. I mean, I was selling the book when it was free, and they were both released at the same time, and people still bought them. Probably not in the same quantity, you know, but whatever. Like, you don't really make much money as an author anyway, so I'm okay with that.
So are you ready to write another book?
No, not really. Only an idiot would write a second book. The first one's much too hard.
Christopher, do you have any voice left? That was a head shake, so not so much.
Craig, do you have any last thoughts you'd like to leave us with?
Yeah, just if any listeners are interested in basically some of the stuff we talked about,
you know, even just from an activist kind of perspective, you feel passionate
that, hey, I don't necessarily want to hack my car,
but I believe in
getting third-party components or
getting an app store kind of thing
for mods. I Am The Cavalry
is a great group for that because
it's not just technical people.
We need people who can speak
to normal humans,
whereas a lot of us engineers are really bad at that.
So the more help we can get, the better off it is.
Cool.
My guest has been Craig Smith, author of The Car Hacker's Handbook,
founder of OpenGarages, and the talent behind Theia Labs.
No Starch has given us a coupon for his book.
Embedded Car will get you 40% off.
I think that's all caps, but you may have to try it a couple ways.
If you have trouble, send me email and I'll contact them.
But Embedded Car.
Try that at No Starch and get 40% off.
Thank you so much for being here, Craig.
Thank you guys for having me. It's been great.
Thank you also to Allison Shaken for introducing us to Craig, and thank you to Christopher for producing and maybe not so much co-hosting this week, but general co-hosting. And of course, thank you for listening. Please check out our blog and newsletter. You can find it all on the Embedded.fm
website along with a contact link if you'd like to say hello. We'll be here next week with something
a little different. I think we're talking to our accountant about having a business in the U.S.
Some of you won't like that. That's okay. I'm looking forward to it. She's got a mustache on
her finger so that when she holds her finger up to her mouth, it's a mustache.
So I'll be giggling the whole time.
In the meantime, here's a final thought to tide you over to next week or the week before.
This one is from the movie Cars.
Lightning McQueen says,
Okay, here we go. Focus. Speed. I am speed. One winner, 42 losers. Quicker than quick. I am lightning.