
Hacking an Audi: performing a man-in-the-middle attack on FlexRay - pd0wm
https://medium.com/@comma_ai/hacking-an-audi-performing-a-man-in-the-middle-attack-on-flexray-2710b1d29f3f
======
stuff4ben
I wish I could hack my Lexus RX350's LKAS. It's pretty bad and seems to bounce
left and right between the lanes. It gets to the point that I just shut it off
since I don't want to fight it when driving long distances as it's very
tiring. It's probably a timing issue as the computer isn't getting updates
fast enough and has to keep correcting which causes the bouncing between the
lane. A Tesla this is not!

~~~
kfarr
Maybe it's just me, but the regulatory oversight around these automated
features seems insufficient. I'm trying to imagine equivalents from older
passive safety technology like seatbelts that don't always work, airbags that
pop out prematurely, or cruise control that accelerates without warning.
Doesn't seem like those would pass muster "back in the day"? (Not to mention
Uber autonomous vehicle flat out killing a pedestrian with no criminal
culpability.)

Maybe it's a case of severity -- automated lane guidance isn't viewed as a
serious problem when it fails? But who makes that decision?

I don't drive much anymore but when I do it's in a Zipcar with relatively
recent Subarus that have this lane guidance technology. I always turn it off
as it invariably makes mistakes within a few hours of usage and seems more
dangerous on than deactivated.

~~~
UweSchmidt
Regulating technology is difficult. You can easily set up a mechanical
seatbelt test that tests a mechanism 1000 times, but how would you test an
algorithm? Also, many people died before seatbelts became mandatory; so much
for "back in the day".

~~~
carlmr
> how would you test an algorithm?

You can send out drivers that test if it works well. And then you can record
that data, and check what is causing the issues and add these frames as test
data?

But the testing IMHO is a bit too late. You need UX designers and
psychologists giving inputs from the start. You need SW quality by design, not
by process. You need to rid yourself of any management layers that don't
understand software.

------
_pmf_
> On the Q8, the FlexRay bus has cycle time of 5 ms, so each ECU can send
> messages at 200 Hz.

That's weirdly worded. The cycle repeats (disregarding multiplexed PDUs) every
5 ms, but there are lots of messages within a cycle.

Even on CAN, it's not uncommon to have > 2000 msg/s (looking at Daimler trucks
with 70% utilization).

------
chews
This is a fantastic writeup and it's truly brilliant what the very clever
folks at comma.ai are up to.

Very slick stuff indeed.

------
harywilke
I really wanted the company to be called ",,," when I read: "This medium post
is about a project by three comma employees"

------
Glawen
They do not know about Vector CANoe? I did this "hacking" every other day
when testing software on a prototype vehicle.

~~~
gburdell3
There's a pretty big difference between testing software with a protocol that
you know and understand, and reverse-engineering the communications on a
production vehicle.

------
ex3ndr
I didn't get it, FlexRay usually uses end-to-end encryption and it seems that
everything is in plain text? Audi just decided not to encrypt something?

~~~
mrlambchop
From experimentation with recent Mercedes and BMW, it's encrypted, although I
do recall that early X5s were not protected.

------
jboy55
Is this a 'man in the middle' attack for 3rd party nefarious purposes, like
controlling someone else's Audi ... Or just plain reverse engineering of a
communications protocol to hack the software for 1st party education and
extension? Why the click-baity title as if this is some great compromise to
the integrity of the Audi? Am I missing something?

~~~
mtreis86
The latter, "We built a python script to read a joystick and used a panda to
send the CAN messages to the FPGA, which overrides the appropriate bits on the
FlexRay bus to control the EPS. By combining the results from the previous
steps, we were able to control the steering with a joystick."

