Looks like the website is having some trouble with all the HN traffic. Rehosted the ebook downloads on GDrive to save him some traffic. I'll remove them when the post leaves the HN front page.
Just FYI, this book literally teaches you how to identify security vulnerabilities in modern cars and exploit them.
You can purchase it from Amazon here[0], or download the book for free in EPUB[1] or PDF[2].
This is especially heinous given that car manufacturers are trying to keep you from repairing your own car, claiming that the computer systems are copyrighted.
Here in the USA the carmakers are bound by law to not act in a way that prevents you from repairing your own car.
The article that you cited does not seem to advance the argument in your comment, even though it opens with a story of a company getting sued for actual copyright infringement. (Ford has not sued the "ForSCAN" team.)
The carmakers are bound by law to implement the OBD2 application with an acceptable OBD2 PHY. They are also bound by law to provide their dealer system for flash-programming and for operations that cannot be carried out using the OBD2 application. Anyone can obtain a J2534 gateway to use these tools, and anyone can obtain access to these tools.
This is necessary to resolve antitrust issues and because a broken car is a potential emissions problem.
The carmakers have not stopped third-party diagnostic providers from reverse engineering the carmakers' tools to develop their own tools for sale. Autoenginuity, Launch X431, and Snap-on are examples of companies that do this and who have no connections to the vehicle manufacturer supply chain the way that Bosch, Actia, and Continental do.
“Due to the salvage status of your Model S, I have been instructed to cease providing you with parts. Tesla is very concerned about vehicles with salvaged titles being improperly repaired. Going forward, all salvaged vehicles must be inspected by us or our approved body shop, Precision Auto Body. If declared a candidate for proper repair, reconstruction must be completed by a Tesla-Certified Body Shop.”
They made like 80,000 cars, how many of these are not under warranty anymore? Documentation is available and there is already aftermarket coverage for wear items. If they fail to provide access to a necessary tool for repairs, it will be leaked and distributed, but for now almost nobody seems to care.
Tesla are a small part of the automotive industry, a low volume manufacturer making products with limited availability. I think this will likely change one day, but for now, if I ran an indy mechanic shop, and advertised Tesla services, I would be surprised to get one inquiry in a year.
Actually, since I follow /r/teslamotors, I've seen a couple of projects that involve hacking the internal network on the Tesla and hacking the giant center console touch screen's computer to do things.
Tesla doesn't really lock it down any more than they need to for safety and sanity reasons, as far as I can tell.
I worked for one of those car manufacturers on the telematics unit, doing things like putting specific frames on the CAN bus to make the car do remote operations like start/stop engine, and also reading values from ECUs for DTC codes. We used to teraterm into the unit with a serial cable and a trivial password. The security measure we had during that time was that "we do not give cables to customers so that they can't teraterm into the telematics unit." It might have changed now with the recent CAN bus hacks.
Ha, Harman tried that with a recent project of theirs that is in serial production now for a big carmaker. I identified the strange connector and asked for a free sample of it, from there it took me ten minutes to disable the firewall and enable SSH access from the ethernet.
I didn't want to give specifics of the hardware. Now that you know, yes, it's Harman with QNX on Chryslers. Now you need to figure out the remote execution codes to put in the CAN bus frames :). There is a catch though: without the original car keys, you can't move the car, or can you?
In other news, access to the terminal is now based on an "authentication key"; root access is not enough. For development purposes, Harman provides these keys and they expire after a certain period of time. I am not sure whether those "fixed" telematics models are out there on the market currently.
I attacked a Harman QNX device done for a different carmaker. When I got access to the serial console I was able to look deeper. I found a script to take down the firewall, and that a series of CAN bus messages will run the script to enable this debug or development mode (very easy with one of the carmaker's leaked engineering tools), so now we know how to break into the device without taking the car apart to gain access to the connector.
The box is really cool, it would be neat to develop our own applets, but mostly people are only interested in changing the splash screen. We found some really neat things about it too, for instance if a second device appears on the ethernet it can be a 'slave' to the first one and access its media.
We have seen demonstrations of the keyless cars from this automaker being started and driven without the actual RFID key device. Someone apparently used some hardware to brute-force the private key of the security controller so that the authorised RFID key information can be read and modified. This is apparently becoming a problem in Europe, where a car thief can simply drive east for a while and be out of reach of the law.
I do too; I was a lead on Ford SYNC, GM's Cadillac CUE, and a slew of other OEM ECU modules. First let me say that the book is dated. Example, there is now CAN-FD but they only talk about CAN and Extended CAN in the book.
The attacks in the book are low grade attacks just about anyone with just a basic curiosity could probably pull off - like making up a cable. Ford SYNC, for example, required signed payloads.
Infotainment systems, generally speaking, are not even on the same CAN bus as the engine control unit.
The book spends an inordinate amount of its pages talking about stuff you can easily Google and get much more detailed and more accurate information on, like LIN, OBD2, etc.
Why not talk about CAN arbitration? The book fails to mention a simple attack vector everyone in automotive knows about. The ArbID on CAN is not only unique to a CAN frame but is also used to win arbitration. You can flood a CAN bus with CAN frames using an ArbID of 0x01 or 0x00 to kick off a sort of denial-of-service attack.
The UDS hacks they talk about are not really hacks at all. They are part of what is known as right to service. Automotive manufacturers are not allowed to lock out small mom & pop service shops or 3rd party tools. The really sensitive stuff typically requires what is known as a VIN unlocker. For example, you can't easily change the ODO (odometer) value. With Ford ECUs, you get a DLL from Ford Motor and a key. You then take CAN data off the bus, pass it through the provided DLL and along with the key, get back a value that you send back out to "unlock" the ECU to program it. Why not talk about reverse engineering this?
They talk about CANiBUS which is a nice tool but a better one is Vehicle Spy which does the same thing and more. Chip tuners use this to reverse engineer the CAN signals.
In the industry, all these CAN bus signals can be decoded if you have what is called a DBC file. A DBC file is a file format used to look up values and translate them into human-readable descriptions. The format is owned by Vector, which is another company that makes overpriced CAN diagnostic and simulation tools that everyone uses.
The Ethernet Metasploit looks like pie-in-the-sky talk. Every Ethernet system in a car today is basically an infotainment system and benign data like album art, MirrorLink, and simple data sharing between, say, a center stack and a cluster. There's nothing there... On top of this, every automotive Ethernet is BroadR-Reach, which is Broadcom's 2-wire Ethernet, and to tap into it requires expensive demo boards from Broadcom. It's not like you can simply take a 2-wire Ethernet and put it into a Linksys switch to see the packets. More misinformation.
The Keypad for the passive entry looks like good material but it, too, looks very dated.
Sorry to be such a downer, but I felt after reading through the material they should be called out. Buyer beware.
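Since the comment above describes the UDS seed/key unlock without showing the exchange, here is an added example (written for this thread, not the book's code and not Ford's DLL or any OEM's algorithm) of both sides of UDS SecurityAccess. The service and response codes are the ISO 14229 ones: service 0x27, sub-function 0x01 requestSeed and 0x02 sendKey, positive response SID 0x67, negative response 0x7F with an NRC (0x24 requestSequenceError, 0x35 invalidKey, 0x36 exceededNumberOfAttempts). The `key_from_seed` function is a made-up placeholder standing in for whatever the vendor DLL plus key computes, and the `Ecu`/`tester_unlock` names are my own.

```python
"""UDS SecurityAccess (ISO 14229 service 0x27) seed/key exchange, both sides.

Example code written for this discussion; the key derivation is a made-up
placeholder for whatever the OEM's DLL computes, not any real algorithm.
"""
import os

SID_SECURITY_ACCESS = 0x27
POSITIVE_SID = SID_SECURITY_ACCESS + 0x40      # 0x67
NEGATIVE_SID = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUB_FUNCTION_NOT_SUPPORTED = 0x12
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36

SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02


def key_from_seed(seed: bytes, secret: int) -> bytes:
    """HYPOTHETICAL key derivation standing in for the vendor DLL + key."""
    s = int.from_bytes(seed, "big")
    k = ((s ^ secret) * 0x9E3779B1 + secret) & 0xFFFFFFFF
    return k.to_bytes(4, "big")


class Ecu:
    """ECU side: hands out a seed, checks the key, counts failures."""

    def __init__(self, secret: int, max_attempts: int = 3, rng=os.urandom):
        self.secret = secret
        self.max_attempts = max_attempts
        self.rng = rng              # injectable so a test can use a fixed seed
        self.pending_seed = None
        self.failures = 0
        self.unlocked = False

    def _negative(self, nrc: int) -> bytes:
        return bytes([NEGATIVE_SID, SID_SECURITY_ACCESS, nrc])

    def handle(self, request: bytes) -> bytes:
        if request[0] != SID_SECURITY_ACCESS:
            return bytes([NEGATIVE_SID, request[0], NRC_SERVICE_NOT_SUPPORTED])
        sub = request[1]
        if self.failures >= self.max_attempts:
            return self._negative(NRC_EXCEEDED_ATTEMPTS)        # locked out until reset
        if sub == SUB_REQUEST_SEED:
            if self.unlocked:
                return bytes([POSITIVE_SID, sub, 0, 0, 0, 0])   # all-zero seed: already unlocked
            self.pending_seed = self.rng(4)
            return bytes([POSITIVE_SID, sub]) + self.pending_seed
        if sub == SUB_SEND_KEY:
            if self.pending_seed is None:
                return self._negative(NRC_REQUEST_SEQUENCE_ERROR)  # key sent before seed
            expected = key_from_seed(self.pending_seed, self.secret)
            self.pending_seed = None                             # a seed is single use
            if request[2:] == expected:
                self.unlocked, self.failures = True, 0
                return bytes([POSITIVE_SID, sub])
            self.failures += 1
            return self._negative(NRC_INVALID_KEY)
        return self._negative(NRC_SUB_FUNCTION_NOT_SUPPORTED)


def tester_unlock(ecu: Ecu, secret: int) -> bytes:
    """Tester side: requestSeed -> compute key -> sendKey. Returns the final response."""
    resp = ecu.handle(bytes([SID_SECURITY_ACCESS, SUB_REQUEST_SEED]))
    if resp[0] != POSITIVE_SID:
        return resp
    seed = resp[2:6]
    if seed == bytes(4):
        return resp                                              # already unlocked
    key = key_from_seed(seed, secret)
    return ecu.handle(bytes([SID_SECURITY_ACCESS, SUB_SEND_KEY]) + key)


if __name__ == "__main__":
    ecu = Ecu(secret=0xDEADBEEF)
    print("correct key:", tester_unlock(ecu, 0xDEADBEEF).hex())
    other = Ecu(secret=0xDEADBEEF)
    for _ in range(4):                       # three invalidKey, then exceededNumberOfAttempts
        print("wrong key:  ", tester_unlock(other, 0x1).hex())
```

The point of the attempt counter and single-use seed is that the secret (the "key" that comes with the DLL) is what protects the ECU; a real unlocker is just this exchange with the right derivation, which is why the comment's suggestion of reverse engineering the DLL is the interesting part.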
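The same comment mentions DBC files as the way to turn raw CAN frames into human-readable signals but doesn't show the format. As an added example (not from the book and not Vector's code), here is a minimal DBC parser plus signal decoder in pure Python that handles both Intel (`@1`) and Motorola (`@0`) byte orders and signed signals. The DBC snippet, the message and signal names, and the frame bytes are all constructed for this example.

```python
"""Minimal DBC (Vector CANdb) parser and CAN signal decoder, standard library only.

Example code for this thread; the DBC text and frame below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Signal:
    name: str
    start: int              # DBC start bit
    length: int
    little_endian: bool     # '@1' = Intel, '@0' = Motorola
    signed: bool            # '-' = signed, '+' = unsigned
    factor: float
    offset: float
    unit: str


@dataclass
class Message:
    can_id: int
    name: str
    dlc: int
    signals: list = field(default_factory=list)


BO_RE = re.compile(r"^BO_\s+(\d+)\s+(\w+)\s*:\s*(\d+)\s+(\w+)")
SG_RE = re.compile(r'^\s*SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])'
                   r'\s*\(([^,]+),([^)]+)\)\s*\[[^\]]*\]\s*"([^"]*)"')


def parse_dbc(text: str) -> dict:
    """Return {can_id: Message} from the BO_/SG_ lines of a DBC file."""
    db, current = {}, None
    for line in text.splitlines():
        m = BO_RE.match(line)
        if m:
            raw_id = int(m.group(1))
            # DBC sets bit 31 on extended (29-bit) IDs; mask it off
            current = Message(raw_id & 0x1FFFFFFF, m.group(2), int(m.group(3)))
            db[current.can_id] = current
            continue
        m = SG_RE.match(line)
        if m and current is not None:
            current.signals.append(Signal(
                m.group(1), int(m.group(2)), int(m.group(3)),
                m.group(4) == "1", m.group(5) == "-",
                float(m.group(6)), float(m.group(7)), m.group(8)))
    return db


def extract_raw(data: bytes, sig: Signal) -> int:
    """Pull the raw integer for one signal out of the frame payload."""
    nbits = len(data) * 8
    mask = (1 << sig.length) - 1
    if sig.little_endian:
        raw = (int.from_bytes(data, "little") >> sig.start) & mask
    else:
        # Motorola: the DBC start bit is the MSB of the signal; renumber bits so
        # that 0 is the MSB of byte 0, then shift the big-endian payload down.
        msb = 8 * (sig.start // 8) + (7 - sig.start % 8)
        raw = (int.from_bytes(data, "big") >> (nbits - msb - sig.length)) & mask
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length           # two's complement sign extension
    return raw


def decode(db: dict, can_id: int, data: bytes) -> dict:
    """Decode a frame into {signal_name: physical_value}."""
    msg = db.get(can_id)
    if msg is None:
        raise KeyError(f"no message defined for ID 0x{can_id:X}")
    return {s.name: extract_raw(data, s) * s.factor + s.offset for s in msg.signals}


# Constructed DBC fragment (invented names); Vector__XXX is the usual "no receiver" placeholder.
SAMPLE_DBC = """
BO_ 256 ENGINE_STATUS: 8 ECM
 SG_ EngineSpeed : 0|16@1+ (0.25,0) [0|16383.75] "rpm" Vector__XXX
 SG_ CoolantTemp : 16|8@1+ (1,-40) [-40|215] "degC" Vector__XXX
 SG_ ThrottlePos : 24|8@1+ (0.5,0) [0|127.5] "%" Vector__XXX
 SG_ TorqueReq : 39|16@0- (0.1,0) [-3276.8|3276.7] "Nm" Vector__XXX
"""

# Constructed payload: 800 rpm, 90 degC, 20 %, -25.0 Nm (Motorola, signed).
SAMPLE_FRAME = bytes.fromhex("800c8228ff060000")


def demo() -> dict:
    return decode(parse_dbc(SAMPLE_DBC), 0x100, SAMPLE_FRAME)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Multiplexed signals (`M`/`m0` after the signal name), value tables and attributes are left out; this is the subset you need to get from a candump to engineering values.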
"If the info there is as outdated as you say, where could one find a reasonably complete and up to date intro to car computer technology?"
You won't find this in public. You would need to work in the industry to get access to all the specs. Much of it is under NDA between companies.
"Are there any tools out there that can be used for simulating a car network (CAN bus, ECU etc.) for lab purposes?"
Yes, Vector CANoe is probably the most widely used tool for this. It has a scripting engine called CAPL that closely resembles the C programming language. dSPACE is another one.
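For anyone who wants a lab stand-in without a CANoe licence, here is an added Python example (written for this thread, not from the book and not CAPL) that simulates bitwise CAN arbitration and the low-ID flooding denial of service mentioned upthread. The node names, IDs and backlogs are constructed; it models only arbitration, not error counters, bus-off or bit timing, so treat it as an illustration of why ID 0x000 always wins rather than as a bus model.

```python
"""Simulate CAN bus arbitration to show why a node spamming a low arbitration ID
starves every other node on the bus.  Example code for this thread.
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    arb_id: int        # 11-bit standard identifier (0x000-0x7FF)
    backlog: int = 0   # frames this node still wants to send
    sent: int = 0


def arbitrate(contenders, id_bits: int = 11) -> Node:
    """Bitwise CAN arbitration over the identifier field, MSB first.

    The bus is a wired-AND: a dominant 0 from any node overrides a recessive 1.
    A node that transmits 1 but reads 0 back loses and stops sending, so the
    node with the numerically lowest ID always wins.  Identifiers must be
    unique on a real bus; duplicates here are simply treated as a tie.
    """
    remaining = list(contenders)
    for bit in range(id_bits - 1, -1, -1):
        bus_level = min((n.arb_id >> bit) & 1 for n in remaining)   # wired-AND
        remaining = [n for n in remaining if (n.arb_id >> bit) & 1 == bus_level]
        if len(remaining) == 1:
            break
    return remaining[0]


def simulate(nodes, slots: int) -> dict:
    """Run `slots` frame slots; every node with a backlog contends for each one."""
    for _ in range(slots):
        contenders = [n for n in nodes if n.backlog > 0]
        if not contenders:
            break
        winner = arbitrate(contenders)
        winner.backlog -= 1
        winner.sent += 1
    return {n.name: n.sent for n in nodes}


def flood_demo(slots: int = 200) -> dict:
    """Constructed scenario: two normal ECUs plus a node spamming ID 0x000."""
    nodes = [
        Node("engine", 0x0C0, backlog=50),
        Node("diag_tester", 0x7E0, backlog=10),
        Node("flooder", 0x000, backlog=10**9),   # effectively never runs out of frames
    ]
    return simulate(nodes, slots)


def normal_demo(slots: int = 200) -> dict:
    """Same ECUs without the flooder: both drain their backlogs, lowest ID first."""
    nodes = [Node("engine", 0x0C0, backlog=50), Node("diag_tester", 0x7E0, backlog=10)]
    return simulate(nodes, slots)


if __name__ == "__main__":
    print("with flooder:   ", flood_demo())
    print("without flooder:", normal_demo())
```

Run it and the flooder takes every slot while the engine and tester send nothing; drop the flooder and both drain normally, with the engine's lower ID going first. The same property is why safety-relevant messages get the lowest IDs in a real design, and why a single misbehaving node can take a whole segment down.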
Some very interesting stuff in there... that's bound to make some manufacturers very unhappy. I remember a couple years ago when some Tesla forum geeks got access to the Linux system running the infotainment dashboard of the model ... and got a nice (seriously) message from Tesla engineers to the amount of "good job... but please stop there".
Many folks have mentioned how the Tesla Model S at least is more of a supercomputing cluster on wheels than a car with some ECUs. I don't know how armored their CAN bus(es) are, but I'm sure the "Attacking ECUs and other embedded systems" is giving some safety engineers white hair.
(of course, everything I've said about Tesla is just about equally applicable to other high-end vehicles. It's just that Tesla are a bit more connected to the traditional software world)
>I'm sure the "Attacking ECUs and other embedded systems" is giving some safety engineers white hairs.
If the systems were properly documented for the owners I seriously doubt there would be a problem. Give people a USB stick with docs, sources and signing keys and those who can make sense of them are probably smart enough to hack responsibly.
No way. The carmaker cannot guarantee emissions, safety or its operation if tampering is permitted. I think they should stop at voiding the warranty, though, and not move on to making threats or legal actions.
[0] http://www.amazon.com/2014-Hackers-Manual-Craig-Smith/dp/099...
[1] https://drive.google.com/file/d/0Bzxo-UKxFmN-bDlNSi1IT1JLdHM...
[2] https://drive.google.com/file/d/0Bzxo-UKxFmN-WFVjcEVVX3B5azg...