The average automobile today isn’t necessarily secured against hackers, so much as obscured from them: Digitally controlling a car’s electronics remains an arcane, specialized skill among security researchers. But that’s changing fast. And soon, it could take as little as $60 and a laptop to begin messing around with a car’s digital innards.
Tomorrow at the Black Hat Asia security conference in Singapore, 24-year-old Eric Evenchick plans to present a new device he calls the CANtact. The open source board, which he hopes to sell for between $60 and $100, connects on one end to a computer’s USB port, and on the other to a car or truck’s OBD2 port, a network port under its dashboard. That makes the CANtact a cheap interface between any PC and a vehicle’s controller area network or CAN bus, the collection of connected computers inside of every modern automobile that control everything from its windows to its brakes.
With just that go-between gadget and the open source software that Evenchick is releasing for free, he hopes to make car hacking a far cheaper and more automated process for amateurs. "I realized that there were no good tools for me to play around with this stuff outside of what the auto industry uses, and those are incredibly expensive," Evenchick says, referring to products sold by companies like Vector that can cost tens of thousands of dollars. "I wanted to build a tool I can get out there, along with software to show that this stuff isn’t terribly complicated."
Over the last several years, researchers have shown that car hacking represents a real security threat. In 2013, for instance, Darpa-funded security researchers Chris Valasek and Charlie Miller showed (with me as their chosen crash-test dummy) that it was possible to send digital commands from a laptop connected to a car's CAN bus that affected steering, slammed on brakes, or even disabled brakes at some speeds.
Evenchick's gadget aims to make exactly that sort of testing more accessible to researchers. In their tests, Valasek and Miller used a $150 ECOM cable that they rewired by hand to connect to their test vehicles' OBD2 ports. (Valasek says a stock cable capable of that connection would have cost $1,200.) Evenchick's CANtact is designed to make that connection out of the box at a much lower cost.
The average coder isn't familiar with the protocol most cars' computers rely on to communicate. But Evenchick has written open source software for CANtact that automates much of the manual work of CAN bus hacking. Like the earlier work by Valasek and Miller, the CANtact is designed to send commands in Unified Diagnostics Services, the CAN protocol that auto mechanics use to communicate with electronic control units (or ECUs) throughout a vehicle. That allows anyone to write python scripts that can automatically trigger commands in a car's digital network that range from turning off its "check engine" light to automatically pumping its brakes. "Most people have no idea there’s all this diagnostic stuff that someone who’s connected to the CAN bus can use to do all these interesting things," says Evenchick. "What are the extent of those features? And what implementation problems exist that could be big security holes?"
For now, actually figuring out what a certain UDS command sent from the CANtact might do in a specific vehicle will largely be a matter of trial and error for amateur car hackers, says Evenchick. But by publishing its software on Github, he hopes the code will become a collection of different hackers' techniques that target individual vehicle makes and models. "It would be awesome if people messing around with their cars... could work together to build a library [of code] to do all this stuff," says Evenchick. "You're a Honda owner, and someone else is a Honda owner. If they find some cool things to do and you want to play around with it too, they can share it."
The CANtact, of course, can only test security exploits that require physical access, not remote attacks. But the device does help to automate the testing of security exploits that would be possible once a hacker has already gained a wireless foothold on a car's network. And the notion of a hacker gaining that sort of initial wireless foothold in a car's network is more than theoretical. Researchers at the University of Washington and the University of California at San Diego demonstrated in 2011 that they could gain access to an unnamed car's network through wireless attacks that included a Bluetooth connection, the car's OnStar-like cellular radio, and even Android malware on the driver’s phone.
Evenchick says his CANtact gadget isn't intended to make any sort of malicious car hacking easier. Instead, he argues, it's meant to foster hobbyist car hacking and security research that can expose and help fix real vulnerabilities in the digital components of cars and trucks. Miller and Valasek's earlier research, for example, served as a public demonstration that cars' internal networks lack basic security protections. Their work led to Senator Edward Markey sending a series of questions to 20 automakers that eventually revealed widespread inattention to security and in some cases a potential lack of anti-hacking measures in their cars and trucks. Only seven of the companies said they used third party security auditing for their vehicles, and only two said they currently had features to respond to a hacker intrusion on their vehicles' CAN buses.
The more attention and testing those car systems receive, Evenchick says, the more secure they'll eventually become. "You don't really own a device until you can open it up and tear it apart," says Evenchick. "Your car is more connected than ever before. Just having people know what’s going on with cars and understand them better would be kind of nice."
