The Car Hacker's Handbook

Book Description

The Car Hacker's Handbook shows how to identify vulnerabilities in modern automotive vehicles.

Table of Contents

    1. Why Car Hacking Is Good for All of Us
    2. What’s in This Book
    1. Finding Attack Surfaces
    2. Threat Modeling
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    3. Threat Identification
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    4. Threat Rating Systems
      1. The DREAD Rating System
      2. CVSS: An Alternative to DREAD
    5. Working with Threat Model Results
    6. Summary
    1. The CAN Bus
      1. The OBD-II Connector
      2. Finding CAN Connections
      3. CAN Bus Packet Layout
      4. The ISO-TP Protocol
      5. The CANopen Protocol
      6. The GMLAN Bus
    2. The SAE J1850 Protocol
      1. The PWM Protocol
      2. The VPW Protocol
    3. The Keyword Protocol and ISO 9141-2
    4. The Local Interconnect Network Protocol
    5. The MOST Protocol
      1. MOST Network Layers
      2. MOST Control Blocks
      3. Hacking MOST
    6. The FlexRay Bus
      1. Hardware
      2. Network Topology
      3. Implementation
      4. FlexRay Cycles
      5. Packet Layout
      6. Sniffing a FlexRay Network
    7. Automotive Ethernet
    8. OBD-II Connector Pinout Maps
    9. The OBD-III Standard
    10. Summary
    1. Setting Up can-utils to Connect to CAN Devices
      1. Installing can-utils
      2. Configuring Built-In Chipsets
      3. Configuring Serial CAN Devices
      4. Setting Up a Virtual CAN Network
    2. The CAN Utilities Suite
      1. Installing Additional Kernel Modules
      2. The can-isotp.ko Module
    3. Coding SocketCAN Applications
      1. Connecting to the CAN Socket
      2. Setting Up the CAN Frame
      3. The Procfs Interface
    4. The Socketcand Daemon
    5. Kayak
    6. Summary
    1. Diagnostic Trouble Codes
      1. DTC Format
      2. Reading DTCs with Scan Tools
      3. Erasing DTCs
    2. Unified Diagnostic Services
      1. Sending Data with ISO-TP and CAN
      2. Understanding Modes and PIDs
      3. Brute-Forcing Diagnostic Modes
      4. Keeping a Vehicle in a Diagnostic State
    3. Event Data Recorder Logging
      1. Reading Data from the EDR
      2. The SAE J1698 Standard
      3. Other Data Retrieval Practices
    4. Automated Crash Notification Systems
    5. Malicious Intent
    6. Summary
    1. Locating the CAN Bus
    2. Reversing CAN Bus Communications with can-utils and Wireshark
      1. Using Wireshark
      2. Using candump
      3. Grouping Streamed Data from the CAN Bus
      4. Using Record and Playback
      5. Creative Packet Analysis
      6. Getting the Tachometer Reading
    3. Creating Background Noise with the Instrument Cluster Simulator
      1. Setting Up the ICSim
      2. Reading CAN Bus Traffic on the ICSim
      3. Changing the Difficulty of ICSim
    4. Reversing the CAN Bus with OpenXC
      1. Translating CAN Bus Messages
      2. Writing to the CAN Bus
      3. Hacking OpenXC
    5. Fuzzing the CAN Bus
    6. Troubleshooting When Things Go Wrong
    7. Summary
    1. Front Door Attacks
      1. J2534: The Standardized Vehicle Communication API
      2. Using J2534 Tools
      3. KWP2000 and Other Earlier Protocols
      4. Capitalizing on Front Door Approaches: Seed-Key Algorithms
    2. Backdoor Attacks
    3. Exploits
    4. Reversing Automotive Firmware
      1. Self-Diagnostic System
      2. Library Procedures
      3. Comparing Bytes to Identify Parameters
      4. Identifying ROM Data with WinOLS
    5. Code Analysis
      1. A Plain Disassembler at Work
      2. Interactive Disassemblers
    6. Summary
    1. The Basic ECU Test Bench
      1. Finding an ECU
      2. Dissecting the ECU Wiring
      3. Wiring Things Up
    2. Building a More Advanced Test Bench
      1. Simulating Sensor Signals
      2. Hall Effect Sensors
    3. Simulating Vehicle Speed
    4. Summary
    1. Analyzing Circuit Boards
      1. Identifying Model Numbers
      2. Dissecting and Identifying a Chip
    2. Debugging Hardware with JTAG and Serial Wire Debug
      1. JTAG
      2. Serial Wire Debug
      3. The Advanced User Debugger
      4. Nexus
    3. Side-Channel Analysis with the ChipWhisperer
      1. Installing the Software
      2. Prepping the Victim Board
    4. Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks
      1. Prepping Your Test with AVRDUDESS
      2. Setting Up the ChipWhisperer for Serial Communications
      3. Setting a Custom Password
      4. Resetting the AVR
      5. Setting Up the ChipWhisperer ADC
      6. Monitoring Power Usage on Password Entry
      7. Scripting the ChipWhisperer with Python
    5. Fault Injection
      1. Clock Glitching
      2. Setting a Trigger Line
      3. Power Glitching
      4. Invasive Fault Injection
    6. Summary
    1. Attack Surfaces
    2. Attacking Through the Update System
      1. Identifying Your System
      2. Determining the Update File Type
      3. Modifying the System
      4. Apps and Plugins
      5. Identifying Vulnerabilities
    3. Attacking the IVI Hardware
      1. Dissecting the IVI Unit’s Connections
      2. Disassembling the IVI Unit
    4. Infotainment Test Benches
      1. GENIVI Meta-IVI
      2. Automotive Grade Linux
    5. Acquiring an OEM IVI for Testing
    6. Summary
    1. Methods of V2V Communication
    2. The DSRC Protocol
      1. Features and Uses
      2. Roadside DSRC Systems
      3. WAVE Standard
      4. Tracking Vehicles with DSRC
    3. Security Concerns
    4. PKI-Based Security Measures
      1. Vehicle Certificates
      2. Anonymous Certificates
      3. Certificate Provisioning
      4. Updating the Certificate Revocation List
      5. Misbehavior Reports
    5. Summary
    1. Writing the Exploit in C
      1. Converting to Assembly Code
      2. Converting Assembly to Shellcode
      3. Removing NULLs
      4. Creating a Metasploit Payload
    2. Determining Your Target Make
      1. Interactive Probing
      2. Passive CAN Bus Fingerprinting
    3. Responsible Exploitation
    4. Summary
    1. Wireless Systems and SDR
      1. Signal Modulation
    2. Hacking with TPMS
      1. Eavesdropping with a Radio Receiver
      2. TPMS Packets
      3. Activating a Signal
      4. Tracking a Vehicle
      5. Event Triggering
      6. Sending Forged Packets
    3. Attacking Key Fobs and Immobilizers
      1. Key Fob Hacks
      2. Attacking a PKES System
      3. Immobilizer Cryptography
      4. Physical Attacks on the Immobilizer System
      5. Flashback: Hotwiring
    4. Summary
    1. Performance Tuning Trade-Offs
    2. ECU Tuning
      1. Chip Tuning
      2. Flash Tuning
    3. Stand-Alone Engine Management
    4. Summary
    1. Hardware
      1. Lower-End CAN Devices
      2. Higher-End CAN Devices
    2. Software
      1. Wireshark
      2. PyOBD Module
      3. Linux Tools
      4. CANiBUS Server
      5. Kayak
      6. SavvyCAN
      7. O2OO Data Logger
      8. Caring Caribou
      9. c0f Fingerprinting Tool
      10. UDSim ECU Simulator
      11. Octane CAN Bus Sniffer
      12. AVRDUDESS GUI
      13. RomRaider ECU Tuner
      14. Komodo CAN Bus Sniffer
      15. Vehicle Spy
    1. Modes Above 0x10
    2. Useful PIDs
    1. Filling Out the Character Sheet
      1. When to Meet
      2. Affiliations and Private Memberships
      3. Defining Your Meeting Space
      4. Contact Information
      5. Initial Managing Officers
      6. Equipment