The Car Hacker's Handbook

Book Description

The Car Hacker's Handbook shows how to identify vulnerabilities in modern automotive vehicles.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Contributing Author
  6. About the Technical Reviewer
  7. Brief Contents
  8. Contents in Detail
  9. Foreword by Chris Evans
  10. Acknowledgments
  11. Introduction
    1. Why Car Hacking Is Good for All of Us
    2. What’s in This Book
  12. Chapter 1: Understanding Threat Models
    1. Finding Attack Surfaces
    2. Threat Modeling
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    3. Threat Identification
      1. Level 0: Bird’s-Eye View
      2. Level 1: Receivers
      3. Level 2: Receiver Breakdown
    4. Threat Rating Systems
      1. The DREAD Rating System
      2. CVSS: An Alternative to DREAD
    5. Working with Threat Model Results
    6. Summary
  13. Chapter 2: Bus Protocols
    1. The CAN Bus
      1. The OBD-II Connector
      2. Finding CAN Connections
      3. CAN Bus Packet Layout
      4. The ISO-TP Protocol
      5. The CANopen Protocol
      6. The GMLAN Bus
    2. The SAE J1850 Protocol
      1. The PWM Protocol
      2. The VPW Protocol
    3. The Keyword Protocol and ISO 9141-2
    4. The Local Interconnect Network Protocol
    5. The MOST Protocol
      1. MOST Network Layers
      2. MOST Control Blocks
      3. Hacking MOST
    6. The FlexRay Bus
      1. Hardware
      2. Network Topology
      3. Implementation
      4. FlexRay Cycles
      5. Packet Layout
      6. Sniffing a FlexRay Network
    7. Automotive Ethernet
    8. OBD-II Connector Pinout Maps
    9. The OBD-III Standard
    10. Summary
  14. Chapter 3: Vehicle Communication with SocketCAN
    1. Setting Up can-utils to Connect to CAN Devices
      1. Installing can-utils
      2. Configuring Built-In Chipsets
      3. Configuring Serial CAN Devices
      4. Setting Up a Virtual CAN Network
    2. The CAN Utilities Suite
      1. Installing Additional Kernel Modules
      2. The can-isotp.ko Module
    3. Coding SocketCAN Applications
      1. Connecting to the CAN Socket
      2. Setting Up the CAN Frame
      3. The Procfs Interface
    4. The Socketcand Daemon
    5. Kayak
    6. Summary
  15. Chapter 4: Diagnostics and Logging
    1. Diagnostic Trouble Codes
      1. DTC Format
      2. Reading DTCs with Scan Tools
      3. Erasing DTCs
    2. Unified Diagnostic Services
      1. Sending Data with ISO-TP and CAN
      2. Understanding Modes and PIDs
      3. Brute-Forcing Diagnostic Modes
      4. Keeping a Vehicle in a Diagnostic State
    3. Event Data Recorder Logging
      1. Reading Data from the EDR
      2. The SAE J1698 Standard
      3. Other Data Retrieval Practices
    4. Automated Crash Notification Systems
    5. Malicious Intent
    6. Summary
  16. Chapter 5: Reverse Engineering the CAN Bus
    1. Locating the CAN Bus
    2. Reversing CAN Bus Communications with can-utils and Wireshark
      1. Using Wireshark
      2. Using candump
      3. Grouping Streamed Data from the CAN Bus
      4. Using Record and Playback
      5. Creative Packet Analysis
      6. Getting the Tachometer Reading
    3. Creating Background Noise with the Instrument Cluster Simulator
      1. Setting Up the ICSim
      2. Reading CAN Bus Traffic on the ICSim
      3. Changing the Difficulty of ICSim
    4. Reversing the CAN Bus with OpenXC
      1. Translating CAN Bus Messages
      2. Writing to the CAN Bus
      3. Hacking OpenXC
    5. Fuzzing the CAN Bus
    6. Troubleshooting When Things Go Wrong
    7. Summary
  17. Chapter 6: ECU Hacking
    1. Front Door Attacks
      1. J2534: The Standardized Vehicle Communication API
      2. Using J2534 Tools
      3. KWP2000 and Other Earlier Protocols
      4. Capitalizing on Front Door Approaches: Seed-Key Algorithms
    2. Backdoor Attacks
    3. Exploits
    4. Reversing Automotive Firmware
      1. Self-Diagnostic System
      2. Library Procedures
      3. Comparing Bytes to Identify Parameters
      4. Identifying ROM Data with WinOLS
    5. Code Analysis
      1. A Plain Disassembler at Work
      2. Interactive Disassemblers
    6. Summary
  18. Chapter 7: Building and Using ECU Test Benches
    1. The Basic ECU Test Bench
      1. Finding an ECU
      2. Dissecting the ECU Wiring
      3. Wiring Things Up
    2. Building a More Advanced Test Bench
      1. Simulating Sensor Signals
      2. Hall Effect Sensors
    3. Simulating Vehicle Speed
    4. Summary
  19. Chapter 8: Attacking ECUs and Other Embedded Systems
    1. Analyzing Circuit Boards
      1. Identifying Model Numbers
      2. Dissecting and Identifying a Chip
    2. Debugging Hardware with JTAG and Serial Wire Debug
      1. JTAG
      2. Serial Wire Debug
      3. The Advanced User Debugger
      4. Nexus
    3. Side-Channel Analysis with the ChipWhisperer
      1. Installing the Software
      2. Prepping the Victim Board
    4. Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks
      1. Prepping Your Test with AVRDUDESS
      2. Setting Up the ChipWhisperer for Serial Communications
      3. Setting a Custom Password
      4. Resetting the AVR
      5. Setting Up the ChipWhisperer ADC
      6. Monitoring Power Usage on Password Entry
      7. Scripting the ChipWhisperer with Python
    5. Fault Injection
      1. Clock Glitching
      2. Setting a Trigger Line
      3. Power Glitching
      4. Invasive Fault Injection
    6. Summary
  20. Chapter 9: In-Vehicle Infotainment Systems
    1. Attack Surfaces
    2. Attacking Through the Update System
      1. Identifying Your System
      2. Determining the Update File Type
      3. Modifying the System
      4. Apps and Plugins
      5. Identifying Vulnerabilities
    3. Attacking the IVI Hardware
      1. Dissecting the IVI Unit’s Connections
      2. Disassembling the IVI Unit
    4. Infotainment Test Benches
      1. GENIVI Meta-IVI
      2. Automotive Grade Linux
    5. Acquiring an OEM IVI for Testing
    6. Summary
  21. Chapter 10: Vehicle-to-Vehicle Communication
    1. Methods of V2V Communication
    2. The DSRC Protocol
      1. Features and Uses
      2. Roadside DSRC Systems
      3. WAVE Standard
      4. Tracking Vehicles with DSRC
    3. Security Concerns
    4. PKI-Based Security Measures
      1. Vehicle Certificates
      2. Anonymous Certificates
      3. Certificate Provisioning
      4. Updating the Certificate Revocation List
      5. Misbehavior Reports
    5. Summary
  22. Chapter 11: Weaponizing CAN Findings
    1. Writing the Exploit in C
      1. Converting to Assembly Code
      2. Converting Assembly to Shellcode
      3. Removing NULLs
      4. Creating a Metasploit Payload
    2. Determining Your Target Make
      1. Interactive Probing
      2. Passive CAN Bus Fingerprinting
    3. Responsible Exploitation
    4. Summary
  23. Chapter 12: Attacking Wireless Systems with SDR
    1. Wireless Systems and SDR
      1. Signal Modulation
    2. Hacking with TPMS
      1. Eavesdropping with a Radio Receiver
      2. TPMS Packets
      3. Activating a Signal
      4. Tracking a Vehicle
      5. Event Triggering
      6. Sending Forged Packets
    3. Attacking Key Fobs and Immobilizers
      1. Key Fob Hacks
      2. Attacking a PKES System
      3. Immobilizer Cryptography
      4. Physical Attacks on the Immobilizer System
      5. Flashback: Hotwiring
    4. Summary
  24. Chapter 13: Performance Tuning
    1. Performance Tuning Trade-Offs
    2. ECU Tuning
      1. Chip Tuning
      2. Flash Tuning
    3. Stand-Alone Engine Management
    4. Summary
  25. Appendix A: Tools of the Trade
    1. Hardware
      1. Lower-End CAN Devices
      2. Higher-End CAN Devices
    2. Software
      1. Wireshark
      2. PyOBD Module
      3. Linux Tools
      4. CANiBUS Server
      5. Kayak
      6. SavvyCAN
      7. O2OO Data Logger
      8. Caring Caribou
      9. c0f Fingerprinting Tool
      10. UDSim ECU Simulator
      11. Octane CAN Bus Sniffer
      12. AVRDUDESS GUI
      13. RomRaider ECU Tuner
      14. Komodo CAN Bus Sniffer
      15. Vehicle Spy
  26. Appendix B: Diagnostic Code Modes and PIDs
    1. Modes Above 0x10
    2. Useful PIDs
  27. Appendix C: Creating Your Own Open Garage
    1. Filling Out the Character Sheet
      1. When to Meet
      2. Affiliations and Private Memberships
      3. Defining Your Meeting Space
      4. Contact Information
      5. Initial Managing Officers
      6. Equipment
  28. Abbreviations
  29. Index
  30. Footnotes