The Car Hacker's Handbook: A Guide for the Penetration Tester

Posted on by Ben Rothke

The history of technology is replete with instances of security researchers finding a flaw in a product. The vendors then discount the issue and mock the findings; saying it’s only a theoretical vulnerability. They may even resort to suing the researchers. When the vulnerability becomes widespread, these vendors then run to patch their insecure product.

We are in that situation now with vulnerabilities around automobile systems. While researchers have been sued and their findings removed from public view, it’s only a matter of time until there will be widespread hacks against car systems.

In the just released The Car Hacker's Handbook: A Guide for the Penetration Tester, (No Starch Press 978-1593277031), author Craig Smith has written a fascinating book about how connected cars work, and how they can be hacked. The book provides a substantial amount of information about the applications and embedded software that runs the vehicle.

  If conference titles are any sort of indicator of the importance of an issue, the recent 2016 RSA Security conference shows the importance of automobile security. The following presentations around auto security were given:
  • Collision Investigator: Aftermath of the Auto Hacks (given by author Craig Smith)
  • Braking the Connected Car: The Future of Vehicle Vulnerabilities
  • Do We Need Cyber-Ratings for the Auto Industry?
  • Automobiles are Getting Hacked: What’s Next for Transportation Security?

Adding to the issue is that last week the FBI issued a public service announcement that motor vehicles are increasingly vulnerable to remote exploits. Last week also saw a Tesla Model S hacking keynote during the CeBIT conference.

This is a truly fascinating book showing how connected cars are vulnerable due to poorly written software. As new cars are highly computerized; the underlying security is only as good as it is designed and implemented. Based on that, Smith shows how we are far from that state of secure design and implementation. As detailed in the book, some cars can be hacked with ease. In chapter 9, Smith notes that it is often easy to modify the software as the vendors provide no defense against an attack.

Smith writes that early car systems often had proprietary software systems that made hacking harder. With many manufactures moving to open systems due to cost savings; many of the initial challenges have been obviated. Newer cars now use Ethernet, VoIP and other open standards and protocols.

At the end of the day, anything with connectivity and software can be hacked. Cars have a lot of software and each year with added functionality and more lines of code, the risks increase.

While the book focuses on new cars, older cars can still be network via aftermarket additions. So it’s not so farfetched that an Edsel could be hacked.

The book is an outgrowth of Car Hacker's Handbook from the Open Garages project, of which Smith is the founder. Open Garages are Vehicle Research Labs (VRL) centered around understanding the increasingly complex vehicle systems and provides public access, documentation and tools necessary to understand today's modern vehicle systems.

The book provides the reader with a detailed overview of the computer systems and embedded software ubiquitous in today’s new cars. Smith details that vehicles have numerous entry points where a hack can occur. From the CAN, infotainment system, engine control unit (ECU) and more.

Smith knows the topic eminently well and the book is a fascinating read. This is a highly technical book. Those with coding experience will find the most value in the book.

In Chapter 1, Smith provides a good overview of the many threats that cars face. He writes of the importance of threat modeling when attempting to design a secure car system. A good reference he does not mention which lends itself quite well to the topic is the definitive guide on the topic, Adam Shostack’s Threat Modeling: Designing for Security.

The early chapters provide a significant amount of technical information around the controller area network (CAN) bus. This is a message-based protocol vehicle bus standard, designed to allow microcontrollers and devices to communicate with each other in applications without a host computer.

Smith provides a number of ways that one can review engineer the CAN bus and send fake signals to the systems or engine. While not trivial, these do take programming expertise. But nonetheless, there are far from theoretical.

As history repeats itself, most of the auto manufacturers are focusing more on usability than security. When alerted to the security issues, they will often reply with a generic response that they take security seriously and are continually working to improve the security of their vehicles, including their proprietary vehicle software, as they develop and incorporate even more advanced electronic features into their vehicles. Within that doublespeak is often denial of the bigger pictures. That is the scenario that book addresses.

50 years ago, Ralph Nader wrote Unsafe at Any Speed: The Designed-In Dangers of the American Automobile showing how car manufacturers didn’t put in safety features that were available at the time, and were quite resistant to spending money on improving safety.

Today the situation is the same when it comes to car software. Nader’s book was a wakeup call and it’s hoped that The Car Hacker's Handbook: A Guide for the Penetration Tester will do that same. For those that want to understand what goes on under the hood of the car from a software perspective, this is a most worthwhile read.

Ben Rothke

Senior Information Security Manager, Tapad

hackers & threats security awareness

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community