To participate in the forum you must have a YML.COM account. For the time being, accounts on YML.COM are by invitation only. If you know me and would like to participate here, please contact me directly here.

There is now some basic documentation for the forum.

Subscribe to RSS Feed
General Forum -> Hacking the CAN bus on your car
Not logged in.
2013-07-25 07:33:26
1 of 14
a few articles have come out that it is possible to take over a cars CAN BUS.
most of these hacks had to have actual access to the car but now it is possible

this weekend in Las Vegas at the "blackhat" convention there will be a demo on this;

Comprehensive Experimental Analyses of Automotive Attack Surfaces -
Posted by: mothman
2013-07-26 09:37:04
2 of 14
in reply to #6476
The wireless access is through services like Onstar (at the moment). Many companies have realized the safety issues and are effectively firewalling - 2 CAN busses, one for engine control, the other for convenience/entertainment systems. Even then, entertainment systems are moving off CAN bus- because of the way CAN bus works, there isn't enough room on it to run all the data necessary for video/audio streams, and you can't prioritize messages- for example, you'll never see any sort of brake/throttle by wire over CAN.

Security is always a moving target.
Matt Bennett
Austin TX
Friend of YML since before the .com!
Posted by: Matt
2013-07-26 14:20:16
3 of 14
in reply to #6477
I'm correcting my last reply

they were able to get full control of the brakes & the throttle by using:
cellular such as Onstar or Sync
the CD player - physical
the OBDII port - physical

all of these they were able to get full control
over the CAN bus.

this is in the report:
Comprehensive Experimental Analyses of Automotive Attack Surfaces
Posted by: mothman
2013-07-26 14:50:59
4 of 14
in reply to #6478
I'm sure they messed with the brakes indirectly- CAN bus is a broadcast system- you don't have guaranteed delivery of a message- any company that does actual application of brakes or throttle via CAN bus is doomed to failure and loads of lawsuits.

There have been apocryphal stories of accessing the engine computer via TPM- nobody has actually done it. you're a heck of a lot more likely to mess up a car's computer by keying up a high power transmitter in the car in the next lane. Really, the data bandwidth that is available with TPM is miniscule- maybe you could crash the computer it is connected to, but control? Not going to happen- it is hard enough to get a few bytes/second of data through the types of radios that TPM use.
Matt Bennett
Austin TX
Friend of YML since before the .com!
Posted by: Matt
2013-07-26 22:34:28
5 of 14
in reply to #6476
With the title Hacking the CAN bus I thought there would be links like these:
Posted by: MikeS
2013-07-29 07:56:38
6 of 14
in reply to #6479

Adventures in Automotive Networks and Control Units

Thursday, August 1, 2013

Time 10:00am

Location: DEF CON 21

Session Title: Adventures in Automotive Networks and Control Units

Speakers: Chris Valasek, Director of Security Intelligence, IOActive &
Charlie Miller, Security Enginer, Twitter

if you know anything about IOActive these are some of the best hackers in the world
not a bunch of script kiddies...
Posted by: mothman
2013-07-29 08:14:16
7 of 14
in reply to #6481

"Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcherís point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an ODB-II connection to perform critical car functionality, such as braking and steering. Finally, weíll discuss aspects of reading and modifying the firmware of ECUs installed in todayís modern automobile."
Posted by: mothman
2013-07-29 09:12:56
8 of 14
in reply to #6481
Even at Defcon, the presentations are sensationalistic. *IF* you have a connection to the CAN bus, you can do nasty things to the system- but full control wirelessly... hasn't happened, and as the auto companies discover possibilities, they are working to prevent it.

In vehicles, like servers, if you don't have physical security, you don't have security. More recent vehicles have gone to two separate busses- keeping CAN for safety related, and to other busses like MOST for the others.

Technology constantly evolves. The reason we can get cars with 300 hp that can also get 30mpg while also lasting 100,000 miles is 100% because of computers. A laptop is a hacking tool in the same way a set of wrenches is a hacking tool- just a tool, for a different kind of hacker.

Over time the car companies did stuff that seem unwise today, but were perfectly reasonable when they did them- and yes, there are flaws. But I think we're a long, long time away from when a hacker with a laptop in the next lane is a more likely danger than a brick through the windshield.
Matt Bennett
Austin TX
Friend of YML since before the .com!
Posted by: Matt
2013-07-29 11:19:52
9 of 14
in reply to #6483
The Center for Automotive Embedded Systems Security


Comprehensive Experimental Analyses of Automotive Attack Surfaces


Experimental Security Analysis of a Modern Automobile

real interesting read since you keep saying it can't be done. they obviously found flaws in the architecture that should not allow this to be possible.
Posted by: mothman
2013-07-29 14:24:33
10 of 14
in reply to #6484
I didn't say it couldn't be done, I said that no-one is doing it, and that is particularly evident with wireless attacks.

If you have access to the CAN bus via a wired connection, you've pwned the car. But you've already gained physical access. Without physical security, there is no security. With physical security, it is pretty effing hard to pwn a car, and nobody has done it (yet). I don't consider taking down the ECU a pwn- that's just a simple DOS (denial of service) attack. But at a similar level, clipping the valve stems with a pair of dikes is quicker and probably a more effective DOS.
Matt Bennett
Austin TX
Friend of YML since before the .com!
Posted by: Matt
2013-07-29 22:20:08
11 of 14
in reply to #6485
Ah, the beauty of throttle cables and slave cylinders.
Posted by: 647
2013-07-31 08:00:44
12 of 14
in reply to #6485
"nobody has done this yet"

not the same but this was still a wireless attack.

Hacker Disables More Than 100 Cars Remotely

"Police with Austinís High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealershipís four Austin-area lots"
Posted by: mothman
2013-07-31 08:58:37
13 of 14
in reply to #6487
That's about as much a hack as you deciding to post links to generic viagra sites here. The guy had a password (which was given to him, his employer didn't revoke access when they fired him) to an online system and he fucked with some records.

And the cars were not bricked in any way- the horns started going off.

The companies that run those systems work to a far lower standard than any car company.

You still haven't convinced me- I maintain, nobody has done it yet. (and it didn't disable the cars or affect any sort of safety system)
Matt Bennett
Austin TX
Friend of YML since before the .com!
Posted by: Matt
2013-08-19 12:21:46
14 of 14
in reply to #6489
with Backhat Conference over this is the released report on "Adventures in Automotive Networks and Control Units"

this was also presented at DEF CON 21
Posted by: mothman