Cipher Book Review, Issue E131

The Car Hacker's Handbook: A Guide for the Penetration Tester
by Craig Smith

No Starch Press 2016.
ISBN 978-1-59327-703

Reviewed by Richard Austin, 3/17/2016

A penetration test on your car? Have we really gotten to the point where even our cars have networks, multiple computers, panoplies of sensors and, of course, software to make them all work together? Smith assures us that we have and then proceeds to walk us through a solid introduction to this bizarre world and how things in it can be made to misbehave.

Smith opens the book with a welcome chapter on threat models, which orients the reader for the material that follows and shows how security professionals might apply it. Far too many books of this type open with a frantic rush to get to the tools and leave the reader to contextualize and position the material as best they can; the usual result is a vague impression of a long list of tools and commands that all do something, but no real idea of how they fit together into a whole.

The next three chapters introduce the important protocols, how communication within the vehicle is done, and an introduction to the diagnostic and logging data maintained by the vehicle (if you've ever had a "Check Engine" light illuminate, you've seen the "user mode" interface to this data). Chapter 5, "Reverse Engineering the CAN Bus", reflects the important point that these are proprietary systems and manufacturers have little incentive to disclose their details. This leaves the security professional with the task of capturing traffic, decoding it to form theories about what is actually going on, and then applying those theories to verify that they are somewhere close to correct. Smith demonstrates use of the tools with screenshots and sample commands to get you started. He thoughtfully provides a troubleshooting guide for when you accidentally put the vehicle into a state where it no longer works correctly.
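The "capture, form a theory, verify" loop described above is easier to appreciate with a concrete piece of analysis. The following is an added example written for this review, not code from the book; it assumes the log format produced by the can-utils `candump -l` tool ("(timestamp) interface ID#HEXDATA") and uses constructed sample captures rather than traffic from any real vehicle. It compares a baseline capture against one taken while some action was performed and reports which arbitration IDs and byte positions carry values never seen in the baseline. The same comparison is the basis of a defensive baseline: once the normal set of IDs and payload ranges is known, unexpected IDs or out-of-range bytes on the bus stand out.

```python
import re
from collections import defaultdict

# candump -l style line: "(timestamp) interface ID#HEXDATA" (assumed can-utils log format)
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(lines):
    """Return a list of (timestamp, arbitration_id, payload_bytes), skipping malformed lines."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a frame line (comment, noise, truncated record)
        data = m.group("data")
        if len(data) % 2:
            continue  # odd number of hex digits cannot be a byte string
        frames.append((float(m.group("ts")), int(m.group("id"), 16), bytes.fromhex(data)))
    return frames


def byte_values_by_id(frames):
    """Map arbitration ID -> byte position -> set of values observed at that position."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, arb_id, payload in frames:
        for pos, value in enumerate(payload):
            seen[arb_id][pos].add(value)
    return seen


def find_changed_bytes(baseline_lines, action_lines):
    """IDs and byte positions whose values during the action were never observed in the baseline.

    An ID absent from the baseline is reported with every byte position it carries.
    """
    base = byte_values_by_id(parse_candump(baseline_lines))
    act = byte_values_by_id(parse_candump(action_lines))
    changed = {}
    for arb_id, positions in act.items():
        base_positions = base.get(arb_id, {})
        new_positions = [
            pos for pos, vals in positions.items()
            if not vals <= base_positions.get(pos, set())
        ]
        if new_positions:
            changed[arb_id] = sorted(new_positions)
    return changed


def format_report(changed):
    """Human-readable summary, one line per candidate ID."""
    return "\n".join(
        f"ID 0x{arb_id:03X}: candidate byte position(s) {positions}"
        for arb_id, positions in sorted(changed.items())
    )


# Constructed sample captures (not real vehicle traffic).
BASELINE = [
    "(1458178200.000100) can0 1A3#00120000",
    "(1458178200.010100) can0 2B0#FF",
    "(1458178200.020100) can0 1A3#00120000",
    "(1458178200.030100) can0 3C1#0A0B0C0D0E0F",
]
ACTION = [
    "(1458178210.000100) can0 1A3#00120000",
    "(1458178210.010100) can0 2B0#FF",
    "(1458178210.020100) can0 1A3#00120100",  # byte 2 moved from 00 to 01
    "(1458178210.030100) can0 3C1#0A0B0C0D0E0F",
    "(1458178210.040100) can0 4D2#01",  # ID never seen in the baseline
    "garbage line that is not a frame",
]

if __name__ == "__main__":
    print(format_report(find_changed_bytes(BASELINE, ACTION)))
```

The theory that comes out of this (for the constructed data: "byte 2 of 0x1A3 and the new ID 0x4D2 are tied to the action") is only a hypothesis; repeating the action with a fresh capture and checking that the same positions change is the verification step the chapter describes. A longer baseline also shrinks the false-positive list, since counters and sensor readings vary on their own.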

The next chapter, "ECU Hacking", describes how to interact with a vehicle's ECUs (Electronic Control Units) in three ways: front-door attacks using the manufacturer's access mechanisms; backdoor attacks using the more or less traditional hardware analysis techniques (dumping and disassembling firmware, etc.); and exploits where you discover unintentional access methods.

Chapter 7, "Building and Using ECU Test Benches", describes how to "run" an ECU outside the vehicle so you can interact with it in isolation from the rest of the vehicle. Smith also covers the important topic of how to simulate the sensor signals the ECU is expecting to process. Working with the ECU outside the vehicle reduces the noise introduced by other units and also reduces the consequences of an "Oops!".

The next chapter, "Attacking ECUs and Other Embedded Systems", gets to the meat of the matter in interacting with these devices. This is an excellent chapter that introduces a plethora of tools and hardware accessories in a single place without having to scour multiple websites and online forums. Some of the techniques (e.g., JTAG) will be familiar if you've done hardware debugging, but Smith's additional discussion of how these tools can be used to change the desired operation of embedded systems in ways an adversary might desire is both eye-opening and invaluable.

Chapter 9, "In-Vehicle Infotainment Systems", extends the discussion to that nice touchscreen found in many vehicles that is the interface to multiple applications such as navigation and climate control.

The next chapter, "Vehicle-to-Vehicle Communication", provides an introduction to one of the more frightening possibilities in vehicle systems: cross-communication. Though it might be useful for a truck loaded with dynamite to notify vehicles in its vicinity that it's transporting hazardous material, the potential mischief of false notifications or suppressed notifications is obvious. This is a developing technology and could well use input from the security profession.

Chapter 11, "Weaponizing CAN Findings", describes how to "take an exploit and make it easy to use" (p. 193). Smith lucidly demonstrates how to take an exploit (found during your research using the techniques described in the earlier chapters) and package it as a Metasploit payload (it doesn't get much easier to use than this).

The next chapter, "Attacking Wireless Systems with SDR", describes how to use inexpensive Software Defined Radio (SDR) equipment to interact with vehicle systems that use wireless technology. While wide-coverage radio transceivers may cost several thousand dollars, an SDR typically costs less than $500 (SDR receivers can be found as cheaply as $30). The systems used as examples are the TPMS (Tire Pressure Monitoring System) and key fobs (more interesting because they use cryptography). Smith begins with a discussion of modulation, how information is imposed onto a radio signal, and moves on to receiving the signals and interpreting them. Once you know the frequency, the modulation and the format of the information itself, you are in a position to generate your own signals to trigger the desired action.

Chapter 13, "Performance Tuning", describes a well-developed application for modifying the operating parameters of vehicle systems to improve performance. This is a masterful demonstration that these are not abstract possibilities but, at least in their more benign applications, already well developed.

Our world is rapidly being filled with things that are computers and communication networks but don't look like them. And, like any other complex system, they expose vulnerabilities that can be exploited by a malicious adversary. The consequences of suddenly killing the engines of several vehicles surrounding a truck carrying hazardous materials on a busy interstate highway are horrifying to contemplate.

Smith has done a marvelous job of providing a practical introduction to the world of vehicle systems and the tools used to interact with them for both benign and malicious purposes. The challenge for the security profession is to engage with the engineers designing these systems to build understanding of the security implications of design and implementation decisions. With Smith's introduction under our belt, we will be much better prepared to speak their language. Definitely a recommended read.


It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org