Over the last decades, various cyber-attacks related to the automotive industry have been reported, and because the automotive industry is a very broad concept, the number of attack vectors against it is large. For example, attacks on infrastructure-related systems have been reported, like the Colonial Pipeline ransomware attack, which had a disproportionate societal impact, affecting the automotive (and other) industries. Another example is when a mobile parking app was hacked, which had less societal impact but was not so pleasant for the individuals involved. Further, attacks aimed directly at the vehicle are no news to most of us and have frequently been reported too, for example manipulating a vehicle by attacking its CAN-bus.
The Controller Area Network (CAN-bus) is a standard in-vehicle network developed by Bosch in the 1980s, allowing the large number of electronic control units (ECUs) in a vehicle to communicate with each other’s applications without a host computer. Unfortunately, the CAN-bus does not support proper security mechanisms, which is a dangerous omission in the age of connected and self-driving cars. Attackers have shown that they can access the CAN network either directly through physical access to the bus, through the diagnostic port (OBD-II), or by first compromising another connected component such as the infotainment system, and have hence been able to inject malicious CAN frames into the bus and/or disrupt delivery of legitimate vital CAN frames, affecting the vehicle. One notable example is the work of Koscher et al., who in 2010 demonstrated a number of attacks that exploited this weakness. The attacks included spoofing attacks to impersonate selected ECUs and manipulate certain vehicle functions such as lights, degrading vehicle functionality via undocumented commands, and denial of service by flooding the bus. In 2013 the mavericks Miller and Valasek compromised the CAN-bus of a vehicle and manipulated the brakes of the vehicle. The attack was achieved through a computer connected by cable to the OBD-II port [1], [2]. Later, in 2015, Miller and Valasek demonstrated how they remotely sent CAN packets to a Jeep Cherokee, disabled the vehicle’s braking system and turned off the vehicle while it was driving on the highway [3]. Based on all this, Lokman et al. [4] concluded that “…most modern automobile systems have been designed with safety, and not security in mind…”.
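Because injected or flooded frames arrive on top of the legitimate periodic traffic, one defensive check is to watch per-ID frame timing. The sketch below is an added example, not code from the original post; it assumes candump-style log lines, and the CAN IDs, periods and the 0.5 ratio threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# candump log format: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#")

def parse(lines):
    """Return (timestamp, can_id) tuples for every well-formed log line."""
    hits = (LINE.match(l.strip()) for l in lines)
    return [(float(m.group(1)), int(m.group(2), 16)) for m in hits if m]

def learn_periods(frames):
    """Median inter-arrival time per CAN ID, from traffic assumed to be clean."""
    last, gaps = {}, defaultdict(list)
    for ts, cid in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect(frames, periods, ratio=0.5):
    """Flag IDs never seen in the baseline and frames arriving much too early."""
    last, alerts = {}, []
    for ts, cid in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown-id"))
        elif cid in last and ts - last[cid] < ratio * periods[cid]:
            alerts.append((ts, cid, "too-fast"))
        last[cid] = ts
    return alerts

def make_log(start, n, period, can_id):
    """Constructed sample data: n periodic frames for one ID."""
    return [f"({start + i * period:.6f}) can0 {can_id:03X}#00" for i in range(n)]

# Constructed baseline: 0x0C0 every 10 ms, 0x1A4 every 100 ms.
BASELINE = sorted(make_log(100.0, 50, 0.010, 0x0C0) + make_log(100.0, 5, 0.100, 0x1A4))
# Constructed capture: normal 0x0C0 traffic plus three extra 0x0C0 frames and one unseen ID.
TRAFFIC = sorted(make_log(200.0, 20, 0.010, 0x0C0) + [
    "(200.052000) can0 0C0#FF", "(200.062000) can0 0C0#FF",
    "(200.072000) can0 0C0#FF", "(200.100000) can0 123#00"])

ALERTS = detect(parse(TRAFFIC), learn_periods(parse(BASELINE)))
for ts, cid, reason in ALERTS:
    print(f"{ts:.3f} id=0x{cid:03X} {reason}")
```

Timing alone does not catch frames sent at the normal rate, so a check like this complements rather than replaces message authentication on the bus.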
So how hard is it then to perform cyberattacks directed at the automotive industry? Well, some of them might be more complicated and comprehensive than others, but for sure: everything is easy when you know it. Why not give it a try yourself? Here is a tutorial posted by an Indian hacker, Suman Mondal. The guide will show you how to unlock, start, and control vehicles. It includes a simulator too, with a tutorial and explanations on how a simulation environment can be set up so that you can use some of this knowledge to analyze and hack a simulated vehicle. Good luck!
Address of the tutorial: www.onlinehacking.xyz/ (As always, stay alert and be cautious about what you download. After all, the website is run by a hacker whose hat color is not clear.)
[2] A. Greenberg, “Hackers Reveal Nasty New Car Attacks-With Me Behind The Wheel (Video),” Forbes, 2013, [Online]. Available: https://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/?sh=680598eb228c.
[3] A. Greenberg, “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse,” Wired, 2016. https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/.
[4] S.F. Lokman, A. T. Othman, and M.-H. Abu-Bakar, “Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review,” EURASIP J. Wirel. Commun. Netw., vol. 2019, no. 1, p. 184, 2019, doi: 10.1186/s13638-019-1484-3.
Written by Joakim Rosell