by spaceywilly 1457 days ago
This makes me realize how easy it would be to hack a car like this. All you would need to do is sneak into the car and plug in a low profile OBD reader-like device with a cellular modem, and you could send these messages from anywhere.

Just with the information in these articles we now know how to spoof the shifter mechanism; I'm sure similar processes could be used to determine steering and throttle controls. All these Hollywood plot lines and conspiracy theories suddenly don't seem so far-fetched.


This was true in the mid 2000s, but isn't true on most modern cars. Most modern cars have a Gateway module which sits between the OBD port and the Powertrain CAN busses which the OP is reverse engineering.

These Gateway modules only allow specific diagnostics-related messages through to the various backing buses.

Now, generally the security on the Gateway module itself isn't great, and diagnostic protocols also aren't very well secured, so there's certainly havoc to wreak. But it's not as simple as "plug in a dongle and send commands" - to do what OP is doing, you need to tap into a wiring harness that's usually buried a bit higher up in the dashboard, at least :)

Usually either the Gateway or the control module itself will disallow sensitive UDS commands like the Hard Reset from the article, as well as adaptation / basic settings and output testing commands which are not safe given the current parameters, as well - for example, I doubt you could send UDS Hard Reset to the gear selector module while the car is moving.
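The comment above describes a gateway that passes only whitelisted diagnostic services and refuses unsafe UDS requests such as ECU Hard Reset while the vehicle is moving. The following is an added illustration of that policy as a small ISO-TP/UDS filter, not code from any OEM or from the article; the whitelist, the speed gate and the "unlocked" flag (standing in for a completed SecurityAccess exchange) are assumptions, and real gateways use more elaborate rules.

```python
"""Model of an OBD-port gateway policy (added example, not OEM code).
Assumption: only emissions/read-only diagnostics are forwarded freely;
reset, write and output-test services need standstill plus security access."""

# OBD-II modes (SAE J1979) the port must expose for emissions/shop work
OBD_EMISSIONS_MODES = {0x01, 0x03, 0x04, 0x07, 0x09}
# UDS services (ISO 14229) treated as harmless to forward
UDS_ALWAYS_FORWARDED = {0x10, 0x19, 0x22, 0x27, 0x3E}
UDS_ECU_RESET = 0x11                    # the "Hard Reset" from the article
UDS_WRITE_DID, UDS_IO_CONTROL, UDS_ROUTINE = 0x2E, 0x2F, 0x31

NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_CONDITIONS_NOT_CORRECT = 0x22       # e.g. vehicle not stationary
NRC_SECURITY_ACCESS_DENIED = 0x33


def parse_single_frame(payload: bytes) -> tuple[int, bytes]:
    """ISO-TP single frame: PCI high nibble 0, low nibble = data length."""
    if not payload or payload[0] >> 4 != 0:
        raise ValueError("only ISO-TP single frames are modelled")
    length = payload[0] & 0x0F
    data = payload[1:1 + length]
    if len(data) != length or length == 0:
        raise ValueError("truncated or empty frame")
    return data[0], data[1:]            # service id, remaining bytes


def gateway_decide(payload: bytes, speed_kph: float, unlocked: bool) -> tuple[str, bytes]:
    """Return ("forward", payload) or ("drop", negative_response_frame)."""
    sid, _args = parse_single_frame(payload)

    def reject(nrc: int) -> tuple[str, bytes]:
        # Negative response as an ISO-TP single frame: len, 0x7F, SID, NRC
        return ("drop", bytes([0x03, 0x7F, sid, nrc]))

    if sid in OBD_EMISSIONS_MODES or sid in UDS_ALWAYS_FORWARDED:
        return ("forward", payload)
    if sid in (UDS_ECU_RESET, UDS_WRITE_DID, UDS_IO_CONTROL, UDS_ROUTINE):
        if speed_kph > 0:               # never while the car is moving
            return reject(NRC_CONDITIONS_NOT_CORRECT)
        if not unlocked:                # requires prior SecurityAccess
            return reject(NRC_SECURITY_ACCESS_DENIED)
        return ("forward", payload)
    return reject(NRC_SERVICE_NOT_SUPPORTED)


if __name__ == "__main__":
    # Constructed frames: ECUReset hardReset at 80 km/h vs. OBD mode 01 PID 0C
    print(gateway_decide(bytes([0x02, 0x11, 0x01]), 80.0, False))
    print(gateway_decide(bytes([0x02, 0x01, 0x0C]), 80.0, False))
```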

I do consulting for one OEM and all of their new vehicles over the past couple of years use encrypted bus traffic. So, it is getting much harder for third party tools to communicate with anything that is not mandated by law (most things other than DTCs and Emissions related APIs).

The sole purpose is security. Trust me, the engineers don't want to introduce any more complexity than necessary, and that's why it has been so open for so long. But, in light of hackers exposing these security vulnerabilities, there is pressure to close them. I'm sure there will be conspiracy theories about making it harder to repair cars so you have to go to the dealer. But, that's also not true -- because of Massachusetts' right to repair laws, OEM tools are available to anyone (or any shop) that wants to pay for them (in and out of MA).

> because of Massachusetts' right to repair laws, OEM tools are available to anyone (or any shop) that wants to pay for them (in and out of MA).

At a price that's meaningless to a hobbyist and steep for an independent shop, sure.

Also, the actual implementation of these rules has been stalled for years by Alliance for Automotive Innovation v. Healy.

Point me to where I can legally, in a "clean" way, download ODIS for VW, or INPA for BMW, or DAS for Mercedes, at a reasonable price for a hobbyist.

IMO the only reason that manufacturers aren't under even more pressure is that these tools are so widely pirated.

> At a price that's meaningless to a hobbyist and steep for an independent shop, sure.

I agree, they're pricey for hobbyists, and I can't speak for all but the I work with is well priced for independent shops. This is not exclusive to automotive though, professional tools in most industries are not priced for hobbyists -- it's easy to lose money on enterprise software if it's priced for hobbyists.

> Also, the actual implementation of these rules has been stalled for years by Alliance for Automotive Innovation v. Healy.

You're thinking about the newer "expanded rights" law. I'm talking about the original 2012 law that the newer law is trying to expand upon:

https://en.wikipedia.org/wiki/2012_Massachusetts_Question_1

What you can do instead, is slip under the car and splice into the wire harness that is running under the car to the transmission or differential.

The transmission controller and differential speed sensor (or even differential controller on some cars) will be post gateway on the CAN bus.

I've done this on GM vehicles to spoof different vehicle behaviors while evaluating traction control systems.

This is wrong on more than a few levels.

First off, you learned how to send messages to a gear indicator (after it's been ripped out of the car)

That's not the same as being able to spoof messages from the gear indicator to other components in a real vehicle, and then getting them to affect the transmission.

Realistically even if you could somehow send the transmission an instruction to shift in a way that would cause an issue (like telling the transmission to go in Park at highway speeds), there are multiple layers that would stop you in your tracks. At the lowest level the ZF8 most of these GWS shifters came with would never follow that instruction to start with.

-

I hate fear mongering around vehicle security because it leads to things like Mazda locking down their infotainment Linux box because news reports saying "Mazdas can be easily hacked", when the component in question had no tie in at all to anything safety critical.

The reality is physical access to the car is game over. I feel like your comment is intentionally worded to retort "oh well you just need quick access to the inside, vs getting under to cut the brake lines", but if you stick some random custom OBD II device with remote C&C you're making a much larger target for attention.

People are stealing entire catalytic converters off cars with noisy angle grinders, getting more intimate access to a vehicle is really not that hard.

Usually there is a whitelisted set of messages available through the OBD port; it doesn't give you unfettered access to the CAN bus.

Enough for https://comma.ai/ to work, so it can't be that restricted?

Edit: thanks to responders, I misremembered how it worked.

Comma.ai plugs into the vehicle's "backing" CAN busses (Powertrain, Sensors, infotainment, etc.) behind the Gateway, not the OBD port. This requires the removal of at least a few trim pieces and connectors. For example, the Giraffe module taps in at the high-mounted camera module on many cars, requiring the removal of ceiling trim and the installation of a custom connector / tap onto the CAN bus.

Look at the installation procedure for that device. It requires removing the rearview mirror and plugging the device into the existing camera's wiring harness. It's not controlling anything via the OBD-C port.

> All you would need to do is sneak into the car and plug in a low profile OBD reader-like device with a cellular modem, and you could send these messages from anywhere.

As the article states, modern cars employ CAN-bus gateways that act as data brokers. The OBD port usually only gets access to the buses that are relevant for emissions certifications and ordinary shop work and that's it.

The movement to separate and gated CAN buses started with people manipulating their engine controllers, initial exploits targeting the radio and then the avalanche of thieves using OBD to disable alarms and reprogram keys.

If you wanted to kill someone, car bombs are even easier.

I'm not sure for what purpose anyone would do that. Tracking? Assassination? Stealing? There are simpler and more effective methods for any of that.