by titomc 3990 days ago
I worked for one of those car manufacturers on the telematics unit, doing things like putting specific frames on the CAN bus to make the car do remote operations like start/stop engine, and also reading values from ECUs for DTC codes. We used to teraterm into the unit with a serial cable & a trivial password. The security measure we had during that time was that "we do not give cables to customers so that they can't teraterm into the telematics unit." It might have changed now with the recent CAN bus hacks.

Ha, Harman tried that with a recent project of theirs that is in serial production now for a big carmaker. I identified the strange connector and asked for a free sample of it, from there it took me ten minutes to disable the firewall and enable SSH access from the ethernet.
I didn't want to give specifics of the hardware. Now that you know, yes, it's Harman with QNX on Chryslers. Now you need to figure out the remote execution codes to put on the CAN bus frames :). There is a catch though: without the original car keys, you can't move the car, or can you?

In other news, access to the terminal is now based on an "authentication key"; root access is not enough. For development purposes, Harman provides these keys and they expire after a certain period of time. I am not sure those "fixed" telematics models are out there on the market currently.

I attacked a Harman QNX device done for a different carmaker. When I got access to the serial console I was able to look deeper. I found a script to take down the firewall, and that a series of CAN bus messages will run the script to enable this debug or development mode (very easy with one of the carmaker's leaked engineering tools), so now we know how to break into the device without taking the car apart to gain access to the connector.

The box is really cool, it would be neat to develop our own applets, but mostly people are only interested in changing the splash screen. We found some really neat things about it too, for instance if a second device appears on the ethernet it can be a 'slave' to the first one and access its media.

We have seen demonstrations of the keyless cars from this automaker being started and driven without the actual RFID key device. Someone apparently used some hardware to brute-force the private key of the security controller so that the authorised RFID key information can be read and modified. This is apparently becoming a problem in Europe, where a car thief can simply drive east for a while and be out of reach of the law.

I do too; I was a lead on Ford SYNC, GM's Cadillac CUE, and a slew of other OEM ECU modules. First let me say that the book is dated. For example, there is now CAN-FD, but they only talk about CAN and Extended CAN in the book.

The attacks in the book are low-grade attacks just about anyone with a basic curiosity could probably pull off, like making up a cable. Ford SYNC, for example, required signed payloads.

Infotainment systems, generally speaking, are not even on the same CAN bus as the engine control unit.

The book spends an inordinate amount of its pages talking about stuff you can easily google and get much more detailed and more accurate information on, like LIN, OBD2, etc.

Why not talk about CAN arbitration? The book fails to mention a simple attack vector everyone in automotive knows about. The ArbID on CAN is not only unique to a CAN frame but also used to win arbitration. You can flood a CAN bus with CAN frames using an ArbID of 0x01 or 0x00 to kick off a sort of denial-of-service attack.

The UDS hacks they talk about are not really hacks at all. They are part of what is known as right to service. Automotive manufacturers are not allowed to lock out small mom & pop service shops or 3rd-party tools. The really sensitive stuff typically requires what is known as a VIN unlocker. For example, you can't easily change the ODO (odometer) value. With Ford ECUs, you get a DLL from Ford Motor and a key. You then take CAN data off the bus, pass it through the provided DLL along with the key, and get back a value that you send back out to "unlock" the ECU to program it. Why not talk about reverse engineering this?

They talk about CANiBUS which is a nice tool but a better one is Vehicle Spy which does the same thing and more. Chip tuners use this to reverse engineer the CAN signals.

In the industry, all these CAN bus signals can be decoded if you have what is called a DBC file. A DBC file is a file format used to look up values and translate them into human-readable descriptions. The format is owned by Vector, which is another company that makes overpriced CAN diagnostic and simulation tools that everyone uses.

The Ethernet Metasploit looks like pie-in-the-sky talk. Every Ethernet system in a car today is basically an infotainment system and benign data like album art, MirrorLink, and simple data sharing between, say, a center stack and a cluster. There's nothing there... On top of this, every automotive Ethernet is BroadR-Reach, which is Broadcom's 2-wire Ethernet, and to tap into it requires expensive demo boards from Broadcom. It's not like you can simply take a 2-wire Ethernet and put it into a Linksys switch to see the packets. More misinformation.

The Keypad for the passive entry looks like good material but it, too, looks very dated.

Sorry to be such a downer, but I felt after reading through the material they should be called out... buyer beware.
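As an added illustration (not code from the thread, the book, or any vendor), here is a small Python script that does what the DBC and arbitration remarks above describe from the monitoring side: it parses a constructed DBC fragment to translate raw frames from a constructed candump-style log into named signal values, and it flags a burst of low ArbIDs that would win every arbitration and starve the bus. The DBC message, signals, log lines and thresholds are all made up for the example, and only Intel (little-endian) signal byte order is handled.

```python
import re
from collections import Counter
# Constructed DBC fragment (hypothetical message and signals, not from any real vehicle).
DBC = """BO_ 513 ENGINE_DATA: 8 ECM
 SG_ EngineSpeed : 0|16@1+ (0.25,0) [0|16383.75] "rpm" IC
 SG_ CoolantTemp : 16|8@1+ (1,-40) [-40|215] "degC" IC
"""
# Constructed candump-style capture: (timestamp) iface id#payload.
LOG = """(1.000) can0 201#A00F460000000000
(1.010) can0 000#00
(1.011) can0 000#00
(1.012) can0 000#00
(1.020) can0 201#200F470000000000
"""
SG_RE = re.compile(r'SG_ (\w+) : (\d+)\|(\d+)@(\d)([+-]) \(([^,]+),([^)]+)\)')
LOG_RE = re.compile(r'\(([\d.]+)\) \S+ ([0-9A-Fa-f]+)#([0-9A-Fa-f]*)')

def parse_dbc(text):
    """CAN id -> [(name, start_bit, length, signed, factor, offset)]; Intel (@1) order only."""
    msgs, cur = {}, None
    for line in text.splitlines():
        if line.startswith("BO_"):
            cur = int(line.split()[1])          # BO_ ids are decimal in DBC files
            msgs[cur] = []
        elif line.strip().startswith("SG_") and cur is not None:
            name, start, length, order, sign, factor, offset = SG_RE.search(line).groups()
            if order != "1":
                raise ValueError(f"{name}: Motorola byte order not handled in this example")
            msgs[cur].append((name, int(start), int(length), sign == "-", float(factor), float(offset)))
    return msgs

def decode_frame(msgs, can_id, data):
    """Translate a raw payload into named physical values using the DBC scaling."""
    raw_all, out = int.from_bytes(data, "little"), {}
    for name, start, length, signed, factor, offset in msgs.get(can_id, []):
        raw = (raw_all >> start) & ((1 << length) - 1)
        if signed and raw & (1 << (length - 1)):
            raw -= 1 << length                  # two's complement
        out[name] = raw * factor + offset
    return out

def analyse(log, dbc, low_id=0x010, flood_count=3):
    """Decode each frame; flag any ArbID <= low_id seen >= flood_count times (arbitration hogging)."""
    msgs, decoded, seen = parse_dbc(dbc), [], Counter()
    for ts, cid, payload in LOG_RE.findall(log):
        can_id = int(cid, 16)
        seen[can_id] += 1
        decoded.append((float(ts), can_id, decode_frame(msgs, can_id, bytes.fromhex(payload))))
    alerts = [hex(i) for i, n in seen.items() if i <= low_id and n >= flood_count]
    return decoded, alerts
```

Running `analyse(LOG, DBC)` on the constructed capture yields EngineSpeed 1000.0 rpm and CoolantTemp 30.0 degC for the first 0x201 frame and reports 0x0 as a flooding ArbID; the thresholds are placeholders to tune against a real bus's normal traffic.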

Two questions:

* If the info there is as outdated as you say, where could one find a reasonably complete and up to date intro to car computer technology?

* Are there any tools out there that can be used for simulating a car network (CAN bus, ECU etc.) for lab purposes?

"If the info there is as outdated as you say, where could one find a reasonably complete and up to date intro to car computer technology?"

You won't find this in public. You would need to work in the industry to get access to all the specs. Much of it is under NDA between companies.

"Are there any tools out there that can be used for simulating a car network (CAN bus, ECU etc.) for lab purposes?"

Yes, Vector CANoe is probably the most widely used tool for this. It has a scripting engine called CAPL that closely resembles the C programming language. dSPACE is another one.