
The Car Hacker's Handbook

By Nathan Willis
March 16, 2016

No Starch Press recently released a book about working with automotive software systems: The Car Hacker's Handbook: A Guide for the Penetration Tester, written by Craig Smith. The book is an expansion of Smith's popular and widely circulated e-book of the same title. The old version remains available online at no cost, but there is considerably more content in the new revision—enough to make it a tempting purchase not just for automotive-software fans in general, but for those interested in embedded-device security and in reverse engineering other classes of consumer product.

Roadmap

As the subtitle suggests, the book is written as an overview of reverse engineering and security testing car computers—meaning all of the embedded and user-facing computer systems running in a modern vehicle. It covers interacting with embedded sensors and controllers, in-vehicle infotainment (IVI) dash units, the powertrain control modules (PCMs) that control engine operation, and various wireless systems distributed throughout a vehicle. The book is a comfortable length (278 pages), and retails for $49.95.

[Car Hacker's Handbook]

The approach Smith takes is to consider the vehicle a security target like any other computer system that one might analyze for vulnerabilities. He constructs a threat model, itemizing and rating every attack surface; he then explores the threats in a systematic fashion. For instance, the controller area network (CAN) bus is one of the easiest entry points to the system, since it connects all of the networked modules in the car and carries no sender authentication: any node on the bus can transmit any arbitration ID, and the receivers have no way to tell a forged frame from a genuine one. Thus, he first examines the on-wire format of CAN bus traffic, moves on to sniffing and understanding the higher-level message formats transported over CAN, and eventually considers which CAN messages are interesting and how to generate them.

That said, it is clear from the outset that The Car Hacker's Handbook is not intended as a guide to exploiting the vehicles of other people. Smith is a co-founder of the automotive hacker community Open Garages, and the book is peppered with examples of how hacking on one's own car is a valuable skill to possess. Apart from tweaking engine characteristics to improve performance or fuel efficiency (which are the two most common goals), being able to break into a car's computer network is increasingly necessary to swap in aftermarket parts, replace broken or missing components, or simply to understand why something is not behaving as expected.

On this front, the book is quite successful. The text goes out of its way to de-mystify a number of car-computing topics, from reading and decoding the Diagnostic Trouble Codes (DTCs) emitted by electronic control units (ECUs), to capturing messages in various undocumented and proprietary formats, and even to reverse engineering the read-only memory (ROM) found in the PCM. All of these are topics that various industry players (from car makers to the manufacturers of overpriced diagnostic gadgets) take pains to keep from the public eye. In addition, many of the automotive standards and specifications involved are not freely available and must be purchased, usually at high cost. The information in the book on these topics, especially when coupled with the pointers to additional online resources, levels the playing field quite a bit.

Naturally, the same could be said of most of the software discussed; Open Garages is a project driven by open-source software ideals, and Linux is the easiest platform for interfacing with automotive computer systems. Nevertheless, Smith does highlight several cross-platform and web-based tools that will be of interest to Windows users. Smith also discusses several Linux-based and open-source automotive projects, but the focus of the book is on getting into real-world systems, regardless of whether they run Linux, QNX, Windows, or some peculiar, one-off operating system from an automotive subcontractor.

Along for the ride

To briefly outline the topics covered in the book, Smith starts out with a discussion of the networking protocols used in car computing. The aforementioned CAN bus is a low-level link protocol: a frame carries an arbitration ID and at most eight data bytes, and the bus itself knows nothing about what those bytes mean. He also describes the packet formats of ISO-TP, CANopen, and GMLAN, all of which are protocols that run on top of raw CAN (ISO-TP, for example, adds segmentation and flow control so that diagnostic messages longer than a single frame can be carried). He also explains SAE J1850, Keyword Protocol 2000, Local Interconnect Network (LIN), Media Oriented Systems Transport (MOST), and FlexRay; each of these protocols is found in a limited subset of cars, but recognizing them in the field is important. Similarly, there are a variety of DTC messaging protocols; Smith describes the major formats and conventions (many of which do not have formal names or specifications).
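As an added illustration of the two layers described above (it is not code from the book or from Open Garages), the following Python reassembles a multi-frame ISO-TP message from raw CAN frames and then decodes the OBD-II mode 0x03 "stored DTCs" response it carries. The frames, the use of the conventional 11-bit IDs 0x7E0/0x7E8 for the tester and engine ECU, and the presence of a DTC-count byte after the 0x43 service byte are all assumptions made for the example; the DTC two-byte packing (SAE J2012) is standard.

```python
"""Constructed example: ISO-TP (ISO 15765-2) reassembly plus OBD-II mode 03
DTC decoding. CAN frames below are made up and use the customary tester
request ID 0x7E0 and engine-ECU response ID 0x7E8 (an assumption, not a
rule: many vehicles use other IDs)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class CanFrame:
    arb_id: int
    data: bytes


# ISO-TP protocol control information (PCI) type lives in the high nibble of byte 0
SINGLE, FIRST, CONSECUTIVE, FLOW = 0x0, 0x1, 0x2, 0x3


def isotp_reassemble(frames: Iterable[CanFrame], arb_id: int) -> bytes:
    """Return the ISO-TP payload transmitted on arb_id.

    A single frame (PCI 0) is returned directly. A first frame (PCI 1)
    announces the total length in 12 bits and carries 6 bytes; consecutive
    frames (PCI 2) carry 7 bytes each with a 4-bit sequence number that
    starts at 1 and wraps to 0. Flow-control frames (PCI 3) are sent by the
    receiver on the other ID and are ignored here."""
    payload = bytearray()
    expected_len: Optional[int] = None
    next_sn = 1
    for f in frames:
        if f.arb_id != arb_id or not f.data:
            continue
        pci = f.data[0] >> 4
        if pci == SINGLE:
            length = f.data[0] & 0x0F
            return bytes(f.data[1:1 + length])
        if pci == FIRST:
            expected_len = ((f.data[0] & 0x0F) << 8) | f.data[1]
            payload = bytearray(f.data[2:])
            next_sn = 1
        elif pci == CONSECUTIVE and expected_len is not None:
            sn = f.data[0] & 0x0F
            if sn != next_sn:
                raise ValueError(f"ISO-TP sequence error: got {sn}, expected {next_sn}")
            next_sn = (next_sn + 1) & 0x0F
            payload += f.data[1:]
            if len(payload) >= expected_len:
                return bytes(payload[:expected_len])  # drop padding bytes
        # FLOW frames and unknown PCIs fall through
    raise ValueError("incomplete ISO-TP message")


def decode_dtc(hi: int, lo: int) -> str:
    """Two-byte DTC encoding: bits 7-6 of the first byte select P/C/B/U,
    bits 5-4 give the first digit, and the remaining three nibbles are
    hex digits, so 0x01 0x33 -> 'P0133'."""
    system = "PCBU"[hi >> 6]
    return f"{system}{(hi >> 4) & 0x3}{hi & 0xF:X}{lo >> 4:X}{lo & 0xF:X}"


def parse_mode03_response(msg: bytes) -> List[str]:
    """Mode 0x03 answers with 0x43, a DTC count (assumed present, as on
    CAN-based OBD), then one two-byte code per DTC."""
    if not msg or msg[0] != 0x43:
        raise ValueError("not a mode 03 response")
    count = msg[1]
    pairs = msg[2:2 + 2 * count]
    return [decode_dtc(pairs[i], pairs[i + 1]) for i in range(0, len(pairs), 2)]


def stored_dtcs(frames: Iterable[CanFrame], ecu_id: int = 0x7E8) -> List[str]:
    return parse_mode03_response(isotp_reassemble(frames, ecu_id))


# Constructed capture: request, first frame, tester flow control, consecutive
# frame, and an unrelated broadcast frame that must be ignored.
FRAMES = [
    CanFrame(0x7E0, bytes([0x02, 0x01, 0x03, 0, 0, 0, 0, 0])),            # tester: mode 03 request
    CanFrame(0x7E8, bytes([0x10, 0x08, 0x43, 0x03, 0x01, 0x33, 0x04, 0x20])),  # FF: 8-byte message
    CanFrame(0x7E0, bytes([0x30, 0x00, 0x00, 0, 0, 0, 0, 0])),            # tester: flow control
    CanFrame(0x0C4, bytes([0x0F, 0x3C, 0, 0, 0, 0, 0, 0])),               # unrelated broadcast
    CanFrame(0x7E8, bytes([0x21, 0xC1, 0x00, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA])),  # CF #1 + padding
]

if __name__ == "__main__":
    print(stored_dtcs(FRAMES))
```

Note that the sequence-number check is what separates a usable decoder from a sniffer-grade one: on a busy bus, a dropped consecutive frame silently corrupts the message unless the reassembler refuses it.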

The book then discusses how to work with the Linux kernel's SocketCAN interface, providing some valuable tips on the CAN utilities available and on how capturing CAN traffic differs from sniffing Ethernet or WiFi packets. For example, Wireshark performs poorly as a CAN sniffer: most modules broadcast the same frames continuously, so a raw capture is dominated by repeats of unchanging data. The specialized can-utils package does better; its cansniffer tool groups frames by arbitration ID and highlights only the bytes that change, which is what makes the interesting events stand out from the flood. The book also discusses some tools for capturing, analyzing, and replaying CAN traffic, like Kayak and caringcaribou, plus Smith's own CAN-traffic generator, ICSim.

This section of the book is focused on how one might discover and isolate the CAN message that performs a specific function in the car (say, unlocking the doors). One of the later chapters then picks up the topic again, explaining how to develop a compact program to use this message of interest, writing the unlock signal out to the bus. The module that legitimately originates that frame keeps transmitting its own version, so the injected message may need to be repeated rapidly enough to drown out the contradictory ones. It also describes how to adapt the necessary code for use with the Metasploit penetration-testing tool. Perhaps the most interesting aspect of that discussion is that it detours into how to fingerprint the make and model of a car by passively observing its CAN traffic; Open Garages is in the process of developing a fingerprinting tool called CAN of Fingers (c0f) for this purpose.
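The workflow described in the two paragraphs above (filter the flood of repeating frames, then isolate the one that changes when an action is performed) is mechanical enough to script. The following is an added example, not code from the book, ICSim, or can-utils: it parses logs in the format written by `candump -l`, computes which bytes change per arbitration ID in the same spirit as cansniffer, and diffs a "nothing happening" capture against a "press unlock" capture. The log lines, IDs, and payloads are constructed for the example and belong to no real vehicle; the SocketCAN `can_frame` layout used by `pack_can_frame` is the Linux one.

```python
"""Constructed example: candump log parsing, cansniffer-style change
detection, and baseline-vs-action differencing to find a candidate frame.
Log format is that of `candump -l`: "(timestamp) iface ID#HEXDATA".
All IDs and payloads below are made up."""
import re
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text: str) -> List[Tuple[float, int, bytes]]:
    """Turn candump -l output into (timestamp, arbitration id, data) tuples."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable candump line: {line!r}")
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def changing_bytes(frames) -> Dict[int, Set[int]]:
    """Per arbitration ID, the byte offsets whose value is not constant over
    the capture. IDs whose payload never changes map to an empty set."""
    seen: Dict[int, List[bytes]] = defaultdict(list)
    for _, arb_id, data in frames:
        seen[arb_id].append(data)
    result = {}
    for arb_id, payloads in seen.items():
        first = payloads[0]
        result[arb_id] = {
            i for p in payloads for i in range(min(len(p), len(first))) if p[i] != first[i]
        }
    return result


def find_candidates(baseline_log: str, action_log: str) -> Dict[int, Set[int]]:
    """IDs that either appear only during the action, or whose bytes change
    during the action but were static in the baseline. IDs that churn all
    the time (engine speed, wheel speed) are excluded because they changed
    in the baseline capture as well."""
    base = changing_bytes(parse_candump(baseline_log))
    act = changing_bytes(parse_candump(action_log))
    candidates: Dict[int, Set[int]] = {}
    for arb_id, offsets in act.items():
        if arb_id not in base:
            candidates[arb_id] = offsets          # brand-new ID during the action
        elif offsets - base[arb_id]:
            candidates[arb_id] = offsets - base[arb_id]
    return candidates


def cansend_string(arb_id: int, data: bytes) -> str:
    """Format a frame the way the can-utils `cansend` tool expects it."""
    width = 8 if arb_id > 0x7FF else 3
    return f"{arb_id:0{width}X}#{data.hex().upper()}"


def pack_can_frame(arb_id: int, data: bytes) -> bytes:
    """Linux SocketCAN struct can_frame: u32 can_id, u8 dlc, 3 pad, 8 data bytes.
    Set the extended-frame flag for 29-bit IDs. Write the result to a raw
    AF_CAN socket (socket.socket(AF_CAN, SOCK_RAW, CAN_RAW)) in a loop to
    out-transmit the module that normally owns the ID."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    can_id = arb_id | 0x80000000 if arb_id > 0x7FF else arb_id
    return struct.pack("=IB3x8s", can_id, len(data), data.ljust(8, b"\x00"))


# Constructed captures: 0x0C4 churns (engine speed), 0x2A0 and 0x3D1 are
# static, and during the action 0x2A0 byte 1 flips while 0x4F0 shows up.
BASELINE = """
(1458130000.000100) can0 0C4#0F3C00000000
(1458130000.000200) can0 2A0#0000
(1458130000.000300) can0 3D1#1122334455
(1458130000.010100) can0 0C4#0F4100000000
(1458130000.010200) can0 2A0#0000
(1458130000.010300) can0 3D1#1122334455
"""
ACTION = """
(1458130005.000100) can0 0C4#0F5500000000
(1458130005.000200) can0 2A0#0000
(1458130005.000300) can0 3D1#1122334455
(1458130005.004000) can0 4F0#01
(1458130005.010100) can0 0C4#0F5A00000000
(1458130005.010200) can0 2A0#000A
(1458130005.010300) can0 3D1#1122334455
"""

if __name__ == "__main__":
    for arb_id, offsets in find_candidates(BASELINE, ACTION).items():
        print(f"candidate {arb_id:03X}: changed byte offsets {sorted(offsets)}")
```

In practice the two captures must be taken with the same vehicle state (ignition position, doors, gear), otherwise the diff fills up with frames that reflect the state change rather than the action; repeating the action several times and intersecting the candidate sets is the usual way to shrink the list to one ID.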

The other major section of the book deals with reverse engineering ECUs. While a complete description of reverse engineering an embedded system would be a topic vast enough to fill multiple books, Smith does an admirable job of outlining the basic process and pointing readers in the right direction. He discusses side-channel attacks, brute-force attacks, and the comparatively straightforward process of dumping an EPROM and analyzing the contents. He looks at some specific tools, mostly of the hardware variety, but with an emphasis on open-hardware options like ChipWhisperer. If all one wants to do is adjust the engine timing or fuel mixture, he notes, little or no disassembly of the firmware may be needed: locating the right calibration tables in the ROM image and editing them in place can suffice.
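To make the "find the tables without disassembling the code" point concrete, here is an added example (not from the book) that scans a ROM image for the monotonic breakpoint arrays that typically sit in front of a two-dimensional calibration map, reads the map that follows them, and scales it with an 8-bit clamp. The ROM image is synthetic, and the layout it assumes (two 8-entry axes immediately followed by 8x8 single-byte cells) is one common pattern, not a universal format; on a real ECU the axis lengths, cell width and any checksum covering the calibration area have to be confirmed before an edited image is flashed.

```python
"""Constructed example: locate and edit a calibration table in an ECU ROM
dump by structure alone. Assumes (for this example only) that each 2-D map
is stored as two strictly increasing axis arrays followed by rows*cols
8-bit cells; real ECUs vary and must be checked individually."""
from typing import List, Optional, Tuple


def find_increasing_runs(rom: bytes, min_len: int = 8) -> List[Tuple[int, int]]:
    """(offset, length) of every maximal strictly increasing byte run of at
    least min_len bytes. Code and random data rarely produce such runs;
    axis breakpoint arrays always do."""
    runs = []
    start = 0
    for i in range(1, len(rom) + 1):
        if i == len(rom) or rom[i] <= rom[i - 1]:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = i
    return runs


def locate_map(rom: bytes, axis_len: int = 8) -> Optional[Tuple[int, int, int]]:
    """Find two adjacent axis-length runs and return (axis1, axis2, table)
    offsets, the table being assumed to start right after the second axis."""
    runs = find_increasing_runs(rom, axis_len)
    for (off_a, len_a), (off_b, len_b) in zip(runs, runs[1:]):
        if len_a == axis_len and len_b == axis_len and off_b == off_a + len_a:
            return off_a, off_b, off_b + len_b
    return None


def read_table(rom: bytes, offset: int, rows: int, cols: int) -> List[List[int]]:
    return [list(rom[offset + r * cols: offset + (r + 1) * cols]) for r in range(rows)]


def scale_table(rom: bytes, offset: int, rows: int, cols: int, factor: float) -> bytes:
    """Copy of the ROM with every cell multiplied by factor and clamped to
    0..255, so an aggressive edit saturates instead of wrapping around."""
    out = bytearray(rom)
    for i in range(rows * cols):
        out[offset + i] = max(0, min(255, round(out[offset + i] * factor)))
    return bytes(out)


def build_synthetic_rom() -> Tuple[bytes, int]:
    """A made-up 1 KiB image: filler that looks like code, then an 8-point
    RPM axis, an 8-point load axis and an 8x8 timing map that rises and
    falls along each row (so the cells themselves never form a long run)."""
    filler_block = bytes.fromhex("00d3e812004e714e754f03004f0ab8ff")
    filler = filler_block * 32                       # 512 bytes, no run longer than 3
    rpm_axis = bytes(range(8, 72, 8))                # 8, 16, ..., 64
    load_axis = bytes(range(20, 180, 20))            # 20, 40, ..., 160
    table = bytes(30 + 2 * r + (c if c < 4 else 7 - c) for r in range(8) for c in range(8))
    return filler + rpm_axis + load_axis + table + filler, len(filler)


if __name__ == "__main__":
    rom, _ = build_synthetic_rom()
    found = locate_map(rom)
    print("axes/table at", found)
    if found:
        for row in read_table(rom, found[2], 8, 8):
            print(row)
```

Tuning tools use the same heuristic with more refinement (16-bit cells, descending axes, known per-ECU offsets); the structural search is what gets a reverse engineer to the right neighbourhood of a several-hundred-kilobyte image before any code is read.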

From a practical standpoint, car hackers have it easier than some reverse engineers, since so many cars (especially older ones) use small CPUs with modest amounts of memory. But this is changing fast as car makers catch up to other electronics companies. It is particularly interesting to note that this section of the car-hacking space is the one with the most missing pieces from a free-software standpoint: most of the ECU reverse-engineering tools, it seems, are still of the proprietary flavor.

In addition to these big topics, there are several self-contained chapters that cover smaller subjects, including vehicle-to-vehicle networking, sourcing test components, attacking wireless systems (like key-fob remotes and tire-pressure monitors), and attacking vehicles via the IVI unit. Some of these discussions are surprisingly brief, but that is in line with the feel of the book, which emphasizes getting into the car's network in order to do something interesting. The IVI unit and wireless interfaces are enormous attack surfaces, but they are primarily of interest to the car hacker precisely because one can go through them to get to the vehicle's other systems. Fiddling around with the IVI system itself to alter or side-load apps may be fun, but is somewhat tangential. A lot has been written elsewhere about vulnerabilities in IVI units and wireless interfaces; Smith points readers to other resources rather than repeat their information.

The book closes with an encouragement for readers to start up their own Open Garages local group (or form a similar car-hacking meet-up), whether attached to a hackerspace or as a stand-alone entity. At the moment, there are only a handful of such groups anywhere in the world, but interest in car hacking as a topic is certainly on the rise. It may take time to catch up with "maker" subcultures like wearable electronics and 3D printing, but Open Garages is a good reminder of how much value a community can add. Its members have developed a lot of code, including projects of vital importance like c0f.

In the rear-view mirror

As a reviewer, I may be biased in favor of any book that addresses car hacking, because it is a hobby I find personally interesting (although most of my involvement has been in the Linux-based IVI development camp) and a topic on which there are precious few long-form resources to be found. Setting that aside, however, I remain convinced that The Car Hacker's Handbook is well worth reading in its own right.

For starters, the practical information on automotive networks and protocols is invaluable. Not only are many of the protocols poorly documented (if at all) elsewhere, but many of them are in the "legacy code" bin: the companies involved have moved on and have no interest in continuing to discuss them, yet the vehicles using those systems are still on the road in large numbers and will be for many years to come.

At a more fundamental level, though, the book also works as an introduction to car computer systems for those who are already experienced in hacking other types of devices. And it addresses the various security issues and approaches without assuming too much prior engineering experience, which should make the book useful for shade-tree mechanics with little hacking experience, too. A reader cannot learn how to reverse-engineer ECU firmware in a single chapter, but Smith puts that task in context, explains when it is necessary, and puts the reader on the right path forward. All things considered, that is what one wants from a hacker's handbook.

[The author would like to thank No Starch Press for sending a review copy of the book.]

Index entries for this article: Security/Automotive, Security/Books




Copyright © 2016, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds