Paperback(New Edition)
-
PICK UP IN STORECheck Availability at Nearby Stores
Available within 2 business hours
Related collections and offers
Overview
The Car Hacker’s Handbook will give you a deeper understanding of the computer systems and embedded software in modern vehicles. It begins by examining vulnerabilities and providing detailed explanations of communications over the CAN bus and between devices and systems.
Then, once you have an understanding of a vehicle’s communication network, you’ll learn how to intercept data and perform specific hacks to track vehicles, unlock doors, glitch engines, flood communication, and more. With a focus on low-cost, open source hacking tools such as Metasploit, Wireshark, Kayak, can-utils, and ChipWhisperer, The Car Hacker’s Handbook will show you how to:
–Build an accurate threat model for your vehicle
–Reverse engineer the CAN bus to fake engine signals
–Exploit vulnerabilities in diagnostic and data-logging systems
–Hack the ECU and other firmware and embedded systems
–Feed exploits through infotainment and vehicle-to-vehicle communication systems
–Override factory settings with performance-tuning techniques
–Build physical and virtual test benches to try out exploits safely
If you’re curious about automotive security and have the urge to hack a two-ton computer, make The Car Hacker’s Handbook your first stop.
Product Details
ISBN-13: | 9781593277031 |
---|---|
Publisher: | No Starch Press |
Publication date: | 03/01/2016 |
Edition description: | New Edition |
Pages: | 304 |
Sales rank: | 680,803 |
Product dimensions: | 7.00(w) x 9.10(h) x 0.90(d) |
About the Author
Table of Contents
Foreword Chris Evans xvii
Acknowledgments xix
Introduction xxi
Why Car Hacking Is Good for All of Us xxii
What's in This Book xxiii
1 Understanding Threat Models 1
Finding Attack Surfaces 2
Threat Modeling 2
Level 0 Bird's-Eye View 3
Level 1 Receivers 3
Level 2 Receiver Breakdown 5
Threat Identification 6
Level 0 Bird's-Eye View 6
Level 1 Receivers 7
Level 2 Receiver Breakdown 10
Threat Rating Systems 11
The DREAD Rating System 11
CVSS: An Alternative to DREAD 13
Working with Threat Model Results 13
Summary 14
2 Bus Protocols 15
The CAN Bus 16
The OBD-II Connector 17
Finding CAN Connections 17
CAN Bus Packet Layout 18
The ISO-TP Protocol 19
The CANopen Protocol 20
The GMLAN Bus 20
The SAEJ1850 Protocol 20
The PWM Protocol 21
The VPW Protocol 22
The Keyword Protocol and ISO 9141-2 22
The Local Interconnect Network Protocol 24
The MOST Protocol 24
MOST Network Layers 25
MOST Control Blocks 25
Hacking MOST 26
The FlexRoy Bus 27
Hardware 27
Network Topology 27
Implementation 27
FlexRay Cycles 28
Packet Layout 29
Sniffing a FlexRay Network 30
Automotive Ethernet 30
OBD-II Connector Pinout Maps 31
The OBD-III Standard 33
Summary 34
3 Vehicle Communication with Socketcan 35
Setting Up can-utils to Connect to CAN Devices 36
Installing can-utils 37
Configuring Built-in Chipsets 37
Configuring Serial CAN Devices 39
Setting Up a Virtual CAN Network 40
The CAN Utilities Suite 41
Installing Additional Kernel Modules 42
The can-isotp.ko Module 43
Coding SocketCAN Applications 44
Connecting to the CAN Socket 44
Setting Up the CAN Frame 45
The Procfs Interface 45
The Socketcand Daemon 46
Kayak 46
Summary 49
4 Diagnostics and Logging 51
Diagnostic Trouble Codes 52
DTC Format 52
Reading DTCs with Scan Tools 54
Erasing DTCs 54
Unified Diagnostic Services 54
Sending Data with ISO-TP and CAN 55
Understanding Modes and PIDs 57
Brute-Forcing Diagnostic Modes 58
Keeping a Vehicle in a Diagnostic State 60
Event Data Recorder Logging 61
Reading Data from the EDR 62
The SAE J1698 Standard 63
Other Data Retrieval Practices 63
Automated Crash Notification Systems 64
Malicious Intent 64
Summary 65
5 Reverse Engineering the Can Bus 67
Locating the CAN Bus 67
Reversing CAN Bus Communications with can-utils and Wireshark 68
Using Wireshark 69
Using candump 70
Grouping Streamed Data from the CAN Bus 70
Using Record and Playback 73
Creative Packet Analysis 76
Getting the Tachometer Reading 79
Creating Background Noise with the Instrument Cluster Simulator 81
Setting Up the ICSim 81
Reading CAN Bus Traffic on the ICSim 83
Changing the Difficulty of ICSim 84
Reversing the CAN Bus with OpenXC 84
Translating CAN Bus Messages 85
Writing to the CAN Bus 86
Hacking OpenXC 87
Fuzzing the CAN Bus 88
Troubleshooting When Things Go Wrong 89
Summary 90
6 ECU Hacking 91
Front Door Attacks 92
J2534: The Standardized Vehicle Communication API 92
Using J2534 Tools 93
KWP2000 and Other Earlier Protocols 94
Capitalizing on Front Door Approaches: Seed-Key Algorithms 94
Backdoor Attacks 95
Exploits 95
Reversing Automotive Firmware 96
Self-Diagnostic System 96
Library Procedures 97
Comparing Bytes to Identify Parameters 101
Identifying ROM Data with WinOLS 103
Code Analysis 106
A Plain Disassembler at Work 107
Interactive Disassemblers 110
Summary 113
7 Building and Using ECU Test Benches 115
The Basic ECU Test Bench 116
Finding an ECU 116
Dissecting the ECU Wiring 117
Wiring Things Up 119
Building a More Advanced Test Bench 119
Simulating Sensor Signals 120
Hall Effect Sensors 121
Simulating Vehicle Speed 123
Summary 126
8 Attacking ECUS and Other Embedded Systems 127
Analyzing Circuit Boards 128
Identifying Model Numbers 128
Dissecting and Identifying a Chip 128
Debugging Hardware with JTAG and Serial Wire Debug 130
JTAG 130
Serial Wire Debug 132
The Advanced User Debugger 133
Nexus 134
Side-Channel Analysis with the ChipWhisperer 134
Installing the Software 135
Prepping the Victim Board 137
Brute-Forcing Secure Boot Loaders in Power-Analysis Attacks 138
Prepping Your Test with AVRDUDESS 139
Setting Up the ChipWhisperer for Serial Communications 140
Setting a Custom Password 141
Resetting the AVR 143
Setting Up the ChipWhisperer ADC 143
Monitoring Power Usage on Password Entry 145
Scripting the ChipWhisperer with Python 147
Fault Injection 148
Clock Glitching 148
Setting a Trigger Line 154
Power Glitching 156
Invasive Fault Injection 156
Summary 156
9 In-Vehicle Infotainment Systems 157
Attack Surfaces 158
Attacking Through the Update System 158
Identifying Your System 159
Determining the Update File Type 160
Modifying the System 161
Apps and Plugins 163
Identifying Vulnerabilities 164
Attacking the IVI Hardware 166
Dissecting the IVI Unit's Connections 166
Disassembling the IVI Unit 168
Infotainment Test Benches 170
GENIVI Meta-IVI 170
Automotive Grade Linux 173
Acquiring an OEM IVI for Testing 174
Summary 175
10 Vehicle-to-Vehicle Communication 177
Methods of V2V Communication 178
The DSRC Protocol 179
Features and Uses 180
Roadside DSRC Systems 181
WAVE Standard 184
Tracking Vehicles with DSRC 186
Security Concerns 186
PKI-Based Security Measures 188
Vehicle Certificates 188
Anonymous Certificates 189
Certificate Provisioning 189
Updating the Certificate Revocation List 191
Misbehavior Reports 192
Summary 192
11 Weaponizing Can Findings 193
Writing the Exploit in C 194
Converting to Assembly Code 196
Converting Assembly to Shellcode 199
Removing NULLs 199
Creating a Metasploit Payload 200
Determining Your Target Make 202
Interactive Probing 203
Passive CAN Bus Fingerprinting 204
Responsible Exploitation 208
Summary 208
12 Attacking Wireless System with SDR 209
Wireless Systems and SDR 210
Signal Modulation 210
Hacking with TPMS 211
Eavesdropping with o Radio Receiver 212
TPMS Packets 213
Activating a Signal 214
Tracking a Vehicle 214
Event Triggering 214
Sending Forged Packets 215
Attacking Key Fobs and Immobilizers 215
Key Fob Hacks 216
Attacking a PKES System 219
Immobilizer Cryptography 220
Physical Attacks on the immobilizer System 228
Flashback: Hotwiring 230
Summary 231
13 Performance Tuning 233
Performance Tuning Trade-Offs 234
ECU Tuning 235
Chip Tuning 236
Flash Tuning 238
Stand-Alone Engine Management 239
Summary 240
A Tools of the Trade 241
Hardware 241
Lower-End CAN Devices 242
Higher-End CAN Devices 245
Software 246
Wireshark 246
PyOBD Module 246
Linux Tools 247
CANiBUS Server 248
Kayak 248
SavvyCAN 248
O2OO Data Logger 249
Caring Caribou 249
Of Fingerprinting Tool 250
UDSim ECU Simulator 250
Octane CAN Bus Sniffer 250
AVRDUDESS GUl 251
RomRaider ECU Tuner 251
Komodo CAN Bus Sniffer 251
Vehicle Spy 252
B Diagnostic Code Modes and PIDS 253
Modes Above 0×10 253
Useful PIDs 254
C Creating Your Own Open Garage 255
Filling Out the Character Sheet 255
When to Meet 257
Affiliations and Private Memberships 257
Defining Your Meeting Space 258
Contact Information 258
Initial Managing Officers 259
Equipment 259
Abbreviations 261
Index 263