When you think of car hacking, it’s easy to simply think of it as a nefarious activity when in reality it’s just as likely to be the work of a researcher or DIY enthusiast wanting to extend a vehicle’s capabilities and understand its weaknesses.
Last year we saw Chinese security researchers take remote control of a Tesla Model S from 12 miles away, targeting the car’s breaks, locks, and dashboard computer screen. Tesla was then hacked again in November by researchers at Promon.
Researchers also discovered the Mitsubishi Outlander hybrid car and Nissan Leap Cars were vulnerable to hacking, to name but a few examples. Robert Leale is the founder of CanBusHack Inc, a security research firm focused on vehicle networks and embedded control systems and The Car Hacking Village (CHV), which made its debut at Defcon last year and is featured at this year’s Consumer Electronics Show (CES). I spoke to Leale to learn more.
Leale explained that the goal of the CHV was to increase people’s understanding of car hacking:
“When I say car hacking, what I mean is changing or modifying your car in a lot of different ways, being able to understand the systems so well that you can use them for yourself, whether remotely or not. This can include security implications.”
He explained that car hacking capabilities could include practical hacks to make life easy including “adding your own cellphone app for remotely starting your vehicle and tracking your own vehicle in case it is stolen or something happens to it.
It might include applications that aren’t necessarily available from the car manufacturer or require additional costs or subscription fees. Also in a lot of vehicles, you can write arbitrary text to difference screens, maybe making little messages, translating data from your phone to the car, interacting in ways that aren’t really possible or that the car companies themselves are still catching up with those kinds of applications.”
It’s a good time to be a car hacking enthusiast. In October 2016, a new exemption to the Digital Millennium Copyright Act appeared, ensuring that Americans can hack their own device without fear that the DMCA’s ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. Importantly, this extends to new forms of security research and the digital repair of vehicles, creating scope for a need breed of hacking. The exemptions are limited to a two-year trial period.
The Car Hacking Village provides a series of zones where participants can listen to a talk, attend a workshop, physically dismantle vehicle panels to understand how cars function access tools that are otherwise difficult to procure. One import component of car hacking is the Can Bus, a vehicle bus standard designed to allow electronic control units and devices to communicate with each other in applications without a host computer. As Leale explains:
“In pulling the car apart and improving the modules, and learning diagnostics, there are aspects that are unique to cars as distinct from computers. So our goal is to show people that because there’s a lot of differences as well as overlap between the hardware hacking villages and maybe the crypto hacking or IoT. This enables you to take the tools that you learn from us and combine it with other knowledge you acquire from other villages or talks.
It’s also an opportunity for networking. as there are automotive companies that of companies really need talented people who are interested in learning about these symptoms, companies that might need help.”
You may recall the 2015 Defcon where Charlie Miller and IOActive’s Chris Valasek demonstrated they were able to wirelessly take control of a Jeep using a wifi connected laptop, enabling them to cut the breaks and transmission. They now both work as researchers as Uber.
CHV’s next goal is to make the tools accessible to the hacker community, as many commercial level tools are in the 5-10k price range. Leale’s goal by this year’s DefCon is to “try and get those under the $100 range without compromising the quality of the tools. Having the right tools in the hands of the hackers can really answer people’s questions. We also want to get a web store running that will sell these tools at very low cost, readily available, just like the hacker community in general, keeping costs low, bringing a lot of people into the community and you know see what they do and just do it.”
Leale notes that while they have a good relationship with car manufacturers, he is also subject to a number of cold shoulders:
“At the end of the day you know the truth is, we’re not the first ones to do it. We’re just the first ones so talking about, much like anything, the people who don’t talk about it are the people you should worry about. There’s a lot of room for misuse. But the more knowledge that you equip people with the better everything is. Anybody with the right tools can figure it out, if this knowledge is open then we can all benefit from it.”
