Monday, August 5, 2013

Car Hacking: The Content

By Chris Valasek @nudehaberdasher and Charlie Miller @0xcharlie

Hi Everyone,
As promised, Charlie and I are releasing all of our tools and data, along with our white paper. We hope that these items will help others get involved in automotive security research. The paper is pretty refined but the tools are a snapshot of what we had. There are probably some things that are deprecated or do not work, but things like ECOMCat and ecomcat_api should really be all you need to start with your projects. Thanks again for all the support!
  1. Whoa, that's some scary stuff. I have a few questions about the flashing process:

    1. It's possible to upload new firmware over CAN, and the chips could flash themselves back to default with a custom firmware, right? So theoretically, an attacker could e.g. flash the ABS and Engine ECUs so that they wait for the speed to reach 100mph or so, then trick the precollision system into braking. At the same time, your flashed ABS chip could make sure that only one brake works, right? E.g. the front left one? And the flashed engine chip could switch to full acceleration. And then, the chips would reflash themselves after a few seconds. That could work and should make the vehicle spin relatively fast, right? So if someone did that attack in winter, it'd look as if the driver had lost control of his car, with no signs of any tampering apart from maybe an entry in the precollision system debug log, right?

    2. In which state does the car have to be for these ECUs to be flashable? They're probably not powered unless the ignition key is present and turned to at least the second position, right? Is it possible to power them through the debug port, or would an attacker without the key need to get access to the chips directly in order to flash them? In other words, my question is: Let's say there's a convertible standing around with an open roof. Could an attacker just plug some device into the debug CAN port, flash the ECUs that way and take the device back out?

  2. Regarding my last comment: Actually, it doesn't even have to be a convertible because you can get access to the CAN bus from below the car without opening it, right?

  3. Nice show; hopefully car manufacturers DO touch the risks and attack vectors in the future and understand the risks in depth.

    Remote sploits are something which integrated capability w/ locating applications, IP connectivity etc. inevitably brings in.

  4. Hello Chris and Charlie,
    I heard of your work from my neighbour and took a look into it.
    Due to my automotive background, I am not surprised about your findings.

    Currently you need physical access to the CAN network for your hack. Think about it the following way:
    The diagnostic interface used in service shops often has a BlueTooth or WLAN connection to the service notebook. If you get into this, you can have access to the connected cars if you are near enough and get into it (not that hard as you most probably know). Via this connection you could replace the radio firmware, which often gives you a programmable interface between the CAN bus and BlueTooth, WLAN or even the connected or integrated cell phone.
    If you have some luck you will even find security flaws in the BlueTooth implementations you can use.

    Possible future way:
    I am not sure if this is in series yet, but you can also look into ISO 13400-2, which is Diagnostics over IP. If this is implemented on WLAN and not only on LAN, it becomes even easier to get into a car.

    Torsten Knodt

  5. Interesting choice with the ECOM CAN device. I have one that I used with an FW Murphy CAN package that I really liked. I must have been the only user because they no longer sell that system.

  6. Hi Chris-Charlie,

    Thanks for sharing this with us. Where can I download the sample videos mentioned in the pdf? Is having a 2010 Prius with an auto parking system enough to do all these tests?

    Thank you again!