
CarHacking Compressed

The document discusses the growing threat of car hacking due to increased connectivity in modern vehicles, highlighting vulnerabilities in the controller area network (CAN) bus architecture. It outlines various methods hackers use to gain access to vehicle systems, including exploiting the OBD-II port and using radio devices to intercept signals. The study emphasizes the need for improved security measures in automotive technology to protect against potential cyber-attacks that could endanger passengers and drivers.


ISSN (Print) : 0974-6846

ISSN (Online) : 0974-5645


Indian Journal of Science and Technology, Vol 12(41), DOI: 10.17485/ijst/2019/v12i41/145568, November 2019

Towards the Prevention of Car Hacking: A Threat to Automation Industry

Pooja Sharma¹, Vaibhav Jha¹, Vasudha Arora¹ and Prateek Jain²,*

¹Department of Computer Science & Engineering, Manav Rachna International Institute of Research & Studies, Faridabad 121003, India, pooja02998@[Link], vaibhavkumar2012@[Link]
²Accendere CL Educate Ltd, New Delhi 110044, India; [Link]@[Link]

Abstract
Background/objectives: Connectivity provides a safer environment, but it also acts as a backbone to provide attack surface
to hackers. There are millions of cars on the road today, and so many are expected to be in future; there might be a risk to
the passengers, vehicle drivers, etc. Methods/statistical analysis: This study discusses the issue of car hacking which is
one of the real threats to automobile as well as automation, and how we can prevent it by studying the details about the
controller area network (CAN) bus architecture so that the auto manufacturer gives more emphasis to developing a secure
vehicular information system. Findings: Hackers gain access to the car system via the internet, Bluetooth, etc. The more
a car is automated, the more vulnerable it is to cyber-attack. When a car is connected to the internet, it provides access
to the vehicle’s delicate CAN bus. Hackers can hijack non-safety and safety-critical functions such as steering, accelerator,
brake and clutches by sending commands. Improvements/applications: This study gives a general overview of how we
can validate the security features of the vehicle so that we can secure our vehicle from black hat hackers, resulting in saving
millions of people who could be a victim of such menacing cyber-attacks.

Keywords: Car Hacking, CAN Bus, Cyber-attacks, OBD Hacking

*Author for correspondence

1. Introduction

In 2010 researchers at the Center for Automotive Embedded Systems Security (CAESS), California, detected that gaining a connection with the OBD-II port of the car can easily disable the brakes and switch on/off the engine. They embedded malicious code in the car’s telematics unit and were able to break its network security.¹

In 2013 cyber security researchers Charlie Miller and Chris Valasek showed Forbes how they could access vehicle controls through a laptop computer via the OBD port.² In 2014 Mathew Solnik, an information security researcher, misguided the car’s engine, brakes and security systems from his laptop by wirelessly connecting to the OBD port in the controller area network (CAN) bus system.

In 2015 host Lesley Stahl, in a demonstration by the U.S. military’s Defense Advanced Research Projects Agency (DARPA), drove a car remotely using his laptop. In 2017, William Hatzer and Arjun Kumar at Rapid7 claimed that the Hyundai Blue Link app can be the cause of a “MAN IN THE MIDDLE ATTACK”. Hackers can easily have access to the personal information of the user.

In today’s world, many of the objects that we use in day-to-day life and at home are increasingly becoming remotely controllable. Due to technology there is a need to automate everything and to influence and automate the object’s behavior that once required local and manual input. Thus, automation has become a necessity and an important issue to tackle.³

The vehicle is one of the most typical products of industry. A vital and necessary consideration of a car is safety. In the past, car designers did not need to think about the problem that a car could possibly be attacked and controlled by hackers. But with the significant development in recent years, IT crimes have become a serious problem that cannot be ignored. The lack of safety in the electronic and information systems of cars should get more attention.

Considering the modern vehicles, it is quite easy to immediately picture a scenario where a car is controlled using a smartphone. Moreover, this leads to a rise in autonomous vehicles as well as self-driving cars, and this represents the next logical step and is a reality for the current scenario. Due to a rise in the complexity of the electronic circuit of the vehicles, there is a need to understand these electronic control units (ECUs) as well as their importance in monitoring the various subsystems of a car. In addition, modern vehicles are able to communicate with other devices using wireless interfaces, potentially exposing the internal network of the car to vulnerabilities. It is our belief that the current state-of-the-art internal communication systems used in modern cars are not ready to handle threats from external attackers.³

Currently, ECUs are widely used in cars for controlling and achieving most functions of cars. A vehicle may have dozens to hundreds of ECUs to work with. In this case, CAN plays a role that connects ECUs together. The hardware of CAN is called the CAN bus.⁴

One feature of CAN is that it follows a message-based protocol to transfer information. In a real car, the contents of CAN messages depend on the car’s designer, but the form of these messages certainly obeys a particular standard (ISO 11898). Because of this, it is not difficult to analyze these messages merely by reading them. Besides, the message form of the CAN data frame, which is used for sending status information or instructions, does not include any field for identifying the sender of messages.⁴

2. Different Ways to Unlock a Car

2.1 Using an Arduino-based RF Transceiver
The first attack we performed was done by a radio device which cost just 2000 INR with a radio receiver, a small control board, but is capable of spying and extracting continuous code values used by keyless entry systems (Figure 1).⁵,⁶

Figure 1. Arduino-based RF transceiver.⁶

We included code values in the signal which is sent every time when a driver presses the key buttons, which is then used together to emulate a key that is unique for every vehicle. Then we performed reverse engineering into one component inside a car’s network and were able to extract a cryptographic key. Then we combined the two secret keys, which enabled us to clone the key fob and access the car.

2.2 Hijack with HiTag2 and a Radio Device in 60 Seconds
In the second method, we used a cryptographic scheme called HiTag2 which is old but still used in millions of vehicles, including Lancia, Opel, Renault, Ford, Alfa Romeo, Chevrolet and Peugeot.

To perform this attack, a hacker needs a tiny radio setup which is similar to the one used in the previous hack. Using a radio device, we were able to read and intercept the strings of the coded signals from the car’s key fob.

We discovered that flaws in the HiTag2 scheme with the help of rolling codes would allow cracking the cryptographic key in a second. So these two methods were just for unlocking the car, making it accessible for hackers or thieves to steal it. But if we use a digital system instead of rolling codes, it would be more secure. To hack a car, unlocking it is the first step of every hacker, so that they can tamper with the CAN bus system and the OBD port.

3. Tampering the CAN Bus

Two security researchers, Javier Vazquez-Vidal and Alberto Garcia Illera, have developed CAN Hack, a tiny device, which is even smaller than our mobiles, to hack cars. The device costs 1500 INR, but is able to give away the entire control of any car to an attacker, from headlights and windows to its steering angles⁷ and brakes (Figure 2).⁸

Injecting malicious code into the CAN ports makes it possible for an attacker to send wireless commands remotely from a computer. It can take just 5 minutes or less to put it into action and then walk away. Whether it takes 1 minute or 1 year, a hacker could wait and then trigger it to do whatever one has programmed it to do. Once hackers have control of this network, they can control locks, lights, steering and even brakes (Figure 3).⁹
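Because the CAN data frame carries no sender field, a receiver cannot tell an injected frame from a genuine one, so a monitor has to rely on traffic behaviour instead. The following is an added example, not code from the paper: it learns each arbitration ID's normal period from a known-good `candump -L` log and flags IDs the baseline never carried and frames that arrive far too early. The log lines, the IDs and the 0.5 tolerance are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# One classic CAN frame per line in `candump -L` form: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def make_log(events, iface="vcan0", t0=1572600000.0):
    """Render constructed (offset_s, can_id, hex_data) tuples as candump -L lines."""
    return "\n".join(f"({t0 + off:.6f}) {iface} {cid:03X}#{data}"
                     for off, cid, data in sorted(events))

def parse_log(text):
    """Return [(timestamp, can_id, data_bytes)]; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _iface, can_id, data = m.groups()
            frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return frames

def learn_periods(frames):
    """Median inter-arrival time per arbitration ID, learned from known-good traffic."""
    seen = defaultdict(list)
    for ts, can_id, _data in frames:
        seen[can_id].append(ts)
    return {cid: median(b - a for a, b in zip(t, t[1:]))
            for cid, t in seen.items() if len(t) >= 3}

def detect(frames, periods, tolerance=0.5):
    """Flag IDs absent from the baseline and frames that arrive far too early."""
    alerts, last = [], {}
    for ts, can_id, _data in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < tolerance * periods[can_id]:
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts

# Constructed baseline: ID 0x110 every 10 ms, ID 0x2A0 every 100 ms.
BASELINE = make_log([(i * 0.010, 0x110, "0000271000000000") for i in range(20)]
                    + [(i * 0.100, 0x2A0, "01FF") for i in range(3)])
# Constructed capture: the same 0x110 traffic plus three extra 0x110 frames with
# different data, and one frame on 0x7DF (OBD-II diagnostic request ID), which
# the baseline never carried.
OBSERVED = make_log([(i * 0.010, 0x110, "0000271000000000") for i in range(10)]
                    + [(t, 0x110, "0000FFFF00000000") for t in (0.033, 0.043, 0.053)]
                    + [(0.065, 0x7DF, "02010C0000000000")])

if __name__ == "__main__":
    periods = learn_periods(parse_log(BASELINE))
    for ts, can_id, reason in detect(parse_log(OBSERVED), periods):
        print(f"{ts:.6f} id=0x{can_id:03X} {reason}")
```

A "too-fast" alert says that two senders are competing for one ID; it does not say which of the two frames is the forged one.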

Figure 2. CAN bus system.⁸

Figure 3. CAN bus architecture.⁹

3.1. CAN Bus Architecture

CAN bus is called the heart of any modern vehicle’s interconnected systems. The CAN bus is a single, centralised network bus on which all of a vehicle’s data traffic is broadcast. Every command from the operator is carried by the CAN bus system, from “apply the brakes” or “roll down the windows” to readouts from sensors reporting engine temperature or tire pressure. The emergence of the CAN¹⁰ bus brought improvements in efficiency and a reduction in complications, thus reducing wiring costs too (Figure 4).

Figure 4. Car hacking toolkit.

But with the car hacking toolkit (CHT), hackers have already tested on different vehicles and successfully did tricks, which include setting off alarms, affecting the steering, applying brakes, and switching off headlights. We performed this with the help of Bluetooth, but we could also do the same with the help of Raspberry Pi or a WiFi router, enabling the CHT to control the car from a far distance.

4. Understanding the OBD Port

All the vehicles come equipped with an OBD (On Board Diagnostic) port, which allows the external devices to interface with a car’s computer system. We generally find this connector under¹¹ the steering column just above the brake and accelerator panel or hidden elsewhere on the dashboard (Figure 5).

Figure 5. OBD layout.

5. Layman Procedure

First of all, as soon as we gain access to an OBD board, we are able to extract every information of the car. We can use that information to understand the architecture and behaviour of that car.

But changes could only be done when a hacker or attacker has access to the CAN bus architecture. For communicating with the CAN bus, we require various drivers and software. The best technique would be to amalgamate the CAN tools along with their various interfaces to form a customary interface so that we could easily share and communicate between different tools (Figure 6).¹²

SocketCAN, an open source driver of CAN and official API of the Linux kernel, makes it possible to make tools to support CAN. SocketCAN applications use the standard C socket which comes along with a custom
network protocol family, PF_CAN. With the help of this functionality, the kernel handles CAN device drivers to communicate with existing networking hardware, thus providing user-space utilities and a common interface.¹³

Figure 6. Tampering with the CAN system.¹²

We used this git command to install CAN utils in our package manager.

$ sudo apt-get install can-utils
$ git clone [Link]

6. Data Recorder Logging

All vehicles that came after 2015 are equipped with a kind of black box called event data recorder (EDR), but it can record only a finite portion of information that a black box on an aircraft could do. Information stored on an EDR is as follows¹⁴:

6.1. Airbag Deployment
Generally airbags open when a car gets hit on its bonnet, but here with the amalgamation of codes we can open it anytime.

6.2. Steering Angles
Turning the steering into wrong angles might lead to an accident.

6.3. Vehicle Speed
Engine speed could be tampered with using a reverse CAN; thus, acceleration could be suddenly boosted, leading to a major accident.

6.4. Brake Status
Brakes could be applied anytime by the attacker, which might result in a tragedy.

6.5. Ignition Cycles
Ignition could get disrupted while driving, causing a sudden stoppage of the car.

7. Communicating with the Wireshark for Reversing CAN Bus

To keep a watch on the activity of CAN, we need a device called OBD-II that could monitor and generate CAN packets. This device will cost around 2000 INR. Open source hardware and software are ideal to use as it is compatible with the majority of software tools. We used Wireshark to capture and alter the packets, and candump from the can-utils suite (Figure 7).¹⁵,¹⁶

Figure 7. Packets received from the vehicle.

Every vehicle has a unique CAN system; therefore, common packet investigation won’t work for CAN. As there’s so much disturbance on CAN, it’s very difficult to sort in an order of every packet.

7.1. Wireshark
For networking, we used Wireshark with SocketCAN to capture CAN packets. Both canX and vcanX devices could be listened to with Wireshark. If you need to use a slcanX device with Wireshark, one should change the name from slcanX to canX.

If interface renaming doesn’t work, then one has to transfer CAN packets from an interface that Wireshark can’t read; a single CAN could bridge the two interfaces. To do so, we used the mentioned commands (Figure 8):

$ candump -b vcan0 slcan0

Raw hex bytes are shown because the data section isn’t decoded. This happens because Wireshark’s decoder is
not able to deal with ISO-TP or UDS packets but can only handle the basic CAN header.

Figure 8. CAN packets in Wireshark.

7.2. Writing to the CAN Bus
Then we write back to the CAN bus the below-mentioned code, which handles the steering wheel angle.

$ openxc-control write --name steering_wheel_angle_value 41.0
$ openxc-control write --bus 2 --id 41 --data 0x1234

It is basically called raw CAN hacking. However, one can write an app or embedded graphical interface so that the vehicle could read and react, thus making it the quickest route to own a car for free.

7.3. Hacking OpenXC
After our work of reversing CAN signals, one can frame their own OpenXC firmware. As OpenXC is an API for the car, its work is to read as well as translate information from a car’s internal network so that the data could become approachable from most Android apps using the OpenXC library. Compiling¹⁷ our own firmware becomes easy, which indicates now we could read or write whatever we want and even write code for the “unsupported” signals. To start an engine, we can create a signal for that and then add it to our own firmware in order to provide a layman interface to give ignition to the car. So, this is the power of open source. Consider a signal that renders speed of the engine. Giving 8-8 will set a basic configuration to return the speed signal of engine. Then we sent RPM data with a 4-byte-long instruction ID 0x1110 starting at the fourth byte.

    {
      "name": "Intersquad",
      "buses": {
        "hs": {
          "controller": 1,
          "speed": 600000
        }
      },
      "instruction": {
        "0x110": {
          "name": "Acceleration",
          "bus": "hs",
          "signal": {
            "signal_of_engine_speed": {
              "name": "engine_speed",
              "bit_position": 4,
              "bit_size": 18
            }
          }
        }
      }
    }

With the help of OpenXC, our modifications of the CAN system are stored in JSON. JSON is used for storing and exchanging data. First of all, we increased acceleration of the car using the above code, thus modifying the bus by framing a JSON with a text editor. In the code, we framed a signal of JSON for a high-speed bus running at 600 kilobytes per second.

JSON uses human-readable text for transmitting data consisting of array data types and attribute-value pairs. As soon as we have the JSON, we compiled the above code into a CPP format which again could be compiled into the firmware:

$ openxc-generate-firmware-code --message-set/run-[Link] > [Link]

With the help of these commands, we recompiled the firmware. If somehow things go wrong and we can’t gain access to the CAN bus system, then ECU hacking comes into the picture.¹⁷,¹⁸

8. Conclusion

Cyber security is now the need of the hour. Smart cars are the most vulnerable and open to any sort of exploits. One can imagine the situation of being hacked while driving. Even the airbags, brakes and accelerators may not be in one’s control on wheel. So, manufacturers need to lay much
importance on the CAN bus system by making it more hardware-secured and using secret codes. By finding all possible ways of attack a hacker can perform on the car, we can patch that vulnerability and could save people.

References

1. Currie R. Developments in car hacking. SANS Institute; 2015.
2. Smith C. The car hacker’s handbook: a guide for the penetration tester. No Starch Press; 2016.
3. Jafarnejad S. A car hacking experiment: when connectivity meets vulnerability. In: IEEE globecom workshop; 2015. P. 1–6.
4. Zhang Y. Controlling a car through obd injection. In: IEEE 3rd international conference on cyber security and cloud computing; 2016. P. 26–9.
5. Martinelli F. Car hacking identification through fuzzy logic algorithms. In: IEEE international conference on fuzzy systems; 2017. P. 1–7.
6. Samara G, Al-Salihy AHW, Sures R. Security analysis of vehicular ad hoc networks. In: Second international conference on network applications, protocols and services; 2010.
7. Van Osch, Michiel, Smolka SA. Finite-state analysis of the CAN bus protocol. In: Proceedings sixth IEEE international symposium on high assurance systems engineering. Special topic: impact of networking; 2001. P. 42–52.
8. Rouf I, Miller R, Mustafa H, Taylor T, Oh S, Xu W, et al. Security and privacy vulnerabilities of in-car wireless networks: a tire pressure monitoring system case study. USENIX Security; 2010. P. 323–38.
9. Kaspersky lab daily. [cited 2019 May 22]. https://[Link]/wiki/Kaspersky_Lab.
10. Brief history of car hacking. [cited 2017 Aug 30]. [Link]hacking-2010-present/.
11. Studnia I, Nicomette V, Alata E, Deswarte Y, Kaâniche M, Laarouchi Y. Survey on security threats and protection mechanisms in embedded automotive networks. In: 43rd annual IEEE/IFIP conference on dependable systems and networks workshop; 2013. P. 1–12.
12. Ring M. Survey on vehicular attacks-building a vulnerability database. In: IEEE international conference on vehicular electronics and safety; 2015. P. 208–12.
13. Hacking news. [cited 2017 Feb 03]. [Link]com/2017/02/03/metasploit-now-supports-hacking-cars/.
14. Cui X, Li J. Tools and practices. Secure and trustworthy transportation cyber-physical systems. Singapore: Springer; 2017. P. 143–59.
15. Kroker A, Kroker M. Hacking the future: stories for the flesh-eating 90s. New World Perspectives; 1996. P. 1–146.
16. Miller C, Valasek C. Remote exploitation of an unaltered passenger vehicle. Black Hat USA; 2015. P. 1–91.
17. Cui W. Automatic reverse engineering of input formats. In: Proceedings of the 15th ACM conference on computer and communications security; 2008. P. 391–402.
18. Malekian R. Design and implementation of a wireless OBD II fleet management system. IEEE Sens J. 2016, 17(94):1154–64.