We understand that hackers look for weaknesses in networks to manipulate or take data, but learning how vehicles can also be accessed, either remotely or physically, can be a bit surprising.
Today’s guest is Derrick Thiecke. Derrick works as an Embedded Systems Security Tester in the automotive industry where he found himself after spending over a decade in the corporate IT world. When Derrick isn’t data dumping ROM chips, scouring through vehicle log data, or fuzzing CAN networks, he can be found as a brief blur passing by you on the highway.
“We are not at the level of thinking where IT professionals think about cars being hacked. If you are in IT and hardware hacking, look into the automotive industry, because we need your help.” - Derrick Thiecke
Show Notes:
- [0:58] – Derrick shares his background and current role as a security tester for automotive controllers and devices.
- [3:30] – There are differences between vehicle networks and home networks. The main network for vehicles is CAN bus.
- [5:12] – Because it is a bussed network, Derrick explains how all devices on the network can access all the data.
- [6:50] – Previously, you had to have physical access to hack a car, but not anymore.
- [8:19] – Derrick describes how his own vehicle accesses data on a network.
- [9:56] – The implementation of standards has changed the way vehicles are serviced.
- [11:18] – Safety critical features are isolated, but some things can still be accessed that can be harmful.
- [12:29] – There was an event in 2015 where a parking feature was hacked while the vehicle was in motion.
- [13:59] – There are ways to communicate with and change the fuel mapping over CAN bus, but there is usually a physical component required.
- [16:07] – Derrick describes a scenario that creates a potential threat.
- [19:04] – The automotive industry typically sits about a decade behind in technology.
- [21:24] – Derrick lists some of the features in a vehicle that are connected to a network.
- [23:18] – The number of vehicle recalls due to software issues has increased since 2015, but the issues aren’t growing.
- [25:01] – Movies depict vehicle hacking as possible disasters. Derrick shares his concerns.
- [26:44] – When ransomware became a problem, we had the same questions. The threat for the worst case scenario is plausible.
- [28:31] – Derrick describes the most concerning problem he has experienced as a tester.
- [30:59] – Different cars all use the same controllers, even those without the same features.
- [32:26] – There are devices that can unlock vehicles without the key or keyfob.
- [34:18] – When there is an issue with a computer, typically there is an update to solve it. That currently isn’t the case for most vehicles.
- [35:41] – There are some updates that can happen remotely, but the catch-22 is that the wireless connection makes the vehicle susceptible to threats.
- [37:02] – There is a huge shortage of workforce in this industry.
- [38:41] – Derrick recommends the book The Car Hacker’s Handbook if you are interested in this field.
Links and Resources:
- Derrick Thiecke on Twitter
- Email Derrick Thiecke
- The Car Hacker’s Handbook by Craig Smith
Transcript:
Derrick, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me. I'm glad to be here.
Can you give myself and the audience a little background about who you are and what you do?
I've been a hobbyist/professional in the automotive industry for about half a decade. I live and work in the metro Detroit area, where I am a security tester, kind of red team for automotive-related controllers, microcomputers, and devices.
Nice. What got you interested in the field?
I spent about a decade in corporate IT. I'm super into motorsports. I have a motorcycle. It was a low production motorcycle. Some of you may have heard of it. It's called Buell Motorcycle. They were originally a company located in East Troy, Wisconsin.
My bike had some ongoing dash issues, and a few others had shared that they had similar issues. Sadly, at the time, the motorcycle company was having some financial issues, and you couldn't get a new dash.
I actually reverse-engineered the communication between the engine controller on the motorcycle and the dash unit. With that information, I was able to go out and purchase an aftermarket dash and program it to function on the motorcycle.
From there, I did a talk at the DEFCON cybersecurity convention about how I overcame the non-standards of many recreational vehicles. After that, I was offered a job in the metro Detroit area, where I relocated. Now, I work in the automotive industry pen-testing vehicle controllers.
Another thing that's cool is due to financial issues of Buell Motorcycles, they actually relocated into Grand Rapids, and I helped them a little bit, too.
Nice. Let's talk a little bit about the background. For those who aren't familiar with how automotive computers and systems work, I think it's similar to the early days of networking, the Internet. But let's talk through what are the components of the automotive systems, particularly the computers. How do they communicate? And what are the risks with that type of communication?
The primary network, one thing that's pretty different from home networks is that there's a plethora of different in-vehicle network technologies used. But the main one that's used in every single vehicle is a network technology called CAN bus.
CAN is actually an acronym for Controller Area Network. A lot of people may be familiar with LAN, which is a Local Area Network, or WAN, which is a Wide Area Network. CAN is a Controller Area Network. A controller is just a fancy term for saying a computer in its most basic form, really. Basically, all the controllers or computers on your car are going to communicate over this CAN bus.
Another interesting concept is that a home network is what they would refer to as a routed network while this Controller Area Network is a bus network, hence CAN bus. One thing that's interesting about a bus network is that every computer on the network sees all the data coming across no matter who it's from. You program the computers to only read the data that's designated just for them.
Some of the inherent issues with this platform is that I can hop on the network and start seeing all of the data for every single computer on the car and analyzing it. It's how I did my bike. I just hopped on the network, and I started seeing the communication that was happening between all the computers on the bike, and then I was able to reverse engineer that information.
When you say hop on the network, this is not through cellular data connection. You're talking about physically connecting a device to the network?
Yeah. It's physically connecting, which actually was one thing I was going to cover. For decades now, the platform, I guess, that you could say that the automotive industry has used for security practice is the physical access concept. You can't hack a car unless you get physical access. You have to connect to these wires on it to hack it.
As we know, with the age of connected cars and vehicle information being fed to the cloud and stuff like that, that's changing. What's interesting and the huge question that everybody's asking is, are automotive manufacturers going to be able to make this safe migration from relying on physical access as our security protocol, to now people don't necessarily need physical access to hack a car? That's where we're at right now is the slow migration of vehicles and manufacturers switching to more like cellular-connected, Wi-Fi-connected vehicles.
Traditionally, cars have been—you connect a new computer or connect a new device—by that, I don't mean a device like your Android phone or something like that, but you physically connect a system controller to it. There’s this implicit trust that every device trusts everything else that's on the network, right?
Exactly. I think it was ’96 or ’98, they implemented the OBD2 standard. These vehicle networks and communication protocols communicating with computers are typically available at the OBD2 ports. A lot of times, you'll get a gateway or a firewall there. But because of the inherent issues of the Controller Area Network bus, you really just have to get up there and plug in on the other side if you really want to get into these networks.
Today, I own a 2015 vehicle, and the data at the OBD2 port is not gatewayed or firewalled at all. You can read all the data. You could send data through it, and the car will see it.
That's how those consumer systems used to be. If my car's throwing up a warning light, you don't know what it means. But now you can go ahead, rather than taking your car to an automotive center or repair shop, you can now get one of those automatic or a bunch of companies make readers that will read all those error codes for you.
Exactly. There's a set of standard codes, and then manufacturers expand on those standards. Most of the OBD2 readers and stuff like that, you could clear engine event codes and stuff like that. Basically, the reason it was created is because we would all hate if this was manufacturer-specific, and you had to go to the dealership every single time.
I originally come from California where every several years, you have to get a smog check. Imagine if you had to get your smog check done at the dealer because these mom-and-pop shops weren't able to communicate with your car. That's really what it was put there to overcome.
But with the implementations of standards, it gives us more information to know about the vehicle and opens up the attack vector, which is why again—going back to my motorcycle talk—it was a huge thing about circumventing not having very many standards for a recreational vehicle, because those help people a lot in knowing.
The OBD2 standard, which is an acronym for on-board diagnostics, I should say, tells you exactly what's on what pin, so you know, “Oh, these two pins right here are the CAN bus network. This one is a 12-volt power supply, and this one is the ground.” Just knowing that information alone makes it easier for someone to start reading data from it.
For older cars, where you can connect to the CAN bus yourself as—we’ll use the term hacker for simplicity’s sake—what things can you do to the car by playing around on the CAN bus?
To be perfectly honest, most of the safety-critical things are isolated from there. Even with throttle by wire and stuff like that, you can't manipulate throttle bodies. A lot of the braking stuff isn't there. But there are things, like I haven't really come across a vehicle with a Controller Area Network, where you couldn't manipulate the headlights.
You could potentially turn off the lights while somebody is driving. You could obstruct their view, by turning on the windshield wipers and the windshield wiper fluid spray or something like that. You can unlock and lock the doors a lot of times. That poses threats. I should also add that it's not 100% of the time that some of these safety-critical things are not on there.
Whenever I tell people I'm in vehicle security to cybersecurity professionals, they typically reference one instance that was brought to everybody's attention at DEFCON back in 2015, and it is what we refer to as the infamous Jeep hack, where people were able to actually remotely connect into a Jeep and manipulate the braking system on the Jeep.
It was designed—because if I remember correctly, the Jeep had a self-parking feature, where it would manipulate the braking power and stuff, and it was all automated. They were able to manipulate that self-parking data while the vehicle was in motion.
That's a little bit scary.
Yeah.
With the physical CAN bus access, are most people tinkering with it trying to get better, more horsepower out of their car at the expense of emissions and things like that?
No, not so much on the CAN bus. For that, there are other communication protocols that aren't really network protocols, so to say. There's a network protocol called JTAG, which I don't actually know what that acronym stands for. It's typically used for programmers to interface with a chip or something along those lines. There's also UART, which is a very common one. These are interfaces that are more for what they call debugging and stuff like that.
There are ways to communicate and change the fuel mapping, so to say, of a vehicle over CAN bus. But even those typically require a method of putting the controller into a certain state and involve a little bit more.
There's a line of pretty popular controllers that require you on two pins to put waveforms at different frequencies, and then you enter a boot mode, as they call it. You can then upload different fuel mappings to tune the fuel injection for greater performance and stuff like that. Usually, that requires the removal of it. I shouldn't say two. There are a few out there.
One thing I use for an example all the time is that with motorcycles, for example. A lot of people who ride motorcycles are more into the performance of their vehicle than people who drive cars. A lot of times, people will put these little Bluetooth dongles on to the communication connector of their motorcycle. They'll get some software that will allow them to change the fuel mapping and stuff like that.
I think the huge security risk comes in when they grab their tablet. They're like, “Oh, man. Let's upload this fuel mapping that I found online,” which in and of itself should not be done unless you really know what you're doing, because any fuel mapping can be online that can cause catastrophic failure to your engine.
They're like, “OK, we're done. I put on a new exhaust and air filter. I got my new tune,” and they throw their tablet in their backpack, and they ride their motorcycle for a test ride down to the cafe. They never remove their Bluetooth Wi-Fi dongle that they use for tuning. They get to the cafe, and they take out their tablet. They're like, “OK, my air-to-fuel ratio looks good.” But really, there's a threat there for them.
Chances are, too—I see it all the time—they did not change the credentials to this device or anything. Now, somebody could throw on a malicious fuel mapping, and their engine blows up on the way home or something like that.
I always tell people, the greatest way to avoid a security threat if you're into tuning and stuff like that, is really try to make it so your vehicle does not broadcast any wireless connections, unless it's needed at that point in time.
It's like, do your work, do your programming in the garage, and then take out the dongle once you're done with everything.
Exactly. Go for your test ride without the dongle. I wouldn't even recommend checking things at a coffee shop. Coffee shops are a plethora for computers, and it increases your rate of potentially individuals who know what they're doing. The more computer people are around on their laptops, the greater possibility of somebody being a very computer-savvy individual are there.
Honestly, I think one huge issue why we're talking about this today is that it's actually getting harder and harder. The wireless connectivity may not be allowed by the gateway to the rest of the computers on your car, but I don't know of a vehicle today that doesn't broadcast Bluetooth all the time. Do you really want to turn off and on your Bluetooth every single time you get in the car?
It's a potential there with, again, as we mentioned at the beginning, the security practices of the automotive industry for decades prior has been physical access. Have they really put the security concern on the wireless connection that doesn't require that physical access anymore?
Is it the automotive industry with respect to software security? Is it 10, 20, 30 years behind what you might think of as your home networks and the Internet?
Yeah. I think, typically, the automotive industry sits a decade or two behind on technology. They've closed the gaps over the years. If you just think like we were talking about, how long it took for every single car on the market to be implemented with Bluetooth, versus when Bluetooth was actually implemented, when phones started having them, when wireless speakers were out, and stuff like that?
It definitely took, like, a good five to 10 years after the popularity of Bluetooth speakers and Bluetooth headsets for cars to be like, “Oh, you know? We should really do this.”
Bluetooth isn't really even the only one. Slowly now, we've seen cars roll out with Wi-Fi, cellular, the Jeep hack that happened. That was a cellular-connected vehicle. It's just growing. The question in places: Will the security be on point with the growth and popularity of wireless connectivity to vehicles?
I assume that starts meaning that there are a lot more cars with software in them in the sense that it used to be, you got your AM/FM radio, your cassette, or your CD player. There's no real infotainment system. Now, almost every car has some smart infotainment system in it. Even your entry-level cars are more than just that. Are we starting to see more issues with software in cars going bad?
Yeah. I was looking up some information a while ago about the growth in software in vehicles and stuff like that. If we think back just to 1980, the only computer in a car was the fuel injection system, the engine controller. Now, we think of today, we have the engine controller, the body controller, which controls the door locks, the windows, and all the good stuff like that, the alarm system, and all the way to what we're getting into now as the driver assist-related car controllers.
The automotive controllers for the driver assist, we aren't just talking one. We're talking a good 10-20, for radar, for the actual control of the vehicle and stuff like that. A lot of times, there are different types of radar systems on these vehicles, so different controllers for that. It just opens up the threat. If we think, since we're on the talk of vehicles, there's the old saying in mechanical engineering: The more moving parts, the more capable of issues.
It's the same thing. When you keep implementing more code, more computers, and that code base continues to grow, there's just a higher probability for issues, whether there are just bugs that may be very particular to a scenario that 0.001% of people are going to come about, or whether it's a huge, huge issue, such as the Jeep hack.
I think one thing that's really interesting is that, in my search for statistics, while the growth of vehicles that have been recalled to software-related issues has grown immensely since 2015, the actual amount of software-related recalls has only increased by one additional recall since 2015.
It actually offers a sense of security for us that, oh, there are clearly tons and tons more vehicles with a larger code base and stuff like that, but the issues aren't growing. That gives us a sense of security that despite the high number of vehicles that are going on the road that are highly controlled by computers, the issues aren't growing at the same rate of vehicles using them. That's somewhat comforting.
Let's move on to the question that everybody is asking. Everybody has seen the Fast and Furious movie where all the cars are taken over, and it's raining cars off of parking structures, and the cars are swarming down the streets because they've been hacked. What do you think the likelihood of that type of scenario coming out is?
Obviously, this is movies, but where do you see the automotive security and hacking going with driver-assist features that can not only say, “Hey, I'm going to put on the brakes so you don't run into the wall,” but we're now starting to see parking-assist features, lane assist, Tesla's full self-drive beta, Chevy's got their blue cruise? There are a lot more systems that are controlling things—acceleration, deceleration, turning—so much more than just windows and locks.
I don't know. I don't want to be concerned, but at the same time I'm concerned. Again, I just keep thinking back to the 2015 scenario with the Jeep. If at the time, that automotive controller was implemented into 20 more cars, that could have posed a huge issue. It already was a huge issue, but that could have been catastrophic.
Especially with the fact that a lot of automotive manufacturers actually utilize the same controllers. It's not just like, oh, Chevy only uses Chevy controllers. These companies are sharing these controllers developed by companies like Continental and stuff like that. We're seeing these same controllers implemented across multiple vehicles.
While typically safety-critical systems are not controlled by CAN, like I mentioned before, it's not 100%. The threat is always there. The same way when ransomware came out, and you probably asked the same question. What do you think the likelihood of a hospital computer that controls people's hearts and stuff, are going to be ransomed?
I imagine they probably said the same thing. It's the worst possible scenario, and we hope it doesn't happen. But at the same time, the threat is still there. It's still there, and it's still plausible. With ransomware, clearly, we saw hospitals get ransomed. There's no way to tell, but the only thing we can hope for is—I keep going back to the automotive industry—to be able to keep up with the wireless connectivity that they start to implement. That's partly my job, so I'm trying my best for all of you.
Is at least, there's currently the advantage that, and I won't say all cars because I don't know enough, that almost all cars are physical steering linkage, physical brakes, that it's not a whole lot of drive-by-wire yet? Like the infamous TV shows, like the person's driving and all of a sudden, “Oh, even though I'm stamping on the brake pedal, nothing's happening.” That says you have a physical connection. You could still stamp on the brake, even if your car is hacked, so to speak.
Yeah. The only issue that I've seen myself that was probably the most concerning, that I still was able to easily overpower, like it didn't require any strength, is that there was a vehicle that I was playing with at one time out of the several hundred or so vehicles that I had done some data logging and testing with my previous employer. There was one vehicle in particular that I was able to plug into the OBD2 ports.
By feeding it rogue data, like I said, because of the bus, when you feed it data, all the controllers will see it that are on the network. The steering wheel started moving as I fed it randomized rogue data. This car had no driver-assist features at all. There actually was not even a trim level for this vehicle that had driver-assist features, but yet I was able to control the steering wheel.
Usually, features like that aren't even accessible through the OBD2 port by a third-party because, typically, you have to bypass what one could think of as a firewall, if you're familiar with standard computing and the firewall that protects you from the Internet. It's the same way. There's a firewall that protects the car from rogue data coming in. There are a few.
The security on the firewall varies vehicle to vehicle, but it typically just won't allow you to send this rogue information. The fact that I was able to send this rogue information and access a safety-critical system definitely blew me away.
Like I had mentioned, it was fairly easy to just grab the steering wheel and not allow it to control the vehicle. This vehicle, because it was a very base model one, also had no wireless connection aside from a Bluetooth phone connection. It wasn't like, “Oh, this could be attacked through a cellular network,” or anything like that.
That also goes back to the fact how I was sharing that different cars all use the same controller. This car didn't have these features, but because it shared a controller with one, and it also appeared to possibly share the steering column capabilities of a vehicle that I was able to manipulate this data and manipulate the steering wheel on it. It's there. The threat, I think, is real. It just looms more and more as more vehicles have those wireless connections.
It's scary, and at the same time, encouraging that it isn't a current problem, really.
Yeah. One thing that's funny is, I had thought about trying to program a video game controller that I could plug into the OBD2 port of this car and just drive it around with a video controller.
That's great.
There's one other question I wanted to ask. I don't know if this is up your alley or not. I've seen videos online of people coming into the neighborhood with a wireless device and unlocking people's cars, even though they don't have the key fob. Are there really such devices like that? If there are, what can consumers do to keep their cars from being unlocked like that?
Definitely. That's a real one. It's probably the thing most thought of when I mention car hacking to non-technical individuals. They're like, “Oh, unlock a car without the remote and stuff like that.” It definitely is a huge issue.
There was a vehicle manufacturer that was hitting the news because people were doing black box—as they would call them—attacks on the vehicle. There was another individual who, a while back, released an attack on some Hondas.
Then there was another one from another vehicle manufacturer, where you could pull off the plastic around the steering column and use a USB cable to start it. You didn't need to send anything across the USB cable. I can't remember exactly how it was, if it involves shorting or what, but the threat is definitely there.
I think the big thing is to avoid these, because a standard user can't really do much to avoid these, or it's coded in the car. It’s a bug. But I think one of the huge issues is actually with cars, and there's a catch-22 here. When we have a bug on our home computer, Microsoft says, “Hey, you have an update.”
As much as we hate to do it and as much as we may be behind on our updates, it's a simple process. You hit the update. You restart your computer, or your computer restarts in the middle of you trying to do something important by itself to install them, so you can't use it for the next 20 minutes. The fact is it's easy to do and can be done from home.
That currently isn't the case for most vehicles. You have to go into your dealer. Imagine right now how far behind some of the people may be on their Windows updates, or how far you may be on your updates. Imagine if you had to take your computer to a Dell service center, or a Hewlett-Packard service center to get updated every single time it needed to get updated. It would be hard.
The best thing is to take your car in and get it serviced every once in a while at the dealership at least, so that they could deploy any software upgrades they need to do. Follow recalls, which I'm sure people already do. It's pretty common to look up recalls on the vehicle.
The catch-22 I was mentioning here is what they call OTA, or over-the-air updates, which is when a car has a cellular network or it rolls into the garage and connects to the Wi-Fi at the house, it will download the update and update itself just as the computer does. The catch-22 is that that is a wireless connection that makes the car susceptible to issues.
Of course, too, there's the fear that maybe there's a bug in that new update. But as I come from corporate IT, doing some sysadmin work and stuff like that, I am adamant about always doing the latest update. There's the issue, because a lot of people are like, “My computer or my car has been working fine forever. I don't want to update it, because that could institute a new issue.” Of course, there is that, that a new issue could be implemented with a software update and then of course, the wireless connectivity issue that allows your car to be attacked remotely.
How crowded is your field of automotive system security?
That's actually a huge thing with this growing need of security professionals, where there's a huge shortage of employment. It's one of the things that actually worries me most. We are not going to have the workforce of security professionals to keep up with the need for security. A lot of people, when they go into security, they think of things like, oh, web apps, because websites get hacked, or corporate IT security because corporations get hacked.
It's just now starting to be like IoT, or Internet of Things, security, because an Alexa could get hacked. We still haven't crossed into where people are thinking like, “Oh, cars could get hacked.” The need is great. It's there. It pays well. Like I mentioned, I've only been doing this hobby/professionally for half a decade.
I skyrocketed into the field faster than I ever did in corporate IT. It's there. If you're in IT and into security, especially if you're into hardware hacking, Internet of Things hacking, look into the automotive industry because we need your help.
Are there any particular resources that people can go to to find out more or you have to dig on your own to find them?
There's actually a book that's very popular called The Car Hacker's Handbook by Craig Smith. The book is actually a legal free PDF online that you could get. The Car Hacker's Handbook version two is coming out. I could promise you that, because I actually helped with a chapter about recreational vehicles, motorsports, and stuff like that on it.
I definitely would start with that book and then attend your local hacker con. Whether it be DEFCON or whether it be your BSides hacker con, and look for the car-hacking village. We just had our Grand Rapids cybersecurity conference. We had an amazing capture the flag car hacking village area where we drove in a semi. I actually borrowed a motorcycle from Buell Motorcycles so that people could hack the motorcycle.
We had a few engine controllers there and some others. I think there was an air brake system that people were allowed to try to hack. The community's great and the utilities are there. The ability to learn at these events is huge.
That's really cool. If people want to be able to connect with you online, where can they find you?
My Twitter handle is @CanBusDutch. That's probably the best way to get at me, I guess. Because of the unknown looming fate of Twitter, I'll actually give my email, too, which is canbusdutch@gmail.com. If Twitter hits the very unwanted fate, you could reach me by email.
We'll make sure to throw a link to The Car Hacker's Handbook PDF in the show notes. That way, people can easily find it there.
Derrick, thank you so much for coming on the Easy Prey Podcast today.
Thanks a ton for having me. It was good times.