You have probably seen the Wired magazine story about the two guys who managed to hack a 2014 Jeep Cherokee using the telematics connection called U-Connect. Although the driver, a writer for Wired, was in on the hack for the sake of the story, the hackers were able to remotely control the transmission, brakes and steering. While the video showing them toying with the magazine journalist was interesting, the hackers’ subsequent paper and 30-minute presentation given at a hacker conference were one of the best training sessions on CAN buses and code.
Chris Valasek, the director of vehicle security research at IOActive (an Internet security company), and Charlie Miller, a security researcher for Twitter, did the hacking. It took more than a year of research, coding and reflashing certain chips in the telematics and entertainment system to be able to take over the vehicle remotely. It was not easy, and they did disclose the findings to Chrysler before they went public.
Their first task was to look at how the head unit that contains the U-Connect system communicates with the Internet using a cellular data connection. Next, they had to look at how the system connects to the CAN bus and the topology of the network. After the topology was figured out, they looked at what message formats the modules were using on the network. From there, they went about reverse engineering and developing firmware that could “jailbreak” the system. Then they had to reflash the CAN bus interface chip in the head unit with the hacked firmware.
They were able to observe the system and look at the different data packets that were communicated when specific systems were active and how they reacted to specific inputs. For example, in order to control the ABS module functions, they subjected the vehicle to panic stops that would activate the pre-braking system. They would record the CAN bus traffic and deconstruct the data packets along with the corresponding corrective actions.
Even if you are not a code person, the research paper they submitted is a must-read to understand how a CAN bus network system works and the packets of data transmitted over the network. Also, this paper is great at explaining how OEMs make their packets proprietary even though the CAN bus is an SAE standard.
Miller and Valasek explained the two types of CAN packets: normal and diagnostic. Normal packets are used to communicate information and commands like the gas pedal position and the commanded throttle angle. These packets are shared by many modules. For example, a packet that contains information about vehicle speed can be used by the instrument cluster, audio system and transmission module. After analyzing a lot of the packets, they realized that OEMs “wrap” the information in their own protocols and “checksums” to either confuse people trying to steal the code or make sure that their technology only works on their vehicles. Also, they discovered how CAN networks prioritize packets and detect attacks.
The other type of packets they investigated were diagnostic CAN packets. These packets are sent by diagnostic tools to communicate with and interrogate computers. These packets will typically not be seen during normal operation of the vehicle.
As part of their experiment, they purchased a number of OE and aftermarket scan tools. They found that the language of scan tools and diagnostic packets was straightforward and lacked some of the extra coding added by the OEMs. Also, the paper they submitted breaks down how a tool communicates and trades certain keys to transmit bi-directional commands.
While the research shows the hack is almost impossible to replicate, what has gotten lost in the sensational headlines is the critical role technicians play in keeping CAN networks up and running.