Since the darlings of car hacking, Chris Miller and Charlie Valesek, started working as consultants to automakers, they have left a hole in the car-hacking industry. A former intern at Tesla, Eric Evenchick, is selling a device to help car hackers break into vehicle Controller Area Network (CAN) buses. Let’s look at what the device and software can do and see if we should be worried.
Evenchick will reveal his CANard software and CANtact device at the BlackHat Asia conference, where last year hackers showed a $20 Bluetooth device, the CAN Hacking Tool or CHT, that could turn off headlights, set off alarms, roll windows down or set the parking brake.
Evenchick claims that his tool will make it easier for “researchers” to find vulnerabilities in car systems.
A seminar conducted by Evenchick at BlackHat Asia, similar to the one seen on YouTube (see video below), explores CANard’s features and demonstrates auto software vulnerabilities. He’ll demonstrate how to read and clear fault codes, crack diagnostics security, and fuzz controllers to take over vehicle operation.
CANard tests the Controller Area Network (CAN) using Python. Connecting to the bus requires hardware. Evenchick is selling only 100 CANtact CAN-to-USB devices for $59.95 (USB and OBDII cable not included). If you can’t afford the hardware, he offers directions on how to make your own. The device can then be connected to a Windows, Linux or Apple computer.
In the video, Evenchick says, “Cars are fun, let’s break them.” He formerly worked for CrossChasm, a maker of technology for electric vehicles and fleet management.
Cars after 2008 allow access to the CAN bus through the OBDII port. If you plug into the OBDII port, you can see what’s going on in the car.
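To make "seeing what's going on" concrete from the monitoring side, the Python below is an added example (not code from the article, from CANard, or from Evenchick) that scans a candump-style log for fault-code read/clear and security-access requests on the standard OBD-II request IDs. The sample log lines, the function name and the choice of watched services are assumptions constructed for this illustration.

```python
import re

# Standard 11-bit OBD-II request IDs: 0x7DF (functional) and 0x7E0-0x7E7 (physical).
REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))

# Diagnostic services to flag (assumed watch list for this example).
WATCHED = {
    0x03: "OBD-II read stored fault codes",
    0x04: "OBD-II clear fault codes",
    0x14: "UDS ClearDiagnosticInformation",
    0x27: "UDS SecurityAccess",
}

# candump log format: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

def diagnostic_events(lines):
    """Return (timestamp, can_id, description) for each watched diagnostic request."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or len(m[3]) % 2:
            continue  # skip malformed lines and odd-length payloads
        can_id, data = int(m[2], 16), bytes.fromhex(m[3])
        if can_id not in REQUEST_IDS or len(data) < 2:
            continue  # ordinary bus traffic or ECU responses (0x7E8-0x7EF)
        length = data[0] & 0x0F
        # Only ISO-TP single frames: high nibble 0, length fits in the payload.
        if data[0] >> 4 != 0 or length == 0 or length > len(data) - 1:
            continue
        if data[1] in WATCHED:
            events.append((float(m[1]), can_id, WATCHED[data[1]]))
    return events

# Constructed sample log, not captured from a real vehicle.
SAMPLE_LOG = [
    "(1427299200.100000) can0 244#0000003A10",        # ordinary traffic
    "(1427299200.200000) can0 7DF#0201050000000000",  # live-data request, not watched
    "(1427299201.000000) can0 7DF#0103000000000000",  # read fault codes
    "(1427299202.000000) can0 7E0#0227010000000000",  # security access request
    "(1427299203.000000) can0 7E8#0667010A0B0C0D00",  # ECU response, ignored
    "(1427299204.000000) can0 7DF#0104000000000000",  # clear fault codes
    "not a candump line",
]

if __name__ == "__main__":
    for ts, can_id, what in diagnostic_events(SAMPLE_LOG):
        print(f"{ts:.6f} id=0x{can_id:03X} {what}")
```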
Evenchick claims he can disable a car with one line of code. He also states that with CANard, he wants programmers to share with each other what they find in car codes and what they mean. Evenchick has formed a GitHub library of scripts for car hackers to share their discoveries.
He has warned that you can break the law by modifying the data sent to an insurance OBDII port device. Another way to commit a crime would be to change the emission test results.
The good news is that CANard cannot control the engine of most cars (except electric or hybrid) because it is controlled by a single directed fuel pedal.
Evenchick says that Bluetooth devices limit hackers and that it is scary that insurance devices can control cars.
Tesla has software development and security in-house and is dealing with security better than most automakers, says Evenchick.
Evenchick claims that the automakers get software from different places to work with parts, making it easier to hack. He also told reporters that he did not create the device for malicious means but to help people better understand their cars.
From watching the video and looking at how the whole software system works, CANard does require knowledge of Python and a hardwired connection to the actual vehicle. The specific codes for each function in every car make and model are not openly known. The device does not allow for wireless access as seen in the DARPA Chevy Impala hack seen on 60 Minutes.
What usually happens in the cases of public hackers who get a lot of media attention is that eventually they sell their consulting services for high sums of money to the companies they hacked.
In fact, on Evenchick’s CANtact website he states, “I also offer consulting services and training on Controller Area Network and CANtact. If you’d like to work with me on a project, please get in touch.”
The CANtact device support information shows that both community and commercial support are available.
Owners of vehicles made before 2008 have very little to worry about because breaking in is too hard and the car's value is not worth the hours and hours of coding necessary.
Because the GitHub library is public, the automakers can also access it.
The basic rule of thumb for hackers using the CANtact device is that they must have physical access to your car. As long as your car and CAN bus are locked and secure, you are safe, for now.
When AUTO Connected Car News asked security expert Mark Fitzgerald from Strategy Analytics about car computer hacking, he said that it seldom happens. When a connected device is required, it is a lot of trouble to go through to hack a vehicle.
Eric Evenchick is a freelance embedded systems developer. While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition. Eric has also worked on automotive firmware at Tesla Motors, and is a contributor for Hackaday.com.
On another note, I was at the zoo when all this CANtact stuff went live. There were lions and tigers and bears and elephants and a hippo!
— Eric Evenchick (@ericevenchick) March 25, 2015