Towards the Prevention of Car Hacking: A Threat to Automation Industry

Background/objectives: Connectivity provides a safer environment, but it also serves as a backbone that exposes an attack surface to hackers. There are millions of cars on the road today, and many more are expected in future, so there is a risk to passengers, drivers and others. Methods/statistical analysis: This study discusses car hacking, one of the real threats to automobiles as well as automation, and how we can prevent it by studying the details of the controller area network (CAN) bus architecture, so that auto manufacturers give more emphasis to developing a secure vehicular information system. Findings: Hackers gain access to the car system via the internet, Bluetooth, etc. The more a car is automated, the more vulnerable it is to cyber-attack. When a car is connected to the internet, it provides access to the vehicle's delicate CAN bus. Hackers can hijack non-safety and safety-critical functions such as steering, accelerator, brake and clutches by sending commands. Improvements/applications: This study gives a general overview of how we can validate the security features of a vehicle so that we can secure it from black hat hackers, protecting the millions of people who could become victims of such menacing cyber-attacks.


Introduction
In 2010 researchers at the Center for Automotive Embedded Systems Security (CAESS), California, found that gaining a connection to a car's OBD-II port makes it easy to disable the brakes and switch the engine on or off. They embedded malicious code in the car's telematics unit and were able to break its network security. [1] In 2013 cyber security researchers Charlie Miller and Chris Valasek showed Forbes how they could access vehicle controls from a laptop computer via the OBD port. [2] In 2014 Mathew Solnik, an information security researcher, manipulated a car's engine, brakes and security systems from his laptop by wirelessly connecting to the OBD port in the controller area network (CAN) bus system.
In 2015 host Lesley Stahl, in a demonstration by the U.S. military's Defense Advanced Research Projects Agency (DARPA), drove a car remotely using his laptop.
In 2017, William Hatzer and Arjun Kumar at Rapid7 claimed that the Hyundai Blue Link app can expose users to a man-in-the-middle attack, giving hackers easy access to the user's personal information. In today's world, many of the objects that we use in day-to-day life and at home are increasingly becoming remotely controllable. Technology creates a need to automate everything and to influence and automate the behavior of objects that once required local and manual input. Thus, automation has become a necessity and an important issue to tackle. [3] The vehicle is one of the most typical products of industry. A vital and necessary consideration for a car is safety. In the past, car designers did not need to consider that a car could be attacked and controlled by hackers. But with the significant developments of recent years, IT crimes have become a serious problem that cannot be ignored. The deficiency of safety in the electronic and information systems of cars should get more attention.

Keywords: Car Hacking, CAN Bus, Cyber-attacks, OBD Hacking
Considering modern vehicles, it is quite easy to picture a scenario where a car is controlled using a smartphone. Moreover, this leads to a rise in autonomous and self-driving cars, which represent the next logical step and are already a reality. As the electronic circuits of vehicles grow more complex, there is a need to understand the electronic control units (ECUs) and their importance in monitoring the various subsystems of a car. In addition, modern vehicles are able to communicate with other devices using wireless interfaces, potentially exposing the internal network of the car to vulnerabilities. It is our belief that the current state-of-the-art internal communication systems used in modern cars are not ready to handle threats from external attackers. [3] Currently, ECUs are widely used in cars for controlling and achieving most functions. A vehicle may have dozens to hundreds of ECUs. In this case, CAN plays the role of connecting the ECUs together. The hardware of CAN is called the CAN bus. [4] One feature of CAN is that it follows a message-based protocol to transfer information. In a real car, the contents of CAN messages depend on the car's designer, but the form of these messages obeys a particular standard (ISO 11898). Because of this, it is not difficult to analyze these messages merely by reading them. Besides, the CAN data frame, which is used for sending status information or instructions, does not include any field identifying the sender of a message. [4]
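Because the data frame carries no sender field, a receiving ECU can only check origin if the check is carried in the payload. The following added example (not from the original paper) sketches one such check with a truncated HMAC and a counter byte inside the 8-byte data field; the key, the CAN ID 0x123 and the 4+1+3 byte layout are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SIGNAL_LEN, MAC_LEN = 4, 3   # assumed layout: 4B signal | 1B counter | 3B MAC

def _mac(key, can_id, counter, signal):
    # Bind the tag to the arbitration ID and the full (untruncated) counter.
    msg = struct.pack(">IQ", can_id, counter) + signal
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, signal):
        """Return the 8-byte data field for one frame."""
        if len(signal) != SIGNAL_LEN:
            raise ValueError("signal must be 4 bytes")
        self.counter += 1
        tag = _mac(self.key, self.can_id, self.counter, signal)
        return signal + bytes([self.counter & 0xFF]) + tag

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, data):
        """Return the signal if the frame is authentic and fresh, else None."""
        if len(data) != SIGNAL_LEN + 1 + MAC_LEN:
            return None
        signal, low, tag = data[:SIGNAL_LEN], data[SIGNAL_LEN], data[SIGNAL_LEN + 1:]
        # Smallest counter above the last accepted one with this low byte,
        # so a replayed frame maps to a counter its tag was not computed for.
        counter = self.last + 1 + ((low - (self.last + 1)) & 0xFF)
        if not hmac.compare_digest(tag, _mac(self.key, self.can_id, counter, signal)):
            return None
        self.last = counter
        return signal

def demo_auth():
    key = b"constructed-demo-key"            # constructed key for this example
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    frame = tx.build(bytes.fromhex("00000029"))
    forged = bytes.fromhex("0000005A") + frame[SIGNAL_LEN:]   # altered signal, old tag
    return {"genuine": rx.accept(frame) is not None,
            "replayed": rx.accept(frame) is not None,
            "forged": Receiver(key, 0x123).accept(forged) is not None}
```

The 24-bit tag is a trade-off forced by the 8-byte classic CAN data field: it makes blind forgery unlikely per frame but does not rule out guessing.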

Using an Arduino-based RF Transceiver
The first attack we performed used a radio device that cost just 2000 INR, consisting of a radio receiver and a small control board, yet capable of spying on and extracting the continuous code values used by keyless entry systems (Figure 1). [5,6] We included code values in the signal, which is sent every time a driver presses the key buttons and is then used to emulate a key that is unique for every vehicle. Then we reverse engineered one component inside a car's network and were able to extract a cryptographic key. Then we combined the two secret keys, which enabled us to clone the key fob and access the car.

Hijack with HiTag2 and a Radio Device in 60 Seconds
In the second method, we used a cryptographic scheme called HiTag2 which is old but still used in millions of vehicles, including Lancia, Opel, Renault, Ford, Alfa Romeo, Chevrolet and Peugeot.
To perform this attack, a hacker needs a tiny radio setup which is similar to the one used in the previous hack. Using a radio device, we were able to read and intercept the strings of the coded signals from the car's key fob.
We discovered that flaws in the HiTag2 scheme, with the help of rolling codes, would allow cracking the cryptographic key in a second. So these two methods were just for unlocking the car, making it accessible for hackers or thieves to steal it. But if we use a digital system instead of rolling codes, it would be more secure. Unlocking the car is the first step for every hacker, so that they can tamper with the CAN bus system and the OBD port.

Tampering the CAN Bus
Two security researchers, Javier Vazquez-Vidal and Alberto Garcia Illera, have developed CAN Hack, a tiny device, even smaller than a mobile phone, to hack cars. The device costs 1500 INR, but is able to give away the entire control of any car to an attacker, from headlights and windows to its steering angles [7] and brakes (Figure 2). [8] Injecting malicious code into the CAN ports makes it possible for an attacker to send wireless commands remotely from a computer. It can take just 5 minutes or less to put it into action and then walk away. Whether it takes 1 minute or 1 year, a hacker could wait and then trigger it to do whatever it has been programmed to do. Once hackers have control of this network, they can control locks, lights, steering and even brakes (Figure 3). [9]

CAN Bus Architecture
The CAN bus is called the heart of any modern vehicle's interconnected systems. It is a single, centralised network bus on which all of a vehicle's data traffic is broadcast. The CAN bus carries every command from the operator, such as "apply the brakes" or "roll down the windows", as well as readouts from sensors reporting engine temperature or tire pressure. The emergence of the CAN bus [10] brought improvements in efficiency and a reduction in complications, thus reducing wiring costs too (Figure 4).
But with the car hacking toolkit (CHT), hackers have already tested different vehicles and successfully performed tricks, which include setting off alarms, affecting the steering, applying brakes, and switching off headlights. We performed this with the help of Bluetooth, but we could also do the same with the help of a Raspberry Pi or a WiFi router, enabling the CHT to control the car from a far distance.

Understanding the OBD Port
All the vehicles come equipped with an OBD (On Board Diagnostic) port, which allows the external devices to interface with a car's computer system. We generally find

Layman Procedure
First of all, as soon as we gain access to an OBD board, we are able to extract all the information about the car. We can use that information to understand the architecture and behaviour of that car.
But changes can only be made when a hacker or attacker has access to the CAN bus architecture. Communicating with the CAN bus requires various drivers and software. The best technique is to combine the CAN tools and their various interfaces into a common interface so that different tools can easily share data and communicate (Figure 6). [12] SocketCAN, an open source CAN driver and the official CAN API of the Linux kernel, makes it possible to build tools that support CAN. SocketCAN applications use the standard C socket API with a custom network protocol family, PF_CAN. With this functionality, the kernel handles CAN device drivers so that they communicate with existing networking hardware, providing user-space utilities and a common interface. [13] We used this git command to install CAN utils in our package manager.

Data Recorder Logging
All vehicles that came after 2015 are equipped with a kind of black box called an event data recorder (EDR), but it records only a limited portion of the information that a black box on an aircraft does. Information stored on an EDR is as follows [14]:

Airbag Deployment
Generally airbags deploy when a car is hit on its bonnet, but here, with the amalgamation of codes, they can be deployed at any time.

Steering Angles
Turning the steering into wrong angles might lead to an accident.

Vehicle Speed
Engine speed could be tampered with using a reverse CAN; thus, acceleration could be suddenly boosted, leading to a major accident.

Brake Status
Brakes could be applied anytime by the attacker, which might result in a tragedy.

Ignition Cycles
Ignition could get disrupted while driving, causing a sudden stoppage of the car.

Communicating with the Wireshark for Reversing CAN Bus
To keep a watch on the activity of CAN, we need a device called OBD-II that can monitor and generate CAN packets. This device costs around 2000 INR. Open source hardware and software are ideal to use as they are compatible with the majority of software tools. We used Wireshark to capture and alter the packets, and candump from the can-utils suite (Figure 7). [15,16] Every vehicle has a unique CAN system; therefore, common packet investigation won't work for CAN. Because there is so much noise on CAN, it is very difficult to sort every packet into order.

Wireshark
For networking, we used Wireshark with SocketCAN to capture CAN packets. Wireshark can listen on both canX and vcanX devices. To use a slcanX device with Wireshark, change its name from slcanX to canX.
If interface renaming doesn't work, then one has to transfer CAN packets from an interface that Wireshark can't read; a single CAN could bridge the two interfaces. To do so, we used the mentioned commands (Figure 8): Raw hex bytes are shown because the data section isn't decoded. This happens because Wireshark's decoder is

Writing to the CAN Bus
Then we wrote back to the CAN bus using the commands below, which handle the steering wheel angle.

$ openxc-control write --name steering_wheel_angle --value 41.0
$ openxc-control write --bus 2 --id 41 --data 0x1234
It is basically called raw CAN hacking. However, one can write an app or embedded graphical interface so that the vehicle could read and react, thus making it the quickest route to own a car for free.

Hacking OpenXC
After reversing the CAN signals, one can build their own OpenXC firmware. OpenXC is an API for the car: its job is to read and translate information from a car's internal network so that the data becomes accessible to most Android apps using the OpenXC library. Compiling [17] our own firmware becomes easy, which means we can now read or write whatever we want and even write code for the "unsupported" signals. To start an engine, we can create a signal for that and then add it to our own firmware in order to provide a layman interface to give ignition to the car. So, this is the power of open source. Consider a signal that renders the speed of the engine. Giving 8-8 will set a basic configuration to return the engine speed signal. Then we sent RPM data with a 4-byte-long instruction ID 0x1110 starting at the fourth byte.
JSON uses human-readable text to transmit data consisting of array data types and attribute-value pairs. As soon as we had the JSON, we compiled the above code into a CPP format, which again could be compiled into the firmware:

$ openxc-generate-firmware-code --message-set /runbench.json > signal.cpp
With the help of these commands, we recompiled the firmware. If somehow things go wrong and we can't gain access to the CAN bus system, then ECU hacking comes into the picture. [17,18]

Conclusion
Cyber security is now the need of the hour. Smart cars are the most vulnerable and open to any sort of exploit. One can imagine the situation of being hacked while driving. Even the airbags, brakes and accelerator may not be under one's control at the wheel. So, manufacturers need to place much importance on the CAN bus system by making it more hardware-secured and using secret codes. By finding all the possible ways a hacker can attack the car, we can patch those vulnerabilities and save people.