TECHNICAL WHITE PAPER Adventures in Automotive Networks and Control Units Chris Valasek, Director of Vehicle Security Research for IOActive [email protected] Charlie Miller, Security Researcher for Twitter [email protected] Executive Summary Previous research has shown that it is possible for an attacker to get remote code execution on the electronic control units (ECU) in automotive vehicles via various interfaces such as the Bluetooth interface and the telematics unit. This paper aims to expand on the ideas of what such an attacker could do to influence the behavior of the vehicle after that type of attack. In particular, we demonstrate how on two different vehicles that in some circumstances we are able to control the steering, braking, acceleration and display. We also propose a mechanism to detect these kinds of attacks. In this paper we release all technical information needed to reproduce and understand the issues involved including source code and a description of necessary hardware Copyright ©2014. All Rights Reserved.- 1 - Contents Executive Summary ............................................................................................................... 1 Introduction ............................................................................................................................ 4 Electronic Control Units .......................................................................................................... 5 Normal CAN Packets ............................................................................................................. 7 Diagnostic Packets................................................................................................................. 8 ISO-TP ................................................................................................................................... 9 ISO 14229, 14230 ................................................................................................................ 10 *ISO 14230 ....................................................................................................................... 11 DiagnosticSessionControl ................................................................................................ 11 SecurityAccess ................................................................................................................. 12 InputOutputControl ........................................................................................................... 12 InputOutputControlByLocalIdentifier ................................................................................. 12 RoutineControl ................................................................................................................. 13 RequestDownload (and Friends) ...................................................................................... 13 The Automobiles .................................................................................................................. 15 Ford Escape ..................................................................................................................... 16 Toyota Prius ..................................................................................................................... 18 Communicating with the CAN bus ....................................................................................... 21 EcomCat .............................................................................................................................. 24 Output ............................................................................................................................... 24 Input ................................................................................................................................. 24 Continuous Send .............................................................................................................. 24 Ecomcat_api ........................................................................................................................ 24 Normal CAN packets ........................................................................................................ 25 Diagnostic Packets ........................................................................................................... 26 PyEcom ............................................................................................................................ 26 Injecting CAN data ............................................................................................................... 26 Problems and Pitfalls ........................................................................................................ 27 Simple Example for the Ford Escape ............................................................................... 30 Simple Example for the Toyota Prius ............................................................................... 31 Attacks via the CAN bus – Normal packets .......................................................................... 32 Speedometer – Ford......................................................................................................... 32 Odometer – Ford .............................................................................................................. 34 On-board Navigation – Ford ............................................................................................. 34 Limited Steering – Ford .................................................................................................... 35 Copyright ©2014. IOActive, Inc. [2] Steering – Ford ................................................................................................................. 36 Speedometer – Toyota ..................................................................................................... 38 Braking – Toyota .............................................................................................................. 38 Acceleration – Toyota ....................................................................................................... 40 Steering – Toyota ............................................................................................................. 42 Attacks via the CAN bus - Diagnostic packets ..................................................................... 46 SecurityAccess – Ford ...................................................................................................... 46 Brakes Engaged – Ford .................................................................................................... 49 No Brakes – Ford ............................................................................................................. 50 Lights Out – Ford .............................................................................................................. 51 Kill Engine – Ford ............................................................................................................. 51 Lights Flashing – Ford ...................................................................................................... 52 Techstream – Toyota Techstream Utility .......................................................................... 52 SecurityAccess – Toyota .................................................................................................. 53 Braking – Toyota .............................................................................................................. 55 Kill Engine – Toyota.......................................................................................................... 56 Lights On/Off – Toyota ..................................................................................................... 57 Horn On/Off – Toyota ....................................................................................................... 58 Seat Belt Motor Engage – Toyota..................................................................................... 58 Doors Lock/Unlock – Toyota ............................................................................................ 58 Fuel Gauge – Toyota ........................................................................................................ 59 Ford Firmware Modification via the CAN bus ....................................................................... 60 Extracting Firmware on PAM ............................................................................................ 60 HC12X Assembly ............................................................................................................. 62 Firmware Highlights .......................................................................................................... 63 Understanding Code “Download” ..................................................................................... 65 Executing Code ................................................................................................................ 68 Toyota Reprogramming via the CAN bus ............................................................................. 72 Calibration Files ................................................................................................................ 73 Toyota Reprogramming – ECM ........................................................................................ 75 Detecting Attacks ................................................................................................................. 83 Conclusions