This reminds me of what 'old-school hacking' was all about - tinkering beyond typical limits to achieve something cool. I understand how these things can be used for malicious reasons, but the greatest benefit of such knowledge in my view is that it opens up a lot of opportunities to make some cool car gadgets. One of the problems that could arise if security is tightened up on automotive communications/control systems is that it could end up being a lot more difficult to have fun making custom gauges, interfaces, audio systems or perhaps even one touchscreen to rule them all. I wonder what Richard Stallman would create as far as automotive systems go...? Great video! I know this is 6 years on, but the information is still just as relevant in 2024 as it was 6-7 years ago; highlighting what you mentioned about companies not doing much about security. Hopefully they only secure the safety features and leave the rest open for tinkering :)

I am not a computer person by any means, I just have a great curiosity regarding CAN bus and OBD2 (motorbikes / data aquisition). Your video is great. Easy to follow and has helped me understand how easy / hard it is to get into either system. And how little I know! Thanks

Thanks for publishing this video! It was very helpful in developing an ISO9141 to CANbus data transceiver.

Where does Volvo store the expected software numbers within the can network for all the control modules attached to ms can or hs can? Got 2 used control modules, and both of them is setting u030000 incompatible software and u012200 lost communication.

I like having an insecure canbus. Makes it easy to see what is going on.

I've successfully found the codes that control the A/C on my car and the fan speed and stuff. I was wondering if you've ever worked with writing sketches in Arduino to control the vehicle through apps like Blynk. Do you know of any resources that could teach me how to write sketches or scripts to control the vehicle?

Rod, that is one really first class presentation. A great mix of theory and practice, and not a single wasted word in 40 mins. What a fascinating world boys (primarily.... ) have created in which to play! Many thanks.

Great work mate

Crystal clear and we'll explained, some question only so can bus is like UDP broadcast no assurance of nodes have received the message?

How can I know can address when transmit data package? Do you have address for other car lick kia,ford,toyota...?

Hi Was great video But all Hacking you mentioned can easily be done with a good diagnostic too you go to special function of the tool can do everything you mentioned

Great video very interesting

Can you possibly have something like this for use car customizer. For example I love the new Land rover range rover full digital dash/gauges and would like to install into a 1990s honda or and 1985-1993 ford mustang and be able to show all the data for the engine transmission brake ect you get the point. Just a way to fully customize it to our liking and be fully compatible/working with some wiring and maybe changing or few sensors and use the outputs of stock to custom ecus( engine control unit)

it seems the CANtact you mentioned is abandoned project and no longer available. What else you suggest?

Saying the CAN bus is a problem is like saying a USB port on a server is a problem. Trying to encrypt it will not solve the issue of a compromised device giving you access to the CAN bus. It also raises other issues of your ability to control your own device. Which shouldn't you be able to access the CAN bus? So the CAN bus doesn't seem to be the problem. The problem is things which allows you to remotely gain access to it. You shouldn't be able to compromise a web browser and gain access to the CAM bus. And the segregation of the 2 separate CAN busses seems to do that well.

How did you handle the case with CRC used in CAN message. In case of transmitting new data(not replaying old data) with specific CAN ID, how did you manage to calculate the CRC, that is correctly received by the receiver ECU?

Thanks

Thank you. Very informative and crystal clear explanation. Just wondering which online repair data service (paid subscription) you used ? Is it ALLDATA or something else?

Were you able to roll the miles back, I work for Mercedes and the miles are stored in the ignition switch and people open them and install a little module that rolls back the miles in the cluster.

Hi Roderick, thank you for the nice presentation. what inexpensive hardware would you recommend to use in conjunction with Linux tools?

So would the engine fuel shutoff occur if the engine RPM was spoofed over the rev limiter? Fairly easy way to disable the vehicle.

Simply do NOT attach powertrain systems to cellular. Chrysler could have released TSB calling to detach Infotainment B bus from Star Can connector. That way wireless and powertrain are isolated from scammers just wanting more security

10:47 Did you break the law by altering you odometer? You did not list it as an exception to the law in your presentation.

A very interesting and educational video on the CAN bus. But you can't compare hacking a cars CAN bus to deface a web site. A web site is accessed remotely and you accessed the CAN bus directly on the hardware. That is like accessing a computer hosting a web site directly on the hardware. This is always insecure. The problems with modern cars are remote access (Wifi or Bluetooth) through, for example, a insecure entertainment system that is directly connected to the CAN us on the vehicle. If you let the mischief's inside your vehicle, then you certainly are going to be pwned!

Thank you for the video!

I've just received my USB2CAN module, I'm struggling to get it installed, I only have a MacBook Pro for which there is no support, so I've installed VirtualBox and Ubuntu in a virtual machine, but the instructions for building the drivers on linux are not very good, can you help?

That B-CAN bus is not that also called LIN-Bus which is a 1 wire bus ?

Great! Keep it up!

how can you clone the firmware?

Very cool! Do you do any consulting on CAN related projects?

don't expect car manufacturers to start integrating pieces of architecture Bosch has not yet designed. Security is always an after thought because it eats into profits 🙂

Well done!

The body control module passes select packages between the two isolated buses. Via the can bus one could... Roll up the windows and keep them up, Lock the doors and keep them locked, Set off all the airbags, Disable the power steering, Fool the anti-lock brakes so that the brake pedal has no effect, Wide open throttle the engine, Full field overcharge the battery, Keep the fuel pump turned on after a crash Even alter the ignition timing in the engine to intentionally cause backfiring to promote a vehicle fire... Scary stuff! You could have really upped the impact of your speech if you had gone into the implications a little farther. Also, a fair number of ECU's were equipped with RF linking to enable checking emission codes "on the fly". So wireless access doesn't necessarily require a cellular connection like the Tesla from your example, just proximity to the vehicle.

good job!

Bit alarmed by the use of the word attack here, like you say, with a direct connection the only level of security is the black boxness of the software in each module, establishing what each data packet does is mostly just elimination and testing time. Those speed conversion factors are often listed (due to wheel size and market and different dash configuration) within any odb tool for the car for soft coding. You slightly mentioned different can protocols but didn’t say on many vehicles with a gateway module you’ll have to pick carefully where you join the network if you want to play effectively. A more attacky thing would be how to circumvent the software to carry out custom updates without pulling the eeprom like imitating a factory tool.... yes yes I know, hide a data sniffer inside and send in your car for a software update but that’s not fun. Most half decent automotive oscilloscopes can record and decode can these days, n if you prefer doing things the fun way Arduino is totally the way to go imo. Re the radio hack you mention at the start it’s sparked my interest, I assume that somehow forces the radio to then send spoofed can signals into the network? On most cars the infotainment is on a higher baud rate than the drivetrain and comfort can networks, I’m guessing actually gateway modules are there now to block those spurious packets? Thank you for the vid!

Great..

Hello Sir, Do you know any ready made or DIY device available in market which can detect a running Engine’s RPM (via non-contact method or via Crankshaft sensor) and then via “CAN protocol output” pass-on this RPM value to any of following DC Controller (to control DC Motor’s RPM)? 1. www.nocoev.com/product/curtis/manual/1229%20(15B).pdf 2. www.nocoev.com/product/curtis/manual/1244%20(13E).pdf 3. OR Any other 200+ Amp DC Motor SPEED & TORQUE Controller (which you will recommend) Please do let me know if you have any appropriate device? Thanks!

I'm planning to hack my car i20 to automatically door lock after reaching some speed and unlock as engine is off. So, which variant of CAN BUS shield is suitable for my project? Thanks.

Hi Roderick its nice research and nice presentation. i am a digital forensic student in AUT auckland. one quick quection have you phisically connect to the OBD port in vehicle? and can i conntact you via email if i need any help? regards loku.

If you are going to copy his work, you could at least give Eric Evenchick some credit.

This really isn’t hacking, it’s just reading a network and replaying packets.

22:50

ABSOLUTE CRAP