How to Hack Your Mini Cooper: Reverse Engineering Controller Area Network (CAN) Messages on Passenger Automobiles

DEF CON 21

Presented by: Jason Staggs
Date: Saturday August 03, 2013
Time: 15:30 - 15:50
Location: Track 2
Track: Track 2

This presentation introduces the underlying protocols on automobile communication system networks of passenger vehicles and evaluates their security. Although reliable for communication, vehicle protocols lack inherent security measures. This work focuses strongly on controller area networks (CANs) and the lack of authentication and validation of CAN messages. Current data security methods for CAN networks rely on the use of proprietary CAN message IDs along with physical boundaries between the CAN bus and the outside world. As we all know, security through obscurity is not true security. These message IDs can be reverse engineered and spoofed to yield a variety of results. This talk discusses methods for reverse engineering proprietary CAN messages. These reverse engineered messages are then injected onto the CAN bus of a 2003 Mini Cooper with the help of cheap Arduino hardware hacking. Additionally, a proof of concept will be demonstrated on how to build your own rogue CAN node to take over a CAN network and potentially manipulate critical components of a vehicle. The proof of concept demonstrates taking full control of the instrument cluster using the reverse engineering methods presented.

Jason Staggs

Jason Staggs is currently a graduate student in computer science and a security research assistant at the Institute for Information Security (iSec) at The University of Tulsa. He also is involved with The University of Tulsa's Crash Reconstruction Research Consortium (TU-CRRC) where he occasionally gets to hack and wreck a variety of vehicles. Before attending graduate school, Jason worked as a cyber-security analyst for a leading information security firm, True Digital Security in Tulsa, OK. Jason holds a Bachelor's degree in Information Assurance and Forensics from Oklahoma State University along with several industry certifications. His research interests include network intrusion detection systems, digital forensics, critical infrastructure protection, and reverse engineering.

