Automotive CyberSecurity | Getting Started

Introduction

A topic I have personally always been interested in is automotive cyber security, it was the second beginning of my RE path as I learned how to reverse engineer networks and remotely replay specific data back to automobiles! As the field of technology grows, so do cars and this industry along with it! For this article as a part of my “Reverse Engineering” section, I will be talking about automotive cyber security, my experience so far in the industry, my experience working with automotive systems, and even what it may take to get started. This article will not be super in-depth and will just have one total section going into it as I want to make these “modules” a bit more shorter for nonadvanced topics!

Automotive CyberSecurity | A Bitter Industry

This section will be dissected into multiple parts, first, we will talk about my personal background in the industry, why I got into it, what is so fun about it, and why I decided to also dedicate some of my research to the automotive industry. I will then talk about how you can get into it and some interesting real-world applications of automotive cyber security and aspects that you might find quite amazing to throw you on the bandwagon. Below I have listed the sections in this article.

• Automotive Security | My Personal Experience: This section names itself, it will talk about the reason I got into it, people I have talked to, people I have also studied along the lines of the automotive industry, and personal experience showing what I have messed around with.
• Automotive Security | Steps To Becoming A Researcher: This section will talk about the steps you should take and some interesting skills you can gather to becoming a security researcher in the field of automotive.
• Automotive Security | A Killer For Resources: A section that talks about locating valid instructions and manuals for getting started in the automotive security world.
• Automotive Security | Understanding The Industry A Bit: A section that talks purely about what I have experienced in this industry by connecting with experienced security researchers and even contacting specific people who have been in the industry for more than I have been alive.
• Automotive Security |Conclusion And Summary: A section that concludes everything talked about in this article and summarizes what we have learned or what I was able to tell.

Warning: Before starting this article, note that most of it is BIAS — as it comes from the authors personal background and experience in the automotive security industry. A ton of the authors known knowledge also comes from experienced professionals who have been in the field longer than the author has been alive. Take this knowledge not as true full fledged knowledge rather as an understanding from someone’s point of view. If you can not read this article with an open mind, you may want to leave NOW and come back when you can. Another note IS TO NOT TAKE INFORMATION SHARED HERE DIRECTLY AS “you should 100% believe this because I said so and I am smart” BS. The scientific field is not for everything or EVERYONE, fields like security research especially starting out is all going to be bias information as everyone has their own road-paths as to what helped them. This article goes over purely my experience and what got me started as a possible suggestion of what you should expect going into an industry as annoying as the automotive security industry is.

Now, without further to say, lets get into it :D

Automotive Security | My Personal Experience

Since this article was developed to give people incite into the automotive cyber security realm, I wanted to talk a little bit about my experience, in hopes to give you a little bit more “security” when I talk about specific topics. So without much more to say let's go ahead and talk a bit! For those who may not know, my name is Ryan and I am a 16-year-old cyber security researcher that has primarily had my fair share of experience in the reverse engineering realm. My main background comes from game cheating but I also spent time reversing engineering the networks inside of automobiles and other various systems to help me better understand what is happening. A ton of my research really comes from my will to research heavy into something, for example, cars. I never wanted to just learn the fundamentals, I wanted to learn something and do it fast. So every time I learned a specific topic such as automotive reverse engineering or security I would dive DEEP and get every book I could find explaining CAN ( Controller Area Network ), Hardware used in cars, API systems, management systems and more and by the end of the month I was ready to hack as much as I could and get slapped into the real world. This ability seriously helped me learn more especially getting books that would talk specifically on the networks themselves or the hardware in the automobiles. A majority of my automobile road-path was just messing around, if I found a road-path that was apart of the automobile hacking phase I went down it if I saw it and took an interest in it. But when I started I seriously did not know where to go, this confusion led me to networking with people I KNEW in the industry or even finding people online since googling and you-tubing videos did not help- due to the lack of knowledge in the automotive security field. I felt that this was a major problem and after getting professional guidance I was able to go into some good communities that had some good information, personal online books that were forgotten about or had 60 year old’s that just knew their way IN AND OUT of cars in an instance, you could have a single dent in a picture of a specific door and they could pin point the cars, they were so good at it and just knew most things about it. I got some amazing knowledge from these people and continued to surround myself not by beginners but with people that knew more than me in every way possible, sure some of them were toxic but it did not deter me from learning more. From here I decided I would take the time to bring people along with me in this field that had an interest, every time I had a friend interested in physical cyber security I would pull them to all these cars and we would continue to see if we can reverse them or figure out some internal and maybe even when it came down to virtually doing it through protocol simulators with different levels and exploration routes you can go through. This article will hit home for me a lot, and one reason I wanted to talk about it was because as a beginner I would have never had the same information I could find. So, I write this article in hopes that you can take something away from it. Me personally, I love taking a stand for something I like to see change- If I do not like something in the world, If I do not like a specific task I will change it and manipulate it. This mind map in my head led me to hack cars, learn how to manipulate Bluetooth signals, learn about radio frequency attacks, hardware attacks, reverse engineering and even led me to creating my own programming languages ( partly, there were other reasons ). That is as far as I will go with my experience as I have touched physical cars, have manipulated the networks in simulators and have also even tried to dig as deep as I could into hardware attacks! Now that we have this out of the way we can go ahead and talk about getting started! WOOP :D!

Automotive Security | Steps To Becoming A Researcher

The first thing we should talk about is the steps you may want to take before becoming a security researcher in the automotive world. What exactly do I mean by steps on it? What do I even mean by becoming a security researcher O_O? Well, this all comes down to mainly how you're going to source your knowledge, plans of what exactly you should tackle first, and maybe even some basic fundamentals that will get you started. So let's go through this a bit.

• How Do I Start: One of the most common questions in any security research field that I have come across and many others do is “How do I start?”. This question by far is often put down by many people or those people who ask get slammed with a horrible set of information that even confuses the experts in the room. Like most security research fields, your best starting position would be to understand exactly what the field is and what you are going to be doing. For example, someone can hop into web security and say “How do I start” but never know exactly what web security actually is until they do start. This means that basically to start in web security you need to get a grasp of what you are going to be doing, what the field entails, the branches in that field. This is the same for automotive security research, we need to be able to look at what currently exists and what we can start out with in terms of actions and what we need first. When it comes to automotive security research it is important that you keep heads and tails on forms of systems, update systems, management systems and more in that field. The security field grows constantly and automotive moves constantly faster every single day and as that tech grows more and more you need to get a good understanding of what those changes are so you can better select your research. Another thing you may want to consider is understanding at a higher level how the protocols, networks and even systems such as braking systems work in a car remotely. Understanding how the networks in cars work might give you a better understanding of automotive internal parts such as the ECU ( Engine Control Unit ), PCM ( Powertrain Control Module ), and EDR ( Event Data Recorders ). Having a basic to intermediate understanding of how these systems work is insanely helpful to your path and most importantly before you dive deep into how those work it's important you have a background in computer science, and an understanding of how hardware works if you want to go deeper into the physical exploitation of systems and even going as far as touching web-based systems so you can catch API’s or sniff some funny little bits of data. We will get more into that later in this article but that should give you a good base.
• Steps To Take: One thing about science-related fields such as science that we should all take seriously is the progression in our knowledge. Most people think that after reading a few books they automatically know exactly what they are talking about; when in reality, they don’t. As far as steps to take when it comes to automotive industries specifically you should maybe consider going the extra mile to learn from other researchers in the field who may be much more knowledgeable about you in that field or even connecting with people who are in the industry that can tell you exactly what you should be doing and where you should be going. For example, without knowing the people I know or connected with I would never have been able to write this article directly without some expert knowledge on the industry or even personal experience myself. Learning from others should be something that is highly commendable because when you think about it, all people do in this field is take previous research and use it to educate others or build their own research in specific groups. These steps may also help you train specific segments in your mental health to get you up and moving and excited about what comes next. Another major thing that came personally to me is practicing exploits or examples you come across. For example, the first thing people learn about automotive security is RFREP ( Radio Frequency Replay Attacks ) which are basically capturing specific sets or sequences of radio frequencies on a network wire and sending them back to the source of the original sets of frequencies. This attack is pretty easy when you start out and from there most people just stop but fail to realize that network protocols like FlexRay also exist and more network emulators or even bigger ones can give you much more real-world simulations. If you continue to practice while also advancing your knowledge, you are bound to actually get up and understand what you have done while properly being able to educate others about it. Something I also want to throw in here, when educating yourself about a field, be sure to write and document my findings. Many people do not understand this until they become writers but even myself as an author, you learn the more you write. It seems crazy because you think that authors should know everything about topics they are writing about but that is not always true. In fact even when teaching groups of 20–80 people I will be learning so much from the target audience because of what other people have found in their research. So even if you feel like you have a small amount of knowledge, try writing about it and showing yourself that you know something in the field you are in. If worse comes to worse you just do not know enough and the worst punishment is just going back to study again and again until you get it right.

Cool, now we have a decent idea of how to start; where do we go from here? Something that hurt me a ton when learning about the automotive field was resources- which is our next section

Automotive Security | A Killer For Resources

Unlike most security research fields such as web testing, binary exploitation, reverse engineering, binary analysis, and many many other fields, the information on the automotive security field is very limited. For example, if you go on YouTube and type “ Automotive Cyber Security “ you may be met with a few videos. This always deters people since you can not properly start in a field when there are no “out there resources” so that is what I am here to tell you about. Something I learned quickly that helped me in every security research field was looking for specific resources or categorizing them. If you are not already familiar with it, google dorking is a very very good skill set to have as it allows you to narrow down research. For example, if we go to Google and type “Automotive CyberSecurity” we get the following.

We need to be able to narrow down our search a bit more specifically such as using Google dorks to actually solve where to go. So let's say we want some cool articles about automotive security talking about specific vulnerabilities or topics. We can sum it up by typing

inurl: Automotive CyberSecurity intitle: Getting Started filetype:pdf

and when we hit enter, we can get some better results!

This is not exactly down to the direct specification but it is a good example of what we need to get started or at least search for resources. I bring this up because I eventually got tired of browsing hundreds of YouTube videos learning the same exact thing, there was no direct knowledge on hacking cars and if there was it was just the same old “hack your car with a radio frequency replay” which is not directly hacking more than it is just replaying some radio frequency. Do not get me wrong, if your using raw SDR’s ( Software Defined Radios ) and other various tools it takes a very specific set of knowledge to do so perfectly and its a good introduction but if you wanted to learn about dissecting ECU’s, PCM’s, EDR’s, Diagnostic systems, monitoring systems, third party software, it may seriously not be that easy to find because there is not nearly enough out there that has not been taken down due to ToS violations. So, in sum when we look for material on the hacking side of things, we have to be very specific and understand how to google dork everything might seriously become helpful. There is not much we can say about this and I had to section this off into a sub-section just because I figured it was worth noting for people looking to get started. But of course, if you are looking to have knowledge on specific systems such as CAN there are amazing books that talk about just that protocol or even hacking and attacking other high-end protocols such as FlexRay and systems such as the ECU or EDR. Another great resource would be developer manuals for specific software or models of cars. It may not seem like it but in today's world even back then, computer programmers are 100% required to build a car because they have to be the ones to program the hardware and boards and even electronics that go into that car. Those manuals, scripts even short deeper and older articles go a serious long way when looking for other resources.

Now lets get into the most annoying part of this article and possibly the most experience based part- the industry.

Automotive Security | Understanding The Industry A Bit

Toxicity, Ignorance, Greed, and Power are all sometimes glorious factors of our heavenly planet, after all, they build humans. I am going to keep it a buck with you, when you get into the automotive security world, do not expect to be met with people that are willing to make a change if you do find someone AMAZING but do not expect every person to be like that. If you are not new to the cyber security world it might be quite understandable that most companies especially corporations really only care about the security of their users for either protection on their part if anything happens or reputation. Sadly, from my experience as well as counting 23 other people I closely know in this industry, the automotive security world is extremely toxic on its “corporate” side of things. Even smaller companies have a major problem. Well, what do I mean by this? When I first started in the automotive world, I thought nothing of it, I never wanted to make a change I just thought it was cool to say I hack cars for a living. But the more I got into it and especially recently here, I started to get a bit more hope that maybe I could develop a system to prevent specific attacks from happening in protocols and develop a system that also protects autonomous systems from being attacked by hackers who really weren't hackers. This hope never died and I still have it, but I will say, from my experience sharing that idea it seems that no one truly is in it for saving people. When I purposed some idea’s to a team that was working actively on some projects, they mentioned that the security was “too expensive” and the instant thought to my brain was, “ how is protecting human life too expensive for you? “. I shut my mouth and did not think anything of it and just blew that thought out of my head like it was just another weird miscommunication. Then the same thing happened but instead of pushing it off, I ended up pulling a stupid argument with someone talking about it. One thing they mentioned was that it does not matter how good security is, the only thing the companies care about and want is a good functional product that can improve the usability of the automobile or section of technology such as radio and did not really want to throw money into it. I went to someone I knew close who got pretty big in the industry for locating a few major hardware vulnerabilities and they also mentioned the same thing. They told me something that I honestly did not consider but it went something along the lines of this: “ I know it seems like you have good ideas, most people in this field do, the issue? Barely any major corporation or company that distributes automobiles or automotive systems wants to invest time and money into something that will not bring them money. From my experience, truthfully all they want is just something they can sell and security is not something they can sell “. I had to sit on that and he was totally right, after looking at some reports, vulnerabilities that were discovered vs the patch and update, it seems that for every report, the system was either moved to a nonexposed location or the software was updated 4–5 months after the report was published which is an INSANE amount of lag time for vulnerability patching. But at the same time, I also started to formulate this theory that got me driving a bit more and carried a little bit more knowledge. If we look at countries around and the cyber security world as a whole as well as the history of attacks, no person, no government or most anyway ever took it seriously until something extremely catastrophic happened. Look at something like StuXnEt, it took people something as dangerous as that to BARELY and I mean BARELY open their eyes as to how horrible it is to be using old and outdated software while also not securing systems. The same falls for the automotive industry right now. Researchers keep beating the bad guys to the chase such as finding millions and millions of leaked social security numbers on financial systems or in the case of the automotive world a single API miss-configuration that can brick your Tesla or can cause self-driving systems to go off the rails crazy or even cut specific systems such as breaking systems. I always had this weird sense of heart for wanting to contribute to the world of cyber security but the people on the inside make it hard. What exactly was my part in saying this? It was not to scare you away or kill your hopes and dreams but rather save you from a few broken hearts in the future when some owner of an automotive manufacturer or even sub party comes to absolutely smash your idea’s into pieces by putting a price on human life. Your idea’s are not worthless, even if you feel like you can never make a change and even when it seems like no person will accept your idea’s anyway, proove them wrong and show them up. Because in the end when someone takes your idea that out does some other major corporation there is a high chance that one person will boost you up higher than any other company could. I also like to note that I try my best to educate pople through my experiences while also allowing them to have a free mind and free will to think as they please. But the honest advice I can give you, is no matter how toxic a field of science gets, it is still science; do not let others deter you from chasing something you are genuinely happy to be apart of and do not let them ruin that field for you either. Stay true to yourself and go onto chase and finish or hit goals you were never aware of.

Automotive Security |Conclusion And Summary

This article was super short and was only a few thousand words but I honestly did not need to go deep into this one, it was meant to be an article for people that have never done automotive security in their life and was meant for people that barely know fully what they are doing. Concluding we can say that the automotive industry is super fun and sometimes toxic, but forget about the toxicity and just become a good security researcher or hell just do what you enjoy. If you want to hijack BLE frequencies to exploit a car then go do it just do it with permission of the owner or do it on your own system, if you want to rip out an ECU and electronically/digitally dissect it have at it! The world is yours and the only one that can stop you is you! If you also feel like you can change something then you can change it, you just have to make sure you work with the right people who are not there to exploit you for your money or your ideas or who you are but rather who are there to contribute to your research and ideas. Summing this article up; the automotive industry is an interesting place, the world of automotive cyber security in itself is also quite interesting. As a field of science and technology, it will constantly evolve and despite there not being nearly enough information there we can still try our best to get that information and surround ourselves with information that will help us forever advance in the world of tech!