Abusing the Internet of Things


The value of the result in decimal is 149, which is 0x95 in hexadecimal. This is exactly the value of the last byte in our example packet, so we've confirmed that our understanding of Toyota's checksum is correct.

Miller and Valasek used the ECOM cable to capture the CAN bus traffic and analyze it on their laptop. This cable doesn't plug directly into the OBD2 interface found in most cars, so the researchers purchased an OBD2 adapter to bridge the two. The advantage of this setup is the availability of the ECOM Developer's API, which can be used to program and automate the capture and injection of CAN data. The researchers wrote their own suite of tools using this API to assist in the security evaluation of CAN packets. The project is called ecomcat_api and it is free to download.

The first order of business in using the ecomcat_api project to establish a connection to a car's CAN bus is to import the necessary modules and define the structure representing a CAN bus packet:


from ctypes import *
import time

# Load the ecomcat_api DLL (built in the Debug folder of the project)
mydll = CDLL('Debug\\ecomcat_api')

# Standard-frame CAN message layout expected by the ecomcat_api functions
class SFFMessage(Structure):
    _fields_ = [("IDH", c_ubyte),         # high byte of the CAN identifier
                ("IDL", c_ubyte),         # low byte of the CAN identifier
                ("data", c_ubyte * 8),    # up to 8 payload bytes
                ("options", c_ubyte),
                ("DataLength", c_ubyte),  # number of payload bytes actually used
                ("TimeStamp", c_uint),
                ("baud", c_ubyte)]

Next, we initialize the connection to the ECOM cable:

handle = mydll.open_device(1,0)

According to the researchers, the first argument (1) selects a high-speed CAN network and the second argument (0) selects the first connected cable.

Now it is possible to inject a CAN packet onto the CAN bus:


# Allocate an empty message and let the API fill it from a debug-style text line
y = pointer(SFFMessage())
mydll.DbgLineToSFF("IDH: 02, IDL: 30, Len: 08, Data: A1 00 00 00 00 00 5D 30", y)
mydll.PrintSFF(y, 0)                         # echo the parsed frame to the console
mydll.write_message_cont(handle, y, 1000)    # transmit repeatedly for 1,000 ms
mydll.close_device(handle)

This will transmit the packet continuously for 1,000 ms.
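The debug-line format that DbgLineToSFF consumes ("IDH: 02, IDL: 30, Len: 08, Data: ...") is also the natural format for logging frames captured from the bus. The following is an added example, not code from the book or from the ecomcat_api project: a pure-Python parser for that line format that fills the same SFFMessage structure without needing the DLL, validates the Len field against the payload, and builds a per-identifier frame count over a constructed capture, which is the kind of baseline a defender uses to spot identifiers that should not be appearing on a bus. The names dbg_line_to_sff, can_id, sff_to_dbg_line, is_valid_dbg_line and id_histogram are mine, and it is an assumption here that IDH and IDL hold the high and low bytes of the 11-bit standard CAN identifier.

```python
from ctypes import Structure, c_ubyte, c_uint
import re

# Same layout as the SFFMessage structure used with ecomcat_api.
class SFFMessage(Structure):
    _fields_ = [("IDH", c_ubyte),
                ("IDL", c_ubyte),
                ("data", c_ubyte * 8),
                ("options", c_ubyte),
                ("DataLength", c_ubyte),
                ("TimeStamp", c_uint),
                ("baud", c_ubyte)]

# Debug-line format, e.g. "IDH: 02, IDL: 30, Len: 08, Data: A1 00 00 00 00 00 5D 30"
_LINE_RE = re.compile(
    r"IDH:\s*([0-9A-Fa-f]{1,2}),\s*IDL:\s*([0-9A-Fa-f]{1,2}),\s*"
    r"Len:\s*([0-9A-Fa-f]{1,2}),\s*Data:\s*((?:[0-9A-Fa-f]{1,2}\s*)*)$"
)

def dbg_line_to_sff(line, timestamp=0):
    """Pure-Python stand-in (hypothetical) for DbgLineToSFF.

    Parses one debug line into an SFFMessage and raises ValueError on
    malformed input instead of silently producing a frame.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised debug line: %r" % line)
    idh, idl, length = (int(m.group(i), 16) for i in (1, 2, 3))
    payload = [int(tok, 16) for tok in m.group(4).split()]
    # A standard CAN frame carries at most 8 data bytes, and Len must match the
    # number of bytes given; anything else is a corrupt or truncated capture line.
    if length > 8 or len(payload) != length:
        raise ValueError("Len=%d does not match %d data bytes" % (length, len(payload)))
    msg = SFFMessage()
    msg.IDH, msg.IDL, msg.DataLength, msg.TimeStamp = idh, idl, length, timestamp
    for i, b in enumerate(payload):
        msg.data[i] = b
    return msg

def is_valid_dbg_line(line):
    """True if the line parses and its Len field is consistent with its payload."""
    try:
        dbg_line_to_sff(line)
        return True
    except ValueError:
        return False

def can_id(msg):
    # Assumption: IDH/IDL are the high and low bytes of the 11-bit standard identifier.
    return (msg.IDH << 8) | msg.IDL

def sff_to_dbg_line(msg):
    """Inverse of dbg_line_to_sff, so captured frames can be logged in the same format."""
    data = " ".join("%02X" % msg.data[i] for i in range(msg.DataLength))
    return "IDH: %02X, IDL: %02X, Len: %02X, Data: %s" % (
        msg.IDH, msg.IDL, msg.DataLength, data)

def id_histogram(lines):
    """Count frames per CAN identifier: a simple baseline of which IDs a bus carries."""
    counts = {}
    for line in lines:
        cid = can_id(dbg_line_to_sff(line))
        counts[cid] = counts.get(cid, 0) + 1
    return counts

# Constructed sample capture (not real bus traffic); 0x123 is a placeholder identifier.
SAMPLE_CAPTURE = [
    "IDH: 02, IDL: 30, Len: 08, Data: A1 00 00 00 00 00 5D 30",
    "IDH: 01, IDL: 23, Len: 02, Data: 7F 01",
    "IDH: 02, IDL: 30, Len: 08, Data: A1 00 00 00 00 00 5D 30",
]

if __name__ == "__main__":
    for cid, n in sorted(id_histogram(SAMPLE_CAPTURE).items()):
        print("ID 0x%03X: %d frame(s)" % (cid, n))
```

Because the parser refuses lines whose Len disagrees with the payload, a capture log that has been truncated or hand-edited fails loudly rather than yielding frames with stray bytes, and the round trip through sff_to_dbg_line lets you diff a parsed frame against the line it came from.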

EXPLOITING WIRELESS CONNECTIVITY 165