The Car Hacker’s Handbook isn’t a guide, it’s a wake-up call to automakers

car hackers handbook reveals automotive software secrets hacker
Craig Smith readily admits that he’s paranoid by nature. As a digital security professional, paranoia is part of the job description. But unlike most security professionals, Smith is committed to unlocking secrets and demystifying what goes on in your car’s operating software. The theory goes that the best way to improve the code that keeps your car running is to get it out in the open and let everyone take a whack at it.

To help enthusiasts who want to know what’s really going on under the hood, Smith has written The Car Hacker’s Handbook, available now in both paperback and e-book editions from No Starch Press. The book is currently the top seller in its category on Digital Trends caught up with Smith for a discussion of the issues he raises in the book.

Craig-Smith“It’s about taking control of what you own,” Smith told Digital Trends. “Back in the day, automobile owner’s manuals had complete wiring diagrams, all the part numbers, and everything you needed to make any modification you wanted. Now they don’t. This book is for traditional mechanics who want to get into the electronic aspects of cars but have been stymied by the lack of information about this aspect and the taboo around it.”

The Car Hacker’s Handbook is a comprehensive guide to reverse-engineering and understanding the digital control systems in a modern vehicle. The book includes information on building your own test beds for analyzing the software in a vehicle’s control computers as well as background information on the vulnerabilities inherent in infotainment and two-way connectivity systems.

The result is a practical how-to guide for understanding and manipulating the software that controls virtually every function of a modern car.

Black hat, white hat

As you read The Car Hacker’s Handbook, the first thing that comes to mind is trouble. Malicious individuals could use the information and techniques described in this book to take control of people’s automobiles and use that control to demand ransoms, cause accidents, or even commit terrorism.

“If you knew that there was a vulnerability in a particular make and model of vehicle, you could have that ready to go as the car drove by.”

“The risk concerns me,” Smith admited. “But one thing I’ve learned is that keeping things to yourself works for the black hats. Once you shine a light on things, they get fixed. So if you’re not talking about it, that’s a worse situation. Sometimes it’s off-putting for industries when a researcher says there’s a problem with a product, so we do have to be sensitive. We have to play nice so we can all get safer sooner.”

Yet as previous researchers and hackers have shown, the potential for trouble is very real.

“Your research really needs to happen on test equipment that you build yourself. In that regard, you’re not actively hacking a vehicle that’s driving down the road,” Smith tells Digital Trends. “That being said, it is feasible to make an exploit using your own research and your own equipment that would be able to be deployed quickly. If you knew that there was a vulnerability in a particular make and model of vehicle, you could have that ready to go as the car drove by.”

Sizing up the problem

The average new car now carries about 100 million lines of software code. All that code is required to operate various systems throughout the vehicle, including engine and transmission management, traction and stability controls, and more. About 20 million lines of code are required just to run a standard navigation, infotainment, and connectivity system, and that’s one of the biggest areas of vulnerability.

Researchers Chris Valasek and Charlie Miller successfully hacked several cars through their data communications modules and in some cases managed to take substantial control of moving vehicles. Valasek and Miller’s exploits raised concerns about inadequate security provisions throughout the automotive industry, and prompted automakers to tighten up their safeguards.

What Smith’s book does is expose the tools and techniques that researchers use to identify and then exploit weaknesses in production cars. Starting with the CAN bus that most modern cars use as an onboard network, Smith takes the reader through the steps necessary to access the engine management system as well as the infotainment and communications systems. The book also covers how to write exploits and transfer them into a vehicle via the vehicle’s wireless connectivity systems.

Crowdsourcing security and compliance

One key result of the book is less obvious: The techniques of research and analysis described will enable widespread analysis of any automaker’s operating code. This is good, the author thinks.

The bar for automotive software quality just got raised.

Smith believes that private researchers will spot security holes, but also could potentially uncover intentional malfeasance.

“If you get more eyes on the problem, it’s harder to get away with stuff,” Smith pointed out. “Even just the threat of knowing that people are allowed to look at things will make others think twice about putting backdoors in place.”

Performance tuners and the EPA

The book covers engine management programming and how to alter the manufacturer’s code to increase a car’s power output. This is an area where the amateur may skirt very close to violating Federal law and regulations imposed by the EPA and Dept. of Transportation. It is illegal to tamper with any emissions control device, and a car’s engine management software is very much part of the emission control system.

“Of course it’s not good to add pollutants, but at the same time, we’re talking about 1 percent of people who are performance tuners,” Smith explained. “If we’re going to lock out people because of that fear, then you’re going to miss people like Volkswagen, which disabled an entire fleet of vehicles. In my mind, when the EPA came out with those rules, it wasn’t for the person who makes a race car and runs it around on Sunday. It was for fleets of vehicles.”

Open garages and responsibility

Smith is one of the founders of Open Garages, a loose organization dedicated to providing public access, documentation, and the tools necessary to understand today’s modern vehicle systems. The organization is seeking to bring the ethos of open source software to the automobile world, and this book is part of that effort. Smith is careful to caution that if you break something in your car, you cannot expect the automaker to fix it for you.

“I recommend a switch or a jumper on the vehicle’s computer that disables the forcing of code-signed updates [from the automaker],” Smith said. “Now granted, when you do that, the secure boot loader should mark the car as tainted. So if you cause any damage to the engine, it’s on you. If you sell the car to anyone else, it would be obvious that the car was in its original factory-safe state or if it had been tampered with. That’s the same model Google uses with Chromebooks. I like that model, and I’d really like to see that.”

Don’t steal this book

Every so often, a book is published that pushes the boundaries of a controversial topic. Abbie Hoffman’s classic Steal This Book, published in 1971, detailed how to use and abuse government anti-poverty programs and charities, including how to cheat and steal effectively.

At the time, outraged people warned that Steal This Book posed a serious threat to continued freedom of the press — but it didn’t happen that way. People did steal the book, which led to bookstores keeping it under lock and key. Today, it’s a collector’s item and the material in it is simply quaint.

The Car Hacker’s Handbook is much the same. The information in this book is controversial, but not truly threatening. Malefactors who want to steal your car aren’t likely to spend months decoding assembly language programming to take control of your anti-lock braking system – they’d rather jump you at a stoplight.

This book is a wake-up call to automakers, legislators, and regulators, announcing the fact that technology enthusiasts can and will continue to fiddle with their cars. The bar for automotive software quality just got raised.


Intel hates that your car is dumber than your phone. Here’s how they’ll fix it

Motorists are often underwhelmed and/or frustrated with their car's native infotainment system, so millions of them rely on Android Auto and Apple CarPlay. Intel is helping Google and Volvo change that by bringing phone-like tech to the…

PS5 rumored to be more powerful than Xbox’s Project Scarlett

A rumor claiming that the PlayStation 5 will be more powerful than Xbox's Project Scarlett surfaced before the official reveal at the Xbox E3 2019 briefing. Now that we have more information, let's compare the two systems.

Facebook’s crypto isn’t a new Bitcoin, it’s Disney Dollars for a new world order

Facebook has already secured tens of millions in investments for its new cryptocurrency for Facebook known as Libra. The platform is still being developed, but has already brought in backing from Visa, Mastercard and PayPal.

Fisker wants to make sure Tesla’s Model Y isn’t in a class of one when it lands

Fisker Inc. plans to launch an electric SUV with a base price of under $40,000, and a range of around 300 miles in 2021. The unnamed vehicle could compete with the Tesla Model Y, if it ever gets into production.

Kia draws inspiration from Greek mythology to create a crossover for millennials

Kia will expand its global portfolio of crossovers and SUVs when it unveils a model named Seltos on June 20, 2019. Developed for milennials, the Seltos is a small, high-tech model named after the son of Hercules.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Plant-based shoes and a ukulele learning aid

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!

Don’t let the SUV bodies fool you, BMW’s X3 M and X4 M are bona fide M cars

BMW is launching the first M versions of its X3 and X4. The 2020 X3 M and X4 M Competition pack a new 503-horsepower 3.0-liter twin-turbocharged inline-six and BMW’s usual array of performance tech.

After years of Le Mans misfortune, Toyota becomes impossible to beat

Toyota scored a one-two finish at the 2019 24 Hours of Le Mans, its second win a row at the legendary French race. Toyota is the first Japanese automaker to win Le Mans twice, but its wins came without any real competition.

Uber drivers reportedly triggering higher fares through Surge Club

Uber drivers are reportedly participating in a so-called Surge Club to artificially trigger higher fares. Many drivers said that they do not want to join the shady practice, but they are forced to do so due to pay cuts.

Could a high-performance Nissan Leaf steal the mighty GT-R’s lunch money?

Nissan developed the electric Leaf with range and practicality in mind, but the hatchback could lend its hardware to a high-performance flagship. One of Nissan's chief executives announced a four-motor, 850-hp model could arrive during the…

Forget turrets. Hummer could fight its next war in the electric SUV segment

General Motors is considering resurrecting the Hummer brand it axed in 2010 to make electric off-roaders. The plan hasn't been approved yet, and it risks alienating some die-hard Hummer fans, but it makes sense on several levels.

This futuristic driverless pod will soon be delivering pizza in Texas

Pizza delivery using driverless pods is about to become a thing. Domino's has partnered with autonomous-tech specialist Nuro to use the futuristic pods for a trial delivery service starting later this year.

Flat-six makes a brief but triumphant return in Porsche’s hot-rodded 718 duo

Porsche unveiled a pair of 718-based sports cars that brazenly buck the industry's downsizing trend. The 718 Cayman GT4 and the 718 Spyder ditch the turbocharged flat-four in favor of a naturally aspirated, 4.0-liter flat-six rated at 414…

Waymo at last fires up the self-driving smarts of the Jaguar I-Pace

A year after inking a deal with Jaguar to use its I-Pace crossover for its self-driving program, Waymo has started testing the electric vehicle in autonomous mode with a view to adding it to its driverless ridesharing service.