Basically, we wanted to prove that it's possible to hack a vehicle, without having a physical access to the vehicle. To validate our idea, we come up with a method that exploits the vulnerabilities from the OBD II port remotely. We weaponize our exploits by reverse engineering the CAN message by leveraging the Vehicle Spy. The manipulated CAN messages are injected into the CAN bus through Neo OBD II Pro dongle. We demonstrate the GM Camero can be controlled, such as shutdown the vehicle, open/close windows, increase/decrease the radio volume, and change vehicle speed, fuel gauge.
Key Fob Radio On-board Diagnostic Port II
The attacking scenarios are listed below:
1) The car owner presses a lock button and an attacker blocks the keyless entry system, which keep the door unlocked. In this implementation, the attacker has physical access to the vehicle and plugs in a Raspberry Pi, with Neo dongle to the OBD II port and hides its visibility.
2) The attacker first sets up a fake wireless Access Point (AP). Then, she connects the AP via the Raspberry Pi, which connects to the Neo OBD II. To do that, the attacker can control the car through the cloud.
3) Piggy-backed on the scenario 2, the attacker sniffs the CAN messages and reverse engineers the CAN messages using Intrepid Neo VI FIRE and Vehicle Spy. The attacker transmits arbitrary CAN messages to the bus to unlock the door, increase the volume up and down, and finally performs a Denial of Service (DoS) attack on the CAN bus. The attack can successfully shutdown the vehicle.
Project Objective: Our project executes the above-mentioned attack scenarios. The goal was to remotely lock and unlock the vehicle, increase the volume, and perform a DoS attack on the bus.
How I built it
We built the project using Raspberry Pi -> SocketCAN -> Neo VI FIRE -> Python -> Pineapple Wireless Access Point -> Kali Linux -> Secure Shell enabled on the Rasberry Pi for remote access -> Neo OBD II Pro cloud Platform to transmitt and receive CAN messages
Challenges I ran into
It took us a while before we get to communicate with vehicle. We overcome the challenges by creating a SocketCAN communication through the Raspberry Pi and using SSH to control the vehicle remotely. Also, reverse engineering CAN message was challenging.
Accomplishments that I'm proud of
We are proud to control a vehicle remotely, increase volume, control windows, and shut down the vehicle completely and the vehicle was not able to start for a while.
What I learned
We learned how to send a messages wireless, control windows, reverse engineer CAN messages
What's next for Vehicle Wireless remote access
Work on implementing a secure gateway so that the adversaries are not going to replicate this attack. Improve security and weakness within the automotive