Backdooring connected cars for covert remote control

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

We’ve all known for a while now that the security of connected cars leaves a lot to be desired. The latest proof of that sad state of affairs comes from Argentinian security researchers and hackers Sheila Ayelen Berta and Claudio Caracciolo.

The pair is set to demonstrate a hardware backdoor for the CAN bus that can be controlled remotely at the upcoming Hack in the Box conference in Amsterdam.

The Bicho

Dubbed “The Bicho,” which is Spanish for small bug/insect, the (open source) hardware backdoor can easily remain hidden due to its small size. It is based on the PIC18F2580 microcontroller and can receive commands via SMS.

That functionality is provided by the SIM800L GSM module, which is popular among hobbyists and in the Arduino community.

“We didn’t use Arduino – we developed our own hardware and it has integrated a SIM800L,” Berta tells me.

“Inside the SIM800L you have to insert a GSM chip, so you will know the telephone number. After you send the SMS to that telephone number, the firmware of our hardware backdoor will know what it has to do.”

backdooring connected cars

The Bicho is pre-programmed via the open source “Car Backdoor Maker” desktop software, which was also developed by the researchers.

The software has a very intuitive graphical interface. Before the backdoor can be used, it has to be connected via USB to the computer running the software and pre-loaded with a variety of payloads to be injected remotely.

backdooring connected cars

“Payloads are CAN frames, so you need to know what CAN frame you want to execute,” says Berta.

They’ve also set up OpenCANdb, an online CAN frames database where users can get specific ones implemented in various cars, but it’s still in the early stages and needs to be populated – hopefully by other hackers interested in this project.

What kind of actions can the Bicho trigger?

The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is tied to a command that can be delivered via SMS from anywhere in the world.

“The only limit is your imagination and the attack surface of the target car,” Berta tells me.

“The more things the car exposes on the CAN bus, the wider the scope for the Bicho. Some cars expose lights, the throttle position, brakes, and so on, so you might control those things.”

At Hack in the Box, the pair will present a new a new feature that allows attackers to remotely kill the car’s ECU and cause the car to stop working.

The Bicho can also be configured to execute an attack payload automatically once the target vehicle is near a given GPS location, has surpassed a set speed, has fallen below a set fuel level, etc.

Responsible use

The Bicho is connected to the CAN bus via the vehicle’s OBD-II port, which is usually found below the vehicle’s steering wheel. Obviously, a prospective attacker must gain physical access to the target vehicle in order to plant the backdoor and be able to use it.

It should do without saying that the researchers intend for their hardware, software, and database to be used responsibly by car hacking enthusiast on their own cars or cars they have been permitted to tinker with by their owners.

“We know that people can use our hardware to do bad things, but we can’t be responsible for their bad acts,” says Berta.

The goal of their research and presentation is to make people and manufacturers aware of the high risk of car hacking.