Just FYI, this book literally teaches you how to identify security vulnerabilities in modern cars and exploit them.
You can purchase it from Amazon here[0], or download the book for free in EPUB[1] or PDF[2].
[0] http://www.amazon.com/2014-Hackers-Manual-Craig-Smith/dp/099...
[1] https://drive.google.com/file/d/0Bzxo-UKxFmN-bDlNSi1IT1JLdHM...
[2] https://drive.google.com/file/d/0Bzxo-UKxFmN-WFVjcEVVX3B5azg...
http://www.theverge.com/2015/4/24/8490359/general-motors-eff...
The article that you cited does not seem to advance the argument in your comment, even though it opens with a story of a company getting sued for actual copyright infringement. (Ford has not sued the "ForSCAN" team.)
The carmakers are bound by law to implement the OBD2 application with an acceptable OBD2 PHY. They are also bound by law to provide their dealer system for flash-programming and for operations that cannot be carried out using the OBD2 application. Anyone can obtain a J2534 gateway to use these tools, and anyone can obtain access to these tools.
This is necessary to resolve antitrust issues and because a broken car is a potential emissions problem.
The carmakers have not stopped third-party diagnostic providers from reverse engineering the carmakers' tools to develop their own tools for sale. Autoenginuity, Launch X431, and Snap-On are examples of companies that do this and who have no connections to the vehicle manufacturer supply chain the way that Bosch, Actia, and Continental do.
In other news, access to the terminal is now based on an "authentication key"; root access is not enough. For development purposes, Harman provides these keys and they expire after a certain period of time. I am not sure those "fixed" telematic models are out there on the market currently.
The attacks in the book are low-grade attacks just about anyone with just a basic curiosity could probably pull off - like making up a cable. Ford SYNC, for example, required signed payloads.
Infotainment systems, generally speaking, are not even on the same CAN bus as the engine control unit.
The book spends an inordinate amount of its pages talking about stuff you can easily google and get much more detailed and more accurate information on, like LIN, OBD2, etc.
Why not talk about CAN arbitration? The book fails to mention a simple attack vector everyone in automotive knows about. ArbID on CAN is not only unique to a CAN frame but also used to win arbitration. You can flood a CAN bus with CAN frames using an ArbID of 0x01 or 0x00 to kick off a sort of denial of service attack.
The UDS hacks they talk about are not really hacks at all. They are part of what is known as right to service. Automotive manufacturers are not allowed to lock out small mom & pop service shops or 3rd party tools. The really sensitive stuff typically requires what is known as a VIN unlocker. For example, you can't easily change the ODO (odometer) value. With Ford ECUs, you get a DLL from Ford Motor and a key. You then take CAN data off the bus, pass it through the provided DLL and along with the key, get back a value that you send back out to "unlock" the ECU to program it. Why not talk about reverse engineering this?
They talk about CANiBUS which is a nice tool but a better one is Vehicle Spy which does the same thing and more. Chip tuners use this to reverse engineer the CAN signals.
In the industry, all these CAN bus signals can be decoded if you have what is called a DBC file. A DBC file is a file format used to look up values to translate into human-readable descriptions. The format is owned by Vector, which is another company that makes overpriced CAN diagnostic and simulation tools that everyone uses.
The Ethernet Metasploit looks like pie-in-the-sky talk. Every Ethernet system in a car today is basically an infotainment system and benign data like album art, Mirrorlink, and simple data sharing between say a center stack and a cluster. There's nothing there... On top of this, every automotive Ethernet is BroadR-Reach, which is Broadcom's 2-wire Ethernet, and to tap into it requires expensive demo boards from Broadcom. It's not like you can simply take a 2-wire Ethernet and put it into a Linksys switch to see the packets. More misinformation.
The Keypad for the passive entry looks like good material but it, too, looks very dated.
Sorry to be such a downer, but felt after reading through the material they should be called out. Buyer beware.
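Added example, not part of any comment in this thread: a defender-side check for the arbitration-ID flooding mentioned above, run over a `candump -l` style log. It flags time windows in which frames at or below a low arbitration ID dominate bus traffic. The thresholds (`low_id_max`, `max_share`, `min_frames`) and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# candump -l line format: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(line):
    """Return (timestamp, arbitration_id) for a candump -l line, else None."""
    m = LINE.match(line.strip())
    return (float(m.group(1)), int(m.group(3), 16)) if m else None

def flood_windows(lines, window=1.0, low_id_max=0x001, max_share=0.5, min_frames=50):
    """Return start times of windows where IDs <= low_id_max dominate the bus.

    Thresholds are assumed defaults; tune them against a baseline capture.
    """
    total, low = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip comments and malformed lines
        ts, arb_id = rec
        bucket = int(ts // window)
        total[bucket] += 1
        if arb_id <= low_id_max:
            low[bucket] += 1
    return [b * window for b in sorted(total)
            if total[b] >= min_frames and low[b] / total[b] > max_share]

def constructed_log():
    """Constructed sample: 3 s of periodic traffic; ID 0x000 saturates second 101."""
    lines = []
    for ms in range(0, 3000, 10):
        t = 100 + ms / 1000
        lines.append(f"({t:.6f}) can0 2C0#0011223344556677")
        lines.append(f"({t + 0.002:.6f}) can0 3E8#DEADBEEF")
    for ms in range(1000, 2000):
        lines.append(f"({100 + ms / 1000 + 0.0005:.6f}) can0 000#")
    return lines

if __name__ == "__main__":
    print(flood_windows(constructed_log()))
```

On a real bus the flooded ID wins arbitration, so legitimate periodic frames also go missing; alerting on absent expected IDs in the same window is a useful second signal.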
* If the info there is as outdated as you say, where could one find a reasonably complete and up to date intro to car computer technology?
* Are there any tools out there that can be used for simulating a car network (CAN bus, ECU etc.) for lab purposes?
https://web.archive.org/web/20150628210322/http://opengarage...
https://web.archive.org/web/20150525100844/http://opengarage...
https://web.archive.org/web/20150628210322/http://opengarage...
Many folks have mentioned how the Tesla Model S at least is more of a supercomputing cluster on wheels than a car with some ECUs. I don't know how armored their CAN bus(es) are, but I'm sure the "Attacking ECUs and other embedded systems" is giving some safety engineers white hair.
(Of course, everything I've said about Tesla is just about equally applicable to other high-end vehicles. It's just that Tesla are a bit more connected to the traditional software world.)
If the systems were properly documented for the owners I seriously doubt there would be a problem. Give people a USB stick with docs, sources and signing keys and those who can make sense of them are probably smart enough to hack responsibly.
Ahahahaaa!
It only takes one jerk to ruin it for everyone.
I would have bought the Kindle e-book for sure - Does Amazon allow pay-what-you-want?