mirror of
https://github.com/V33RU/awesome-connected-things-sec.git
synced 2026-04-10 12:33:45 +00:00
20 KiB
20 KiB
Car Hacking Resources: From Origins to Today
A historical and up-to-date guide to the world of automotive security and car hacking covering foundational breakthroughs, major attacks, community growth, tools, and essential resources.
Table of Contents
- Early Days: 1990s–2000s
- 2010–2014: Proof-of-Concepts and Recognition
- 2015–2018: Mainstream Awareness and Escalation
- 2019–2021: Community, Tools, and Remote Exploits
- 2022–2025: Modern Era and Emerging Frontiers
- Essential Learning & Research Resources
- Getting Started with Car Hacking (Today)
- Summary Timeline of Milestones
- Curated Modern Automotive Security List (2025)
1. Early Days: 1990s–2000s
- First Hacking Points: OBD (On-Board Diagnostics) port introduction enabled access to engine management with custom hardware and proprietary protocols.
- Key Focus: Wired access to in-vehicle networks, mainly CAN (Controller Area Network, CAN Wikipedia, standardized 1991).
- Barriers: Highly proprietary, isolated systems; vehicle-specific strategies required.
2. 2010–2014: Proof-of-Concepts and Recognition
- Researchers began hacking ECUs through direct access, quickly moving to remote attacks via Bluetooth, CD, cellular, and more.
- Notable exploits included 2011 Chevy Malibu remote hacks (Wired Article) and proof that almost any connected vehicle could be at risk.
- Open-source tools and low-cost OBD-II USB adapters made experimentation accessible.
3. 2015–2018: Mainstream Awareness and Escalation
- Landmark Hacks:
- 2013: Miller and Valasek controlled Ford Escape and Toyota Prius (acceleration, steering, GPS spoofing).
- 2015: Jeep Cherokee/UConnect hack allowed full remote takeover - leading to million-vehicle recall.
- Tesla (2016 hack), BMW (ConnectedDrive hack), and Nissan (Nissan Leaf hack) also targeted through remote and telematics attacks.
- Ecosystem Milestones:
- Instrument Cluster Simulator (ICSim) released.
- DEF CON Car Hacking Village - a global hub for car security research.
4. 2019–2021: Community, Tools, and Remote Exploits
- Events: Car Hacking Village (DEF CON) and Car Hacking Village @ DefCamp expand globally.
- Open Garages and online forums centralize tutorials, datasets, and collaborative research.
- Tools like can-utils, python-can, and Scapy/CAN widely adopted in both hobbyist and professional domains.
- Complexity increases - modern vehicles become software-centric and remotely exploitable.
5. 2022–2025: Modern Era and Emerging Frontiers
- API & Backend Attacks:
- Mass remote exploitation of telematics APIs by researchers - impacting brands like Acura, Kia (Kia API bug), BMW, Tesla (Tesla charger exploit), Nissan (Nissan Leaf hack), and Škoda (Škoda Mobile App bug).
- Hardware & Software Expansion: Advanced interfaces and attack tools: Nano-CAN, CANtact, CANPico, M2 by Macchina, ELM327.
- Active Communities: DEF CON Car Hacking Village, ASRG, Car Hacking Village (Europe, DefCamp), Open Garages.
- Ongoing Publications: The Car Hacker’s Handbook, academic surveys (ScienceDirect, MDPI Sensors), live vulnerability tracking (VicOne zero-days).
6. Essential Learning & Research Resources
| Resource/Community | Type | Description/Notes |
|---|---|---|
| The Car Hacker’s Handbook (Craig Smith) | Book | Comprehensive guide to car security |
| Hacking Connected Cars | Book | Techniques and procedures book |
| ICSim | Toolkit/Software | CAN cluster simulation |
| can-utils | Toolkit/Software | CAN bus open-source tools |
| python-can | Toolkit/Software | Python CAN bus library |
| Scapy/CAN Layer | Toolkit/Software | CAN protocol analysis |
| DEF CON Car Hacking Village | Community/Event | Global in-person and virtual hands-on events |
| Car Hacking Village @ DefCamp | Community/Event | European CTF/hack venue |
| ASRG | Community | Auto Security Research Group: global research |
| Open Garages | Forum/Repo | Tutorials, datasets, simulation kits |
| Upstream Security Reports | Research/Survey | Trends, vulnerabilities, industry survey |
| The Hacker News: API survey | News/Research | Mass API attack reports |
| arXiv: UWBAD paper | Research | Ultra-Wideband relay attack research |
| arXiv: SAE J1939 attacks | Research | Heavy-duty transport attacks |
| ScienceDirect: HD vehicle review | Research | Heavy vehicle vulnerabilities |
| MDPI Sensors: SDV security | Research/Survey | Survey on frameworks/attacks |
| VicOne Zero-Day Database | Vulnerability DB | Live CVE, 0-day tracking |
7. Getting Started with Car Hacking (Today)
- Read: The Car Hacker’s Handbook
- Practice: Use ICSim, ELM327, CANtact on test benches.
- Engage: ASRG, Open Garages, DEF CON Car Hacking Village
- Stay Current: Upstream Reports, arXiv search: automotive security, HackerNews
8. Summary Timeline of Milestones
- 1990s–2000s: OBD/CAN bus hacking (CAN bus)
- 2010–2014: Chevy Malibu hack (Wired), CAN-utils, ELM327
- 2015: Jeep UConnect hack, DEF CON Car Hacking Village
- 2016–2018: BMW, Tesla, ICSim
- 2019–2025: API hacks survey, Upstream Report, VicOne 0-days
9. Curated Modern Automotive Security List (2025)
Approach & Methodology
- In-Vehicle Network, Hardware Hacking, Firmware, Wireless, Mobile App, Cloud/Telemetry, AI-based Security, Supply Chain, Mobility.
Communities & Events
- ASRG
- Auto-ISAC
- Car Hacking Village – DEF CON
- Pwn2Own Automotive
- Automotive Cybersecurity Detroit 2025
- Auto-ISAC Europe Summit 2025
- escar Europe 2025
Educational Resources
- Car Hacker’s Handbook
- Hacking Connected Cars
- ASRG YouTube
- Car Hacking Village YouTube
- CANisLabs Blog
- CANBusHack Blog
Tools & Platforms
Hardware
Software
Libraries
Lists & Platforms
- Awesome Vehicle Security
- wtsxDev/Vehicle-Security
- Carpunk
- pq-flasher
- FOSSA for Automotive
- GitGuardian for Automotive
Research, Papers & Vulnerabilities
- UWBAD – Ultra-Wideband Keyless Entry Jamming (arXiv)
- SAE J1939 Attacks (arXiv)
- ScienceDirect: Heavy-Duty Vehicle Security Review
- MDPI Sensors: Survey on SDV Security
- VicOne Automotive Zero-Day Vulnerabilities
- The Hacker News – API Vulnerability Survey
- Upstream: 2025 Global Automotive Cybersecurity Report
Regulations & Standards
International Automotive Cybersecurity Standards — Regional Table
| Country/Region | Key Standards / Regulations | Regulatory Bodies / Notes |
|---|---|---|
| Global | ISO/SAE 21434 (Cybersecurity Engineering), UNECE WP.29 R155/R156 | ISO, SAE, UNECE. Adopted by most OEMs worldwide. |
| United States | SAE J3061, NHTSA Cybersecurity Best Practices, Auto-ISAC Best Practices, NIST 800 Series | NHTSA, SAE, Auto-ISAC, NIST. J3061 is a precursor to ISO/SAE 21434. |
| EU | UNECE WP.29 R155/R156, GDPR, ENISA Guidance | UNECE, European Commission, ENISA. GDPR covers data privacy. |
| Japan | UNECE WP.29 R155/R156, JASO TP18004 | JAMA, JASO, MLIT. JASO guidance tailors standards to domestic industry. |
| China | GB/T 38629-2020, GB/T 37292-2018, MIIT, CCC Cybersecurity | MIIT, CCC. GB/T standards required for type approvals. |
| South Korea | UNECE WP.29, KATRI Guidance | KATRI, MOLIT. National docs supplement UNECE. |
| UK | UNECE WP.29, DCMS Code of Practice, NCSC Guidance | DVSA, DCMS, NCSC. Dedicated automotive/IoT code post-Brexit. |
| Australia | UNECE WP.29, ACSC Guidance | Dept. of Infrastructure, ACSC. National supplements for cyber and connected fleets. |
| Germany | IT Security Catalogue (BNetzA), UNECE WP.29 | BNetzA. Applies IT/OT security standards to automotive and infrastructure sectors. |
| Switzerland | Basel/FINMA Cyber Guidance | Basel Committee, FINMA. Emphasis on supply chain and digital vehicle resilience. |
Reference Resource Links:
- UNECE WP.29 Regulation Summary
- ISO/SAE 21434 Standard Overview
- Auto-ISAC Best Practices
- ENISA Automotive Cybersecurity
- China MIIT
- DCMS Consumer IoT Code of Practice
- Australian Cyber Security Centre Automotive Guidance
- BNetzA IT Security Catalogue
New & Emerging Threats
- AI Security & Prompt Injection
- Automotive Software Supply Chain Security
- Connected Mobility & Telematics API Security
- EV Charging Infrastructure Vulnerabilities
- Ransomware & Data Breach Response
Recommendations
- Monitor live vulnerability and supply chain intelligence portals (e.g., VicOne, FOSSA, GitGuardian).
- Engage at DEF CON Car Hacking Village, Auto-ISAC Summits, and Pwn2Own Automotive.
- Follow and contribute to open-source and research repositories.
- Stay updated with Upstream Reports, and adapt to regulatory and threat intelligence changes.
This guide covers car hacking’s journey from early OBD/CAN explorations to today’s cloud, API, and AI security challenges - linking you directly to key reference points and resources at each stage.