mirror of https://github.com/V33RU/awesome-connected-things-sec.git synced 2026-04-10 12:33:45 +00:00

Files

`Mr-IoT` 61ab69c950 Update automotive-security.md

2025-07-20 13:27:07 +05:30

20 KiB

Raw Blame History

Car Hacking Resources: From Origins to Today

A historical and up-to-date guide to the world of automotive security and car hacking covering foundational breakthroughs, major attacks, community growth, tools, and essential resources.

Early Days: 1990s–2000s
2010–2014: Proof-of-Concepts and Recognition
2015–2018: Mainstream Awareness and Escalation
International Automotive Cybersecurity Standards — Regional Table
2019–2021: Community, Tools, and Remote Exploits
2022–2025: Modern Era and Emerging Frontiers
Essential Learning & Research Resources
Getting Started with Car Hacking (Today)
Summary Timeline of Milestones
Curated Modern Automotive Security List (2025)

1. Early Days: 1990s–2000s

First Hacking Points: OBD (On-Board Diagnostics) port introduction enabled access to engine management with custom hardware and proprietary protocols.
Key Focus: Wired access to in-vehicle networks, mainly CAN (Controller Area Network, CAN Wikipedia, standardized 1991).
Barriers: Highly proprietary, isolated systems; vehicle-specific strategies required.

2. 2010–2014: Proof-of-Concepts and Recognition

Researchers began hacking ECUs through direct access, quickly moving to remote attacks via Bluetooth, CD, cellular, and more.
Notable exploits included 2011 Chevy Malibu remote hacks (Wired Article) and proof that almost any connected vehicle could be at risk.
Open-source tools and low-cost OBD-II USB adapters made experimentation accessible.

3. 2015–2018: Mainstream Awareness and Escalation

Landmark Hacks:
- 2013: Miller and Valasek controlled Ford Escape and Toyota Prius (acceleration, steering, GPS spoofing).
- 2015: Jeep Cherokee/UConnect hack allowed full remote takeover - leading to million-vehicle recall.
- Tesla (2016 hack), BMW (ConnectedDrive hack), and Nissan (Nissan Leaf hack) also targeted through remote and telematics attacks.
Ecosystem Milestones:
- Instrument Cluster Simulator (ICSim) released.
- DEF CON Car Hacking Village - a global hub for car security research.

4. 2019–2021: Community, Tools, and Remote Exploits

Events: Car Hacking Village (DEF CON) and Car Hacking Village @ DefCamp expand globally.
Open Garages and online forums centralize tutorials, datasets, and collaborative research.
Tools like can-utils, python-can, and Scapy/CAN widely adopted in both hobbyist and professional domains.
Complexity increases - modern vehicles become software-centric and remotely exploitable.

5. 2022–2025: Modern Era and Emerging Frontiers

API & Backend Attacks:
- Mass remote exploitation of telematics APIs by researchers - impacting brands like Acura, Kia (Kia API bug), BMW, Tesla (Tesla charger exploit), Nissan (Nissan Leaf hack), and Škoda (Škoda Mobile App bug).
Hardware & Software Expansion: Advanced interfaces and attack tools: Nano-CAN, CANtact, CANPico, M2 by Macchina, ELM327.
Active Communities: DEF CON Car Hacking Village, ASRG, Car Hacking Village (Europe, DefCamp), Open Garages.
Ongoing Publications: The Car Hacker’s Handbook, academic surveys (ScienceDirect, MDPI Sensors), live vulnerability tracking (VicOne zero-days).

International Automotive Cybersecurity Standards — Regional Table

Country/Region	Key Standards / Regulations	Regulatory Bodies / Notes
Global	ISO/SAE 21434 (Cybersecurity Engineering), UNECE WP.29 R155/R156	ISO, SAE, UNECE. Adopted by most OEMs worldwide.
United States	SAE J3061, NHTSA Cybersecurity Best Practices, Auto-ISAC Best Practices, NIST 800 Series	NHTSA, SAE, Auto-ISAC, NIST. J3061 is a precursor to ISO/SAE 21434.
EU	UNECE WP.29 R155/R156, GDPR, ENISA Guidance	UNECE, European Commission, ENISA. GDPR covers data privacy.
Japan	UNECE WP.29 R155/R156, JASO TP18004	JAMA, JASO, MLIT. JASO guidance tailors standards to domestic industry.
China	GB/T 38629-2020, GB/T 37292-2018, MIIT, CCC Cybersecurity	MIIT, CCC. GB/T standards required for type approvals.
South Korea	UNECE WP.29, KATRI Guidance	KATRI, MOLIT. National docs supplement UNECE.
UK	UNECE WP.29, DCMS Code of Practice, NCSC Guidance	DVSA, DCMS, NCSC. Dedicated automotive/IoT code post-Brexit.
Australia	UNECE WP.29, ACSC Guidance	Dept. of Infrastructure, ACSC. National supplements for cyber and connected fleets.
Germany	IT Security Catalogue (BNetzA), UNECE WP.29	BNetzA. Applies IT/OT security standards to automotive and infrastructure sectors.
Switzerland	Basel/FINMA Cyber Guidance	Basel Committee, FINMA. Emphasis on supply chain and digital vehicle resilience.

Essential Learning & Research Resources

Resource/Community	Type	Description/Notes
The Car Hacker’s Handbook (Craig Smith)	Book	Comprehensive guide to car security
Hacking Connected Cars	Book	Techniques and procedures book
ICSim	Toolkit/Software	CAN cluster simulation
can-utils	Toolkit/Software	CAN bus open-source tools
python-can	Toolkit/Software	Python CAN bus library
Scapy/CAN Layer	Toolkit/Software	CAN protocol analysis
DEF CON Car Hacking Village	Community/Event	Global in-person and virtual hands-on events
Car Hacking Village @ DefCamp	Community/Event	European CTF/hack venue
ASRG	Community	Auto Security Research Group: global research
Open Garages	Forum/Repo	Tutorials, datasets, simulation kits
Upstream Security Reports	Research/Survey	Trends, vulnerabilities, industry survey
The Hacker News: API survey	News/Research	Mass API attack reports
arXiv: UWBAD paper	Research	Ultra-Wideband relay attack research
arXiv: SAE J1939 attacks	Research	Heavy-duty transport attacks
ScienceDirect: HD vehicle review	Research	Heavy vehicle vulnerabilities
MDPI Sensors: SDV security	Research/Survey	Survey on frameworks/attacks
VicOne Zero-Day Database	Vulnerability DB	Live CVE, 0-day tracking

Getting Started with Car Hacking (Today)

Read: The Car Hacker’s Handbook
Practice: Use ICSim, ELM327, CANtact on test benches.
Engage: ASRG, Open Garages, DEF CON Car Hacking Village
Stay Current: Upstream Reports, arXiv search: automotive security, HackerNews

Summary Timeline of Milestones

1990s–2000s: OBD/CAN bus hacking (CAN bus)
2010–2014: Chevy Malibu hack (Wired), CAN-utils, ELM327
2015: Jeep UConnect hack, DEF CON Car Hacking Village
2016–2018: BMW, Tesla, ICSim
2019–2025: API hacks survey, Upstream Report, VicOne 0-days

Curated Modern Automotive Security List (2025)

Approach & Methodology

In-Vehicle Network, Hardware Hacking, Firmware, Wireless, Mobile App, Cloud/Telemetry, AI-based Security, Supply Chain, Mobility.

Communities & Events

Educational Resources

Tools & Platforms

Hardware

Software

Libraries

Lists & Platforms

Research, Papers & Vulnerabilities

Reference Resource Links:

New & Emerging Threats

AI Security & Prompt Injection
Automotive Software Supply Chain Security
Connected Mobility & Telematics API Security
EV Charging Infrastructure Vulnerabilities
Ransomware & Data Breach Response

Recommendations

Monitor live vulnerability and supply chain intelligence portals (e.g., VicOne, FOSSA, GitGuardian).
Engage at DEF CON Car Hacking Village, Auto-ISAC Summits, and Pwn2Own Automotive.
Follow and contribute to open-source and research repositories.
Stay updated with Upstream Reports, and adapt to regulatory and threat intelligence changes.

This guide covers car hacking’s journey from early OBD/CAN explorations to today’s cloud, API, and AI security challenges - linking you directly to key reference points and resources at each stage.

20 KiB Raw Blame History Unescape Escape