Craig Smith

Car Hacking on the cheap

Blog Post created by Craig Smith on Feb 8, 2017

Metasploit’s HWBrige comes with an automotive extension. This works out of the box if you happen to have a SocketCAN compatible CAN sniffer hanging around. However, if you don’t have one, there is a decent chance you have a cheap sub $10 vehicle dongle in a drawer somewhere. If not you can probably pick one up on ebay super cheap. Metasploit supports the ELM327 and STN1100 chipsets that are very popular in these dongles. Metasploit comes with a tool to connect these devices provided your device uses a USB connector or is Bluetooth. Here is a sample of an inexpensive ELM327 Bluetooth dongle:

 

These devices are not very fast and are only meant to query diagnostic services. However, it is possible to transmit raw CAN packets with these devices. These devices are not good for sniffing, but Metasploit can use them for transmission just fine.

 

Both the USB version and the Bluetooth version speak serial. So you will need to get the ruby gem ‘serialport’

 

 

$ gem install serialport


Once that is installed go ahead and plug in your device. If it is a bluetooth device you will need to configure your system to connect to that as well:

 

$ rfcomm connect /dev/rfcomm1 "00:0D:18:AA:AA:AA"


Once your device is up and running and you know what Serial port it is connected to (check dmesg if unsure) then you are ready to start. First you must run the elm327_relay.rb program:

 

$ cd tools/hardware

$ ruby elm327_relay.rb -h

Usage: elm327_relay.rb [options]

 

Specific options:

  -b, --baud <serial_baud> (Optional) Sets the baud speed for the serial device (Default=115200)

  -s, --serial <serial_device> (Optional) Sets the serial device (Default=/dev/ttyUSB0)

  -h, --help Show this message


As you can see it takes only two parameters, the serial port and the baud of your device. Specify any changes you need from the defaults then start the relay.

 

$ ruby elm327_relay.rb -s /dev/ttyUSB1

Connected. Relay is up and running...


If you see a message that the relay is up and running then you are all set! Currently the relay’s port is hard coded to port 8080. So now from your local machine or another machine on your network with Metasploit you can connect to this relay

 

msf > use auxiliary/client/hwbridge/connect

msf auxiliary(connect) > run


 

[*] Attempting to connect to 127.0.0.1...

[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-31 13:32:40 -0800

[+] HWBridge session established

[*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true}

[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge

[!] could have real world consequences. Use this module in a controlled testing

[!] environment and with equipment you are authorized to perform testing on.

[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions


 

Active sessions

===============


 

  Id Type Information Connection

  -- ---- ----------- ----------

  1 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (127.0.0.1)


That’s it. You can run all the same post modules like post/hardware/automotive/getvinfo. Currently only the CANbus interface is supported on the ELM327s but additional protocol support maybe added. Also do not expect great speed from one of these devices. If you have a post module that floods the bus, it probably will not work very well using an ELM327 chipset.

Outcomes