At the Black Hat Asia conference in Singapore this week, Eric Evenchick, a hacker and former intern at Tesla, presented an open-source toolkit designed to interact with the Controller Area Network (CAN) bus that controls most of the functions in many connected cars.
Called CANard, the Python-based system was designed as a tool to help hackers and researchers identify security vulnerabilities in these networks, which can control nearly every function of the car.
Evenchick also developed hardware that will enable users to connect the toolkit to the car. Called CANtact, the device is a CAN-to-USB interface and is available for just $59.95. Evenchick told Forbes that he currently has only about 100 units of the device available for sale, which he plans to begin shipping in July. He has also made the source code and design files available on GitHub and has invited others to build their own similar devices.
In his own experience with the device, Evenchick says he has already found multiple weaknesses, telling Forbes that in many cases, "you have the ability to read and write data that you really shouldn't."
Evenchick also told Forbes that he wants to make it easier for people to probe connected car systems for weaknesses, largely because car manufacturers tend to keep their systems closed to the outside security community. By designing a tool that can search for these vulnerabilities, Evenchick is enabling hackers to see what kinds of weaknesses made it to the market.
One such weakness was made public in January, when Corey Thuen of Digital Bond Labs reverse-engineered the Snapshot device that Progressive Insurance gives out to customers to monitor their driving habits for insurance purposes. Thuen claimed that the location and activity data sent from the device, which plugs into the OBD-II diagnostic port and uses the car's CAN bus to collect that data, is not encrypted before it is sent to Progressive's servers. The security vulnerabilities could potentially have enabled a hacker to control the vehicle.