The Hitchhiker's Guide to Hacking Connected Cars: ECUs Demystified
“Tell me and I forget, teach me and I may remember, involve me and I learn.” ― Benjamin Franklin
History of Electronic Control Units
In 1769, the first automobile powered by a steam engine appeared, and more than a century later, in 1888, the first combustion-engine-powered automobile came to market. The first cars on the road were mechanical constructs and were pneumatically operated. Computers didn't begin to be implemented in automobiles until the 1980s, and today the majority of a modern automobile's functions are controlled by computers, or more specifically by ECUs (Electronic Control Units). Many of the early ECUs implemented in automobiles performed basic functions, such as limiting the RPM the engine could rev up to, managing the fuel mixture, ignition timing, idle speed, and variable valve timing, as well as electronic valve control.
Today's Electronic Control Units
Today's ECUs are far more advanced; many are embedded systems that process inputs from sensors using microprocessors in real time. Many ECUs contain Random Access Memory (RAM), run embedded real-time operating systems, and have input/output interfaces to the different in-vehicle network fabrics, such as CAN bus, MOST, or FlexRay. ECUs take input from the different sensors in the automobile (for example, the anti-lock brakes), process that input, and perform a resulting action.
There is also an ECU that controls the airbag system, one of the most important safety features in the vehicle. Once it receives signals from the crash sensors, it processes this data to decide which, if any, airbags should be triggered.
It may be easier to understand ECUs with an example. Have you ever placed something in the front passenger seat of your car and received a notification that the airbag was disabled? This is because there is an ECU that assumes a person is seated in that seat and, because of the weight, assumes that it's a child. It processed this information from the sensors in the seat and took action to disable the airbags, as they can oft-times cause significant injury or death to children, who shouldn't really be in the front seat anyway.
But I digress, as that's another article for another day.
A modern car today can have more than 100 ECUs, has the computing power of 20 personal computers, features about 100 million lines of programming code, and processes up to 25 gigabytes of data an hour.
Driving this rapid innovation in the auto industry is consumer demand. According to McKinsey, who interviewed industry players and surveyed almost 2,000 new-car buyers from Brazil, China, Germany, and the United States for their report, 13 percent of buyers are no longer prepared to even consider a new vehicle without Internet access, and more than a quarter already prioritize connectivity over features such as engine power and fuel efficiency.
Telematics Control Units
A Telematics Control Unit (TCU) sits on the “edge” of the in-vehicle network almost like a router or bridge on a traditional computer network. However, unlike a router, a TCU contains numerous communication interfaces, most commonly Bluetooth and WiFi for communication with ECUs on the in-vehicle network and GSM for communication to the outside world, such as the OEM’s backend servers.
The word “telematics” is a combination of telecommunications and informatics. It is any integrated use of telecommunications with machine information technology.
Some people confuse telematics with GPS, but they are not the same. Telematics systems use GPS signals to locate and track your assets, but provide much more information on top of that. A telematics system takes the GPS coordinates from the connected car plus information from that asset's computer systems, and sends this data over a cellular connection to a server where it can be analyzed by the OEM. TCUs don't just exist in connected cars; they are now often installed in fleets of heavy trucks and off-road equipment for tracking, for example. A number of original equipment manufacturers make TCUs that are implemented in connected cars during production, and there is a growing number of aftermarket TCUs as well.
When performing penetration testing against connected cars, we'll typically target the TCU's GSM interface in an attempt to ultimately send/receive signals on the CAN bus. More on this in The Hitchhiker's Guide To Hacking Connected Cars: Methodology and Jump Kit Readiness. It's important to note that the TCU will oft-times connect with the Head Unit (HU) or Infotainment System wirelessly, where the HU acts as the wireless access point (AP) and the TCU acts as the wireless client, as discussed in the next section.
The Head Unit (HU), often referred to as the infotainment system, is the central nerve center of the automobile's audio and information system and has evolved into a secondary control panel for controlling and configuring different components in the vehicle. It is the graphical user interface (GUI), if you will, for managing almost every facet of a connected car. This includes audio controls, such as setting the audio source, volume, bass, and treble, but now, depending on the car, it also allows the driver to configure the color of the LED lights inside the car, enable/disable door chimes, configure rear-view and side-view cameras, and more.
While HUs are pre-installed by the automaker in production, a large aftermarket industry of third-party infotainment systems exists, many of which offer so many advanced features that they are beginning to exceed those offered by the originally installed HU. For example, many aftermarket HUs now offer a wireless Apple® CarPlay option, such as the Alpine iLX-107, that no longer requires users to connect their iPhone or iPod with a USB cable; a much sought-after feature in stock HUs.
While this article has been somewhat of a circuitous journey through the inimitable tacit knowledge of automotive prose that I've obtained over the last five years of penetration testing HUs and TCUs, each article will take you one step closer to understanding the tactics, techniques, and procedures for performing penetration testing and risk assessments of connected cars.
This series first started with building your penetration testing lab and hacking connected cars through GSM. However, this second article in the series rewinds, starting with the most abecedarian information in vehicular mechatronics on what may be a very esoteric topic for many of you who are new to penetration testing of cyber-physical vehicles. In our next article, I will cover more foundational knowledge in automotive mechatronics, specifically in-vehicle networking, V2X, 802.11p, and other vehicular protocols.
McKinsey & Company (2014). What's Driving The Connected Car. Retrieved from https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/whats-driving-the-connected-car