Analytics

7/2/2019
01:00 PM
Toyota's Car-Hacking Tool Now Available

'PASTA' hardware and software kit now retails for $28,300.

Toyota officially has begun offering a commercial version of its new Portable Automotive Security Testbed (PASTA) open source testing platform for researchers and nascent car-hacking experts.

The carmaker rocked the cybersecurity industry with the introduction of PASTA last December at Black Hat Europe in London, where Toyota's Tsuyoshi Toyama, a member of Toyota's InfoTechnology Center, along with his Toyota colleague Takuya Yoshida, demonstrated the tool, which sits in an 8-kilogram portable stainless steel briefcase. Automakers traditionally had dismissed cybersecurity research that exposed security holes in automated and networked features in car models, so Toyota's homegrown tool represented a major shift in the auto industry.

The PASTA hardware and software tool product sells for $28,300, including the steel briefcase, so the commercial version isn't necessarily geared for the newbie hobbyist. Toyota earlier this year placed PASTA's open source specifications on GitHub, including those of the platform itself, CAN (controller area network) ID maps, ECU (engine control unit) program codes, and ECU circuit diagrams for vehicle testing.

The PASTA car-hacking tool (Source: Toyota)

PASTA allows researchers to study how a car's engine control units (ECUs) operate, as well as the CAN protocol used for communicating among elements of the vehicle, and to test vulnerabilities and exploits. It's not, however, meant for live, moving-vehicle hacking and testing such as that pioneered by researchers Charlie Miller and Chris Valasek.

The tool includes four ECUs as well as LED panels that the researcher can control to run tests of car system operation or to simulate attacks such as injecting malicious CAN messages. It also contains OBD-II and RS232C ports, as well as a port for debugging or binary hacking.
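As an added illustration, not code from the article or from Toyota's PASTA repository, of the kind of check a defender builds around a published CAN ID map: a small Python scanner over constructed candump-style log lines that flags frames whose arbitration ID is not in the map, or periodic frames arriving far faster than their expected period, which is how injected messages typically stand out. The ID map, periods and log lines below are hypothetical.

```python
import re

# Constructed stand-in for a CAN ID map (hypothetical IDs, not Toyota's):
# arbitration ID -> (signal name, expected transmit period in seconds).
CAN_ID_MAP = {
    0x024: ("engine_rpm", 0.010),
    0x0B4: ("vehicle_speed", 0.020),
    0x1C4: ("turn_signal", 0.100),
}

# candump-style line: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample capture: a normal 10 ms engine_rpm stream with one
# frame injected 2 ms after the previous one, then a frame with an unmapped ID.
SAMPLE_LOG = [
    "(0.000) vcan0 024#0A00",
    "(0.010) vcan0 024#0A10",
    "(0.012) vcan0 024#FFFF",  # injected: far too early for a 10 ms signal
    "(0.020) vcan0 024#0A20",
    "(0.020) vcan0 0B4#0030",
    "(0.025) vcan0 3FF#00",    # ID not present in the map
]

def parse_frame(line):
    """Return (timestamp, arbitration_id, payload_bytes) for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable CAN log line: {line!r}")
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])

def find_suspicious_frames(lines, tolerance=0.5):
    """Flag unmapped IDs and periodic IDs that arrive earlier than
    tolerance * expected period after their previous frame."""
    last_seen = {}
    findings = []
    for line in lines:
        ts, can_id, _data = parse_frame(line)
        if can_id not in CAN_ID_MAP:
            findings.append((ts, can_id, "unknown arbitration ID"))
            continue
        name, period = CAN_ID_MAP[can_id]
        if can_id in last_seen and ts - last_seen[can_id] < period * tolerance:
            findings.append((ts, can_id, f"{name} arrived early (possible injection)"))
        last_seen[can_id] = ts
    return findings

if __name__ == "__main__":
    for ts, can_id, reason in find_suspicious_frames(SAMPLE_LOG):
        print(f"{ts:.3f} 0x{can_id:03X}: {reason}")
```

A timing check like this only covers periodic signals; event-driven IDs need a different baseline, such as payload plausibility against the ECU's known value ranges.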

The Toyota developers also envision PASTA being employed for R&D purposes on real vehicles: a carmaker could test-run the impact of a third-party feature on the vehicle's security, for example.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
tdsan (User Rank: Ninja), 7/22/2019 | 7:37:44 AM
This looks like an old computer system

I would like to see this application turned into a phone application where the end devices are connected to the mini-USB port. I could see this put into a smaller form factor where the application can be installed and taken anywhere. - Todd

Also, Mark, you made some good points about using this tool to create a use case or identify ways in which to show they have a solid product. But this can be skewed where the hacker will think of a multitude of ways to attack this system. It is good; hopefully they will continue to evolve this product and make it smaller and smarter, or as indicated above.

MarkSindone (User Rank: Moderator), 7/22/2019 | 7:35:55 AM
Test and tested
It is highly remarkable for any company at all to actually welcome security experts to try to hack into their system. However, it is the only move to test and prove their capability in this area. If the pros cannot penetrate into their platform, they have just proven themselves. It is a smart way to get professional advice without even having to pay them.
CameronRobertson (User Rank: Moderator), 7/22/2019 | 5:22:43 AM
Do it right!
Now this is the way that companies need to go about making sure that their products are safe! I reckon if you offer a reward to people who can hack into a dummy system, people would be (slightly) less inclined to go hacking into the actual system. Of course they've got to be careful that hackers won't have actual access to sensitive information and controls if they succeed though. That would be asking for trouble!