Toyota has officially begun offering a commercial version of its new Portable Automotive Security Testbed (PASTA), an open source testing platform for researchers and nascent car-hacking experts.
The carmaker rocked the cybersecurity industry with the introduction of PASTA last December at Black Hat Europe in London, where Tsuyoshi Toyama, a member of Toyota's InfoTechnology Center, and his Toyota colleague Takuya Yoshida demonstrated the tool, which sits in an 8-kilogram portable stainless steel briefcase. Automakers traditionally had dismissed cybersecurity research that exposed security holes in automated and networked features in car models, so Toyota's homegrown tool represented a major shift in the auto industry.
The PASTA hardware and software product sells for $28,300, including the steel briefcase, so the commercial version isn't necessarily geared toward the newbie hobbyist. Toyota earlier this year placed PASTA's open source specifications on GitHub, including those of the platform itself, CAN (controller area network) ID maps, ECU (engine control unit) program codes, and ECU circuit diagrams for vehicle testing.
PASTA allows researchers to study how a car's engine control units (ECUs) operate, as well as the CAN protocol used for communicating among elements of the vehicle, and to test vulnerabilities and exploits. It's not, however, meant for live, moving-vehicle hacking and testing such as that pioneered by researchers Charlie Miller and Chris Valasek.
The tool includes four ECUs as well as LED panels that the researcher can control to test the operation of the car system or to simulate attacks such as injecting malicious CAN messages. It also contains OBD-II and RS232C ports, as well as a port for debugging or binary hacking.
The Toyota developers also envision PASTA being employed for R&D purposes on real vehicles: a carmaker could test-run the impact of a third-party feature on the vehicle's security, for example.