Vulnerabilities / Threats

12/5/2018
02:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Toyota Builds Open-Source Car-Hacking Tool

'PASTA' testing platform specs will be shared via open-source.

BLACK HAT EUROPE 2018 – London – A Toyota security researcher on his flight from Japan here to London carried on-board a portable steel attaché case that houses the carmaker's new vehicle cybersecurity testing tool.

Takuya Yoshida, a member of Toyota's InfoTechnology Center, along with his Toyota colleague Tsuyoshi Toyama, are part of the team that developed the new tool, called PASTA (Portable Automotive Security Testbed), an open-source testing platform for researchers and budding car hacking experts. The researchers here today demonstrated the tool, and said Toyota plans to share the specifications on Github, as well as sell the fully built system in Japan initially.

What makes the tool so intriguing – besides its 8 kg portable briefcase size – is that automobile manufacturers long had either ignored or dismissed cybersecurity research exposing holes in the automated and networked features in their vehicles. Toyota's building this tool and sharing its specifications via open source is a major shift for an automaker.


Toyota's Tsuyoshi Toyama (left) and Takuya Yoshida (right) show off the PASTA testing platform at Black Hat Europe.
Toyota's Tsuyoshi Toyama (left) and Takuya Yoshida (right) show off the PASTA testing platform at Black Hat Europe.

"There was a delay in the development of cybersecurity in the automobile industry; [it's] late," Toyama - the research lead in the PASTA project - said in the pair's talk here today. Now automakers including Toyota are preparing for next-generation attacks, he said, but there remains a lack of security engineers that understand auto technology.

That was a driver for the tool: to help researchers explore how the car's engine control units (ECUs) operate, as well as the CAN protocol used for communicating among elements of the vehicle, and to test out vulnerabilities and exploits.

Toyama said the tool isn't meant for the live, moving-car hacking that Charlie Miller and Chris Valasek performed: the goal was to offer a safe platform for researchers who may not have the expertise of Miller and Valasek, for example. It simulates remote operation of wheels, brakes, windows, and other car features rather than "the real thing," for safety reasons. "It's small and portable so users can study, research, and hack with it anywhere."

The PASTA platform holds four ECUs inside, as well as LED panels that are controllable by the researcher to run any tests of the car system operation, or attacks such as injecting CAN messages. It includes ODBII and RS232C ports, as well as a port for debugging or binary hacking, he said.

"You can modify the programming of ECUs in C" as well, he said.

The researchers integrated the tool with a driving simulator program, as well as with a model car to demonstrate some ways it can be used. PASTA also can be used for R&D purposes with real vehicles: that would allow a carmaker to test how a third party feature would affect the vehicle and its security, or reprogram firmware, for example.

Toyota plans to later add to PASTA Ethernet, LIN, and CAN FD, as well as Wi-Fi, Bluetooth, and cellular communications features for testing. 

PASTA soon will be available on Github, the researchers said.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Apprentice
12/14/2018 | 3:05:20 AM
Hit or miss
I bet the hackers of the world are just waiting for Toyota to launch some competition for this now. It's probably going to be the best way to test if their security team has done a good enough job trying to protect their fleet of cars isn't it? The results will either make or break them though! Tread carefully Toyota!
EdwardThirlwall
50%
50%
EdwardThirlwall,
User Rank: Apprentice
1/3/2019 | 9:05:42 AM
Always improving
It is good to see organizations from different sectors always improving their processes as we evolve forward with time. Progress is key if we would like to see changes being applied towards our own advantage. As we excel, we wouldn't want to know that there is still a small portion that is being left behind without much improvements along the way.
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8948
PUBLISHED: 2019-02-20
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
CVE-2019-8950
PUBLISHED: 2019-02-20
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-8942
PUBLISHED: 2019-02-20
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c...
CVE-2019-8943
PUBLISHED: 2019-02-20
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...
CVE-2019-8944
PUBLISHED: 2019-02-20
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.