The Art of Car Hacking, Demonstrated by Toyota Itself

The practice of counter-hacking is very important for companies today, as they spend for research and development, funding for ways to be a step ahead from the hackers will help protect their brand from future cyber attacks. This is what Toyota security team is doing, as they sent two representatives to the 2018 Black Hat Europe in London. Their names are Takuya Yoshida and Tsuyoshi Toyama of Toyota, Japan’s InfoTechnology Center.

They revealed their breakthrough in open source car hacking, a new utility dubbed “Portable Automotive Security Testbed” (PASTA). Toyota is set to officially publish the PASTA source code to Github, and also packaged the app with the corresponding hardware for sale, for other professionals who are interested with learning how to use it.

From the outset, the device is no larger than a typical briefcase, containing all the hardware, including a corresponding connector which can check a car for vulnerabilities.

The open-source building tool is said to innovate how car vendor companies will treat a product, cars are not just vehicles for transportation, they are also computers in their own right. It is also very generous for Toyota in funding for a project which it decided not to monopolize, but rather make it inclusive for everyone to use in their car manufacturing as well.

The duo’s official presentation can be viewed in Black Hat Europe 2018’s site, Toyota’s entry to the cybersecurity research operates under the Philosophy anchoring on being open, adaptable, safe and portable. With the device, it is possible to remote control a Toyota car, with the attacker able to drive the car without being inside the car’s driver seat.

Toyota also laid-out the features of the device and what set it apart compared with closed-source alternatives currently sold both openly and in the dark web.

“PASTA has two features that enable practical research, development, and evaluation of vehicle cybersecurity technologies. First, we used non-proprietary technologies to develop PASTA. Researchers can customize it themselves. Second, some of the internal operations of PASTA are displayed in three formats: 1) status display on the attached monitor, 2) physically moving a scale-model vehicle, and 3) with the software vehicle simulator,” explained the Toyota representatives.

Toyota sets the goal for PASTA as an education tool, not just for hackers, but also the curious car enthusiasts. Many of them are just starting to learn the computing-related functionalities of modern cars and discover their vulnerabilities if not checked on a regular basis.

“PASTA uses non-proprietary technology and visualizes vehicle behavior from in-vehicle network messages. This testbed is expected to provide a new platform for vehicle security, which will accelerate research and development. When conducting experiments assuming a specific type of vehicle, it is difficult to completely release the research results. This is because OEMs tend to keep communication between the ECUs in the vehicle, the topology of the in-vehicle network, and countermeasures against expected attacks confidential. Once researchers release their activities, anyone can determine the vulnerabilities of a specific vehicle and confidential specifications and intellectual property,” added Toyota.

Being the first to move in the area of hacking their own cars, Toyota is confident that even if blackhat hackers will check-out PASTA, their own research team and the community of hackers that will learned PASTA system first from Github will be several steps ahead.