Introduction

This chapter collects references to public research on car hacking. It discusses a few general car hacking papers; the rest of the research is split up by target or entry point.

The 2015 Jeep Cherokee hack brought the subject to a mainstream audience and triggered a 1.4 million vehicle recall; the four earlier papers established the technical groundwork that made it possible.

Experimental Security Analysis of a Modern Automobile

Koscher et al., IEEE S&P 2010 [1]

In the first systematic empirical security evaluation of a complete production automobile, the authors of this IEEE S&P paper connected a laptop running CARSHARK, their own CAN sniffing and injection tool, to the OBD-II port of two identical late-model sedans and mapped what an attacker with network access could do. Because the CAN bus carries no source addresses and no authentication, any node can send any frame to any other, and a receiving ECU has no way to tell a spoofed frame from a genuine one.

Injecting the right messages could disengage brakes while moving, lock individual wheels, kill the engine, spoof the speedometer, and block the car from restarting. The car's telematics unit was connected to both the low-speed and high-speed CAN subnets; after reprogramming it from the low-speed side, the researchers used it as a bridge onto the high-speed bus, bypassing the BCM gateway. All attacks required prior access via the OBD-II port or a compromised ECU, a constraint the 2011 follow-on paper addressed directly.
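The property the paper finds missing, sender authentication on the bus, is the message-authentication countermeasure that the 2016 IOActive paper later proposes. The following Python sketch is an added example, not code from Koscher et al. or the CARSHARK tool: it tags each frame with a freshness counter and a truncated HMAC so that a replayed, spoofed or tampered frame is rejected. The demo key, the CAN ID 0x0C9, the 4-byte data / 1-byte counter / 3-byte tag payload split and the 16-frame counter window are assumptions chosen for illustration.

```python
"""Authenticated CAN frames with a freshness counter and truncated MAC.
Added example: not the paper's or CARSHARK's code; key, ID and layout are assumed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes          # classic CAN payload, at most 8 bytes


MAC_LEN = 3              # 24-bit truncated tag (assumed layout)
CTR_LEN = 1              # only the low byte of a 32-bit freshness counter travels on the bus
DATA_LEN = 8 - MAC_LEN - CTR_LEN   # 4 bytes left for signal data
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed, demo only


def compute_tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """The tag binds the CAN ID and the full counter, so a frame cannot be
    replayed later or re-sent under a different ID."""
    msg = struct.pack(">II", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """Legitimate ECU: increments its counter and tags every frame it emits."""
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, data: bytes) -> CanFrame:
        if len(data) != DATA_LEN:
            raise ValueError(f"expected {DATA_LEN} data bytes")
        self.counter += 1
        tag = compute_tag(self.key, self.can_id, self.counter, data)
        return CanFrame(self.can_id, data + bytes([self.counter & 0xFF]) + tag)


class Receiver:
    """Receiving ECU: rebuilds the full counter from its low byte, rejects
    anything stale or too far ahead, then checks the tag in constant time."""
    def __init__(self, key: bytes, can_id: int, window: int = 16):
        self.key, self.can_id, self.window, self.last = key, can_id, window, 0

    def verify(self, frame: CanFrame):
        """Return the signal bytes if the frame is authentic and fresh, else None."""
        if frame.can_id != self.can_id or len(frame.data) != 8:
            return None
        data = frame.data[:DATA_LEN]
        ctr_low = frame.data[DATA_LEN]
        tag = frame.data[DATA_LEN + CTR_LEN:]
        candidate = (self.last & ~0xFF) | ctr_low
        if candidate <= self.last:          # low byte wrapped, or this is a replay
            candidate += 0x100
        if candidate - self.last > self.window:
            return None                     # replay, or sender drifted too far ahead
        expected = compute_tag(self.key, self.can_id, candidate, data)
        if not hmac.compare_digest(expected, tag):
            return None                     # wrong key or tampered payload
        self.last = candidate
        return data


def demo() -> dict:
    """Run the cases a bus guard must handle; returns which ones were accepted."""
    ecu = Sender(DEMO_KEY, 0x0C9)           # hypothetical engine-status ID
    guard = Receiver(DEMO_KEY, 0x0C9)
    results = {}
    legit = [ecu.send(bytes([0x00, 0x10, i, 0x00])) for i in range(3)]
    results["legit"] = [guard.verify(f) is not None for f in legit]
    results["replay"] = guard.verify(legit[0]) is not None
    rogue = Sender(b"attacker-has-no-key", 0x0C9)
    rogue.counter = guard.last               # even a counter-aware rogue node fails the tag
    results["spoof"] = guard.verify(rogue.send(bytes([0xFF] * 4))) is not None
    f = ecu.send(bytes([0x00, 0x10, 0x03, 0x00]))
    tampered = CanFrame(f.can_id, bytes([f.data[0] ^ 0xFF]) + f.data[1:])
    results["tampered"] = guard.verify(tampered) is not None
    results["resync"] = guard.verify(ecu.send(bytes([0x00, 0x10, 0x04, 0x00]))) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The truncated tag leaves only four data bytes per classic CAN frame, which is exactly the bandwidth trade-off that kept bus-level authentication out of the vehicles studied here; a real deployment would size the tag and counter per message budget and provision keys per ECU rather than sharing one demo key.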

The CARSHARK tool developed by Koscher et al. for sniffing and injecting CAN packets. The left panel lists ECU nodes on both CAN subnets; recently updated values are highlighted. Figure from Koscher et al., 2010 (Experimental Security Analysis of a Modern Automobile).

Comprehensive Experimental Analyses of Automotive Attack Surfaces

Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno, USENIX Security 2011 [2]

Where the 2010 paper asked what an attacker could do once on the network, this USENIX Security paper asked how an attacker gets there. The same joint UW and UCSD team catalogued the external communications channels of a modern sedan, investigated representative examples in each access category, and demonstrated remote compromise through mechanics' tooling, the media player, Bluetooth, and the cellular modem.

Attack vectors were organised in three tiers: indirect physical (OBD-II port via compromised dealer tooling; CD player via a WMA parser buffer overflow; dealership Wi-Fi programmer with weak credentials); short-range wireless (Bluetooth hands-free stack overflow; TPMS receiver); and long-range wireless (cellular telematics unit, containing a modem-layer overflow that bypassed higher-level authentication and accepted audio-encoded commands over a voice call). Post-exploitation, a compromised telematics unit could serve as an IRC command-and-control node over 3G; two vehicles over a thousand miles apart responded to the same IRC command in a live demonstration. The structural finding: automotive software carried the same memory-safety vulnerabilities as desktop software but had no update infrastructure, no per-component privilege isolation, and no bus-level authentication.

Attack surface taxonomy for a modern automobile, showing external I/O channels and which ECUs they reach. Colors group ECUs by function. Figure from Checkoway et al., 2011 (Comprehensive Experimental Analyses of Automotive Attack Surfaces).

Adventures in Automotive Networks and Control Units

Miller, Valasek, DEF CON 21, 2013 [3]

This DEF CON 21 whitepaper targeted a 2010 Toyota Prius and a 2010 Ford Escape. Unlike prior work that withheld vehicle specifics, it released full CAN ID tables, packet formats, source code, and hardware instructions so other researchers could reproduce the results.

The paper covered CAN bus structure, ISO-TP framing, and key UDS diagnostic services, alongside complete ECU topology maps for both vehicles. Attack demonstrations included normal-mode CAN injection to manipulate the speedometer, steering, and braking on the Prius, and diagnostic-mode messages to engage brakes, kill the engine, and reflash the Ford Escape's Parking Assist Module with firmware extracted and disassembled from the HC12 microcontroller. A short section proposed anomaly detection based on the strict periodicity of healthy CAN traffic, prefiguring later IDPS research.

CAN v1 bus wiring diagram for the 2010 Toyota Prius, showing ECU nodes and their physical connections. Figure from Miller and Valasek, 2013 (Adventures in Automotive Networks and Control Units).

A Survey of Remote Automotive Attack Surfaces

Miller, Valasek, Black Hat USA 2014 [4]

This Black Hat survey broadened scope from two test vehicles to twenty-four production cars across model years 2006 to 2015. Each vehicle was rated on remote attack surface breadth, internal network topology, and the set of cyber-physical features that let software actuate physical systems.

For each vehicle the authors mapped every ECU with a wireless interface against the safety-critical ECUs it could reach. Forty-two percent of 2014 model-year vehicles had no segmentation between at least one cyber-physical ECU and one with a remote attack surface. The 2014 Jeep Cherokee ranked highest: its Uconnect radio handled Bluetooth, cellular, Wi-Fi, FM RDS, and app connectivity while sitting directly on CAN-C alongside the ABS, electric power steering, and adaptive cruise ECUs, forming a complete three-stage attack chain. Miller and Valasek found the needed software bugs the following year, documented in the next section. The paper also noted that manufacturer patching still largely depended on dealer visits rather than automated OTA updates as of July 2014.

Network architecture of the 2014 Jeep Cherokee, showing the Uconnect radio (with Bluetooth, cellular, and internet connectivity) directly bridging onto CAN-C alongside safety-critical ECUs including ABS and power steering. Figure from Miller and Valasek, 2014 (A Survey of Remote Automotive Attack Surfaces).

Remote Exploitation of an Unaltered Passenger Vehicle

Miller, Valasek, IOActive 2015 [5]

Published in August 2015, this IOActive whitepaper delivered the first complete end-to-end remote exploit against a production vehicle with no prior physical access and no vehicle modifications required. The target was a 2014 Jeep Cherokee running the Harman Uconnect 8.4AN head unit on QNX 6.5.0. The Uconnect system held an IP address reachable from other Sprint devices, though not from the public internet, and an unauthenticated D-Bus service accepted arbitrary shell commands from any caller. By scanning Chrysler's allocated cellular IP ranges from a Sprint-connected host, Miller and Valasek could connect to vulnerable vehicles anywhere in the United States and obtain a QNX shell from a laptop miles away.

Gaining shell access to the head unit was only the first stage. The Uconnect OMAP SoC communicated with a NEC V850 microcontroller over SPI; the V850 bridged both the CAN-IHS and CAN-C buses and relayed messages to every ECU in the vehicle. The authors reversed the SPI protocol, discovered an undocumented debug command, and reflashed the V850 with modified firmware that forwarded arbitrary CAN frames from the OMAP. Because V850 firmware updates were accepted without any code-signing verification, this step required no additional vulnerability. With the bridge active, the researchers could disable the transmission, spoof gauges, control body functions, and, at low speeds where diagnostic sessions were accepted, affect brakes and steering through the relevant ECUs.

The disclosure timeline began in October 2014 with the D-Bus finding and concluded with FCA releasing a patch on July 16, 2015, followed by a voluntary recall of 1.4 million vehicles five days later. The Sprint network independently blocked port 6667 traffic. The paper's influence extended beyond FCA: Tesla's subsequent adoption of OTA firmware code signing is widely attributed in part to the attention this research generated.

Uconnect touchscreen displaying a firmware update prompt, used in the USB-based jailbreak that established the initial code execution path. Figure from Miller and Valasek, 2015 (Remote Exploitation of an Unaltered Passenger Vehicle).

CAN Message Injection - OG Dynamite Edition

Miller, Valasek, IOActive 2016 [6]

Published in June 2016, this IOActive follow-up examined a question left open by the 2015 Jeep paper: given arbitrary CAN message injection, how much physical control is actually achievable, and why do naive injection attempts often fail?

The core problem is what the authors call confliction. Every legitimate ECU broadcasts its messages continuously at a fixed interval. When an attacker injects an adversarial message with the same CAN ID, the receiving ECU sees two conflicting streams. Safety-critical ECUs in the Jeep resolved confliction by disabling the contested feature rather than acting on either message, which meant flooding the ABS module disabled braking rather than applying it. The paper described three approaches to overcome this: placing the transmitting ECU into a diagnostic session to halt its normal messages, forcing it into Bootrom mode, or fully reflashing it to eliminate the conflicting sender. A fourth technique, analysing how the receiving ECU processes incoming data and exploiting edge cases in that logic, was demonstrated against the Power Steering Control Module. Combining these methods, the authors achieved braking, acceleration via cruise control emulation, and steering on both the Jeep Cherokee and a Toyota Prius. The paper also proposed several defensive countermeasures, including message authentication and anomaly detection on CAN timing.
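The periodicity-based anomaly detection sketched in the 2013 paper, and listed again above as a countermeasure in the 2016 paper, rests on one observation: a healthy ECU emits each ID at a fixed interval, so a second sender under the same ID shows up as inter-arrival times far below that interval. The detector below is an added example, not Miller and Valasek's code. The bus trace is constructed; the CAN IDs 0x0C9 and 0x1A3, their 10 ms and 20 ms periods, the 20-frame training window and the 50% tolerance are assumptions.

```python
"""Periodicity-based CAN intrusion detection over a constructed trace.
Added example, not Miller and Valasek's code; IDs, periods and thresholds are assumed."""
import random
from collections import defaultdict
from statistics import median


def build_trace(inject: bool = True):
    """Constructed bus log of (timestamp_s, can_id, data). IDs and payloads are
    hypothetical placeholders, not real Jeep or Prius identifiers."""
    rng = random.Random(1)                    # seeded so the trace is reproducible
    frames = []
    for i in range(60):                       # 0x0C9 nominally every 10 ms
        t = i * 0.010 + rng.uniform(-0.0005, 0.0005)
        frames.append((t, 0x0C9, bytes([0x00, 0x10, i & 0xFF, 0x00])))
    for i in range(30):                       # 0x1A3 nominally every 20 ms, never attacked
        t = i * 0.020 + rng.uniform(-0.0005, 0.0005)
        frames.append((t, 0x1A3, bytes([0x7F, 0x00])))
    if inject:
        # From t = 300 ms a second node floods 0x0C9 every 2 ms: the receiving
        # ECU now sees two conflicting streams under one ID (the confliction case).
        for k in range(10):
            frames.append((0.300 + k * 0.002, 0x0C9, bytes([0xFF, 0xFF, 0x00, 0x00])))
    frames.sort(key=lambda f: f[0])
    return frames


def detect(frames, train_count: int = 20, tolerance: float = 0.5, allowed_ids=None):
    """Learn each ID's nominal period from its first `train_count` frames, then flag
    any frame arriving sooner than `tolerance` * period after the previous one.
    IDs outside `allowed_ids` (if given) are flagged outright. Returns (alerts, periods)."""
    last_seen = {}
    samples = defaultdict(list)               # inter-arrival samples during training
    period = {}                               # learned median period per ID
    alerts = []
    for t, can_id, _data in frames:
        if allowed_ids is not None and can_id not in allowed_ids:
            alerts.append({"t": round(t, 4), "id": can_id, "reason": "unknown id"})
            continue
        if can_id in last_seen:
            delta = t - last_seen[can_id]
            if can_id not in period:
                samples[can_id].append(delta)
                if len(samples[can_id]) >= train_count - 1:
                    period[can_id] = median(samples[can_id])
            elif delta < tolerance * period[can_id]:
                alerts.append({"t": round(t, 4), "id": can_id, "reason": "too fast",
                               "delta_ms": round(delta * 1000, 3),
                               "period_ms": round(period[can_id] * 1000, 3)})
        last_seen[can_id] = t
    return alerts, period


if __name__ == "__main__":
    found, periods = detect(build_trace())
    print({hex(k): round(v * 1000, 2) for k, v in periods.items()}, "ms")
    for a in found:
        print(a)
```

On the injected trace every alert lands inside the 300 to 320 ms flood and names only 0x0C9; the 0x1A3 stream, which keeps its 20 ms cadence, is never flagged. Note that the detector sees the conflict, not the culprit: the legitimate frames that arrive shortly after an injected one are flagged too, so a production IDS would treat a burst of alerts on one ID as a single incident rather than attributing blame per frame.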

References

[1] Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy (IEEE S&P), 2010.
[2] Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security, 2011.
[3] Miller, Valasek. Adventures in Automotive Networks and Control Units. IOActive / DEF CON 21, 2013.
[4] Miller, Valasek. A Survey of Remote Automotive Attack Surfaces. Black Hat USA, 2014.
[5] Miller, Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. IOActive, August 2015.
[6] Miller, Valasek. CAN Message Injection — OG Dynamite Edition. IOActive, June 2016.