Building a Car Hacking Development Workbench: Part 1
There is a vast body of knowledge hiding inside your car. Whether you are an
auto enthusiast, developer, hobbyist, security researcher, or just curious about
vehicles, building a development bench can be an exciting project to facilitate
understanding and experimentation without risking possible damage to your
vehicle. This is a perfect project for people of a wide range of ages and skill
levels. Even if you have never worked on a car before, or you do not feel like
Metasploit Framework Valentines Update
Valentines day is just around the corner! What could be a nicer gift for your
sweetie than a bundle of new Metasploit Framework updates? The community has
been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and
interesting new features.
Everyone Deserves a Second Chance
Meterpreter Scripts have been deprecated for years
[https://github.com/rapid7/metasploit-framework/pull/3812] in favor of Post
Exploitation modules, which are much more flexible and easy to debug.
Car Hacking on the Cheap
Metasploit's HWBrige comes with an automotive extension. This works out of the
box if you happen to have a SocketCAN compatible CAN sniffer hanging around.
However, if you don't have one, there is a decent chance you have a cheap sub
$10 vehicle dongle in a drawer somewhere. If not you can probably pick one up on
ebay super cheap. Metasploit supports the ELM327 and STN1100 chipsets that are
very popular in these dongles. Metasploit comes with a tool to connect these
devices provided your device
Exiting the Matrix: Introducing Metasploit's Hardware Bridge
Follow the white rabbit...
Metasploit is an amazing tool. You can use it to maneuver through vast networks,
pivoting through servers and even embedded OSes. Having a single interface for
your team and yourself to control a web of servers and networks is extremely
powerful. But sometimes you want to do more than control the virtual world. You
want to control the physical world. You need to exit the Matrix.
We recently announced a new addition to Metasploit to help you do exactly that:
Hacking Cars is Sexy
Five years ago, if you wanted to publicly demonstrate a car hack it usually
meant you would (at the very least) get a series of cease and desist letters.
Of course this made it very hard for researchers to report problems. If a
security researcher found something that they were concerned about and wanted to
see it addressed, they would turn to the vendor to try and get it fixed.
Unfortunately, automaker's websites didn't have a place to report security
findings. You could try contacting supp
Rapid7 Supports Researcher Protections in Michigan Vehicle Hacking Law
Yesterday, the Michigan Senate Judiciary Committee passed a bill – S.B. 0927
that forbids some forms of vehicle hacking, but includes specific protections
for cybersecurity researchers. Rapid7 supports these protections. The bill is
not law yet – it has only cleared a Committee in the Senate, but it looks poised
to keep advancing in the state legislature. Our background and analysis of the
bill is below.