• OTW

Automobile Hacking, Part 3: Metasploit for Car Hacking


Automobile or car hacking is the leading edge of the hacking/penetration testing field. With the arrival of self-driving cars in the very near future, this field will only become even more important. For some background on this field, read my articles on the CAN protocol and the SocketCAN to better understand the technologies involved.

As part of this rapid development in automobile/car hacking, one of my favorite hacking tools, Metasploit, has developed the capability and modules to connect to cars (for more on Metasploit, check out my series "Metasploit Basics" and my upcoming Metasploit Kung-Fu course that now includes car hacking with Metasploit).

If your version of Metasploit does not have the hardware module, you can always enter msfupdate to get the latest version and modules. It's important to note that Metasploit has only begun their efforts in this field and the Framework's capabilities in car hacking are fairly limited, but we expect more car hacking modules in the near future. The important task we want to address here is "How can I link my Metasploit Framework to my car's network"?

If you have read my earlier articles on automobile hacking, you understand that the dominant protocol in automobiles is CAN and that it is serial protocol. What we will be doing here is to connect to the automobile's CAN protocol via a serial interface. From there, we can send malicious traffic over the car's network with several of the pre-built modules in Metasploit.

Step #1 Acquire OBD II Connector Hardware

Let's begin by acquiring a device to connect to the automobile's ODC II connector. There are several on the market, but we will be using a relatively inexpensive, Bluetooth ODB II mini interface. I purchased one on Amazon for under $12. In comes with the ELM327 chipset that effectively communicates to the car's CAN network and connects to your system with Metasploit by Bluetooth, so you will need to have a computer with built-in Bluetooth or purchase a Bluetooth USB adapter. For more on the Bluetooth protocol, read my "Bluetooth Hacking, Part 2: Bluetooth Reconnaissance" article.

To order this Bluetooth ELM327 adapter, click on the link below.

Step #2: Install Serial Port

Now that we have our hardware in place, we need to set up the requisite software. Remember, the CAN protocol is a serial protocol, so we will need install the ruby gem "serialport" in order to "speak" serial.

kali > gem install serialport

Step #3: Connect to the Bluetooth on the ELM 327

Next, we need connect our Bluetooth adapter to talk to the ELM 327 adapter in our car. It might be worth noting here that you need to place the ELM 327 in the ODB II connector in the car and turn on the utilities in the car.

To connect to the ELM 327 device, we need its MAC address. We can use the built-in utility hcitool to scan for Bluetooth devices and provide us with the MAC address.

kali > hcitool scan

As you can see, mine returned a MAC address of 00:19:6D:36:4A:9D. Your will be different.

Now, we need to connect our Bluetooth adapter to the ELM 327 using its MAC address. Make sure that you use the MAC address between double quotes, like below.

kali > rfcomm connect /dev/rfcomm1 "00:19:6D:36:4A:9D"

Step #3: Run the ELM 327 Relay program

The next step is to run the ELM 327 relay that enables Metasploit to communicate with the ELM 327 chipset. You can find it by going /usr/share/metasploit-framework/tools/hardware.

kali > cd /usr/share/metasploit-framework/tools/hardware

kali > ls -l

Before we run it, let's take a look at its help screen.

kali > ruby elm327_relay.rb -h

As you can see, its basically requires just two parameters; the speed (default is 115200) and the serial device (default is /dev/ttyUSB0). To determine which serial device to use, check the Linux utility dmesg (display message) and grep for "tty". In my case, that was ttyS0.

Now, run the elm327 relay with the serial device and leave the speed at the default as seen below.

kali >ruby elm327_relay.rb -s /dev/ttyS0

Step #4: Start Metasploit

Now that we have configured our Kali Linux to talk to the ELM 327 device, we need to create a hardware bridge to Metasploit. Remember, Metasploit is built to communicate by TCP/IP. We need it now to communicate via the serial port with the CAN protocol native to the automobile.

First, start Metasploit.

kali > msfconsole

Then, search for the automotive modules

kali > search automotive

As you can see, there are really only a few automotive modules at this time and their capabilities are limited. Let's pray for more Metasploit automotive modules soon.

We need to use the auxiliary/client/hwbridge/connect module. We can load it by entering;

msf >use auxiliary/client/hwbridge/connect

We can obtain more information on this module by typing info after loading it.

kali > info

Finally, let's execute that module to create our hardware bridge.

msf >exploit

Step #5: Use the Metasploit Automotive Modules

Now that we have created our hardware bridge between Metasploit and the CAN protocol in the vehicle, we can begin using Metasploit's car hacking modules.

For instance, if we wanted to retrieve the vehicle's info, we could use the post/hardware/automotive/getvinfo.

msf > use post/hardware/automotive/getvinfo

When we enter info for this module, we can see that this module will query and gather all the vehicle DTCs (Diagnostic Trouble Codes) and other info such as speed, coolant temp, VIN and even clear the DTC's.

Now, we can connect our Linux system and Metasploit Framework directly to the car's network for communicating directly with the car's devices!

Look for more Automobile Hacking tutorials and my upcoming Automotive Hacking courses!


6,922 views