Toyota Builds Open-Source Car-Hacking Tool
‘PASTA’ testing platform specs will be shared via open-source.
BLACK HAT EUROPE 2018 – London – A Toyota security researcher on his flight
from Japan here to London carried on-board a portable steel attaché case that
houses the carmaker’s new vehicle cybersecurity testing tool.

Takuya Yoshida, a member of Toyota’s InfoTechnology Center, and his
Toyota colleague Tsuyoshi Toyama are part of the team that developed the new
tool, called PASTA (Portable Automotive Security Testbed), an open-source
testing platform for researchers and budding car hacking experts. The
researchers here today demonstrated the tool, and said Toyota plans to share
the specifications on GitHub, as well as sell the fully built system in Japan

What makes the tool so intriguing – besides its 8 kg portable briefcase size –
is that automobile manufacturers long had either ignored or dismissed
cybersecurity research exposing holes in the automated and networked features
in their vehicles. Toyota’s building this tool and sharing its specifications
via open source is a major shift for an automaker.

Toyota’s Tsuyoshi Toyama (left) and Takuya Yoshida (right) show off the PASTA
testing platform at Black Hat Europe.

“There was a delay in the development of cybersecurity in the automobile
industry; [it’s] late,” Toyama said in the pair’s talk here today. Now
automakers including Toyota are preparing for next-generation attacks, he
said, but there remains a lack of security engineers that understand auto

That was a driver for the tool: to help researchers explore how the car’s
engine control units (ECUs) operate, as well as the CAN protocol used for
communicating among elements of the vehicle, and to test out vulnerabilities
and exploits.

Toyama said the tool isn’t meant for the live, moving-car hacking that Charlie
Miller and Chris Valasek performed: the goal was to offer a safe platform for
researchers who may not have the expertise of Miller and Valasek, for example.
It simulates remote operation of wheels, brakes, windows, and other car
features rather than “the real thing,” for safety reasons. “It’s small and
portable so users can study, research, and hack with it anywhere.”

The PASTA platform holds four ECUs inside, as well as LED panels that are
controllable by the researcher to run any tests of the car system operation,
or attacks such as injecting CAN messages. It includes OBD-II and RS232C ports,
as well as a port for debugging or binary hacking, he said.

“You can modify the programming of ECUs in C” as well, he said.

The researchers integrated the tool with a driving simulator program, as well
as with a model car to demonstrate some ways it can be used. PASTA also can be
used for R&D purposes with real vehicles: that would allow a carmaker to test
how a third-party feature would affect the vehicle and its security, or
reprogram firmware, for example.

Toyota plans to later add Ethernet, LIN, and CAN FD to PASTA, as well as
Wi-Fi, Bluetooth, and cellular communications features for testing.

PASTA soon will be available on GitHub, the researchers said.