So you CAN turn an entire car into a video game controller – Source: go.theregister.com

Cybersecurity nerds figured out a way to make those at-home racing simulators even more realistic by turning an actual car into a game controller.

The UK’s Pen Test Partners (PTP) has an in-house car that’s used for various automotive security research. They thought that their 2016 Renault Clio, which they bought from a dealership down the road from PTP’s HQ, could be a “silly” way of showing aspiring security pros how to work with car data.

Controller Area Network (CAN) data is sent between vehicles and other devices via electronic control units (ECUs) and is what’s used to signal different operations being engaged, like braking and accelerating.

As such, anyone who wants to tinker with cybersecurity in the automotive space for a living must have a strong understanding of how to collect and manipulate CAN data, and who doesn’t love gamified learning?

It was by isolating those CAN data signals sent to initialize the Clio’s brakes, steering, and acceleration that the PTP experts were able to map those controls to SuperTuxKart, a FOSS Mario Kart-like game, using Python.

Resident hardware hacker David Lodge said he used a cheap wire splicer on the CAN wires before trying to decode the data, and which messages sent by the Clio’s functions should be isolated.

It required some diligent searching through documentation, using open source Clio-code-deciphering tools, and simply pressing pedals and turning the steering wheel to see which arbitration IDs corresponded to the controls that needed to be mapped.

Lodge wrote: “Once you get the electrical state right and know the bus speed (which I used a Kvaser Leaf Pro for), a standard CAN packet consists of an 11-bit arbitration ID, 8 octets of data, and a selection of flags and metadata about the packet.

“Because CAN packets are so small (8 octet payload) and there are only a small number of arbitration IDs (0x800, or 2048 in decimal), and smaller arbitration IDs have a higher priority, often messages go down to specific bits within the packet. Several CAN database formats refer to the packet as a stream of bits rather than using octets, but my mind works in octets.”

• Researchers remotely exploit devices used to manage safe aircraft landings and takeoffs
• Fisher Price’s Bluetooth reboot of pre-school play phone has adult privacy flaw
• Pen Test Partners: Boeing 747s receive critical software updates over 3.5″ floppy disks
• Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners

Armed with the data needed to translate the CAN signals into video game controller input, Lodge found that a simple Python input device wasn’t cutting it. The steering wheel was executing far too many up-down-left-right button presses, leading to delayed in-game response.

He settled on re-architecting the CAN bus, changing it from injecting a key press to updating a state machine using the CAN data.

Brakes were easy, since these are essentially on/off functions, but steering caused some issues. This was largely because the Clio wasn’t moving, which meant those who tried to steer as much in-game as they would on a real race track would be wearing down the tires on the exhibition floor. Making the steering threshold small fixed this to a degree.

Lodge was unable to map a Clio button to use in-game items like bananas and speed boosts, which he dreamed of launching using the Clio’s horn, but the button does not transmit signals using CAN data.

A short deadline meant he didn’t link up the car’s speedometer, but with a longer lead time he said it could be done by sending messages to the Clio’s instrument cluster.

Swatting away draining batteries, frequent system crashes, and the Clio’s engine automatically switching off after five minutes, the team was able to get some good demonstrations in, as you can briefly see in a video of the project. ®