The Coming Battle Over Hacking Your Own Car

I’m ambivalent about my car, a 2013 Ford C-Max. Ford feels the same, discontinuing the model five years after launch. But when my wife and I bought it, the hybrid crossover seemed modern, even cutting-edge. It had Bluetooth phone pairing, a touchscreen, and voice recognition. Back then, a car that could read your text messages out loud felt like today’s self-driving Tesla.

SYNC 2 (a.k.a. “SYNC with myFord Touch,” or “SYNC by Microsoft”), in all its misguided, insensitive, bizarre-color-scheme glory.

But the car’s dash system, “SYNC with MyFord Touch” (or “SYNC 2”), turned out to be even more awkward and useless than its name. The voice recognition was worthless, the touch input insensitive. SYNC would randomly erase Bluetooth pairings from memory, or kill the car battery updating the satellite radio overnight. Useless software updates made you keep the engine running for 35 minutes. My loathing of SYNC 2 was matched by Consumer Reports, which considered it an actual safety hazard, as did reviewers like J.D. Power and the New York Times.

There didn’t seem to be any real fix. The 8-inch SYNC screen isn’t a standard stereo you can swap out. Ford dealers didn’t offer upgrades to SYNC 3, which had a better screen and allowed CarPlay or Android Auto to take over. Every so often, I’d open a bunch of browser tabs, pray that another SYNC 2 hater had a solution, then close them. Cars aren’t cruddy Android tablets; you can’t fix what you don’t like with some code tweaks.

The SYNC 3 system that was never supposed to be in my car.

Except one day, I did. You can probably hack your car, too. Unless we let car makers act like phone makers and put an end to it.

Allow me to explain.

Shenzhen WeChat friends and truck dudes with cables

After months of wistful searching, I found a SYNC 2-to-3 upgrade kit, at a merely semi-ludicrous price for a nine-year-old car. I paid $550 and sent my car’s VIN number. The seller sent a kit: a pre-programmed screen/computer unit (seemingly pulled from a scrapped car), replacement USB ports, cheap socket and Torx drivers, plastic prying tools, a weird cable, and a tiny CD. The instructions were confusing and poorly illustrated. But they also claimed that if anything went wrong, I could contact someone on WeChat, and, over a remote screen-sharing connection, they could reprogram my car from a Windows laptop. No big deal, right? 

The installation process for a Sync 3 upgrade kit in a 2012-2015 Ford Escape (exactly the same for my 2013 Ford C-Max). 

With the help of YouTube, the installation took one hour (I would rate the process “moderate” on the iFixit guide difficulty scale). My car computer, previously the dumbest, ugliest, slowest gadget I owned, can now navigate with Google Maps, play Spotify and podcasts, and actually read my messages out loud. When I hit the voice prompt switch on my steering wheel, Siri answers. Few people have ever been so excited to hear from Apple’s third-rate voice assistant as this former myFord Touch owner.

Image from an eBay listing for the ELS27 cable, showing off the chips that OBD/CAN pros are looking for.

As I was putting tools and parts away, I came across the ELS27 cable and tiny CD labeled “FORScan.” What was this stuff? I searched and found a remarkably low-tech homepage. On YouTube, I saw truck dudes excitedly holding up similar cables, and Windows 98-looking screenshots. There were compilations of the “Top 5 Mods” you could pull off. For the first time in my life, I—a lifelong auto agnostic—was excited at the prospect of messing with my car. At least the cables and code parts. 

FORScan can make your Ford accept a new SYNC 3 unit, sure. But FORScan can do a lot more: turn off annoying little honks, automatically fold your side mirrors when parking, keep your fog lights and high beams on simultaneously (“Bambi mode”), or show a constant tire pressure or engine temperature readout on your dashboard. Dealerships typically toggle options like these for different markets: rental fleets, Europe, police. Sometimes “luxury” features on higher-priced models or packages can be brought to the masses by changing a few variables.

Some of the results when you search “FORScan” in YouTube. Clockwise from top left: moostang09, Authentic Life, Ricardo’s Workshop, Focused Garage.

I asked my coworkers if they’d ever seen apps like FORScan. Arthur Shi, a teardown engineer, used the VCDS app to install a backup camera on his 2012 Jetta SportWagen. Volkswagen never offered a backup camera for Arthur’s 2012 SportWagen, but it did for a different sedan version, built on a similar platform. After installing an original Volkswagen camera and wiring it to his head unit, Arthur plugged in an OBD cable, loaded up VCDS, and changed a value or two in his car. The next time he put his car in reverse, the screen showed his rear video—unavailable car option, now available.

Car hacks are a deep, fun rabbit hole (I can’t even get into performance chip tuning, but it’s a related hobby). And they’re helpful: upgrading my C-Max’s console has likely put off new-car thoughts for some time. But as with most hacking, you might wonder about laws, and safety. Is this legal? How badly could a car hack go? And are car makers going to start clamping down on this?

How your car talks to itself (and how to argue with it)

If you know anything about your car’s data systems, you probably know about its OBD-II port. It allows you or any shop to see repair and emissions codes. iFixit CEO Kyle Wiens wrote recently about plugging a scanner into his Toyota Highlander Hybrid, searching the code, and installing a $9 spark plug to fix the “cylinder-two misfire error” that activated his Check Engine light. Kyle saw the same thing a repair shop would have seen, and saved a good bit of time and money.

The democratizing OBD port exists because the California Air Resources Board demanded it for new cars in 1991, to enforce emissions laws. The port is still useful because of a 2012 Massachusetts Right to Repair ballot initiative, which requires that crucial diagnostic data be available to any repair shop. Auto manufacturers eventually agreed to make this a national standard. Were it not for this universal data port and the Right to Repair initiative, car makers would have significantly boxed out third-party parts suppliers and repair shops by now.

An Arduino-based controller taking readings from the OBD-II port in a car. Via Flickr/lungstruck

The OBD-II port works by hooking into your car’s CAN bus, essentially its electronic nervous system. The bus connects all of the car’s electronic control units (ECUs), the nodes that measure and control things. Each node has data: engine temperature, cruise control speed, how far you’ve pressed the brake pedal down. These messages are all thrown onto the bus, passing through every single node in a circuit. Each node examines the message, determines if it’s important, then passes it back onto the network. It’s an old system, far behind modern networking tech. But it lets car makers hook up everything in your car with cheap, durable wire, in any pattern, rather than map out new networks for each car model.

FORScan, running through every module on my Ford C-Max, post-SYNC upgrade.

An OBD-II diagnostic tool requests a read-out from critical emissions and repair nodes. But lots of other non-regulated, car-specific data comes back, too: heated seat settings, tail light configurations, SYNC settings. Car makers sell expensive, proprietary tools and apps that can work with their cars’ data. You can technically buy these tools yourself, but you might not want to spend, for example, $900, unless you’re fixing up a lot of Fords.
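What such a read-out looks like on the wire, as an added example (not code from FORScan, VCDS or any other tool named here): it builds the request for engine coolant temperature and decodes a stored trouble code such as a cylinder-two misfire. It assumes a car using standard 11-bit OBD-II addressing over CAN; the function names are hypothetical and the sample frames are constructed.

```python
OBD_REQUEST_ID = 0x7DF               # functional (broadcast) request, 11-bit IDs
ECU_REPLY_IDS = range(0x7E8, 0x7F0)  # emissions ECUs reply on 0x7E8..0x7EF


def build_request(service, pid=None):
    """Return (can_id, 8-byte data) for a single-frame OBD-II request."""
    body = bytes([service]) if pid is None else bytes([service, pid])
    # First byte is the single-frame length; pad to 8 bytes (zeros assumed).
    return OBD_REQUEST_ID, (bytes([len(body)]) + body).ljust(8, b"\x00")


def parse_reply(can_id, data):
    """Check a single-frame reply and return its body (service byte first)."""
    if can_id not in ECU_REPLY_IDS or len(data) != 8:
        raise ValueError("not an 8-byte OBD-II reply frame")
    if data[0] >> 4 != 0 or not 1 <= data[0] <= 7:
        raise ValueError("not a single-frame reply (multi-frame not handled)")
    body = data[1:1 + data[0]]
    if body[0] == 0x7F:
        raise ValueError(f"ECU refused the request (code 0x{body[-1]:02X})")
    return body


def coolant_temp_c(body):
    """Service 0x01, PID 0x05: one data byte, offset by 40 degrees C."""
    if len(body) < 3 or body[:2] != b"\x41\x05":
        raise ValueError("not a coolant-temperature reply")
    return body[2] - 40


def decode_dtcs(body):
    """Service 0x03 reply on CAN: 0x43, a count, then two bytes per code."""
    if len(body) < 2 or body[0] != 0x43 or len(body) < 2 + 2 * body[1]:
        raise ValueError("not a complete stored-codes reply")
    codes = []
    for i in range(body[1]):
        hi, lo = body[2 + 2 * i], body[3 + 2 * i]
        # Top two bits pick the system letter; the rest are the digits.
        codes.append("PCBU"[hi >> 6] + f"{(hi >> 4) & 0x3}{hi & 0xF:X}{lo:02X}")
    return codes


# Constructed sample frames, not captured from a real car.
print(build_request(0x01, 0x05))
print(coolant_temp_c(parse_reply(0x7E8, bytes.fromhex("0341057B00000000"))))
print(decode_dtcs(parse_reply(0x7E8, bytes.fromhex("0443010302000000"))))
```

The car-specific settings the paragraph mentions (seat heaters, tail lights, SYNC) use manufacturer-defined requests that this example does not cover.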

The sub-$900 car programming solution 

That’s where FORScan, VCDS, and other third-party programming tools come in: they let you mess with all the stuff moving openly around your car’s CAN network with a Windows laptop and an OBD-to-USB cable.

YouTube channel At The Wheel’s VCDS introduction, “EVERY VW & AUDI OWNER SHOULD HAVE THIS!”

VCDS was launched in 2000 by founder Uwe Ross, an avid auto-crosser tired of taking his GTI to the dealer for fixes he could do himself. Ross bought Volkswagen’s official diagnostic tool, analyzed how it communicated with his car, and reverse-engineered his own app, said Santos Vega, North American marketing and sales manager for Ross-Tech. When someone wants to replace the throttle body on their Volkswagen, they don’t need to tow it to a dealership; they just need a USB-to-OBD cable. VCDS sells not only to enthusiasts and repair shops, but dealers, Vega said; some prefer its faster, leaner interface for non-warranty work.

Ross-Tech can openly sell VCDS from its office in Lansdale, Penn., because reverse engineering is generally legal under U.S. copyright laws. It helps that CAN is an old system, designed for quick, low-level communication between parts. There is almost no security on most nodes; it wouldn’t fit on CAN’s tiny data packets. As a result, there are similar diagnostic and programming apps and OBD rigs for most car models.
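The size problem behind "it wouldn’t fit," as an added example that is not any car maker's actual scheme: a generic layout that squeezes a truncated HMAC and a one-byte counter into a classic 8-byte CAN frame, with a receiver that rejects forged and replayed frames. The key, tag length and names are constructed for illustration.

```python
import hashlib
import hmac
import struct

CLASSIC_CAN_MAX = 8    # data bytes in a classic CAN frame
CAN_FD_MAX = 64        # data bytes in a CAN FD frame
FULL_TAG = hashlib.sha256().digest_size   # 32 bytes: four classic frames' worth
MAC_LEN = 3            # truncated tag length (constructed choice)
KEY = b"constructed-demo-key"   # placeholder shared key


def _tag(key, can_id, counter, signal):
    # Bind the tag to the frame ID and the full counter, not just the data.
    msg = struct.pack(">HI", can_id, counter) + signal
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(key, can_id, counter, signal, frame_max=CLASSIC_CAN_MAX):
    """Lay out signal | low counter byte | truncated tag in one frame."""
    data = signal + bytes([counter & 0xFF]) + _tag(key, can_id, counter, signal)
    if len(data) > frame_max:
        raise ValueError(f"{len(data)} bytes do not fit in {frame_max}")
    return data


class Receiver:
    """Accepts a frame only if its tag verifies under a fresh counter."""

    def __init__(self, key):
        self.key, self.last = key, {}

    def accept(self, can_id, data):
        if len(data) < MAC_LEN + 1:
            return None
        signal, low, tag = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        nxt = self.last.get(can_id, -1) + 1
        # Smallest counter >= nxt whose low byte matches the one on the wire.
        counter = nxt + ((low - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, signal)):
            return None
        self.last[can_id] = counter
        return signal
```

With these choices only four of the eight bytes are left for the signal itself, and the tag is just 24 bits; a full 32-byte tag only fits once the frame grows to CAN FD's 64 bytes.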

The more I learned about cars, CAN, and OBD tools, the more I was struck by the irony. In 2021, it’s easier to work with third-party parts and software in a highly regulated, 2,000-plus-pound car than it is in an iPhone.

The security/repair debate in your engine block

There is, of course, some danger in direct access to your car’s unprotected nervous system. This is especially true with the newest cars, which have wireless telematic systems connected to the CAN system. That’s how hackers can remotely kill a Jeep on the highway, use an insurance company’s “safe driving” OBD dongle to cut a Corvette’s brakes, or exploit ambulances through their fleet-monitoring GPS software.

Car makers like their wireless access, though, so some are working fast to secure their cars against remote attacks. In doing so, they’re also cutting off access to DIY automotive tweaks and fixes.

Fiat Chrysler Automobiles (FCA), an auto group that also includes Jeep, Dodge, Ram, and Alfa Romeo, installed an OBD gateway known as “SGW” on its cars starting in 2018. A third-party service, AutoAuth, can authorize repair techs working on FCA vehicles, but they must stay connected to online servers to do so. FCA says their gateway is about security, not restricting repair access. Even so, requiring fixers to check in online for every fix is a repair model rife with problems.

Volkswagen’s diagram of their new Vehicle Diagnostic Protection scheme, involving online tokens and regular online access.

One repair industry executive told a conference in January 2020 that he had heard of “at least two [other]” car makers moving toward an authorized-access model. Volkswagen may be one of them. Ross-Tech’s Vega said that the electric ID.4 is the first U.S. Volkswagen model with Vehicle Diagnostic Protection, requiring authentication from VW servers to alter nodes. Volkswagen (which did not return emails for comment) has seemingly not offered access to customers, or software like VCDS. As of July 2021, VCDS’s founder and its most fervent customers were trading anger, disbelief, and Right to Repair links in a long-running thread.


Eric Evenchick, a security researcher and noted CAN hacker, empathizes with both sides of the CAN conflict. He once helped a friend convert a Volkswagen microbus to electric power—first using forklift batteries, then the powertrain from a scrapped Nissan Leaf. Without free CAN access, that retrofit was impossible. At the same time, working as a consultant, he once showed a car manufacturer how sending just five data frames over CAN could wipe the firmware off an engine controller, rendering the car inoperable.

“‘Who is this trying to protect against?’ is a good question here,” Evenchick said. “Some of these measures are probably good-natured. I would like to buy and drive cars with some assurance that the firmware hasn’t been modified. … On the other hand, if this is just a way to sell a software subscription to heated seats, or more mileage, that’s something else entirely.”

The future of low-key hacking your car

Evenchick is not just guessing at the future. Heated seat “subscriptions” and other software-unlocked features are actual BMW products. Tesla (whose cars have five different CAN systems) has already rolled out cars that drive differently based solely on how much you’re willing to pay. The next generation of CAN, CAN FD, pushes a larger, more unwieldy amount of data around the car, and offers a “Secure CAN bus” for auto makers. That, combined with the rise of wireless telematic data and car control, makes the future of DIY car computer modification seem less exciting.

I asked Brian Lovelace, founder of NaviUpgrade and enthusiastic Ford-hack YouTuber, what he thought about the future of self-guided upgrades. Lovelace got into car hacking like I did—he wanted a better screen for his 2017 Ford Focus ST—but took it much, much further. He read wiring diagram books, learned how FORScan and SYNC and CAN worked. Now he sells DIY SYNC upgrades, and helps customers with everything, including the programming.

Lovelace has a Ford Bronco Badlands on order, but it won’t come until 2023, thanks to demand and global shortages. He’s read up on the SYNC 4 system inside, which is deeply tied to Ford’s wireless systems. It’s also just more work to figure out. SYNC 3 has roughly nine data blocks on its node, with 1-5 lines in each, Lovelace said. SYNC 4 has 30 to 40 blocks, 1-7 lines each. Still, Ford hasn’t put any locks on it yet, so there’s probably some fun to be had.

“That’s one of the things people like about Ford, they seem to be into the cool things people can do to their cars,” Lovelace said. “That could be changing, maybe with their electric lineup coming soon. But I think there’s a lot of possibilities.”

Evenchick thinks there’s a future for both secure cars and enthusiastic car modding. All it would take is a return to the principles that launched the original automotive Right to Repair movement.

“We want to secure all this, but we have to make good tools available to legitimate repairers,” he said. “But anybody can be a legitimate repairer.”