October 09, 2019
Tesla Hacking – A Technical Spotlight
My name is Kenny and I am a Technical Solutions Consultant at Filament! I work with Filament’s customers to connect their vehicles to new ecosystems using trusted hardware. Getting vehicle data off the CAN bus while keeping both the vehicle and CAN bus secure is more challenging than people think. Ultimately, Filament is betting that companies will use a platform solution like the one we’re building to solve these problems.
As part of Filament’s solutions team, I’m currently working with several automaker customers to build applications which transact value based on a vehicle’s usage. This is different from traditional billing models which are built on time based measurements (for example a week long rental) vs. measurable vehicle data, such as miles recorded by the vehicle.
In order to develop a trusted ecosystem built on vehicle usage, Filament needs to be able to securely measure and record vehicle data for future audits while adhering to consumer data privacy regulations.
In the past, the OBD-II port has been used as a diagnostic tool to ensure regulatory compliance around carbon emissions. Today, OBD-II ports are more relevant for their usage with telematic solutions, especially for fleet management as they are typically the easiest place to access the vehicle CAN bus. As fleets explore switching from combustion to electric vehicles, they’re discovering that many of their telematics devices aren’t compatible with new EVs. We had to find another way to get at that information.
Let me explain how I was able to extract vehicle data from a Tesla Model S and Tesla Model X for use in a distributed ledger.
The first thing I did was review what the Tesla owners’ community had already found. We learned that our best bet for accessing vehicle data was getting to a hidden CAN bus. The vehicle CAN bus is essential a network of microcontrollers communicating in a somewhat organized fashion. Some vehicles, including the Tesla Model S and Tesla Model X, have multiple networks. In order to access this data, we will need to access the real CAN bus.
We used a custom harness to access the CAN bus like so:
After installation of a custom harness and CAN bus sniffer (essentially a CAN to serial converter), we were able to read some messages!
Sometimes reading CAN bus messages feels like this:
There are several pieces of data on the Tesla CAN bus (battery related fields, RPM, HVAC information). Each node on the network carries a unique parameter ID.
We configured our CAN bus sniffer to narrow by parameter ID and output in hexadecimal and we were able to isolate a few of the EV parameters we were looking for which output in a more orderly fashion, like this:
After some data manipulation, we can calculate the battery’s State of Charge. Now that we have decoded the appropriate parameters we are looking for, we can begin developing an audit trail.
So that’s how we got car data off of a Tesla. We’re able to take this CAN bus vehicle data, attest it to the Blocklet ledger, and make the vehicle a secure economic actor in its own ecosystem. I’m looking forward to sharing more about what we’ve been able to accomplish with Blocklet Mobility Platform next time – and how our work translates to increased residual values and usage-based payments for vehicles.