Practically since the invention of the automobile, people have been customizing their vehicles. From the fade-away fenders of the 1930s, to the hot rods and muscle cars of the 1950s and 1970s, and on to the "Pimp My Ride" era of the 2000s, people have always expressed their individualism through their cars.

Now that computers are literally driving automobiles, programmers have gotten in on the action. People like Craig Smith, founder of OpenGarages, are working to support open source car hacking tools that both help automobile enthusiasts fine-tune their cars and contribute to the overall security of modern vehicles.

Smith has long been an advocate for open standards and was an early Linux adopter. He's written multiple Linux kernel modules for his own use (personally or for his employer), but he's focused his public contributions at the "application level around security or game development."

He founded OpenGarages to openly share information on how vehicles work. In years past, automakers published operations manuals that told you everything you needed to know about a car—even detailed wiring diagrams to show you how the car worked. Now, much of this information is proprietary, available only from third-party suppliers for $25,000 to $50,000 per definition file, Smith says, which prices most local mechanics and hobbyists out of the market.

He became interested in automotive security research about eight years ago, when he was commuting about four hours a day to work. He had no need for the navigation functionality on his 2009 Honda Civic Hybrid, since he was stuck on the same roads, in the same traffic, day after day. He decided to reverse-engineer the car's in-vehicle infotainment (IVI) system to play music videos instead.

"Not very mature, or all that safe, but a fun project," he says. "I managed to get code execution on the radio unit, then realized that the processor and ancient Windows CE operating system running on a Hitachi SH4 (think Dreamcast) would be a LOT to ask." He published his hack on his local hackerspace's wiki, which drew the attention of Battelle, a science and technology research organization working on vehicle cybersecurity.

At Battelle's invitation, Smith participated in an automotive cybersecurity hackathon it sponsors. The hackathon generated several interesting findings, which were all protected under a non-disclosure agreement. "I loved the event … but I saw a huge flaw in the fact that it wasn't public," he says.

"So I started OpenGarages.org as a way to do something similar without those pesky NDAs getting in the way. I expected it to be a security meetup like 2600, but with a focus on cars." Smith was surprised when most of the people who came to the first meeting were mechanics and performance tuners. "That's when I realized this was a much bigger problem than just security. Mechanics and performance tuners needed the knowledge of the vehicles ... just to do their daily jobs."

I started OpenGarages.org as a way to do something similar without those pesky NDAs getting in the way.

When mechanics tried to share what they'd learned about the cars they worked on, he says they often would face cease and desist letters. "And, since they technically make money on that information, they would often stop sharing, rather than risk their business," he explains. "However, security and open source people don't have that restriction. There was a great benefit to having mechanics show us software people how and why cars work the way they do, and we could show them how to read the bits and bytes."

Going forward, Smith sees a big opportunity for projects like OpenGarage, Automotive Grade Linux, and the GENIVI Alliance. "I think that infotainment units (IVIs) are what a lot of consumers are most annoyed with. These IVI systems cost around $1,300 from the factory, but if you ever need to go somewhere, what do you do? You strap on a $300 cellphone and bring up your map app," Smith says.

"A lot of consumer complaints could be rectified by allowing them [to choose] options with the IVI. If it had an open standard interface, you could install the apps you want, change and customize the look, and really make it what you want it to be. The IVI is the most obvious computer component in a vehicle, and we should just treat it as one."

The IVI is the most obvious computer component in a vehicle, and we should just treat it as one.

How to get involved

And there's a bigger potential issue with the proprietary IVI systems. From a security perspective, Smith expplains, IVI systems have the largest attack surface, whereas an open system makes it much easier to review both code quality and security because all of the code is vetted, fixed, and improved by the community.

If you'd like to get involved with the open source automotive software community, Smith recommends The Car Hacker's Handbook (which is also available for download under the Creative Commons License). He also suggests visiting OpenGarages.org to learn how OpenGarages work and to find a local garage or meetup.

Ultimately, Smith says, projects like OpenGarages serve to assist repairs, hobbyists, innovators, artists, and security researchers. "It's a crucial part of the ecosystem," he says.