From Garage to Grid: How Cybersecurity Experts Turned a Renault Clio into a Video Game Controller
In an era where vehicles are becoming increasingly connected computers on wheels, the field of automotive cybersecurity is rapidly evolving. Understanding how these complex systems communicate and operate is crucial for both security researchers and future professionals. Demonstrating these concepts in a practical, engaging way can be challenging, but one UK-based cybersecurity firm found a novel solution: turning an actual car into a video game controller.
Pen Test Partners (PTP), known for their deep dives into the security of various connected devices, took on a project that sounds like something out of a gamer's dream or a hacker's playground. Their goal was to transform a standard 2016 Renault Clio into a fully functional controller for SuperTuxKart, a popular open-source racing game akin to Mario Kart. This wasn't just a whimsical pursuit; it was a hands-on educational exercise designed to demystify the intricacies of automotive data systems, specifically the Controller Area Network (CAN) bus.
The Heart of the Machine: Understanding the CAN Bus
Modern vehicles are intricate networks of electronic control units (ECUs). These small, embedded computers manage everything from engine performance and braking systems to infotainment and power windows. For these ECUs to communicate reliably and efficiently, manufacturers rely on in-vehicle network protocols. The most prevalent of these is the Controller Area Network, or CAN bus.
Developed in the 1980s by Bosch, the CAN bus was designed to allow microcontrollers and devices to communicate with each other in applications without a host computer. It's a message-based protocol, meaning that instead of sending data directly from one point to another, ECUs broadcast messages onto the bus. Any other ECU on the network can receive and process these messages if they are relevant.
Key characteristics of the CAN bus include:
- Broadcast Communication: Messages are sent to all nodes on the bus.
- Message Prioritization: Messages have an arbitration ID, with lower IDs having higher priority, ensuring critical functions like braking or steering take precedence.
- Robustness: Designed for noisy environments like vehicles, with error detection and fault tolerance mechanisms.
- Real-time Capability: Suitable for applications requiring timely data exchange.
Data transmitted over the CAN bus includes crucial operational information: wheel speed, engine RPM, steering wheel angle, brake pedal position, and much more. For anyone looking to understand or test the security of a vehicle's internal systems, gaining access to and interpreting this CAN data is a fundamental first step. The PTP team recognized that manipulating these signals to control a video game could provide a tangible, engaging demonstration of this process.
Why Automotive Cybersecurity is More Critical Than Ever
As cars become more connected, automated, and reliant on complex software, they also become potential targets for cyberattacks. Vulnerabilities in vehicle systems could lead to serious consequences, ranging from privacy breaches (tracking location data) to safety hazards (remotely controlling critical functions like steering or braking) or even theft.
Security research in this domain is vital for identifying potential weaknesses before malicious actors exploit them. Projects like PTP's Clio controller serve multiple purposes:
- Education: Providing hands-on experience with real-world automotive systems for aspiring cybersecurity professionals.
- Awareness: Highlighting the fact that vehicle controls are increasingly mediated by digital signals that can potentially be intercepted or manipulated.
- Tool Development: Driving the creation and refinement of tools and techniques for analyzing and interacting with CAN data.
Understanding how data flows within a vehicle, how to tap into the CAN bus, and how to decode the proprietary messages is foundational knowledge for automotive security researchers. The Renault Clio project offered a unique, gamified approach to acquiring these skills.
The automotive industry is increasingly focused on securing these complex systems. Companies are investing in intrusion detection systems, secure boot processes, and over-the-air (OTA) update mechanisms. However, the attack surface continues to grow with the addition of more features, connectivity options (Wi-Fi, Bluetooth, cellular), and integration with external services. Research projects, even those with a seemingly 'silly' premise like a car controller, contribute valuable insights into the practicalities of interacting with these systems.
The Project Genesis: A Renault Clio's Second Life
Pen Test Partners maintains an in-house vehicle specifically for automotive security research. Their chosen platform was a 2016 Renault Clio, acquired from a local dealership. This particular model provided a representative example of modern vehicle architecture and its associated CAN bus systems.
The initial idea, as described by the team, was somewhat whimsical – to create a more immersive racing simulator experience by using a real car. However, beneath the fun concept lay a serious educational objective: to provide a practical demonstration of how CAN data works and how it can be accessed and interpreted. For students and professionals new to automotive security, the abstract concept of data packets flying across a vehicle network can be difficult to grasp. Connecting physical actions (turning the wheel, pressing pedals) in a real car to in-game actions provides a powerful, intuitive learning experience.
The project required a blend of hardware hacking, software development, and diligent reverse engineering. The team needed to physically interface with the car's CAN bus, capture the data being transmitted, decode the meaning of specific messages, and then translate those messages into inputs for the SuperTuxKart game running on a computer.
The Technical Deep Dive: Tapping into the CAN Bus
The first critical step was gaining access to the CAN bus itself. In most vehicles, the CAN bus is accessible via the On-Board Diagnostics (OBD-II) port, typically located under the dashboard. However, for more granular access or to tap into specific segments of the network, researchers might need to physically connect to the CAN wires elsewhere in the vehicle.
Resident hardware hacker David Lodge opted for a direct approach, using a simple wire splicer to tap into the relevant CAN wires within the Clio. This allowed him to intercept the raw data signals being transmitted across the network.
Once connected, the challenge shifted to decoding the data. Unlike standardized protocols, the specific messages and their meanings on a vehicle's CAN bus are often proprietary to the manufacturer and even the specific model and year. This requires a process of reverse engineering.
Lodge utilized a combination of techniques:
- **Tooling:** Using a CAN interface device, such as a Kvaser Leaf Pro, to connect the car's CAN bus to a computer and capture the raw data packets.
- **Open Source Resources:** Consulting open-source databases and tools developed by the automotive hacking community that contain information about known CAN message IDs and data structures for various vehicle models.
- **Trial and Error:** This is often the most time-consuming part. By performing specific actions in the car (e.g., turning the steering wheel, pressing the brake pedal, pressing the accelerator) and observing which CAN messages appear on the bus, researchers can correlate specific data packets with specific vehicle functions.
As Lodge explained, a standard CAN packet is relatively small, consisting of an 11-bit arbitration ID and up to 8 bytes (octets) of data. The arbitration ID determines the message's priority and often indicates the type of data it contains. The data bytes carry the actual information, such as a sensor reading or a command. Deciphering the exact meaning of the bits within these bytes for a specific function requires patience and detailed analysis.
Lodge noted that some CAN database formats prefer to treat the data as a stream of bits, whereas he found it easier to think in octets. This highlights the different approaches researchers might take when tackling this kind of data analysis.
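The trial-and-error correlation described above can be partly automated by comparing an idle capture with one taken while a single control is operated. The following is an added example, not Pen Test Partners' code: the candump-style log lines, arbitration IDs and payloads are constructed for illustration and are not the Clio's real values.

```python
import re
from collections import defaultdict

# Constructed candump-style captures "(time) iface ID#HEXDATA"; IDs and payloads are invented.
BASELINE = """\
(0.000) can0 0C6#7FF0
(0.005) can0 1F6#00
(0.010) can0 352#00
(0.020) can0 0C6#7FF1
(0.025) can0 1F6#01
(0.030) can0 352#00
"""
ACTION = """\
(1.000) can0 0C6#7FF1
(1.005) can0 1F6#01
(1.010) can0 352#1A
(1.020) can0 0C6#7FF0
(1.025) can0 1F6#00
(1.030) can0 352#3C
(1.040) can0 352#58
"""
# Classic frame: 3 hex digits of ID (checked against 11 bits below) and 0 to 8 data octets.
FRAME = re.compile(r"\([\d.]+\)\s+\S+\s+([0-9A-Fa-f]{3})#((?:[0-9A-Fa-f]{2}){0,8})$")

def parse(log):
    """Yield (arbitration_id, payload) per well-formed line; skip everything else."""
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m and int(m[1], 16) <= 0x7FF:   # drop malformed lines and IDs wider than 11 bits
            yield int(m[1], 16), bytes.fromhex(m[2])

def distinct_values(log):
    """Map (arbitration_id, octet_index) to the set of values that octet took."""
    seen = defaultdict(set)
    for can_id, data in parse(log):
        for i, value in enumerate(data):
            seen[(can_id, i)].add(value)
    return seen

def candidates(baseline, action):
    """Rank octets by how many values they took during the action that never appeared idle."""
    idle, active = distinct_values(baseline), distinct_values(action)
    hits = [(cid, i, len(vals - idle.get((cid, i), set())))
            for (cid, i), vals in active.items()]
    return sorted((h for h in hits if h[2]), key=lambda h: -h[2])
```

Octets that merely jitter or count (here `0C6` and `1F6`) drop out because their values already appear in the idle capture; a baseline that is too short will let rolling counters and checksums through as false candidates.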
Mapping Controls to SuperTuxKart
With the ability to capture and decode the CAN data corresponding to the Clio's controls, the next step was to translate these signals into inputs that SuperTuxKart could understand. The team decided to use Python for this task, leveraging its versatility and extensive libraries.
Initially, the approach involved mapping CAN signals directly to simulated keyboard presses or joystick inputs. For example, detecting a certain CAN message indicating the brake pedal was pressed would trigger a 'brake' command in the game.
However, this simple mapping proved problematic, particularly for steering. A real steering wheel provides continuous input, whereas simulating button presses (left/right) results in jerky, delayed movements in the game. As the wheel was turned, it generated a rapid-fire stream of 'left' or 'right' signals, overwhelming the simple input device approach and leading to poor responsiveness in SuperTuxKart.
To address this, Lodge re-architected the system. Instead of directly injecting key presses, the Python script was designed to update a 'state machine' based on the incoming CAN data. This state machine would maintain the current state of the controls (e.g., how much the wheel is turned, whether the brake is pressed) and provide a smoother, more responsive input to the game.
Braking and acceleration were relatively straightforward to map, as they function more like on/off switches or have a clear range of values that could be translated to game inputs. Steering, however, presented unique challenges.
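A sketch of the state-holding design described above, in which incoming frames only update the stored control positions and the game reads them at its own pace. This is an added example, not the team's script: the arbitration IDs, byte layouts, centre value, dead zone and full-lock range are all hypothetical, with the small full-lock range standing in for the steering threshold the team used to spare the tyres.

```python
from dataclasses import dataclass

# Hypothetical layout for illustration; the page does not give the Clio's real IDs or encodings.
STEER_ID, BRAKE_ID, THROTTLE_ID = 0x0C6, 0x352, 0x186
STEER_CENTRE = 0x8000    # assumed raw value with the wheel straight
STEER_FULL_LOCK = 200    # assumed raw counts that map to full in-game lock (deliberately small)
DEADZONE = 10            # assumed raw counts of jitter ignored around centre

@dataclass
class Controls:
    steer: float = 0.0     # -1.0 (full left) to +1.0 (full right)
    brake: bool = False
    throttle: float = 0.0  # 0.0 to 1.0

class ControlState:
    """Keeps the latest control positions; the game loop polls snapshot() once per tick."""
    def __init__(self):
        self.controls = Controls()

    def on_frame(self, can_id: int, data: bytes) -> None:
        if can_id == STEER_ID and len(data) >= 2:
            offset = int.from_bytes(data[:2], "big") - STEER_CENTRE
            if abs(offset) < DEADZONE:
                offset = 0
            self.controls.steer = max(-1.0, min(1.0, offset / STEER_FULL_LOCK))
        elif can_id == BRAKE_ID and len(data) >= 1:
            self.controls.brake = data[0] > 0
        elif can_id == THROTTLE_ID and len(data) >= 1:
            self.controls.throttle = data[0] / 0xFF
        # Unknown IDs and truncated frames leave the state untouched.

    def snapshot(self) -> Controls:
        return Controls(**vars(self.controls))

def replay(frames):
    """Feed a sequence of (arbitration_id, payload) pairs and return the resulting state."""
    state = ControlState()
    for can_id, data in frames:
        state.on_frame(can_id, data)
    return state.snapshot()

# Constructed burst: several steering frames arrive between two game ticks, plus an
# unrelated ID and a truncated steering frame; only the last valid value per control survives.
BURST = [(STEER_ID, bytes.fromhex("8010")), (STEER_ID, bytes.fromhex("8040")),
         (BRAKE_ID, b"\x3c"), (STEER_ID, bytes.fromhex("8064")),
         (0x5DE, b"\x00"), (STEER_ID, b"\x80")]
```

Because the game sees one steering value per tick instead of one key press per frame, the burst of steering messages no longer floods the input path.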
Overcoming the Obstacles
Beyond the technical hurdles of decoding CAN data and mapping controls, the team faced practical challenges inherent in using a real car as a stationary controller.
- **Steering Sensitivity:** With the car stationary, turning the wheel significantly would cause excessive wear on the tires. The team had to set a small steering threshold, meaning only slight movements of the real steering wheel were needed to achieve full turning in the game. This compromised the realism slightly but protected the car's tires.
- **Non-CAN Controls:** Not every button or function in a car communicates over the main CAN bus. Lodge had hoped to map the Clio's horn to trigger in-game items like bananas or speed boosts, but found that the horn button did not transmit signals via CAN data. This highlighted that accessing *all* vehicle functions might require tapping into different networks or systems within the car.
- **Speedometer Mapping:** Due to project deadlines, the team didn't integrate the car's speedometer into the game display. However, Lodge noted that this would be possible with more time by sending messages back to the Clio's instrument cluster, demonstrating the bidirectional nature of CAN communication and the potential to not just read data but also inject messages.
- **Vehicle Power Management:** Cars are designed to shut down systems, including the engine, when stationary for a period to save battery. The Clio's engine would automatically switch off after five minutes, interrupting the game session. The team had to manage this, likely by restarting the car or finding ways to keep the necessary systems active.
- **System Stability:** Integrating multiple systems – the car's ECUs, the CAN interface, the Python script, and the game – inevitably led to occasional system crashes that needed troubleshooting.
Despite these challenges, the PTP team successfully got the setup working well enough for demonstrations. A video showcasing the project briefly illustrates the unique experience of controlling a racing game from the driver's seat of a real car.
Broader Implications and Educational Value
While the project's immediate outcome was a fun, albeit slightly unwieldy, racing simulator, its significance extends far beyond gaming. The process undertaken by Pen Test Partners provides a clear, practical illustration of fundamental concepts in automotive cybersecurity:
- **CAN Bus Interaction:** Demonstrating how to tap into, read, and interpret data from the vehicle's primary communication network.
- **Reverse Engineering:** Showing the necessity of decoding proprietary messages when documentation is unavailable.
- **Data Manipulation:** Illustrating how captured data can be used and translated for external applications.
- **System Integration:** Highlighting the complexities of interfacing disparate hardware and software systems.
For individuals looking to enter the field of automotive security, projects like this offer invaluable hands-on experience that complements theoretical knowledge. It moves the concepts from abstract diagrams to tangible interactions with real vehicle hardware.
Moreover, the project serves as a reminder of the potential vulnerabilities present in modern vehicles. If researchers can tap into the CAN bus and control fundamental functions like steering and braking (even in a game context), it underscores the importance of robust security measures to prevent unauthorized access and manipulation by malicious actors. As vehicles become increasingly connected and potentially autonomous, the integrity and security of their internal networks will be paramount.
The future of automotive technology involves even more complex communication, including Vehicle-to-Everything (V2X) systems that allow cars to communicate with infrastructure, other vehicles, and even pedestrians. Securing these communication channels and the internal systems they interact with is a grand challenge for the industry. Practical research and educational projects like the Renault Clio controller contribute to building the necessary expertise to meet this challenge.
The project also touches upon the growing intersection of physical systems and the digital world. Controlling a physical object (a car's steering wheel and pedals) to influence a digital environment (a video game) is a clear example of this convergence. Understanding the security implications of this convergence is crucial across various industries, from automotive to industrial control systems.
Conclusion
Pen Test Partners' project to turn a Renault Clio into a SuperTuxKart controller is a creative and effective demonstration of automotive cybersecurity principles. By successfully intercepting and interpreting CAN bus data to control a video game, the team provided a tangible example of how vehicle systems communicate and how these communications can be accessed and manipulated.
Beyond the novelty of playing a racing game with a real car, the project serves as a valuable educational tool, offering aspiring security professionals hands-on insight into working with automotive data. It also highlights the critical importance of ongoing research and development in vehicle cybersecurity to ensure the safety and security of increasingly complex and connected automobiles on our roads.
The challenges encountered, from decoding proprietary data to managing the car's power systems, underscore the complexities inherent in automotive security research. Yet, the successful outcome demonstrates that with persistence and technical skill, it is indeed possible to bridge the gap between the physical controls of a car and the digital world of a video game, all while shedding light on the fascinating and vital field of vehicle cybersecurity.
This project stands as a testament to the ingenuity of security researchers and their ability to find engaging ways to explore and explain complex technical concepts. It transforms the abstract idea of 'car hacking' into a concrete, albeit unconventional, demonstration that resonates with anyone who has ever played a racing game or wondered what goes on beneath the surface of their vehicle's electronic systems.