Security vendor Trend Micro has published research showing cars can be hacked with relative ease. The news may finally be the shock that wakes up the automotive industry and forces it to take security seriously. What is disturbing about this attack is that Trend Micro says there is nothing car manufacturers could do to prevent it.
In a blog by Federico Maggi, Senior Threat Researcher, Trend Micro, he says: “It is currently indefensible by modern car security technology, and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made. Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade.”
The full technical details can be found in a document entitled: “A Vulnerability in Modern Automotive Standards and How We Exploited It.” It is free to download no registration required.
What is the problem?
The problem lies with the Controller Area Network (CAN) standard. Developed in the 1980’s it was adopted as a standard in 1993. It acts as a central network for the car. With so much controlled by computer today everything uses the CAN. For years, the automotive industry has said this is a secure network but as previous attacks have shown, it is anything but.
In previous attacks, Maggi says manufacturers were able to patch the CAN to prevent future attacks. This time the attack exploits a fundamental capability that means the only real solution is a brand new CAN standard.
Devices on the CAN communicate using frames. When a message is unreadable an error message is sent telling other devices to ignore the device. If enough error messages are sent then the device is put into a Bus Off state where it is cut off from the CAN. This is done to protect other devices from the one that is malfunctioning.
Maggi points out that the effect of this is dangerous. It can force the antilock braking systems or airbags offline.
Is this a real threat?
That’s a good question and the answer is yes. A number of previous attacks have been dismissed as they rely on physical access to the diagnostics port inside the computer. In this case the attack can be launched remotely through any system connected to the CAN. All that is required is that the system can be remotely updated.
Many after market infotainment and even dealer installed high-end systems are designed to be remotely updated. The same is true of a lot of satnav solutions. Car manufacturers have also been looking at moving to wireless across a number of different systems. As some of these are designed to be updatable over the air by dealers, they are also a potential attack vector.
What can be done about it?
Maggi says that the best solution is to completely redesign and rewrite the CAN standard. This would only be effective for vehicles built after the standard is available. It is unlikely that it could be retrofitted to older vehicles.
He also suggests three other steps that can be taken to minimise exploits. These are:
- Network Segmentation or Topology Alteration: By altering the topology or segmenting a CAN in a vehicle, targeted error-flooding can be stopped from affecting a specific system.
- Regulated OBD-II Diagnostic Port Access: The creation of a special hardware key or password in order to open the case where the port is physically located may protect against illegal and unauthorized devices being introduced to the CAN. The implementation of a software-level authentication in order to allow traffic from and to the port can be considered as well. This would require a change in the regulations.
- Encryption: Encrypting CAN frame ID fields can prevent attackers from identifying CAN frames to target, and thus resulting in a noisier and much more detectable attack pattern.
What are other people saying about this?
As might be expected there is a lot of comment from the security industry about this research. However, there is a deafening silence from car manufacturers and regulators. With both the US and European regulators issuing reports on autonomous vehicles recently, both will want to revisit their advice. There is a clear need for tighter cybersecurity controls for vehicles and it will be interesting to see if this research results in a new CAN for autonomous vehicles.
Art Danhert, managing consultant at Synopsys said: “Even though the problem has been identified, resolving it will be a long time coming. There are many factors involved, including the large number of vehicle and component manufacturers as well as the technical difficulties in developing a solution for this type of problem. Not to mention the requirements to allow access by the aftermarket and third party repair establishments.
“You can’t bolt on security, it has to be built in from the beginning. A simple update will not fix the cars on the road today.”
What does this mean?
Once again we have a proven attack against car systems. Unlike previous attacks where the industry has generally chosen to dismiss the attacks it cannot sidestep this one. There is no quick and easy patch to be delivered. Instead, the industry needs to start addressing a fundamental security problem that it has consistently denied existed.
Should we all now worry about getting into and trusting our cars? No. That would be a ridiculous overreaction. However, when choosing an after market system ask if it does over the air updates. If so, it is worth asking what security is in place.
As we get closer to wider trials and licences for autonomous vehicles this is a serious warning. There is nothing wrong with regulators and the industry taking a little time out to deliver a new CAN standard and use that as the basis for all autonomous vehicles. Sadly, that is unlikely to happen as the automotive industry will continue to live in denial.