By on May 15, 2010


Most car enthusiasts bemoan the rise of electronic systems in automobiles because they create a layer of interference between ourselves and the direct, mechanical control of our cars. Sure, electronic controls are cheaper, lighter and allow for easier diagnostics, but they rob automobiles of the elemental simplicity which is so often fundamental to their appeal. And, as a study by researchers from the Universities of Washington and San Diego [in PDF format here, via ArsTechnica] shows, the various electronic systems in your car actually make it vulnerable to hackers who could disable key systems remotely. Titled Experimental Security Analysis of a Modern Automobile, the study explains that the electronic complexity of modern cars actually leaves them extremely vulnerable to all kinds of attack, raising serious concerns about how safe we really are in our cars (especially if we happen to have an enemy or two).

The study focused on accessing on-board computers via the federally mandated OBD-II on-board-diagnostics port, and the study shows that physical access to this port for even a brief period is sufficient to upload “malware” programs, which could compromise on-board systems. Physical access could also be granted by installing something as innocuous as an aftermarket stereo system embedded with malware. And though it’s easy enough for anyone to access these ports or install malware-infected components, there need not even be a physical link to the car to compromise its safety and privacy.

The other vector is via the numerous wireless interfaces implemented in the modern automobile. In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet.

Through these vectors to the OBD-II port, researchers were able to access the Controller Area Network bus, a protocol standard to all new vehicles sold in the US after 2008. The researchers developed “CAR SHARK,” a “custom CAN bus analyzer and packet injection tool,” and were able to identify several serious security issues with the protocol.

Broadcast Nature. Since CAN packets are both physically and logically broadcast to all nodes, a malicious component on the network can easily snoop on all communications or send packets to any other node on the network. CAR SHARK leverages this property, allowing us to observe and reverse-engineer packets, as well as to inject new packets to induce various actions.

Fragility to DoS. The CAN protocol is extremely vulnerable to denial-of-service attacks. In addition to simple packet flooding attacks, CAN’s priority-based arbitration scheme allows a node to assert a “dominant” state on the bus indefinitely and cause all other CAN nodes to back off. While most controllers have logic to avoid accidentally breaking the network this way, adversarially-controlled hardware would not need to exercise such precautions.

No Authenticator Fields. CAN packets contain no authenticator fields — or even any source identifier fields — meaning that any component can indistinguishably send a packet to any other component. This means that any single compromised component can be used to control all of the other components on that bus, provided those components themselves do not implement defenses; we consider the security of individual components in Section V.

Weak Access Control. The protocol standards for our car specify a challenge-response sequence to protect ECUs against certain actions without authorization… Under the hood, ECUs are supposed to use a fixed challenge (seed) for each of these challenge-response pairs; the corresponding responses (keys) are also fixed and stored in these ECUs. The motivation for using fixed seeds and keys is to avoid storing the challenge-response algorithm in the ECU firmware itself (since that firmware could be read out if an external flash chip is used). Indeed, the associated reference standard states “under no circumstances shall the encryption algorithm ever reside in the node.” (The tester, however, does have the algorithm and uses it to compute the key.) Different ECUs should have different seeds and keys… Furthermore, as described in the protocol standards, the challenges (seeds) and responses (keys) are both just 16 bits. Because the ECUs are required to allow a key attempt every 10 seconds, an attacker could crack one ECU key in a little over seven and a half days. Given the weaknesses with the CAN access control sequence, the role of “tester” is effectively open to any node on the bus and thus to any attacker.
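The “No Authenticator Fields” weakness quoted above, seen from the defender's side: the following is an added example (not code from the paper or from this article) of what a receiver gains when each frame carries a truncated MAC and a freshness counter. The payload layout, the key, the CAN ID 0x2F1 and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed layout for one 8-byte classic CAN payload (illustrative, not a standard's wire format):
#   bytes 0-2  application data
#   byte  3    low 8 bits of a per-ID message counter (freshness)
#   bytes 4-7  HMAC-SHA256 truncated to 32 bits
DATA_LEN, TAG_LEN, WINDOW = 3, 4, 32


def tag_for(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """MAC over the ID, the full counter and the data, so none can be swapped."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data: bytes) -> bytes:
        if len(data) != DATA_LEN:
            raise ValueError("payload layout leaves exactly 3 data bytes")
        self.counter += 1
        tag = tag_for(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, can_id: int, payload: bytes) -> bool:
        if can_id != self.can_id or len(payload) != DATA_LEN + 1 + TAG_LEN:
            return False
        data, low, tag = payload[:DATA_LEN], payload[DATA_LEN], payload[DATA_LEN + 1:]
        # Rebuild the full counter from its low byte; it must move forward,
        # and by no more than WINDOW, so old frames cannot be replayed.
        delta = (low - self.last) & 0xFF
        if delta == 0 or delta > WINDOW:
            return False
        counter = self.last + delta
        if not hmac.compare_digest(tag, tag_for(self.key, can_id, counter, data)):
            return False
        self.last = counter
        return True


def demo() -> dict:
    key = bytes(range(16))          # constructed demo key, provisioned to both nodes
    can_id = 0x2F1                  # constructed arbitration ID
    tx, rx = Sender(key, can_id), Receiver(key, can_id)
    results = {}
    first = tx.build(b"\x01\x00\x00")
    results["genuine"] = rx.accept(can_id, first)
    results["replayed"] = rx.accept(can_id, first)
    # A node without the key can copy the layout but not compute the tag.
    results["forged"] = rx.accept(can_id, b"\x01\x00\x00\x02" + bytes(TAG_LEN))
    second = tx.build(b"\x00\x00\x00")
    # A captured frame re-sent with different data but the original counter and tag.
    results["tampered"] = rx.accept(can_id, b"\x01" + second[1:])
    results["next_genuine"] = rx.accept(can_id, second)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:13s} accepted={accepted}")
```

This layout spends five of the eight payload bytes on freshness and the tag and requires a shared key in every participating node, which is the cost side of authenticating frames on a bus designed without it.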

Moreover, numerous failsafes were easily evaded. Researchers were able to remove all CAN communications from the ECU while the vehicle was moving, and even reflashed the ECU while the vehicle was moving. Moreover, experimenters were able to remove a vehicle’s entire telematics memory, including their keys without authentication, and even cause a car’s Device Control system to disable key components like brakes. And if it seems like any of these attacks would require a deep and intimate knowledge of the inner workings of our cars’ electronic brains, think again.

Much to our surprise, significant attacks do not require a complete understanding or reverse-engineering of even a single component of the car. In fact, because the range of valid CAN packets is rather small, significant damage can be done by simple fuzzing of packets (i.e., iterative testing of random or partially random packets). Indeed, for attackers seeking indiscriminate disruption, fuzzing is an effective attack by itself. (Unlike traditional uses of fuzzing, we use fuzzing to aid in the reverse engineering of functionality.)

By now, your eyes have either glazed over with boredom, or you’re just starting to get interested. For those in the latter category, we suggest checking out the full 16-page report [in PDF format here], and taking a shot at explaining some of this information in a less technical manner.


37 Comments on “Could Someone Hack Into Your Car?...”


  • avatar
    Brian E

    I had a quick read over the paper. It’s another theoretical vulnerability which generates a lot of heat and noise, but I won’t be kept up nights about this. There simply isn’t much of an incentive for anyone to be messing around with my car this way, and those with access to my car could just as easily put water in the gas tank or do something else that destroyed the car if they wanted to.

    I think the bigger concern here is that these problems can also turn into safety or quality issues. Software is not defect free and if key systems on the CAN bus crash when parsing malformed packets (as demonstrated by their fuzzing tool), then a buggy or damaged node could cause safety-critical systems to fail. I would be more interested in hearing about this type of potential problem than about how someone with physical access could pointlessly “hack” my car.

  • avatar
    stationwagon

    I have yet to buy a new car, but isn’t one thing you can do is disconnect or take out the fuse of wireless hardware such as Onstar, or cover the antennas in foil, though it would look goofy, or maybe Onstar has a special antenna in the boot or under the hood. I don’t own a vehicle with bluetooth or sat-nav or wi-fi, so I have nothing to worry about. I want a really simple car that is RWD like Richard Hammond’s kadett a in the Botswana special.

    • 0 avatar
      Robert.Walter

      That car is a ca. 1962 Opel Kadett that then Hamster named Oliver.

    • 0 avatar
      Brian E

      Those measures are not worth taking any more than it would be worth putting bars over all the windows on my house and reinforcing the doors because someone might get in. There’s also a much bigger incentive to get in to my house (namely to steal my possessions) than to mess with my car from the inside (???).

      Oliver is also much more “insecure” than a modern car unless you are willing to discount the advantages of integrated security systems. And even those fall prey to physical manipulation, wit. the “bump” technique on the previous generation Mazda3.

    • 0 avatar
      stationwagon

      @ Brian E
      it is not really about security it is about privacy. I’ll admit I’m a little paranoid. Plus the simpler the better.

  • avatar
    Robert.Walter

    I think the bigger issue here is the possibility of individuals to hack their own cars … as the chassis-control systems become ever more sophisticated and prevalent, this is bound to happen.

    Just as people have hacked their engine-ECUs via chip-tuning, others will hack the chassis and stability controls in an effort to get unique or enhanced functionality (including brakes and electric steering) and when done poorly these systems will become instable and failure prone.

    • 0 avatar
      Brian E

      How is that a bigger issue than individuals poorly modifying their own cars mechanically?

    • 0 avatar
      Robert.Walter

      Self-steering for example, when an EPAS system decides to do its own thing. (Although this failure mode may be the mechatronic equivalent of a steering shaft, or suspension failure, leading to loss of directional control, it is still an added source of failure due to potential interference on the e.g. CAN-BUS.)

    • 0 avatar

      The question still stands though. Look how many trucks drive around with hydroboost.

  • avatar
    PeriSoft

    Given that these hacks should allow us unprecedented control over our cars’ performance, shouldn’t we be excited? Being able to reprogram your active suspension / esc will make old-school hotrodding seem downright restrictive!

    • 0 avatar
      tced2

      As an engineer who has designed, programmed, developed embedded systems – these systems are typically optimized to a great degree. And often outside (reverse engineering folks) don’t understand some of the issues. Yes, a hacker could change some characteristics of the suspension, but will they know completely the effects? and will the changes be safe? Will changing the suspension settings cause issues with the (anti-lock) braking? Embedded systems usually have processors that are very closely specified to handle just the load of the job and extra software will change responsiveness of service routines – hence change their effectiveness.

  • avatar
    tced2

    I have read that Ford is encouraging the writing of “apps” for their Sync system. This is one way that programs can enter these systems without a wireless connection (wi-fi, bluetooth). Think of how many auto entertainment systems have a USB jack. (Hidden) programs on the USB memory can move into the entertainment system. The path from the entertainment system to the control systems is more unclear. CAN apparently is designed to operate in a closed, trusted environment and therefore the packets are assumed to be authentic. Are we going to have each power door lock “authenticate” each command packet? – or maybe just the safety systems?

    • 0 avatar
      mcs

      (Hidden) programs on the USB memory can move into the entertainment system

      How would that happen? It’s not going to move on its own. By plugging in a USB drive and reading a music file, how would the malicious program execute? Unless there is code in sync which tells it to scan the USB drive and execute any hidden programs it finds, it’s not going to happen. My phone does have a mode that you can set it into to have it execute a particular named program on its memory card, but it involves physically pressing a sequence of keys to throw the phone into that mode.

    • 0 avatar

      A specially crafted music file causes an overflow (either index or arithmetic) in a way that changes a function pointer or a return address, then the rest of the “music” is interpreted as executable. It’s the same mechanism that permits to take over Windows computers by displaying a specially crafted JPEG or GIF in a banner ad, only music is used instead of image.

      I’m more curious how the malware is supposed to jump the stereo. My stereo does not have a CAN connection, so it would have to attack wireless input vectors next. The probability of successful attack is very low (again, only because my stereo does not have a Bluetooth).

  • avatar
    jmo

    Plus the simpler the better.

    Glad to see everyone is such a big fan of beam axles, drum brakes and carburetors. If I didn’t know better I’d think you were all a bunch of retired GM executives.

  • avatar
    mcs

    There’s a big problem with that “study.” It’s based on a lame scenario that isn’t going to happen. Basically, they hooked a laptop to the OBDII port and communicated with the laptop. So, unless you walk out to your car and find a laptop hooked up to the OBDII port, there is no chance of the scenario in this lame study happening. There are bluetooth devices that interface to OBDII, but the broadcast distances are only a few feet and you’d notice it if one was attached.

    Physical access could also be granted by installing something as innocuous as an aftermarket stereo system embedded with malware. And though it’s easy enough for anyone to access these ports or install malware-infected components, there need not even be a physical link to the car to compromise its safety and privacy.

    That’s a total load of crap. Do you know how difficult it would be to embed malicious code in a stereo system? That scenario is so far fetched. It’s not like you’re dealing with a PC. The hacker would have to get a job at the company, figure out how to embed the code in the limited amount of memory in the stereo and sneak it past peer code reviews and quality control. If they did manage to get the hack out the door, the person would be caught immediately because you wouldn’t be able to hide your tracks. It isn’t going to happen.

    The only area that there might be an issue is with bluetooth systems. You’re not going to hack the engine, but a lot of minor mischief is possible like listening to conversations inside the vehicle or broadcasting audio into the car. The problem is that you have to be within close range to do anything.

    • 0 avatar

      If you think that cracking your stereo requires getting a job at Sony first, you might want to study the industry that makes DVD players region-free and unlocks cellphones.

    • 0 avatar
      Robert.Walter

      Is it far-fetched?

      Everready managed to release infected code with their USB battery charger unit, and also post it on their web-site…

      After the malware was discovered, Everready had to recall the units and pulled-down the s/w off their web-site…

      If moles can infect the DoD, CIA, NSA, etc., I don’t think it would be that far-fetched for it to happen in the private-sector (just another kind of industrial espionage… which has also been legion…)

  • avatar
    50merc

    We should worry more about electromagnetic pulse (EMP). One of those would fry the electronics in our cars–and almost everywhere else–and put us back into the Iron Age. Anybody know how much shielding their car, TV, computer, phone, microwave oven, etc. has?

  • avatar
    BMWfan

    @mcs

    Bingo. You hit the nail on the head. There are systems available right now that let you download a car’s phonebook to your laptop, or listen in on a person’s phone conversation if they are using a bluetooth link. You must be in close physical proximity to the target vehicle in order to do this. It doesn’t help that most bluetooth security codes are only 4 digits, and are 0000 or 1111. You will see much more about making the pairing process much more secure in the near future. Only threat I can see right now is corporate espionage.

  • avatar
    Bob12

    There’s no way someone can hack into my car, because it’s got a firewall!

    Thank you, I’ll be here all week. Please try the fish.

    On a more serious note, consider a (not very distant at all) future where cars’ computer functionality and connectivity greatly exceed their electronic security (compared to a desktop or laptop PC). When people are browsing the Web and checking e-mail from their cars, how hard will it be to capture financial information when they do online banking? Or purchase something online? Alternatively, how about creating a botnet made up of compromised car computers? Questions about range have come up, citing the limitations of Bluetooth. How about 802.11n, LTE, or even WiMax? In this theoretical future, a hacker sitting in a Wal-Mart parking lot would be shooting fish in a barrel.

    Note: I realize it’s easy to cook up scenarios like the ones above when speaking in abstractions. I can’t comment with technical accuracy as I have no experience developing embedded systems. However, what I said above sounds very plausible for the near future (to me at least!).

    • 0 avatar
      TrailerTrash

      LOL.

      Really…that firewall crack was good.

      Now on another serious note, this electronic world has really changed everything, not just our cars.
      We all see what a simple programming error can cause looking at the recent Lexus SUV/CReports issue. Stability control is now not such a hard and true friend of mine.
      I now think about it every time I take an off ramp too quickly!

      And yet I thank GOD for the ability to get into these systems.
      My MKS is wonderful driving to Florida watching DVD movies with THX sound!
      I am sure this is not condoned by Ford, or the authorities.

      This sounds like pure Hollywood…the new “hit” tool by “the family”. You can take over control of a person’s car…wow!
      Or take over an airplane!!!!!!
      Sounds like a movie plot.

  • avatar
    dkulmacz

    These guys should go into business selling a Toyota ‘black-box’ decoder . . .

  • avatar
    psarhjinian

    Through these vectors to the OBD-II port, researchers were able to access the Controller Area Network bus…

    There is a truism in computer security: if someone has physical access, they have control of the system. Ergo, any security flaw that relies on physical access isn’t really a “security flaw” at all, or at least not a “serious” one.

    If you have access to the OBD-II port or can otherwise physically tap the bus, you also have easier ways than this method to compromise the vehicle. Many of those ways are mechanical, by the way. It’s an interesting idea, but the way it’s cast comes off as Luddite fearmongering.

    Side note: are there any cars right now that tie the in-car entertainment system to CAN? About the only vectors I can think of that don’t require physical access are BlueTooth to CAN via the ICE (which would be like hacking your PC by way of hooking acoustic couplers to the microphone), or (and this would be my concern) if the OEM’s telematics system (eg, OnStar) was compromised.

    Sure, CAN isn’t IPSec. Neither is USB or SCSI. There’s a reason for this: security layers on protocols that require physical access to compromise waste processing time, silicon space, money and effort. Worry about someone hacking OnStar, not this.

    • 0 avatar
      Robert.Walter

      I was trying to think of additional vectors too, some which might actually exist and others that would need to be invented … the following is less a function of my paranoia, and rather more a function of just a little creative thinking …

      First question is who would be a worthy hack target and why? Persons one wanted to hear the conversation of while they were in the car? …Persons one wanted to implicate or injure in a road accident? Rich and famous?

      Of course, there is also a difference of vectors where one inserts code (less detectable, esp. if it erases after performing its function), and where one installs a device in-line for a different purpose (which would remain in-place after the function was performed)…

      If you are just about hoovering up information, and the ICE/speakerphone system is accessible via an on-board net, then you just attach a device which copies this info for later-downloading, or which would broadcast it realtime to and over the cell-network.

      There are plenty of opportunities for one to gain access to an OBD port … just plant someone, or pay someone to look away, at the valet parking, the car wash, the oil change shop, etc…

  • avatar
    Norman Yarvin

    So what car is this, that they hacked into? They coyly say that they won’t tell what make and model it is — but then they print photos of the damn thing. (See the top of page 6 in their paper.) I’m not enough of a car nut to identify it, but some of the people here must be.

  • avatar
    John Horner

    Yes, and your car is also vulnerable to anyone with a screwdriver, wrench, pocket knife, sledge hammer or Krazy Glue. Turn all the inner portions of the valve stems on a car a smidge with a tiny tool that fits in your pocket and you can ensure that the driver will have four flat tires some time well after you have left the scene. Use another pocketable tool to just barely crack open the brake bleeder valves and the vehicle will seem to stop ok for a little while, but not for long. My intent isn’t to give people a how-to list for automotive mischief, but to point out that there are countless mechanical ways to mess up a car which have nothing to do with electronics. Yes, the electronic systems are one more way a person can make mischief with a car. What exactly does that prove?

  • avatar
    cacon

    I’m a software engineer in embedded systems for automotive applications, in other words I develop code for car’s ECU’s. Except for a few of multimedia systems (navigators, sync system, etc) all ECU’s use the embedded approach, which means that they are purpose built, and have very limited memory capacity (both volatile and non volatile memory). They are designed to do most with the less possible. They’re not at all like a PC or laptop, which can do a lot of generic stuff: run any kind of code, read any kind of memory, etc. which a car ECU can’t, period (as of the state of the current ecu developments).

    As far as my knowledge goes, there is no car computer that can run any type of code, except for what is stored in its own memory. What can be done (looking at the “hacked message” in the cluster) is to supplant its inputs and outputs: hack the CAN channels or any other type of digital communication, sensor readings, etc and supplant them with what you want, which can be dangerous, but not that much, since all critical ecu’s have fail-safe working modes (supposedly).

    Why the car’s ECU’s are “small” (memory availability speaking), embedded and purpose built (not generic)?:

    - To create them as simple as possible
    - For them to be robust (it’s tied to the simplicity), as far as SW based systems robustness goes.
    - Fast responses (ABS systems, airbags, engine control, and all the critical systems that a car has).
    - Reliability
    - and many more…

    For you to be able to hack and do whatever you want with an embedded system you must have a very deep knowledge of what you’re doing, how the embedded system works or do reverse engineering. The previous apply for any kind of application, not just cars.

    A system level of security is always determined by the probability of it being hacked, this also applies with any kind of application. Going from this, if you want to tamper with the system of any car it is easier to do it physically than electronically. Basically you have to put the car’s security into context.

    In conclusion ANY electronic system (secure or not) can be hacked if you know what you’re doing. The more complex, the more you can do if you have control on it.

    In page 3 of the paper: “However, our work is focused squarely on the possibilities after any such infiltration. That is, what are the security issues within a car, rather than external to it.” So in theory anything is possible:

    Personally I think that the paper is the result of a bunch of engineers with a lot of free time and nothing better to do.

  • avatar
    GS650G

    Somewhere, someone is planning to exploit this technology for the benefit of government. Just think of the endless possibilities for tax, control, and regulation.

    • 0 avatar
      John Horner

      While many people worry about the government interfering with their lives and privacy, it is more often private companies which are actually doing it.

      Who do you think is looking at the details of what you buy, where you buy it and how much you pay? Your credit card companies, that’s who. And, they are selling that information to other companies which in turn want to sell you stuff. On the ‘net, it is private companies who are tracking your every move. Something to think about.

    • 0 avatar
      windswords

      The big difference John, is that if I don’t want the credit card companies collecting data on me I just use cash (or debit or even a different credit card). If the government decides it wants by fiat to collect info on you there is nothing you can do about it.

    • 0 avatar
      PeriSoft

      The endless possibilities of CAN bus snooping and opcode fuzzing for government taxation?

      You seriously need to have a nice lie-down to clear your head. Taking the tin foil hat off first will make it more comfortable.

  • avatar
    newcarscostalot

    I can see it now:

    “Vinny, what are you doin?” “I’m gonna cut da brake lines on dis car, boss.” “Vinny, Vinny, Vinny. It’s the 21st century! We don’t cut brake lines on cars nos mores. We hack the electronics!” “Hows do we do dat, boss?” “See, that’s the reason I’m the brains around here.”

  • avatar
    windswords

    I guess this gives Toyota an excuse for their SUA. It was just these guys fooling around with some malware.

  • avatar
    redmondjp

    The CAN protocol was first designed for industrial machinery controls and it has gradually migrated over to vehicles of all types. It is heavily used in the off-highway and agricultural equipment sectors as well. It was never intended to be hacker-proof! The SAE publishes specifications for the CAN protocols used in vehicles should you care to read more.

    On a somewhat related note, searching the web a few years back I came across a lawsuit against the federal gov’t involving the FBI’s use of Onstar to eavesdrop on potential suspects without their knowledge (IIRC it was a “warrantless wiretap”). The hands-free cell phone built into the car makes the perfect bug. It goes without saying that you need not be an Onstar subscriber for them to do this. If you don’t use Onstar, you may consider introducing the antenna wiring to your diagonal cutters, if you are paranoid about such things (Big Brother may already be listening . . . SUPV: “Bill, anything from the car lately?” EMPL: “Well, they’re listening to Glen Beck” SUPV: “Bring ‘em in STAT for questioning!”)

