By on August 10, 2011

A team of researchers at UC San Diego and the University of Washington, Seattle, has just published a paper titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces“. Behind that dry title is a very exciting research study. In essence, they bought a modern reasonably-priced car with lots of fancy features, including a built-in cellular phone interface, and did a serious reverse-engineering exercise to determine whether it had any security vulnerabilities. It’s the most comprehensive study of its kind.

Curiously, you can read their paper all the way through and not see any name of the particular car they studied; they argue these issues apply everywhere. This seems unnecessarily conservative. Besides, if you read their previous paper and look at the photos, any car nut will be able to identify the car without any trouble. Let’s play along anyway; we’ll just say it’s a Generic Motors product.

You see, Generic Motors (and, I agree that this is about far more than any one car company) thought it would be really cool to have a telematics system that could do a variety of clever things, like automatically connect an operator to your car when the airbags deploy to ask you whether you’re in need of medical assistance. The way a security person looks at that, though, is that there’s a communications path from the inside of the car out to a data center somewhere and back in again. If the attacker can interpose on that, there’s just no end of mayhem that could be accomplished.

Earlier press reports on this research focused on how they found an attack against the car through the CD player. A carefully constructed CD-ROM, using a malicious compressed music file that would play without issue on your regular PC, could exploit a buffer overflow vulnerability and then control the CD player. Meanwhile, in modern cars, everything’s actually networked together. Consequently, from the compromised CD player, the attacker can take over everything else in the car with the greatest of ease: engine control, door locks, you name it.

Still, that attack is for chumps. How’s a car thief supposed to realistically get a malicious CD into your CD player? Do you valet park your car? No, the really exciting attack, and by exciting I mean “expensive factory recall” exciting, focuses on that built-in cellular phone interface. You see, that means that every Generic Motors car has a phone number and it turns out you can call it. Generic Motors got the security all wrong, and an attacker can thus take over your car without being anywhere physically near it.

What could this evil attacker do? Track you, actuate your brakes, listen in to your conversations, etc. This is normally the stuff that only dystopian science fiction authors dream about. If you want to get seriously dystopian, though, you have to read the paper’s own speculation (page 13). The authors imagine a world where a criminal agency tracks all of the Generic Motors cars in the city. When a garden variety criminal has an hankering for a particular car, he phones up the agency and asks where such a car might be and what it’s owners’ habits are. For a suitable fee, the agency directs the criminal to the car, helpfully unlocks the doors, and starts the engine, all for a modest fee. That’s service with a smile! Similarly, think how much fun the paparazzi could have using similar techniques to eavesdrop on the Hollywood starlet du jour.

Is this just a problem for Generic Motors? Far from it. Virtually any modern car can connect to your phone via Bluetooth and increasingly many cars come with built-in phones. To pick one example, the new Audi A7 uses this to great effect with Google Maps for navigation. To pick another example, Tesla has said that the forthcoming Model S will allow third parties to develop “apps” for their car. What could possibly go wrong with that?

Are our automotive companies and their suppliers responding appropriately? Maybe. I’ve spoken to a number of security people, both in the U.S. and Europe, who consult with these companies. The companies prefer to keep their security concerns under wraps. Suffice to say “they’re working on it.”

[Disclosure, I was the "shepherd" for this paper, meaning that the USENIX Security conference program committee asked me to help the authors of the paper make the changes that the committee requested. I'm not a co-author of the paper and I have had not personally participated in any automotive security analyses, unless you count the time, in high school, that we discovered that my Nissan key worked perfectly in a friend's Mazda. Zoom zoom.]

Get the latest TTAC e-Newsletter!

27 Comments on “Can Somebody Steal Your Car By Calling It On The Phone?...”


  • avatar
    aristurtle

    While OnStar and similar services are indeed a security nightmare, the phone-Bluetooth to your stereo thing shouldn’t be a security problem because the computer running your entertainment system shouldn’t be connected in any way with the computer controlling your engine, brakes, door locks, and alarm.

    (Note the use of “shouldn’t be” rather than “isn’t”.)

  • avatar
    PintoFan

    I think the part about having a “phone number” that can be “called” is a gross oversimplification of the problem. Having an identifying link with another computer is not the same thing as having a “phone number,” which is part of a public network. The identifying number of a Generic Motors product is proprietary information that is known only by the company- remember, the engineers didn’t know it until they took the system apart, and even then I’m sure it wasn’t easy to discover. My point is that unless hackers are able to access the number by either stealing the information from corporate or breaking down the car’s code, they have no way of actually “dialing in.” And even then, they say nothing about the encryption of the signal, which is a whole different problem.

  • avatar
    geozinger

    From the eweek article: “Researchers found no evidence that cyber-criminals were using these tactics to attack cars. “This took 10 researchers two years to accomplish,” said Savage. “It’s not something that one guy is going to do in his garage,” he said.

    One factor working against would-be car hackers is the fact that there are significant differences among car systems. An attack might work on an auto make and model one year and then fail against the same model the next year, for example.

    The remote hack was not easy to execute, and there is a high technical barrier for attackers to overcome, researchers noted. It’s still easier to just do it the old-fashioned way, by plugging directly into the car’s systems and uploading malware.”

    OK, so what is the probability of this happening? I’m guessing close to zero. Besides, if someone wants to steal my G6, go for it! I can finally make plans for that Challenger I’ve been wanting. (/sarc)

    @aristurtle: Why do you think OnStar is a security nightmare? Other than the incident with the FBI forcing OnStar to eavesdrop on their suspect, I’ve never heard of any security related issues with them.

    • 0 avatar
      PintoFan

      This is pretty much what I’m saying. A computer isn’t going to replace a brick and a screwdriver as a car thief’s tool of choice any time soon. Actually, I have pretty high hopes that with the evolution of transponder keys and other systems in new cars, auto theft will decline drastically over the next few decades.

      • 0 avatar
        Russycle

        I think we’re already seeing the effect of modern security features. The NICB recently released a report about the most-stolen cars in Oregon, only one of the top 10 was less than 10 years old (2003 Corolla).

        I wouldn’t be too quick to dismiss this threat though. We already have huge networks of hacked computers controlled by crime syndicates, it’s not much of a stretch to imagine them using their know-how to move into car theft.

    • 0 avatar
      aristurtle

      “Why do you think OnStar is a security nightmare? Other than the incident with the FBI forcing OnStar to eavesdrop on their suspect, I’ve never heard of any security related issues with them.”

      Well, of course: as the study notes, nobody’s using this attack vector yet. Please note that in the computer security field, “ten researchers and two years” turns into “one guy, fifteen minutes, and some software he downloaded from the Internet” remarkably quickly.

      The point is that there is a system in the car capable of unlocking or immobilizing the vehicle remotely. Can GM create a system that does these communications in a cryptographically secure way, with no exploitable vulnerabilities? In theory, sure. In practice, security of this sort is incredibly difficult to get right and an attacker only needs to find one vulnerability whereas the developer needs to protect against every vulnerability.

      Last year at DEFCON, there was a demonstration of a fully functional man-in-the-middle attack against GSM, and this year there was one on CDMA as well. Hey, what does OnStar use to communicate with the mothership, again? But hey, like PintoFan said earlier, the car’s unique CDMA identifier (not really a “phone number” but that’s a close enough description for the layman) is proprietary information — it’s only at OnStar central, in the car’s computer itself, and in the headers of the CDMA message itself which are securely encrypted — until last week at DEFCON. Whoops!

      edit: and while we’re on the subject, look at Stuxnet. That was an attack that took years of development to pull off, and targeted vulnerabilities in one specific piece of computerized industrial equipment that wasn’t even connected (even indirectly) to the Internet. Highly improbable attack–until it happened.

      • 0 avatar
        geozinger

        @aristurtle: Fair enough. But two things come to mind: the software in the “one guy fifteen minutes” has to come from somewhere. The “ten researchers and two years” people pave the way with their proof of concept research and *magically* these things get released in the wild.

        Second is that security is an ever moving target on both sides of the equation. I would be astonished if the producers of GSM and CDMA protocols had absolutely nothing planned for the eventuality of being ‘hacked’, it would be irresponsibility on a grand scale.

        But like I said before, I’d love to get into that new Chally somehow…

      • 0 avatar
        aristurtle

        The “ten researchers and two years” people pave the way with their proof of concept research and *magically* these things get released in the wild.

        Once it’s known that an attack is possible, duplicating and expanding on it is simpler. Somebody’s gotta publish the vulnerabilities, though, or the manufacturer just pretends there isn’t a problem and owners and insurance companies just shrug and say “geez, I guess these new Caddys are big targets for theives or something…”

        But like I said before, I’d love to get into that new Chally somehow…

        Well, if you can find a buffer overrun in the code that communicates with the wireless tire pressure sensors, maybe you might be able to get from there to the power locks…

      • 0 avatar
        Steven02

        Before you go over board, well, too late really, the details of the CDMA attack at DEFCON aren’t actually known yet. Packets were crafted to create a man in the middle attack that launched a pop on the device and required a user button press to install a root kit.

        I can’t find anywhere that said they got the CDMA identifier from an attack. By that, I mean getting the CDMA identifier before installing the root kit. If you don’t have this data, it is going to be pretty difficult to target the attack to do something useful. Else, you are just trying random numbers or identifiers to try the hack.

        Also, Stuxnet was targeted using an attack analogous to the CD player hack in a car. You needed someone to carry a USB key or something into the private network. While it worked for Stuxnet, I think your analogy to what is possible is more similar to the CD example and not to CDMA.

      • 0 avatar
        Steven02

        This also isn’t only a GM problem. BMW, Toyota, Hyundai and others have similar types of systems.

      • 0 avatar
        aristurtle

        Look, everyone, just skip to Section 4.4 of the paper. With nothing but the car’s “phone number” and a vulnerability in the authentication system, they could access everything on the car’s CANBus network (e.g. power brakes, power assist steering, power locks, ignition, engine control) and could also get the thing’s GPS coordinates from the navigation system. Oh, and the VIN. And a stream of all audio in the cabin. And they could upload a program that would keep running in the background so they would only need to break through auth once.

        So, yeah, they need the car’s “number”. (Or, alternatively, they can just go through the entire list of “numbers” assigned to the manufacturer.) This does not mean “hey everything’s fine!” It means you are one relatively simple piece of information away from a “recall everything” level problem.

        Right now they got the car’s “phone number” by using a different exploit to have the car call a number they controlled and read the number off of caller ID. Are you sure that they won’t find any easier way to get this, ever? How sure?

        Security is not an industry for optimists.

      • 0 avatar
        Steven02

        I doubt there is a list floating around that says it belongs to a manufacture, only numbers that belong to Verizon. They don’t belong to a manufacture either once the car is sold and the is an onstar subscriber, then it is John Smith’s phone number.

        So why is the car supposed to call this number? Is it a user calling the number in the car?

        So, to steal the car, you need the number of a specific car. Not the easiest thing to get, but not impossible. Then you need the car to call you. Then you can run an exploit on it. I am just saying that right now, there are some pretty simple safe guards there. Don’t call people from your car is number 1. Number 2, don’t call people you don’t know from the car.

        Read the document. Where is the other exploit talking about having the car call a specific number? I would like to see that one.

        In section 4.4, there are some obvious problems. When you have the number, you can make about 128 calls and get authenticated if the car is on the entire time. This can be fixed though. A few software updates to fix the authentication problem, and it is done. The updates could probably even be done OTA, this is doubtful though.

        Now, I am not trying to make this too simple, but just trying to point out that this isn’t the end of the world. For the cell problem, the car needs to be on for it to work. For the bluetooth problem, you need to be by the car for a long time when it is running.

        I also do think you are going the wrong way about this. The cars can probably be more easily stolen than using these exploits. Much easier. From their own FAQ…

        We believe that car owners today should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our papers and we are unaware of any attackers who are even targeting automobiles at this time.

        However, we do believe that our work should be read as a wake-up call. While today’s car owners should not be alarmed, we believe that it is time to focus squarely on addressing potential automotive security issues to ensure that future cars — with ever more sophisticated computer control and broader wireless connectivity — will be able to offer commensurately strong security guarantees as well.

        We are pleased to say that, following the publication of our first paper, industry is now taking automotive security more seriously. For example, both the Society for Automotive Engineers (SAE) and United States Council for Automotive Research (USCAR) now have efforts focused on automotive computer security. We have also had positive discussions with multiple car manufacturers and various U.S. government agencies. All the parties we have talked with are taking computer security for automobiles very seriously.

        Also, this…

        While our experiments are focused only on a limited set of cars (the cars for our May 2010 paper and the cars for our August 2011 paper), the automotive sector has many common suppliers and common development processes. We have no reason to believe that the types of issues we identified are not industry-wide.

        Again, this isn’t a GM problem. It is an industry problem, one that could become serious, but isn’t at that point yet.

      • 0 avatar
        aristurtle

        I don’t know why you think I’m attacking GM. I used OnStar because it’s the most recognizable example, but this applies to all manufacturers: the CAN bus network should not be connected to a system that receives commands remotely.

        You need to read the study more carefully, because it’s kind of clear that you didn’t get it.

        1) The car has a cellular radio on-board for an OnStar-like system.
        2) The cellular radio can control send out packets over the CAN bus based on commands from this system.
        3) These commands are carried over the normal voice cell network, in-band (i.e. as old-fashioned audible tones) in an attempt to increase range.
        4) By calling the car’s phone number (not the phone number for your Bluetooth-connected cellphone, the phone number of the OnStar-like cell radio) the security researchers could connect to this system and send these commands.
        5) Because the manufacturer half-assed the authentication, it requires, on average, 128 attempts (i.e. calls) to gain access to, and complete control of, the car. Each call takes at most twelve seconds. The CAN bus controls everything from engine timing to the power brakes to the windows and locks and alarm. By breaking the telematics unit you can send arbitrary commands over CAN.
        6) Interestingly, they could also upload a program that would stay resident in the OnStar-like computer’s memory so they wouldn’t need to go through the authentication again. This means they can remotely root your car and just deal with it later.
        7) Also, data exfiltration is possible: they demonstrated using the program mentioned in (6) to broadcast the GPS coordinates of the vehicle and the VIN, and to record cabin audio (read: what people are saying in the car).

        So, yeah, they just need the OnStar(-like) unit’s internal phone number and the time when the car is on. Smart money is that the car is probably on between, say, 7:30 and 9:30 AM, and 4:30 to 6:30 PM, but there’s little reason why they can’t just keep trying all day; the attack is not visible to the driver unless the attacker wants it to be. Phone numbers are generally allocated in blocks: find the phone number of your car (trivial if you already own the car) and try the ones next to it, incrementing by one until the GPS coordinates find one near you.

        If you don’t see this as a big deal, I don’t know what to tell you. It’s not a big deal if the CANbus network’s security is primitive when the only way to get into it is by plugging something into the OBD port. It’s a huge deal if you can dial into random cars halfway across the country and root them over the cell network from the comfort of your own basement.

        CAN needs to be disconnected from a cell radio, period, and I’ll never buy a car where it’s connected like that.

        edit: You said “This can be fixed though. A few software updates to fix the authentication problem, and it is done. The updates could probably even be done OTA, this is doubtful though.”

        in other words, “yes, they probably need to recall every car in circulation with this ‘north american telematics system that may or may not be OnStar’ in order to update the authentication software”. Thank you, that’s what I was saying.

      • 0 avatar
        charly

        Gone in 1536 seconds

        Terrorism is also a possibility

        Find the phone numbers block of Hummers or Priuses. Own them and then Borg them

  • avatar
    tankinbeans

    Ahh…an article related to a potential problem shown in an irritating commercial regarding a “convenience feature”. That’s all I have to say about that.

  • avatar
    threeer

    Next up…our “star attempts to steal our reasonably-priced car” segment…

    Sometimes you read stuff like this and you begin to think that the dude driving the old beater is really onto something…

  • avatar
    Conslaw

    You said you could go up to $35k? Get a Ford Escape Hybrid. You’ll get almost double the city mpg of some of the alternatives, and let’s face it, that’s where you’ll drive it most of the time. On the highway, most owners are reporting about low 30s. You might find that hypermiling is about as fun as driving through the twisties, and you can do it more often. Besides, driving a slow car fast is more fun than driving a fast car slow.

  • avatar
    zerofoo

    I believe the new 7 series has two system busses for this very reason.

    I think CAN bus is used for “critical” things like engine/transmission/body control modules and plain old ethernet is used for the “entertainment” network (audio, video, handsfree, backup cameras…etc).

    Critical and non-critical systems should be separated by an “air-gap”. Although it’s cool, do we really need our door-locks and window regulators accessed by an outside system? Ford’s keypad lock-unlock seems to do the job well enough.

    -ted

  • avatar
    George B

    Sad thing is this vulerability is the result of car manufacturers pushing telematics in hopes of getting monthly revenue instead of car consumers demanding that a their car have it’s own cell phone. Having the phone and the phone bill tied to the driver and not the car is clearly a better deal for the consumer. Who wants their car to call the outside world independent of the driver and his or her phone? Who wants yet another monthly bill to pay?

  • avatar
    redmondjp

    Maybe they can steal it, but they certainly can listen in to your in-car conversations. The FBI used Onstar to do just that several years ago (and you don’t even have to have a subscription ;).

    Welcome to our Brave New World! We now have cars that can report our wherabouts, record our top speeds, and e-book readers from which books that we have “purchased” can be instantly sucked back, all without our control or consent. Car reposessors are going to love this technology methinks.

    It’s not technology in itself that I’m worried about; it’s what can be done with it that concerns me . . .

  • avatar
    Lorenzo

    “unless you count the time, in high school, that we discovered that my Nissan key worked perfectly in a friend’s Mazda. Zoom zoom.”

    Heh. When I was in the Navy, I found that the key to my ’65 Impala would NOT work on a shipmate’s ’63 Corvette, but DID work on another shipmate’s ’68 Ford Cortina. Hold the zoom-zoom.

  • avatar
    V-Strom rider

    Back in the 70′s there were only 24 unique keys for the Honda 750 (the gun sportsbike of it’s day). A friend of mine had one, but I declined his offer of free use of his spare key so I could “acquire” one of my own.

  • avatar

    Wireless Mobile phones connectivity is a better option, but it can be a harmful for us because if your mobile will steal than your car is in the danger. Now a day’s many cars having so many security options, and it will be increasing for more secure future of us and our cars.


Back to TopLeave a Reply

You must be logged in to post a comment.

Subscribe without commenting

Recent Comments

New Car Research

Get a Free Dealer Quote

Staff

  • Authors

  • Brendan McAleer, Canada
  • Marcelo De Vasconcellos, Brazil
  • Matthias Gasnier, Australia
  • J & J Sutherland, Canada
  • Tycho de Feyter, China
  • W. Christian 'Mental' Ward, Abu Dhabi
  • Mark Stevenson, Canada
  • Faisal Ali Khan, India