Computer scientists have brought new meaning to the term war driving by hacking into a moving car's wirelessly-connected warning systems and generating fake error messages. A team from the University of South Carolina and Rutgers sent fake tire pressure messages to the onboard computer, generating bogus warning messages. Tire …
So other than tires, which for obvious reasons cannot be hard-wired into a car's computer system, and Bluetooth phone connections, exactly what other car systems rely on expensive and flaky wireless rather than wired connections for their control-and-command infrastructure?
I have to believe this is alarmist nonsense.
Ah, but the thing is if ANYTHING uses wireless then the hacker has a potential access point into the computer(s). As more of the subsystems interact with each other it is conceivable that using the wireless connection the hacker could inject many different kinds of data, even if the origin of that data was normally a wired connection all they have to do is generate the trouble data code and let the car's computer react in turn. Right now we usually see individual sensor lines to the computer but a bus with multiple sensors on the same subsystem would seem to be the natural trend in automobile electronics evolution.
For example, no oil pressure = shut engine off. Imagine a movie theater where you have a fire alarm. You don't actually have to activate the existing fire alarm to make people think a fire alarm has gone off, you only need to send the same data to the (computer) brain like the sound and lights associated with an alarm.
While I don't suggest this level of hacking is possible today, we do see where car design is moving forward towards more complex computing systems that will inherently introduce more bugs as the code base grows.
The tyres don't have access to the onboard network directly. The tyres just report data to a sensor that reads the tyre data and reports it to the system. This sensor can only generate tyre data. It is not a generic data gateway that can fake engine data etc. All you've done is mess with the sensor data.
Sure you can now trigger tyre pressure warnings. You have not actually achieved access to the vehicle network, just spoofed a sensor.
Not really much different to shining a laser at a temperature sensor to trigger it and triggering an oil temperature warning (except that this can be achieved remotely).
The biggest problem is really that to the Great Unwashed, hearing "wireless" sounds like a network level intrusion.
Of course you could hypothesise some potential alarmist scenario where car designers would use wireless for other more critical data (engine, drive train, airbags...) but they don't do this. This is just alarmism.
Dear Science guys...that seems to me to be a pointless waste of time...
Far better that they get these wheels to let the local fuzz know where they are at all times....
Oh dear we seem to have a sudden loss of tyre pressure in all four alloy wheels at the same time....I wonder why that is.
The first thing that got my attention was...
...that tire (or tyre, for those of you that drive on the "other" side of the street) pressure sensors are **mandatory** on all cars in the colonies since 2008. While a nice option, I guess it further goes to show that folks on this side of the pond can't be arsed to get out of the car and check their own tires.
(Or...perhaps one should instead ask which Congresscritters have a hidden financial interest in the companies that make said sensors...Sheesh again!)
Not all are wireless
Something not mentioned is the tire pressure monitoring system on many cars ISN'T WIRELESS.
The computer just uses the ABS sensors on the wheels to detect a wheel that rotates faster than the others to trigger a flat tire warning.
So, for those cars there's nothing to exploit with regards to that system.
Wait a minute?!
Are they suggesting that safety critical systems shouldn't feature superfluously wireless communication?
So we should be thankful that....
.... malware infections of vehicle systems have never occurred
==> YET <==
It has happened in Knight Rider, and again in Team Knight Rider.
Coat, hat, Kitt!
Wow. Cars can be tracked through these sensors.
Almost as dangerous as requiring all vehicles to display a unique identifier of some sort, possibly mounted fore and aft?
Unique identifier fore and aft
No more dangerous than having a unique physical identifier per individual (ie: a face).
There is an enormous difference between being recognizable anywhere and being trackable everywhere. That difference is called privacy.
If I drive my car to a given destination, I do not expect the police - or anyone else, for that matter - to take any notice of my trip as long as I do not cause any accident. Even if a patrol car happens to follow the same route for a few kilometers (or miles), I don't expect them to write my number down until I actually do something reprehensible (like cross a white line, or exceed the speed limit).
If my trip becomes a line in a database whether I've done something wrong or not, then there is violation of my privacy and I will fight against it as much as I can. Nobody has any business tracing my activity without my express consent if I remain within the limits of the law.
I don't know what cars they checked this with, but my car has to be "trained" to listen to a tire sensor. Every time I rotate the tires, we have to go through a gyration process of moving the car key, gas pedal, and stereo buttons to put it in learn mode, then after a few miles it IDs the 5 sensors (4 tires and spare) that have managed to stay with the vehicle eliminating other tire IDs from other cars, and then determines which tire is on which hub so the controls can tell me the front right tire is low.
If they had the ID and could send a powerful enough broadcast to overpower the one from the tire, and stick with my car long enough to trigger it to tell me I had a flat then a) I'd know I don't (I've had many flats, it's pretty friggin obvious, and I'd know to ignore the sensor.) Even if I fell for it and pulled over, I'd quickly ID it is faulty readings, which turns out to be harmless other than wasting my time, they're not hacking the engine...(that's been proven not possible). If I did figure I'd been spoofed, it would have to be a car that had been with me for a few miles thus far, and might even be easy to ID based on looking at other drivers, and I'd call 911 and have them arrested.
Any "hack" that puts you in close proximity to a mark, for an extended period of time, and takes $1500 worth of hardware to pull off (without any financial gain or benefit mind you) and which could be seen by the law as potentially harmful or dangerous (or property damaging), is simply not going to be pulled off in any reality setting other than as a proof of concept.... The most this will do is lead to manufacturers changing the TPMS system slightly to prevent such tampering.
Also, as for the "privacy" concerns... a) it's illegal for them to collect that data. b) it's a FUCKTON of data to keep and would require tens or hundreds of millions in servers and software just to real-time process the signals (let alone thousands of networked sensors), and then on top store and process that data to build patterns on people, and c) if they want you, all they need is a warrant and a magnetic GPS device, or a cell trace, so such a monitoring system is completely unnecessary.
That privacy thingy
"Also, as for the "privacy" concerns... a) it's illegal for them to collect that data."
So far, that has not kept too many people from doing it. Ask Google, Microsoft, the U.S. Federal Government just to mention the first three that pop to my mind.
"b) it's a FUCKTON of data to keep and would require tens or hundreds of millions in servers and software just to real-time process the signals" Not exactly true. Many car manufacturers already offer the service of tracing their cars for the customer's (in)convenience. First of all, the data is compressed, which can be done at a very low overhead without data loss -- we're talking about text and numbers here. Secondly, since it's just text and numbers being transmitted, it's not really all that much data in the first place. Thirdly, this is the age of Terabyte-plus hard disks stacked up in large arrays. Data storage is not a big investment, and data handling -- once again, it's some text and numbers -- is something that could be done with a few late 1990s workstations, let alone the boxes the car manufacturers have standing around, idling along until the next crash simulation is slotted in. Now, THOSE require some oomph. Location and tyre pressure data, even of a few million vehicles, does not even spin up the cooling fans.
"c) if they want you, all they need is a warrant " Not in the U.S. They don't even need a warrant there. They can just barge in on a telco and demand all the files kept on a person, and if the Telco won't comply, it faces severe trouble. Several agencies that had routinely done that have been retroactively declared sacrosanct by the Bush administration, and the Obama administration has done absolutely nothing to rectify this blatant breach of the U.S. Constitution and several of its amendments.
Yes, let's try and argue the obvious away
"If they had the ID "
Yes, they can get that easily enough. You just explained how your car does it: By listening for everything it can find and then filtering out the obvious mistakes. So take two cars, force a reacquirement, and drive them really close for a couple miles, and suddenly both think they've got 10 wheels. Or maybe they'll just pick the five they heard first. Who knows.
Not exactly difficult for someone with a display showing all the tags in the vicinity and an awareness of where he's driving to figure it out without the target even noticing.
"and could send a powerful enough broadcast to overpower the one from the tire"
No if about that.
"Even if I fell for it and pulled over"
Exactly what "they" might have been after. And for some purposes that may well have been worth $1500 and a good chunk of time figuring it out. Even for one single use.
The point isn't that it may or may not be practicable -- which it is, and is relatively cheap as such things go, and they only get cheaper afterward. The point is that the way the manufacturers went about implementing this stupid law means yet one more obvious attack vector that could have easily been avoided. Only because the people in charge "forgot" to implement even the most basic security, perhaps out of cost considerations. And why not, it's just a tickbox item for them. And the chips are cheap. Let's sprinkle some more around!
That cheap sprinkling about of chips reachable by radio and devoid of any security is a trend that, frankly, worries me. And not without cause. Let's see how much abuse it takes for the rest of us to re-learn basic security lessons, shall we?
"Even if I fell for it and pulled over, I'd quickly ID it is faulty readings, which turns out to be harmless other than wasting my time, they're not hacking the engine...(that's been proven not possible)."
-- Michael C.
Citation needed for the fact that "hacking an engine" is impossible, citation should verify every single EMS system under the sun to backup statement.
"Proven not possible"?
Oh, really? That's a proof I'd like to see.
In a car?
Why? You've got to get power to the sensors so why not run a data link down there at the same time?
I guess some loony thought it was a good idea to save money, or something.
Think a bit next time...
The sensors either use an embedded lithium cell or are powered remotely by the transceiver. How exactly did you think someone could run a power cable into a wheel?
So Mr smarty pants A/C...
How would you connect a wire to a tyre pressure sensor? That's tyre as in big rubber thing that goes round and round and round and round and round (getting the idea now?).
Most tyre pressure monitoring systems do not require power in the wheel.
Last time I looked, the sensors were battery powered.
I guess 'some loony' didn't think that through?
I seem to recall seeing a clever invention that would generate electricity when flexed. It was announced that a strip of this around the inside of a tyre would then be able to power a small wireless transmitter when the tyre started going flat. You see, although the flat bit is always at the bottom it doesn't stay in the same place relative to the rubber, so it is constantly bending as you drive. Measure how much electricity is being generated and you have a flat tyre warning.
All of you
who think there's no way to get power from a stationary source into a rotating object have obviously forgotten (or never learned) about how commutators and brushes in electric motors work...
Slip rings for electrical contacts
What puzzles me, however, is how the air lines work for the really fancy tyre inflation system that can work as the car is being driven. There must be some really trick seals involved in that setup.
Safety critical sensor with *no* authentication
Let me guess that the handling characteristics of your vehicle will change drastically when your vehicle thinks one (or for real "fun") more of your tires has blown.
Smart. Make that mandatory and require *no* security.
Unfortunately wrong. The TPMS only generates a warning that there might be a problem. Handling characteristics would only be affected by an actual tyre problem. Any stability system wouldn't be connected to this, the relationship is indirect and based on deviation between measured and 'normal' behaviour and as the tyres aren't flat this isn't going to be happening.
One of the new Chinese car manufacturers (I forget which one...) decided on a new safety system where, if the car detected a flat tyre it would automatically apply the brakes to stop you dangerously driving on a flat.
It was then pointed out to them there might actually be very good reasons for needing to stay in as much control as possible in the event of, say, a blowout.
A wireless link between a car tyre and instruments isn't secure because no one gives a shit. Do they think crims are going to go round demanding money with the threat of putting a temporary false warning on your dash?
As for car tracking maybe they never noticed the big plates with a unique combination of numbers and letters front and back.
"the threat of putting a temporary false warning on your dash..."
...that makes you pull over to check the tyres yourself, with, "the crims", very close to your car...
Get it yet?
Didn't look which type of car
...but I can say that the VAG group uses the ABS system sensors to spot if a wheel is spinning at a different speed and therefore likely to have lost pressure.
It's not wireless and therefore invulnerable to this kind of hack. To be honest I thought all European manufacturers who gave these warnings used the same technique.
This is all very clever, but what's the practical application? I mean, apart from being showcased as the latest Q-branch gadget in a (probably never coming) Bond film. I could see this being useful for a narrow spectrum of BlackOps mission profiles, but where could this be problematic for us regular blokes going about our daily lives? I don't travel abroad much, so I needn't worry about being kidnapped by the Russian mafia or Taliban or whatever.* CIA/NSA/FBI aren't subtle enough to use something like this, so no real usefulness there either.
I suppose the eggheads behind this are merely employing a variation of Sir Edmund Hillary's maxim.
* but anon, just in case
Key Sentence for me...
The key piece of information is that there is no basic input verification. So if it blindly accepts data, does that mean that it is potentially vulnerable to buffer overflow or code injection style attacks? Interesting, but so far, not the end of the world.
Lack of authentication doesn't mean anything with regard to overflows or injection attacks in this case.
These systems are usually run with a very basic dedicated microcontroller and while they may accept spoofed sources due to only doing a sensor ident check, they still only do something with sensors they are expecting an input from. And the packets are fixed format with bounded values so you can't make the system do really stupid things. And even if you could get it to do something unusual it really doesn't matter because what's going to happen - you can't get anywhere into other systems and if you crash the uC it'll just restart.
It's nice that someone thought it was worth the effort to 'prove' the lack of security in these systems - which is immediately obvious from the sensor/controller documentation - but the reason there's no security is because it isn't necessary - why bother with the complexity and overhead for something that no-one will bother with, and even if they do it won't matter anyway?
No you twonk
It's a sensor input. No data path to the canbus, see.
This is not a general purpose data interface like a web browser or such. The wireless interface only knows how to process tyre pressure info. It will just grab a 40-bits or so packet, and parse it for sensor data. This will then be reported to the system as a tyre pressure status command.
If you stuffed code or huge buffers into it all you'd get is crappy pressures.
This is not really much different to the link used by a wireless mouse (not the BT kind). If you could "hack" it, you'd be able to generate mouse clicks etc. You can't inject code via that interface.
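Added example, not part of the original comments and not any real TPMS receiver's code: the two comments above describe a receiver that takes a fixed-format packet, checks the sensor ident and bounds the values. This C example shows what that validation looks like and why it rejects oversized or out-of-range input yet still accepts a well-formed frame from any transmitter that knows a learned ID. The frame layout, sensor IDs and limits are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame layout for illustration (not a real TPMS protocol):
 * bytes 0-3 sensor ID, big-endian; byte 4 pressure in 2 kPa steps;
 * byte 5 temperature in deg C + 50; byte 6 flags; byte 7 XOR checksum. */
#define FRAME_LEN        8
#define PRESSURE_MAX_RAW 225  /* 450 kPa ceiling, assumed */
#define TEMP_MAX_RAW     200  /* 150 deg C ceiling, assumed */

enum frame_status { FRAME_OK, ERR_LENGTH, ERR_CHECKSUM, ERR_UNKNOWN_ID, ERR_RANGE };
struct reading { uint32_t id; unsigned kpa; int temp_c; };

/* IDs the receiver has been trained to accept (made-up values). */
static const uint32_t learned_ids[] = { 0x1A2B3C01u, 0x1A2B3C02u, 0x1A2B3C03u, 0x1A2B3C04u };

static int id_is_learned(uint32_t id) {
    for (size_t i = 0; i < sizeof learned_ids / sizeof learned_ids[0]; i++)
        if (learned_ids[i] == id) return 1;
    return 0;
}

uint8_t frame_checksum(const uint8_t *f) {
    uint8_t x = 0;
    for (size_t i = 0; i < FRAME_LEN - 1; i++) x ^= f[i];
    return x;
}

/* Every field is checked before use; no copy is sized by data from the frame. */
enum frame_status parse_frame(const uint8_t *buf, size_t len, struct reading *out) {
    if (len != FRAME_LEN) return ERR_LENGTH;                /* fixed format */
    if (frame_checksum(buf) != buf[7]) return ERR_CHECKSUM; /* integrity only, no key */
    uint32_t id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8) | buf[3];
    if (!id_is_learned(id)) return ERR_UNKNOWN_ID;          /* identification, not authentication */
    if (buf[4] > PRESSURE_MAX_RAW || buf[5] > TEMP_MAX_RAW) return ERR_RANGE;
    out->id = id;
    out->kpa = buf[4] * 2u;
    out->temp_c = (int)buf[5] - 50;
    return FRAME_OK;
}

/* Builds a constructed sample frame, parses `len` bytes of it, and returns
 * the pressure in kPa on success or the negated status on rejection. */
int check_sample(uint32_t id, uint8_t p_raw, uint8_t t_raw, size_t len) {
    uint8_t f[FRAME_LEN + 4] = {0};
    struct reading r;
    f[0] = (uint8_t)(id >> 24); f[1] = (uint8_t)(id >> 16);
    f[2] = (uint8_t)(id >> 8);  f[3] = (uint8_t)id;
    f[4] = p_raw; f[5] = t_raw;
    f[7] = frame_checksum(f);
    enum frame_status s = parse_frame(f, len, &r);
    return s == FRAME_OK ? (int)r.kpa : -(int)s;
}

int main(void) {
    printf("genuine frame:       %d\n", check_sample(0x1A2B3C01u, 110, 75, FRAME_LEN));
    printf("oversized frame:     %d\n", check_sample(0x1A2B3C01u, 110, 75, FRAME_LEN + 4));
    printf("unknown sensor ID:   %d\n", check_sample(0x0BADF00Du, 110, 75, FRAME_LEN));
    printf("out-of-range value:  %d\n", check_sample(0x1A2B3C01u, 250, 75, FRAME_LEN));
    /* Well-formed frame carrying a learned ID and a low reading: accepted,
     * because nothing in the frame proves which transmitter sent it. */
    printf("low reading, any TX: %d\n", check_sample(0x1A2B3C02u, 20, 75, FRAME_LEN));
    return 0;
}
```

Closing the last case needs a keyed message authentication code and a freshness counter in the frame, which a checksum and an ID allowlist do not provide.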
Re: the reason there's no security is because it isn't necessary
So all that ruckus about EBIL CHINESE HACKURS R IN TEH SCADA SYSTEMS is entirely unfounded? Oh well, more golfing time for the various "cybersecurity czars" then.
Missing the point
In Spain, it is a common technique for criminals to pull alongside your car and indicate that you have got a problem. When you stop to look, you are mugged.
Bear in mind that in the open country or on a motorway it is quite usual to be in close proximity to the same vehicle for miles.
So you are driving along, and the dash indicates a loss of pressure. Do you ignore it until it gets bad enough to feel, or do you pull in at the next parking place and check it out?
And yes, there is probably far more wireless connection in your car than you think. The wireless chip is very cheap, copper wire is increasingly expensive and requires more labour to install. My 12 year old Peugeot has a wireless connection from the ignition key to the engine management system, and you can bet a new car has lots more.
YOUR car will be part of Skynet.
"so we should be thankful that malware infections of vehicle systems have never occurred. "
Just like the terminatrix did in T3?
Tyre pressure sensor?
I use my eyes ( "that tyre looks a bit soft") I think. Anyway - hacking standard protocols for their not intended use is probably a little bit naughty. Good job they can't make a tyre fail happen - that really would be much worse than a dodgy flashing tyre pressure indicator on a modern plastic dashboard thingy
Try guessing your tyres are a bit soft with a 40 or 35 profile tyre. Doesn't work too well...
Ye,Ye, mr AC
I like your low profile tyre boasting, good stuff!!! Anyway - if my eyes aren't working properly I usually notice the tyre pressure problem when driving about.
The con men are gonna love this
The con where they get tourists to pull over because of a supposed deflating tyre and steal the luggage whilst helping to change the tyre is going to get a lot easier to pull off.
Easy to fix...
Firstly, a screwdriver through the alarm speaker (if you haven't already gotten sick of it endlessly fucking beeping while your door is open), then, a bit of black marker over the dash obscuring the warning light.
Where can I order?
Sounds like just what I need to get the slow moving taxi driver out of my way (why do they always do 28mph when they have passengers, and 35mph when empty?)...
Oh, and just think how great it would be to get the (insert latest rep mobile here) that's trying to climb into your boot/trunk to back off on the motorway?! Although in that case I think I'd still prefer a 6 inch steel spike I could launch out the back of my car and straight through the following radiator...
Crashing the ECU?
This from another article...
"The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.
Unlike the work earlier this year, these attacks are more of a nuisance than any real danger; the tire sensors only send a message every 60-90 seconds, giving attackers little opportunity to compromise systems or cause any real damage. Nonetheless, both pieces of research demonstrate that these in-car computers have been designed with ineffective security measures."
My Dad's previous car (Toyota Avensis, circa 2007) had, like most Toyotas built around the turn of the 21st century, a 100% fly-by-wire accelerator system hooked into the ECM/ECU.
I can imagine a time not too far from now when the entire pedalset is wirelessly linked, probably encrypted with WEP knowing how tempting it is to not bother with all that tricky 2048bit private key nonsense
Mine's the one with a real metal key to put into the ignition of my backup 2001 Ford
People can typically track cars by their number plates, so yeh, that's a massive worry.
This sort of stuff amazes me, it's already been shown that most of the firmware on electronic components in cars is vulnerable to buffer overflows, spoofing and just about every other sloppy programming mistake in existence.
Combine this with one sloppy mistake in the control software for the tire pressure sensors and you've got something out of a James Bond movie.
I'm waiting for the...
Apple patent. The signals from the tyre pressure sensors are picked up by an iPhone, this information is forwarded to Apple. Apple send Kwik Fit adverts to your mobile.
"the trick reportedly took a great deal of ingenuity to pull off."
WTF - that's like "what do we do first", "well, duh, sniff the wireless data"
ten minutes later
Given the total lack of security considerations, I wonder if hardwired sensors in the car are tied into the same protocol, perhaps they could be targeted just by changing some sensor ID bytes in the wireless message.