but fortunately no-one dies when a system gets hacked.
The sysadmin will be hanged of course.
Car brakes and other critical systems can be hacked via car infotainment systems, security researchers at NCC Group have revealed. The ingenious hack, demonstrated in an off-road environment, works by sending attack data via digital audio broadcasting (DAB) radio signals. This is similar to a hack that allowed security …
I assume it's down to the use of a universal communications bus. In some cars the infotainment 'has' to have some communication with the critical components so that it can do things like adjust the volume according to engine RPM. For a given value of 'has' perhaps :)
Ideally they wouldn't be on the same bus. It ought to be possible to retrieve that information using a dedicated communication link that only returns a number. But of course that's an extra bit of dedicated electronic gubbins. It's likely cheaper just to stick everything on the bus and let components talk amongst themselves. Car manufacturers will do anything to shave pennies of build cost.
It's probably the fact that that most cars use a CAN type bus to exchange message between different systems. For example most car music systems offer speed depended volume to cover road noise so there's one connection. The nice display on these Infotainment systems are great for systems messages too so it now must exchange info with other systems handling brakes (wear, ABS), engine (temp, ECU issues etc.).
Once you have access to that common bus you have the opportunity to send "trusted" messages between most systems in the car.
> It's probably the fact that that most cars use a CAN type bus to exchange message between different systems.
My 15 year old Peugeot had two such canbus networks (or was it vanbus?). One for the critical stuff and a "comfort" bus for the fripperies. As far as I know the critical bus wasn't physically capable of receiving data from the comfort bus (I think it could send).
I kind of assumed this was standard practice and am a little bewildered that it's not...
@ 8Ace " ...The nice display on these Infotainment systems are great for systems messages too ...."
Maybe they hired away some of the people responsible for that M$ Office GUI mess known as "the ribbon".
The more eye candy, the more problems....
One has to wonder, however, just how much automation is necessary. Safety, yes, eye-candy gobbledegook, no.
(Overly) smart cars lead to stupid drivers. An example of this would be people who rely too much on the parking-system sensors - sometimes it pays to watch where you're going.
Surely the infotainment system would be separate from the drive systems?
One problem is that entertainment systems like TVs, or SatNav units, need some info from the drive systems. For example front TV screens must be disabled if the car is moving, certain SatNav features can only be used when the handbrake is on, selecting reverse gear can trigger rear camera display on the infotainment screen, etc. It should not be possible to send information in the opposite direction, but that is what these hacks are doing.
Since it's a bus it's hard to make the bus itself one-way, but this sort of hack suggests that:
- No-one bothers to make the infotainment system secure because "who cares if someone breaks the MP3 player", forgetting that such a system can, when hacked, send data to the bus.
- The serious flaw seems to be that senstive systems like brakes accept commands from all devices on the bus.
All those sensitive subsystems should have a firewall, and a whitelist of bus clients from which they will accept a specific list of control operations,. Any anomalies, such as commands from unexpected sources, apparent address conflicts, etc. should immediately trigger a lockdown and fallback to a safety mode, perhaps a shutdown of all non-essential devices. You'll never be able to guarantee that a device with an external connection cannot be hacked, but you should be able to have the other devices protect themselves a lot better. It seems that few manufacturers bother to do so (some do, apparently).
I worked for a few years developing new drivetrain components, so let me chime in.
Firstly, the address from which a CAN signal is sent can be spoofed. The engine we were using, as is standard, would only accept commands from a limited number of places, including up to a maximum of 2 transmission controllers (with allowable source addresses hard-coded into the engine ECU). Once we knew that, we simply told our component to pretend to be the second transmission. Bingo. Complete control over the engine.
Secondly, the messages that control a drivetrain are completely standardised. Once you understand it ( see https://en.wikipedia.org/wiki/SAE_J1939 ), you can figure out pretty much how to make the engine, gearbox etc do anything you want it to. If you have a compromised node in the powertrain CAN system, I don't think there is any way currently to protect against it.
From this point of view, separation of the essential (powertrain) systems from non-essential (infotainment, radios, lights, HEVAC etc) systems on separate CANs, with a carefully designed translator between them, strikes me as the only sensible way forward.
Now on heavy vehicles, this is already done, as there are so many components, from different manufacturers, each with their own complete ECUs that a single CAN would be too crowded (there are probably dozens of other attack vectors though, as there are so many programmable ECUs around). But in cars, where the engine, gearbox and other functions are often run from one super-ECU, and so less communication is required between them, there is more room to put other things on that CAN. So it's technically feasible to only have one CAN, and of course it's cheaper.
Once exploits like this become more public, and especially if they are used in the wild, I would expect the security of these systems to increase massively.
But there is no reason to need to have the infotainment system on the CAN bus in the first place. It only needs to receive signals (such as speed, climate control etc) and then adjust volume or display the relevant screen.
Therefore it would just require an interpreter on the CAN bus which receives signals on the CAN bus and sends them to the infotainment system. All data is sent broadcast style with no need for an ack or allow of any data to flow back (as long as L1 is sound then everything above that is not possible in the other direction).
Any wireless signals would then be handled directly by the infotainment unit (GPS, DAB, 3G etc) and not bother the CAN bus.
However my prediction for a future attack vector - Government/Insurance mandated speed limiting based on GPS location. GPS spoofing hack slows every vehicle on the [fast moving motorway] to the lowest speed available in the system.
In my car, you can change the mode that the car is using via the infotainment system (between ECO, normal and sport) which changes how the steering, accelerator and suspension behave. Without this connection via CANBUS to the ECU, I cannot think how this system would work
Disclaimer: Definitely no expert on this subject :)
Couple of things:
1. J1939 is used mainly on trucks and heavy vehicles, cars tend to run a variation of CANopen, usually with a customer specific protocol.
2. Cars tend to have separate ECU's rather than a monolithic brain, some OEM's are investigating this approach, but it is not in general use, generally as the various sub-systems are supplied by different manufacturers.
3. Most run multiple ETHERNET/FLEXRAY/CAN-FD/CAN/LIN buses for various tasks.
The question mark is over the programming mechanisms, given some modern vehicles offer OTA updates, via the infotainment systems, this is probably the primary weak spot.
Good points. As far as
If you have a compromised node in the powertrain CAN system, I don't think there is any way currently to protect against it.
would the standard allow for a handshake with key exchange, perhaps on each total battery-off power cycle? If so you should be able to ensure that you only ever accept a confirmed device as, say, a transmission controller. Any other device popping up later on the bus with that address but not the agreed key would be ignored.
Not foolproof, if you could make your compromised device get recognised as that valid controller at power-on, but it would then need to fully implement all the functions of the device it was spoofing as well, or you'd not get very far.
Not sure that'd help. Adding a device to the CAN means you've got physical access, in which case you could cut the brake line, spray oil on the disks etc. etc. anyway.
Isn't the problem under discussion that of allowing devices with external links to post data onto the CAN. As others have said the solution of having two CANs with a one way send only link seems the obvious solution and I thought at least some manufacturers did exactly that.
Personally I'd like to see an end to running apps in cars as it seems to me that it's becoming more and more of a distraction... but that's another story.
Thank you Andy, for sharing some actual knowledge, rather than frankly useless speculation and little rants.
To the know-it-alls: it's easy to criticise someone else's job when you've never done it or know anything about the constraints they have to work with. But you knew that already, of course.
Cars that drive themselves ?
Terrorists wet dream I would of thought, how many cars on the road at any one time? OK lets just put every single one on full acceleration. Job done country is absolutely completely crippled.
closer to this story, how good is the security at radio stations? take over station quietly, please play this track from blah blah.
As the designated geek, over the years I've answered many a question from family worried by the latest laughable Hollywood depiction of computers and hacking. Some top misses from my back-catalogue...
No, you won't get infected just by opening a mail...
Just looking at a picture? I think that's quite safe...
That's a PDF, so it's much safer than a Word file because it doesn't run macros...
A proud legacy of overconfidence ... So clearly my next triumph will be:
Hacked just by driving a new car? No, there was only a single vulnerability but thanks to the good fundamental design of the car's data bus it was swiftly fixed and in the meantime was easily avoided by switching off RDS traffic reports...
My best hope is that the aggressive bluetooth scanning by trojan on my phone interferes too much with the car radio (I got rid of the trojan last week but the worm on my smart TV reinfected it, and the rooted smart meter on my house is blocking my attempts to download a clean TV image...)
"The real muppets are the ones whose poor programing practices allowed such things to happen in the first place!" -- Graham Marsden
I disagree, they are merely inexperienced graduates and/or other noobs. Or, quite often, they have already raised concerns only to have them airily dismissed. The real muppets are those who actually have the power to make decisions (which, in practice, always means budget controllers) on hiring, testing, and quality control.
Even a single, highly experienced and or qualified software/security engineer attached to one or more of these teams would make a difference in quality. The difference that 1st level management see is a 1% increase in their budget, so they demur. But even these managers are relatively blameless: they know that, whatever they say, those above them see only $ signs, and that if they are seen to increase their budget by 1% they are automatically regarded as failing, as no justification would be understood (to be honest, even given an audience) by higher management.
This status quo will continue until those at the top suffer financially or legally. They cannot be allowed to continue to micromanage budgets all the way down and then shrug their shoulders at the almost inevitable consequences.
"This status quo will continue until those at the top suffer financially or legally. They cannot be allowed to continue to micromanage budgets all the way down and then shrug their shoulders at the almost inevitable consequences."
Except being at the top automatically shields you from blame. Either you can scapegoat someone or you can bribe the government to look the other way. As a last resort, you can take your ill-gotten gains and then vanish out of the reach of extradition.
"This status quo will continue until those at the top suffer financially or legally."
Amen to that.
In one job, when I started, none of the computers had antivirus installed. When I questioned this, the boss told me "We've never had a virus, so why bother". Then we got a virus.
The same will happen with various dubious security practices at the company, lack of redundancy or backup on critical systems etc. eventually, all of which I had raised and been told they were not important (with recorded and backed up email threads to prove it when it happened).
Eventually, they may realise that the IT techs who point out these problems are not just trying to spend their money, but are trying to save them from a future catastrophe.
I'm waiting on the first crypto locker attack on a car now.
It's going to be far more profitable to disable someone's car and demand a payment to release it than to kill them. Killing them tends to make people take action as well.
If I just skim off $500 from a few thousand people I'll probably make a fair bit of profit and the law won't bother for a while.
I'll be the one without an Android power ICE in the future.
If you really want to scare people just imaging a future where self driving cars are commonplace (which they will be). And I hack your car to ignore stop signs or red lights or just program it think the destination is 10m west of whatever you put in. again I doubt that would happen too much since there probably isn't much money to be gained from it.
Olaf > the destination is 10m west of whatever you put in
Me >> <pedant_mode>I think I'm quite capable of walking 10 metres in an easterly direction when I get there</pedant_mode>
BlaneBramble >>> Not if there is a substantial obstacle 10m West (wall, lake, large drop, etc.) of your destination."
Well, when I'm driving the car myself, I have an additional gadget that warns me of obstacles unknown to the satnav, aka Mk I Eyeball; self-driving cars have radar / lidar. But my original comment was just a poor attempt at humour, I knew that 'm' meant miles in this context.
Olaf's point, though - that someone could quietly reprogram your satnav, is quite an interesting one - especially combined with control over speed, doors etc (or a self driving car), it could certainly facilitate carjacking or abduction.
> it could certainly facilitate carjacking or abduction.
From personal experience, nothing facilitates carjacking or abduction like an AK47 pointed in your general direction by some ghat crazed bastard. :-(
You keep daydreaming about Hollywoodian first-world aesthetically attractive but utterly impractical misdeed scenarios.
Vehicles use the CAN Bus or variations of. Its behaviour is that a client on the bus broadcasts to all other clients on the bus, providing the bus is currently free or only a lower priority broadcast is underway. Its up to other clients to look at the message and decide if they want to do anything with it.
To be honest it's a great design for the scenarios it was intended for. However, integrating it with the public internet provides some very specific design challenges that perhaps it isn't best suited for. All devices on the bus are trusted by default. Anything on a public network should be untrusted by default.
Firesign Theater saw this coming, years ago, with their album,
"I Think We're All Bozos On This Bus".
Al Yankovic did too, with "Another One Rides The Bus".
Hmmm... Early INFOtainment. (And really good, too).
Apparently the Porsche Panamera uses (or used - article is from 2010) SIX CAN buses for various systems, and has gateway ECUs. There's a PDF at http://vector.com/portal/medien/cmc/press/PND/
with more info. (You'll need to splice the two halves of the URL together, somehow it wouldn't fit here).
I would think they could have a "software" firewall to go with the hardware firewall they already have.
Having said that, the "drive" toward self-driving cars (and government control thereof?) makes problems like this more and more likely...
Paris, Prosecco, and Porsches...
the DAB radio in my Car only broadcasts FM that is picked up by the FM Radio in my old Swedish Tank.
I really would like someone to come up with a way to take control my 'the tank' using a DAB broadcast.
Back to the real topic. If a car has an attack vector via the Radio, can we be 100% sure that this was not put there at the behest of a Three Letter Agency (or 4 in the case of the UK)?
we can't. So lets wait for the jolly car makers to issue a recall so that they can fix it. No recall then either it is not a problem in reality or the TLA's have said No.
Aren't wet Friday's great for conspiracy theories!!!
I adore my 1998 Mini Cooper S and having seen all this about "connected cars" and "infotainment" (ugh) as vectors for hacking has made me love it even more.
The thing I enjoy most about it is the fact that it's all about the driving. Fast responsive steering, excellent performance ( I still don't know how fast it goes as the speedo only goes up to 110 mph) and the sheer joy of the handling. So to see worries that the brakes, accelerator, airbag etc. could be tampered with in more modern cars does mean that I am grateful that I have a simple, uncomplicated little car instead of one of these "travelling computers" that seem to be in vogue at the moment.
OK, a Mini is not for everyone but I do think that the marketeers at the car makers have got too strong a hold on things and are pushing "shiny" at the expense of safety. Too many features, not enough thinking things through.
It may be a bad thing when a PC or laptop gets hacked but at least in most cases it won't be travelling down the motorway at 70mph when it does.
"My old car doesn't have any of this connected stuff, but if someone wants to cause damage to it then it's easy enough. Vulnerabilities range from concrete blocks lobbed off bridges to nails in tyres."
Sure, but try doing it from ten miles away where you can hightail it before the police even know you hacked a car and caused it to crash (oh, BTW, this kind of hacking leaves very little to work with in terms of evidence, too, since you can work from a hotspot to cover your tracks).
Biting the hand that feeds IT © 1998–2019