Smart car makers are faced with a potentially lethal hack that cannot be fixed with a conventional software security update.
The hack is believed to affect all smart cars and could enable an attacker to turn off safety features, such as airbags, ABS brakes and power-steering or any of a vehicle’s computerised components connected to its controller area network (Can) bus.
The hack is “currently indefensible by modern car security technology, and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made,” Federico Maggi, senior threat researcher at Trend Micro wrote in a blog post.
“Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA [over-the-air] upgrade,” he said.
Unlike the highly publicised remote hacking of a Jeep Cherokee by security researchers Charlie Miller and Chris Valasek in 2015 that required Can messaging or frame-injection capability, Maggi said this new hack cannot be detected by current intrusion detection and prevention technology.
Car makers cannot simply upgrade the software running on a car device to patch the vulnerabilities exploited by the attack, he added.
Apart from the fact that there is no quick fix, the researchers believe the discovery is significant and troubling because it is an attack that disables devices, including active safety systems, that are connected to the car’s device network in a way that is invisible to state-of-the-art security mechanisms.
Car systems and equipment at risk
According to the researchers, all modern vehicles are likely to be vulnerable because the attack is supplier-neutral, but they said specific suppliers may take non-standard countermeasures to make the attack more difficult to carry out.
In the light of these facts, the researchers are calling on standardisation bodies, decision makers and car makers to revise the design of the cyber-physical systems that govern future vehicles because the security issue they discovered lies in the standard that specifies how the car device network works.
The attack abuses the network protocol that connects all in-vehicle equipment – such as airbags – and systems to allow them to communicate.
The only way to eliminate risk entirely, they said, is for an updated Can standard to be proposed, adopted and implemented, which would likely require another generation of vehicles.
Since the Can protocol was incorporated in ISO standard 11898 in 1993, it has been used as a standard for practically every light-duty vehicle currently in circulation, and was being pushed to be the only acceptable one in the US federal courts, according to the researchers.
The problem is that the attack discovered by the researchers abuses the Can error-handling process specified by the standard. If a device sends too many error messages, the standard dictates that the device is cut off from the Can by entering a “Bus Off” state to isolate a potentially malfunctioning device.
This enables attackers to trigger this feature by inducing enough errors such that a targeted device or system on the Can is isolated and rendered inoperable.
“This, in turn, can drastically affect the car’s performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated,” said Maggi.
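The error-handling rule described above can be modelled in a few lines. The following is an added example, not code from the researchers or from the article: it is a simplified model of the transmit error counter (TEC) in CAN fault confinement, using the counter steps and thresholds from the CAN specification rather than from this article (plus 8 per failed transmission, minus 1 per successful one, "error passive" above 127, "Bus Off" above 255). The traffic patterns and function names are constructed for illustration.

```c
#include <stdio.h>

/* Fault-confinement states from the CAN specification (ISO 11898-1). */
typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state;

typedef struct {
    unsigned tec;      /* transmit error counter */
    can_state state;
} can_node;

/* Apply the outcome of one transmission attempt by this node.
 * Simplified model: a failed transmit adds 8, a successful one subtracts 1. */
void can_tx_result(can_node *n, int ok)
{
    if (n->state == BUS_OFF)
        return;                        /* node no longer takes part in traffic */
    if (ok) {
        if (n->tec > 0) n->tec--;
    } else {
        n->tec += 8;
    }
    if (n->tec > 255)      n->state = BUS_OFF;
    else if (n->tec > 127) n->state = ERROR_PASSIVE;
    else                   n->state = ERROR_ACTIVE;
}

/* Constructed traffic pattern: every `fail_every`-th attempt fails.
 * Returns the 1-based attempt at which the node first reaches `target`,
 * or 0 if it never does within `max_attempts`. */
unsigned first_attempt_reaching(can_state target, unsigned fail_every,
                                unsigned max_attempts)
{
    can_node n = { 0, ERROR_ACTIVE };
    for (unsigned i = 1; i <= max_attempts; i++) {
        can_tx_result(&n, i % fail_every != 0);
        if (n.state == target)
            return i;
    }
    return 0;
}

int main(void)
{
    printf("every frame fails: passive at %u, bus off at %u\n",
           first_attempt_reaching(ERROR_PASSIVE, 1, 1000),
           first_attempt_reaching(BUS_OFF, 1, 1000));
    printf("1 in 10 fails:     bus off at %u (0 = never)\n",
           first_attempt_reaching(BUS_OFF, 10, 100000));
    return 0;
}
```

The asymmetry is the point for anyone monitoring a bus: occasional errors on a healthy node drain away, while a sustained run of errors against a single node isolates it after a few dozen frames, so a node that goes error passive without a wiring or hardware fault is worth investigating.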
“All it takes is a specially crafted attack device, introduced to the car’s Can through local access, and the reuse of frames [messages] already circulating in the Can rather than injecting new ones, as previous attacks in this manner have done,” he said.
However, the attack can also be enabled with any remotely exploitable vulnerability that allows the attacker to reprogram the firmware of an electronic control unit (ECU) such as the infotainment system.
According to Maggi, however, even local attacks should be taken seriously because – with current transportation trends such as ride-sharing, carpooling and car renting – the scenario where many people can have local access to the same car is increasingly common. “As such, a paradigm shift in terms of vehicle cyber security must happen,” he said.
The researchers believe that an effective system will require a drastic change in regulation and policy and would take an entire generation of vehicles to adopt.
Recommendations include altering the topology or segmenting a Can in a vehicle to stop targeted error-flooding from affecting a specific system, and regulating diagnostic port access and creating a special key to protect against unauthorised devices being introduced to the Can.
The recommendations also suggest encrypting Can message ID fields to prevent attackers from identifying which messages to target and making intrusion easier to detect.
ICS-Cert issues security alert
In response to the research findings, the US Industrial Control Systems Cyber Emergency Response Team (ICS-Cert) has issued an alert.
“The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles. ICS-Cert is currently coordinating with vendors and security researchers to identify mitigations,” the alert said.
The alert also said ICS-Cert provides a control systems recommended practices page on the ICS-Cert website, and that several recommended practices are available for reading or download, including Improving industrial control systems cybersecurity with defense-in-depth strategies.
“Organisations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-Cert for tracking and correlation against other incidents,” the alert said.
Art Dahnert, managing consultant at smart security firm Synopsys, said the development of the Can bus technology goes back to the 1980s, predating the World Wide Web.
“No one at that time thought that someone would deliberately try to sabotage a vehicle over the in-car network,” he said.
Dahnert said the attack differs from previously seen proof-of-concept cyber attacks on vehicles because it can be carried out without access to the vehicle and has the ability to persist beyond a restart.
“Taking advantage of connected phones and telematics features, an attack could happen without direct physical access – and this isn’t necessarily isolated to a single manufacture or model of vehicle,” he said.