The Shoddy State of Automotive Wireless Security

angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."

Probably the right design choice

[Beryllium+Sphere(tm)]

If the potential for misuse is minimal, then it's only common sense to make the tire communications simple and easy to troubleshoot, and to assign the security people to work on something that matters.

Re:Probably the right design choice

[pwagland]

That is a valid point about the communications, however, from the article, if incorrect data is sent by something pretending to be the tire gauge, it was enough to corrupt the controller to the point where even a simple reboot was not enough to fix it. It had to be replaced by the dealer. Certainly resources need to be allocated wisely however when the device crashes due to invalid inputs, that is at best annoying, at worst very expensive to repair.

Re:Probably the right design choice

[DDLKermit007]

Actually this is all old hat at this point. This guy is just stealing from a Def Con talk which needs attribution to Mike Hertzfeld. I was at the talk that first brought this about. It was a little jaw dropping. He came up with ways to track people around cities using the information from the systems. That in itself isn't so bad since almost everyone has Bluetooth and/or active wireless scanning enabled on their phones, but I digress (the police use this method already since it requires no court order). The really meat & potatoes was where if he flooded the system with garbage data over the wireless something interesting happened, the car shut off. Thats the real crazy part to me, that the system is that vulnerable.

Re:Probably the right design choice

[AK+Marc]

And that goes back to input checking. Never trust your inputs. It's possible that interference could create the same pattern, so they should filter the inputs. But, security isn't needed. Just high school level programming basics. (security could reduce the possibility of bad inputs, but never assume valid inputs when you could just as easily check them)

Disconnected from reality...

[http]

FTFA:

Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. "Someone would have to invest money at putting receivers at different locations," she said. Also multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost US$1,500.

Oh yeah, good thing RFID detectors are so freaking expensive. Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.

Re:Disconnected from reality...

[Yvanhoe]

By the way someone who wants to track a car can use these very convenient numbered plaques visible in front and in the back of the car with only a cheap camera and on-the-shelf software.

I wonder however if a bad pressure signal could be forged, forcing the car to stop ?

Re:Disconnected from reality...

[Anachragnome]

"Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure."

I think you fail to recognize the seriousness of the capabilities of a simple RFID system.

Most people do not think much about the RFID chips in their tires until they realize (are told) that EVERY stoplight out there has multiple sensor grids built right into the roadbed (to sense the presence of cars and be able to control the lights accordingly). The looks on their faces usually change the moment comprehension dawns on them.

Those very same grids can be used to detect the RFID chips in your tires. In short, any car with tires made since 2000 can be tracked by the very roadbeds they ride upon.

Seriously. All this technology to check your TIRE PRESSURE? Who the fuck is kidding who?

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips, and usually ask for all sorts of additional info--for "warranty reasons". Even paying with cash, they will argue with you about not giving them a name (but usually crumble when you say you'll just shop elsewhere). Why is it SO important they have a name? So they can help you join the next class-action against a tire manufacturer?

Media jumped all over the Firestone story, fear-mongered it into something bigger and we end up with this. Tracking tags in our cars. More security theater. Yay.

Re:Disconnected from reality...

[marten_77]

It should be pointed out that sometimes these tracking features (such as OnStar) can be used in ways that actually do not serve the interests of the government. For instance, in my jurisdiction, police recently set up a sting operation designed to catch car thieves. Undercover agents set up a storefront for purchasing stolen cars, and collected dozens of vehicles over about a half-year period. When car thieves would come in to sell the cars, they would be paid in marked bills, and the undercover agents would drive the cars into a hidden parking deck. The agents didn't want to blow their cover early, though, so they didn't immediately return the stolen cars. (After all, in their minds, catching criminals was considerably more important than returning stolen property.) They left the vast majority of the recovered vehicles in the hidden parking deck for months, without ever notifying the victims that their property had been recovered. This, of course, translated into a significant financial loss for the victims (and their insurance companies). There was one class of victims, however, who got their cars back in short order -- the ones whose vehicles were equipped with OnStar. When asked by law enforcement to keep the operation secret from the vehicle owners so as not to hinder the sting operation, OnStar flatly refused, notifying police that they would immediately provide the GPS coordinates of the missing vehicles to their customers so that the customers could begin legal actions to recover them. Faced with this problem, the undercovers immediately drove the OnStar-equipped cars out to an abandoned lot and then anonymously notified local law enforcement that they had been discovered. The cars that were not so equipped sat in the hidden deck until after the entire sting operation had concluded.

Re:Disconnected from reality...

[tweak13]

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips

As someone who sold tires for years, I can tell you that there's a foolproof way to get tires without giving out your name. I realize it's crafty and devious, which is why you may not have thought of it. Here it is: Make something up. Wild, I know, but there's about a 99% chance it will work because nobody gives a shit. Seriously, take off the tinfoil hat.

When I was working for a major chain selling tires, I asked for a name for one and only one reason. Our software wouldn't let me make an invoice without a name. It also required a few other things, but it's just as easy to make up a phone number too. If you lied to me at any point, how the hell would I know? It's not like I asked people to present ID to get tires.

This is onstar!

We currently show you driving 95 miles an hour with four flat tires. Would you like to be routed to a service station?

If you've got a toll tag...

[pongo000]

...the government is tracking you already (where I live, toll tag transponders can be seen on telephone poles miles from the toll roads). If you have OnStar (even if it's "disabled"), GM can still locate your vehicle. I suspect it's even possible to monitor a vehicle's CANBUS for unique signatures that would identify a specific vehicle. Hell, your cell phone will give you up.

For some reason, I'm not too worried about the RFID tags on my tire valve stems.

Re:If you've got a toll tag...

Hell, your cell phone will give you up.

At least Rick Astley won't give you up, nor will he let you down.

Lets skip to the heart of the matter

[CdBee]

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

Re:Lets skip to the heart of the matter

[Thanshin]

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

I'd rather have airbags than a decent stereo.

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

Re:Lets skip to the heart of the matter

[Thanshin]

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

I'd rather have airbags than a decent stereo.

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

Wheels are a nice feature too.

Re:Lets skip to the heart of the matter

[Gordonjcp]

You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!

Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.

Re:Lets skip to the heart of the matter

[nospam007]

"a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "

Is that the system that is unable to differentiate between gas and breaks in a Toyota?

Re:Lets skip to the heart of the matter

[zippthorne]

You might think you don't need ABS, but as another driver on the road, I'd prefer you had it. I'd prefer it a lot.

I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.

If the only danger was you sliding off a curve into a a tree or ravine after losing your steering, I'd say, "Go for it, we can always use less people." But it's not. There's also the danger of you not being able to avoid an accident with me, and I like being alive!.

Please be considerate of your other drivers.

Re:Lets skip to the heart of the matter

[Beyond_GoodandEvil]

I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.
Not sure why parent is a troll, since he is correct modern ABS can brake each wheel individually allowing for maximum control under braking. So unless you're driving the McLaren MP4/12, ABS can do a better job braking each wheel then you can.

Re:Lets skip to the heart of the matter

[nacturation]

"a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "

Is that the system that is unable to differentiate between gas and breaks in a Toyota?

In some cases, this non-electronic system called "THE DRIVER" is unable to distinguish between brakes and breaks.

Re:Lets skip to the heart of the matter

[boring,+tired]

My last car did this. Driving on snow or very wet roads would trigger the low tire pressure warning. It did detect an actual low tire once but there were so many false positives that I learned to ignore it. One good thing is that it forced me to keep a pressure gauge in the car so I could check the tires and reset the warning light.

Re:Lets skip to the heart of the matter

[MiniMike]

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

His ideal car doesn't have a transmission or wheels, so unless he's on a steep enough hill that his lightweight but strong aluminum body can skid down it, he'll just be sitting in his driveway going 'vroom vroom' anyway. If his ideal house has a driveway, that is. As his ideal car also doesn't have a floor pan, he'll have no trouble using his feet to pretend to brake.

Re:Lets skip to the heart of the matter

[gad_zuki!]

I hate this neo-luddite position people take when any little thing goes wrong. Your dream car is my nightmare death-trap car. I want airbags, ABS, wireless tire gauges, proximity sensors, ability to pull codes from computer, etc. I suspect most people do. If you want a specialized custom car, then built it yourself, but don't pretend your simplistic car needs speak for anyone else but yourself.

Not to mention its foolish to throw the baby out with the bathwater. I remember people like you when the web started to become popular. "Oh who needs this crap, I already have TV and the newspaper!"

I'm probably older than you and I certainly remember the PITA carburetors were compared to fuel injectors. Heck, my dad had to deal with vapor lock. When was the last time you needed to rebuild a carburetor or wait out vapor lock? I think you're just spoiled by the technology you decry.

Re:Lets skip to the heart of the matter

[camperdave]

you slam them on when you absolutely have to, they start 'chattering', and won't stop you in time.

If you had regular brakes, the wheels would have locked and you would not be able to steer at all. You would have slid into the other car. You only have control when the tire is gripping the road.

This is a suprise.... How?

[Platinumrat]

Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, their dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.

Re:Sudo

[16Chapel]

I dunno about you, but I'd rather tell my wheels to brake.

what about ELEVATORS?

[orange47]

I mean, anyone can program them to go to 20000th floor and we could end up in orbit or something.

Tracking is NOT an issue

[Mr.+Freeman]

"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,"

The issue described in the article is that you can identify the tires by their RFID tag. This means that you could track cars. The article completely fails to mention that you ALREADY HAVE A FUCKING LICENSE PLATE ATTACHED TO YOUR CAR! The license plate is a unique identifier required by law on all motor vehicles. Anyone who wants to prove you visited location XYZ is simply going to use a $20 camera and get a shot of your license plate. Yeah, getting readings with RFID is a little easier then setting up a camera and some plate scanning software, but neither one is very hard for someone who wants to track you.

As for "confounding" the control unit, that's not a problem with security, that's a problem with the fucking control unit. The article mentions that once they sent false data to it, they couldn't get the thing to work correctly even after rebooting it. Any device that can't handle junk data is worse than useless. Something being intolerant of noise is not a security problem, it's a stupid engineer problem. Sure, it might not function while you're jamming it with garbage, but if it fails to work after a reboot then you've done something seriously wrong.

Tire sensors must last years on battery

[gmueckl]

Tire sensors are built to run on battery for years. You can't easily get to them and change the battery, so these things are extreme low power devices. Each line of code for these controllers costs real world battery lifetime and shortens maintenance cycles. The same goes for extra crypto hardware: every transistor costs. So I'm not surprised that the protocol is not secured to oblivion. There simply isn't room for that unless battery storage capacities rise by an order of magnitude or two. So, a part of me wonders whether this researcher has had a look at the constraints of these systems and understood them before he tried to make the news.

Still, this is no excuse for being able to corrupt the receiving controller irreparably by some protocol error. These errors can occur normally as transmission errors, not just through deliberate attacks. This is where the sloppy engineering exists and the only part of the story that is actually newsworthy.

Relevant experience

[AlecC]

A colleague recently got a call from his wife: her car dash had lit up with warning lights. After about half an hour he traced it to a single fault: an under-inflated tire, presumably reported (correctly) by one of the sensors described in TFO. One tire warning light - OK so far.But the tire warning system had talked to the ABS system, which had decided for inscrutable reasons that it wouldn't work with an underinflated tire. And that had talked to the central monitoring system, which had turned on the "Safety Critical Fault" light. And maybe a few other things. The result was, like Three Mile Island, a single underlying fault had turned into a christmas tree of warnings that an unskilled interpreter (the wife) was terrified of and a skilled engineer (my colleague, a very good hardware engineer) took half an hour to troubleshoot.

The point being that there is a possibility for a dangerous prank here. By fooling cars into thinking their tires are dangerously underinflated, you can give the driver a serious fright - with possibilities comic to the simple minded, but potentially dangerous if the driver is distracted or does something unexpected like braking to a sudden halt.

It's all FUD by a researcher trying to get noticed

[Lumpy]

Sorry but you will not figure out how to bomb a embassy by reading the tire pressure in my front left tire. All this is nothing but FUD and fear-mongering by a researcher that is late on the scene to automotive hacking. Many of us in the automotive hacking circles have done this stuff for well over 30 years. Now suddenly just because one guy who decided to make a lot of noise about it it's a problem?

it is not a problem, ignore this attention whore.

You cant send a virus down the tire pressure comms channel to the ECM and cause the car to explode or disable the brakes. (Except for toyota cars... JOKING!) and his demos with wirelessly changing the dashboard and other "hacks" are via a 3rd party wireless device he installed in the car.

If I buy a new windows server and install VNC without a password can I demonstrate to the world how horribly insecure the newest windows server release is? It's the same thing. Everyone glosses over the fact that none of his hacks are possible without having the target's car for a few days and installing a lot of gear in it.

The ONLY wireless OEM hack I have ever seen is the one where you blast mp3 files to bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play audi adverts to the guy.