Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM very easily. Most IoT systems out there are predicated on the fact that they can do this.
You think it is bad? No, it's worse than that. I try not to think about it much.
So let me get this straight: If a component on the network starts sending out uncontrolled messaging that looks like a denial of service, or an out of control / perpetually errored state, the network corrects for this problem by disconnecting the component causing chaos. That sounds like the CAN network is doing exactly what it should be doing: maintaining the integrity of the shared network at the expense of disconnecting an infected or malfunctioning node. What am I missing?
Most vehicles have at least two CANs. A public one, that is accessed through the OBD port shown in TFA. They also have a "private" CAN. That network should be used for vital communications between modules, and the messages are largely proprietary.
My approach so far is to avoid buying cars that include communications. Eventually, though, even older used cars will have this crap.
At that point, I'll have to disable the comms. Right now, that appears to be easy to do in almost every car (just locate and remove the antenna). Hopefully, that will get me through the rest of my car-driving years.
If one has physical access, I think you will find it is also vulnerable to simple voltage injection, say 110v.
This is easily created using capacitors when a wall outlet is inconvenient.
Why knock out one device when you can kill the whole bus? Am I missing the point? ABS brakes won't work, just time the injection correctly.
It's so we can shut down your cars when you try to drive them into high security areas that are federally controlled.
For exactly that reason.
To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.
This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.
I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc. about building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.
Special device needed to carry out local attacks
The research team says that all it takes is a specially-crafted device that attackers have to connect to the car's CAN bus through local open ports.
So, to be clear, a specially-crafted device, connected directly to an open local port.
"The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," said ICS-CERT experts in an alert released last month.
Um... So don't let strangers with car hacking gear ride along with you in your car -- or watch them *very* closely -- check.
There is another approach. CAN traffic happens over a differential pair. I have a specially-constructed device that can jam CAN traffic. I call it a "paperclip." I bend it and plug it into both data lines on the OBD port and the network is dead.
We need to ban these dangerous hacking paperclips.
I don't see any problem with this as long as the CAN bus is not accessible from the outside.
I can also create a DoS attack on my PC if I short pins on the motherboard.
You don't need an arduino to get CAN nodes to get into bus-off state, just short the two CAN bus signals together a couple of times.
If you have physical access then you can also disable Airbags, and ABS brakes with a sidecutter.
"This is the exact feature that our attack abuses. Our attack triggers this particular feature by inducing enough errors such that a targeted device or system on the CAN is made to go into the Bus Off state, and thus rendered inert/inoperable. This, in turn, can drastically affect the car's performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated."
Airbag systems should be entirely capable of operating on their own without access to the CAN network. As for the anti-lock brakes not being available, well, you shouldn't be driving a car if you do not know how to cope with such a malfunction (it's called threshold braking).
People need to remember that driving is a privilege and not a right. When one sits behind the wheel they are piloting a 3000+ lb projectile that has the capability of taking a life (passengers, pilot and exterior parties)
In other words, be aware of your projectile's vulnerabilities as well as capabilities and plan future purchases accordingly.
But plenty of people have access to cars of family members and friends. More than 75% of the homicide victims know their perps. Stranger on stranger murder rate is less than 25%.
So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network that targets the brake system once the car speed is above 75 mph. An average dumb criminal (all criminals are dumb) would lack the technical knowledge to do it. But nowadays I see kits being sold on Amazon for USB sticks that will fry the motherboard if plugged in. So it wouldn't be long before such devices make it to the market. Yes, eventually the police will catch one and then it would become standard protocol to look for this. But till then ...
you must have a device physically connected to the CAN bus.
Which *for now* means a laptop connected on the OBD port.
But which could mean in the future hacking into some component of the car that is on the CAN bus itself (like the infotainment center, which needs to get information about fuel consumption and a few other stuff).
Hack remotely (Bluetooth, some even support Wifi and 3G/4G) that component and then you get full access to the CAN bus.
Expect *high range cars* to have two separate CAN buses and the infotainment only talking on the "public" CAN bus (and all the juicy bits staying on the "private" CAN bus).
No risk to the critical component if a non-critical one (like the infotainment) gets hacked.
Expect *cheap cars* to have the two buses badly segregated or even only one shared bus.
These (badly designed) cars could get completely owned through the music system.
So glad I did not go for the remote network accessibility option in my new car. Seemed like such a bad idea; yep!
Do you think Colombo could solve this? Will he? Can he?
Stuck CAN bus signal. From what I've gathered, my first guess when it first hit the news turned out to be the actual problem.
I was involved in writing calibration, diagnostic and simulation tools for GM and their suppliers in the late 90s and early 00s, I saw this problem several times on the low-speed bus, but that wasn't as critical (well, your instrument panel or radio might go wonky, but critical components run a high speed bus)
Having local access to the car, hitting it with an ordinary rock can cause all kinds of systems to malfunction. It's a far more effective exploit than CAN denial of service. The CAN cable attached to various systems can also be unplugged by an attacker with local access.
...if you jam a network, it will stop working. Whoever figures out how to avoid that will win a Nobel. And a position of headmaster at Hogwarts.
It's very unlikely the cheap cars will only have 1 network or that it will be segregated in a different way (for good or bad) than the higher end models. Almost all car manufacturers address nearly the entire spectrum from entry level to super luxury, and tend to favor standardization to control R&D and maintenance costs. The chief differences between 'high end' and 'cheap' are the quality of materials used for upholstery etc., engine performance, more expensive alternatives of some components, space age materials etc. ... all of which are hardware with actual unavoidable cost for it. But the basic nuts & bolts, and I assume the ECM as well, don't really vary between models.
Yes, there are also several other, less dangerous flaws involving frame droppage, but the human driver is the most dangerous, unpatchable flaw in modern vehicles.
This piece is full of handwaving Bull Excrement. Forget it.
Fake news. Stop giving these armchair researchers credibility. Please link to the real research and not the opinion pieces.
This so-called nerd needs to be put in his place because he completely misses the mark. There is limited commonality between vehicle types. You must know what you are talking to in order to mess with it. You must have the tools to mess with it. Talk with an actual automotive engineer sometime.
Unpatchable 'Flaw' Affects Most of Peter Falk's Eye
(he opted for glass)
Forward-looking Threat Research (FTR) team
That should be FLTR—a.k.a. FLoaTeR!
Why would someone jam the throttle open on my car, and disable the air bags on yours? Wouldn't an alleged attacker want to potentially do both to the same car?
By the way, many of my coworkers actually are automotive engineers. And you are posting a knee-jerk reaction to a non story. Good work on that.
He was murdered as retribution for General McChrystal, who he had written an expose on and gotten him fired. He was about to do another big one, but instead his car was made after the year 2000, like most on the road today, and was controllable. I learned about the CAN network, reading about his death, years ago.
I feel fantastic, and I'm still alive.
This is common for the Honda Civic / Mazda Speed 3 crowd that you see with ridiculously cambered wheels(stance) and green underglow LED's.
If someone has access to the CAN bus, you are already pwned. It is not much of a flaw, except don't let hostile applications or hardware have direct access to the CAN bus. This is like saying PCs have a flaw, because something plugged in the PCIe bus can do bad things.
There is no such thing as an unfixable flaw in a car. It all has to do with how much money you have and how much of it you are willing to spend to fix the issue.
Because I CAN.
"remote" only in the sense that he might be clinging to your undercarriage instead of crouching down under the driver seat.
Or way over on the passenger side floor, under the dash, where the CAN bus connects to the control computer(s).
Stop it, just stop. Stop connecting networked systems to the ECU, it's fuggin stupid. Stop being stupid.
I have a car with a CAN network (two networks actually, with the gauge cluster acting as a gateway between the fast and slow networks)
The only thing the ABS control unit uses the CAN bus for is to illuminate the warning lights on the gauge cluster.
The control unit is directly connected to the wheel speed sensors and valves.
The engine ECU and transmission ECU are actually the same thing, so there is no issue with that. If it wasn't, auto-transmissions go into limp-home mode if they detect failure and still work.
It has drive-by-wire, but the actuator and sensor are directly connected to the main ECU. No CAN bus needed.
They could disable stability control and ABS. They can't disable the brakes. The individual wheel sensors are connected directly to the control unit, so you couldn't trick it into pulsing or applying the brakes by sending it incorrect wheel speed data. The steering angle and yaw rate sensors are also directly connected to it, so no tricking it into thinking the car isn't going where the front wheels are pointing.
They could stop me using cruise control
They could turn my headlights on and off (providing I have the switch in "auto")
They could lock/unlock the car and play with the windows if they were connected to the low-speed bus (I doubt the gauge cluster forwards those messages from the high speed bus. It doesn't do everything, since it's going from 500kbit to 33kbit) and when the car is off, the high speed bus is inactive.
If they're on the low speed bus they could turn the AC fan/compressor on and off. The indicators too. Maybe the windscreen wipers
They could show garbage data on the nav unit trip computer screen
They could make the gauge cluster show incorrect data
I doubt there is much else they could do. If any of the above systems go offline, a warning light is going to appear on the gauge cluster.
It burns the cheapest possible gas and most of the oil I put in it too which I usually also get used because if it's going to burn the oil with the gas it's damn well going to burn the cheap stuff. On the plus side, there's no electronics to hack in this vehicle. Everything is pure analog circuits or mechanical and it's such an ugly car that nobody can be bothered to steal it either. Had the thing since high school and it's a tank that just keeps rolling. American cars used to last and last, not like the shit they build today.
There are a few older and more popular options for attackers with local access to disable your brakes. The most popular uses a knife.
Remotely? Well, connecting a local control bus to the internet certainly is a flaw.
This is all FUD. It's like saying that I didn't know that if I have physical access to the vehicle that I could cut the fuel line or put 1000v through any wiring in the vehicle. Why is this any different?
Yes I could plug a device into the obd port and remotely control it but I choose to do that. That device could discharge 1000v if I don't trust it! Don't plug a device in you don't trust - it's that simple. Just like you don't leave your keys lying around.
CAN is not a secure bus. And it was never meant to be one. CAN, when it was invented, was to be a lightweight bus system that connects internal car systems. And as such it works perfectly. At its conception, there was neither any kind of provision to make it "user space safe" nor was any form of wireless connection to it foreseen.
And if you use it as such it is a great bus system and does its job. Of course if you let marketing run amok, well, you get what you get when you let marketing run amok. I highly doubt that any engineer said it would be a really splendid idea to make user systems part of the mission critical CAN bus (read: The one that any of the car's important systems listen to) or to allow wireless connections to it.
It's very unlikely the cheap cars will only have 1 network or that it will be segregated in a different way (for good or bad) than the higher end models. Almost all car manufacturers {...} tend to favor standardization to control R&D and maintenance costs.
The idea isn't that a manufacturer designs separately a secure and a non-secure car computer.
Modern cars are far from having a single computer inside. They literally have dozens of elements with embedded CPUs.
The metaphor of a car being "a datacenter on wheels" used by Musk isn't far off.
This will lead to several results:
- a car manufacturer is seldom going to design from the ground up every single element.
- expect lots of them to be either subcontracted or even off-the-shelf components
- To lower the cost of production of a car model, expect the manufacturer to buy cheaper elements.
More precisely:
- as on any other network of computer nodes, the security will require a box acting as a router/firewall.
- you can expect that such a router is going to cost quite a bit, just because of all the various certifications it needs to be used in a car.
You can expect some manufacturers deciding to cut corners and completely forgo the router. Why add a device that costs a few percent of the total price of the car and doesn't provide something immediately visible at the autodealer shop?
Unless it's something that is mandated by government or considered standard (and both in enough countries that it makes more sense to put it as a standard feature in all cars instead of going on a per market availability), you know manufacturers will try to get away without it.
I DO NOT have a "modern" car so Hey Nana Boo-boo, stick your head in Doo-Doo!
(quickly scans linked article... yeah I know, who does that anymore?)
FTFA: "...Bosch developed the CAN protocol in 1983, and it became an ISO standard in 1993."
OH NOES!!!!!
I see a bunch of insightful comments to the effect that "mitigating DoS is a good thing", etc., and decrying infosec folks because of crying wolf, not balancing security with other factors, not understanding engineering, etc. Your car likely has a network-accessible device on your CAN-BUS. Got bluetooth in your car stereo? Also got nav system or steering wheel controls for the stereo? Guess what?
If an attacker compromises a system on your car that is connected to your CAN-BUS, then they might be able to co-opt that system into doing nasty things on your CAN-BUS. Your entertainment system probably has the biggest wireless attack surface, but more and more frequently CAN-BUS is externally accessible, as through your side mirrors, likely the case if you have mirrors that tilt in reverse, etc.
And, these aren't even theoretical vulnerabilities; entertainment system remote exploit has already been demonstrated to disable brakes, etc.:
https://www.wired.com/2015/07/...
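Added example, not part of the original thread or the researchers' code: a minimal C model of the CAN transmit error counter rules (ISO 11898-1 fault confinement) behind the Bus Off state quoted from the article earlier in the thread. It shows that isolated errors decay away while a sustained run of transmit errors silences a node, because the counter only sees errors, not their cause. The type and function names are hypothetical, and the error patterns are constructed.

```c
#include <stdio.h>

/* Fault-confinement states defined by the CAN standard (ISO 11898-1). */
typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state;

/* Hypothetical model of one node; only the transmit error counter (TEC)
 * is modelled, the receive counter and rule exceptions are left out. */
typedef struct {
    unsigned tec;
    can_state state;
} can_node;

static can_state classify(unsigned tec)
{
    if (tec > 255) return BUS_OFF;        /* node stops transmitting */
    if (tec > 127) return ERROR_PASSIVE;  /* node may only send passive error flags */
    return ERROR_ACTIVE;
}

/* Record the outcome of one transmission attempt.
 * ok != 0: frame sent without error, TEC decreases by 1 (not below 0).
 * ok == 0: transmit error, TEC increases by 8. */
can_state can_tx_result(can_node *n, int ok)
{
    if (n->state == BUS_OFF)
        return BUS_OFF;                   /* stays off until a reset/recovery */
    if (ok) {
        if (n->tec > 0) n->tec--;
    } else {
        n->tec += 8;
    }
    n->state = classify(n->tec);
    return n->state;
}

/* Number of frames until bus-off when every `period`-th frame fails
 * (period 1 = every frame). Returns 0 if bus-off is not reached in `limit` frames. */
unsigned frames_until_bus_off(unsigned period, unsigned limit)
{
    can_node n = { 0, ERROR_ACTIVE };
    for (unsigned i = 1; i <= limit; i++) {
        int ok = (i % period) != 0;
        if (can_tx_result(&n, ok) == BUS_OFF)
            return i;
    }
    return 0;
}

int main(void)
{
    /* Constructed error patterns, not captured traffic. */
    printf("every frame fails:   bus-off after %u frames\n", frames_until_bus_off(1, 1000));
    printf("every 2nd fails:     bus-off after %u frames\n", frames_until_bus_off(2, 1000));
    printf("every 9th fails:     %u (0 = never)\n", frames_until_bus_off(9, 100000));
    return 0;
}
```

For monitoring, the same counters are what a diagnostic tool would watch: a node whose TEC climbs steadily on an otherwise healthy bus is worth investigating before it reaches bus-off.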