Unpatchable 'Flaw' Affects Most of Today's Modern Cars

Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.

Sounds like good design to me

[captaindomon]

So let me get this straight: If a component on the network starts sending out uncontrolled messaging that looks like a denial of service, or an out of control / perpetually errored state, the network corrects for this problem by disconnecting the component causing chaos. That sounds like the CAN network is doing exactly what it should be doing: maintaining the integrity of the shared network at the expense of disconnecting an infected or malfunctioning node. What am I missing?

Re:Sounds like good design to me

[JohnFen]

Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.

Re:Sounds like good design to me

[MachineShedFred]

That's like saying that it shouldn't be possible for an "attacker" to "hack" your brake lines with a hacksaw.

If you have physical access to the vehicle and want to do someone harm, there are far easier ways than a laptop plugged into the ODB2 connector. And, the most obvious way that an auto manufacturer would "fix" this "flaw" is to engage in some scheme reminiscent of DRM, further locking down anyone from being able to repair the car themselves.

Oh, you want to replace the stereo? Fuck you, the security controller for the door locks is in the back, and it all has to have our special firmware on it to talk. You can get the $300 upgrade the stereo at the dealership for $2000.

No thanks, I'll stick with the "flawed" CANbus.

Exploit requires access

[klossner]

To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.

okay

[ArylAkamov]

This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.

Oh enough of this shit

I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc. About building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.

Re:Oh enough of this shit

[MachineShedFred]

In fact, this is such a known quantity by anyone that knows what the hell is going on in a modern car that there are products you can buy for some cars that actively edit the CANbus signals going into the ECU to tune the car's engine without invasive and potentially dangerous loading of non-sanctioned firmware. And, this additive hardware adds settings and features that were never available to the car from the manufacturer, such as altering turbo boost based on current octane sensor data and oil temperature data - increasing power when safe to do so, but decreasing if fuel quality is bad, or the engine is too hot. It achieves the desired effect in a safer, better, and more reversible way than an ECU flash with a different boost mapping.

And this is possible because you can slap a signal processor in between the ECU and the rest of the CANbus, and the ECU will never know it's happening. Something starts to go wrong, and you disable it or remove it completely (unless something goes REALLY wrong, in which case caveat emptor, buddy.)

Yeah, I'll go ahead and keep the open CANbus instead of some new standard that requires all kinds of lockdown and essentially DRM, and deal with the exactly zero "vulnerability" issues in literally billions of vehicle-miles travelled by CANbus equipped vehicles.

Remote network access to car == REALLY BAD IDEA

[al0ha]

So glad I did not go for the remote network accessibility option in my new car. Seemed like such a bad idea; yep!

Re:All of these have this flaw

[Mr+D+from+63]

Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM very easily. Most IoT systems out there are predicated on the fact that they can do this.

You think it is bad? No, its worse than that. I try not to think about it much.

Doesn't bother me at all. With or without this flaw, people can sabotage your car. In this case, they have to have the technology, knowhow, access and motive to exploit the flaw. Why would they take the difficult path when there are much easier ways to F with your car?

Re:All of these have this flaw

This exploit may require local access, but the more constant connectivity there is in cars, the higher the risk of remote exploits. Then, instead of one person fucking with one other person's car locally at 3am, one person can fuck with 60 million people's cars from across the world.

Centralization is something both companies and consumers are in love with, but it brings major risk factors.

Re:All of these have this flaw

[The+Cynical+Critic]

There's just a "tiny" problem with that... It's called segmentation and encrypted traffic. A number of American and Japanese manufacturers don't really protect their CAN bus traffic at all, but European manufacturers have generally been doing this for well over a decade. Segmenting the CAN bus network is something specially the Germans started doing a long time ago, thou less as an anti-sabotage measure and more as an anti-theft measure when they found that eastern European car thieves were opening doors by connecting the side view mirror's CAN bus port and getting the ignition going by connecting to the CAN bus port in the front passenger footwell. Encryption is a specialty of Volvo's as they tend to have all the data going in the CAN bus encrypted and it's a long and complicated process to get the system to renew the encryption keys whenever you need to replace something that needs to communicate over the CAN bus. Seriously thou, reading this feels like reading an article from a few years ago when people went crazy over the Jeep hack.