Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
So let me get this straight: If a component on the network starts sending out uncontrolled messaging that looks like a denial of service, or an out of control / perpetually errored state, the network corrects for this problem by disconnecting the component causing chaos. That sounds like the CAN network is doing exactly what it should be doing: maintaining the integrity of the shared network at the expense of disconnecting an infected or malfunctioning node. What am I missing?
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
Most vehicles have at least two CANs. A public one, that is accessed through the OBD port shown in TFA. They also have a "private" CAN. That network should be used for vital communications between modules, and the messages are largely proprietary.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
My approach so far is to avoid buying cars that include communications. Eventually, though, even older used cars will have this crap.
At that point, I'll have to disable the comms. Right now, that appears to be easy to do in almost every car (just locate and remove the antenna). Hopefully, that will get me through the rest of my car-driving years.
If one has physical access, I think you will find it is also vulnerable to simple voltage injection, say 110v.
This is easily created using capacitors when a wall outlet is inconvenient.
Why knock out one device when you can kill the whole bus? Am I missing the point? ABS brakes won't work, just time the injection correctly.
It's so we can shut down your cars when you try to drive them into high security areas that are federally controlled.
For exactly that reason.
-- Tigger warning: This post may contain tiggers! --
To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.
This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.
I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc. about building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.
Special device needed to carry out local attacks
The research team says that all it takes is a specially-crafted device that attackers have to connect to the car's CAN bus through local open ports.
So, to be clear, a specially-crafted device, connected directly to an open local port.
"The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," said ICS-CERT experts in an alert released last month.
Um... So don't let strangers with car hacking gear ride along with you in your car -- or watch them *very* closely -- check.
It must have been something you assimilated. . . .
There is another approach. CAN traffic happens over a differential pair. I have a specially-constructed device that can jam CAN traffic. I call it a "paperclip." I bend it and plug it into both data lines on the OBD port and the network is dead.
We need to ban these dangerous hacking paperclips.
"-1 Troll" is apparently the same as "-1 I disagree with you."
I don't see any problem with this as long as the CAN bus is not accessible from the outside.
I can also create a DoS attack on my PC if I short pins on the motherboard.
You don't need an arduino to get CAN nodes to get into bus-off state, just short the two CAN bus signals together a couple of times.
If you have physical access then you can also disable Airbags, and ABS brakes with a sidecutter.
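The bus-off behaviour the two comments above rely on is the CAN fault-confinement mechanism: every controller keeps a transmit and a receive error counter, and once the transmit counter passes 255 the controller takes itself off the bus. The simulation below is an added example, not code from the thread or from the researchers. It models the counters and the three node states with the thresholds ISO 11898-1 defines, and adds a small monitor that replays a constructed event trace and reports which node dropped off the bus. The node names and the trace are made up for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Node states defined by the CAN fault-confinement rules (ISO 11898-1).
ERROR_ACTIVE = "error-active"    # normal operation, sends active error flags
ERROR_PASSIVE = "error-passive"  # TEC or REC above 127, sends passive error flags
BUS_OFF = "bus-off"              # TEC above 255, controller stops taking part in the bus


@dataclass
class CanNode:
    """Fault-confinement counters of one CAN controller (simulation, not a driver)."""
    name: str
    tec: int = 0                 # transmit error counter
    rec: int = 0                 # receive error counter
    transitions: List[str] = field(default_factory=list)

    @property
    def state(self) -> str:
        if self.tec > 255:
            return BUS_OFF
        if self.tec > 127 or self.rec > 127:
            return ERROR_PASSIVE
        return ERROR_ACTIVE

    def _track(self, before: str) -> None:
        after = self.state
        if after != before:
            self.transitions.append(f"{before} -> {after}")

    def transmit(self, error: bool) -> None:
        """A transmit error adds 8 to TEC; a successful transmission subtracts 1."""
        before = self.state
        if before == BUS_OFF:        # a bus-off node no longer transmits
            return
        self.tec = self.tec + 8 if error else max(0, self.tec - 1)
        self._track(before)

    def receive(self, error: bool) -> None:
        """A receive error adds 1 to REC; success subtracts 1 (or caps REC at 127)."""
        before = self.state
        if before == BUS_OFF:
            return
        if error:
            self.rec += 1
        else:
            self.rec = 127 if self.rec > 127 else max(0, self.rec - 1)
        self._track(before)

    def recover(self) -> None:
        """Bus-off recovery: the standard lets the controller rejoin with cleared
        counters after it has seen 128 occurrences of 11 consecutive recessive bits."""
        before = self.state
        if before == BUS_OFF:
            self.tec = self.rec = 0
            self._track(before)


def errors_until_bus_off() -> int:
    """How many consecutive transmit errors move a fresh node from error-active to bus-off."""
    node = CanNode("probe")
    count = 0
    while node.state != BUS_OFF:
        node.transmit(error=True)
        count += 1
    return count


Event = Tuple[str, str, bool]   # (node name, "tx" or "rx", error?)


def replay(trace: List[Event]) -> Dict[str, CanNode]:
    """Monitor side: replay an event trace and return the resulting node states.
    A node reaching bus-off without a wiring fault is the symptom the thread discusses."""
    nodes: Dict[str, CanNode] = {}
    for name, kind, error in trace:
        node = nodes.setdefault(name, CanNode(name))
        (node.transmit if kind == "tx" else node.receive)(error)
    return nodes


def bus_off_nodes(trace: List[Event]) -> List[str]:
    return sorted(n.name for n in replay(trace).values() if n.state == BUS_OFF)


# Constructed trace (not captured from a vehicle): one node keeps failing its
# transmissions, a second one has a handful of errors and then runs normally.
SAMPLE_TRACE: List[Event] = (
    [("abs", "tx", True)] * 32
    + [("dash", "tx", True)] * 5
    + [("dash", "tx", False)] * 10
    + [("dash", "rx", False)] * 3
)

if __name__ == "__main__":
    print("transmit errors to bus-off:", errors_until_bus_off())
    for node in replay(SAMPLE_TRACE).values():
        print(node.name, node.state, "TEC", node.tec, node.transitions)
```

Because each transmit error costs 8 counts, a node goes error-passive after 16 consecutive errors and bus-off after 32; a node whose errors stop recovers by one count per good frame, which is why an intermittent fault looks very different from a sustained one on a monitor.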
But plenty of people have access to cars of family members and friends. More than 75% of the homicide victims know their perps. Stranger on stranger murder rate is less than 25%.
So one could sabotage the car of a family member in a manner very difficult to detect, using a device plugged into the network that targets the brake system once the car's speed is above 75 mph. An average dumb criminal (all criminals are dumb) would lack the technical knowledge to do it. But nowadays I see kits being sold on Amazon for USB sticks that will fry the motherboard if plugged in. So it wouldn't be long before such devices make it to the market. Yes, eventually the police will catch one and then it would become standard protocol to look for this. But till then ...
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
> you must have a device physically connected to the CAN bus.
Which *for now* means a laptop connected on the OBD port.
But which could mean in the future hacking into some component of the car that is on the CAN bus itself (like the infotainment center, which needs to get information about fuel consumption and a few other things).
Hack remotely (Bluetooth, some even support Wifi and 3G/4G) that component and then you get full access to the CAN bus.
Expect *high range cars* to have two separate CAN buses and the infotainment only talking on the "public" CAN bus (and all the juicy bits staying on the "private" CAN bus).
No risk to the critical component if a non critical (like the infotainment) gets hacked.
Expect *cheap cars* to have the two buses badly segregated or even only one shared bus.
These (badly designed) cars could get completely owned through the music system.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
So glad I did not go for the remote network accessibility option in my new car. Seemed like such a bad idea; yep!
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Stuck CAN bus signal. From what I've gathered, my first guess when it first hit the news turned out to be the actual problem.
I was involved in writing calibration, diagnostic and simulation tools for GM and their suppliers in the late 90s and early 00s. I saw this problem several times on the low-speed bus, but that wasn't as critical (well, your instrument panel or radio might go wonky, but critical components run on a high speed bus).
...if you jam a network, it will stop working. Whoever figures out how to avoid that will win a Nobel. And a position of headmaster at Hogwarts.
It's very unlikely the cheap cars will only have 1 network or that it will be segregated in a different way (for good or bad) than the higher end models. Almost all car manufacturers address nearly the entire spectrum from entry level to super luxury, and tend to favor standardization to control R&D and maintenance costs. The chief differences between 'high end' and 'cheap' are the quality of materials used for upholstery etc., engine performance, more expensive alternatives of some components, space age materials etc. ... all of which are hardware with actual unavoidable cost for it. But the basic nuts & bolts, and I assume the ECM as well, don't really vary between models.
Yes, there are also several other, less dangerous flaws involving frame droppage, but the human driver is the most dangerous, unpatchable flaw in modern vehicles.
excitingthingstodo.blogspot.com
It depends on what the goal of the attacker is. If your goal is simply to destroy the vehicle or make it immobile, then sure a sledgehammer and a knife will do a better and faster job if you have physical access to the car.
If your goal is to for example assassinate someone and make it look like an accident, then it may be a different story. Plus the main troublesome thing about this is not the local access variety, but the fact that it's possible in theory to exploit this remotely if the car is connected to the internet.
Sure I agree, chances are slim that this will happen to anyone, but the fact that we have a hypothetical vector for disabling say, brakes and/or the airbag remotely if the software on the car is buggy or just badly written is a point of concern. Not panic, or a reason to switch back to horses, but something the industry should look to seriously fix.
"It is the business of the future to be dangerous" -Alfred North Whitehead
Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM very easily. Most IoT systems out there are predicated on the fact that they can do this.
You think it is bad? No, it's worse than that. I try not to think about it much.
Doesn't bother me at all. With or without this flaw, people can sabotage your car. In this case, they have to have the technology, knowhow, access and motive to exploit the flaw. Why would they take the difficult path when there are much easier ways to F with your car?
> Most IoT systems out there are predicated on the fact that they can do this.
That's only one flaw in IoT. There are many others especially when consumer and commercial products connect to the vendor's central management instead of to the customer's central management. Those flaws include having to have an untrusted device on one's network that has to be able to communicate with the Internet, having software that might not be readily patched yet may be running on a consumer-grade OS, and any vulnerabilities affecting the vendor's central management.
Daktronics, I'm looking at you.
Do not look into laser with remaining eye.
Except that as infotainment systems get more complex and more heavily integrated with the vehicle's CANBUS system and with the Internet via cellular networks, suddenly the possibility that someone can sabotage your car without having ever come within a thousand miles of you becomes a real prospect. Now add drive-by-wire where the vehicle controls are just inputs and the computer more directly controls acceleration, braking, and even steering, and you've got a recipe for a disaster if someone figures out how to exploit all models of a manufacturer with the same flaw. Imagine if all Honda Accords with lane-departure and adaptive cruise control suddenly accelerate at full-speed for five seconds then suddenly turn fifteen degrees to the left. If an attack like that was successful it would probably hurt or kill thousands of people.
Because ransom ware of your car is going to suck.
This exploit may require local access, but the more constant connectivity there is in cars, the higher the risk of remote exploits. Then, instead of one person fucking with one other person's car locally at 3am, one person can fuck with 60 million people's cars from across the world.
Centralization is something both companies and consumers are in love with, but it brings major risk factors.
Because all they need to do is send a malicious RDS message through the FM network to a vulnerable car radio. Many radios are on the CANBUS these days, and it is highly unlikely that the developers of the radio software care about security or that secure channels for expedient software updates were designed in.
However, there are much more exciting things that you can do once you're on the CANBUS, instead of just shutting down ABS.
Finally! A year of moderation! Ready for 2019?
He was murdered as retribution for General McChrystal, who he had written an expose on and gotten him fired. He was about to do another big one, but instead his car was made after the year 2000, like most on the road today, and was controllable. I learned about the CAN network, reading about his death, years ago.
I feel fantastic, and I'm still alive.
> Because all they need to do is send a malicious RDS message through the FM network to a vulnerable car radio. Many radios are on the CANBUS these days, and it is highly unlikely that the developers of the radio software care about security or that secure channels for expedient software updates were designed in.
Given that the RDS protocol is really simple, I really doubt you can p0wn a car radio through RDS. Fixed message sizes and few undefined bits make it almost trivial to implement robust parsers for the protocol. You'll have to find another weakness, I think.
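The comment above argues that RDS's fixed group layout makes a robust parser easy to write. As an added example (not the poster's code and not any radio's firmware), here is a decoder for the two most common group types, 0A (programme service name) and 2A (RadioText), written so that every buffer index is derived from a 2- or 4-bit field and therefore can never leave the fixed 8- and 64-byte buffers; wrong-length groups are counted and dropped, and non-printable bytes are replaced rather than interpreted. The PI code, station name and text used in the demonstration are constructed, and the encoder functions exist only to build test input.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PS_LEN = 8    # programme service name: 4 segments x 2 chars (group 0A)
RT_LEN = 64   # RadioText: 16 segments x 4 chars (group 2A)


@dataclass
class RdsDecoder:
    """Decoder for RDS groups 0A and 2A working on fixed-size buffers.

    A group is 4 blocks of 16 bits: A = PI code, B = group type/version/flags/
    segment address, C and D = payload. Every buffer index below comes from a
    2- or 4-bit field, so it cannot point outside the 8- or 64-byte buffer."""
    pi: Optional[int] = None
    ps: bytearray = field(default_factory=lambda: bytearray(b" " * PS_LEN))
    rt: bytearray = field(default_factory=lambda: bytearray(b" " * RT_LEN))
    rt_flag: Optional[int] = None   # RadioText A/B flag; a toggle means "clear the text"
    rejected: int = 0               # groups dropped for having the wrong length

    def feed(self, group: bytes) -> None:
        if len(group) != 8:          # a group is exactly 8 bytes; anything else is dropped
            self.rejected += 1
            return
        block_b = int.from_bytes(group[2:4], "big")
        self.pi = int.from_bytes(group[0:2], "big")
        group_type = block_b >> 12
        version_b = (block_b >> 11) & 1
        if version_b:                # B versions repeat the PI code in block C; not handled here
            return
        if group_type == 0:
            seg = block_b & 0x3                       # 0..3 -> writes bytes 0..7
            self.ps[2 * seg:2 * seg + 2] = self._printable(group[6:8])
        elif group_type == 2:
            flag = (block_b >> 4) & 1
            if flag != self.rt_flag:                  # broadcaster toggled the A/B flag
                self.rt[:] = b" " * RT_LEN
                self.rt_flag = flag
            seg = block_b & 0xF                       # 0..15 -> writes bytes 0..63
            self.rt[4 * seg:4 * seg + 4] = self._printable(group[4:8])

    @staticmethod
    def _printable(raw: bytes) -> bytes:
        """Keep printable ASCII only; 0x0D (end-of-text marker) and every other
        control byte become spaces, so no byte from the air is interpreted as anything but text."""
        return bytes(ch if 0x20 <= ch < 0x7F else 0x20 for ch in raw)

    def ps_name(self) -> str:
        return self.ps.decode("ascii").rstrip()

    def radiotext(self) -> str:
        return self.rt.decode("ascii").rstrip()


def block_b(group_type: int, low5: int) -> int:
    """Build block B for a version-A group with TP=0 and PTY=0 (test input only)."""
    return (group_type << 12) | (low5 & 0x1F)


def rt_groups(pi: int, text: str, flag: int = 0) -> List[bytes]:
    """Encode a RadioText string as 16 constructed 2A groups (not real broadcast data)."""
    padded = text.encode("ascii")[:RT_LEN].ljust(RT_LEN)
    return [
        pi.to_bytes(2, "big")
        + block_b(2, (flag << 4) | seg).to_bytes(2, "big")
        + padded[4 * seg:4 * seg + 4]
        for seg in range(16)
    ]


def ps_groups(pi: int, name: str) -> List[bytes]:
    """Encode a programme service name as 4 constructed 0A groups; block C is left zero."""
    padded = name.encode("ascii")[:PS_LEN].ljust(PS_LEN)
    return [
        pi.to_bytes(2, "big")
        + block_b(0, seg).to_bytes(2, "big")
        + b"\x00\x00"
        + padded[2 * seg:2 * seg + 2]
        for seg in range(4)
    ]


def decode_all(groups: List[bytes]) -> RdsDecoder:
    dec = RdsDecoder()
    for g in groups:
        dec.feed(g)
    return dec


if __name__ == "__main__":
    dec = decode_all(ps_groups(0x1234, "RADIO 1") + rt_groups(0x1234, "NOW PLAYING: CONSTRUCTED SAMPLE"))
    dec.feed(b"\xff" * 9)                        # wrong length: dropped and counted
    print(dec.ps_name(), "|", dec.radiotext(), "| rejected:", dec.rejected)
```

The point of the design is that the received data never chooses a length or an offset: segment addresses are masked to their field width, so a group claiming segment 15 lands in the last four bytes of the 64-byte buffer and nowhere else.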
There is no hypothetical vector for disabling the brakes. There is a hypothetical vector for turning off the anti-lock function. Big deal.
When these sensors fail (which is what this hypothetical attack simulates), the computer turns off the affected system and lights the malfunction lamp. That is all that happens.
A failed airbag system does not cause you to crash, it just makes it more dangerous if you DO crash.
Which do you think is more likely to happen: some wiring gets corroded and the computer starts getting bad data about your ABS, or some scary hacker remotely sending bad data about your ABS? The first is probably thousands of times more likely to occur, so the systems should be designed to handle that, which they are.
If someone has access to the CAN bus, you are already pwned. It is not much of a flaw, except don't let hostile applications or hardware have direct access to the CAN bus. This is like saying PCs have a flaw, because something plugged in the PCIe bus can do bad things.
The article is about "today's modern cars". I wasn't talking about the ifs of the future; you are into fully autonomous driving, which is a totally different discussion. There are already standards in place on how to deal with mission and safety critical controls. It's not that hard.
> Because all they need to do is send a malicious RDS message through the FM network to a vulnerable car radio. Many radios are on the CANBUS these days, and it is highly unlikely that the developers of the radio software care about security or that secure channels for expedient software updates were designed in.
> However, there are much more exciting things that you can do once you're on the CANBUS, instead of just shutting down ABS.
But, to my point, if it's so easy why isn't it happening in the real world?
But it requires LOCAL access. They could remotely disable the brakes after first installing a remote controlled device into the car. For Christ's sake, they could do that anyway: if they have local access and can install things in the car, they could just disable the brakes....
There is no such thing as an unfixable flaw in a car. It all has to do with how much money you have and how much of it you are willing to spend to fix the issue.
Caution: Contents under pressure
> Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM very easily. Most IoT systems out there are predicated on the fact that they can do this.
> You think it is bad? No, it's worse than that. I try not to think about it much.
Personally I prefer this to adding unnecessary complexity and the real prospect of vendors wielding it to lock people out of performing their own repairs or modifications.
All manufacturers have to do is cut the transmit line from their lame cellular stalker radios and "infotainment" garbage... of course even that's too hard for these idiots.
"remote" only in the sense that he might be clinging to your undercarriage instead of crouching down under the driver seat.
Or way over on the passenger side floor, under the dash, where the CAN bus connects to the control computer(s).
Stop it, just stop. Stop connecting networked systems to the ECU, it's fuggin stupid. Stop being stupid.
AKA why I have no IoT devices, despite the fact that they'd be very useful. Sell me a device, and charge me separately for the software if you must, but I'm not letting anything on my network that leaks information without my permission.
If your car is worth anything at all, odds are someone will desire to take it. I've seen videos of people stealing various makes of BMW via diag hacks, made easier by alarm blind spots. And it's not limited to high-ish end makes; bog-standard hondas, vws, and fords are stolen and stripped all the time.
It gets much easier with "OnStar"... that's a radio with complete control of the car.
I have a car with a CAN network (two networks actually, with the gauge cluster acting as a gateway between the fast and slow networks)
The only thing the ABS control unit uses the CAN bus for is to illuminate the warning lights on the gauge cluster.
The control unit is directly connected to the wheel speed sensors and valves.
The engine ECU and transmission ECU are actually the same thing, so there is no issue with that. If they weren't, auto transmissions go into limp-home mode if they detect a failure and still work.
It has drive-by-wire, but the actuator and sensor are directly connected to the main ECU. No CAN bus needed.
They could disable stability control and ABS. They can't disable the brakes. The individual wheel sensors are connected directly to the control unit, so you couldn't trick it into pulsing or applying the brakes by sending it incorrect wheel speed data. The steering angle and yaw rate sensors are also directly connected to it, so no tricking it into thinking the car isn't going where the front wheels are pointing.
They could stop me using cruise control
They could turn my headlights on and off (providing I have the switch in "auto")
They could lock/unlock the car and play with the windows if they were connected to the low-speed bus (I doubt the gauge cluster forwards those messages from the high speed bus. It doesn't do everything, since it's going from 500kbit to 33kbit) and when the car is off, the high speed bus is inactive.
If they're on the low speed bus they could turn the AC fan/compressor on and off. The indicators too. Maybe the windscreen wipers
They could show garbage data on the nav unit trip computer screen
They could make the gauge cluster show incorrect data
I doubt there is much else they could do. If any of the above systems go offline, a warning light is going to appear on the gauge cluster.
Like those cheap OBDII bluetooth dongles? I fired up my tablet in the driveway once and saw four of those damned things. (having VW specific tools, I could totally fuck with the neighbor's car.)
Unfortunately, they already are. Because so many components are on the CAN bus, replacing them without special tools isn't possible.
The vulnerability affects the petrol tank that's deployed in modern cars and used to hold fuel that runs the vehicle's internal components. The flaw was discovered by college students everywhere, and involves pouring sugar into it. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a petrol tank standard design choice that makes it unpatchable.
Then there's the "penknife in the side wall of the tires" flaw, the "pull the distributor cap/spark plugs/ignition wiring flaw", the ...
> If your car is worth anything at all, odds are someone will desire to take it. I've seen videos of people stealing various makes of BMW via diag hacks, made easier by alarm blind spots. And it's not limited to high-ish end makes; bog-standard hondas, vws, and fords are stolen and stripped all the time.
> It gets much easier with "OnStar"... that's a radio with complete control of the car.
The topic was more sabotage than theft. But car thefts have reduced significantly with new technology in place. Stealing cars now is a lot harder than it's ever been, and the type of theft you describe is quite rare relative to overall theft numbers.
It might not be that hard, but it doesn't mean auto manufacturers have been following those standards. Just look into the Jeep Liberty hack from a couple years ago.
Valid point, but even then the hack was only performed in what was basically a lab setting, with the hackers having physical access to the car.
>you are into fully autonomous driving ...
I didn't see anything about that - all they initially mentioned was "drive by wire", where there's no direct mechanical linkage between the driver and the car - something which is becoming increasingly common. Just that, and an internet-connected... anything on the same bus, and a hijacker could potentially crash the car at will. Lane assist, etc. might make the attack easier, but then again all they really have to do is spoof the gas pedal sending a "maximum acceleration" signal for a while, and then spoof a "steering wheel is turning".
--- Most topics have many sides worth arguing, allow me to take one opposite you.
It burns the cheapest possible gas and most of the oil I put in it too which I usually also get used because if it's going to burn the oil with the gas it's damn well going to burn the cheap stuff. On the plus side, there's no electronics to hack in this vehicle. Everything is pure analog circuits or mechanical and it's such an ugly car that nobody can be bothered to steal it either. Had the thing since high school and it's a tank that just keeps rolling. American cars used to last and last, not like the shit they build today.
Jeep already had a widely publicized issue that let anyone access the can-bus over the net.
All cars are vulnerable to a local access attack, but some might leave the can-bus accessible to the entertainment system which increases the attack surface significantly... Especially if said system is internet connected.
There's just a "tiny" problem with that... It's called segmentation and encrypted traffic. A number of American and Japanese manufacturers don't really protect their CAN bus traffic at all, but European manufacturers have generally been doing this for well over a decade. Segmenting the CAN bus network is something especially the Germans started doing a long time ago, though less as an anti-sabotage measure and more as an anti-theft measure when they found that eastern European car thieves were opening doors by connecting to the side view mirror's CAN bus port and getting the ignition going by connecting to the CAN bus port in the front passenger footwell. Encryption is a specialty of Volvo's, as they tend to have all the data going on the CAN bus encrypted and it's a long and complicated process to get the system to renew the encryption keys whenever you need to replace something that needs to communicate over the CAN bus. Seriously though, reading this feels like reading an article from a few years ago when people went crazy over the Jeep hack.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
There are a few older and more popular options for attackers with local access to disable your brakes. The most popular uses a knife.
Remotely? Well, connecting a local control bus to the internet certainly is a flaw.
Easily fixable. Infotainment and other fluff on one canbus - vehicle control on another canbus. No ip-capable things on the 'important' bus.
Except for the fact that the autopilot has to get navigation information over the internet. And everything is controlled with the same touch screen. Not so easy to separate everything anymore.
CAN is not a secure bus. And it was never meant to be one. CAN, when it was invented, was to be a lightweight bus system that connects internal car systems. And as such it works perfectly. At its conception, there was neither any kind of provision to make it "user space safe" nor was any form of wireless connection to it foreseen.
And if you use it as such it is a great bus system and does its job. Of course, if you let marketing run amok, well, you get what you get when you let marketing run amok. I highly doubt that any engineer said it would be a really splendid idea to make user systems part of the mission critical CAN bus (read: the one that any of the car's important systems listen to) or to allow wireless connections to it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
> The article is about "today's modern cars". I wasn't talking about the ifs of the future, you are into fully autonomous driving which is a totally different discussion.
What he was describing doesn't require fully autonomous cars though. Semi-autonomous features such as adaptive cruise control (pretty standard on modern cars), and lane departure correction designed to gently nudge your car back into the lane if certain conditions are met, would have sufficient control over the car to cause a problem if it happened all at once and unexpectedly.
> It's very unlikely the cheap cars will only have 1 network or that it will be segregated in a different way (for good or bad) than the higher end models. Almost all car manufacturers {...} tend to favor standardization to control R&D and maintenance costs.
The idea isn't that a manufacturer separately designs a secure and a non-secure car computer.
Modern cars are far from having a single computer inside. They literally have dozens of elements with embedded CPUs.
The metaphor of a car being "a datacenter on wheels" used by Musk isn't far off.
This will lead to several results:
- a car manufacturer is seldom going to design from the ground up every single element.
- expect lots of them to be either subcontracted or even off-the-shelf components.
- to lower the cost of production of a car model, expect the manufacturer to buy cheaper elements.
More precisely:
- as on any other network of computer nodes, the security will require a box acting as a router/firewall.
- you can expect that such a router is going to cost quite a bit, just because of all the various certifications it needs to be used in a car.
You can expect some manufacturer deciding to cut corners and completely forgo the router. Why add a device that costs a few percent of the total price of the car and doesn't provide something immediately visible at the auto dealer's shop?
Unless it's something that is mandated by government or considered standard (and both in enough countries that it makes more sense to put it in as a standard feature in all cars instead of going on a per-market availability), you know manufacturers will try to get away without it.
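Several posts above (the "fluff on one canbus, vehicle control on another" suggestion, and the router/firewall box in the post just above) describe a gateway policy without showing one. The following is an added example, not a manufacturer's gateway and not code from the thread: it forwards frames between an infotainment bus and a vehicle-control bus only for an allow-list of arbitration IDs, checks that each allowed frame carries the expected data length, rate-limits each ID per sliding second, and drops and logs everything else. The IDs, their meanings and the traffic mix are assumptions chosen for the demonstration; real vehicles use proprietary ID maps.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class CanFrame:
    arb_id: int     # 11-bit arbitration ID
    data: bytes     # 0..8 bytes
    ts: float       # seconds, from the gateway's own clock


# Hypothetical IDs for the demonstration (assumption, not a real vehicle's map).
STEERING_WHEEL_BUTTONS = 0x3A0   # infotainment -> control: volume/track buttons, 8 bytes
ENGINE_RPM = 0x1F1               # control -> infotainment: display data only
VEHICLE_SPEED = 0x1F2            # control -> infotainment: display data only
BRAKE_ACTUATOR = 0x0C0           # control bus only; never accepted from infotainment


class CanGateway:
    """Policy gateway between an infotainment bus and a vehicle-control bus.

    Into the control bus: only allow-listed IDs with the expected data length,
    at most `max_per_sec` frames per ID in any one-second window. Out of the
    control bus: only allow-listed display IDs. Everything else is dropped and logged."""

    def __init__(self, to_control: Dict[int, int], to_infotainment: Set[int], max_per_sec: int) -> None:
        self.to_control = to_control          # arb_id -> expected data length
        self.to_infotainment = to_infotainment
        self.max_per_sec = max_per_sec
        self._recent: Dict[int, Deque[float]] = defaultdict(deque)
        self.log: List[Tuple[str, int, str]] = []   # (source bus, arb_id, verdict)

    def _within_rate(self, frame: CanFrame) -> bool:
        window = self._recent[frame.arb_id]
        while window and frame.ts - window[0] >= 1.0:   # forget timestamps older than 1 s
            window.popleft()
        if len(window) >= self.max_per_sec:
            return False
        window.append(frame.ts)
        return True

    def forward(self, frame: CanFrame, source: str) -> str:
        """Return 'forward' or 'drop:<reason>' for a frame arriving from
        source 'infotainment' or 'control'; every decision is appended to self.log."""
        if source == "control":
            verdict = "forward" if frame.arb_id in self.to_infotainment else "drop:not-allowed"
        elif frame.arb_id not in self.to_control:
            verdict = "drop:not-allowed"
        elif len(frame.data) != self.to_control[frame.arb_id]:
            verdict = "drop:bad-dlc"
        elif not self._within_rate(frame):
            verdict = "drop:rate"
        else:
            verdict = "forward"
        self.log.append((source, frame.arb_id, verdict))
        return verdict


def build_gateway() -> CanGateway:
    return CanGateway(
        to_control={STEERING_WHEEL_BUTTONS: 8},
        to_infotainment={ENGINE_RPM, VEHICLE_SPEED},
        max_per_sec=20,
    )


def run_sample() -> Dict[str, int]:
    """Replay a constructed traffic mix (not a capture) and count the verdicts."""
    gw = build_gateway()
    frames = [
        (CanFrame(ENGINE_RPM, bytes(8), 0.0), "control"),                   # display data: forwarded
        (CanFrame(BRAKE_ACTUATOR, bytes(8), 0.1), "infotainment"),          # wrong direction: dropped
        (CanFrame(STEERING_WHEEL_BUTTONS, b"\x01\x00\x00", 0.2), "infotainment"),  # short frame: dropped
        (CanFrame(BRAKE_ACTUATOR, bytes(8), 0.3), "control"),               # never leaves control bus
    ]
    # 25 button frames inside one second against a limit of 20: the last 5 are dropped
    frames += [(CanFrame(STEERING_WHEEL_BUTTONS, bytes(8), 0.5 + i * 0.01), "infotainment")
               for i in range(25)]
    counts: Dict[str, int] = defaultdict(int)
    for frame, src in frames:
        counts[gw.forward(frame, src)] += 1
    return dict(counts)


if __name__ == "__main__":
    for verdict, n in sorted(run_sample().items()):
        print(f"{verdict:18} {n}")
```

The gateway's log is the interesting output for a defender: a burst of "drop:not-allowed" verdicts for control-only IDs arriving from the infotainment side is exactly the evidence that a compromised head unit is trying to reach the other bus.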
I see a bunch of insightful comments to the effect that "mitigating DoS is a good thing", etc., and decrying infosec folks because of crying wolf, not balancing security with other factors, not understanding engineering, etc. Your car likely has a network-accessible device on your CAN-BUS. Got bluetooth in your car stereo? Also got nav system or steering wheel controls for the stereo? Guess what?
If an attacker compromises a system on your car that is connected to your CAN-BUS, then they might be able to co-opt that system into doing nasty things on your CAN-BUS. Your entertainment system probably has the biggest wireless attack surface, but more and more frequently CAN-BUS is externally accessible, as through your side mirrors, likely the case if you have mirrors that tilt in reverse, etc.
And, these aren't even theoretical vulnerabilities; entertainment system remote exploit has already been demonstrated to disable brakes, etc.:
https://www.wired.com/2015/07/...