Slashdot Mirror


Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.


  1. Sounds like good design to me by captaindomon · · Score: 3, Insightful

    So let me get this straight: If a component on the network starts sending out uncontrolled messaging that looks like a denial of service, or an out of control / perpetually errored state, the network corrects for this problem by disconnecting the component causing chaos. That sounds like the CAN network is doing exactly what it should be doing: maintaining the integrity of the shared network at the expense of disconnecting an infected or malfunctioning node. What am I missing?

    --
    Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    1. Re:Sounds like good design to me by JohnFen · · Score: 3, Insightful

      Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.

    2. Re:Sounds like good design to me by hey! · · Score: 2

      Well, it's always been possible for someone with physical access to the car to sabotage it. There are hundreds of ways you can make a car inoperable, likely to break down, or downright dangerous.

      What's different for most cars is that there are more elaborate ways of doing it now.

      But if the car is at all manageable OTA or wirelessly, that's a different story; we're not talking about needing physical access any more. You could hack someone's car while it sat in their locked garage, or while they were driving down the freeway.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Sounds like good design to me by MachineShedFred · · Score: 3, Insightful

      That's like saying that it shouldn't be possible for an "attacker" to "hack" your brake lines with a hacksaw.

      If you have physical access to the vehicle and want to do someone harm, there are far easier ways than a laptop plugged into the OBD2 connector. And, the most obvious way that an auto manufacturer would "fix" this "flaw" is to engage in some scheme reminiscent of DRM, further locking down anyone from being able to repair the car themselves.

      Oh, you want to replace the stereo? Fuck you, the security controller for the door locks is in the back, and it all has to have our special firmware on it to talk. You can get the $300 stereo upgrade at the dealership for $2000.

      No thanks, I'll stick with the "flawed" CANbus.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. Exploit requires access by klossner · · Score: 5, Insightful

    To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.

    1. Re:Exploit requires access by Carewolf · · Score: 2

      >To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.

      Bomb under the car is a well-known security issue with cars. It has been known for years. OMG!!! When will they solve it???

  3. okay by ArylAkamov · · Score: 5, Insightful

    This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
    tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.

  4. Oh enough of this shit by Anonymous Coward · · Score: 5, Insightful

    I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc. about building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.

    1. Re: Oh enough of this shit by Anonymous Coward · · Score: 2, Funny

      I can hack your brakes with a wire cutter. No laptops required.

    2. Re:Oh enough of this shit by Script+Cat · · Score: 3, Funny

      Just like this server is totally unsecure all I have to do is swap the hard drive and motherboard and I have root access.

    3. Re:Oh enough of this shit by MachineShedFred · · Score: 4, Insightful

      In fact, this is such a known quantity by anyone that knows what the hell is going on in a modern car that there are products you can buy for some cars that actively edit the CANbus signals going into the ECU to tune the car's engine without invasive and potentially dangerous loading of non-sanctioned firmware. And, this additive hardware adds settings and features that were never available to the car from the manufacturer, such as altering turbo boost based on current octane sensor data and oil temperature data - increasing power when safe to do so, but decreasing if fuel quality is bad, or the engine is too hot. It achieves the desired effect in a safer, better, and more reversible way than an ECU flash with a different boost mapping.

      And this is possible because you can slap a signal processor in between the ECU and the rest of the CANbus, and the ECU will never know it's happening. Something starts to go wrong, and you disable it or remove it completely (unless something goes REALLY wrong, in which case caveat emptor, buddy.)

      Yeah, I'll go ahead and keep the open CANbus instead of some new standard that requires all kinds of lockdown and essentially DRM, and deal with the exactly zero "vulnerability" issues in literally billions of vehicle-miles travelled by CANbus equipped vehicles.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    4. Re:Oh enough of this shit by freeze128 · · Score: 2

      >...such as altering turbo boost based on current octane sensor data...

      Is this for real cars, or only for the Knight Industries Two Thousand?

    5. Re:Oh enough of this shit by DarkOx · · Score: 5, Informative

      So I am one of those infosec guys and we have been doing CAN bus assessments for the big 3 for some time now. This has to be the stupidest article I have read in some time.

      First off the next gen cars are already implementing 'segmented' CAN buses with a firewall module that allows some devices to send white listed messages from the less privileged body areas to the more privileged engine management and safety buses. So this problem is already being solved.

      Very few existing cars have a path to remotely introduce CAN messages. Some do but those interfaces have by and large been hardened pretty well, the Jeep stuff from some years ago is long fixed.

      So what we have here is basically if you are in the car you can do bad stuff by wiring into the CAN bus. Okay, I make the airbag fail too by yanking it out of the dashboard, who cares.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Oh enough of this shit by gumbi+west · · Score: 3, Funny

      >Okay, I make the airbag fail too by yanking it out of the dashboard, who cares.

      The person whose airbag you just yanked out of their dashboard?

    7. Re:Oh enough of this shit by DarkOx · · Score: 3

      That is what I am saying though. They are hardening the cellular interfaces which at one point were laughably badly done. They are starting to segment the network and put what are basically firewalls onto the CAN bus.

      What you are seeing now is that cellular interface will be connected to the body module, and sure it can send any message it wants, so you pwn the cellular adapter. Alright great, but the firewall module that connects the body module's zone of the CAN bus to, say, the engine-management module's zone of the CAN bus will only pass certain messages. It won't, say, let you change the fuel mix but will pass the "Show me your fault codes" message.

      The firewall modules are programmable in terms of policy, I don't know if the one I was looking at could have its policy updated remotely or if you'd need to cable up. That was out of scope, we were assigned to test the policy. The rules were we could plug into the OBD2 port and/or pop the infotainment system out and plug in there. We were supposed to prove that even if you got code running on the infotainment system (possible can update firmware, handles user provided files, usb etc) you could not interact with anything safety critical.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
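
The gateway policy described in the comment above (pass "show me your fault codes" from the body zone, refuse everything else), sketched as a default-deny allowlist. This is an added example, not part of the thread and not any vendor's code; the zone names, rule layout and the 0x2A0 "fuel trim" ID are assumptions, while 0x7DF, 0x7E8-0x7EF and services 0x03/0x04 are the standard OBD-II values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum zone { ZONE_BODY, ZONE_POWERTRAIN };
struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* Allowlist entry: src -> dst, ID match under mask, and (if service >= 0)
 * a single-frame diagnostic request carrying exactly that service byte. */
struct rule { enum zone src, dst; uint32_t id, mask; int service; };

/* Constructed policy. 0x7DF and 0x7E8-0x7EF are the standard 11-bit OBD-II
 * request/response IDs; service 0x03 is "show stored trouble codes". */
static const struct rule policy[] = {
    { ZONE_BODY,       ZONE_POWERTRAIN, 0x7DF, 0x7FF, 0x03 },
    { ZONE_POWERTRAIN, ZONE_BODY,       0x7E8, 0x7F8, -1   },
};

/* Default deny: a frame crosses zones only if a rule matches it. */
bool gateway_allows(enum zone src, enum zone dst, const struct frame *f)
{
    if (f->id > 0x7FF || f->dlc > 8)
        return false;                      /* standard-ID classic CAN only */
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->src != src || r->dst != dst || (f->id & r->mask) != r->id)
            continue;
        if (r->service < 0)
            return true;                   /* ID-only rule */
        /* ISO-TP single frame: high nibble 0, payload length fits the DLC */
        uint8_t len = f->data[0] & 0x0F;
        if ((f->data[0] >> 4) == 0 && len >= 1 && len < f->dlc &&
            f->data[1] == r->service)
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed frames; 0x2A0 is a made-up "fuel trim" command ID. */
    struct frame read_dtc  = { 0x7DF, 8, { 0x01, 0x03 } };
    struct frame clear_dtc = { 0x7DF, 8, { 0x01, 0x04 } };
    struct frame fuel_trim = { 0x2A0, 8, { 0x10, 0xFF } };
    printf("read DTCs:  %d\n", gateway_allows(ZONE_BODY, ZONE_POWERTRAIN, &read_dtc));
    printf("clear DTCs: %d\n", gateway_allows(ZONE_BODY, ZONE_POWERTRAIN, &clear_dtc));
    printf("fuel trim:  %d\n", gateway_allows(ZONE_BODY, ZONE_POWERTRAIN, &fuel_trim));
    return 0;
}
```

Matching on the service byte as well as the ID is what separates "read fault codes" from "clear fault codes", which share the same request ID.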
  5. Another approach. by harrkev · · Score: 4, Funny

    There is another approach. CAN traffic happens over a differential pair. I have a specially-constructed device that can jam CAN traffic. I call it a "paperclip." I bend it and plug it into both data lines on the OBD port and the network is dead.

    We need to ban these dangerous hacking paperclips.

    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  6. Re:Physical access by harrkev · · Score: 2

    Well, you have found the problem: "not accessible from the outside."

    Car makers have jumped on the "smart everything" revolution, so they built devices into the cars that can bridge CAN with cell phone networks (On-Star, for example). If you own the On-Star, you can do pretty much whatever you want.

    The problem is not with CAN, however. The problem is with the typical crappy security between things that bridge CAN to other data sources.

    The one thing to remember about CAN is that it is a SHARED BUS. There is no hub; the same wires go to all devices. This means that a compromised device can jabber and jam all traffic, continually send higher-priority traffic to eat up bandwidth, or even pretend to be any device that it wants to send false data. No protocol can stop this without going to a hub-style arrangement, which increases the amount of wiring. Decreasing wiring (and its cost and weight) was one of the prime reasons for inventing CAN -- to allow multiple devices to share the same wires, so if you want to use a hub, you might as well get rid of CAN and just go back to point-to-point wiring.

    I can imagine changes to the PHY to stop the "jabbering idiot" problem, but nothing that would prevent the other attacks.

    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  7. Re:All of these have this flaw by Mr+D+from+63 · · Score: 4, Insightful

    Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM very easily. Most IoT systems out there are predicated on the fact that they can do this.

    You think it is bad? No, it's worse than that. I try not to think about it much.

    Doesn't bother me at all. With or without this flaw, people can sabotage your car. In this case, they have to have the technology, knowhow, access and motive to exploit the flaw. Why would they take the difficult path when there are much easier ways to F with your car?

  8. Re:All of these have this flaw by TWX · · Score: 3, Informative

    >Most IoT systems out there are predicated on the fact that they can do this.

    That's only one flaw in IoT. There are many others especially when consumer and commercial products connect to the vendor's central management instead of to the customer's central management. Those flaws include having to have an untrusted device on one's network that has to be able to communicate with the Internet, having software that might not be readily patched yet may be running on a consumer-grade OS, and any vulnerabilities affecting the vendor's central management.

    Daktronics, I'm looking at you.

    --
    Do not look into laser with remaining eye.
  9. Re:All of these have this flaw by TWX · · Score: 4, Interesting

    Except that as infotainment systems get more complex and more heavily integrated with the vehicle's CANBUS system and with the Internet via cellular networks, suddenly the possibility that someone can sabotage your car without having ever come within a thousand miles of you becomes a real prospect. Now add drive-by-wire where the vehicle controls are just inputs and the computer more directly controls acceleration, braking, and even steering, and you've got a recipe for a disaster if someone figures out how to exploit all models of a manufacturer with the same flaw. Imagine if all Honda Accords with lane-departure and adaptive cruise control suddenly accelerate at full-speed for five seconds then suddenly turn fifteen degrees to the left. If an attack like that was successful it would probably hurt or kill thousands of people.

    --
    Do not look into laser with remaining eye.
  10. Re:All of these have this flaw by Anonymous Coward · · Score: 2, Insightful

    This exploit may require local access, but the more constant connectivity there is in cars, the higher the risk of remote exploits. Then, instead of one person fucking with one other person's car locally at 3am, one person can fuck with 60 million people's cars from across the world.

    Centralization is something both companies and consumers are in love with, but it brings major risk factors.

  11. Re:All of these have this flaw by amorsen · · Score: 2, Interesting

    Because all they need to do is send a malicious RDS message through the FM network to a vulnerable car radio. Many radios are on the CANBUS these days, and it is highly unlikely that the developers of the radio software care about security or that secure channels for expedient software updates were designed in.

    However, there are much more exciting things that you can do once you're on the CANBUS, instead of just shutting down ABS.

    --
    Finally! A year of moderation! Ready for 2019?
  12. Re:Remote network access to car == REALLY BAD IDEA by Carewolf · · Score: 2

    Yeah, but the CAN bus isn't remote. It is the local backbone between the various computers in a car. I had always been under the impression it was not secure; it was assumed any hardware on it was trusted.

  13. Re:All of these have this flaw by Carewolf · · Score: 2

    But it requires LOCAL access. They could remotely disable the brakes after first installing a remote controlled device into the car. For christ sake, they could do that anyway, if they have local access and can install things in the car, they could just disable the brakes....

  14. Cars don't need a networked ECU. by dicobalt · · Score: 2

    Stop it, just stop. Stop connecting networked systems to the ECU, it's fuggin stupid. Stop being stupid.

  15. Re:All of these have this flaw by arglebargle_xiv · · Score: 2

    Exactly. Here's another serious flaw in cars:

    The vulnerability affects the petrol tank that's deployed in modern cars and used to hold fuel that runs the vehicle's internal components. The flaw was discovered by college students everywhere, and involves pouring sugar into it. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a petrol tank standard design choice that makes it unpatchable.

    Then there's the "penknife in the side wall of the tires" flaw, the "pull the distributor cap/spark plugs/ignition wiring flaw", the ...

  16. Re:All of these have this flaw by Immerman · · Score: 2

    >you are into fully autonomous driving ...

    I didn't see anything about that - all they initially mentioned was "drive by wire", where there's no direct mechanical linkage between the driver and the car - something which is becoming increasingly common. Just that, and an internet-connected... anything on the same bus, and a hijacker could potentially crash the car at will. Lane assist, etc. might make the attack easier, but then again all they really have to do is spoof the gas pedal sending a "maximum acceleration" signal for a while, and then spoof a "steering wheel is turning".

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  17. Re:All of these have this flaw by The+Cynical+Critic · · Score: 3, Insightful

    There's just a "tiny" problem with that... It's called segmentation and encrypted traffic. A number of American and Japanese manufacturers don't really protect their CAN bus traffic at all, but European manufacturers have generally been doing this for well over a decade. Segmenting the CAN bus network is something especially the Germans started doing a long time ago, though less as an anti-sabotage measure and more as an anti-theft measure when they found that eastern European car thieves were opening doors by connecting the side view mirror's CAN bus port and getting the ignition going by connecting to the CAN bus port in the front passenger footwell. Encryption is a specialty of Volvo's as they tend to have all the data going in the CAN bus encrypted and it's a long and complicated process to get the system to renew the encryption keys whenever you need to replace something that needs to communicate over the CAN bus. Seriously though, reading this feels like reading an article from a few years ago when people went crazy over the Jeep hack.

    --
    "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."