Hackers could take over a car's control networks with potentially fatal consequences.
A few months ago a report was published in the US that at first glance presented worrying news for the automotive industry. The report detailed experiments carried out by academics at two west coast universities which show that malicious hackers could break into and disrupt or take over a modern car's internal computer control networks - with potentially fatal consequences.
The experiments entailed gaining physical access to two models of the same 2009 unnamed make of car, and hacking into their networks via the On-Board Diagnostics (OBD) port, the SCART-like socket under the dashboard used by service technicians to assess the 'state of health' of the car's various subsystems. It's via this port that any faults and so on are identified when the car undergoes its annual service, for example, and any car these days with some form of electronic control has one.
In the real world, a hacker would first of course have to get past a modern car's access security systems - programmed ignition keys, alarms, immobilisers and so on. Even then there is the moot point of whether it's actually worth the bother of hacking into a single car. But, as the researchers say, 'Someone - such as a mechanic, a valet, a person who rents a car, an ex-friend, a disgruntled family member or the car owner - can, with even momentary access to the vehicle, insert a malicious component into a car's internal network via the OBD port.'
Controller Area Network
The focus of concern here is a modern car's Controller Area Network (CAN), a vehicle bus standard that allows the car's 70 or so electronic control devices to communicate with each other without the need for a host computer, and to which the OBD port is connected.
CAN uses a message-based protocol but, as the researchers point out, it has a number of inherent weaknesses: the broadcast nature of CAN packets, enabling malware to be sent to all nodes on the network; its extreme vulnerability to denial-of-service attacks; and the lack of authenticator or even source identifier fields, which means any component can indistinguishably send a packet to any other component. In addition, the CAN variant in the researchers' car uses two separate physical layers - a high-speed bus for the safety-critical powertrain systems, and a low-speed bus for less-demanding systems such as the radio and air conditioning.
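As an added illustration, not code from the researchers or from this article, the following Python sketch shows what the missing source field means for a defender. A monitor sitting on the bus cannot check who sent a frame, so it has to fall back on what it can observe: which arbitration IDs appear and how often. The sketch learns each ID's normal period from a clean capture and then flags IDs it has never seen and IDs arriving far faster than normal, which is how a flood or a second node repeating a known ID shows up. The candump-style log format, the arbitration IDs and the traffic schedules are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# candump -l style line: "(timestamp) interface ID#DATA"; the samples below are constructed.
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_frame(line):
    """Return (timestamp, arbitration_id, payload). Note what is NOT here: no sender field."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAN log line: {line!r}")
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])

def make_capture(schedule, duration, iface="can0"):
    """Constructed traffic: schedule = [(arbitration_id, period_s, offset_s, payload_hex), ...]."""
    frames = []
    for cid, period, offset, payload in schedule:
        t = offset
        while t < duration:
            frames.append((round(t, 6), cid, payload))
            t += period
    frames.sort()
    return [f"({t:.6f}) {iface} {cid:03X}#{payload}" for t, cid, payload in frames]

def learn_periods(lines):
    """Baseline from a clean capture: median inter-arrival time per arbitration ID."""
    last, gaps = {}, defaultdict(list)
    for line in lines:
        ts, cid, _ = parse_frame(line)
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items()}

def detect(lines, baseline, speedup=1.5):
    """Flag IDs absent from the baseline, and IDs arriving 'speedup' times faster than learned.
    Every node hears every frame, so this passive view is all a monitor has to go on."""
    last, gaps, unknown = {}, defaultdict(list), set()
    for line in lines:
        ts, cid, _ = parse_frame(line)
        if cid not in baseline:
            unknown.add(cid)
        elif cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    alerts = [("unknown_id", cid) for cid in sorted(unknown)]
    for cid, g in sorted(gaps.items()):
        if statistics.median(g) < baseline[cid] / speedup:
            alerts.append(("rate_anomaly", cid))
    return alerts

# Constructed schedules: two periodic IDs, then the same traffic with a second node repeating a
# known ID out of phase, plus a flood on ID 0x000, which wins every arbitration on a CAN bus.
CLEAN_SCHEDULE = [(0x1A0, 0.010, 0.000, "0050"), (0x2B0, 0.020, 0.003, "1122")]
ATTACK_SCHEDULE = CLEAN_SCHEDULE + [(0x1A0, 0.010, 0.005, "FFFF"), (0x000, 0.001, 0.0005, "00")]

if __name__ == "__main__":
    baseline = learn_periods(make_capture(CLEAN_SCHEDULE, 1.0))
    for alert in detect(make_capture(ATTACK_SCHEDULE, 1.0), baseline):
        print(alert)
```

The limitation is the point: because a frame carries nothing that authenticates its origin, a monitor that relies on timing alone cannot tell a forged frame that arrives exactly on the legitimate schedule from the genuine one, which is why the experts quoted later in the article argue for segregating the networks rather than relying on detection on the bus alone.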
The CAN standard defines the high-speed network as the more trusted of the two, and states that gateways between the two networks must only be reprogrammable from this network. But in the researchers' car the telematics unit, for one, connects to both networks and yet can only be reprogrammed from the low-speed network. As they say, 'We verified that we could bridge these networks by uploading code to the telematics unit from the low-speed network that, in turn, sent packets on the high-speed network.'
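The rule described above, that the high-speed network is the trusted side and a gateway between the two buses may only be reprogrammed from it, can be written down as an explicit forwarding policy. The following Python model is an added example, not code from the researchers, the article or any car maker: a gateway that forwards only an allow-list of IDs from the low-speed to the high-speed bus, mirrors only chosen IDs the other way, and refuses reprogramming requests that do not arrive on the trusted bus. The arbitration IDs, payload limits and the reprogramming request ID are constructed placeholders. The same policy is the kind of logical barrier between infotainment and control systems that Becker calls for later in the article.

```python
from dataclasses import dataclass

HIGH, LOW, LOCAL = "high-speed", "low-speed", "gateway"

@dataclass(frozen=True)
class Frame:
    can_id: int     # arbitration ID; CAN carries no sender field, so policy can only key on this
    data: bytes

class Gateway:
    """Model of a two-bus gateway that treats the high-speed (powertrain) bus as the trusted side.
    All IDs and limits below are constructed placeholders, not values from any real vehicle."""

    def __init__(self):
        # The only IDs the low-speed side may place on the trusted bus, with a maximum payload
        # length for each, so a permitted ID cannot be used to carry an oversized blob.
        self.low_to_high = {0x3C0: 2}          # e.g. a steering-wheel button for the cluster
        # IDs mirrored from the trusted bus to the low-speed side (read-only for that side).
        self.high_to_low = {0x1A0}             # e.g. vehicle speed for the infotainment display
        # Diagnostic / reflash session requests are handled by the gateway itself and, per the
        # rule the article cites, honoured only when they arrive on the trusted bus.
        self.reprogram_ids = {0x700}
        self.dropped = []                      # (frame, from_bus, reason) for the audit log

    def _drop(self, frame, from_bus, reason):
        self.dropped.append((frame, from_bus, reason))
        return None

    def route(self, frame, from_bus):
        """Return the destination (HIGH, LOW or LOCAL) or None when the frame is not forwarded."""
        if frame.can_id in self.reprogram_ids:
            if from_bus != HIGH:
                return self._drop(frame, from_bus, "reprogramming request from untrusted bus")
            return LOCAL
        if from_bus == LOW:
            limit = self.low_to_high.get(frame.can_id)
            if limit is None:
                return self._drop(frame, from_bus, "id not on low-to-high allow-list")
            if len(frame.data) > limit:
                return self._drop(frame, from_bus, "payload exceeds allowed length")
            return HIGH
        if from_bus == HIGH:
            # Default deny in this direction too: only mirrored IDs cross, the rest stay put.
            return LOW if frame.can_id in self.high_to_low else None
        raise ValueError(f"unknown bus {from_bus!r}")

if __name__ == "__main__":
    gw = Gateway()
    # A low-speed node speaking with a high-speed ID is the bridging the researchers observed;
    # under this policy it never reaches the trusted bus.
    print(gw.route(Frame(0x1A0, b"\x00\x50"), LOW))   # None
    print(gw.route(Frame(0x700, b"\x10\x02"), LOW))   # None
    print(gw.route(Frame(0x700, b"\x10\x02"), HIGH))  # gateway
    print(gw.route(Frame(0x3C0, b"\x01\x00"), LOW))   # high-speed
    for frame, bus, reason in gw.dropped:
        print(f"dropped {frame.can_id:03X} from {bus}: {reason}")
```

The value of writing the policy down is that it becomes checkable: a component that connects to both buses but accepts reprogramming from the low-speed side, as the telematics unit in the researchers' car did, fails the first check in route().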
What is worse, they found that many of the car's control units deviate from their own security standards: 'In several cases, our car's protocol standards do prescribe risk-mitigation strategies with which components should comply. However, our experimental findings revealed that not all components in the car always follow these specifications.'
The researchers' findings come as no surprise to some people. Hanns Peter Becker, an automotive expert at PA Consulting, says, 'I'm not surprised by this research because anyone who is familiar with CANbus knows that what few security standards are in place are not being followed. CANbus is inherently unsafe - it has only a 16-bit key length, which is pretty easy to hack, and the key combinations are well known to the hacker community.
'Nevertheless, the car industry should at least implement the security features available, which apparently it has failed to do.'
Even so, the researchers themselves say, 'We believe that car owners should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our paper and we are unaware of any attackers who are even targeting automobiles at this time.
'However, we do believe that our work should be read as a wake-up call [and that] it is time to focus squarely on addressing potential automotive security issues to ensure that future cars will be able to offer commensurately strong security guarantees as well.'
But physical access is not their only concern. 'The other vector [of attack] is via the numerous wireless interfaces implemented in the modern automobile. In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance [...] we wish to be clear that vulnerabilities in such services are not purely theoretical,' they say.
'We have developed the ability to remotely compromise key [control units] in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises and ultimately monitor and control our car remotely over the Internet.'
It is this issue of broader connectivity that's exercising the minds of some experts. As Becker says, 'The key points here are the potential risks posed by consumer electronics such as iPods, and the need to segregate the in-car "infotainment" systems from the car's safety-critical control network. From a functionality point of view you have some features that are linked to the car's CANbus network, for example your MP3 track listing or cellphone numbers shown in the instrument cluster display, which means using the CAN network.
'So you have to ensure effective barriers between the control systems - particularly those that are safety-critical - and the other on-board systems. This has to be done in a logical system architecture, as it can't be done physically,' he says.
'I think this issue will really become important in, say, the next five to 10 years, and for two main reasons. First, there is the fact that telematics services such as OnStar that include remote car control functionality are very popular in the US, which itself makes it an issue. Second, with regard to plug-in hybrid and electric cars - the second generation of them in particular - features such as "drive by mile" mean they will be on the grid for long hours while charging.'
But to some minds this connectivity will bring positive opportunities. For example, Dr James Marco of Cranfield University's department of automotive engineering says, 'I can see a business model emerging whereby car owners might be able to buy and download features such as cruise control and voice recognition, as well as other infotainment systems, say. I can see an argument for targeting lower-end vehicles here, as these tend to be bought by younger people who are more likely to buy products in this way - they are more used to this world than older people.'
According to both Becker and Dr Marco though, the real question at the moment is what the risk is here, and therefore where it will come from. They and the car makers point out that, in the networked traffic infrastructure of the future - where the security of a myriad of systems is beyond the car makers' control - there's only so much the automotive industry can do to protect cars from hacking; the rest has to be the responsibility of those providing and managing the transport system.
But they all insist that hacking into vehicles and the wider infrastructure will not become an issue, as it has with PCs and the Internet. As Becker says, 'You have to prevent hackers breaking in, in any way and no matter what.'
Yet with international standards for vehicle systems security still only under consideration, and computer security companies still largely unfamiliar with the needs of the transport industry, it looks like there's a long and winding road ahead.