The news for the motoring public was bad enough a few weeks ago: a team of researchers had demonstrated yet another hackable flaw in connected vehicles – in the Controller Area Network (CAN) bus standard – that could enable a Denial of Service (DoS) attack on safety systems including brakes, airbags and power steering.
Kind of a big deal, since the CAN is essentially the brain of the car – it handles a vehicle’s internal communication system of electronic control units (ECUs) that, the researchers noted, “is driven by as much as 100,000,000 lines of code”.
And the news got worse this past week, with word that the flaw – which applies to virtually every modern car, not just a single brand or model – is unfixable. As Bleeping Computer put it, “this flaw is not a vulnerability in the classic meaning of the word … (It) is more of a CAN standard design choice that makes it unpatchable.” To patch it would require “changing how the CAN standard works at its lowest levels”.
A redesign that would eliminate the flaw, the researchers concluded in their paper, titled “A Stealth, Selective Link-Layer Denial-of-Service Attack Against Automotive Networks”, would take an entire generation of vehicles.
Which is yet another ominous reminder that security remains an afterthought in too many industries. Instead of “security by design”, the mentality is that it will always be possible to “bolt it on” later. Except, in this case, it’s not possible.
The researchers’ attack worked by overloading the CAN with error messages, to the point where it was “… made to go into the Bus Off state, and thus rendered inert/inoperable. This, in turn, can drastically affect the car’s performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated.”
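To make the Bus Off mechanism concrete, here is an added example (not from the researchers' paper or the original article) that models the CAN standard's transmit error counter for a single ECU. The +8/-1 steps and the 128/256 thresholds are the standard's fault-confinement rules; the function names and the constructed frame sequences are illustrative assumptions.

```python
from enum import Enum

class NodeState(Enum):
    ERROR_ACTIVE = "error-active"    # normal operation
    ERROR_PASSIVE = "error-passive"  # still on the bus, with restrictions
    BUS_OFF = "bus-off"              # node has disconnected itself from the bus

# Fault-confinement constants defined by the CAN standard.
TX_ERROR_PENALTY = 8      # added to the counter on each failed transmission
TX_SUCCESS_CREDIT = 1     # subtracted on each successful transmission
PASSIVE_THRESHOLD = 128
BUS_OFF_THRESHOLD = 256

def classify(tec):
    """Map a transmit error counter (TEC) value to the node state."""
    if tec >= BUS_OFF_THRESHOLD:
        return NodeState.BUS_OFF
    if tec >= PASSIVE_THRESHOLD:
        return NodeState.ERROR_PASSIVE
    return NodeState.ERROR_ACTIVE

def replay(outcomes):
    """Replay per-frame outcomes (True = sent OK, False = transmit error).

    Returns (final_state, final_tec, transitions), where transitions is a
    list of (frame_number, new_state). Replay stops at the first bus-off.
    """
    tec, state, transitions = 0, NodeState.ERROR_ACTIVE, []
    for frame_number, sent_ok in enumerate(outcomes, start=1):
        tec = max(0, tec - TX_SUCCESS_CREDIT) if sent_ok else tec + TX_ERROR_PENALTY
        new_state = classify(tec)
        if new_state is not state:
            transitions.append((frame_number, new_state))
            state = new_state
        if state is NodeState.BUS_OFF:
            break
    return state, tec, transitions

def frames_until_bus_off(outcomes):
    """Frame number at which the node goes bus-off, or None if it never does."""
    state, _, transitions = replay(outcomes)
    return transitions[-1][0] if state is NodeState.BUS_OFF else None

# Constructed sample traffic (not captured from a vehicle).
SUSTAINED = [False] * 40                      # every frame errors
ONE_IN_FOUR = [False, True, True, True] * 60  # 25% of frames error
ONE_IN_TEN = ([False] + [True] * 9) * 60      # 10% of frames error
```

The asymmetry is the point: occasional errors are absorbed, but a node whose frames fail more often than about one in nine accumulates counter value and eventually silences itself, which is the state transition a bus monitor would want to alert on.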
Of course, the Department of Homeland Security’s ICS-CERT said in an alert about the flaw that the attack requires access to one of the vehicle’s local open ports.
Which has generated a fair amount of mockery about how dangerous this really is. A number of comments on the blog of security expert Bruce Schneier, who noted it this past week, said a hacker getting access to one of the ports in the interior of the car is about as likely as a passenger in the car grabbing the wheel – possible but highly improbable. One called it “a tempest in a thimble”.
But then another, with equal snark, noted that it might not be necessary to gain physical access to the vehicle, “if someone were daft enough to add wifi connectivity to CAN … or digital radio … or a mobile phone. But who would do such a thing?” he concluded, with links to stories about all three being done.
Schneier said “we don’t know” whether attackers could mount the attack remotely or would need physical access, but added, “my bet is on remote”.
One of the researchers, Andrea Palanca, said he and his colleagues believe remote attacks are possible. “Simply the lack of time and budget planned for the project impeded us from trying a remote version,” he said. And he contended that the risks from the CAN bus flaw are vastly more than “a tempest in a thimble”.
“There are cars currently circulating on roads capable of safety-critical partially autonomous functionalities which entirely rely over their CAN buses availability, and whose abrupt and, most of all, unexpected disruption could lead to life-threatening situations – let alone should CAN bus be employed as a backbone for completely autonomous vehicles.
“The hope of the research is to instill awareness over the important limits that this design-level vulnerability introduces to CAN bus adoption in such high-reliability demanding situations.”
Another member of the research team, Federico Maggi, added that a malicious attacker getting physical access to the vehicle is not as far-fetched as it might have been years ago. “With current transportation trends such as ride-sharing, carpooling, and car renting, the scenario where many people can have local access to the same car is now more commonplace,” he wrote, adding, “A paradigm shift in terms of vehicle cybersecurity must happen.”
And if it does, all it will take is a generation to achieve.