Skip to content
Naked Security Naked Security

Hackable flaw in connected cars is ‘unpatchable’, warn researchers

Potentially fatal flaw could take a generation of cars to eliminate - but is this a 'tempest in a thimble'?

The news for the motoring public was bad enough a few weeks ago: a team of researchers had demonstrated yet another hackable flaw in connected vehicles – in the Controller Area Network (CAN) bus standard – that could enable a Denial of Service (DoS) attack on safety systems including brakes, airbags and power steering.

Kind of a big deal, since the CAN is essentially the brain of the car – it handles a vehicle’s internal communication system of electronic control units (ECUs) that the researchers noted, “is driven by as much as 100,000,000 lines of code”.

And the news got worse this past week, with word that the flaw – which applies to virtually every modern car, not just a single brand or model – is unfixable. As Bleeping Computer put it, “this flaw is not a vulnerability in the classic meaning of the word … (It) is more of a CAN standard design choice that makes it unpatchable.” To patch it would require “changing how the CAN standard works at its lowest levels”.

To accomplish a redesign that would eliminate the flaw, the researchers concluded in their paper, titled “A Stealth, Selective Link-Layer Denial-of-Service Attack Against Automotive Networks”, would take an entire generation of vehicles.

Which is yet another ominous reminder that security remains an afterthought in too many industries. Instead of “security by design”, the mentality is that it will always be possible to “bolt it on” later. Except, in this case, it’s not possible.

The researchers’ attack worked by overloading the CAN with error messages, to the point where it was

… made to go into the Bus Off state, and thus rendered inert/inoperable. This, in turn, can drastically affect the car’s performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated.

Of course, the Department of Homeland Security’s ICS-CERT said in an alert about the flaw that the attack requires access to one of the vehicle’s local open ports.

Which has generated a fair amount of mockery about how dangerous this really is. A number of comments on the blog of security expert Bruce Schneier, who noted it this past week, said a hacker getting access to one of the ports in the interior of the car is about as likely as a passenger in the car grabbing the wheel – possible but highly improbable. One called it “a tempest in a thimble”.

But then another, with equal snark, noted that it might not be necessary to gain physical access to the vehicle, “if someone were daft enough to add wifi connectivity to CAN … or digital radio … or a mobile phone. But who would do such a thing?” he concluded, with links to stories here, here and here about all three being done.

Schneier said “we don’t know” whether attackers could get attack remotely or would need physical access, but added, “my bet is on remote”.

One of the researchers, Andrea Palanca, said he and his colleagues believe remote attacks are possible. “Simply the lack of time and budget planned for the project impeded us from trying a remote version,” he said. And he contended that the risks from the CAN bus flaw are vastly more than “a tempest in a thimble”.

There are cars currently circulating on roads capable of safety-critical partially autonomous functionalities which entirely rely over their CAN buses availability, and whose abrupt and, most of all, unexpected disruption could lead to life-threatening situations – let alone should CAN bus be employed as a backbone for completely autonomous vehicles.

The hope of the research is to instill awareness over the important limits that this design-level vulnerability introduces to CAN bus adoption in such high-reliability demanding situations.

Another member of the research team, Federico Maggi, added that a malicious attacker getting physical access to the vehicle is not as far-fetched as it might have been years ago. “With current transportation trends such as ride-sharing, carpooling, and car renting, the scenario where many people can have local access to the same car is now more commonplace,” he wrote, adding, “A paradigm shift in terms of vehicle cybersecurity must happen.”

And if it does, all it will take is a generation to achieve.


8 Comments

wouldn’t one of those insurance safe driving fobs be a vector to introduce malware? Corrupt one, plug it in (a la poisoned USB fobs)…

And what of 3rd party devices that plug into that port for vehicle diagnostics, insurance purposes, or a device that make a dumb car into a ‘smart car’? If the device were ‘modified’ by a bad actor and sold to the car owner, access wouldn’t be a problem.

The OBD II (On-Board Diagnostics version II) port below the steering wheel in every vehicle built after 1995 provides limited access to the CAN bus. WiFi devices which plug into the OBD II port are available from major sources like Amazon for $10-15. Bluetooth devices which provide the same access are available from as little as $3-4 from eBay but have limited range.

In computer security there’s the notion of limiting physical access. The assumption is made that if the black-hat gets into the server room all bets are off.

The same applies to these OBD II devices. If someone gets into your car and plugs one of these devices into your OBD II port and you don’t notice it, all bets are off. To suggest otherwise is unreasonable.

Getting access to one of the open ports is nearly impossible? Are people sure? I have just had Mercedes.me fitted to my car – as far as I can tell this plugs straight into the bus ports. The car is now talking to my mobile phone app exchanging data periodically. Now obviously this could be replaced by a more secure connection, but the idea that things are safe because of the requirement to access a local port is maybe a bit complacent. How do I know when I drive a rental car that there is not a malware infected dongle plugged into the bus. Do the rental companies check for things like this when cars are returned? I suspect not?

Er, isn’t every Tesla DESIGNED to do this as a means to update vehicle operating characteristics? If so, is this a case that it’s been too trivial a target to bother hacking, as was the case for Apple computers vs PCs some years ago, or are we just waiting for the other shoe to drop?

This flaw is complete nonsense and a non-issue. The access required is physical and if you can access the wiring harness enough to add devices to the OBD or Canbus you could just as easily plant any other kind of hazardous device.

TPMS (Tire Pressure Monitoring System) equipped vehicles, and vehicles with key-less entry systems are already using radio communication on standard frequencies with standard protocols, which all can be compromised. And these communications go directly to the heart of the ECU. And smartphone access to cars is on the rise. Remember that funny commercial: “Honey, have you closed the windows of our Buick?” [solved with a button-press on the phone…]

Its misleading to say, it is impossible to get physical access; there are several ways.
But the right question to ask is “what is the probability of you getting attacked” and “why would any attacker target you”?
As a IT Security person and my knowledge i would like to add couple of points:
1. Automotive system are designed in such a way that even if CAN communication fails or line breaks, vehicle has a fail safe mechanism which can bring the vehicle to stop state safety (using Mechanical components provide warning and gradually reduce the speed). OEMs are continuously working to control these scenarios by adding Intrusion Detection and Prevention Systems.
2. Its responsibility of vehicle owners also, to take our security and safety serious; ensuring to buy geniune and verified products (be it Insurance / Internet / Mobile control dongle, etc.). Don’t buy the cheap, china make devices available on the sheft.
Note: Researchers keep on posting new material on things / findings to get attention, personal benefits without suggesting concrete solutions and consequences on general people (normal people get scared).

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?