The FBI Warns That Car Hacking Is a Real Risk | WIRED

It’s been eight months since a pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device when they remotely killed the transmission of a 2014 Jeep Cherokee (news also noted in this blog). Now the FBI has caught up with that news, and it’s warning Americans to take the risk of vehicular cybersabotage seriously.

The WIRED article The FBI Warns That Car Hacking Is a Real Risk (http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/) reports that, in a public service announcement issued together with the Department of Transportation and the National Highway Traffic and Safety Administration, the FBI on Thursday released a warning to drivers about the threat of over-the-internet attacks on cars and trucks.

We are really entering the era of Internet of Exploits.

The FBI and DOT’s advice includes keeping automotive software up to date and staying aware of any possible recalls that require manual security patches to your car’s code. You should also avoid any unauthorized changes to a vehicle’s software and be careful about plugging insecure gadgets into the car’s network.

 

20 Comments

  1. Tomi Engdahl says:

    Forces Clash over Auto Cyber Security
    In pursuit of evidence-based testing
    http://www.eetimes.com/document.asp?doc_id=1329750

    The computer industry has long known that there is no such thing as a computer that won’t get hacked. If Tesla is a computer on wheels, as many would say, then it’s hackable.

    The attack surfaces of current and future connected cars are myriad (ranging from unprotected buses and communication channels to downloaded apps and firmware updates), offering hackers a million different scenarios to exploit.

    Automotive engineers today “are wide awake” to the potential of cybersecurity, said Mike Ahmadi, global director, critical systems security, Synopsys Software Integrity Group.

    With a growing number of connected cars and coming autonomous cars planned for rollout, automakers know they have a bullseye on their back. They know hackers are eager to hack cars. Security researchers like Billy Rios say, “I’d love to do it even if I had to do it free.”

    The question now is how best to deal with this imminent threat.

    A group of 60 engineers — including those at carmakers and tier ones — have banded together and formed a “cybersecurity testing requirements task force,” according to Ahmadi. Two months ago, Ahmadi was invited to chair the group, which is now officially approved and placed under the SAE Vehicle Cybersecurity Systems Engineering Committee.

    They believe the answer lies in testing — testing not just functional safety but also non-functional safety. And they believe in documentation and standards.

    It’s easy to roll your eyes when you hear about yet another industry group drafting industry standards. But when it comes to cybersecurity, Ahmadi believes that the new task force is an essential step in the development of automotive robotics.

    The goal of the new group is “evidence-based testing and evaluation procedures for connected cars,” he explained.

    Reply
  2. Tomi Engdahl says:

    Symantec Wants to Protect Your Car From Zero-Day Attacks
    http://www.securityweek.com/symantec-wants-protect-your-car-zero-day-attacks

    Symantec this week introduced a new IoT security solution specifically designed to protect connected vehicles from zero-day attacks and never-before-seen threats.

    News of Symantec’s undertaking comes just a few months after the FBI released a warning on remotely exploitable cyber vulnerabilities that affect modern motor vehicles.

    Researchers have demonstrated over the past years that vehicles such as the Toyota Prius, Tesla Model S, Jeep Cherokee, and Nissan Leaf are exposed to hacker attacks due to vulnerabilities in connected systems.

    Symantec Expands IoT Security Portfolio to Connected Cars

    Just last week, researchers from the UK discovered that the mobile applications for the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) are plagued by vulnerabilities that can be exploited by hackers to remotely control some of the car’s features.

    The new Symantec Anomaly Detection for Automotive leverages machine learning technology to provide “passive in-vehicle security analytics” that monitor all Controller Area Network (CAN) bus traffic without disrupting vehicle operations, learn what normal behavior is and flag anomalous activity that may indicate an attack.

    “Connected cars offer drivers conveniences such as navigation, remote roadside assistance and mobile internet hot spots,” Symantec said. “There will be 220 million connected cars on the road in 2020, according to Gartner. While new technologies promise to enhance the driving experience, these advancements also create avenues of attack for hackers that can endanger drivers and passengers.”

    “Automotive security threats have gone from theory to reality,” said Shankar Somasundaram, senior director of product management and engineering at Symantec. “The infrastructure and technology that already helps protect billions of devices and trillions of dollars now protects the car.”

    Symantec currently protects more than 1 billion connected IoT devices through its portfolio of IoT security offerings.

    In August 2014, a group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.

    Reply
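The passive monitoring described in the comment above (watch CAN traffic, learn what is normal, flag deviations) can be sketched with a simple per-ID timing baseline. This is an added example, not Symantec's product or algorithm: a fixed timing rule stands in for machine learning, and the candump-style log lines, CAN IDs and thresholds are constructed assumptions.

```python
"""Per-ID timing baseline for CAN traffic (added example, constructed data)."""
import re
from collections import defaultdict
from statistics import mean

# candump log line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#[0-9A-Fa-f]*$")


def parse(line):
    """Return (timestamp, can_id) or None for a line that is not a frame."""
    m = LINE_RE.match(line.strip())
    return (float(m.group(1)), int(m.group(2), 16)) if m else None


def learn(lines, min_gaps=5):
    """Learn the mean inter-arrival time of every periodic CAN ID."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in filter(None, map(parse, lines)):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: mean(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def detect(baseline, lines, fast=0.5, silent=3.0):
    """Flag unknown IDs, frames arriving much faster than learned, and
    learned IDs that have stopped appearing by the end of the capture."""
    alerts, last, end = [], {}, None
    for ts, can_id in filter(None, map(parse, lines)):
        end = ts
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < fast * baseline[can_id]:
            # Extra frames on a periodic ID shorten the gap between frames.
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    for can_id, period in baseline.items():
        seen = last.get(can_id)
        # An ECU that has left the bus no longer sends its periodic frames.
        if end is not None and (seen is None or end - seen > silent * period):
            alerts.append((end, can_id, "silent"))
    return alerts


def make_log(schedule, extra=()):
    """Build constructed candump-style lines.
    schedule: {can_id: (period_us, stop_us)}; extra: [(time_us, can_id)]."""
    frames = [(t, cid) for cid, (period, stop) in schedule.items()
              for t in range(0, stop, period)]
    frames += list(extra)
    return [f"({t / 1e6:.6f}) can0 {cid:03X}#0000000000000000"
            for t, cid in sorted(frames)]


# Constructed sample traffic: 0x0C9 every 10 ms, 0x1F4 every 100 ms.
TRAINING = make_log({0x0C9: (10_000, 1_000_000), 0x1F4: (100_000, 1_000_000)})
# Monitored capture: three extra 0x0C9 frames, one never-seen ID,
# and 0x1F4 going quiet after 0.4 s.
MONITORED = make_log(
    {0x0C9: (10_000, 1_000_000), 0x1F4: (100_000, 500_000)},
    extra=[(203_000, 0x0C9), (213_000, 0x0C9), (223_000, 0x0C9),
           (600_500, 0x555)],
)
BASELINE = learn(TRAINING)

if __name__ == "__main__":
    for ts, can_id, reason in detect(BASELINE, MONITORED):
        print(f"{ts:.6f} id=0x{can_id:03X} {reason}")
```
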
  3. Tomi Engdahl says:

    Why you should wrap your keys in aluminum foil
    http://www.foxnews.com/tech/2015/10/24/why-should-wrap-your-keys-in-aluminum-foil.html

    Your car is always listening. Not for your voice, like the Amazon Echo or Siri, but for an electronic signal, such as the coded “unlock” signal from your electronic key fob. If it’s a newer car model, you might not have to press any buttons; just approach your car and the doors will unlock automatically. In some cars, the engine will even turn on.

    Wirelessly unlocking your car is convenient, but it comes at a price. Criminals can easily intercept the key fob’s signal and open your car without setting off any alarms. If you have a true keyless car model, they might be able to just drive away. Let’s look at how criminals pull this off and what you can do to keep your car safe.

    A key fob uses a computer chip to create a unique code that it sends to your car’s security system. The car also has a chip that uses the same algorithm to generate codes. If the codes match up, the car opens. There’s a bit more to it, but those are the basics.

    Since each key fob/car security pair is unique, and each one can create billions of codes, hackers shouldn’t stand a chance. But it turns out that a popular system from Megamos Crypto isn’t as secure as everyone thought.

    Researchers at Radboud University in the Netherlands and the University of Birmingham found that by intercepting the wireless signal just twice, they could narrow down the possible combinations from billions to just 200,000. After that, a computer can figure out the code in just half an hour and unlock the car.

    In a real-world application, a thief could sit on a street and gather wireless signals as car owners enter and exit their vehicles. Then overnight they could steal a number of cars.

    Still, it takes a skilled car thief or hacker to carry out this kind of attack, so the odds of it happening to you are slim.

    Always-on key fobs present a serious weakness in your car’s security. As long as your keys are in range, anyone can open the car and the system will think it’s you. That’s why newer car models won’t unlock until the key fob is within a foot of them.

    But for less than $100, criminals can get an amplifier that detects key fob signals from up to 300 feet away and then transmits them to your car. In other words, your keys could be in your house, and criminals could walk up to your car and open it. This isn’t just a theory; it’s actually happening.

    Fortunately, there are some simple steps you can take to keep hackers from stealing your signal. You can buy a signal-blocking pouch that can hold your keys

    If you don’t want to spend any money, you can stick your key fob into the refrigerator or freezer. The multiple layers of metal will block your key fob’s signal.

    If you’re not hot on freezing your key fob, you can do the same thing with your microwave oven. (Hint: Don’t turn it on.)

    You should also be aware that this kind of signal stealing isn’t a problem just for car key fobs. Newer passports and other I.D. cards contain radio frequency identification chips

    Reply
  4. Tomi Engdahl says:

    ‘Unhackable’ car security system takes just half an hour to crack
    http://www.komando.com/happening-now/329328/unhackable-car-security-system-takes-just-half-an-hour-to-crack

    Remote keyless entry was once a luxury, but today it’s rare to find a car that doesn’t have it. Given that it’s everywhere, you would expect that any possible kinks have been worked out, but you’d be wrong.

    In fact, a popular model of keyless entry that uses a Megamos Crypto transponder turns out to be not as secure as car makers thought. It leaves Volkswagen, Chevy, Audi, Fiat, Honda, Volvo, Porsche, Cadillac and other car brands vulnerable to thieves.

    The problem lies in the way the transponder and fob exchange the code that tells the system to unlock. The system is supposed to have billions of possible code combinations, which make it impossible to crack.

    However, researchers at Radboud University in the Netherlands and the University of Birmingham found that by intercepting the wireless signal just twice, they could narrow it down to 200,000 combinations. From there, it only takes half an hour for a computer to find the right one and unlock the car.

    Reply
  5. Tomi Engdahl says:

    Car thieves’ scary new tool
    http://www.komando.com/happening-now/304689/car-thieves-scary-new-tool

    The days of using a key to open your car door and start the engine are just about done. Even “old” cars have wireless entry with a button press on a key fob, and on newer cars you don’t even need to press a button.

    When you get an always-on key fob in range of a newer car, the fob and car connect wirelessly, which unlocks the car and even lets you start the engine with the push of a button.

    The risk being that a thief could amplify the signal between the key fob and the car, and then drive off with it while you’re at home or in the grocery store.

    Reply
  6. Tomi Engdahl says:

    Yes, You Should be Hacking Your Car’s Data System
    http://hackaday.com/2016/07/27/yes-you-should-be-hacking-your-cars-data-system/

    If you own a car, I would wager it’s the most complex device you own. Within you find locomotion, safety systems, and an entertainment system that may be using technology from several decades ago (but that’s a rant for a different article). Jalopy or Sweet Hotness, your ride has an underlying data network that is a ton of fun to hack, and something of a security dinosaur. Both were discussed by Craig Smith and Eric Evenchick during their talk on Car Hacking tools at Hope XI.

    You should recognize both of these names. Eric Evenchick is a Hackaday contributor who has been traveling the world presenting talks and workshops on his open source car hacking hardware called CANtact.

    CANtact
    The Open Source Car Tool
    http://linklayer.github.io/cantact/

    Reply
  7. Tomi Engdahl says:

    Do Automakers Still See Hackers as a Hoax?
    http://www.eetimes.com/document.asp?doc_id=1330684&

    Earlier this week, when the federal government’s automotive safety regulator laid out cybersecurity guidelines for carmakers, U.S. Transportation Secretary Anthony Foxx said that cybersecurity is “a safety issue and a top priority at the department.”

    Clearly, the government’s agency hopes to get ahead of potential attacks on vehicles, well before cybersecurity blows up in the face of connected cars. There is fear among regulators that a cybersecurity failure could irreparably damage the future of highly automated vehicles.

    But never mind the fed’s concerns.

    As it turns out, some of the best minds in the automotive industry don’t believe hackers are interested in cars.

    This perception is clear in survey results released Thursday by Ponemon Institute, the leading independent security research organization.

    U.S. DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity

    http://www.nhtsa.gov/About-NHTSA/Press-Releases/nhtsa_cybersecurity_best_practices_10242016

    Guidance covers cybersecurity best practices for all motor vehicles, individuals and organizations manufacturing and designing vehicle systems and software

    Reply
  8. Tomi Engdahl says:

    Save Big by Hacking Your Car Keys
    http://hackaday.com/2017/03/29/save-big-by-hacking-your-car-keys/

    Three hundred bucks for a new car key? Nonsense! When you lose your keys or want to have an extra made for that new teen driver, don’t let the stealership lighten your wallet. Just pull the ECU and hack some hex to add the new keys.

    The video below is a whirlwind tour of the process [speedkar9] uses to reprogram Toyota ECUs to allow new keys to pass the security test on your new(er) car. Since the early 2000s or so, most manufacturers have included RFID chips in their keys so that only known keys will start a car. In Toyotas, this is done by an RFID reader in the steering column that passes the inserted key’s code to the engine control unit. If the 8-byte key code matches one of three values stored in the ECU, the car will start.

    DIY: Immobilizer Hacking for Lost Keys or Swapped ECU
    http://www.instructables.com/id/DIY-Immobilizer-Hacking-for-Lost-Keys-or-Swapped-E/


    Here’s how to reprogram your car’s engine immobilizer to program new keys in the event of lost keys or a swapped ECU.

    Reply
  9. Tomi Engdahl says:

    Car Security Experts Dump All Their Research and Vulnerabilities Online
    http://hackaday.com/2017/05/14/car-security-experts-dump-all-their-research-and-vulnerabilities-online/

    [Charlie Miller] and [Chris Valasek] have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates, which were rolled out in response to their hacking of a Cherokee in 2015.

    FCA, the Corp that owns Jeep, had to recall 1.5 million Cherokees to deal with the 2015 hack, issuing them all a patch. However, the patch wasn’t all that great; it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interested in hacking or even just messing around with cars via the CAN bus.

    We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

    http://illmatics.com/carhacking.html

    Instead of buying books or paying an exorbitant amount of money to learn about car hacking, we (Charlie Miller and Chris Valasek) decided to publish all our tools, data, research notes, and papers to everyone for FREE!

    Reply
  10. Tomi Engdahl says:

    Tesla Model X Hacked by Chinese Experts
    http://www.securityweek.com/tesla-model-x-hacked-chinese-experts

    Security researchers from China-based tech company Tencent have once again demonstrated that they can remotely hack a Tesla. The vulnerabilities they leveraged were quickly patched by the carmaker.

    Tencent’s Keen Security Lab published a video last year showing how they could hack a Tesla Model S, both while it was parked and on the move. They took control of the sunroof, turn signals, displays, door locks, windshield wipers, mirrors, the trunk and even the brakes.

    At the time, Tesla patched the vulnerabilities within 10 days, but claimed that the vulnerabilities were not as easy to exploit as it appeared from the video published by Keen Security Lab researchers.

    In a new video and blog post published this week, the researchers claim they’ve once again managed to hack a Tesla, this time a Model X, via a Controller Area Network (CAN bus) and Electronic Control Unit (ECU) attack.

    New Car Hacking Research: 2017, Remote Attack Tesla Motors Again
    http://keenlab.tencent.com/en/2017/07/27/New-Car-Hacking-Research-2017-Remote-Attack-Tesla-Motors-Again/

    Reply
  11. Tomi Engdahl says:

    ICS-CERT Warns of CAN Bus Vulnerability
    http://www.securityweek.com/ics-cert-warns-can-bus-vulnerability

    The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on Friday to warn relevant industries about a vulnerability affecting the Controller Area Network (CAN) bus standard.

    CAN is a high-reliability serial bus communications standard. It’s present in most modern cars – it allows various components of a vehicle to communicate with each other – and it’s also used in the healthcare and other sectors.

    A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.

    A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks
    https://www.politesi.polimi.it/bitstream/10589/126393/1/tesi_palanca.pdf

    Reply
  12. Tomi Engdahl says:

    Auto Security: Do Feds Have Our Back?
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1332154

    Government agencies in the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned about vehicle cybersecurity.

    Consumers should be aware of the possibility of a hacker attack on their cars. We now know that what used to be considered a movie scenario — remote hacking — could be done.

    The current reality is that, while a variety of connectivity technologies have been transfused into cars, the equal and opposite security measures are yet to be deployed.

    Surely, car hacking is the last thing automakers want to mention as they push the connected cars into the vast consumer disconnect. But government watchdogs in both the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned.

    “Whether we’re turning vehicles into WiFi-connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks,” said Martin Callanan, a minister in the Department for Transport at the British government.

    He said this last week when the U.K. agency issued new guidelines, requiring manufacturers of Internet-connected vehicles to put in place tougher cyber protections to ensure a stronger shield against hackers.

    It isn’t just the U.K. The National Highway Traffic Safety Administration (NHTSA) in the United States also issued last fall the federal guidance to the automotive industry for improving motor vehicle cybersecurity.

    Questions that come to my mind include:
    1. Do the guidelines issued by NHTSA and British Department of Transportation have any teeth for security enforcement?
    2. More important, have they gone far enough to suggest effective cybersecurity measures for cars?
    3. What are the differences in the proposals of the two separate governments?

    A few experts, including Carter, pointed out that the U.K.’s guidance does not go far enough in the area of software updates after a vulnerability is discovered.

    Carter said, “The guidance merely states ‘organizations plan for how to maintain security over the lifetime of their systems.’”

    In his view, “Over The Air (OTA) updates should be a requirement for automobiles. It is impossible for a manufacturer to create a car that is free of vulnerabilities throughout the 10-20 year life of a car. Without OTA, automakers are relying on car owners to bring their cars into a repair shop every time a new vulnerability is discovered. This will leave many cars exposed to known attacks, while OTA would allow the fix to be pushed to the at-risk vehicles immediately.”

    Of course, car makers “will save a lot of money in recalls by offering OTA, so it is likely they will move to that technology on their own,” said Carter. Still, “I would have preferred the UK specify its use and not leave it so ambiguous.”

    Meanwhile, David Barzilai, chairman and co-founder of automotive cybersecurity firm Karamba Security, weighed in on the U.K. government’s guidance. While applauding pre-emptive action they might take, he pointed out that there is one area “we don’t feel these guidelines go far enough toward effectively preventing car hacking,” he said.

    Reply
  14. Tomi Engdahl says:

    Unpatchable ‘Flaw’ Affects Most of Today’s Modern Cars
    https://tech.slashdot.org/story/17/08/17/1825227/unpatchable-flaw-affects-most-of-todays-modern-cars

    A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that’s deployed in modern cars and used to manage communications between a vehicle’s internal components.

    Unpatchable Flaw Affects Most of Today’s Modern Cars
    https://www.bleepingcomputer.com/news/security/unpatchable-flaw-affects-most-of-todays-modern-cars/

    A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others.

    The vulnerability affects the CAN (Controller Area Network) protocol that’s deployed in modern cars and used to manage communications between a vehicle’s internal components.

    It will take a new generation of cars to patch the flaw

    The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro’s Forward-looking Threat Research (FTR) team.

    Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.

    Patching the issue means changing how the CAN standard works at its lowest levels. Researchers say car manufacturers can only mitigate the vulnerability via specific network countermeasures, but cannot eliminate it entirely.

    “To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented,” researchers say. “Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade.”

    Flaw leads to shutdown of various car components

    Special device needed to carry out local attacks

    The research team says that all it takes is a specially-crafted device that attackers have to connect to the car’s CAN bus through local open ports. The device reuses frames already circulating in the CAN rather than injecting new ones, generating errors and causing a denial-of-service in various car components.

    The Department of Homeland Security’s ICS-CERT has issued an alert regarding this flaw, albeit there is little to be done on the side of car makers.

    “The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles,” said ICS-CERT experts in an alert released last month.

    Reply
  15. Tomi Engdahl says:

    Alert (ICS-ALERT-17-209-01)
    CAN Bus Standard Vulnerability
    https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01

    SUMMARY

    NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack.

    ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations. ICS-CERT is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

    The report included vulnerability details and PoC exploit code for the following vulnerability:

    Vulnerability Type: Resource Exhaustion
    Remotely Exploitable: Automobile exploit; requires physical access
    Impact: Denial of Service

    CAN is widely used throughout the Critical Manufacturing, Healthcare and Public Health, and Transportation Systems sectors.

    Successful exploitation of the vulnerability on an automobile may allow an attacker with physical access and extensive knowledge of CAN to reverse engineer network traffic to perform a DoS attack disrupting the availability of arbitrary functions of the targeted device.

    The severity of the attack varies depending on how the CAN is implemented on a system and how easily an input port (typically OBD-II) can be accessed by a potential attacker. This attack differs from previously reported frame-based attacks, which are typically detected by IDS/IPS systems. The exploit focuses on recessive and dominant bits to cause malfunctions in CAN nodes rather than complete frames.

    The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles. ICS-CERT is currently coordinating with vendors and security researchers to identify mitigations.

    Reply
  16. Tomi Engdahl says:

    Federico Maggi / TrendLabs Security Intelligence Blog:
    Researchers find indefensible vulnerability in CAN protocol that controls airbags and sensors including antilock brakes in all modern vehicles — In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times.

    The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard
    http://blog.trendmicro.com/trendlabs-security-intelligence/connected-car-hack/

    In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved. But what should the security industry’s response be when a hack is found that is not only successful in being able to drastically affect the performance and function of the c

    We’ve anticipated initial questions you might have and provide answers below.

    Another “car hacking” proof of concept? What’s new about it?

    What’s new is that it’s an attack that disables a device (e.g., airbag, parking sensors, active safety systems) connected to the car’s device network in a way that is invisible to state-of-the-art security mechanisms.

    What is the main takeaway from this research?

    Gaining access to someone else’s vehicle has become a common situation, with many legitimate use cases. It is time that standardization bodies, decision makers, and car manufacturers take this change into account, and revise the design of the cyber-physical systems that govern future automobiles in order to secure them.

    Is my car affected?

    Likely, yes. Our attack is vendor neutral. However, specific vendors may take non-standard countermeasures to make the attack more difficult to carry out.

    Wasn’t the “Jeep hack” the most advanced attack so far?

    The “Jeep hack” was indeed very advanced and effective. However, currently available in-car cybersecurity technology (e.g., an aftermarket IDS/IPS) could detect such an attack because it requires frame-injection capability. In addition, car manufacturers could simply upgrade the software running on a car device to patch the vulnerabilities exploited by that attack.

    How long will it take for the car manufacturers to solve this problem?

    It’s not the car manufacturers’ fault, and it’s not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works. Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely. To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles.

    Reply
  17. Tomi Engdahl says:

    Watch An ‘Indefensible’ Car Hack Disable An Alfa Romeo’s Safety Systems
    https://www.forbes.com/sites/thomasbrewster/2017/08/17/alfa-romeo-car-hack-is-indefensible/#4c1106a95f96

    Car hacks are old hat nowadays, from a research perspective at least, but an attack that may affect pretty much every car manufacturer on the planet could be real cause for concern. It allows a hacker to disable vehicle safety systems, according to a report, and the researchers say it’s almost “indefensible” in many cases.

    Showcased by Politecnico di Milano, Linklayer Labs and Trend Micro staff, the attack is effectively a denial of service (DoS) on the car’s network, rendering features unusable. The hack worked by abusing the car’s network, known as the Controller Area Network (CAN) bus, which is responsible for communications between the vehicle’s various electronic control units (ECUs). By forcing enough errors on a particular system, it would simply shut down.

    What makes the attack particularly stealthy is that there’s no need for them to inject malicious data, an action that would likely trigger security systems looking out for anomalies. Instead, all the hackers had to do, after researching the various components of a vehicle, was determine how to trigger an error mechanism on the CAN bus by flipping a single bit (from 1 to 0). “It’s a carefully chosen bit, you have to know the right bit to flip,” explained researcher Federico Maggi. “Once you can fool the network to think a component is sending out too many errors, even though it isn’t really sending out errors, after a while it will get isolated so it can’t send or receive messages.”

    The hackers exploited an Alfa Romeo Giulietta to make the parking sensors unusable, having obvious ramifications for the safety of the driver.

    They’ve also released proof-of-concept code and a paper to prove the attacks work.

    A Vulnerability in Modern Automotive Standards and How We Exploited It
    https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf

    Reply
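
The error-counting isolation described in comment 17, as an added example that is not part of the original comments or the researchers' proof-of-concept: it replays per-frame transmit outcomes through the standard CAN fault-confinement counter (+8 per transmit error, -1 per success, bus-off above 255) and flags a node isolated by an unbroken error run while its peers stay healthy. The node names, the log format (a monitoring tap that attributes each outcome to a sender) and the `min_streak` threshold are assumptions.

```python
from dataclasses import dataclass

# CAN fault-confinement constants for a transmitting node (ISO 11898-1).
TX_ERROR_STEP = 8     # transmit error counter (TEC) increase per transmit error
TX_OK_STEP = 1        # TEC decrease per successful transmission
ERROR_PASSIVE = 128   # TEC above 127: node becomes error-passive
BUS_OFF = 256         # TEC above 255: node goes bus-off (isolated from the bus)

@dataclass
class NodeState:
    tec: int = 0
    streak: int = 0        # current run of consecutive transmit errors
    max_streak: int = 0    # longest run seen
    state: str = "error-active"

def replay(events):
    """Replay (node, outcome) pairs, outcome 'ok' or 'err'; return per-node state."""
    nodes = {}
    for node, outcome in events:
        n = nodes.setdefault(node, NodeState())
        if n.state == "bus-off":
            continue  # an isolated node no longer takes part in traffic
        if outcome == "err":
            n.tec += TX_ERROR_STEP
            n.streak += 1
            n.max_streak = max(n.max_streak, n.streak)
        else:
            n.tec = max(0, n.tec - TX_OK_STEP)
            n.streak = 0
        if n.tec >= BUS_OFF:
            n.state = "bus-off"
        elif n.tec >= ERROR_PASSIVE:
            n.state = "error-passive"
        else:
            n.state = "error-active"
    return nodes

def suspicious(nodes, min_streak=16):
    """Heuristic (assumption): bus-off after a long unbroken error run,
    while at least one other node on the same bus is still error-active."""
    healthy = [k for k, n in nodes.items() if n.state == "error-active"]
    return sorted(k for k, n in nodes.items()
                  if n.state == "bus-off" and n.max_streak >= min_streak and healthy)

# Constructed sample log: one node sees only errors, a peer sees ordinary traffic.
SAMPLE = ([("engine", "ok")] * 5 + [("park_sensor", "err")] * 32
          + [("engine", "err")] + [("engine", "ok")] * 3)
```

Thirty-two consecutive transmit errors are enough to take a node from a clean counter to bus-off, which is why a monitor should alert on the error run itself rather than wait for the node to fall silent.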
  18. Tomi Engdahl says:

    Federico Maggi / TrendLabs Security Intelligence Blog:
    Researchers find indefensible vulnerability in CAN protocol that controls airbags and sensors including antilock brakes in all modern vehicles — In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times.

    The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard
    http://blog.trendmicro.com/trendlabs-security-intelligence/connected-car-hack/

    Reply
  19. Tomi Engdahl says:

    Vehicle Cybersecurity: Where Rubber Meets Code
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1332183&

    Take a recent example of Fiat Chrysler’s recall of 1.3 million pickups due to a software bug. Imagine if hackers found that code first and began exploiting it.

    When it comes to vehicle cybersecurity, forget the old adage about safety in numbers. Just the opposite, for two reasons.

    First, as the number of connected vehicles soars, so does their attractiveness to hackers, simply because it’s a bigger pool of potential victims. Second, the amount of telematics hardware and software in each vehicle also is growing, which means more potential vulnerabilities for hackers to exploit.

    Today’s vehicles have an average of 100 million lines of code and 60 control units. That’s largely because automotive manufacturers are continually adding safety, entertainment, navigation and autonomous driving features. Another reason is the growing selection and usage of fleet telematics tools, which enable trucking companies, taxi services and other businesses to monitor their vehicles’ performance, driver behavior and cargo condition.

    The amount of code in each vehicle will continue to grow exponentially as automakers and aftermarket providers develop even more applications.

    Imagine if hackers found that code first and began exploiting it, such as by triggering airbags to deploy when the trucks hit highway speeds. Imagine if they did that to an entire fleet of vehicles, such as every van of a certain make and model owned by a major package delivery company. Or imagine if they used other code to enable a ransomware attack on the drivetrain, where the consumers and fleet owners with that model have to pay up to get their vehicles running again.

    Many of these and similar scenarios aren’t hypothetical, either. For example, in a proof-of-concept attack involving a Ford Escape and Toyota Prius, hackers remotely disabled the brakes and commandeered the steering wheel. That was four years ago. Since then, vehicles have added even more telematics software and hardware, creating even more potential vulnerabilities.

    Many vehicle cybersecurity challenges and attack vectors aren’t new. Instead, they’re retreads of ones that have plagued PCs, servers and other traditional IT systems.

    Scaling up risk
    To tap the widest possible market, telematics hardware needs to be inexpensive. Automakers and their enterprise customers scrutinize every penny when they’re assessing the business case for adding a telematics product to their vehicles.

    This situation creates cybersecurity risks. For example, “low-cost” often means just enough processing power and memory to perform core tasks, with little or nothing left over for handling security.

    A related issue is the hacker’s ultimate goal. It could be something totally unrelated to telematics, such as corporate servers that house product development information or employee Social Security numbers. In those cases, telematics is just a means to an end. But in others, telematics data is the target. For example, a hacker might want to learn about routes to facilitate hijacking of high-value cargo.

    Yet another scenario involves the emerging field of vehicle-to-vehicle (V2V) communications, where cars and trucks communicate with others nearby to, for example, avoid collisions. By 2022, half of new vehicles sold will be equipped with V2V, Juniper Research predicts. That’s 35 million vehicles, or about 2.7 percent of the market—still enough to be an attractive target for some hackers.

    One potential attack vector is to infect a few V2V-equipped vehicles with malware and then use them to spread it to every one they interact with. Remember the aforementioned scenario of consumers being unaware of their vehicles’ telematics systems? Those are an obvious place for hackers to target first.

    According to Juniper, “in order for V2V to be successful, OEMs must include cellular connectivity to provide OTA (Over-The-Air) firmware updates.” This strategy has potential advantages and disadvantages. It could increase security if, for example, automakers or third-party vendors automatically push out those updates, such as part of a managed service contract, rather than leaving fleet owners and consumers to download them. But it could undermine security if hackers capture those patches and updates OTA, and then use them to identify the vulnerability. Nearly a decade ago (2008), David Brumley’s team at Carnegie Mellon University demonstrated the automated generation of exploits from software patches.

    These are just a few examples of how, why and where the potential threat vectors for vehicle cyber attacks are rapidly expanding.

    Regular servicing allows the software to be kept up to date as patches or recalls are released. The National Highway Traffic Safety Administration (NHTSA) maintains a web site where people can sign up to receive recall notices on their vehicles.

    Reply
  20. Tomi Engdahl says:

    Automotive Security in a CAN
    http://www.electronicdesign.com/automotive/automotive-security-can?NL=ED-004&Issue=ED-004_20170919_ED-004_64&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=13035&utm_medium=email&elq2=8912711b09b4433abec4fedeab8a624a

    With car safety issues extrapolating due to the rapid increase in electronics, the automotive security market has been forced to immediately transition from effectively no security to robust security implementations.

    The automotive security market is at a clear inflection point—safety issues are forcing the industry to move from effectively no security to robust security implementations almost instantaneously. Many powerful market drivers and fast changing dynamics are putting security into the driver seat, especially when the driver isn’t a human.

    When any embedded system, especially a vehicle, becomes connected, the first thought should be “how secure is it?” For connected vehicles, until recently, security has been an afterthought at best. That fortunately is changing, which is important because vehicles are becoming largely defined by software as they evolve toward connected autonomous drive.

    As entrepreneur and software engineer Marc Andreessen famously said, “Software is eating the world.” If that is true, the next course will be served on wheels. It should be clear to any observer by now that software is already becoming the basis of automotive competition for automakers. Statistics show that software will become the main driver of an automaker’s profitability.

    Reply
