Not surprised. I built automotive test benches for some time. The moment you have something that can remote-access the CAN-bus, you have a problem.
There are typically only a few busses in a car. In many cases, there is a LIN bus for entertainment / radio / lights etc that is physically separated from the main CAN bus. This one is mostly harmless.
But if you can somehow talk to the main bus... There are like 5 critical ECUs that have to communicate "I'm OK" (engine, breaks etc) - otherwise nothing works. Those communicate with some minor encryption, and that communication is somewhat validated (they send counters to each other etc).
But it doesn't matter. First of all, the protocols and databases are similar for different models, and known to A LOT of people who had jobs similar to mine. In order to test or build any ECU, you have to simulate the correct communication, otherwise the ECU won't start up.. Second, just sending nonsense with the right identifier could probably shut down the car or at least make it think there is a major problem. Third, there are messages that simulate power-cycling the bus..
Scary stuff. We connected light bulbs to the internet so people could turn them on and off with their phones, and they were hacked and turned into a botnet[1]. Okay, fine, maybe your "smart" bulbs blink or burn out, and you replace them with "dumb" bulbs.
Why, exactly, do people think it's a good idea to connect cars' engines to the internet? If something is exposed to hostile input, it will eventually be hacked, and if there are 100,000 identical things out there, they will all be hacked at once. Unfortunately, I think it will take something like all Teslas accelerating uncontrollably off the road, because some teenager was bored, for people to get it.
My guess is that in a decade you’ll be using an OBD device for time and distance based metering, or pay a heavy surcharge for LPR based location only systems.
Transponder systems like EZPass have a business model too expensive to scale.
If the LIN bus can access lights, and is bundled up with IMHO unrelated systems like radio/entertainment then that seems wrong by design. I say this as if somebody can remotely control your lights on a car, that in itself at the wrong time could and would prove dangerous.
Was introduced as a cheaper alternative to CAN, and to be used for non-critical aspects of cars (intended). Though seat controls are listed as common use for it. Which with some occupants and cars with the seatbelt - would enable the seat to pull the driver away from the controls. So whilst not directly deemed critical - certainly a vector of concern in some permutations of seat/driver position (thinking large 4x4's driven by small people who end up having the seat fully forward and raised, as an example).
My initial concern was the main lights, though as you cleared that up to just internal lighting - that again could prove a problem as dark roads, a sudden change in internal lighting would from internal glare reduce visibility.
Biggest take away is that the LIN bus has no form of encryption and the only verification would be checksums upon the data packet.
I'm sure we will read more about LIN over the years as the ability for car makers to cut-corners is not unheard of and as LIN is cheaper to implement than CAM, can see how that may well play out.
>Though seat controls are listed as common use for it. Which with some occupants and cars with the seatbelt - would enable the seat to pull the driver away from the controls. So whilst not directly deemed critical - certainly a vector of concern in some permutations of seat/driver position (thinking large 4x4's driven by small people who end up having the seat fully forward and raised, as an example).
Combine seat adjustment with GPS position reporting and you could devise a way to make a targeted person lose control, without taking control of "critical" systems, exactly as they're crossing a bridge.
I work in one of the big 3's there is significant push to physically isolate all the CAN buses.
The guys that hacked into Jeep were ex-NSA and worked on the hack for more than a year to get it to work. I'm not saying cars are 100% secure, but this sort of attack will take crazy effort and maybe physical access to the car.
Hey that's interesting, most of these devices IIRC work via the OBD port with an additional cutoff wiring. I haven't looked but I'm assuming the OBD port is somewhat restricted?
Really depends on the vehicle. Some will have broadcast traffic that is easier to spoof, and ride on CAN addresses that aren't reserved for OBD. OBD quite often rides on the main CAN network, and without a gateway any ECU can be queried. The secondary CAN network (if the vehicle has one) is also on the OBD plug but on different pins.
Yip. And if you can query any ECU, and know what you are doing/have more information on the system, you can get higher level security access (and that information, is again, not THAT hard to find).
This allows you to call functions that modify the parameters and probably restart it as well..
Precisely. It's also interesting to see what you can do with vehicles where the broadcast traffic 'leaks' out the OBD port. A lot of makes use the same ECU across models for common parts.
Literally: I have successfully sent CAN messages that were understandable to ECUs with an Arduino while waiting for a delivery of real hardware. There are Arduino-GSM shields that are super easy to use and would be remote-accessible.
Such a device would be dead easy to build even for someone who has almost no experience in electronics.
> By reverse engineering ProTrack and iTrack’s Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up.
people in this thread have a crazy assumption of in-car network security.
leave this thread with one single knowledge: cars have a single canbus network, with zero security. your radio, turn signal, engine intake computer, are all talking in the open over a single data wire.
anything you plug to that network can listen /talk to anything, and instead of security you have a priority bit (or a few of bits, don't remember) that is completely self regulated by each device.
Single network? All manufactures i've worked with in recent times have tons of internal networks and buses. Some are more isolated than others, eg connected infotainment and OBD often being behind some kind of secure gateway to not have direct access to engine network. If anyone is aware of manufacturers that don't do this please shout out.
But yeah, otherwise the data buses are kindof assumed to be internal and only contain trusted input, only recently some cars are now also starting to have cryptographically signed packets. It's really not such a big deal until you mix connected ecus with secure ecus or install cheap third party stuff yourself on same network, if someone could physically access the data bus there are other more dangerous things they could do anyway.
Did you look at the white hat presentation about Tesla from years ago? It's not that hard to take over the Tesla entertainment system, but the security was based on the command translator chip instead of securing the entertainment system.
Really depends on how throughout the investigation is/what hardware survives the crash.
Depending on the surrounding circumstances of the incident, it would probably not even be considered a possibility because fatal car crashes are so common that "just another accident" is the most probable, and thus most usual answer.
That's also the reason why Michael Hastings death is so controversial to this day [0].
Nope. ECUs have something called a "fault memory" where the last n detected errors are stored, and that can be recovered. This is actually what workshops use for diagnosing a car.
This can give lots of information about what happened (faults could be "didn't receive message xyz" "sensor xyz gave signal out of tolerance").
But there is definitely no system trace for the communication - too many messages to really store them I guess.
Just want confirm that vehicle security is a trash fire.
The CAN bus [1] has no security, you just put packets on it and read packets off it. Like "tell me the speedometer reading" or "activate the brakes" and CAN bus does it. You and I might think, gosh those are radically different things. Well the CAN bus disagrees.
Did I mention that there is no encryption? There isn't. To the CAN bus, the packets from the GPS tracker that say "tell me the speedometer reading" and the packets from the manufacturer created by pressing the brake are treated with the same authority.
Does vehicle electronics firmware use a weird 20 year old non ANSI version of C? Well of course it does. Does it require signed firmware? Hah!
Do most vehicle electronics suppliers not have the top quality security people they need? They do not. Do they have management support for making security conscious decisions? They don't.
Anything that can put packets on the CAN bus can completely control the car. So anything that connects the the CAN bus, through bluetooth, wifi, cell service, or a plug needs to be completely secure.
I'm a little distrustful of On Star and the like, because I don't think GM is security conscious enough to manage it perfectly. I'd be very distrustful of a company that let you keep a default password for your GPS tracker. Instead purchase the GPS tracker that does NOT read info about the vehicle, the only plug should be for power.
Here's a story about hacking Chrysler's Uconnect, with good details.
If you are writing software/firmware that will control a vehicle, you should hard code the packets it can write and never include dangerous ones. Even though it might seem cool to be able to "stop the vehicle" in an "emergency". If you want to use dangerous commands, you need to level up your security org to google/facebook levels. If you are talking to management that means spending $50 million a year just on security.
These are not attacks that require state level NSA/Chinese/Russian attackers. This is well within the reach of an advanced individual. It is very lucky indeed that there is no monetary or other advantage to this, if actuating brakes in cars produced social security numbers we'd have hundreds of excess deaths a year.
Yeah, firmware is another issue. You read and flash firmware or parameters often directly over that CAN bus. There is nothing to validate that, for one manufacturer, I needed passwords (casually handed out to every supplier, the same for every unit), for one, the "encryption" was a XOR with the same number that had been used for every model for years. I didn't know why they even bothered. One of the manufacturers at least stopped you from flashing new software to an ECU more than 3 times.
Did I mention that we had incredibly high fluctuation (at least production line test benches - brutal deadlines and 2am deployments, working in loud production halls, lots of travel, no technical innovation,..). We basically hired anyone who was alive and somewhat skilled. I don't think anybody ever talked to me about security - ever.
What these articles are showing, is amateurs' work. I'm terrified by the idea of what a disgruntled / crazy / .. person with experience in the field could do.
Sounds like another ’Boeing software bug’ is likely to hit the smart cars business.
From working with military computer security I know that nothing directly connected to the Internet should be considered safe. Sounds like a bad design decision
Correct; usually the installer instructions will say to wire the hardware so it disables the starter motor. This means that the engine won’t stop, but rather be prevented from starting.
Some of the cheaper (AliExpress) hardware installation instructions say that the relay should be wired to the fuel pump.
I wonder if the starter vs. fuel pump is a regional difference? Perhaps in countries where vehicle theft is more prevalent/violent installers would lean towards cutting the fuel pump?
On a car with a manual transmission, killing the starter doesn't do much as you can bump start the car (get the engine spinning by driving the engine via the transmission rather than the starter).
Unless my car can drive itself, I will always disconnect any of this "IoT writ large" bullshit. I have my phone for navigation. My car does not need a cellular transceiver or a GPS antenna and I will happily rip both of them out by the wires.
You can only go so far with it. Fundamentally it scares me that I no longer have a mechanical connection between myself and the brakes, or other drivetrain components.
You should be able to pump the breaks with a pedal in the case of a power breaking failure. That doesn't mean the car can engage the break via other means.
What gets me is electronic parking breaks, as that feels like it goes against the while purpose of the parking break.
Well, what a complete and total surprise that adding this kind of functionality to an automobile would result in it being so insecure that it can be hacked into.
First of all, many manufacturers market remote engine kill as a subscription service.
Second, many cars use CAN busses and connect the radio to it. That makes it very easy for the radio to interfere with crucial functions, like braking.
The CAN bus uses realtime time multiplexing for congestion control, so it is very easy to target traffic from a particular device subsystem, even accidentally.
Sources: search for “can bus vulnerabilities”. Also, a ~2012 GMC I used to own had a bug in the radio firmware that caused the ABS system to stay on when the engine was off, which ran down the battery overnight.
On my current Dodge, there is a recall where the head unit firmware leads to confusing semantics around “park” on the transmission, and a separate firmware update where it refuses to disengage cruise control.
On recent Ford mustangs, the radio can display all sorts of engine statistics, and tune the engine in real time.
European luxury cars are even more integrated on this front, and have sport modes where the radio changes the response curves for the engine, steering, transmission and suspension.
The first generation Prius had the engine control computer physically inside the radio.
That covers the major car manufacturers across three continents.
This isn't about GPS navigation systems in your in-dash screen. This is about hacking into a service linked to a device specifically designed to do what he did with it.
From the article:
>The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.
Must we use that many ecus? They are horrifically expensive - why not auosar separated squeeze them all together and we hope that row hammer never existed.
That's what the industry is moving towards. Fewer but higher powered ECUs running either with a SOC that provides isolation of the cores in hardware or a hypervisor to enable running safety critical applications in isolation.
I tried searching for keywords on Google and Twitter and couldn't find anything to suggest this was the case. Do you have a source that you can suggest for this?
There are typically only a few busses in a car. In many cases, there is a LIN bus for entertainment / radio / lights etc that is physically separated from the main CAN bus. This one is mostly harmless.
But if you can somehow talk to the main bus... There are like 5 critical ECUs that have to communicate "I'm OK" (engine, breaks etc) - otherwise nothing works. Those communicate with some minor encryption, and that communication is somewhat validated (they send counters to each other etc). But it doesn't matter. First of all, the protocols and databases are similar for different models, and known to A LOT of people who had jobs similar to mine. In order to test or build any ECU, you have to simulate the correct communication, otherwise the ECU won't start up.. Second, just sending nonsense with the right identifier could probably shut down the car or at least make it think there is a major problem. Third, there are messages that simulate power-cycling the bus..