With the summer’s big security conferences over, now is a good time to take a look back on automotive security. With talks about attacks on Chrysler, GM and Tesla, and a whole new Car Hacking village at DEF CON, it’s becoming clear that autosec is a theme that isn’t going away.
Up until this year, the main theme of autosec has been the in-vehicle network. This is the connection between the controllers that run your engine, pulse your anti-lock brakes, fire your airbags, and play your tunes. In most vehicles, they communicate over a protocol called Controller Area Network (CAN).
An early paper on this research [PDF] was published back in 2010 by The Center for Automotive Embedded Systems Security, a joint research effort between the University of California San Diego and the University of Washington. They showed a number of vulnerabilities that could be exploited with physical access to a vehicle’s networks.
A number of talks were given on in-vehicle network security, which revealed a common theme: access to the internal network gives control of the vehicle. We even had a series about it here on Hackaday.
The response from the automotive industry was a collective “yeah, we already knew that.” These networks were never designed to be secure, but focused on providing reliable, real-time data transfer between controllers. With data transfer as the main design goal, it was inevitable there would be a few interesting exploits.
Infotainment and Telematics
Automotive companies are working hard on integrating new features to distinguish their products and create new revenue streams. Want a concierge service? You can pay for GM’s OnStar. Need an in-car WiFi hotspot? Chrysler has that built into uConnect for $35 a month. Want to control every aspect of your vehicle from a touch screen? Maybe the Tesla Model S is for you.
There are two main features that are leading to more connected vehicles: infotainment and telematics. Infotainment systems are the in-vehicle computers that let you play music, get vehicle information, navigate, and more. Telematics systems provide vehicle data to third parties for safety, diagnostics, and management.
In order to provide these features, connections between controllers are necessary. For example, OnStar needs to know when your airbags deploy in order to call for help. For that reason, it is networked to the airbag controller.
Regulators are helping speed up the process. Due to the eCall initiative, all new vehicles sold in Europe after 2018 must provide voice communication and a “minimum set of data” in the event of an accident. This means vehicles will be required by law to have a cellular connection, supporting voice and data.
As vehicles get connected to radios, remote bridges to the in-vehicle network are created. The assumption that physical access to a vehicle is required for access to the in-vehicle network no longer holds true.
The Chrysler hack took advantage of a vulnerability that anyone familiar with network security would consider trivial: an open port running an insecure service. If you want to know the details of the hack, [Chris] and [Charlie] have published a detailed paper that’s definitely worth a read.
The crux of the vulnerability relied on an assumption made by Chrysler. Their telematics unit had two processors, one connected to the in-vehicle network and one connected to the internet. The assumption was that the airgap between these devices prevented remote access to the in-vehicle network.
Unfortunately, their airgap was made of copper. It was a SPI connection between the two processors, which allows for a variety of commands to be executed, including a firmware update. With rogue firmware running on the in-vehicle network, we’re back to the five-year-old issue of in-vehicle networks being insecure.
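To make the "airgap made of copper" concrete, here is an added model of the inter-processor link that is not code from the paper or from any vehicle; the command names, message format and the HMAC-based check are assumptions made for illustration. The insecure handler trusts every command that arrives on the link, while the hardened one treats the link as an untrusted boundary and only accepts a firmware update that carries a valid tag from a key the internet-facing processor never holds.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key held by the vehicle-side processor and the OEM's signing
# infrastructure only; a real design would use an asymmetric signature.
SIGNING_KEY = b"example-key-not-real"


@dataclass
class Message:
    cmd: str          # hypothetical command name sent over the SPI link
    payload: bytes    # e.g. a firmware image
    tag: bytes = b""  # authentication tag over cmd + payload


class VehicleSideProcessor:
    """Model of the processor attached to the in-vehicle network."""

    def __init__(self):
        self.firmware = b"factory"

    def handle_insecure(self, msg: Message) -> str:
        # The assumed "airgap": anything arriving on the link is trusted, so a
        # compromised internet-facing processor can push rogue firmware.
        if msg.cmd == "FIRMWARE_UPDATE":
            self.firmware = msg.payload
            return "updated"
        if msg.cmd == "GET_STATUS":
            return "ok"
        return "unknown"

    def handle_hardened(self, msg: Message) -> str:
        # Treat the link as a trust boundary: allowlist the commands, and require
        # a valid tag before any command that changes code is honoured.
        if msg.cmd not in {"GET_STATUS", "FIRMWARE_UPDATE"}:
            return "rejected"
        if msg.cmd == "FIRMWARE_UPDATE":
            expected = hmac.new(SIGNING_KEY, msg.cmd.encode() + msg.payload,
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, msg.tag):
                return "rejected"
            self.firmware = msg.payload
            return "updated"
        return "ok"


def sign(cmd: str, payload: bytes) -> Message:
    """What the OEM's release tooling would do; never runs on the vehicle."""
    tag = hmac.new(SIGNING_KEY, cmd.encode() + payload, hashlib.sha256).digest()
    return Message(cmd, payload, tag)
```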
I had the chance to talk to some Chrysler folks at DEF CON, and they continued to refer to this as an “airgapped system.” The truth is, we’ll never see a new car with a true airgap between the in-vehicle network and the cellular network. New features and regulations demand this level of connectivity.
The Supply Chain
[Chris] and [Charlie] decided to focus on a Chrysler Jeep Cherokee, but let’s not place all the blame on Chrysler. The uConnect device running the vulnerable service was actually made by Harman. Harman is the largest manufacturer of automotive audio and infotainment systems. You’ll find their devices in vehicles from Audi, BMW, Land Rover, Mercedes-Benz, Volvo, Buick, and others.
This is how the automotive industry tends to work nowadays. An OEM, like Chrysler, integrates parts from a variety of “Tier One” suppliers. The Tier One suppliers source parts from “Tier Two” suppliers. It’s up to Chrysler to choose these parts, then stick them all together into a vehicle.
When buying from a range of suppliers, security is a hard problem. As an engineer, you’re stuck with integrating parts that were chosen based on a range of criteria, and security isn’t at the forefront of purchasing decisions. OEMs do not always have the resources to evaluate the security of the products they are purchasing, and instead rely on the suppliers to build secure products.
The other issue with suppliers is that fixes happen slowly. Chrysler could not patch this issue themselves, but instead needed to wait for the supplier to do it. After the patch was complete, they likely needed to perform testing and validation of the patch before releasing. This all takes time.
Outside of the security industry, people have been hacking cars for years. Tuners charge money for “chipping” cars to improve performance, remove limiters, and alter settings. The term “chipping” comes from the process of desoldering and replacing an EEPROM chip on old ECUs to change calibration values.
This type of work has good intentions: people pay for modifications to their own vehicles. The security industry is more focused on nefarious motives. We’ve seen a few hacks that involve stealing cars by attacking the key fobs, but these types of attacks still require physical access to the vehicle.
Imagine this: your car starts up, and cannot shift out of park. A message appears on the infotainment display telling you to transfer Bitcoins to a specified address to unlock your vehicle. You’ve been targeted by automotive ransomware. Fortunately, we haven’t seen such an attack yet, but with the issues that have been demonstrated, it’s becoming plausible.
Vehicles are also becoming more automated. Advanced Driver Assistance Systems (ADAS) improve safety by giving computers control of the vehicle’s steering, throttle, and brakes. However, these systems also increase what a compromised system can do, since an attacker who controls them controls the vehicle’s motion.
Another concern is privacy. Infotainment systems have access to location data, microphones, and vehicle information. In regards to eCall, the European Union says “Do you have any concerns for your privacy? You shouldn’t.” We probably should. The good news is that people are trying to protect drivers. DEF CON’s new Car Hacking Village, run by Parsons and CANBusHack, had a strong showing of employees of OEMs and tier one suppliers. Car companies are starting to pay attention.