Talk: Patching Vehicle Insecurity
The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts:
The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second.
With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and others. The automotive technology has come a long way from electronic fuel injection and O2 sensors to immobilisers using cryptographic keys. The controllers and sensors are connected in order to exchange data. In July 2010 we have written an article about a study published by researchers from the Center for Automotive Embedded Systems Security (CAESS). The paper titled Experimental Security Analysis of a Modern Automobile analyses the interaction of components via the Controller Area Network (CAN) bus and threats to the internal network. The researchers have published a second study in August where they investigate attack vectors on automobiles stemming from external sources. Their findings are quite scary.
The „avionics“ of automobiles are exposed by Wi-Fi, Bluetooth and cellular network interfaces. Furthermore you can access the entertainment system by CD-ROMs or USB ports, and you have RF-based remote keyless entry (RKE) systems to remotely open doors, flash lights or start the ignition. The immobiliser might also read RFID chips in the vicinity to look for the correct code (the corresponding RFID chip is usually embedded in the physical key of the car). The researcher were able to find and exploit the following attack vectors.
- Send arbitrary CAN packets by burning a modified WMA file on CD.
- Attacking pass-thru devices; possibility to automatically attack and own a vehicle by a service centre Wi-Fi network.
- Attack the Bluetooth interface by a Trojan Horse running on an HTC Android phone (can be run on iPhone, too).
- Attack the Bluetooth pairing process and pair a device with the car in 13.5, 12.5 and 0.25 hours.
- Reverse engineering of the proprietary aqLink protocol used for communication over the cellular network.
- Identifying potential buffer overflows in the aqLink protocol processing code.
- Authentication vulnerabilities in the aqLink protocol implementation; this led to the compromise of the car by an 3G uplink and offered a vector for injecting payload.
- Installing an IRC client via the 3G capabilities – this enables attackers to create a command and control channel for your car after compromise (think Zombie cars). The researchers managed to compromise two cars being 1,000 miles apart and let their IRC clients join a IRC channel.
The list is impressive. Given the access to the 3G network you can easily exfiltrate data or post location updates to a web site. You can even „war dial“ and attack cars indiscriminately.
It seems that last year’s prophecy came true and that the automotive industry does repeat the mistakes of networked applications as seen with Internet-enabled software. Constantinos Patsakis and Kleanthis Dellios of the University of Piraeus speak about Patching Vehicle Insecurity at DeepSec 2011. They will discuss the various vulnerabilities, give a tour through modern cars’ digital structure and will propose measure to mitigate threats. Their talk is highly recommended to designer, developers, security professionals, and everyone who has to secure platforms similar to the ones used in the automotive industry.