The keynote presentation at #EIC17 by Stephan Gerhager was an intriguing one. It amply told us that the security model around cars is really scary. I do not feel good driving a connected car after hearing it. It is a pity that neither video nor presentation is available, but here are my notes.
You can also go to http://twilog.org/_nat_en/date-170510/allasc to see my tweets.
What follows is a collation of those tweets.
#eic17 pic.twitter.com/XohdfF18Az
— Nat Sakimura (@_nat_en) May 10, 2017
Allianz Deutschland is doing research into securing cars, as insurance companies are pretty much the only party that is concerned. He began his talk with the episode about Siri telling the location of your car, and from there started to look into the issues. Apparently, there are 100+ ECUs in a modern car. The scary part is that there is no authentication, authorization, encryption or filtering involved, because everything has to be fast. This is a big challenge. Inserting a fifth wheel sensor completely changes things. As Ian Glazer tweeted, sacrificing a trust fabric in the name of performance never ends well.
Sacrificing a trust fabric in the name of performance… never ends well #eic17
— Ian Glazer (@iglazer) May 10, 2017
There are something like 20M lines of code in a car. Imagine how many bugs there are… and there is no patching mechanism.
Adding to that, the CAN bus is a challenge. It is a broadcast bus, so DoS is really easy. There is no authenticator field, and access control is weak because it relies on a shared secret. This means internal attacks are pretty easy: sniff the CAN bus with Wireshark through an OBD2 dongle, capture the commands, then replay them. It took only one day for two graduate students to crack the car.
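The missing authenticator field is what makes the sniff-and-replay attack work. As an added example (not from the talk or from Allianz), the following shows the usual mitigation: each frame carries a freshness counter and a truncated MAC computed over the id, payload and counter, so a receiver can reject both forged and replayed frames. The key, frame layout (2 payload bytes + 2 counter bytes + 4 tag bytes in an 8-byte classic CAN frame) and the use of HMAC-SHA256 instead of the AES-CMAC automotive stacks normally use are all assumptions made for this example; the scheme is the same idea as AUTOSAR SecOC.

```python
import hashlib
import hmac
import struct

# Hypothetical pre-shared key for one sender/receiver pair. Constructed for this
# example only; a real ECU would have it provisioned at manufacture and kept in an HSM.
KEY = b"example-ecu-key-not-a-real-one!!"

TAG_LEN = 4      # truncated MAC: a classic CAN frame only has 8 data bytes
COUNTER_LEN = 2  # 16-bit freshness counter (assumed layout)


def build_frame(can_id: int, payload: bytes, counter: int) -> dict:
    """Sender side: append freshness counter and truncated MAC to the payload."""
    if len(payload) > 8 - COUNTER_LEN - TAG_LEN:
        raise ValueError("payload too long for this frame layout")
    counter_bytes = struct.pack(">H", counter & 0xFFFF)
    # The id is authenticated too, so a frame cannot be re-used under another id.
    msg = struct.pack(">I", can_id) + payload + counter_bytes
    tag = hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]
    return {"id": can_id, "data": payload + counter_bytes + tag}


class Receiver:
    """Receiver side: verify the MAC, then enforce a strictly increasing counter per id."""

    def __init__(self):
        self.last_counter = {}  # highest counter accepted, per CAN id

    def accept(self, frame: dict):
        data = frame["data"]
        payload = data[:-(TAG_LEN + COUNTER_LEN)]
        counter_bytes = data[-(TAG_LEN + COUNTER_LEN):-TAG_LEN]
        tag = data[-TAG_LEN:]
        counter = struct.unpack(">H", counter_bytes)[0]
        msg = struct.pack(">I", frame["id"]) + payload + counter_bytes
        expected = hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; check the tag before trusting the counter.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        if counter <= self.last_counter.get(frame["id"], -1):
            return False, "replay"  # a sniffed frame re-sent later lands here
        self.last_counter[frame["id"]] = counter
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver()
    f1 = build_frame(0x123, b"\x01\x02", 1)
    print(rx.accept(f1))   # first delivery is accepted
    print(rx.accept(f1))   # identical replay is rejected
```

The 16-bit counter wraps, so a real design either uses a wider counter of which only the low bits are transmitted (as SecOC does) or rekeys before wraparound; the example leaves that out to keep the frame layout simple.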
The attack is really easy when you are on CAN Bus. Because CAN Bus is a broadcast network, launching a DoS attack is also very easy. Consider something like

    frame = can.Frame(id=0)
    frame.dlc = 8
    while True:
        dev.send(frame)

#eic17
— Nat Sakimura (@_nat_en) May 10, 2017
DDOS on CAN bus in a tweet https://t.co/EyLhP75nxB
— Ian Glazer (@iglazer) May 10, 2017
The car completely locks up. Imagine if it was launched while you are driving on a highway. Pretty scary.
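Because nothing on the bus authenticates the sender, the realistic defence against that flood is to notice it: the bus frame rate and the rate of a single (especially high-priority) id jump far above the vehicle's normal baseline. As an added example (not from the talk), here is a sliding-window rate monitor run over a constructed trace of (timestamp, arbitration id) pairs; the ids, timings and thresholds are invented for the example, and on a real vehicle the thresholds would come from a baseline recording of that model's traffic.

```python
from collections import deque

# Constructed trace: four ECUs each sending every 40 ms (one frame per 10 ms overall).
NORMAL_TRACE = [(i * 0.010, cid) for i, cid in enumerate([0x100, 0x200, 0x2A0, 0x300] * 25)]

# Constructed flood: normal traffic, then id 0 frames arriving every 0.2 ms.
# Id 0 wins every arbitration, so the other ECUs are starved, which is the lock-up described above.
FLOOD_TRACE = NORMAL_TRACE[:40] + [(0.40 + i * 0.0002, 0x000) for i in range(200)]


class FloodDetector:
    """Keeps the last `window_s` seconds of frames and alerts on rate anomalies.

    Two checks: total frames in the window (bus saturation) and frames per id
    (one node hammering a single, typically high-priority, id).
    """

    def __init__(self, window_s=0.1, max_frames=40, max_per_id=15):
        self.window_s = window_s
        self.max_frames = max_frames
        self.max_per_id = max_per_id
        self.window = deque()   # (timestamp, id) in arrival order
        self.per_id = {}        # live count per id inside the window

    def observe(self, ts, can_id):
        """Feed one frame; return an alert string or None."""
        self.window.append((ts, can_id))
        self.per_id[can_id] = self.per_id.get(can_id, 0) + 1
        # Expire frames that fell out of the window.
        while self.window and ts - self.window[0][0] > self.window_s:
            _, old_id = self.window.popleft()
            self.per_id[old_id] -= 1
        if len(self.window) > self.max_frames:
            return f"bus flood: {len(self.window)} frames in {self.window_s}s"
        if self.per_id[can_id] > self.max_per_id:
            return f"id 0x{can_id:03x} flooding: {self.per_id[can_id]} frames in {self.window_s}s"
        return None


def scan(trace, **thresholds):
    """Run the detector over a whole trace and collect (timestamp, alert) pairs."""
    det = FloodDetector(**thresholds)
    alerts = []
    for ts, cid in trace:
        alert = det.observe(ts, cid)
        if alert:
            alerts.append((ts, alert))
    return alerts


if __name__ == "__main__":
    print("normal:", scan(NORMAL_TRACE))       # no alerts
    print("flood:", scan(FLOOD_TRACE)[:3])     # per-id alert first, then bus flood
```

A gateway ECU that applies this kind of monitoring can at least log and flag the event, or drop frames from a diagnostic port once it misbehaves; it cannot tell which node is sending, which is exactly the weakness the speaker pointed at.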
There were earlier cases of mass car theft. The method was as follows.
- Break the rear window.
- Put an OBD2 dongle.
- Steal some sunglasses or something.
- Then the owner will bring the car to a garage.
- The attacker drives out of the garage car park to an eastern European destination where it will be sold.
There are car body shell attacks that play with the 2.4GHz radio as well: jam the radio, capture the signal, replay it. No trace.
Breaking the WPA2 password is easy using the VIN indicated on the windshield.
The Cherokee has a single network. German cars have two networks separated by a firewall. Did firewalls work on the internet? No.
The problem is: the design needs to change from the ground up, and then auditing etc. has to start from the ground up as well.
Tesla is far ahead. More or less like Apple, everything is done internally. OTA patch management etc. are available.