Update on Car Network security

[rich.carroll]

Engadget today posted an interesting article, detailing the efforts of a pair if Spanish security experts.
 http://www.engadget.com/2014/02/06/your-car-s-computer-system-can-be-compromised-with-off-the-shelf/?ncid=rss_truncated
Obviously these researchers intend to present at next month's Black Hat Conference, where security experts share technologies.  Most security experts employ hacking as a means of testing their systems, and this group has demonstrated a module that can be surreptitiously installed in a couple of minutes and was built from easily available components for under $20.

[ted.lowe]

Sounds like the problem will get worse before it gets better (especially with advertising from engadget).

i think it will take the industry quite a while to properly deploy a good solution... wow what a fluffy sentence!

'quite a while': ~ multiple years
'properly deploy': built-in design quality (not a hacked recall)
'good solution':
       - a solid proven OS, like android (possibly with real time tweaks necessary for vehicle safety)
       - hardware (chips) authentication at the OS and device endpoints
               - device (eg, brakes module) needs to verify that a valid OS has given a valid command
               - OS needs to verify that a valid device has sent it valid sensor data

Thanks for keeping us updated Rich!

[rich.carroll]

Unfortunately, several SEVERE obstacles stand in the way of any one good solution.
1) The CanBUS was well designed for vehiclular use.  It was designed at a time when SAE desgners did nor forsee all the wireless appendages to the system.)
2) There does appear to be any way to patch in some security module(s) as there is no commanding central processor.
3) It now appears there many different ways to compromise the system.

• Cell phone connections to the bus to allow OnStar and others to shut down the system remotely after a crash
• Wi-Fi connections in the car
• Bluetooth modules both in the radio and outside
• The ability to add a tiny PCB onto an existing 12V+ line and yield access to whoever
• Fraudulent replacement parts that appear innocuous and are slightly cheaper than the known brand

4) Any new system would require a significant turnover in tech time, reeducation, and further investment by automotive technicians in a new diagnostic machine.  Most of the SAE certified mechanics and technicians have several thousand dollars in equipment to diagnose and monitor the current system. 

The current equipment would slide toward obsolescence as fewer and fewer 1996-2016 (?) cars would be on the road each year.
5)


I have a couple of friends and they tell me that the original development of a good CanBUS standard took several years.  A replacement standard would take at least as long, as people would try to integrate with current hardware.  I do understand that the SAE has several groups working on this, but there has not been any announcements yet. 

[ted.lowe]

Hi Rich, Tonight's 60 Minutes episode included a good segment on 'car hacking' (part of topic of Internet security).  You warned us of this issue almost 1 year ago.  The segment said just about any new car can be hacked, but only 2 of 14 car manufacturers can detect or fix such problems currently.

[rich.carroll]

Interesting.  I do know some manufacturers have tried to introduce authentication protocols on the CANbus, which could help solve the problem.  I's sorry I missed 60 minutes, but just got back from celebrating birthdays.  My best friend has a birthday on Feb 6, and mine is on Feb 7, so we went out to dinner with family and world's best neighbors.

Rich

[ted.lowe]

Happy Belated Birthday Rich!

i just received a totally relevant email with this link:

http://www.cargroup.org/?module=Page&sID=2015-february-cybersecurity-breakfast-briefing

[rich.carroll]

Ted's Link took us to an article about how the Car Industry is Replying.  Very interesting.  Perhaps frightfully, my morning news has a report that a 14 year old (Likely precocious) armed with under $15 and a soldering iron is able to wirelessly connect to an OBDII vehicle, and issue commands. 
http://jalopnik.com/how-a-14-year-old-hacked-a-car-with-15-worth-of-radio-1686620075?utm_campaign=socialflow_jalopnik_facebook&utm_source=jalopnik_facebook&utm_medium=socialflow

And if you feel good because the 14 yr old's source of supply (RadioShack) is closing, you are pretty naive about how easy it is to obtain electronics parts from DigiKey, Jameco, Mouser, and about a half dozen more.

My dad (who received his degree from Allegheny Tech in "Electricity" in 1913) maintained to his dying day that "Electricity is better than Electronics."  Up until now, i had that statement filed as "out of touch." As usual, given some time, I find that dad was right.

[ted.lowe]

Interesting Rich and an exceptionally big picture view with an assist from your Dad :-)

[rich.carroll]

From today's mail:  Chrysler seems to have a serious security flaw in 500,000 of their cars.  Their new U-Connect system will connect to a cell network and get an IP address.  Every computer that is connected to the internet has at least one IP address, but the CanBUS system in vehicles does not use IP addresses.  This IP address functionality was added by Chrysler.  You can collect the IP  address of the vehicle by a cell phone next to the vehicle.  Once the IP address is known, hackers from anywhere in the world can send commands to the vehicle involved.  The hackers do not have to be next to the vehicle, all they need is the IP address 

Some reading is in order.  Suggested articles:
http://gizmodo.com/hackers-have-the-power-to-remotely-hijack-half-a-millio-1719233440
http://gizmodo.com/how-to-hack-a-car-and-control-it-from-1500-miles-away-1583834410

Two good, somewhat technical articles are at:
http://www.autosec.org/publications.html

Walt Kelly, who used to draw a comic strip abut a possum who lived in a swamp, called Pogo got it VERY, VERY right in his Earth Day comic for 1971.  "We have met the enemy and he is us."

[jeffrey.miller]

If the bad guy has a Sprint based phone he/she can scan the entire Sprint network looking for vulnerable vehicles.  In theory once they compromise one vehicle they can use it to search for more vehicles.  This would work like a classical internet worm.  If the attacker then set up a simple command and control he/she could then disable all of the vehicles at a particular date and time.  More likely he/she would force you to pay money to use your car again.  It will be like video game where you have to put in money to keep driving.  The bad news is it won't be a quarter of a dollar...

Also VERY interesting is that you don't need to compromise the vehicle to constantly monitor it's location.  If someone was motivated they could sue Chrysler on that detail alone.  Hopefully Chrysler fixes that along with the rest of these issues. 

The bad news here is that Chrysler won't be the last to be found with massive problems like this.  They just made the front page because it was only two guys and they picked that car.  They had that level of success with the first car they picked (which is scary).  They picked it based on knowledge but the fact remains there is not a shortage of issues in this space across most manufacturers.  I would hope that GM is a little better off in this space than the others as they have been doing this for the longest but that is no guarantee. 

[rich.carroll]

My brother from another mother, Paul Brian does a radio show on WLS 890 AM on Saturday mornings from 8 AM to 9 AM.  The show is called Drive Chicago, and features news and discussions of things automotive.

Paul and I have been discussing Automotive Hacking for over a year now, but there has been an enormous amount of publicity since Wired Magazine showed it was possible to overtake a vehicle while being driven, and even to send it into a ditch against the control of the driver.  http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/
  They have also showed the reactions http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/ in associated stories.  http://www.wired.com/2015/07/patch-gm-onstar-ios-app-avoid-wireless-car-hack/ and even http://www.wired.com/2015/07/hackers-heist-semis-exploiting-satellite-flaw/

Then the hacking story broke in Wired Magazine, and we started to discuss this on 7/25  http://www.stationcaster.com/player_skinned.php?s=1201&c=5781&f=4644083 and 8/1  http://www.stationcaster.com/player_skinned.php?s=1201&c=5781&f=4670043.   

While automobiles are simply one of a list of possibly internet connected devices, it is a very visible part of American lives, and one that, if compromised, causes strong reactions. There is little concern if you mention that your toaster can be hacked from a third world nation, but a lot of concern if that hacker can put your Jeep into a ditch.  BTW, have you looked at upscale stoves, refrigerators, appliances of all kind, to see what a connected Internet of Things (IoT) is becomming today?