Almost every passenger car made in the past two decades can be quietly hacked, with vital systems such as the brakes, steering or transmission cut off in the middle of driving. Modern car-network-security systems won't catch the attacks, and there's no fix available except to wait for a new generation of cars — or to pick up a '69 Volkswagen or an '82 Buick.
That's the sobering conclusion of a report released this month by Tokyo-based information-security firm Trend Micro. The U.S. government's Computer Emergency Response Team (US-CERT) supported the report's assertions with an alert it issued in late July.
"The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," the US-CERT alert said. An OBD-II port is an on-board diagnostics connection that gives car owners and car mechanics alike access to the computer systems on most cars.
"To completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made," the report's author said. "Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA ([over]-the-air) upgrade."
Led by researcher Federico Maggi, a team from Trend Micro, Linklayer Labs and Maggi's alma mater, the Polytechnic of Milan, discovered that the Controller Area Network (CAN) protocol used in most modern cars can be made to automatically cut off entire systems while in use.
"Any device on the CAN bus can craft messages such that any other one would be cut off from any communication," the report says. "This is like a selective denial-of-service (DoS) attack."
The CAN protocol makes sure that computerized auto parts — technically known as electronic control units (ECUs) — made by many different manufacturers can "talk" to each other over the car's internal network, or "bus." CAN was developed in the mid-1980s, debuted on high-end BMWs in 1988, was standardized in 1993 and is now used on almost all cars worldwide.
In older cars, it's up to the driver to coordinate the brakes, engine, steering and transmission. In newer cars, CAN lets these various systems communicate. If your engine shuts off when you're stopped at a traffic light, or the doors lock when the engine starts, that's the CAN bus at work.
Getting up close helps, but isn't necessary
In most cases, an attacker would need physical access to a car's OBD port, and a specially crafted device plugged into the port, to affect the car's CAN bus. The researchers' own device was an Arduino mini-computer with wires running into the OBD port of (in a nod to their Milanese heritage) an Alfa Romeo Giulietta hatchback.
The possibilities of a physical attack might seem rare, but as Maggi pointed out in a Trend Micro blog posting, people today have access to many more cars than they used to.
"With current transportation trends such as ride-sharing, carpooling, and car renting, the scenario where many people can have local access to the same car is now more commonplace," he said.
A remote, i.e. wireless, attack is not impossible. Many consumer-grade OBD scanners are Bluetooth-enabled and can be controlled from smartphones. For even longer range, a specially crafted radio signal could alter the car's entertainment system and thus get into the CAN bus, as was demonstrated in the famous Jeep hack of 2015.
"Our attack can be enabled with any remotely exploitable vulnerability that allows the attacker to reprogram the firmware of an ECU (e.g., the infotainment system)," Maggi wrote.
The attack can also evade the OBD port. A rogue mechanic, for example, could install replacement parts that had been infected with malicious software.
Turning the CAN on itself
CAN is a "broadcast" protocol: Every device on the CAN bus gets every message put out by every other device. But if all the devices talk at once, it can get pretty overwhelming. And with so many electronic devices operating in a hot, dirty environment, there are a lot of faulty messages.
So to minimize distraction, the CAN protocol simply ignores faulty messages. If a device starts putting out a lot of faulty messages, it gets temporarily cut off from the network.
And that's the weak spot. Using a specially crafted device plugged into a car's OBD port, or by sending specially crafted messages to a wireless OBD port reader, a hacker could create faulty messages that looked like they were coming from a specific ECU. The CAN would then "fix" the problem by cutting that ECU off from the CAN bus.
Car-security software already guards against fake CAN messages by checking them against real ones. But the Trend Micro attack evades this detection by simply modifying existing messages, then building up enough of them so that an ECU gets cut off from the network.
"It’s not the car manufacturers’ fault, and it’s not a problem introduced by them," Maggi wrote. "The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works. ... To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented."