I went to the 2011 USENIX Security conference… admittedly not expecting much, but Wietse was going to be there, and I must say it was a really, really fine show. Yes, this is ancient history now… but so am I!
Most of us spend a fair bit of time encased in two tons of steel, glass, rubber and more, zipping along at high speeds without a care in the world. In the last half of the 20th century more people in the US have died from traffic accidents than guns, yet we routinely resist safety measures and drive dangerously or in dangerous conditions.
According to the authors of “Comprehensive Experimental Analyses of Automotive Attack Surfaces” (Checkoway et al.), not only are modern cars changing rapidly on an ongoing basis, adding new features and becoming more and more pervasively computerized, but they have real networks inside and a plethora of system interfaces to boot. Despite this, threat-model research has been reluctant to keep up with the Joneses, as it were. (I also learned after looking at various resources that there is a Center for Automotive Embedded Systems Security. You learn something new every day.)
A whole lotta lines of code make up the distributed network that lives under the hood, and last year the same researchers demonstrated that once you’re in, it’s over – all computer and control systems are compromised, including the engine, brakes, locks, you name it. This is due to a lack of any sort of access control or security architecture inside.
Modern cars are controlled by a loosely coupled set of digital components called Electronic Control Units (ECUs), which are in charge of pretty much everything you care about – the engine, drive train, brakes, stereo, and the like. An article claimed that there are up to 100 ECUs in your typical car with perhaps 100 million lines of code. That’s a lot of code. To put that in perspective, a brand new Airbus 380 jetliner has about the same number of ECUs (including the entertainment system), and our current jet fighter, the F-22 Raptor, has “only” 1.7 million lines. Automobile manufacturers have clearly embraced computerization in a big way. As we know from operating system and application security, there is just no hope of securing that much code.
It is somewhat analogous to the computer networks and applications that we build, where access is all too often binary: once you’re on a computer network you’re really into a lot of resources by default. At least on computer networks we have some monitoring, logging, and auditing going on (in theory ;)). The older attacks required physical access, however, to plug into the car’s bloodstream and inject the attacks. Critics of their previous paper said that you could get similar results by simply cutting or mucking with the brake line, for instance.
So the researchers started to get nasty. What ways can a car communicate with the outside world? There are actually quite a few, including radio (digital and analogue), remote key fobs, CD/media players, cell phones (things like OnStar actually work by placing a GPS receiver and cell phone embedded in your dash), Bluetooth… even your tires get into the action, with TPMS (Tire-Pressure Monitoring System, mandated for all US cars since 2007), which relays data in real time back to the rest of the car.
These are all run by software; you might guess what comes next. The little bits of software listening on these ports in the air get attacked: buffer overflows, protocol errors, fuzzing, all kinds of attacks. They took a couple of cars and tried to break various systems – the ones that proved most fruitful were CD, Bluetooth, and cellular.
Reading between the lines it seems that just about all entry points could be broken – again, they’re just software, and not particularly hardened against attack. After reading the paper and listening to the talk I started to suspect that they could bend the car to their will just by staring at it, but they decided not to publish that bit for fear of mass hysteria (or were stopped by various three-letter agencies).
To me one of the most interesting things here was that systems with vulnerabilities that you’d never think were connected to anything else (a CD player? Tires, for goodness’ sake?) could and did take over the entire vehicle. To quote the paper: “for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s systems.”
I’ll inject a few more visceral notes of interest. After exploiting the cell phone and CD player the researchers made an audio recording of an attack, so that whether they slipped a CD into the player or remotely phoned the car, the malicious sounds would force the system to execute an exploit and take over.
In addition to all the car problems they looked at a diagnostic tool used by mechanics called a PassThru device, which turns out to be a little Linux box that connects to the car’s OBD-II port (a standard auto diagnostic port) and also has WiFi. It turns out that if a PassThru is plugged into a car you can easily compromise the PassThru box itself (there are amusing anecdotes of this in the paper, including a summary of a proof-of-concept they did to do just this) and take over the car yet again – so if a mechanic is working on your car at your local service station and I happen to be driving by, I’m now in charge.
Of course the PassThru device itself requires no authentication to control a car when plugged into it, and it talks standard UDP/TCP over IP. So if you have one of those it might make an interesting attack box. The PassThru itself can be infected and continue to infect cars as they’re plugged into it… a kind of repeat of the ol’ floppy attack of yore.
So what’s the big deal, you might say… it’s just a car, what can be done? It looks like there are at least 3 basic results of such attacks; I’d note too that any of these could be done in real time, or the attacker could store code in the car to spring to life at the right moment (is this a new market for Symantec? Car anti-virus!):
1) Surveillance. You can watch the GPS and record any sound in a car and send this all out in real time or in batches. Good for generic spying, amoral parents with unruly (and driving) kids, abusive or spying spouses, etc.
2) Theft. The video they produced was really wonderful, but I can’t find it online. In it they do a simple enactment of a crime – a man walks up to a car and a remote operator unlocks the doors, starts up the engine, disables the security system, and he drives off. There are a lot of potential ideas here… combined with war-dialing (mass dialing of blocks of phone numbers) or other surreptitious ways of gaining car phone numbers (or simply drive around like Google and record all the data you get from listening to the airwaves) you could develop a database of the vulnerable cars that are out there, as well as various other bits of information such as location… and act as a broker to car thieves (“oh, you want to know where all the 2015 Mustang Cobras in LA are?”). I suppose police might want to do this too… there is always a use for information if you have access to it.
3) Destruction or worse. I can only imagine what would happen as you’re driving along Highway 1 and someone disables your brakes and hits the accelerator (on the bright side, you might be able to slow down the person tailgating you!).
You might imagine attacks such as these being extended to planes, trains, and military vehicles.
Certainly if you look at how the automobile manufacturers build a car, I don’t see any solution on the horizon. Ford, Honda, and others don’t build all those ECU components themselves; they massively farm out and distribute the work to thousands of contractors and subcontractors who bid on and build things to spec. The car makers get back black boxes that just work (or not), and don’t typically get the source code, nor do they have the resources or desire to audit and pen-test your CD player.
Watching the researchers set up an IRC channel that would register cars as they were compromised and allow real-time interaction with them was very redolent of the early days of massive distributed bot attacks. Are our formerly trustworthy cars next?
To be fair, they do say in a FAQ:
We believe that car owners today should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our papers and we are unaware of any attackers who are even targeting automobiles at this time.
It’s been my experience, however, that relying on the stupidity of attackers is not always the most strategic position to take. We shall see.
“On Motor Vehicle Accidents and Prevention”, A. R. Wilcock, 1981. Guns, er, gun down surprising numbers of people, especially by suicide, but cars do rack up the kills.
“This Car Runs on Code”, Robert N. Charette, 2/91, IEEE Spectrum. A sample quote from this fairly non-technical article:
For today’s premium cars, “the cost of software and electronics can reach 35 to 40 percent of the cost of a car,” states Broy, with software development contributing about 13 to 15 percent of that cost. He says that if it costs US $10 a line for developed software—a cost he says is low—for a premium car, its software alone represents about a billion dollars’ worth of investment.
IBM claims that about 50% of car warranty costs are software related.