Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Transportation Security

Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com) 226

Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
This discussion has been archived. No new comments can be posted.

Unpatchable 'Flaw' Affects Most of Today's Modern Cars

Comments Filter:
  • by captaindomon ( 870655 ) on Thursday August 17, 2017 @03:26PM (#55036161)
    So let me get this straight: If a component on the network starts sending out uncontrolled messaging that looks like a denial of service, or an out of control / perpetually errored state, the network corrects for this problem by disconnecting the component causing chaos. That sounds like the CAN network is doing exactly what it should be doing: maintaining the integrity of the shared network at the expense of disconnecting an infected or malfunctioning node. What am I missing?
    • by JohnFen ( 1641097 ) on Thursday August 17, 2017 @03:30PM (#55036193)

      Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.

      • by Anonymous Coward on Thursday August 17, 2017 @03:38PM (#55036281)

        I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc. About building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.

        • by MachineShedFred ( 621896 ) on Thursday August 17, 2017 @04:31PM (#55036749) Journal

          In fact, this is such a known quantity by anyone that knows what the hell is going on in a modern car that there are products you can buy for some cars that actively edit the CANbus signals going into the ECU to tune the car's engine without invasive and potentially dangerous loading of non-sanctioned firmware. And, this additive hardware adds settings and features that were never available to the car from the manufacturer, such as altering turbo boost based on current octane sensor data and oil temperature data - increasing power when safe to do so, but decreasing if fuel quality is bad, or the engine is too hot. It achieves the desired effect in a safer, better, and more reversible way than an ECU flash with a different boost mapping.

          And this is possible because you can slap a signal processor in between the ECU and the rest of the CANbus, and the ECU will never know it's happening. Something starts to go wrong, and you disable it or remove it completely (unless something goes REALLY wrong, in which case caveat emptor, buddy.)

          Yeah, I'll go ahead and keep the open CANbus instead of some new standard that requires all kinds of lockdown and essentially DRM, and deal with the exactly zero "vulnerability" issues in literally billions of vehicle-miles travelled by CANbus equipped vehicles.

          • ...such as altering turbo boost based on current octane sensor data...

            Is this for real cars, or only for the Knight Industries Two Thousand?

            • by Hylandr ( 813770 )

              You prick, now I have the theme song stuck in my head.

            • Real cars. On my Audi it is a trivial operation to reflash the ECU to bypass less supercharger boost (or turbo boost on turbocharged Audis), which increases power as long as you are using high octane fuel. If you are not using high octane fuel, it will cause detonation which quickly melts pistons. APR is a popular vendor but there are around a dozen competing companies that have developed their own boost maps. An engine rated at 333 HP will put out somewhere around 390 HP with the majority of the increased
        • by DarkOx ( 621550 ) on Thursday August 17, 2017 @05:09PM (#55037027) Journal

          So I am one of those infosec guys and we have been doing CAN bus assessments for the big 3 for some time now. This has to be the stupidest article I have read in some time.

          First off the next gen cars are already implementing 'segmented' CAN buses with a firewall module that allows some devices to send white listed messages from the less privileged body areas to the more privileged engine management and safety buses. So this problem is already being solved.

          Very few existing cars have a path to remotely introduce CAN messages. Some do but those interfaces have by and large been hardened pretty well, the Jeep stuff from some years ago is long fixed.

          So what have here is basically if you are in the car you can do bad stuff by wiring into the can bus. Okay I make the airbag fail too buy yanking it out of the dash board, who cares.

      • by hey! ( 33014 )

        Well, it's always been possible for someone with physical access to the car to sabotage it. There are hundreds of ways you can make a car inoperable, likely to break down, or downright dangerous.

        What's different for most cars is that there are more elaborate ways of doing it now.

        But if the car is at all manageable OTA or wirelessly, that's a different story; we're not talking about needing physical access any more. You could hack someone's car while it sat in their locked garage, or while they were drivi

        • Well, it's always been possible for someone with physical access to the car to sabotage it.

          When I was a teenager one of my friends saw a beaten up old car with no windows on sale for $250 and on the sign it said "runs." My friend only had $40. So he popped the hood, (no windows) and removed the ignition rotor. Then he went and asked about the car. In the end he bought it for $40.

          These car-hack stories are so weak. If you're inside my car, instead of fiddling with the electronics, you might just steal it. That would be way worse. If terrorists want to hold your car hostage by controlling the brake

      • Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.

        That is not a flaw in CAN. It is flaw in the component. Since the "remote access" threat is something the researchers (or the journalist?) just made up, and is supported by no evidence whatsoever, this would require physical access to the component. If a bad guy gets physical access to your engine, then all bets are off. There is no such thing as a secure device in hostile hands.

        • Agreed, before you just cut the brake lines if you had physical access.

        • That's why they put the word "or" in there strategically, so that the scary part could be complete bullshit and they could still claim their sentence was true.

      • by MachineShedFred ( 621896 ) on Thursday August 17, 2017 @04:44PM (#55036837) Journal

        That's like saying that it shouldn't be possible for an "attacker" to "hack" your brake lines with a hacksaw.

        If you have physical access to the vehicle and want to do someone harm, there are far easier ways than a laptop plugged into the ODB2 connector. And, the most obvious way that an auto manufacturer would "fix" this "flaw" is to engage in some scheme reminiscent of DRM, further locking down anyone from being able to repair the car themselves.

        Oh, you want to replace the stereo? Fuck you, the security controller for the door locks is in the back, and it all has to have our special firmware on it to talk. You can get the $300 upgrade the stereo at the dealership for $2000.

        No thanks, I'll stick with the "flawed" CANbus.

        • Plenty of CANBUS modules already require a trip to the dealer for coding before they will function on the network after being replaced. Typical charge is an hour of labor, around $150. Google "component protection"
      • Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.

        It isn't, because it requires local access. If you already have installed hardware in the car, you don't need other tricks, you could have done all of the same things by physical manipulation.

    • What am I missing?

      Try it while waving your hands in the air and modulating your voice rapidly up and down, and see if you don't feel a little more freaked out by the FUD.

  • Most vehicles have at least two CANs. A public one, that is accessed through the OBD port shown in TFA. They also have a "private" CAN. That network should be used for vital communications between modules, and the messages are largely proprietary.
  • My approach so far is to avoid buying cars that include communications. Eventually, though, even older used cars will have this crap.

    At that point, I'll have to disable the comms. Right now, that appears to be easy to do in almost every car (just locate and remove the antenna). Hopefully, that will get me through the rest of my car-driving years.

    • A communications disruption can mean only one thing.

      Invasion.

    • What are you going to do when the antenna is embedded in a window?

      • I'd either pass on buying the car outright, or count the cost of replacing the window as part of the purchase price and see if it's still worth it to me.

        • (Or, now that I think of it -- the antenna has to make the jump from the window to the circuit board somewhere. Probably with a wire. Snip, snip.)

        • Just become like this guy [mgaguru.com], who, based on his comments, travelled about 40,000 miles in his 55 year old car last year.

  • by klossner ( 733867 ) on Thursday August 17, 2017 @03:37PM (#55036275)
    To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.
    • you must have a device physically connected to the CAN bus.

      Which *for now* means a laptop connected on the ODB port.

      But which could mean in the future hacking into some component of the car that is on the CAN bus it self (like the infotainment center, which needs to get information about fuel consumption and a few other stuff).
      Hack remotely (Bluetooth, some even support Wifi and 3G/4G) that component and then you get full access to the CAN bus.

      Expect *high range cars* to have two separate CAN bus and the infotainment only talking on the "public" CAN bus (and all

      • Its very unlikely the cheap cars will only have 1 network or that it will be segregrated in a different way (for good or bad) than the higher end models. Almost all car manufacturers address nearly the entire spectrum from entry level to super luxury, and tend to favor standardization to control R&D and maintenance costs. The chief differences between 'high end' and 'cheap' are the quality of materials used for upholstery etc., engine performance, more expensive alternatives of some components, space ag

      • by Strider- ( 39683 )

        Even on high end cars, the (multiple) CAN busses are usually connected through a gateway device. On my 2006 Jetta, the Engine, Transmission, etc... are on a different bus than the convenience items (locks, windows, sunroof, stereo, etc...) However, I can still access them all through the ODB-II port. Ideally this gateway would act as a firewall to protect the critical systems, the question is how good is it?

        • by nhtshot ( 198470 )

          It's very good. It has rules in it for every packet that it can possibly see and where that packet is allowed to go.

          Spam error packets like these jackasses are using would be silently eaten by the gateway resulting in 0 ill effects to the car.

    • THIS!

      Seriously, if you have physical access to a vehicle to access the CAN Bus, you can cut a break line or otherwise mess with anything on the car. Safety systems, Security systems, entertainment systems, you name it. Physical access implies all the same risks as this CAN buss "vulnerability" and MORE.

      I'm not seeing the huge problem here, at least not for car owners.

    • To perform this DOS attack, you must have a device physically connected to the CAN bus. If an attacker has that kind of access to your car, a DOS attack is not your biggest problem. The attacker could just as easily pump 120 volts into the bus and fry every component. Or leave a time bomb on the driver's seat.

      Bomb under the car is a wellknown security issue with cars. It has been known for years. OMG!!! When will they solve it???

  • okay (Score:5, Insightful)

    by ArylAkamov ( 4036877 ) on Thursday August 17, 2017 @03:38PM (#55036279)

    This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
    tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.

    • tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.

      Such a car will be hopelessly outclassed by anything modern. It's not a good plan for security, either.

  • From TFA:

    Special device needed to carry out local attacks
    The research team says that all it takes is a specially-crafted device that attackers have to connect to the car's CAN bus through local open ports.

    So, to be clear, a specially-crafted device, connected directly to an open local port.

    "The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," said ICS-CERT experts in an alert released last month.

    Um... So don't let strangers with car hacking gear ride along with you in your car -- or watch them *very* closely -- check.

    • Ah, I stand corrected. This isn't so bad, then.

      I will continue to avoid buying cars that have wireless communications facilities, though.

      • I will continue to avoid buying cars that have wireless communications facilities, though.

        Agreed. I'm disappointed that most (all?) new higher-level Hondas come with keyless entry and ignition. I get that it lessens their costs in making door and ignition locks, but at our expense of a $$$ and large keyfob. At this point, I'd pay extra for a regular ignition key and door locks, but that won't be an option. Luckily my 2001 Civic EX (120k miles) and 2002 CR-V EX (46k miles) are in excellent shape, except needing a few clear-coat touch-ups.

        • In most places you can probably just go to an auto locksmith and get third party ignition installed. They already install third-party systems that have both keyed and keyless access, just upgrade to one of those and turn off the keyless part.

  • by harrkev ( 623093 ) <kfmsd@@@harrelsonfamily...org> on Thursday August 17, 2017 @03:45PM (#55036341) Homepage

    There is another approach. CAN traffic happens over a differential pair. I have a specially-constructed device that can jam CAN traffic. I call it a "paperclip." I bend it and plug it into both data lines on the OBD port and the network is dead.

    We need to ban these dangerous hacking paperclips.

  • Most of us would just dismiss it as some hype, because it requires physical access to the cars.

    But plenty of people have access to cars of family members and friends. More than 75% of the homicide victims know their perps. Stranger on stranger murder rate is less than 25%. [quora.com]

    So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network, targets the brake system once the car speed is above 75 mph. An average dumb criminal, (all criminals are du

    • by bws111 ( 1216812 )

      Huh? What do you mean 'targets the brake system'? If the brakes are in any way controlled by the CAN bus, and the default for any component of that failing is anything other than 'apply the brakes', then THAT is a much more serious concern, and much more likely to happen, than this theoretical hack.

      Now, it is possible for it to target the antilock brakes, because they do have sensors connected to the bus. But all a failing anitlock brake sensor causes (which is what the hack simulates) is the ANTILOCK fu

    • by Strider- ( 39683 )

      So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network, targets the brake system once the car speed is above 75 mph.

      There's a reason why brakes are designed as a failsafe design. Even if you took out the ABS controller, the brakes will continue to work. They are still a hydraulic connection between the master cylinder behind the pedal, and the brakes themselves in the wheel. Yes, in hybrid cars with regenerative braking, the first few inches of pedal travel just activate electronics, but once you go beyond that, you still have the tried and true hydraulic brakes.

      Are there other ways that you could sabotage a vehicle elec

    • >Most of us would just dismiss it as some hype, because it requires physical access to the cars.

      Yep. Because someone with physical access can do all sorts of things, including putting a tracker on it, cutting a brake line, or attaching a bomb.

      Nobody I know habitually checks their vehicles for those kinds of modifications before driving, and I doubt anyone's going to start checking their CAN bus integrity either.

    • Most of us would just dismiss it as some hype, because it requires physical access to the cars.

      That's about the size of it.

      So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network, targets the brake system once the car speed is above 75 mph. An average dumb criminal, (all criminals are dumb) would lack the technical knowledge to do it. But now a days I see kits being sold on Amazon for USB sticks that will fry the mother board if plugged in. So it wouldn't be long before such devices make it to the market. Yes, eventually the police will catch one and then it would become standard protocol to look for this. But till then ...

      This and a zillion other things anyone who has physical access and is bored can dream up.

  • So glad I did not go for the remote network accessibility option in my new car. Seemed like such a bad idea; yep!
    • Yeah, but the CAN bus isn't remote. It is the local backbone between the various computers in a car. I had always been under the impression it was not secure it was assumed any hardware on it was trusted.

  • Stuck CAN bus signal. From what I've gathered, my first guess when it first hit the news turned out to be the actual problem.

    I was involved in writing calibration, diagnostic and simulation tools for GM and their suppliers in the late 90s and early 00s, I saw this problem several times on the low-speed bus, but that wasn't as critical (well, your instrument panel or radio might go wonky, but critical components run a high speed bus)

  • ...if you jam a network, it will stop working. Whoever figures out how to avoid that will win a Nobel. And a position of headmaster at Hogwarts.

  • Yes, there are also several other, less dangerous flaws involving frame droppage, but the human driver is the most dangerous, unpatchable flaw in modern vehicles.

    • Interestingly, in other news that might be patched soon by self-driving cars. And civilians in many cases might eventually be limited to small, light vehicles for manual control.

  • If someone has access to the CAN bus, you are already pwned. It is not much of a flaw, except don't let hostile applications or hardware have direct access to the CAN bus. This is like saying PCs have a flaw, because something plugged in the PCIe bus can do bad things.

    • But it IS an unpatchable flat that affects most of todays modern computers!

      Simply connecting a device to the PCIe bus exposes your entire memory contents!

      All you need to do to remotely access that is find a vulnerability in the kernel!

  • There is no such things as an unfixable flaw in a car. It all has to do with how much money you have and how much of it you are willing to spend to fix the issue.

  • by dicobalt ( 1536225 ) on Thursday August 17, 2017 @07:34PM (#55037843)
    Stop it, just stop. Stop connecting networked systems to the ECU, it's fuggin stupid. Stop being stupid.
  • I have a car with a CAN network (two networks actually, with the gauge cluster acting as a gateway between the fast and slow networks)

    The only thing the ABS control use uses the CAN bus for is to illuminate the warning lights on the gauge cluster.
    The control unit is directly connected to the wheel speed sensors and valves.

    The engine ECU and transmission ECU are actually the same thing, so there is no issue with that. If it wasn't auto-transmissions go in to limp home mode if they detect failure and still wo

  • There are a few older and more popular options for attackers with local access to disable your brakes. The most popular uses a knife.

    Remotely? Well, connecting a local control bus to the internet certainly is a flaw.

  • CAN is not a secure bus. And it was never meant to be one. CAN, when it was invented, was to be a lightweight bus system that connects internal car systems. And as such it works perfectly. At its conception, there was neither any kind of provision to make it "user space safe" nor was any form of wireless connection to it foreseen.

    And if you use it as such it is a great bus system and does its job. Of course if you let marketing run amok, well, you get what you get when you let marketing amok. I highly doubt

Lo! Men have become the tool of their tools. -- Henry David Thoreau

Working...