2017-08-17
Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
Almost all of the older machine control style buses have this exact flaw. NONE of them authenticate. All of them can be MITM'd very easily. Most IoT systems out there are predicated on the fact that they can do this.
You think it is bad? No, it's worse than that. I try not to think about it much.
Doesn't bother me at all. With or without this flaw, people can sabotage your car. In this case, they have to have the technology, knowhow, access and motive to exploit the flaw. Why would they take the difficult path when there are much easier ways to F with your car?
Sounds like good design to me (Score:3)
Maybe what you're missing is that it shouldn't be possible for an attacker to induce this state in the first place.
Oh enough of this shit (Score:2, Insightful)
I am so sick of infosec nerds thinking they know more than the engineers at Ford, BMW, etc., about building cars. Coming up with new "vulnerabilities" - "I just need physical access to the car's OBD-II port with a laptop". Stick to Flintstones cars if you feel so insecure, the rest of us will drive fearlessly in luxury.
Just like this server is totally insecure: all I have to do is swap the hard drive and motherboard and I have root access.
In fact, this is such a known quantity by anyone that knows what the hell is going on in a modern car that there are products you can buy for some cars that actively edit the CANbus signals going into the ECU to tune the car's engine without invasive and potentially dangerous loading of non-sanctioned firmware. And, this additive hardware adds settings and features that were never available to the car from the manufacturer, such as altering turbo boost based on current octane sensor data and oil temperatur
Well, it's always been possible for someone with physical access to the car to sabotage it. There are hundreds of ways you can make a car inoperable, likely to break down, or downright dangerous.
What's different for most cars is that there are more elaborate ways of doing it now.
But if the car is at all manageable OTA or wirelessly, that's a different story; we're not talking about needing physical access any more. You could hack someone's car while it sat in their locked garage, or while they were drivi
That is not a flaw in CAN. It is a flaw in the component. Since the "remote access" threat is something the researchers (or the journalist?) just made up, and is supported by no evidence whatsoever, this would require physical access to the component. If a bad guy gets physical access to your engine, then all bets are off. There is no such thing as a secure device in hostile hands.
Agreed; before, you just cut the brake lines if you had physical access.
What happens is that the malfunction indicator comes on. Screwing up the antilock brakes means that the 'antilock' function no longer works, not that the brakes don't work.
Multiple CANs Per Vehicle (Score:2)
That's why you must silence the comms (Score:3)
My approach so far is to avoid buying cars that include communications. Eventually, though, even older used cars will have this crap.
At that point, I'll have to disable the comms. Right now, that appears to be easy to do in almost every car (just locate and remove the antenna). Hopefully, that will get me through the rest of my car-driving years.
A communications disruption can mean only one thing.
Invasion.
This exploit is too subtle. (Score:1)
If one has physical access, I think you will find it is also vulnerable to simple voltage injection, say 110v.
This is easily created using capacitors when a wall outlet is inconvenient.
Why knock out one device when you can kill the whole bus? Am I missing the point? ABS brakes won't work, just time the injection correctly.
This exploit can be done remotely. Physical access is not required.
When I was 14, I was banned from a radio shack for returning charged caps.
I used to see a 1963 Corvette in the parking lot of a highly secure facility that I worked at... Do you suppose that they had to vet this guy so that he could use a non-jammable vehicle?
Just wonderin
Exploit requires access (Score:5, Insightful)
Access can be obtained (Score:2)
You must have a device physically connected to the CAN bus.
Which *for now* means a laptop connected on the OBD port.
But which could mean in the future hacking into some component of the car that is on the CAN bus itself (like the infotainment center, which needs to get information about fuel consumption and a few other things).
Hack remotely (Bluetooth, some even support Wifi and 3G/4G) that component and then you get full access to the CAN bus.
Expect *high range cars* to have two separate CAN bus and the infotainment only talking on the "public" CAN bus (and all
Same manufacturers for both ends of the market (Score:2)
It's very unlikely the cheap cars will only have 1 network or that it will be segregated in a different way (for good or bad) than the higher end models. Almost all car manufacturers address nearly the entire spectrum from entry level to super luxury, and tend to favor standardization to control R&D and maintenance costs. The chief differences between 'high end' and 'cheap' are the quality of materials used for upholstery etc., engine performance, more expensive alternatives of some components, space ag
Even on high end cars, the (multiple) CAN buses are usually connected through a gateway device. On my 2006 Jetta, the Engine, Transmission, etc... are on a different bus than the convenience items (locks, windows, sunroof, stereo, etc...) However, I can still access them all through the OBD-II port. Ideally this gateway would act as a firewall to protect the critical systems; the question is how good is it?
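The comment above asks what a CAN gateway would have to do to act as a "firewall" between the convenience bus and the powertrain bus. The following is an added example, not code from the thread or from any vehicle manufacturer: a minimal forwarding policy that drops frames whose arbitration ID is not on an allowlist, whose payload length does not match the expected one, or which exceed a per-ID rate. The arbitration IDs, payload lengths, rate limits and timestamps are all constructed for illustration; real vehicle message catalogues are manufacturer-specific.

```python
# Added example: a toy model of a CAN gateway sitting between a vehicle's
# convenience bus and its powertrain bus. Everything below (IDs, lengths,
# rates, traffic) is constructed for illustration and is not a real catalogue.
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID; a lower value wins bus arbitration
    dlc: int      # data length code, 0..8 for classic CAN
    data: bytes
    t: float      # arrival time in seconds (constructed timestamps)


@dataclass(frozen=True)
class ForwardRule:
    dlc: int             # payload length the powertrain side expects for this ID
    max_per_second: int  # frames per second the gateway lets through for this ID


@dataclass
class Gateway:
    """Allowlist + length check + per-ID rate limit for frames crossing buses."""
    rules: dict
    history: dict = field(default_factory=dict)   # arb_id -> deque of pass times
    dropped: list = field(default_factory=list)   # (frame, reason) for auditing

    def forward(self, frame: CanFrame) -> bool:
        """Return True if the frame is allowed onto the powertrain bus."""
        rule = self.rules.get(frame.arb_id)
        if rule is None:                      # ID not allowlisted: drop silently
            self.dropped.append((frame, "not allowlisted"))
            return False
        if frame.dlc != rule.dlc or len(frame.data) != frame.dlc:
            self.dropped.append((frame, "bad length"))
            return False
        window = self.history.setdefault(frame.arb_id, deque())
        while window and frame.t - window[0] >= 1.0:   # keep a 1 s sliding window
            window.popleft()
        if len(window) >= rule.max_per_second:
            self.dropped.append((frame, "rate limit"))
            return False
        window.append(frame.t)
        return True


# Constructed policy: two convenience-bus IDs may cross, nothing else.
RULES = {
    0x3A0: ForwardRule(dlc=8, max_per_second=10),   # "fuel level request" (constructed)
    0x2C0: ForwardRule(dlc=2, max_per_second=20),   # "door lock status" (constructed)
}


def constructed_traffic() -> list:
    """Constructed convenience-bus traffic: normal polling, two oddities, a burst."""
    frames = [CanFrame(0x3A0, 8, bytes(8), float(t)) for t in range(5)]  # 1 Hz polling
    frames.append(CanFrame(0x0A0, 8, bytes(8), 4.1))   # high-priority ID, not allowlisted
    frames.append(CanFrame(0x2C0, 8, bytes(8), 4.2))   # allowlisted ID, wrong length
    frames += [CanFrame(0x3A0, 8, bytes(8), 5.0 + i * 0.001) for i in range(30)]  # burst
    return frames


def run_demo() -> dict:
    """Run the constructed traffic through the gateway and summarise the outcome."""
    gw = Gateway(RULES)
    forwarded = sum(1 for f in constructed_traffic() if gw.forward(f))
    return {"forwarded": forwarded, "dropped": dict(Counter(r for _, r in gw.dropped))}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the gateway allows by identity, shape and rate rather than by "nothing looks obviously wrong": the high-priority frame is refused even though it would have won arbitration on the shared bus, and the burst of an otherwise legitimate ID is capped, which is the property the comment above is asking the gateway to provide.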
THIS!
Seriously, if you have physical access to a vehicle to access the CAN bus, you can cut a brake line or otherwise mess with anything on the car. Safety systems, security systems, entertainment systems, you name it. Physical access implies all the same risks as this CAN bus "vulnerability" and MORE.
I'm not seeing the huge problem here, at least not for car owners.
A simple denial of service is to pull the fuel pump fuse. Good luck diagnosing that one quickly, as the car will start with what is lying in the pipe. You might even get half a mile before it conks out, and you'll think something failed *then*, not that you had the problem before you started driving...
okay (Score:5, Insightful)
This is nothing new, anyone who has developed a CAN device before knows this, no "shocking new research" needed. It was never designed to be secure, it was designed to be extremely resistant to noisy environments, and does a damn good job at it.
tl;dr if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.
if you are a political target, get an older car without an electric throttle body and electric power steering bullshit.
Why only if you're a political target? This seems like wise advice for everybody.
"All it takes" (Score:2)
Special device needed to carry out local attacks
The research team says that all it takes is a specially-crafted device that attackers have to connect to the car's CAN bus through local open ports.
So, to be clear, a specially-crafted device, connected directly to an open local port.
"The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," said ICS-CERT experts in an alert released last month.
Um... So don't let strangers with car hacking gear ride along with you in your car -- or watch them *very* closely -- check.
Ah, I stand corrected. This isn't so bad, then.
I will continue to avoid buying cars that have wireless communications facilities, though.
I will continue to avoid buying cars that have wireless communications facilities, though.
Agreed. I'm disappointed that most (all?) new higher-level Hondas come with keyless entry and ignition. I get that it lessens their costs in making door and ignition locks, but at our expense of $$$ and a large keyfob. At this point, I'd pay extra for a regular ignition key and door locks, but that won't be an option. Luckily my 2001 Civic EX (120k miles) and 2002 CR-V EX (46k miles) are in excellent shape, except needing a few clear-coat touch-ups.
Another approach. (Score:2, Funny)
There is another approach. CAN traffic happens over a differential pair. I have a specially-constructed device that can jam CAN traffic. I call it a "paperclip." I bend it and plug it into both data lines on the OBD port and the network is dead.
We need to ban these dangerous hacking paperclips.
Physical access (Score:1)
I don't see any problem with this, as long as the CAN bus is not accessible from the outside.
I can also create a DoS attack on my PC if I short pins on the motherboard.
You don't need an arduino to get CAN nodes to get into bus-off state, just short the two CAN bus signals together a couple of times.
If you have physical access then you can also disable Airbags, and ABS brakes with a sidecutter.
Well, you have found the problem: "not accessible from the outside."
Car makers have jumped on the "smart everything" revolution, so they built devices into the cars that can bridge CAN with cell phone networks (On-Star, for example). If you own the On-Star, you can do pretty much whatever you want.
The problem is not with CAN, however. The problem is with the typical crappy security between things that bridge CAN to other data sources.
The one thing to remember about CAN is that it is a SHARED BUS. There i
"I can imagine changes to the PHY to stop the "jabbering idiot" problem, but nothing that would prevent the other attacks."
The Bus-off condition they are generating, IS the "jabbering idiot" protection.
Yes, a PHY could detect continuous transmission by simply having a time-out.
Or clever software could keep on turning transmission on and off to fool the timer.
How would you prevent a device from sending packet of a higher priority or sending packets from a different address to spoof the data? While it might be possible, it would mean putting a LOT more smarts into the PHY -- such as the ability to actually partially decode packets, and all of the configuration that goes with it.
Think of a bank vault -- do
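The exchange above turns on the CAN fault-confinement rules: a node that keeps seeing errors while transmitting counts them up and eventually takes itself off the bus, which is the "jabbering idiot" protection the reply refers to. The following is an added example, not code from the thread or from any CAN controller vendor: a simplified model of the transmit/receive error counters and their three states as described in ISO 11898-1, plus a bus-side monitor that flags an error-frame rate far above the background noise the bus normally tolerates. The counter increments for transmit errors (+8) and the 127/255 thresholds follow the standard; the receive-error handling is simplified, and the noise traces and the alert threshold are constructed for illustration.

```python
# Added example: simplified CAN fault confinement (ISO 11898-1 counters and
# states) plus a monitor that spots an anomalous error-frame rate on the bus.
# Traces and threshold below are constructed, not taken from a real vehicle.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

ERROR_PASSIVE_LIMIT = 127   # a counter above this puts the node in error-passive
BUS_OFF_LIMIT = 255         # a TEC above this puts the node in bus-off


@dataclass
class CanNode:
    """Transmit (TEC) and receive (REC) error counters of one CAN controller."""
    name: str
    tec: int = 0
    rec: int = 0

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT or self.rec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"

    def tx_success(self) -> None:
        self.tec = max(self.tec - 1, 0)          # successful transmission: TEC - 1

    def tx_error(self) -> None:
        if self.state != "bus-off":              # a bus-off node no longer transmits
            self.tec += 8                        # error while transmitting: TEC + 8

    def rx_success(self) -> None:
        self.rec = max(self.rec - 1, 0)

    def rx_error(self) -> None:
        self.rec += 1   # simplification: the standard adds 1 or 8 depending on the error


def errors_until_bus_off(start_tec: int = 0) -> int:
    """How many consecutive transmit errors move a node from start_tec to bus-off."""
    node = CanNode("ecu", tec=start_tec)
    count = 0
    while node.state != "bus-off":
        node.tx_error()
        count += 1
    return count


@dataclass
class ErrorFrameMonitor:
    """Counts error frames seen on the bus inside a sliding window."""
    window_s: float = 1.0
    max_errors: int = 16   # constructed threshold; set from the bus's measured noise floor
    seen: deque = field(default_factory=deque)

    def observe(self, t: float) -> bool:
        """Record one error frame at time t; return True if the rate is anomalous."""
        self.seen.append(t)
        while self.seen and t - self.seen[0] > self.window_s:
            self.seen.popleft()
        return len(self.seen) > self.max_errors


def first_alert_index(error_times: list, monitor: Optional[ErrorFrameMonitor] = None):
    """Index of the first error frame that trips the monitor, or None if none does."""
    monitor = monitor or ErrorFrameMonitor()
    for i, t in enumerate(error_times):
        if monitor.observe(t):
            return i
    return None


# Constructed traces: sparse errors from electrical noise over ~12 s, and a
# burst of 40 error frames inside 80 ms, which is what pushes a node off the bus.
BACKGROUND_NOISE = [0.5, 3.2, 7.9, 12.4]
ERROR_STORM = [10.0 + i * 0.002 for i in range(40)]

if __name__ == "__main__":
    print("transmit errors to bus-off from TEC=0:", errors_until_bus_off(0))
    print("noise trace alert:", first_alert_index(BACKGROUND_NOISE))
    print("storm trace alert at frame:", first_alert_index(ERROR_STORM))
```

The number the model produces is the point the reply above is making: fewer than three dozen consecutive transmit errors are enough to take a healthy node off the bus, and since that is the protocol doing exactly what it was designed to do, the defender's lever is not the counter but the ability to observe that error frames are arriving far faster than noise would explain and to identify which node is being affected.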
Very dangerous (Score:2)
But plenty of people have access to cars of family members and friends. More than 75% of the homicide victims know their perps. Stranger on stranger murder rate is less than 25%. [quora.com]
So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network that targets the brake system once the car speed is above 75 mph. An average dumb criminal, (all criminals are du
Huh? What do you mean 'targets the brake system'? If the brakes are in any way controlled by the CAN bus, and the default for any component of that failing is anything other than 'apply the brakes', then THAT is a much more serious concern, and much more likely to happen, than this theoretical hack.
Now, it is possible for it to target the antilock brakes, because they do have sensors connected to the bus. But all a failing antilock brake sensor causes (which is what the hack simulates) is the ANTILOCK fu
So one could sabotage a car of a family member in a manner very difficult to detect using a device plugged into the network that targets the brake system once the car speed is above 75 mph.
There's a reason why brakes are designed as a failsafe design. Even if you took out the ABS controller, the brakes will continue to work. They are still a hydraulic connection between the master cylinder behind the pedal, and the brakes themselves in the wheel. Yes, in hybrid cars with regenerative braking, the first few inches of pedal travel just activate electronics, but once you go beyond that, you still have the tried and true hydraulic brakes.
Are there other ways that you could sabotage a vehicle elec
Remote network access to car == REALLY BAD IDEA (Score:3)
Toyota and the phantom gas pedal signal (Score:2)
Stuck CAN bus signal. From what I've gathered, my first guess when it first hit the news turned out to be the actual problem.
I was involved in writing calibration, diagnostic and simulation tools for GM and their suppliers in the late 90s and early 00s, I saw this problem several times on the low-speed bus, but that wasn't as critical (well, your instrument panel or radio might go wonky, but critical components run a high speed bus)
It depends on what the goal of the attacker is. If your goal is simply to destroy the vehicle or make it immobile, then sure a sledgehammer and a knife will do a better and faster job if you have physical access to the car.
If your goal is to, for example, assassinate someone and make it look like an accident, then it may be a different story.
In other words... (Score:2)
...if you jam a network, it will stop working. Whoever figures out how to avoid that will win a Nobel. And a position of headmaster at Hogwarts.
It's called a human driver. (Score:2)
Yes, there are also several other, less dangerous flaws involving frame droppage, but the human driver is the most dangerous, unpatchable flaw in modern vehicles.