Since two security researchers showed they could hijack a moving Jeep on a highway three years ago, both automakers and the cybersecurity industry have accepted that connected cars are as vulnerable to hacking as anything else linked to the internet. But one new car-hacking trick illustrates that while awareness helps, protection can be extremely complex. Researchers have uncovered a vulnerability in vehicular internal networks that’s not only near-universal, but also can be exploited while bypassing the auto industry’s first attempts at anti-hacking mechanisms.
Security firm Trend Micro on Wednesday published a blog post highlighting a little-noticed automotive hacking technique it presented at the DIMVA security conference in Bonn, Germany last month, along with researchers at LinkLayer Labs and the Polytechnic University of Milan. Their work points to a fundamental security issue in the CAN protocol that car components use to communicate and send commands to one another within the car’s network, one that would allow a hacker who accesses the car’s internals to shut off key automated components, including safety mechanisms.
“You could disable the air bags, the anti-lock brakes, or the door locks, and steal the car,” says Federico Maggi, one of the Trend Micro researchers who authored the paper. Maggi says the attack is stealthier than previous attempts, foiling even the few intrusion detection systems some hardware makers like Argus and NNG have promoted as a way to head off car hacking threats. “It’s practically impossible to detect at the moment with current technology,” he says.
The researchers’ attack is far from a practical threat to cars on the road today. It’s a “denial of service” attack that turns off components, not one that hijacks them to take over basic driving functions like accelerating, braking, or steering as the Jeep hackers did in 2015, or Chinese hackers working for Tencent more recently achieved with a Tesla. And it’s not a fully “remote” attack: It requires the hacker to already have initial access to the car’s network—say, via another vulnerability in its infotainment system’s Wi-Fi or cellular connection, or via an insecure gadget plugged into the OBD port under its dashboard.
Instead, the attack represents an incremental advance in the still-theoretical cat-and-mouse game between the automotive industry and vehicle hackers. “It doesn’t depend on a specific vulnerability in some piece of software,” says Maggi. “It’s a vulnerability in the design of the CAN standard itself.”
That CAN vulnerability works a bit like an autoimmune disease that causes a human body to attack its own organs. Unlike previous car-hacking techniques, the researchers’ attack doesn’t take over components on a car’s internal network and then use them to spoof entirely new “frames,” the basic units of communication sent among parts of a car’s CAN network. Instead, it waits for a target component to send one of those frames, and then sends its own at the same time with a single corrupted bit that overrides the correct bit in the original frame. When the target component sees that it’s sent an incorrect bit, the CAN protocol requires that it issue an error message “recalling” that faulty message. Repeat the attack enough times—car components tend to exchange messages frequently—and those repeated error messages trick the component into telling the rest of the network that it’s defective and cutting itself off from further communication.
That autoimmune attack, the researchers say, is far harder to detect, and easily circumvents existing intrusion detection systems that look for the anomalous frames that represent malicious communication within a car’s network. Automotive security researcher Charlie Miller, who along with fellow researcher Chris Valasek hacked a Jeep in 2015 and designed an intrusion detection module they say would have prevented their own attack, acknowledged on Twitter Wednesday that the attack does represent a new advance in defeating car hacking defenses. “If you are designing CAN bus IDS…this is something that you need to plan for now.” He added, though, that an intrusion detection system written by someone who knows about the researchers’ trick could defeat it. “It is hard to defend against, but is certainly detectable.”
But even if an IDS looked for error messages as a sign of an attack, Maggi says, an attacker could randomize the pattern of error messages to make that detection more difficult. And those errors are also tough to distinguish from actual malfunctioning components, he warns. “IDSes will really have to change how they work,” says Miller, who recently joined GM’s autonomous vehicle startup Cruise. “And in the end, I’m not really sure they’ll be able to distinguish between an attack and a faulty component.” He suggests that carmakers’ best defense instead is to segment their networks to isolate critical safety components from ones that might be accessible to hackers, and even to consider adding a layer of encryption to the CAN protocol to make messages more difficult to mimic.
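The mechanism the article describes is the CAN standard's own error-confinement rule: every node keeps a transmit error counter, each transmit error adds 8 to it, each successful frame subtracts 1, a counter above 127 puts the node into "error passive" and a counter above 255 takes it off the bus entirely (ISO 11898-1). The following is an added example, not code from the article, from Trend Micro or from the researchers' paper. It models that counter from the defender's side and runs a simple monitor over a constructed event log to show what Miller's point about detectability looks like in practice: a burst of error frames against one node is visible as a rate anomaly, but the monitor cannot say whether the cause is an attacker or a failing transceiver. The node names, the event log, the 100 ms window and the burst threshold are all assumptions made for the example.

```python
"""Defender-side model of CAN error confinement plus an error-burst monitor.

Added example; the ECU names, event log and thresholds are constructed.
Counter rules follow ISO 11898-1: +8 per transmit error, -1 per successful
transmit, error passive above 127, bus off above 255.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ERROR_PASSIVE = 128    # TEC > 127 -> node becomes error passive
BUS_OFF = 256          # TEC > 255 -> node disconnects itself from the bus
TX_ERROR_PENALTY = 8   # added to TEC on every transmit error
TX_SUCCESS_CREDIT = 1  # subtracted from TEC on every successful transmit


@dataclass
class CanNode:
    """Transmit error counter (TEC) and the state it implies for one node."""
    name: str
    tec: int = 0
    state: str = "error_active"

    def on_event(self, kind: str) -> str:
        if self.state == "bus_off":
            return self.state  # a bus-off node no longer takes part in traffic
        if kind == "tx_err":
            self.tec += TX_ERROR_PENALTY
        elif kind == "tx_ok":
            self.tec = max(0, self.tec - TX_SUCCESS_CREDIT)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        if self.tec >= BUS_OFF:
            self.state = "bus_off"
        elif self.tec >= ERROR_PASSIVE:
            self.state = "error_passive"
        else:
            self.state = "error_active"
        return self.state


def simulate(events):
    """Replay (timestamp_ms, node, kind) events; return final (state, tec) per node."""
    nodes = {}
    for _ts, name, kind in events:
        nodes.setdefault(name, CanNode(name)).on_event(kind)
    return {n.name: (n.state, n.tec) for n in nodes.values()}


def detect_error_bursts(events, window_ms=100.0, max_errors=4):
    """Flag the first time a node sees more than max_errors transmit errors
    inside any window_ms span. The rule looks only at the error rate, so it
    does not care in what pattern the errors arrive, but it also cannot tell
    an induced error burst from a genuinely faulty component: the alert means
    'investigate this node', not 'this node is under attack'."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, name, kind in events:
        if kind != "tx_err":
            continue
        q = recent[name]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) > max_errors and name not in flagged:
            flagged[name] = ts
    return flagged


def constructed_log():
    """Constructed sample traffic: a healthy ECU with two isolated errors and
    an ECU whose every frame is answered with an error frame."""
    events = []
    for i in range(200):                      # ECU_ABS: one frame every 10 ms
        kind = "tx_err" if i in (50, 150) else "tx_ok"
        events.append((i * 10.0, "ECU_ABS", kind))
    for i in range(40):                       # ECU_DOOR: one frame every 20 ms
        events.append((i * 20.0, "ECU_DOOR", "tx_err"))
    events.sort(key=lambda e: e[0])           # stable sort keeps per-node order
    return events


if __name__ == "__main__":
    log = constructed_log()
    print("final node states:", simulate(log))
    print("nodes flagged by the monitor:", detect_error_bursts(log))
```

With the constructed log, ECU_ABS ends the run error active with a counter of 0, because its two isolated errors are paid back by later successful frames, while ECU_DOOR reaches error passive after 16 consecutive errors and bus off after 32, which is the self-disconnection the article describes. The monitor flags ECU_DOOR at the fifth error (80 ms in) and never flags ECU_ABS, but nothing in its output distinguishes an attacker from a door controller with a broken transceiver, which is exactly the ambiguity Maggi and Miller raise.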
Miles To Go
WIRED reached out to both Argus and NNG, whose defense tools the researchers write they could bypass with their attack. Neither company immediately responded to a request for comment.
Don’t expect any real-world hackers to implement the researchers’ IDS-bypassing attack any time soon. Beyond vehicle thefts, hackers haven’t set their sights on cars in any known attacks yet. And even Miller, who has repeatedly warned of the risks of automotive hacking, writes he’d “be surprised to see this in practice.” The Department of Homeland Security’s Computer Emergency Response Team issued an alert about the vulnerability late last month, but noted that it required “extensive knowledge of CAN” to pull off.
But as cars become more connected and automated, car hacking becomes an increasingly realistic and serious threat. And before it does, attacks like Trend Micro’s hint at how deeply automakers may need to rework their cars’ innards in order to protect them.