Both the traditional media and the social kind have a history of getting over-excited about anything to do with computer hacking. Scary headlines bring in readers and complicated explanations of technical issues will (they feel) scare them away. Recently there has been a spate of stories about car on-board electronics being hacked, but they all refer to demonstrations of what is possible, and there are currently no examples of real-life harm. Here at Diesel Car we think our readers can handle a bit of technical explanation, so we went looking for the real story.
Technology evolves; no single person or even company ever comes up with a totally new idea and implements it so perfectly that it works for ever. Nowhere is that more true than in car electrical systems. Initially there were just power supplies for the lights, horn, fuel pump, radio and so on, but in the 1980s things started to get more complicated.
Engine Control Units (ECU) and Anti-lock Braking Systems (ABS) appeared on expensive models, then spread throughout the market. Initially each was quite simple and separate, with discrete sensors for each device, but ABS works better if each wheel knows what the others are doing. ECUs are better if linked to the transmission, to sensors in the air intake, exhaust, turbocharger, and so on. Add in active suspension, power steering, torque vectoring, pollution controls, remote locking, proximity sensing, navigation systems, guidance and parking assistants and infotainment systems, and it’s not surprising that a modern car can have 50 to 100 connected control units, each one a small computer.
The Controller Area Network bus (CAN Bus) was developed initially by Bosch as a means of linking together all the electronics in a vehicle, and adopted as a standard by the Society of Associated Engineers (SAE) in 1986. CAN was designed to prioritise important information, such as ABS, and get it to the right place quickly, though no one gave any thought to making it a secure system. The Internet was in its infancy, the World Wide Web was three years in the future and first generation mobile phones were analogue devices that didn’t work well with computers. The only way into CAN was via the Onboard Diagnostic port (OBD), and only respectable main dealers had the gear that plugged into that, so it’s a classic example of what the IT world calls security through obscurity. But that never lasts: now anyone can buy an OBD lead and plug it into a laptop, and things are a whole lot more vulnerable.
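How that prioritisation works in practice, as an added illustration that is not part of the original article: the simulation below replays CAN's bit-by-bit arbitration, in which the lowest identifier wins the bus, and shows that a frame carries an identifier and data but nothing that says which unit sent it. The node names, identifiers and payloads are made up for the example.

```python
from dataclasses import dataclass

ID_BITS = 11  # identifier width in the classic CAN base frame format

@dataclass(frozen=True)
class Frame:
    """What travels on the wire: identifier and payload, no sender field."""
    can_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.can_id < (1 << ID_BITS):
            raise ValueError("identifier must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")

def bit(can_id, position):
    """Identifier bit at `position`, most significant bit first."""
    return (can_id >> (ID_BITS - 1 - position)) & 1

def arbitrate(frames):
    """Return the frame that wins the bus when all start at once."""
    # The bus is a wired-AND: a dominant 0 overrides a recessive 1, so a
    # node that sends 1 but reads back 0 stops and retries later.
    contenders = list(frames)
    for position in range(ID_BITS):
        level = min(bit(f.can_id, position) for f in contenders)
        contenders = [f for f in contenders if bit(f.can_id, position) == level]
    return contenders[0]

def bus_order(pending):
    """Order in which (node, frame) pairs queued together reach the bus."""
    # The node name is simulation bookkeeping only; it is dropped here
    # because nothing in the frame records who sent it.
    queue = [frame for _node, frame in pending]
    sent = []
    while queue:
        winner = arbitrate(queue)
        queue.remove(winner)
        sent.append(winner)
    return sent

# Constructed sample: node names and identifiers are hypothetical.
PENDING = [
    ("infotainment", Frame(0x5D1, b"\x01")),
    ("engine", Frame(0x2F0, b"\x10\x27")),
    ("abs", Frame(0x0A0, b"\xff\x00")),
]
ORDER = bus_order(PENDING)
```

The braking frame goes first even though it was queued last, which is the speed CAN was built for; the receiving units accept it on the strength of its identifier alone, which is the security it was not built for.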
Detailed analysis by researchers at the universities of California and Washington revealed three major ways that vehicle systems can be compromised:
Indirect physical access. The risk of using a standard laptop with OBD software is that the laptop gets used for other things and could quite easily be infected with an OBD virus. Such a virus could infect millions of computers that don’t use OBD without anyone noticing, but when it finds OBD software it goes into action. This is the method demonstrated against an Audi TT by researchers at CrySys Lab and Budapest University of Technology.
Entertainment systems, CD players, USB and other phone connections can be exploited in a similar fashion. An MP3 file, for example, can be encoded with malicious software (malware) that spreads from the audio system via the CAN Bus.
Short-range radio. Indirect physical access enables targeting of a class of vehicles, but is hard to aim at a specific vehicle. Short-range radio systems, such as Bluetooth, remote locking, tyre pressure monitoring, in-car WiFi and Radio-frequency identification (RFID) keys are used in almost all vehicles and all are vulnerable. A wireless device placed in a car park, for example, could enable an attacker to target a particular vehicle. Researchers in Birmingham and Germany have demonstrated that Volkswagen keyless entry systems are vulnerable.
Long-range radio, including broadcast digital radio, GPS (navigation) and manufacturers’ own telemetry or telematics systems. These are not ideal for attacking a specific vehicle, but could be used to trigger dormant malware previously installed by indirect physical access methods.
Reasons for hacking IT systems, like crime in general, are many and various, but high on any list are personal gain, glory and spite. Terrorism is another, as is hacktivism whereby a group of hackers try to influence government or industry policy and practice by threatening some important IT system.
The appeal of compromised keyless entry systems to car thieves is pretty obvious, but it is probably the least serious in the long term. Already some drivers have reverted to physical security devices, such as steering wheel locks.
Ransomware is already a problem in many industries, where some miscreant installs malware on a company IT system and threatens to bring it to a standstill unless a fee is paid. It is probably a bigger problem than is generally realised because it appears that many companies will pay what they consider to be ‘reasonable’ sums, rather than risk losing business and reputation. Now imagine someone releasing malware that targets the brakes of a particular model. How much would the target manufacturer pay to stop that one being activated?
In the IT world, many companies pay a bounty to anyone who can demonstrate a security flaw in their software, while sometimes the ethical hacker provides a patch to fix the problem and collects another bounty. The car industry is just starting to wake up to this, but faces several real problems. First, cars take a long time to develop, stay in production for years, and then are on the road for a decade or more. A 2017 model will very likely have software in it from 2010 and be on the road until 2027. Secondly, unlike conventional computers (and phones and tablets), the embedded devices in cars lack screens and keyboards, and even if security patches are available they can’t pop up a message telling you to upgrade. In this respect cars have the same problem as the Internet of Things devices such as fridges, smart lightbulbs and thermostats that can all be hacked.
Finally, if the manufacturers use an in-car operating system to control all the devices and their upgrades, something like Automotive Grade Linux, for example, who do you trust to run the upgrade, and when? A mobile phone provider can force upgrades when it suits them, but you wouldn’t want that while the vehicle is in use. They could, like Microsoft, nag users to upgrade and most drivers probably would, but how would they know if it had worked properly? A failed upgrade can brick a phone or leave you with an unbootable PC, but will roadside breakdown cover sort it out if it happens to your car?
Keyless entry aside, all the hacks demonstrated so far have been created by white hats, computer science academics or employees of IT security specialists. So far, all the hacks have needed a lot of work and expertise and the bad guys haven’t managed to emulate them. Hopefully now the car makers are aware of the security risks they run, they will manage to stay one step ahead of the troublemakers.