You might have seen that frightening episode of the CBS series, Person of Interest, in which a fictional social media company's billionaire founder loses control of his car. From the street, the driver appears to be either a total nutcase (well, in this case, he is) or heavily intoxicated. His car weaves through traffic left and right, crossing lanes willy-nilly and clipping other cars. But inside the car, the driver is helpless. Any control he tries, especially the brakes, is overridden, apparently by the car itself. Unbeknownst to the driver, of course, the car is under remote control.
Inevitably, the car blows up (creating an exciting visual). However, the software genius escapes in the nick of time.
This, of course, is TV drama. It's fiction. A remotely compromised car is a scenario that makes a good thriller and scares the bejesus out of viewers. But possible in real life?
Well, wait a minute.
In March 2011, a team of scholars at the University of Washington joined with colleagues from the University of California-San Diego, in a technical paper entitled "Comprehensive Experimental Analyses of automotive Attack Surfaces." They prepared it for the National Academy of Sciences (NAS) committee on electronic vehicle controls and unintended acceleration.
Dirk Besenbruch, engineer, group leader of Systems & Applications, Automotive, at NXP Semiconductors, recalls the paper as a wakeup call. "It triggered our work at NXP" on automotive security, he said in a recent phone conversation with EE Times.
The academics' point was to debunk automotive industry skepticism about the hackability of on-board electronics. The industry's conventional wisdom was that "to implement an attack, the attacker would need to physically connect attack hardware to the car's internal computer network."
That got the university researchers going. They ran "a systematic and empirical analysis of the remote attack surface of late model mass-production sedan," according to the authors.
The researchers were aware, as they conducted their study, that no serious security automotive security breach -- like the one on the TV show -- has ever compromised the safety of cars and drivers in the real world. The paper's author pointed out, "Traditionally automobiles have not been network-connected and thus manufacturers have not had to anticipate the actions of an external adversary."
In the paper, however, they cautioned: "Our automotive systems now have broad connectivity; millions of cars on the road today can be directly addressed via cellular phones and via Internet."
CAN bus is the crux of the issue?
While noting that the CAN bus is a "good, fault tolerant network" inside a car, NXP's Besenbruch acknowledged that there are a number of ways hackers can worm their way into the internal network and get to the Electronic Control Unit (ECU).
The flexibility of the CAN bus has created a safe and cost-effective network enabling vendors to attach a number of computer control systems (ranging from the window controllers to the locks and critical safety elements such as brakes and engine). But that flexibility also creates the opportunity for new attacks -- including one in which a car's internal network can circumvent all computer control systems including mission-critical functions. Besenbruch acknowledged that it's entirely feasible for someone to remotely turn the car-audio volume ALL THE WAY UP, for example, or worse, stop or start the engine at will.
Asked how exactly a remote attacker could get in, NXP's Besenbruch mentioned "On-board diagnostics (OBD)," to which service personnel have access during routine maintenance for diagnostics and ECU programming. Attackers can also go after the in-car entertainment system, he added, by "introducing false code into MP3 files," for example. By playing the file, a user unknowingly plants malicious input in his in-car entertainment system. That may not seem like a big deal, but many in-car systems today are now CAN bus interconnected. A compromised MP3 or CD player in a car could be the cancer that metastasizes in other automotive components.
The University of Washington and California-San Diego researchers stated in the paper:
"We find we are able to obtain complete control over our car by placing a call into its cell phone number and playing a carefully crafted audio signal (encoding in an iPod) that compromises its embedded telematics unit."
Other attacking scenarios include much more direct physical access via short-range wireless interfaces, such as Bluetooth; WiFi; remote keyless entry; tire pressure monitoring systems and RFID car keys; and long-range wireless interfaces such as broadcast channels including a cellphone interface, GPS, satellite radio, and digital radio.
Of course, in the case of a Bluetooth-based attack, for example, the saboteur would have to place a wireless transmitter in proximity to the car's receiver. Further, the attacker needs to learn the car's Bluetooth MAC address to remotely exploit the car's vulnerability. That does seem like a lot of work.
The researchers, however, concluded: "Our experimental analyses determine that a determined attacker can do so, albeit in exchange for a significant effort in development time and an extended period of proximity to the vehicle."
The scenario for remotely exploiting control of a car via wireless Interface isn't far-fetched, the authors argued. Most surprising to them was that their car's Bluetooth unit responded to pairing requests even without any user interactions.
Open vs. closed system
Indeed, wireless channels open a plethora of vulnerabilities, "allowing attackers to trigger actions remotely on demand, synchronize across multiple vehicles, or interactively controlled," according to the paper's authors.
NXP's Besenbruch concurred. Unlike the financial world where credit cards, pin numbers, and ATM machines are designed to operate in a closed system, he said, "the automotive industry faces particular technical challenges." Car manufacturers have striven to maintain an open system, so that they don't have to reinvent the wheel every time a new control system is introduced into a new model. Today, some cars already have more than 70 control units inside, he added, all of them interconnected.
Junko Yoshida writes for EE Times USA, from where this article is adapted.