How safe is your luxury car? – An automotive IT security analysis

22 06 2012

You have a new luxury car, which is the talk of your street. Your car boasts features like new-age infotainment, ABS, heated seats, electronic steering controls, a theft deterrent system, obviously the airbags, and what not. You feel as if you are in heaven whenever you are inside the car. After the first free service you are on top of the world, used to the car, when suddenly, driving back home at perhaps mid-60s speed, one of your wheels brakes automatically without your command and the engine stops. What would happen to you? Even if you try to sue the car company, will you recover your loss (more likely a permanently damaged joint, for example)?

This is what an attacker can do to your car. Attackers do not always hack a system for money. It could be for fame or just to carry on a sociopathic habit. I do not want to believe the next sentence: “It is really possible and highly probable.” It is not due to the technical build quality of the car. It is the “hacking” of the electronic parts (electronic control units – ECUs) that causes the totally shocking incident.

By 2010, the number of ECUs in a high-end luxury car was around seventy, and they accounted for a huge chunk (around 40%) of the manufacturing of the whole unit. All the boasted features that I mentioned earlier are provided by these ECUs. ECUs are computers that each cater to a specific functionality by implementing tens of thousands of lines of software. These units are generally interconnected by some variation of the most popular vehicle network, the Controller Area Network (CAN). All ECUs are diagnosed through a federally mandated On-Board Diagnostics (OBD) protocol. This is carried out through a mandatory OBD-2 port, generally located just under the dash. Service personnel are provided with test tools that connect to this port. This port is the door for an attacker. An attacker can simply attach a component to it, temporarily or permanently, to gain control over the ECUs. ECU states can be modified by powerful functions called device control functions, which are built on top of CAN. If the attacker's device can record the device control patterns and the communication patterns between the ECUs, the attacker has the “Genie”.

The companies permit only select service stations to upgrade the firmware of an ECU outside of the company, after a simple seed-key access control mechanism, similar to the “what is your mother’s maiden name?” kind of authentication. The problem is that both the seed and the key are sixteen bits long and, annoyingly, permanent. It is easy for a hacking enthusiast to crack the access codes. To date, none of the companies have employed encrypted or digitally signed software. This is the point where the attacker can inject malicious code to corrupt the system and gain control over your car. Technically, the car company’s confidential software, communication protocols, and data are stolen, along with a possible injection of a “virus” into the whole electronic system. The computer system is thus hacked!!!

There are several attack techniques:

Through messages: The CAN messages are “sniffed” for a long period of time to learn the communication pattern of the ECUs. The attacker can then inject malicious “bits” onto the communication lines that follow the known patterns.

Through device control: Device control functions are mainly used by the manufacturers to change ECU variables and states. For example, a device control function is used to write the odometer value onto the instrument panel cluster display. If the attacker is able to get hold of that function, service personnel could be fooled by writing a small odometer value before every service, which is a financial loss to the car manufacturer.

Reverse engineering: The ECU memory contents are dumped. The binary is then reverse engineered to recover the code and functionality of the ECU software.

There are definitely a number of ways to counter these attacks. Some of them are to be followed by the manufacturer and some by users; a few are:

1. Instead of using a fixed, permanent seed-key access control, use a mechanism which changes the access control codes at each request for access. This will shut many vulnerable doors.
2. Encrypt the CAN messages, which are predictable because the protocol is so widely used; these messages are so easily decoded that even without the access codes, ECUs can be tampered with by sending forged CAN messages. Encryption denies the attacker the ability to read the pattern of communication between ECUs.
3. Device control functions must be digitally signed by the manufacturer. These functions are too powerful, and only authenticated functions must be used.
4. Always use digitally signed, encrypted software. This will prevent hackers from reverse engineering the ECU software.
5. The most important thing: educate the users. Users should be aware of the potential threat they are buying. After all, the car is a life-critical system. Users should be fully trained first hand (not just by providing a user manual) about the OBD-2 port and the possible ways of attacking it.
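The following is an added example, not code from the post, that models the permanent 16-bit seed-key scheme described above beside the per-request scheme of countermeasure 1. The seed and key values, the shared secret and the HMAC-based key derivation are all assumptions for illustration; the point it shows is that a single recorded exchange replays forever against the fixed scheme and fails against the fresh-seed one.

```python
import hashlib
import hmac
import secrets
# Constructed 16-bit values standing in for the permanent seed and key the post
# describes; with 16-bit values the whole keyspace is only 2**16 = 65536.
FIXED_SEED = 0x3A7C
FIXED_KEY = 0x5E21

def fixed_scheme_unlock(seed_seen: int, key_answer: int) -> bool:
    """Weak scheme: the seed never changes, so the correct key never changes."""
    return seed_seen == FIXED_SEED and key_answer == FIXED_KEY

def derive_key(shared_secret: bytes, seed: bytes) -> bytes:
    """Hypothetical derivation: HMAC-SHA256 over the seed under a secret held only
    by the manufacturer and its authorised tools (assumed, not the post's)."""
    return hmac.new(shared_secret, seed, hashlib.sha256).digest()

class FreshSeedEcu:
    """Hardened scheme (countermeasure 1): fresh random seed per request, one answer
    allowed per seed, secret-keyed derivation instead of a fixed key."""
    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._pending_seed = None
    def request_seed(self) -> bytes:
        self._pending_seed = secrets.token_bytes(16)
        return self._pending_seed
    def send_key(self, key: bytes) -> bool:
        if self._pending_seed is None:
            return False
        expected = derive_key(self._secret, self._pending_seed)
        self._pending_seed = None  # one attempt per seed; a retry needs a new seed
        return hmac.compare_digest(expected, key)

def replay_against_fixed_scheme() -> bool:
    """One recorded exchange unlocks the ECU again and again."""
    recorded_seed, recorded_key = FIXED_SEED, FIXED_KEY  # what a sniffer captures
    return fixed_scheme_unlock(recorded_seed, recorded_key)

def replay_against_fresh_scheme() -> tuple:
    """The same recording fails here: the captured answer matches an old seed."""
    secret = b"constructed-shared-secret"
    ecu = FreshSeedEcu(secret)
    first_seed = ecu.request_seed()
    recorded_key = derive_key(secret, first_seed)  # captured from a legit session
    legit_ok = ecu.send_key(recorded_key)
    ecu.request_seed()  # later request: the ECU issues a fresh seed
    replay_ok = ecu.send_key(recorded_key)
    return legit_ok, replay_ok
```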

Let us hope that the car companies using software to control these features treat the security of ECUs as a high priority in the immediate future and beyond, and that potential buyers know what they are buying from the inside and are well equipped to fight ECU security attacks.
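As a further added example (not the post's code) for the message-sniffing attack and countermeasure 2: rather than encryption alone, this authenticates each CAN frame with a keyed tag plus a freshness counter, which is what actually stops a recorded frame from being replayed or its bits from being modified; the 8-byte frame layout, the CAN ID, the shared secret and the traffic are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the post): classic CAN carries at most 8 data
# bytes, used here as 4 bytes payload + 2-byte freshness counter + 2-byte tag.
SHARED_SECRET = b"constructed-ecu-shared-secret"  # provisioned into both ECUs
TAG_LEN = 2

def frame_tag(can_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over CAN ID, counter and payload."""
    msg = struct.pack(">HH", can_id, counter) + payload
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(can_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: payload, counter and tag packed into the 8-byte data field."""
    if len(payload) != 4:
        raise ValueError("payload must be exactly 4 bytes in this layout")
    return payload + struct.pack(">H", counter) + frame_tag(can_id, counter, payload)

class AuthenticatingReceiver:
    """Receiver side: drops frames with a bad tag (forged or modified bits) and
    frames whose counter does not move forward (replay of a recorded frame)."""
    def __init__(self) -> None:
        self._last_counter = {}  # highest accepted counter per CAN ID (wrap omitted)

    def accept(self, can_id: int, data: bytes) -> bool:
        if len(data) != 8:
            return False
        payload, counter, tag = data[:4], struct.unpack(">H", data[4:6])[0], data[6:]
        if not hmac.compare_digest(tag, frame_tag(can_id, counter, payload)):
            return False
        if counter <= self._last_counter.get(can_id, -1):
            return False
        self._last_counter[can_id] = counter
        return True

def demo() -> dict:
    """Constructed traffic: one genuine frame, the same bytes replayed, a copy with
    one payload bit flipped but the old tag kept, then the genuine next frame."""
    rx = AuthenticatingReceiver()
    genuine = build_frame(0x123, 41, b"\x01\x00\x00\x00")
    flipped = bytes([genuine[0] ^ 0x80]) + genuine[1:]
    return {
        "genuine": rx.accept(0x123, genuine),
        "replayed": rx.accept(0x123, genuine),
        "tampered": rx.accept(0x123, flipped),
        "next_counter": rx.accept(0x123, build_frame(0x123, 42, b"\x01\x00\x00\x00")),
    }
```

A 16-bit tag leaves a 1-in-65536 chance per forged frame, which is why real deployments pair it with rate limiting and a wider counter; that is an assumption about practice, not something the post states.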


Book: Security in Computing by Charles P. Pfleeger, 2nd edition
