Car hacking – myth, fantasy or reality?
I was recently asked by an investigative reporter if there were any cars that were safe from hacking and, apart from suggesting an old Volvo 142, I wasn’t able to give him a simple answer because I haven’t really researched this area properly. We’ve all seen reports in the media of how some cars are or were vulnerable to mostly physical attacks, though in a few rare cases there have been successful remote attacks. Although I try to keep up to date with computers and embedded electronics, I have to admit that I don’t read much about cars. I’m not even interested in cars any longer. They should just work and that’s the only thing that’s important to me! (And they should be comfortable and able to handle well in snow, which is why I drive a Range Rover.)
Anyhow, back to car hacking then.
My vague knowledge about cars and electronics comes from having tinkered with the CAN bus in the past via the OBD-II interface. CAN is a serial communication bus that carries the data a car needs to run: everything from the commands the steering-wheel remote sends to the stereo, to sensor readings from the engine and the rest of the car. All such messages are broadcast on a shared bus that every microcontroller (ECU) needing them can read. A CAN frame carries an arbitration identifier (which decides priority, lowest ID wins) and up to eight data bytes; there is no sender address and no authentication, so any node on the bus can transmit a frame with any identifier and the receivers cannot tell a genuine sensor reading from a forged one. This is pretty basic stuff: CAN was developed by Bosch in the early 80’s, although the first on-board computer in a car was Volkswagen’s electronically controlled fuel injection in the 1968 fuel-injected Type 3 models. Today pretty much EVERYTHING regarding signalling in the car is sent over CAN (modern cars normally have several CAN segments, for instance powertrain, body and infotainment, joined by a gateway ECU), and the diagnostic segment can be accessed via the OBD-II port. Accessing the car’s electronics via the OBD-II port isn’t really hacking if we’re talking about vulnerabilities, because it requires physical access to the inside of the car. The caveat is that insurance and telematics dongles are routinely left plugged into that port, and a dongle with its own cellular or Bluetooth link turns the OBD-II port into a remote attack surface.
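As an added example (this is not code from the original post or from any car-hacking tool), the following shows what an OBD-II request and reply look like as CAN frames, how a standard mode-01 PID is decoded, and why a listener cannot tell a genuine engine-ECU reply from one injected by a rogue node on the same bus. It assumes a frame is just an 11-bit arbitration ID plus up to eight data bytes; the sample replies are constructed by hand, not captured from a real car. The IDs 0x7DF and 0x7E8–0x7EF and the PID formulas are the standard ISO 15765-4 / SAE J1979 ones.

```python
"""Added example: OBD-II over CAN, and why a CAN frame proves nothing about its sender.

Assumptions (mine, not the article's): frames are (11-bit ID, <=8 data bytes); the
sample replies are constructed, not real captures. The node names used in the
arbitration simulation are bookkeeping only; nothing like them travels on the wire.
"""
from dataclasses import dataclass

OBD_REQUEST_ID = 0x7DF                  # functional request: "any ECU that supports this"
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)  # 0x7E8 (usually the engine ECU) .. 0x7EF
MODE_CURRENT_DATA = 0x01


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit identifier; it sets priority, not the sender
    data: bytes          # 0..8 bytes on classic CAN

    def __post_init__(self):
        if not 0 <= self.arbitration_id <= 0x7FF:
            raise ValueError("11-bit CAN ID expected")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


# PID -> (name, number of data bytes A/B used, formula)  (SAE J1979 mode 01)
PID_DECODERS = {
    0x05: ("coolant_temp_c", 1, lambda a, b: a - 40),
    0x0C: ("engine_rpm", 2, lambda a, b: (256 * a + b) / 4),
    0x0D: ("vehicle_speed_kph", 1, lambda a, b: a),
    0x11: ("throttle_pct", 1, lambda a, b: a * 100 / 255),
}


def obd_request(pid: int, mode: int = MODE_CURRENT_DATA) -> CanFrame:
    """Single-frame ISO-TP request: [byte count, mode, PID], padded to 8 bytes."""
    payload = bytes([2, mode, pid]).ljust(8, b"\x00")
    return CanFrame(OBD_REQUEST_ID, payload)


def decode_obd_response(frame: CanFrame):
    """Return (pid_name, value) for a well-formed mode-01 reply, else None."""
    if frame.arbitration_id not in OBD_RESPONSE_IDS or len(frame.data) < 3:
        return None
    length, mode, pid = frame.data[0], frame.data[1], frame.data[2]
    if mode != MODE_CURRENT_DATA + 0x40 or pid not in PID_DECODERS:  # reply mode = request + 0x40
        return None
    name, nbytes, formula = PID_DECODERS[pid]
    if length != 2 + nbytes or len(frame.data) < 3 + nbytes:
        return None
    a = frame.data[3]
    b = frame.data[4] if nbytes == 2 else 0
    return name, formula(a, b)


def bus_arbitration(contenders):
    """Classic CAN arbitration: when several nodes start transmitting in the same bit
    slot, the lowest arbitration ID wins and the others back off.
    `contenders` is a list of (node_name, CanFrame); returns the winning pair."""
    return min(contenders, key=lambda nf: nf[1].arbitration_id)


# Constructed sample traffic (not a real capture): two replies to a PID 0x0C query.
GENUINE_RPM_REPLY = CanFrame(0x7E8, bytes([4, 0x41, 0x0C, 0x1A, 0xF8, 0, 0, 0]))  # 1726 rpm
FORGED_RPM_REPLY = CanFrame(0x7E8, bytes([4, 0x41, 0x0C, 0x7D, 0x00, 0, 0, 0]))   # 8000 rpm


def spoof_demo():
    """Both replies decode the same way; a listener cannot distinguish the engine ECU
    from a rogue node plugged into the OBD-II port. Returns the two decoded values."""
    return decode_obd_response(GENUINE_RPM_REPLY), decode_obd_response(FORGED_RPM_REPLY)


if __name__ == "__main__":
    print(obd_request(0x0C))
    print(spoof_demo())
    print(bus_arbitration([("engine_ecu", GENUINE_RPM_REPLY),
                           ("abs_ecu", CanFrame(0x0C0, b"\x01"))]))
```

The forged reply is byte-for-byte a valid frame; the only defence a receiving ECU has is whatever plausibility checking the manufacturer bolted on top, which is exactly why bus access via a compromised dongle or infotainment unit matters.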
Many cars today, and for some time, have been equipped with immobilisers, whose purpose is to render the car inoperable if it is stolen or started with a non-coded key, by signalling the ECU to withhold fuel and ignition. The more advanced ones use GSM so that an operator can “lock down” the car remotely if it has been stolen, though not while the car is moving, for obvious reasons… One of the most common immobiliser transponders is the Megamos Crypto chip, whose proprietary cipher has been reverse-engineered and broken by researchers on several occasions. Bypassing the immobiliser, or the ECU, isn’t strictly “hacking” either in this context, but it has to be mentioned.
The thing that really worries me is V2V (vehicle-to-vehicle) and V2I (vehicle-to-infrastructure) communication. The fundamental idea behind V2V and V2I is to exchange safety and traffic warnings between vehicles and with roadside units. The US Department of Transportation liked this idea so much that in 2014 it announced plans to make it a mandatory feature in ALL new cars!
V2V is, luckily, the first automotive protocol to consider computer security and hacking from the beginning, but given the complexity of interoperability between countries and the lack of a single fixed industry standard, there are bound to be vulnerabilities to be found, and abused.
V2V communicates either via dedicated short-range communication (DSRC) or via the cellular network (GSM/LTE). There’s also a hybrid approach that combines cellular networks with DSRC, Wi-Fi, satellite and so on, and I guess any future wireless protocol.
DSRC operates in the 5.850–5.925 GHz band, which is reserved for V2V and V2I. It is based on the IEEE 802.11p amendment and the IEEE 1609.x family of standards. Messages are sent using the IEEE 1609.3 WAVE Short Message Protocol (WSMP) as single packets, at most 1500 bytes but normally under 500 bytes. WAVE packets can easily be captured with an 802.11p-capable radio and dissected in Wireshark, which ships a WSMP dissector. In Japan a 760 MHz band is used for crash detection and avoidance. The Japanese 5.8 GHz DSRC channels (used for electronic tolling) don’t use 802.11p, but they should support the 1609.2 security framework.
Here are the WAVE standards:
802.11p: defines the 5.9 GHz WAVE PHY/MAC (an amendment to the Wi-Fi standard that lets stations exchange frames without first associating to an access point); also permits random local MAC addresses, so a vehicle can change its address for privacy
1609.2: security services (certificate formats, signed and encrypted messages)
1609.3: networking services (the WAVE Short Message Protocol, plus IPv6 with UDP/TCP and LLC support)
1609.4: multi-channel operation (defines channel usage)
1609.5: communication manager
1609.11: over-the-air electronic payment and data exchange protocol
1609.12: identifier allocations (PSIDs and other WAVE identifiers)
Typical applications built on DSRC are car sharing, points of interest, diagnostics and maintenance, driving profiles (for insurance purposes), electronic toll notification, fleet management and parking information.
DSRC is meant to carry warnings about approaching emergency vehicles, hazardous locations, other approaching vehicles, road works, stationary or broken-down vehicles, and stolen-vehicle recovery. The United States is a big driving force behind these items.
V2V is, as far as I know, not finished and there’s still a lot to be done. I assume they are going to implement a PKI model like SSL’s, but for cars; certificates can be hacked, and there’s no chance in hell they’ll be tested as hard as our public computer systems, so there are bound to be many bugs and vulnerabilities. I’m also concerned about how firmware updates are going to work with these cars, and who’s responsible for what, when and how. If you can fake a forced update of a car’s firmware then you’re looking at a huge problem…
I’m not going to go into too many details regarding the implementation or the protocols, but as soon as you add a wireless interface to a car, with the ability to both read and modify data, you can be sure it’s a huge risk for vulnerabilities!!! Just imagine spoofing DSRC packets and broadcasting them to cars in your area, telling every car that it is about to crash… Catastrophic foobar.
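As an added example (this is my own illustration, not code from the original post or from any V2X stack), here is the receiver-side plausibility checking a car could apply to broadcast safety messages so that the spoofed “you are about to crash” broadcast above is not acted on blindly. It assumes simplified message records rather than real SAE J2735 Basic Safety Messages, assumes 1609.2 signature verification has already happened upstream (so what is left to catch is a signed-but-lying, replayed or impossibly moving sender), and uses illustrative limits for range, speed, acceleration and freshness; all of those constants and the sample stream are my assumptions.

```python
"""Added example: plausibility filter for broadcast vehicle safety messages.

Assumptions (mine, not the article's): messages are simplified records in a local
metre-based frame; signatures were already verified upstream; the limits below are
illustrative, not taken from any standard. The sample stream is constructed.
"""
import math
from dataclasses import dataclass

DSRC_MAX_RANGE_M = 1000.0   # rough practical line-of-sight DSRC range (assumption)
MAX_SPEED_MPS = 70.0        # ~250 km/h (assumption)
MAX_ACCEL_MPS2 = 12.0       # beyond hard braking (assumption)
MAX_AGE_S = 1.0             # safety messages are sent ~10 Hz; older is stale (assumption)
CLOCK_SLACK_S = 0.1         # tolerated clock skew before a message counts as "from the future"


@dataclass(frozen=True)
class SafetyMsg:
    sender: str      # pseudonym certificate id the message was signed under
    t: float         # sender timestamp, seconds
    x: float         # position, metres (local frame)
    y: float
    speed: float     # m/s
    event: str = "none"   # e.g. "collision_imminent"


class PlausibilityFilter:
    def __init__(self, own_x: float, own_y: float):
        self.own_x, self.own_y = own_x, own_y
        self.last = {}   # sender -> last accepted SafetyMsg

    def check(self, m: SafetyMsg, now: float) -> str:
        """Return "ok" or the reason the message was rejected."""
        if m.t > now + CLOCK_SLACK_S or now - m.t > MAX_AGE_S:
            return "stale_or_future"          # replayed old capture, or bogus clock
        if math.hypot(m.x - self.own_x, m.y - self.own_y) > DSRC_MAX_RANGE_M:
            return "out_of_range"             # claims to be further away than the radio reaches
        if m.speed > MAX_SPEED_MPS:
            return "impossible_speed"
        prev = self.last.get(m.sender)
        if prev is not None:
            dt = m.t - prev.t
            if dt <= 0:
                return "replay_or_reordered"  # same or older timestamp from the same sender
            if math.hypot(m.x - prev.x, m.y - prev.y) / dt > MAX_SPEED_MPS:
                return "teleport"             # position jumped faster than any car can move
            if abs(m.speed - prev.speed) / dt > MAX_ACCEL_MPS2:
                return "impossible_accel"
        self.last[m.sender] = m
        return "ok"


def run_stream(filt: PlausibilityFilter, stream):
    """stream: list of (SafetyMsg, receiver_clock_now). Returns (sender, event, verdict) tuples."""
    return [(m.sender, m.event, filt.check(m, now)) for m, now in stream]


# Constructed sample traffic seen by a receiver at the origin: one honest car (A),
# several kinds of spoof, and one spoof (E) that is plausible enough to get through.
SAMPLE_STREAM = [
    (SafetyMsg("A", 0.0, 100, 0, 20.0), 0.0),
    (SafetyMsg("A", 0.1, 98, 0, 20.0), 0.1),
    (SafetyMsg("B", 0.1, 5000, 0, 20.0, "collision_imminent"), 0.1),   # 5 km away
    (SafetyMsg("C", 0.2, 50, 0, 20.0, "collision_imminent"), 0.2),
    (SafetyMsg("C", 0.2, 50, 0, 20.0, "collision_imminent"), 0.25),    # same message again
    (SafetyMsg("D", 0.3, 50, 0, 20.0), 0.3),
    (SafetyMsg("D", 0.4, 500, 0, 20.0, "collision_imminent"), 0.4),    # 450 m in 0.1 s
    (SafetyMsg("A", 0.2, 96, 0, 20.0), 2.0),                            # delivered 1.8 s late
    (SafetyMsg("E", 2.0, 30, 0, 10.0, "collision_imminent"), 2.0),      # plausible spoof
    (SafetyMsg("F", 2.0, 10, 0, 150.0, "collision_imminent"), 2.0),     # 540 km/h
    (SafetyMsg("G", 2.0, 200, 0, 20.0), 2.0),
    (SafetyMsg("G", 2.1, 198, 0, 40.0), 2.1),                           # +20 m/s in 0.1 s
]


def demo():
    return run_stream(PlausibilityFilter(0.0, 0.0), SAMPLE_STREAM)


if __name__ == "__main__":
    for sender, event, verdict in demo():
        print(f"{sender:2} {event:20} {verdict}")
```

Note what sender E shows: a message that is fresh, in range and kinematically sane sails through, so plausibility checks only raise the bar for the attacker. The real defence is that each message must be signed under a certificate the receiver trusts and that misbehaving certificates can be revoked; this filter is what you run on top of that, not instead of it.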
Honestly, even with my knowledge of wireless communication and penetration testing I didn’t think they’d have gone and implemented such a stupid thing as V2V and V2I, but in hindsight I’m not surprised that the car is becoming more and more a computer, for better and for worse.
I initially thought these were overreactions to technology that wasn’t really there. I’m now convinced that our modern cars are vulnerable and that they will eventually be cracked, and the way the protagonists in Watch Dogs 1 & 2 hack cars via their mobile phones through the CTOS isn’t as far from reality after all…?!
I’ve now discovered enough to want to dig deeper into this. I’ve got a car with almost all the features available, and although it’s easy to secure it by turning off all the wireless receivers, newer cars might not allow that. In fact they might rely on those to work at all. Perhaps hacking my own car will teach me more, or leave it in a broken state…? Car hacking is reality, and if things progress as some think, we will soon have a whole fleet of self-driving cars. Who’s to blame when one of those is hacked and there’s an accident? I’m sure the insurance companies are having a serious think about this, because if there’s no driver behind the wheel, who do you prosecute when there’s an accident? The car manufacturer? The “driver”, who’s actually just a passenger… I don’t know. I do know that just because you can connect a piece of hardware to the internet, it doesn’t mean you should by default.
I’ve found a really good book on the subject: The Car Hacker’s Handbook – A Guide for the Penetration Tester by Craig Smith (No Starch Press, 2016).