The Center for Automotive Embedded Systems Security (CAESS), a collaboration between the University of California San Diego and the University of Washington, has exposed a weakness in modern automobile engineering.
Their analysis was done by connecting to the OBD-II port (a federally mandated On-Board Diagnostics port found in almost every car), which gives access to a vehicle’s controller area network (CAN), also known as the CAN-bus. It turns out that someone who simply plugs into the OBD-II port is granted open control of every other device in the car. Very simple tests revealed the lack of security.
While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary.
One worst-case scenario suggested by the research team is that malformed traffic on an automobile’s CAN-bus can cause a life-threatening malfunction. Random packets sent to a brake, for example, caused a wheel to lock. This type of failure could be related to another system failing on the CAN-bus and not necessarily a targeted attack.
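The malformed-traffic problem described above is what a CAN gateway or bus monitor is meant to catch: frames on an identifier that is not expected on that segment, frames whose data length does not match what the receiving controller expects, or frames arriving far faster than the normal broadcast rate. The following is an added example, written for this post and not code from the CAESS study, of such a monitor. It assumes a candump-style text log (`(timestamp) interface ID#HEXDATA`) and a hypothetical per-identifier policy; the identifiers, data lengths and rates are placeholders, not values from any real vehicle, and the log lines are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    timestamp: float  # seconds since capture start
    arb_id: int       # 11-bit standard CAN identifier
    data: bytes       # 0 to 8 payload bytes


# Hypothetical per-identifier policy (placeholder IDs, not real vehicle values):
# the payload length (DLC) each ID is expected to carry and the minimum spacing
# between consecutive frames carrying that ID.
POLICY = {
    0x0C1: {"dlc": 8, "min_interval": 0.010},  # periodic sensor broadcast
    0x1A0: {"dlc": 4, "min_interval": 0.050},  # periodic status message
    0x7DF: {"dlc": 8, "min_interval": 0.0},    # OBD-II functional request, any rate
}


def parse_frame(line: str) -> CanFrame:
    """Parse one candump-style log line of the form '(ts) iface ID#HEXDATA'.

    Raises ValueError for frames that are malformed at the protocol level
    (identifier outside the 11-bit range, more than 8 data bytes, bad hex).
    """
    ts_text, _iface, payload = line.split()
    timestamp = float(ts_text.strip("()"))
    id_hex, data_hex = payload.split("#", 1)
    arb_id = int(id_hex, 16)
    if arb_id > 0x7FF:
        raise ValueError(f"identifier 0x{arb_id:X} outside 11-bit range")
    data = bytes.fromhex(data_hex)
    if len(data) > 8:
        raise ValueError(f"payload of {len(data)} bytes exceeds CAN maximum of 8")
    return CanFrame(timestamp, arb_id, data)


def check_frame(frame: CanFrame, last_seen: Dict[int, float],
                policy=POLICY) -> List[str]:
    """Return the policy violations for one frame (empty list if it is clean).

    last_seen is updated in place so rate checks can be applied across a stream.
    """
    rule = policy.get(frame.arb_id)
    if rule is None:
        # An identifier nobody on this segment is supposed to send.
        return [f"unknown identifier 0x{frame.arb_id:03X}"]
    reasons = []
    if len(frame.data) != rule["dlc"]:
        reasons.append(f"unexpected DLC {len(frame.data)} (want {rule['dlc']})")
    previous = last_seen.get(frame.arb_id)
    if previous is not None and frame.timestamp - previous < rule["min_interval"]:
        reasons.append("frame rate above expected")
    last_seen[frame.arb_id] = frame.timestamp
    return reasons


def scan_log(lines: List[str], policy=POLICY) -> List[Tuple[str, str]]:
    """Run the monitor over raw log lines; unparseable frames are findings too."""
    findings: List[Tuple[str, str]] = []
    last_seen: Dict[int, float] = {}
    for line in lines:
        try:
            frame = parse_frame(line)
        except ValueError as exc:
            findings.append((line, f"malformed frame: {exc}"))
            continue
        for reason in check_frame(frame, last_seen, policy):
            findings.append((line, reason))
    return findings


# Constructed sample capture: two clean frames, then three kinds of trouble.
SAMPLE_LOG = [
    "(0.000) can0 0C1#0011223344556677",    # well-formed, expected ID and DLC
    "(0.010) can0 0C1#0011223344556677",    # 10 ms later: within policy
    "(0.012) can0 1A0#01020304",            # well-formed status message
    "(0.013) can0 0C1#00112233",            # wrong DLC, and only 3 ms after last 0x0C1
    "(0.020) can0 3FF#DEADBEEF",            # identifier not in the allow-list
    "(0.025) can0 0C1#001122334455667788",  # 9 data bytes: malformed at protocol level
]

if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:<60} <- {line}")
```

A real gateway would enforce this per bus segment (a frame that is legitimate on the diagnostic segment may have no business appearing on the powertrain segment) and would treat the DLC and rate limits as properties of the receiving controller, not of the sender; the structure above is the same either way.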
Another consideration is that all the new user-upgradable systems for audio and communications interface with the CAN-bus and emphasize wireless connectivity. It is easy to imagine one of these devices, or a “tuner” upgrade, malfunctioning, as they tend to do already, and causing far more widespread impact by being integrated into the telematics platform of an automobile.
The study intentionally avoids discussion of the threats. It only mentions physical and wireless access as areas for future research.
Clearly this is an area ripe for discussion, as very few people (outside the engineers who build the systems and hope threats do not emerge) understand the extent to which a new car can be remotely monitored and controlled via the Internet. This calls out the notion that developers, often trusted to do the right thing and develop a secure system, may instead rely on a thin veneer of obscurity and hope no one is looking.
Anyone who believes the automobile companies will rise to the security challenge and fix issues without independent assessments and regulation has not read the latest update on the Ford Explorer roll-over crisis. Ford actually lowered the strength ratio to a minimum federal requirement (1.5 times the weight) while the standard was being raised (3.0 times the weight), all the while claiming that the car design was good but the tires were entirely at fault. They are just now being forced to admit the Explorer design was also to blame.
Steve Forrest conducted several drop tests showing the performance of the production and reinforced UN150 Ford Explorer. He was able to establish through that testing that the strength of the Explorer roof could have been tripled for a cost of approximately $40. His testing showed that a reinforced roof in Ms. Parker’s wreck would have crushed approximately two inches instead of ten inches.
We also proved that the seat belt system in the 1999 Explorer was defective and failed to retain Ms. Parker in the vehicle during the rollover sequence. The evidence presented showed that slack could be introduced into the belt system when the B pillar was crushed inward. Plaintiff’s expert, Steve Meyer, testified that due to the poor roof design, the seat belt system should have included a cinching latch plate or been integrated into the seat back instead of being mounted to the B pillar. Mr. Meyer also testified that performance of the seat belt could be improved if the roof was strengthened.
Ford fought this for many years. Only in Argentina did they admit dangerous weaknesses in the Explorer design, but they characterized it as a response to the different “driving style” in that country.
This is like a car company claiming that the threat of wireless attack is only a risk in Argentina, or that a rogue device on the CAN-bus will only happen in Argentina. Does that sound like reasonable threat modeling?
Allowing the company to make risk decisions based entirely on vulnerability tests, without realistic threat modeling, is not an acceptable gamble. Ford is one of the companies pushing hard for cars to adopt a new telematics platform, which could even allow third-party applications to be installed. A system such as this must address security properly in terms of threats as well as vulnerabilities. The CAESS is thus doing a great service with the report, helping the automobile industry see better how to protect their most valuable assets on and off the road.