For novel ideas about building embedded systems (both hardware and firmware), join the 27,000+ engineers who subscribe to The Embedded Muse, a free biweekly newsletter. The Muse has no hype and no vendor PR. It takes just a few seconds (just enter your email, which is shared with absolutely no one) to subscribe.
By Jack Ganssle
Summary: Hacking a car sounds farfetched, but it's possible today.
Toyota's unintended acceleration woes seem to have faded into the background lately. To my knowledge we still know little about the root cause or causes of the problem, but that didn't stop the punditry from rampant uninformed speculation. A fascinating new paper ("Experimental Security Analysis of a Modern Automobile" by a cast of thousands, available here: http://www.autosec.org/pubs/cars-oakland2010.pdf) demonstrates that at least some modern cars can be attacked with quite devastating results.
Today's cars are basically some mechanical bits that support a huge array of electronics. The latter is composed of Electronic Control Units (ECUs) that are unsurprisingly all interconnected by one or more busses. What is amazing is how deeply these units interact. For instance, in some vehicles the doors are unlocked and seatbelts pretensioned just before a crash. Others use the radio to generate all of the clicks, beeps and groans that alert the driver to various conditions.
Communications between ECUs is over CAN busses, with a low-speed bus to handle relatively unimportant functions (e.g., door locks) and a high speed bus for safety-critical functions like braking. Some ECUs require both busses, creating a bridge between them that can have unintentional vulnerabilities.
In the paper the authors talk little about attack entry points; they refer vaguely to one wireless threat uncovered during their experiments, but mostly used the OBD-II under-dash connector to monitor inter-ECU communications and inject their own bits of nastiness. But they seem to have little doubt that networking capabilities like OnStar and the coming Interneting of the highways will provide plenty of entry points for the bad guys to exploit. Aftermarket add-ons that connect to the OBD-II or counterfeit ECUs could also create openings into the busses.
One might think that CAN would provide some authentication, but the paper shows that those supported by the standard are often modified or disabled by the ECU designers. And, CAN is very subject to DoS attacks, which can so flood traffic that important messages never get through.
One gets the feeling that they had a lot of fun running the experiments; for instance, they could pop the trunk, honk the horn, display messages on the dashboard (like a count-down to destruction accompanied by increasingly threatening noises over the radio), change all of the lighting, and continuously squirt windshield wiper fluid. More perilously, at speed it wasn't hard to lock a single front brake, or even disable braking entirely. An alarming quote: "we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes."
I found two takeaway messages from the paper. First, security needs to be Job One for automotive engineers. And second, all of us in the embedded world should start thinking very hard about our products. Are they compromisable? Does it matter? For many the answer to the latter is "no," but I think one should be wary of a glib "no."
Published May 22, 2010