Posted on August 17, 2017 at 1:39 PM
On Wednesday, the security firm Trend Micro published a blog post explaining an overlooked hacking technique it had presented, together with researchers from LinkLayer Labs and the Polytechnic University of Milan, at the DIMVA security conference last month in Bonn, Germany. Their work highlights a weakness in the CAN protocol that car components use to communicate and send commands to one another over the vehicle's internal network: once an attacker has access to that network, it lets them shut off key automated components, including safety mechanisms.
Federico Maggi, a Trend Micro researcher, says the technique is stealthier than earlier ones because it slips past current defences: it goes undetected by contemporary intrusion detection systems such as those from Argus and NNG, and it can disable the airbags, the anti-lock brakes or the door locks, and so enable theft of the car.
This attack is not the same kind of threat to cars on the road as earlier research hacks, since it does not take over basic driving functions like steering, braking or accelerating. It is more of a denial-of-service attack that switches components off, and it is not fully remote: the attacker first needs a foothold on the car's network, either through a vulnerability in the wi-fi or cellular connection or through an insecure gadget plugged into the car's OBD port.
The attack turns the CAN protocol's own error handling against a component. The attacker waits for the target component to transmit a frame, the basic unit of communication on a CAN network, and at the same moment drives a single bit on the bus to the dominant level where the target is sending a recessive one, so the attacker's bit overrides the original. CAN transmitters read the bus back while they send; when the target sees a bit it did not send, the protocol requires it to abort the transmission with an error message that "recalls" the corrupted frame and to increment its transmit error counter. Repeat this enough times and the counter crosses the protocol's bus-off threshold: the component tells the rest of the network that it is defective and cuts itself off from any further communication. Under CAN's error-confinement rules each transmit error adds 8 to the counter and bus-off is forced once it exceeds 255, so about 32 corrupted frames are enough. Because this is how the standard itself is specified, rather than a bug in one vendor's implementation, it is not something a firmware patch to a single ECU can fix.
This makes the attack harder to detect, according to the researchers. The intrusion detection module that Charlie Miller and Chris Valasek built on the back of their 2015 Jeep hack does not cover this type of attack, and the researchers say that is something that should be worked on.
A further difficulty, Maggi says, is that the attacker can randomise the pattern of error messages, so a detector that looks for a fixed burst of errors will not necessarily see the attack.
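To make the mechanism described above concrete, here is an added simulation of the CAN error-confinement rules under this bus-off attack, together with a passive monitor of the kind an IDS designer would need. It is my own illustration, not code from Trend Micro, the Milan researchers, or any IDS vendor. The counter rules (+8 per transmit error, -1 per successful transmission, error-passive above 127, bus-off above 255) are the ones in ISO 11898-1; the victim's arbitration ID 0x1A0, the attacker's per-frame hit probability (which models the randomised error pattern mentioned above), and a monitor that only sees which ID each frame or error frame belongs to are assumptions constructed for the example.

```python
"""Added example: CAN error confinement under a bus-off attack, plus a
shadow-counter detector. Not code from the original post or from Trend Micro.

Real CAN rules modelled here (ISO 11898-1, simplified):
  - a transmitter that detects a bit error sends an error frame and adds 8
    to its transmit error counter (TEC)
  - a successful transmission subtracts 1 from TEC (floor 0)
  - TEC > 127 -> error-passive, TEC > 255 -> bus-off (node goes silent)
Constructed for the example: one victim ECU (ID 0x1A0), one attacker who
overwrites a recessive bit with a dominant one in each frame with
probability hit_prob, and a monitor that sees only IDs and error frames.
"""
from dataclasses import dataclass
import random

TX_ERROR_PENALTY = 8
TX_SUCCESS_CREDIT = 1
ERROR_PASSIVE_LIMIT = 127
BUS_OFF_LIMIT = 255


@dataclass
class Ecu:
    can_id: int
    tec: int = 0
    bus_off: bool = False

    @property
    def state(self) -> str:
        if self.bus_off:
            return "bus-off"
        return "error-passive" if self.tec > ERROR_PASSIVE_LIMIT else "error-active"

    def transmit(self, attacked: bool) -> str:
        """One transmission attempt; returns the event visible on the bus."""
        if self.bus_off:
            return "silent"
        if attacked:
            # The attacker drove a dominant level while this node sent a
            # recessive bit. The node reads back a bit it did not send, flags
            # a bit error, aborts the frame with an error frame and adds 8.
            self.tec += TX_ERROR_PENALTY
            if self.tec > BUS_OFF_LIMIT:
                self.bus_off = True          # node disconnects itself
                return "bus-off"
            return "error-frame"
        self.tec = max(0, self.tec - TX_SUCCESS_CREDIT)
        return "frame"


def run_attack(hit_prob: float, seed: int = 1, max_frames: int = 10_000):
    """Drive the victim until bus-off or max_frames.
    Returns (frames_sent, log) with log = [(can_id, event), ...]."""
    rng = random.Random(seed)
    victim = Ecu(can_id=0x1A0)               # assumed ID for the example
    log = []
    for n in range(1, max_frames + 1):
        event = victim.transmit(attacked=rng.random() < hit_prob)
        log.append((victim.can_id, event))
        if event == "bus-off":
            return n, log
    return max_frames, log


class ShadowTecMonitor:
    """Passive detector that rebuilds a per-ID TEC from observed error frames.
    Bus-off is a cumulative condition: spacing the corrupted frames out only
    slows the climb (each clean frame refunds 1, each hit costs 8), so the
    shadow counter still passes 127 before the victim can reach 255."""

    def __init__(self, alarm_at: int = ERROR_PASSIVE_LIMIT):
        self.alarm_at = alarm_at
        self.shadow = {}     # can_id -> reconstructed TEC
        self.alarms = []     # (can_id, frame number of first alarm)
        self.seen = 0

    def observe(self, can_id: int, event: str) -> None:
        self.seen += 1
        tec = self.shadow.get(can_id, 0)
        if event in ("error-frame", "bus-off"):
            tec += TX_ERROR_PENALTY
        elif event == "frame":
            tec = max(0, tec - TX_SUCCESS_CREDIT)
        self.shadow[can_id] = tec
        if tec > self.alarm_at and all(i != can_id for i, _ in self.alarms):
            self.alarms.append((can_id, self.seen))


def detect(log):
    """Replay a bus log through the monitor; returns [(can_id, frame_no)]."""
    mon = ShadowTecMonitor()
    for can_id, event in log:
        mon.observe(can_id, event)
    return mon.alarms


if __name__ == "__main__":
    for p in (1.0, 0.5, 0.2):
        n, log = run_attack(p)
        print(f"hit_prob={p}: victim bus-off after {n} frames; alarms={detect(log)}")
```

With every frame hit, the victim is knocked off the bus after exactly 32 frames and the shadow counter raises its alarm at frame 16, well before that. Lowering the hit probability stretches the attack out but does not change the outcome as long as the expected gain per frame (8 x hit probability minus 1 x miss probability) stays positive, which is why a detector keyed to the cumulative counter rather than to a burst signature is the more robust choice.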
We reached out to the makers of the defense tools the researchers bypassed, Argus and NNG. NNG didn't immediately respond, but Argus issued a written statement saying that it was aware of the researchers' attack, adding that the company's IDS was designed to detect many types of attacks and that its ability had been proven in multiple studies with vehicle manufacturers, their suppliers, and third-party research centers.
So if you are designing CAN bus IDS/IPS, this is something that you need to plan for now.
— Charlie Miller (@0xcharlie) August 16, 2017
However, don't expect actual, non-research hackers to use this IDS-bypassing technique in the near future: outside of ordinary vehicle thefts, criminals haven't really attacked cars yet.
The Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT) put out an alert about the vulnerability late last month, but noted that it requires extensive knowledge of CAN to pull off.
Still, as cars become more connected and automated, this threat becomes more realistic and serious. Planned attacks like Trend Micro's shine a light on how hard car manufacturers still need to work on the security of their systems.