Window stickers on new cars offer a lot of information: cost, options, warranties, fuel economy, countries of origin for the parts. There’s even the government 5-Star Safety Rating for crashes. What you won’t see, though, are hacker ratings about how vulnerable the particular model is to attempts to unlock, track, or disable a safety system or to spy on the vehicle’s occupants.
Craig Smith, author of the recently published The Car Hacker’s Handbook from No Starch Press, begins his thorough, and sometimes unnerving, examination of vulnerabilities with a quote from Robert N. Charette’s report This Car Runs on Code. Charette explains that “as of 2009, vehicles have typically been built with over 100 micro-processors, 50 electronic control units, 5 miles of wiring, and 100 million lines of code.” And all that code is running on not one, but several operating systems. Like your phone and laptop, those systems can be hacked.
The threats can come from outside or within the car. The external threat surfaces include cellular, Wi-Fi, and Bluetooth inputs, the tire pressure-monitoring system, and the key fob. Internal surfaces include the infotainment/navigation console, USB inputs, and the CAN (Computer Area Network) bus systems, which control how the vehicle behaves mechanically and how the packets of information determine what the network knows.
DREAD RATING SYSTEM
Smith provides a blueprint for creating a threat-rating system that maps out the risks, sorts them in a table of rating categories, and assigns numerical values for comparison. Instead of the threat-rating systems used by the automotive industry and the government (ISO 26262 ASIL and MIL-STD-882E), which mainly focus on safety failures, Smith suggests a DREAD rating system. His model would measure: Damage potential, Reproducibility (how easy is it to reproduce), Exploitability, Affected users (how many), and Discoverability (how easy is it to find). The resulting document, he says, would “define the current product security posture, any countermeasure currently in place, and a task list of high-priority items that still need to be addressed.” Sounds like something you might want to see next to the window sticker on a new car.
According to Smith, the touchscreen interface in a car’s center console offers more remote attack surfaces than any other vehicle component. “These systems hold a lot of code and are the most powerful electronic systems in a vehicle.” Called the IVI (in-vehicle infotainment system), it’s typically rich with physical and wireless inputs (CD-ROM, DVD, USB, Bluetooth, Wi-Fi, GPS, XM Radio) and connects out to the vehicle’s network. One way in for the hacker is to first discover what kind of software it’s running, then look for the way the IVI updates or loads its operating system. There are several methods to gain control over the updates. Once that’s accomplished, you have a path in and a route to search further for vulnerabilities. Those might provide access to the door locks, temperature controls, even functions like steering, braking, and the engine.
ATTACKING WIRELESS SYSTEMS
Besides the programming flowing through the five miles of wiring, there are radio-controlled wireless systems also talking to the ECU (electronic control unit). These depend on short-range signals as their only security, Smith writes, typically with no checks from the ECU to validate the data outside of the signal. To hack these signals, you need an SDR (software-defined radio), which can be as cheap as $20, and software that’s available online. The wireless radio signals send binary data, the 0s and 1s of the software instructions, by controlling the signal modulation, and the hacker does the same with his radio rig—intercepting, jamming, eavesdropping, and spoofing the signals.
One of these systems is the TPMS (tire pressure monitor sensor), which sits inside the tires. It relays information about tire pressure, wheel rotation, and temperature. Some run on Bluetooth, but most use a radio. Academic researchers have demonstrated an ability to eavesdrop on these systems from as far away as 130 feet. Once in, you might track a vehicle and trigger events as innocuous as opening a garage door or as dangerous as detonating a roadside explosive. You could send forged packets of information that would disrupt the pressure and temperature readings, and you could flood the sensor with activation requests that would drain the car’s battery even while it’s turned off.
Smith also explains several hacks for key fobs and keyless system attacks, which he reminds us “are one of the main hacks used in [auto] thefts.”
The Car Hacker’s Handbook has pages of programming and technical information for tinkerers (i.e., hackers). But it also provides a public service as the first work of its kind to analyze computer-based systems that make them vulnerable to attack and exploitation. If your company has a fleet, you might want to check it out.