A security flaw that could affect millions of cars has been identified, with researchers warning that there may be no fix available to protect susceptible vehicles. The exploit works by overloading the so-called CAN, or “car device network”, which connects all of the different aspects of modern vehicles together. With the right code, essential parts of the car’s safety features – such as the airbags or antilock brakes – could be forced offline.
The CAN was adopted as a standard for road vehicles by the ISO back in 1993, though it was developed back in 1983 by Bosch. It’s effectively the nervous system through which different components and technologies in the car communicate, spanning everything from comfort and convenience features like the HVAC system and infotainment, through to vital tech like the engine control module and the power steering.
Each section communicates via messages known as “frames”, and it’s designed to be a self-policing system when it comes to errors. Should a bad frame be issued, a device attached to the CAN is able to order its recall. If a device issues too many frames with errors, it’s forced into a “Bus Off” state where it’s pushed offline and effectively switched off.
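The error handling described above, as an added example that is not from the original article or the researchers: a simplified model of one CAN node's transmit error counter, using the standard fault-confinement rules (+8 per errored transmission, -1 per successful one, error-passive at 128, bus-off above 255). It replays a constructed list of transmit results and reports the state changes a diagnostic monitor would flag; the node names and sample events are invented for illustration.

```python
from dataclasses import dataclass

# Fault-confinement thresholds from the CAN specification.
ERROR_PASSIVE_AT = 128   # counter >= 128: node becomes error-passive
BUS_OFF_AT = 256         # counter > 255: node goes bus-off


@dataclass
class Node:
    name: str
    tec: int = 0  # transmit error counter

    @property
    def state(self) -> str:
        if self.tec >= BUS_OFF_AT:
            return "bus-off"
        if self.tec >= ERROR_PASSIVE_AT:
            return "error-passive"
        return "error-active"

    def on_transmit(self, ok: bool) -> None:
        if self.state == "bus-off":
            return  # offline: no longer takes part in bus traffic
        # Errors weigh 8x more than successes, so a node only recovers
        # if errored frames are rare.
        self.tec = max(0, self.tec - 1) if ok else self.tec + 8


def replay(events):
    """Replay (node_name, ok) transmit results; return (nodes, alerts).

    Each alert is (event_index, node_name, new_state), emitted when a node
    changes fault-confinement state.
    """
    nodes, alerts = {}, []
    for i, (name, ok) in enumerate(events):
        node = nodes.setdefault(name, Node(name))
        before = node.state
        node.on_transmit(ok)
        if node.state != before:
            alerts.append((i, name, node.state))
    return nodes, alerts


# Constructed sample: "hvac" has one glitch and recovers; every frame
# "abs" transmits is flagged as an error.
SAMPLE = [("hvac", False)] + [("hvac", True)] * 10 + [("abs", False)] * 32

if __name__ == "__main__":
    nodes, alerts = replay(SAMPLE)
    for alert in alerts:
        print(alert)
    print({n.name: (n.tec, n.state) for n in nodes.values()})
```

A node that drops to error-passive and then bus-off without any matching hardware fault is the signal worth alerting on.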
This newly-identified exploit, the handiwork of Politecnico di Milano, Linklayer Labs, and Trend Labs’ Forward-looking Threat Research (FTR) team, takes advantage of that behavior. Rather than trying to sneak an error-filled frame through the system, it instead floods the CAN with such messages. By reusing frames already circulating within the CAN, different systems can, after a certain point, be forced offline.
“This, in turn, can drastically affect the car’s performance to the point that it becomes dangerous and even fatal,” the researchers explain, “especially when essential systems like the airbag system or the antilock braking system are deactivated.”
The specific vulnerability of an individual vehicle varies according to a number of factors. It’s theoretically possible, the researchers say, that a remote hack could take place, if the firmware of any part of the ECU supported remote reprogramming. For instance, if a car manufacturer has enabled support for adding new features to the infotainment system, that could also provide a backdoor for hackers to introduce frame flooding.
Even if that’s not possible, a local attack is. The OBD-II diagnostic port, a mandated socket on all cars since the 90s, is already being used by numerous companies to unlock driving metrics and elucidate exactly what the mysterious “check engine” light really means. However, someone with more nefarious intentions could use it to modify the CAN, assuming they had physical access.
“Traditionally, the scenario in which an attacker could access a car that way is not only rare, but is also very risky to the attacker,” the researchers point out. “This may have been true back then, but with current transportation trends such as ride-sharing, carpooling, and car renting, the scenario where many people can have local access to the same car is now more commonplace.”
Unfortunately, while the US/ICS-CERT regulator has been notified, and issued a security bulletin, the core nature of the CAN means that there’s no easy fix. Some automakers may be able to update their software to minimize the impact of frame flooding, but many will not. Indeed, the simplest way of addressing the possibility might come down to securing the OBD port with some sort of locking cover.
The best fix, it’s suggested, is for an overhaul to the CAN system itself so that future vehicles won’t be so vulnerable. That will undoubtedly take a lot of work, and time, and there’s no way that existing vehicles on the road will be retrofitted with the new system.