Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling 'Security! We have a problem...'

Modern connected cars contain security threats, consumer org Which? has said after commissioning analyses of two models, a Ford and a Volkswagen. While Which?'s insistence that the flaws are "serious" is perhaps wide of the mark, the research does highlight the lack of robust security features protecting CAN buses and in- …

  1. Oneman2Many

    Thank the EU for stopping encryption of the CAN bus.

    Also need access to the bus to begin with.

    Don't worry, I am sure OTA updates will be fine.

    1. Wellyboot Silver badge

      An encrypted CAN bus would kill non dealer servicing overnight as the manufacturers decide to rent out diagnostic equipment for £000's per month.

      You're spot on with the access though, the car wifi & entertainment has to be air gapped from any safety critical system.

      1. Anonymous Coward
        Anonymous Coward

        but not if...

        An access regime was mandated by the authorities (eg owner keeps the secrets, and/or the manufacturer has a suitably secure process to make them available to the workshops), as well as a level of access that ensures all sensor, heuristics and log data has to be available as it is to the dealer software. (And a maintainable comms protocol/s are published and open-sourced, of course!)

        Appropriate level of security controls that supports maintenance, better than networks with none at all.

  2. Alister

    Most drivers are probably not capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests

    TFTFY

    1. Giles C Silver badge

      Given what I have seen on the roads

      I think there are some drivers that would fail to notice if their car was sat on by an elephant.

      The best one was a car that created its own smokescreen the back was completely covered in soot, or the one where two wheels were flat.

      So most people are completely unaware of what their car is doing.

      1. Aussie Doc
        Coat

        Shirley

        Well, obviously that would depend whether it was an African elephant or an Asian elephant, of course.

        Probably not in my pocket ---------------------->

      2. Alan Brown Silver badge

        "The best one was a car that created its own smokescreen"

        I had a car like that. For about 10 miles (Mk4 Cortina and the body was worse than the engine)

    2. JassMan

      Who needs access to CAN to change tyre status

      My peugeot regularly tells me I have a flat tyre. Usually after clipping a pothole. You stop and measure all 4 and find they are identical to within .05 bar. The one time I needed it to tell me a tyre was flat, it didn't make a peep. At car park speeds it didn't affect handling but by the time I had stopped (about 35 m), it had completely shredded the tyre inside - the outside still looked ok, just flat. I actually stopped because the noise it made was exactly the same as having previously dragged a small wind blown branch in the wheel arch.

      1. vtcodger Silver badge

        Re: Who needs access to CAN to change tyre status

        My wife's car has Tire Pressure Monitoring System (TPMS). The sales people made it clear when we bought the car that the system was unreliable and more or less useless. (When was the last time THAT happened to you?). Time has proved them to have been honest about that at least.

        I have long since augmented the TPMS with a $5.00 set of indicating tire valve caps that actually tell me when tires are underinflated and refrain from reporting temperature changes as flat tires.

        1. Gene Cash Silver badge

          Re: Who needs access to CAN to change tyre status

          > indicating tire valve caps

          FYI, those have a bad habit of losing seal and suddenly deflating the tire.

        2. Anonymous Coward
          Anonymous Coward

          Re: Who needs access to CAN to change tyre status

          Only 4 months so far but the TPMS on my car agrees with my pressure gauge to within 0.1 bar. I did read that many of the ones in the US were highly unreliable, and your spelling of "tire" suggests that's where you are. Whether European or Japanese ones are to higher standards I don't know.

          As the other poster says, never use indicating valve caps because if the piston leaks your tyre will deflate. Proper screw on metal valve caps with rubber inserts keep the air in. Even the cheap plastic ones are suspect.

      2. Anonymous Coward Silver badge

        Re: Who needs access to CAN to change tyre status

        My car (of German origin) has a tyre pressure monitoring system that relies on the ABS sensors and looks at comparative differences on wheel rotation - a soft/flat tyre has a smaller circumference and thus will spin quicker.

        That struck me as a very clever implementation, but it does mean that you need to drive some distance to get reliable data, because going around corners has a similar effect on rotational speeds.

        My experience has shown that it alerts me to a soft tyre at around the same time as I notice it, maybe before. A proper flat however I noticed a long time before it alerted me (I kept going, slowly, another mile because there was nowhere safe to stop on that bit of road)

    3. John Brown (no body) Silver badge

      "Most drivers are probably not capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests"

      It's not hard to drive on a flat (maybe not completely flat), for quite some distance on a long straight road such as a motorway without realising it due to modern tyre designs. I drive a lot and am very sensitive to any changes in handling or sounds from the car and I've managed to not notice a near flat until the warning light came on. I do check before I set off, every time too.

      1. JohnGrantNineTiles

        Clockwise on the M25 between the A3 and M3 feels exactly like a flat tyre.

    4. Bill Michaelson

      Driver awareness

      Underinflated tires were blamed for a rash of accidents involving Ford SUVs that rolled over. Since then, TPMS is mandatory in US.

      I like the system, although it tends to make me obsessive about keeping all the tires properly inflated. I particularly like the ability to flip on the pressure display if I roll over some debris at high speed. This once gave me early warning to exit an Interstate before losing too much pressure in one tire.

      My biggest beef is with mechanics who swapped the sensors about carelessly, with subsequent ensuing hilarity as I try to adjust tire pressures.

      1. Eddy Ito

        Re: Driver awareness

        IIRC the recommended pressure was low to begin with in order to ensure a softer ride and dropping only a few psi to the rollover danger level didn't take long.

        That said, I rather like the TPMS sensors on my newer car although they may be better as thermometers than pressure gauges.

  3. fuzzie

    Did I read this correctly that their issue with the VW was that they could remove the radar sensor?

    Did they at least try and do something more interesting like replace it with a malicious one or one that spewed out bad/faulty measurements? Being able to remove a sensor doesn't seem like such a 'leet hack or huge vulnerability.

    1. Paul Shirley

      The not well enough flagged (apparently) issue is you can possibly connect to CAN from it and do it without breaking into the car.

    2. vilemeister

      It's 'reviews' like this that will make the car manufacturers pot the entire engine bay in resin so you can't remove something, and then you also have to go to them to get it repaired/a new engine installed.

      1. Alan Brown Silver badge

        "make the car manufacturers pot the entire engine bay in resin"

        It's a shame the insurance industry won't simply turn around and refuse to cover theft of vehicles vulnerable to replay attacks

        The resulting class actions would sort the problem out quickly

        1. Anonymous Coward
          Anonymous Coward

          uninsurable against theft, unless separately secured - 2017ish ?

          "a shame the insurance industry won't simply turn around and refuse to cover theft of vehicles vulnerable to replay attacks"

          I heard a couple of years ago that it was impossible to get insurance for affected vehicles in certain parts of the M25 parking zone. If it was true (I don't live there or drive an affected vehicle) it doesn't seem to have had the desired effect yet.

          This from 2017, but not sure it's a 100% match (solihull's not in the M25 parking zone yet):

          https://www.schneier.com/blog/archives/2017/11/man-in-the-midd_8.html

  4. Sil

    Ford refusing to read the report shows Which is definitely not wrong.

    It's just like the absolute joke of the security of medical equipment: it interests nobody, until some organization will give us a nasty wake-up call.

  5. My other car WAS an IAV Stryker

    CAN + security != CAN and would break things

    "The lack of robust security features protecting CAN buses" was intentional to make sure any semi-idiot can wire up this engine and that transmission and so-and-so's ABS and eventually come up with a working drivetrain without being a cryptosecurity expert or needing signed keys, licenses, or proprietary tools.

    (Yes, SOME proprietary tools are needed, but any CAN transceiver and parsing software built to the published standards should read 90% of CAN busses and all contents not using the Proprietary-flagged data frames. And those Prop frames can still be recorded even if the raw binary/hex is meaningless without further definition.)

    "Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat." Physical access is ALWAYS the discriminator when it comes to CAN. There is no issue as long as the air-gap is maintained.

    Do there need to be improvements within the industry? YES.

    Does it need to be a multi-corporate effort? Absolutely.

    Would it increase processing overhead within every single device on the bus and increase power consumption and device cost? You betcha. Every bus, every device, and every message would have to be strongly encrypted. Any bus-connected device that can be forced into non-encrypted mode is a vulnerability. Any tool that can do that for maintainers/technicians becomes a tool for criminals also. Any decryption must happen internal to the device/tool.

    But... Any all-access keys used for the tools are essentially a backdoor that can and will be eventually leaked. And if the devices make keys randomly on every power-up and/or after certain time intervals (which can also be randomized), then the tools will be broken and can't parse bus traffic.

    I don't know the solution, but so many vehicles--passenger, commercial, and "other"--are currently vulnerable.

    1. Bogbody

      Re: CAN + security != CAN and would break things

      Encrypting the canbus data leads to one thing - the vehicle is eventually not repairable. A wonderful piece of planned obsolescence.

      I point the reader in the direction of Vauxhall/Opel following the PSA takeover.

      How long before the relevant servers become unavailable and the canbus can't be read, decrypted or modified. Several modules on the Astra (for example) can't be serviced/replaced without access to the central server.

      Indeed updates for the infotainment/satnav system have already dried up.

      No update is available that shows the new A14 around Huntingdon (yes, yes read the f@$king roadsigns). What other modules have or will develop a bug that needs an update (well the auto lights on function for a start!)

      Cars made before about 2005 can be fixed with mechanical and electrical skills.

      Today's cars would also need a crypto and software engineer.

      1. Anonymous Coward
        Anonymous Coward

        Re: CAN + security != CAN and would break things

        "Today's cars would also need a crypto and software engineer."

        Unfortunately the manufacturers are simply giving idiots all the Shiny Shiny toys that they want. Why anyone wants all the bells and whistles in a car beyond a basic ICE when a phone can do all the same functions better beats me, but there we are. For now I'm sticking with my 12 year old car with analogue dials, a radio, CD player and nowt else.

    2. Anonymous Coward
      Anonymous Coward

      Re: CAN + security != CAN and would break things

      Couple notes;

      * encryption doesn't have to be an all or nothing affair, even on a given CAN bus. At least one manufacturer does a mix of completely clear coms, encrypted coms, and communication with secure checksums (so data is easy to read but hard to forge... secure data is also timestamped to defeat replay attacks).

      * symmetric encryption keys that are unique to a given vehicle work. Keys are stored at a central repository maintained by the manufacturer so that diagnostic tools can update replacement parts (obvious weak point, but much better than a single master key).

      * there are industry standard tools to manage all of this. See AUTOSAR for one example. Automotive ECU software is hugely modular and model driven (essentially nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software).

      As mentioned, physical access eventually wins.

      Source: I make a living speaking CAN to modules that don't always come with documentation. Job includes making a given part think it's going down the highway in a vehicle even though it's sitting on a tester.
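
Added example, not part of the comment above and not any manufacturer's or AUTOSAR's code: a sketch of the "readable but hard to forge, and replay-protected" frame that comment describes. It assumes an 8-byte classic CAN payload, a monotonic counter standing in for the timestamp, truncated HMAC-SHA256 in place of whatever MAC a real ECU uses, and a constructed per-vehicle key and CAN ID.

```python
import hashlib
import hmac
import struct

DATA_LEN = 3   # signal bytes, sent in the clear so any tool can still read them
MAC_LEN = 3    # truncated tag; a classic CAN frame carries only 8 payload bytes


def _tag(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    # Bind the tag to the arbitration ID and the freshness value as well as the data.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: payload layout is data(3) | counter(2) | tag(3)."""
    if len(data) != DATA_LEN or not 0 <= counter <= 0xFFFF:
        raise ValueError("data must be 3 bytes and counter must fit in 16 bits")
    return data + struct.pack(">H", counter) + _tag(key, can_id, data, counter)


class Receiver:
    """Receiving ECU: checks the tag first, then freshness per CAN ID."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # can_id -> highest counter accepted so far

    def verify(self, can_id: int, payload: bytes) -> str:
        if len(payload) != DATA_LEN + 2 + MAC_LEN:
            return "malformed"
        data = payload[:DATA_LEN]
        (counter,) = struct.unpack(">H", payload[DATA_LEN:DATA_LEN + 2])
        tag = payload[DATA_LEN + 2:]
        # Constant-time comparison so the check does not leak tag bytes.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, data, counter)):
            return "bad-mac"
        # Freshness: anything not newer than the last accepted frame is a replay.
        # This sketch does not handle 16-bit counter rollover.
        if counter <= self.last_counter.get(can_id, -1):
            return "replay"
        self.last_counter[can_id] = counter
        return "ok"


def demo():
    vehicle_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    other_vehicle_key = bytes(16)                                     # constructed
    can_id = 0x123                                                    # hypothetical ID
    rx = Receiver(vehicle_key)

    genuine = protect(vehicle_key, can_id, b"\x00\x50\x01", 1)
    tampered = b"\x00\xff\x01" + genuine[DATA_LEN:]   # data changed, old tag kept
    return [
        rx.verify(can_id, genuine),     # first sighting of a valid frame
        rx.verify(can_id, genuine),     # same bytes captured and re-sent
        rx.verify(can_id, tampered),    # modified signal value
        rx.verify(0x124, genuine),      # valid payload moved to another ID
        rx.verify(can_id, protect(other_vehicle_key, can_id, b"\x00\x50\x01", 2)),
        rx.verify(can_id, protect(vehicle_key, can_id, b"\x00\x51\x01", 2)),
    ]


if __name__ == "__main__":
    print(demo())
```

A 24-bit tag is only workable because the counter limits how many guesses an attacker on the bus gets per accepted frame; wider frames such as CAN FD leave room for longer tags.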

      1. Anonymous Coward
        Anonymous Coward

        Re: CAN + security != CAN and would break things

        "essentially nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software"

        Is that view of the world shared by the people at MISRA, or is MISRA a bit last-century by now?

        "I make a living speaking CAN to modules that don't always come with documentation."

        Understood. Embedded systems are like that sometimes, even before the supplier in question goes out of business (or gets taken over).

        "Job includes making a given part think it's going down the highway in a vehicle even though it's sitting on a tester."

        Hmmm, there's a certain 21st-century familiarity to that description.

        Sprechen Sie VW?

        If only everything in life were as reliable as a Softing CANBus implementation.

  6. Mike 16

    a known issue for years?

    "Keyless entry" has been a thing for _decades_, and I recall that handy capture/replay devices were available to thieves within months.

    Meanwhile, the advice to not pair one's Bluetooth devices to random rental cars is good, but ignores that some modern cars (I refrain from naming the maker, as I suspect my new car is snooping all my comms :-) will pair with a device (such as my iPhone) without asking for or getting permission.

    1. vtcodger Silver badge

      Re: a known issue for years?

      An inexpensive keyless entry device known as a "brick" has been available to (and actually used by) car thieves for about a century.

      1. IGotOut Silver badge

        Re: a known issue for years?

        Pretty hard to start a car with a brick. It's not the 80's anymore.

    2. John Brown (no body) Silver badge

      Re: a known issue for years?

      "will pair with a device (such as my iPhone) without asking for or getting permission."

      Isn't that as much of an Apple issue as a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?

      1. Mike 16

        Re: a known issue for years?

        @John Brown

        ---

        Isn't that as much of an Apple issue as a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?

        ---

        Almost certainly at least partially an Apple issue. There was no reason for me to faff with BT settings, as I do not enable BT at all. Then again, I also try my best to disable iCloud, but Apple gets more clever about stealth re-enables with every "upgrade". I will say that the Apple computers (i.e. MacOS rather than iOS) have some of the same annoying iCloud behavior, but so far have paired with BT mice and keyboards only as and when explicitly directed to do so. Of course, "Tomorrow is another day"

        It is the whole ecosystem of cars, phones, appliances, dustbins, dog-collars etc. that gets me wondering if Douglas Adams was a time traveller.

        1. zuckzuckgo Silver badge

          Re: a known issue for years?

          >that gets me wondering if Douglas Adams was a time traveller.

          There is documented evidence that he only travelled back in time to record TV shows he had missed. He found it easier to solve the time travel problem than program a 1980's VCR to automatically record.

  7. Anonymous Coward
    Facepalm

    "Ford and VW"

    The article doesn't make clear if Which tested any other vehicles and found them secure or if they just tested Ford and VW. I suspect the latter.

    Also the superficiality of the testing without any tested examples of exploits that the vulnerability would allow is problematic.

    Bad? Yes. How bad? Nobody knows.

    1. Starace
      Alert

      Re: "Ford and VW"

      Somewhere around here is a post I made which is somehow approved but hidden.

      Basically good luck fiddling the buses from the Ford infotainment, the hardware is partitioned and the QNX bit has no access to CAN, it goes via datapool in shared memory to another board that can explicitly only read and write specific messages.

      And you can't fiddle the infotainment software without either getting straight to the eMMC or having the correct certificate to sign any file you want to upload via the USB. But reading what's built into the factory image is easy because it's all in the upgrade packages you can freely download. There is/was a discoverable root password but the production image has no way to connect a debug console (doesn't try to start the ethernet dongle) so that's pretty useless too.

      And funnily enough the CAN is all partitioned so you can't just wander around trivially, and some of the critical control buses are physically isolated. You can get around the general access security (though not the stuff needing privileged access) by reverse engineering the workshop tool protocols but that doesn't gain you much beyond what the workshop tool already does, except the ability to accidentally brick the modules.

      Hur hur we canz hack it isn't quite as simple as it appears when it comes to actual exploits.

  8. Irongut
    Mushroom

    > "simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system."

    OMG. And, simply lifting the bonnet gives access to the engine which could potentially allow a hacker to completely disable your car or disable vital safety systems!!!111!!1

  9. mevets

    Hype

    "That is, someone malicious could pull the radar sensor out."

    I just discovered that I can paint the windscreen of most cars without even physically touching them. A painted windscreen is likely to impair the drivers ability to see road hazards, other vehicles or pedestrians.

  10. A-nonCoward
    Facepalm

    Access to the car?

    "Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat."

    A criminal that gets physical access to my car gets my laptop, or if I'm at the beach or something where I don't want to carry those, my cellphone and wallet.

    THAT, my friends, would be a problem, who cares about my (barely functional) entertainment/bluetooth systems.

    The little woman used to insist on always taking her business laptop inside buildings, never leaving it in the car, be it we're going for groceries or a doctor's appointment. Now less of an issue of course, between not commuting to the office any more, and actually being furloughed and reduced to hourly work, hip hip...

  11. Anonymous Coward
    Anonymous Coward

    Why not set your "Home" address to that of your local nick

  12. -tim
    Boffin

    Separate but still connected?

    Late 1990s Saabs had 3 CAN buses. One for the ABS, one for the Engine/Transmission systems and a third for everything else. The speed of the car is determined by using the ABS sensors so as long as one wheel is rotating, it has a very good idea of the speed and it took me about an hour on an icy parking lot to trick it. The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending on speed so I wonder just how isolated the busses are.

    A friend made the comment that a rental BMW wasn't true to its heritage when its traction control system complained after it was briefly airborne. That message was of course displayed on the integrated console.

    1. Gene Cash Silver badge

      Re: Separate but still connected?

      > The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending on speed

      Are you serious? Considering how quiet current cars are? That wasn't an issue even in my '82 Toyota.

      Just how coddled and lazy ARE we these days?

  13. JCitizen
    FAIL

    Just a reminder here...

    that researchers have proven they can access a car's auto park system remotely without physical access or permission, and invoke anything the car is capable of. Just imagine if they could overrule safeties and tell the vehicle to auto park while you are going 70 mph?!! No one has proven they can't as of yet. The police would simply list the accident as "driver lost control" and that would be it - no one the wiser. And you know they aren't going to check either.

    1. Chloe Cresswell Silver badge

      Re: Just a reminder here...

      My original thought on that when autoparking systems were first being sold was "What if you could tell the system left is right?". Would anyone have the strength to overpower it, esp as more turning left would make the car try to go harder right?

    2. Starace
      Alert

      Re: Just a reminder here...

      Yeah right.

      It's one thing to emulate a button being pressed over the bus, it's quite another to make a module do something it's explicitly designed not to do - you'd have to replace the firmware with something utterly different and that's a whole other game.

      If you're going to enter into the realm of fantasy there are easier ways to achieve the same result.

  14. Anonymous Coward
    Anonymous Coward

    someone malicious could pull the radar sensor out

    my regular method of choice is to cut brake pipes and then watch the mark frantically try to avoid the unavoidable, i.e. 300ft drop (as you do). That said, in minor altercations, slashing a tyre or two does the trick, while those of lighter disposition favour good old banana (non-standard, straight), up the exhaust pipe. Pulling the radar sensor out, pah!

  15. Anonymous Coward
    Anonymous Coward

    Fat chance

    Revoke access when selling your car. This may require going through the manufacturer's website. You may again also want to delete any data from the website so that data isn't available to the next user or the manufacturer.

    Good luck with that when you have a Mercedes, at least in Belgium. It took months of repeated requests before I finally stopped receiving junkmail on the alias I had set up for their remote app (I do this to track who is distributing my details wider than they are permitted), despite having properly asked the garage to be disassociated with the VIN of a company lease vehicle the very day I resigned and requested my details to be removed. I would have shopped them to the government privacy watchdog if I had been less busy at the time.

    Now I am not going to say that is the reason I won't touch a Merc with a barge pole*, but it didn't exactly help.

    Incidentally, check that you have wiped contact details and Bluetooth authorisation from the entertainment system too.

    As for the CAN bus problems, they're a tad late IMHO to screech loudly. When the proper problems were found with fun things such as the ability to disable your brakes on remote it was nary given a mention. I don't know about you, but someone setting a different channel on my radio strikes me as a tad less worrying.

    * It was more being generally unimpressed with the price/vehicle ratio, but I acknowledge that may be personal preference or prior exposure to, well, IMHO better brands..
