back to article Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling 'Security! We have a problem...'

Modern connected cars contain security threats, consumer org Which? has said after commissioning analyses of two models, a Ford and a Volkswagen. While Which?'s insistence that the flaws are "serious" is perhaps wide of the mark, the research does highlight the lack of robust security features protecting CAN buses and in- …

  1. Oneman2Many Bronze badge

    Thank the EU for stopping encryption of the CAN bus.

    Also need access to the bus to begin with.

    Don't worry, I am sure OTA updates will be fine.

    1. Wellyboot Silver badge

      An encrypted CAN bus would kill non dealer servicing overnight as the manufacturers decide to rent out diagnostic equipment for £000's per month.

      You're spot on with the access though, the car wifi & entertainment has to be air gapped from any safety critical system.

      1. Anonymous Coward
        Anonymous Coward

        but not if...

        An access regime was mandated by the authorities (eg owner keeps the secrets, and/or the manufacturer has a suitably secure process to make them available to the workshops), as well as a level of access that ensures all sensor, heurstics and log data has to be available as it is to the dealer software. (And a maintainable comms protocol/s are published and open-sourced, of course!)

        Appropriate level of security controls that supports maintenance, better than networks with none at all.

  2. Alister

    Most drivers are probably not capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests

    TFTFY

    1. Giles C Silver badge

      Given what I have seen on the roads

      I think there are some drivers that would fail to notice if there car was sat on by an elephant.

      The best one was a car that created its own smokescreen the back was completely covered in soot, or the one where two wheels were flat.

      So most people are completely unaware of what there car is doing.

      1. Aussie Doc
        Coat

        Shirley

        Well, obviously that would depend whether it was an African elephant or an Asian elephant, of course.

        Probably not in my pocket ---------------------->

      2. Alan Brown Silver badge

        "The best one was a car that created its own smokescreen"

        I had a car like that. For about 10 miles (Mk4 Cortina and the body was worse than the engine)

    2. JassMan

      Who needs access to CAN to change tyre status

      My peugeot regularly tells me I have a flat tyre. Usually after clipping a pothole. You stop and measure all 4 and find they are identical to within .05 bar. The one time I needed it to tell me a tyre was flat, it didn't make a peep. At car park speeds it didn't affect handling but by the time I had stopped (about 35 m), it had completely shredded the tyre inside - the outside still looked ok, just flat. I actually stopped because the noise it made was exactly the same as having previously dragged a small wind blown branch in the wheel arch.

      1. vtcodger Silver badge

        Re: Who needs access to CAN to change tyre status

        My wife's car has Tire Pressure Monitoring System (TPMS). The sales people made it clear when we bought the car that the system was unreliable and more or less useless. (When was the last time THAT happened to you?) . Time has proved them to have been honest about that at least.

        I have long since augmented the TPMS with a $5.00 set of indicating tire valve caps that actually tell me when tires are underinflated and refrain from reporting temperature changes as flat tires.

        1. Gene Cash Silver badge

          Re: Who needs access to CAN to change tyre status

          > indicating tire valve caps

          FYI, those have a bad habit of losing seal and suddenly deflating the tire.

        2. Anonymous Coward
          Anonymous Coward

          Re: Who needs access to CAN to change tyre status

          Only 4 months so far but the TPMS on my car agrees with my pressure gauge to within 0.1 bar. I did read that many of the ones in the US were highly unreliable, and your spelling of "tire" suggests that's where you are. Whether European or Japanese ones are to higher standards I don't know.

          As the other poster says, never use indicating valve caps because if the piston leaks your tyre will deflate. Proper screw on metal valve caps with rubber inserts keep the air in. Even the cheap plastic ones are suspect.

      2. Anonymous Coward Silver badge

        Re: Who needs access to CAN to change tyre status

        My car (of German origin) has a tyre pressure monitoring system that relies on the ABS sensors and looks at comparative differences on wheel rotation - a soft/flat tyre has a smaller circumference and thus will spin quicker.

        That struck me as a very clever implementation, but it does mean that you need to drive some distance to get reliable data, because going around corners has a similar effect on rotational speeds.

        My experience has shown that it alerts me to a soft tyre at around the same time as I notice it, maybe before. A proper flat however I noticed a long time before it alerted me (I kept going, slowly, another mile because there was nowhere safe to stop on that bit of road)

    3. John Brown (no body) Silver badge

      "Most drivers are probably not capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests"

      It's not hard to drive on a flat (maybe not completely flat), for quite some distance on a long straight road such as a motorway without realising it due to modern tyre designs. I drive a lot and am very sensitive to any changes in handling or sounds from the car and I've managed to not notice a near flat until the warning light came on. I do check before I set off, every time too.

      1. JohnGrantNineTiles

        Clockwise on the M25 between the A3 and M3 feels exactly like a flat tyre.

    4. Bill Michaelson

      Driver awareness

      Underinflated tires were blamed for a rash of accidents involved Ford SUVs that rolled over. Since then, TPMS is mandatory in US.

      I like the system, although it tends to make me obsessive about keeping all the tires properly inflated. I particularly like the ability to flip on the pressure display if I roll over some debris at high speed. This once gave me early warning to exit an Interstate before losing too much pressure in one tire.

      My biggest beef is with mechanics who swapped the sensors about carelessly, with subsequent ensuing hilarity as I try to adjust tire pressures.

      1. Eddy Ito

        Re: Driver awareness

        IIRC the recommended pressure was low to begin with in order to ensure a softer ride and dropping only a few psi to the rollover danger level didn't take long.

        That said, I rather like the TPMS sensors on my newer car although they may be better as thermometers than pressure gauges.

  3. fuzzie

    Did I read this correctly that their issue with the VW was that the could remove the radar sensor?

    Did they least try and do something more interesting like replace it with a malicious one or one that spewed out bad/faulty measurements? Being able to remove a sensor doesn't seem like such a 'leet hack or huge vulnerability.

    1. Paul Shirley

      The not well enough flagged (apparently) issue is you can possibly connect to CAN from it and do it without breaking into the car.

    2. vilemeister

      Its 'reviews' like this that will make the car manufacturers pot the entire engine bay in resin so can't remove something, and then you also have to go to them to get it repaired/a new engine installed.

      1. Alan Brown Silver badge

        "make the car manufacturers pot the entire engine bay in resin"

        It's a shame the insurance industry won't simply turn around and refuse to cover theft of vehicles vulnerable to replay attacks

        The resulting class actions would sort the problem out quickly

        1. Anonymous Coward
          Anonymous Coward

          uninsurable against theft, unless separately secured - 2017ish ?

          " ashame the insurance industry won't simply turn around and refuse to cover theft of vehicles vulnerable to replay attacks"

          I heard a couple of years ago that it was impossible to get insurance for affected vehicles in certain parts of the M25 parking zone. If it was true (I don't live there or drive an affected vehicle) it doesn't seem to have had the desired effect yet.

          This from 2017, but not sure it's a 100% match (solihull's not in the M25 parking zone yet):

          https://www.schneier.com/blog/archives/2017/11/man-in-the-midd_8.html

  4. Sil

    Ford refusing to read the report shows Which is definitely not wrong.

    It's just like the absolute joke of the security of medical equipment: it interests nobody, until some organization will give us a nasty wake-up call.

  5. My other car WAS an IAV Stryker

    CAN + security != CAN and would break things

    "The lack of robust security features protecting CAN buses" was intentional to make sure any semi-idiot can wire up this engine and that transmission and so-and-so's ABS and eventually come up with a working drivetrain without being a cryptosecurity expert or needing signed keys, licenses, or proprietary tools.

    (Yes, SOME proprietary tools are needed, but any CAN transceiver and parsing software built to the published standards should read 90% of CAN busses and all contents not using the Proprietary-flagged data frames. And those Prop frames can still be recorded even if the raw binary/hex is meaningless without further definition.)

    "Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat." Physical access is ALWAYS the discriminator when it comes to CAN. There is no issue as long as the air-gap is maintained.

    Do there need to be improvements within the industry? YES.

    Does it need to be a multi-corporate effort? Absolutely.

    Would it increase processing overhead within every single device on the bus and increase power consumption and device cost? You betcha. Every bus, every device, and every message would have to be strongly encrypted. Any bus-connected device that can be forced into non-encrypted mode is a vulnerability. Any tool that can do that for maintainers/technicians becomes a tool for criminals also. Any decryption must happen internal to the device/tool.

    But... Any all-access keys used for the tools are essentially a backdoor that can and will be eventually leaked. And if the devices make keys randomly on every power-up and/or after certain time intervals (which can also be randomized), then the tools will be broken and can't parse bus traffic.

    I don't know the solution, but so many vehicles--passenger, commercial, and "other"--are currently vulnerable.

    1. Bogbody

      Re: CAN + security != CAN and would break things

      Encryping the canbus data leads to one thing - the vehicle is eventualy not repairable. A wonderful piece of planned obselesance.

      I point the reader in the direction of Vauxhaul/opel following the PSA takeover.

      How long before the relevant servers become unavailable and the canbus cant be read, decrypted or modified. Several modules on the Astra (for example) cant be serviced/replaced without access to the central server.

      Indeed updates for the infotainment/satnav system have allready dried up.

      No update is available that shows the new A14 around Huntingdon ( yes, yes read the f@$king roadsigns). What other module have or will develop a bug that needs an update (well the auto lights on function for a start!)

      Cars made before about 2005 can be fixed with mechanical and electrical skills.

      Todays cars would also need a crypro and software engineer.

      1. Anonymous Coward
        Anonymous Coward

        Re: CAN + security != CAN and would break things

        "Todays cars would also need a crypro and sodtware engineer."

        Unfortunately the manufacturers are simply giving idiots all the Shiny Shiny toys that they want. Why anyone wants all the bells in whistles in a car beyond a basic ICE when a phone can do all the same functions better beats me, but there we are. For now I'm sticking with my 12 year old car with analogue dials, a radio, CD player and nowt else.

    2. Anonymous Coward
      Anonymous Coward

      Re: CAN + security != CAN and would break things

      Couple notes;

      * encryption doesn't have to be an all or nothing affair, even on a given CAN bus. At least one manufacturer does a mix of completely clear coms, encrypted coms, and communication with secure checksums (so data is easy to read but hard to forge... secure data is also timestamped to defeat replay attacks).

      * symmetric encryption keys that are unique to a given vehicle work. Keys are stored at a central repository maintained by the manufacturer so that diagnostic tools can update replacent parts (obvious weakpoint, but much better than a single master key).

      * there are industry standard tools to manage all of this. See AUTOSAR for one example. Automotive ECU software is hugely modular and model driven (essentialle nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software).

      As mentioned, physical access eventually wins.

      Source: I make a living speaking CAN to modules that don't always come with documentation. Job includes making a given part think its going down the highway in a vehicle even though it's sitting on a tester.

      1. Anonymous Coward
        Anonymous Coward

        Re: CAN + security != CAN and would break things

        "essentialle nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software"

        Is that view of the world shared by the people at MISRA, or is MISRA a bit last-century by now?

        "I make a living speaking CAN to modules that don't always come with documentation."

        Understood. Embedded systems are like that sometimes, even before the supplier in question goes out of business (or gets taken over).

        "Job includes making a given part think its going down the highway in a vehicle even though it's sitting on a tester."

        Hmmm, there's a certain 21st-century familiarity to that description.

        Sprechen Sie VW?

        If only everything in life were as reliable as a Softing CANBus implementation.

  6. Mike 16

    a known issue for years?

    "Keyless entry" has been a thing for _decades_, and I recall that handy capture/replay devices were available to thieves within months.

    Meanwhile, the advice to not pair ones Bluetooth devices to random rental cars is good, but ignores that some modern cars (I refrain from naming the maker, as I suspect my new car is snooping all my comms :-) will pair with a device (such as my iPhone) without asking for or getting permission.

    1. vtcodger Silver badge

      Re: a known issue for years?

      An inexpensive keyless entry device known as a "brick" has been available to (and actually used by) car thieves for about a century.

      1. IGotOut Silver badge

        Re: a known issue for years?

        Pretty hard to start a car with a brick. It's not the 80's anymore.

    2. John Brown (no body) Silver badge

      Re: a known issue for years?

      "will pair with a device (such as my iPhone) without asking for or getting permission."

      Isn't that as much of an Apple issue as a a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?

      1. Mike 16

        Re: a known issue for years?

        @John Brown

        ---

        Isn't that as much of an Apple issue as a a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?

        ---

        Almost certainly at least partially an Apple issue. There was no reason for me to faff with BT settings, as I do not enable BT at all. Then again, I also try my best to disable iCloud, but Apple gets more clever about stealth re-enables with every "upgrade". I will say that the Apple computers (i.e. MacOS rather than iOS) have some of the same annoying iCloud behavior, but so far have paired with BT mice and keyboards only as and when explicitly directed to do so. Of course, "Tomorrow is another day"

        It is the whole ecosystem of cars, phones, appliances, dustbins, dog-collars etc. that gets me wondering if Douglas Adams was a time traveller.

        1. zuckzuckgo

          Re: a known issue for years?

          >that gets me wondering if Douglas Adams was a time traveller.

          There is documented evidence that he only travelled back in time to record TV shows he had missed. He found it easier to solve the time travel problem than program a 1980's VCR to automatically record.

  7. Anonymous Coward
    Facepalm

    "Ford and VW"

    The article doesn't make clear if Which tested any other vehicles and found them secure or if they just tested Ford and VW. I suspect the latter.

    Also the superficiality of the testing without any tested examples of exploits that the vulnerability would allow is problematic.

    Bad? Yes. How bad? Nobody knows.

    1. Starace
      Alert

      Re: "Ford and VW"

      Somewhere around here is a post I made which is somehow approved but hidden.

      Basically good luck fiddling the buses from the Ford infotainment, the hardware is partitioned and the QNX bit has no access to CAN, it goes via datapool in shared memory to another board that can explicitly only read and write specific messages.

      And you can't fiddle the infotainment software without either getting straight to the eMMC or having the correct certificate to sign any file you want to upload via the USB. But reading what's built into the factory image is easy because it's all in the upgrade packages you can freely download. There is/was a discoverable root password but the production image has no way to connect a debug console (doesn't try to start the ethernet dongle) so that's pretty useless too.

      And funnily enough the CAN is all partitioned so you can't just wander around trivially, and some of the critical control buses are physically isolated. You can get around the general access security (though not the stuff needing privileged access) by reverse engineering the workshop tool protocols but that doesn't gain you much beyond what the workshop tool already does, except the ability to accidentally brick the modules.

      Hur hur we canz hack it isn't quite as simple as it appears when it comes to actual exploits.

  8. Irongut Silver badge
    Mushroom

    > "simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system."

    OMG. And, simply lifting the bonnet gives access to the engine which could potentially allow a hacker to completely disable your car or disable vital safety systems!!!111!!1

  9. mevets

    Hype

    "That is, someone malicious could pull the radar sensor out."

    I just discovered that I can paint the windscreen of most cars without even physically touching them. A painted windscreen is likely to impair the drivers ability to see road hazards, other vehicles or pedestrians.

  10. A-nonCoward
    Facepalm

    Access to the car?

    "Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat."

    A criminal that gets physical access to my car gets my laptop, or if I'm at the beach or something where I don't want to carry those, my cellphone and wallet.

    THAT, my friends, would be a problem, who cares about my (barely functional) entertainment/bluetooth systems.

    The little woman used to insist in always taking her business laptop inside buildings, never leaving it in the car, be it we're going for groceries or a doctor's appointment. Now less of an issue of course, between not commuting to the office any more, and actually being furloughed and reduced to hourly work, hip hip...

  11. Anonymous Coward
    Anonymous Coward

    Why not set your "Home" address to that of your local nick

  12. -tim
    Boffin

    Separate but still connected?

    Late 1990s Saabs had 3 CAN buses. One for the ABS, one for the Engine/Transmission systems and a third for everything else. The speed of the car is determined by using the ABS sensors so as long as one wheel is rotating, it have a very good idea of of the speed and it took me about an hour on an icy parking lot to trick it. The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending speed so I wonder just how isolated the busses are.

    A friend made the comment that a rental BMW wasn't true to its heritage when its traction control system complained after it was briefly airborne. That message was of course displayed on the integrated console.

    1. Gene Cash Silver badge

      Re: Separate but still connected?

      > The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending speed

      Are you serious? Considering how quiet current cars are? That wasn't an issue even in my '82 Toyota.

      Just how coddled and lazy ARE we these days?

  13. JCitizen
    FAIL

    Just a reminder here...

    that researchers have proven they can access a car's auto park system remotely without physical access or permission, and invoke anything the car is capable of. Just imagine if they could over rule safeties and tell the vehicle to auto park while you are going 70 mph?!! No one has proven they can't as of yet. The police would simply list the accident as "driver lost control" and that would be it - no one the wiser. And you know they aren't going to check either.

    1. Chloe Cresswell Silver badge

      Re: Just a reminder here...

      My original thought on that when autoparking systems were first being sold was "What if you could tell the system left is right?". Would anyone have the strength to over power it, esp as more turning left would make the car try to go harder right?

    2. Starace
      Alert

      Re: Just a reminder here...

      Yeah right.

      It's one thing to emulate a button being pressed over the bus, it's quite another to make a module do something it's explicitly designed not to do - you'd have to replace the firmware with something utterly different and that's a whole other game.

      If you're going to enter into the realm of fantasy there are easier ways to achieve the same result.

  14. Anonymous Coward
    Anonymous Coward

    someone malicious could pull the radar sensor out

    my regular method of choice is to cut brake pipes and then watch the mark frantically try to avoid the unavoidable, i.e. 300ft drop (as you do). That said, in minor altercations, slashing a tyre of two does the trick, while those of lighter disposition favour good old banana (non-standard, straight), up the exhaust pipe. Pulling the radar sensor out, pah!

  15. Anonymous Coward
    Anonymous Coward

    Fat chance

    Revoke access when selling your car. This may require going through the manufacturer's website. You may again also want to delete any data from the website so that data isn't available to the next user or the manufacturer.

    Good luck with that when you have a Mercedes, at least in Belgium. It took months of repeated requests before I finally stopped receiving junkmail on the alias I had set up for their remote app (I do this to track who is distributing my details wider than they are permitted), despite having properly asked the garage to be disassociated with the VIN of a company lease vehicle the very day I resigned and requested my details to be removed. I would have shopped them to the government privacy watchdog if I had been less busy at the time.

    Now I am not going to say that is the reason I won't touch a Merc with a barge pole*, but it didn't exactly help.

    Incidentally, check that you have wiped contact details and Bluetooth authorisation from the entertainment system too.

    As for the CAN bus problems, they're a tad late IMHO to screech loudly. When the proper problems were found with fun things such as the ability to disable your brakes on remote it was nary given a mention. I don't know about you, but someone setting a different channel on my radio strikes me as a tad less worrying.

    * It was more being generally unimpressed with the price/vehicle ratio, but I acknowledge that may be personal preference or prior exposure to, well, IMHO better brands..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon