Thank the EU for stopping encryption of the CAN bus.
Also need access to the bus to begin with.
Don't worry, I am sure OTA updates will be fine.
Modern connected cars contain security threats, consumer org Which? has said after commissioning analyses of two models, a Ford and a Volkswagen. While Which?'s insistence that the flaws are "serious" is perhaps wide of the mark, the research does highlight the lack of robust security features protecting CAN buses and in- …
An access regime was mandated by the authorities (eg owner keeps the secrets, and/or the manufacturer has a suitably secure process to make them available to the workshops), as well as a level of access that ensures all sensor, heuristics and log data has to be available as it is to the dealer software. (And a maintainable comms protocol/s are published and open-sourced, of course!)
Appropriate level of security controls that supports maintenance, better than networks with none at all.
Given what I have seen on the roads
I think there are some drivers that would fail to notice if their car was sat on by an elephant.
The best one was a car that created its own smokescreen, the back was completely covered in soot, or the one where two wheels were flat.
So most people are completely unaware of what their car is doing.
My Peugeot regularly tells me I have a flat tyre. Usually after clipping a pothole. You stop and measure all 4 and find they are identical to within .05 bar. The one time I needed it to tell me a tyre was flat, it didn't make a peep. At car park speeds it didn't affect handling but by the time I had stopped (about 35 m), it had completely shredded the tyre inside - the outside still looked ok, just flat. I actually stopped because the noise it made was exactly the same as having previously dragged a small wind blown branch in the wheel arch.
My wife's car has Tire Pressure Monitoring System (TPMS). The sales people made it clear when we bought the car that the system was unreliable and more or less useless. (When was the last time THAT happened to you?) Time has proved them to have been honest about that at least.
I have long since augmented the TPMS with a $5.00 set of indicating tire valve caps that actually tell me when tires are underinflated and refrain from reporting temperature changes as flat tires.
Only 4 months so far but the TPMS on my car agrees with my pressure gauge to within 0.1 bar. I did read that many of the ones in the US were highly unreliable, and your spelling of "tire" suggests that's where you are. Whether European or Japanese ones are to higher standards I don't know.
As the other poster says, never use indicating valve caps because if the piston leaks your tyre will deflate. Proper screw on metal valve caps with rubber inserts keep the air in. Even the cheap plastic ones are suspect.
My car (of German origin) has a tyre pressure monitoring system that relies on the ABS sensors and looks at comparative differences on wheel rotation - a soft/flat tyre has a smaller circumference and thus will spin quicker.
That struck me as a very clever implementation, but it does mean that you need to drive some distance to get reliable data, because going around corners has a similar effect on rotational speeds.
My experience has shown that it alerts me to a soft tyre at around the same time as I notice it, maybe before. A proper flat however I noticed a long time before it alerted me (I kept going, slowly, another mile because there was nowhere safe to stop on that bit of road)
"Most drivers are probably not capable of noticing if one or more tyres is flat or running on the wheel rim, El Reg suggests"
It's not hard to drive on a flat (maybe not completely flat), for quite some distance on a long straight road such as a motorway without realising it due to modern tyre designs. I drive a lot and am very sensitive to any changes in handling or sounds from the car and I've managed to not notice a near flat until the warning light came on. I do check before I set off, every time too.
Underinflated tires were blamed for a rash of accidents involving Ford SUVs that rolled over. Since then, TPMS is mandatory in US.
I like the system, although it tends to make me obsessive about keeping all the tires properly inflated. I particularly like the ability to flip on the pressure display if I roll over some debris at high speed. This once gave me early warning to exit an Interstate before losing too much pressure in one tire.
My biggest beef is with mechanics who swapped the sensors about carelessly, with subsequent ensuing hilarity as I try to adjust tire pressures.
IIRC the recommended pressure was low to begin with in order to ensure a softer ride and dropping only a few psi to the rollover danger level didn't take long.
That said, I rather like the TPMS sensors on my newer car although they may be better as thermometers than pressure gauges.
Did I read this correctly that their issue with the VW was that they could remove the radar sensor?
Did they at least try and do something more interesting like replace it with a malicious one or one that spewed out bad/faulty measurements? Being able to remove a sensor doesn't seem like such a 'leet hack or huge vulnerability.
"a shame the insurance industry won't simply turn around and refuse to cover theft of vehicles vulnerable to replay attacks"
I heard a couple of years ago that it was impossible to get insurance for affected vehicles in certain parts of the M25 parking zone. If it was true (I don't live there or drive an affected vehicle) it doesn't seem to have had the desired effect yet.
This from 2017, but not sure it's a 100% match (Solihull's not in the M25 parking zone yet):
https://www.schneier.com/blog/archives/2017/11/man-in-the-midd_8.html
"The lack of robust security features protecting CAN buses" was intentional to make sure any semi-idiot can wire up this engine and that transmission and so-and-so's ABS and eventually come up with a working drivetrain without being a cryptosecurity expert or needing signed keys, licenses, or proprietary tools.
(Yes, SOME proprietary tools are needed, but any CAN transceiver and parsing software built to the published standards should read 90% of CAN busses and all contents not using the Proprietary-flagged data frames. And those Prop frames can still be recorded even if the raw binary/hex is meaningless without further definition.)
"Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat." Physical access is ALWAYS the discriminator when it comes to CAN. There is no issue as long as the air-gap is maintained.
Do there need to be improvements within the industry? YES.
Does it need to be a multi-corporate effort? Absolutely.
Would it increase processing overhead within every single device on the bus and increase power consumption and device cost? You betcha. Every bus, every device, and every message would have to be strongly encrypted. Any bus-connected device that can be forced into non-encrypted mode is a vulnerability. Any tool that can do that for maintainers/technicians becomes a tool for criminals also. Any decryption must happen internal to the device/tool.
But... Any all-access keys used for the tools are essentially a backdoor that can and will be eventually leaked. And if the devices make keys randomly on every power-up and/or after certain time intervals (which can also be randomized), then the tools will be broken and can't parse bus traffic.
I don't know the solution, but so many vehicles--passenger, commercial, and "other"--are currently vulnerable.
Encrypting the canbus data leads to one thing - the vehicle is eventually not repairable. A wonderful piece of planned obsolescence.
I point the reader in the direction of Vauxhall/Opel following the PSA takeover.
How long before the relevant servers become unavailable and the canbus can't be read, decrypted or modified? Several modules on the Astra (for example) can't be serviced/replaced without access to the central server.
Indeed updates for the infotainment/satnav system have already dried up.
No update is available that shows the new A14 around Huntingdon (yes, yes read the f@$king roadsigns). What other modules have or will develop a bug that needs an update (well the auto lights on function for a start!)
Cars made before about 2005 can be fixed with mechanical and electrical skills.
Today's cars would also need a crypto and software engineer.
"Today's cars would also need a crypto and software engineer."
Unfortunately the manufacturers are simply giving idiots all the Shiny Shiny toys that they want. Why anyone wants all the bells and whistles in a car beyond a basic ICE when a phone can do all the same functions better beats me, but there we are. For now I'm sticking with my 12 year old car with analogue dials, a radio, CD player and nowt else.
Couple notes;
* encryption doesn't have to be an all or nothing affair, even on a given CAN bus. At least one manufacturer does a mix of completely clear coms, encrypted coms, and communication with secure checksums (so data is easy to read but hard to forge... secure data is also timestamped to defeat replay attacks).
* symmetric encryption keys that are unique to a given vehicle work. Keys are stored at a central repository maintained by the manufacturer so that diagnostic tools can update replacement parts (obvious weak point, but much better than a single master key).
* there are industry standard tools to manage all of this. See AUTOSAR for one example. Automotive ECU software is hugely modular and model driven (essentially nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software).
As mentioned, physical access eventually wins.
Source: I make a living speaking CAN to modules that don't always come with documentation. Job includes making a given part think it's going down the highway in a vehicle even though it's sitting on a tester.
"essentially nobody "writes code" in automotive as much as you write specs, build models, and let the tools build the software"
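The "secure checksum plus timestamp" scheme described in the comment above, sketched as an added example (not part of the original post and not any manufacturer's code): the payload stays readable, a truncated MAC under a per-vehicle key makes it hard to forge, and a freshness counter rejects replays. HMAC-SHA256, the 4-byte tag, the sample key, the CAN ID and the payloads are assumptions chosen for illustration, and the freshness value is carried beside the payload rather than packed into an 8-byte frame.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # truncated tag length in bytes (assumed; frames have little room)
VEHICLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key


def make_tag(key: bytes, can_id: int, freshness: int, payload: bytes) -> bytes:
    """MAC over arbitration ID, freshness value and the clear-text payload."""
    msg = struct.pack(">IQ", can_id, freshness) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def send(self, can_id: int, payload: bytes):
        self.counter += 1  # monotonic freshness value, stands in for a timestamp
        tag = make_tag(self.key, can_id, self.counter, payload)
        return (can_id, self.counter, payload, tag)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seen = key, {}

    def accept(self, frame) -> str:
        can_id, freshness, payload, tag = frame
        expected = make_tag(self.key, can_id, freshness, payload)
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # forged or modified frame
        if freshness <= self.last_seen.get(can_id, 0):
            return "replay"  # genuine frame, but already seen
        self.last_seen[can_id] = freshness  # only advance on verified frames
        return "ok"


def demo():
    tx, rx = Sender(VEHICLE_KEY), Receiver(VEHICLE_KEY)
    first = tx.send(0x123, b"\x00\x46")  # constructed ID and payload
    second = tx.send(0x123, b"\x00\x47")
    tampered = (second[0], second[1], b"\x00\xff", second[3])
    return [rx.accept(first), rx.accept(first), rx.accept(tampered), rx.accept(second)]


if __name__ == "__main__":
    print(demo())
```

A receiver holding a different vehicle's key rejects every frame as `bad-mac`, which is the benefit of per-vehicle keys over a single master key that the comment points out.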
Is that view of the world shared by the people at MISRA, or is MISRA a bit last-century by now?
"I make a living speaking CAN to modules that don't always come with documentation."
Understood. Embedded systems are like that sometimes, even before the supplier in question goes out of business (or gets taken over).
"Job includes making a given part think it's going down the highway in a vehicle even though it's sitting on a tester."
Hmmm, there's a certain 21st-century familiarity to that description.
Sprechen Sie VW?
If only everything in life were as reliable as a Softing CANBus implementation.
"Keyless entry" has been a thing for _decades_, and I recall that handy capture/replay devices were available to thieves within months.
Meanwhile, the advice to not pair one's Bluetooth devices to random rental cars is good, but ignores that some modern cars (I refrain from naming the maker, as I suspect my new car is snooping all my comms :-) will pair with a device (such as my iPhone) without asking for or getting permission.
"will pair with a device (such as my iPhone) without asking for or getting permission."
Isn't that as much of an Apple issue as a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?
@John Brown
---
Isn't that as much of an Apple issue as a car issue? Do iPhones routinely connect to any random Bluetooth device without asking permission or is that a setting you have changed yourself?
---
Almost certainly at least partially an Apple issue. There was no reason for me to faff with BT settings, as I do not enable BT at all. Then again, I also try my best to disable iCloud, but Apple gets more clever about stealth re-enables with every "upgrade". I will say that the Apple computers (i.e. MacOS rather than iOS) have some of the same annoying iCloud behavior, but so far have paired with BT mice and keyboards only as and when explicitly directed to do so. Of course, "Tomorrow is another day"
It is the whole ecosystem of cars, phones, appliances, dustbins, dog-collars etc. that gets me wondering if Douglas Adams was a time traveller.
>that gets me wondering if Douglas Adams was a time traveller.
There is documented evidence that he only travelled back in time to record TV shows he had missed. He found it easier to solve the time travel problem than program a 1980's VCR to automatically record.
The article doesn't make clear if Which tested any other vehicles and found them secure or if they just tested Ford and VW. I suspect the latter.
Also the superficiality of the testing without any tested examples of exploits that the vulnerability would allow is problematic.
Bad? Yes. How bad? Nobody knows.
Somewhere around here is a post I made which is somehow approved but hidden.
Basically good luck fiddling the buses from the Ford infotainment, the hardware is partitioned and the QNX bit has no access to CAN, it goes via datapool in shared memory to another board that can explicitly only read and write specific messages.
And you can't fiddle the infotainment software without either getting straight to the eMMC or having the correct certificate to sign any file you want to upload via the USB. But reading what's built into the factory image is easy because it's all in the upgrade packages you can freely download. There is/was a discoverable root password but the production image has no way to connect a debug console (doesn't try to start the ethernet dongle) so that's pretty useless too.
And funnily enough the CAN is all partitioned so you can't just wander around trivially, and some of the critical control buses are physically isolated. You can get around the general access security (though not the stuff needing privileged access) by reverse engineering the workshop tool protocols but that doesn't gain you much beyond what the workshop tool already does, except the ability to accidentally brick the modules.
Hur hur we canz hack it isn't quite as simple as it appears when it comes to actual exploits.
> "simply lifting the VW badge on the front of the car gave access to the front radar module, which could potentially allow a hacker to tamper with the collision-warning system."
OMG. And, simply lifting the bonnet gives access to the engine which could potentially allow a hacker to completely disable your car or disable vital safety systems!!!111!!1
"Nonetheless, a criminal with time, knowledge and physical access to the target network (the car) is a very real infosec threat."
A criminal that gets physical access to my car gets my laptop, or if I'm at the beach or something where I don't want to carry those, my cellphone and wallet.
THAT, my friends, would be a problem, who cares about my (barely functional) entertainment/bluetooth systems.
The little woman used to insist in always taking her business laptop inside buildings, never leaving it in the car, be it we're going for groceries or a doctor's appointment. Now less of an issue of course, between not commuting to the office any more, and actually being furloughed and reduced to hourly work, hip hip...
Late 1990s Saabs had 3 CAN buses. One for the ABS, one for the Engine/Transmission systems and a third for everything else. The speed of the car is determined by using the ABS sensors so as long as one wheel is rotating, it has a very good idea of the speed and it took me about an hour on an icy parking lot to trick it. The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending on speed so I wonder just how isolated the busses are.
A friend made the comment that a rental BMW wasn't true to its heritage when its traction control system complained after it was briefly airborne. That message was of course displayed on the integrated console.
> The thing is the radio needs to know how fast the car is going so it can make slight adjustments to the volume depending on speed
Are you serious? Considering how quiet current cars are? That wasn't an issue even in my '82 Toyota.
Just how coddled and lazy ARE we these days?
that researchers have proven they can access a car's auto park system remotely without physical access or permission, and invoke anything the car is capable of. Just imagine if they could overrule safeties and tell the vehicle to auto park while you are going 70 mph?!! No one has proven they can't as of yet. The police would simply list the accident as "driver lost control" and that would be it - no one the wiser. And you know they aren't going to check either.
Yeah right.
It's one thing to emulate a button being pressed over the bus, it's quite another to make a module do something it's explicitly designed not to do - you'd have to replace the firmware with something utterly different and that's a whole other game.
If you're going to enter into the realm of fantasy there are easier ways to achieve the same result.
my regular method of choice is to cut brake pipes and then watch the mark frantically try to avoid the unavoidable, i.e. 300ft drop (as you do). That said, in minor altercations, slashing a tyre or two does the trick, while those of lighter disposition favour good old banana (non-standard, straight), up the exhaust pipe. Pulling the radar sensor out, pah!
Revoke access when selling your car. This may require going through the manufacturer's website. You may again also want to delete any data from the website so that data isn't available to the next user or the manufacturer.
Good luck with that when you have a Mercedes, at least in Belgium. It took months of repeated requests before I finally stopped receiving junkmail on the alias I had set up for their remote app (I do this to track who is distributing my details wider than they are permitted), despite having properly asked the garage to be disassociated with the VIN of a company lease vehicle the very day I resigned and requested my details to be removed. I would have shopped them to the government privacy watchdog if I had been less busy at the time.
Now I am not going to say that is the reason I won't touch a Merc with a barge pole*, but it didn't exactly help.
Incidentally, check that you have wiped contact details and Bluetooth authorisation from the entertainment system too.
As for the CAN bus problems, they're a tad late IMHO to screech loudly. When the proper problems were found with fun things such as the ability to disable your brakes on remote it was nary given a mention. I don't know about you, but someone setting a different channel on my radio strikes me as a tad less worrying.
* It was more being generally unimpressed with the price/vehicle ratio, but I acknowledge that may be personal preference or prior exposure to, well, IMHO better brands..