Architecture: CAN bus, ECUs and more
Let's start with the architecture. The on-board computer of a modern car does not really exist as a single unit. Instead, there is a collection of electronic control units (ECUs) connected to a network. From the late eighties to the present day, the basic standard for this network has remained the so-called CAN bus: a twisted pair of wires onto which all ECUs transmit messages in one common format.
In reality, of course, it is a little more complicated. There may be not one bus but several, for example one for more important devices running at a higher speed and another for secondary ones. In that case there is some kind of "bridge" between the buses. And in its MEB platform for electric vehicles, the automaker Volkswagen abandons the CAN-bus-based architecture entirely and will use on-board Ethernet instead, together with a single Android-based operating system.
For now, what matters to us is that no matter how "smart" a modern car may be, the same bus sits at its core. So its fundamental, unfixable vulnerability is still relevant: having gained access to CAN (for example, by connecting to the diagnostic connector or by putting a sniffer on the bus), we gain access to everything that is transmitted. With all the ensuing consequences.
And if we can transmit a signal to one of the ECUs, it will obediently execute the command. If it is the air-conditioning control unit, that is not so scary. But what if it is the brake or engine control unit? In keeping with the principle that it is easier to break than to build (or "garbage in, garbage out"), one single wrong command, received at the moment of an overtaking manoeuvre in the oncoming lane, can lead to sad consequences and loud newspaper headlines.
However, things are not so bad. Manufacturers are not fools and are quite capable of building security features into each specific ECU. It may refuse to accept a command that does not carry the correct checksum or that does not satisfy some additional conditions. Very often you can pass yourself off as the parking assistant only when the car is reversing at no more than five kilometres per hour; under any other conditions its signals will be ignored.
In addition, messages on the CAN bus are commands so low-level that they can be compared with machine code. To understand what a sequence of bits means, you will have to spend a long time reading the manufacturer's technical documentation, or conduct field experiments on a real car or, failing that, on separate ECUs.
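As an added example (not the article's code, nor any manufacturer's), here is the ECU-side acceptance check described above in working form: a parking-assist steering request is acted on only if its checksum is correct and the car is reversing at no more than 5 km/h. The arbitration ID 0x2A0, the 8-byte frame layout and the CRC-8 checksum are assumptions made for the demo.

```python
# Added example (not the article's or any manufacturer's code) of the ECU-side
# check described above: a parking-assist steering request is acted on only if
# its checksum is right AND the car is reversing at no more than 5 km/h.
# Assumed frame layout (ID 0x2A0): byte 0 = command, bytes 1-2 = signed steering
# angle, bytes 3-6 reserved, byte 7 = CRC-8 (poly 0x07, init 0) over bytes 0-6.
from dataclasses import dataclass
from typing import Tuple
PARK_ASSIST_ID = 0x2A0  # assumed arbitration ID of the parking-assist request

def crc8(data: bytes, poly: int = 0x07) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

@dataclass
class VehicleState:
    speed_kmh: float
    gear: str  # "P", "R", "N" or "D"

@dataclass
class CanFrame:
    arb_id: int
    data: bytes

def build_park_assist_frame(command: int, angle_deg: int) -> CanFrame:
    """Frame the legitimate parking-assist module would put on the bus."""
    payload = bytes([command]) + angle_deg.to_bytes(2, "big", signed=True) + bytes(4)
    return CanFrame(PARK_ASSIST_ID, payload + bytes([crc8(payload)]))

def accept_park_assist(frame: CanFrame, state: VehicleState) -> Tuple[bool, str]:
    """Decision the steering ECU makes before executing a frame."""
    if frame.arb_id != PARK_ASSIST_ID or len(frame.data) != 8:
        return False, "not a well-formed parking-assist frame"
    if crc8(frame.data[:7]) != frame.data[7]:
        return False, "checksum mismatch"          # corrupted or tampered payload
    if state.gear != "R" or state.speed_kmh > 5.0:
        return False, "outside gating conditions"  # valid frame, wrong situation
    return True, "ok"

if __name__ == "__main__":
    good = build_park_assist_frame(0x01, 120)
    # Same frame with the angle bytes changed but the old checksum left in place.
    tampered = CanFrame(PARK_ASSIST_ID, good.data[:1] + b"\x01\x90" + good.data[3:])
    print(accept_park_assist(good, VehicleState(3.0, "R")))      # (True, 'ok')
    print(accept_park_assist(good, VehicleState(60.0, "D")))     # gated out
    print(accept_park_assist(tampered, VehicleState(3.0, "R")))  # checksum mismatch
```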
Scientists join the battle
An interesting situation emerges: at the theoretical level, hacking a car is very simple, but at the practical level it requires a lot of meticulous preparation. And somehow it turned out that for a long time this was done mainly by people who stayed in the shadows and had purely selfish interests: not to gain control over the car's electronics, but to get the car itself into their own hands.
Only in 2010 did people start talking about this topic seriously. At the security symposium of the Institute of Electrical and Electronics Engineers (IEEE), computer engineers from the universities of San Diego and Washington presented a report.
They described many extremely interesting features of cars as computer systems. Mostly these features stemmed from the fact that the industry pays a lot of attention to safety during regular use and in emergency situations, but little to protection from a targeted attack on the car's electronic systems.
For example, so that the car doors would not stay locked during an accident, the low-priority network, on which the central locking control unit sat, had a "bridge" connection to the high-priority network, which carried the state sensors for the whole car and the control units of the various driver "assistants". And advanced telematics systems collected readings from many sensors and sent them to service centres over the cellular network, so that the car could tell its owner in advance that it was time to visit a garage, or call 911 in the event of an accident. Moreover, an anti-theft device could be part of the same system, allowing the car's engine to be immobilised remotely.
A couple of lines about architecture: modern cars almost always have a special OBD-II diagnostic connector and a special diagnostic mode intended for auto mechanics. And so that a specialist at any garage in any backwater has the ability to service the car, access to this mode is in fact granted … through access to the connector. Yes, exactly. Almost a root login with the password "password". Many of the examples in this article rely on this mode.
What exactly did this team of researchers do? To begin with, they wrote CARSHARK, a flexible tool for analysing and injecting messages on the CAN bus. From there, opportunities open up. Without going into particularly technical detail, we will only say that the ECUs that did have authentication built in were protected by nothing more than a 16-bit key. Such protection can be bypassed by brute force in a few days. After that you can, for example, "reflash" the ECU, and then do whatever you want.
Significant harm can be done simply by mounting a classic DoS attack: a system overloaded with meaningless messages became inoperative. But one could also play the hero of a hacker movie. For example, as a simple and vivid demonstration of their power, the researchers wrote a "self-destruct demo virus": once it started, the car displayed a countdown from sixty on the speedometer, blinked its turn signals and honked for a few seconds, then stalled the engine hard and locked the doors, leaving the word PWNED on the speedometer.
An even more insidious approach the researchers demonstrated is loading malicious code into the RAM of the telematics system (which ran a full-fledged Unix-based OS). They made the code fire on a trigger (for example, accelerating to a certain speed) and reboot the system after firing, erasing itself in the process. The ideal crime!
But the researchers did not stop there. The following year, 2011, they presented a new report (PDF) that considered not what an attacker could do with the system after gaining access to it, but how exactly he could gain that access.
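The bus-flooding DoS mentioned above is one of the few CAN attacks a monitoring node can spot without understanding the message semantics: a single arbitration ID suddenly dominates the bus. The following detector is an added example, not the researchers' code or CARSHARK; it assumes candump's `-l` log format `(timestamp) iface ID#HEXDATA`, constructs its own sample traffic, and uses a 20-frames-per-100-ms threshold chosen for the demo.

```python
# Added example, not from the article or the CARSHARK tool: a defender-side
# detector for the bus-flooding DoS described above. It watches how many frames
# each arbitration ID puts on the bus inside a short sliding window.
# Log line format "(timestamp) iface ID#HEXDATA" is the one candump -l writes;
# the traffic below is constructed, and the thresholds are assumptions.
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

LINE_RE = re.compile(r"^\((\d+\.\d+)\) (\S+) ([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

def parse_line(line: str) -> Tuple[float, int, bytes]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised candump line: {line!r}")
    ts, _iface, arb_id, data = m.groups()
    return float(ts), int(arb_id, 16), bytes.fromhex(data)

def detect_flood(lines: Iterable[str], window_s: float = 0.1,
                 max_frames: int = 20) -> List[Tuple[float, int, int]]:
    """Return (timestamp, arbitration ID, frames in window) for each ID that
    exceeds max_frames within window_s seconds; one alert per ID, raised the
    first time the threshold is crossed."""
    recent: Dict[int, Deque[float]] = defaultdict(deque)
    flagged: set = set()
    alerts: List[Tuple[float, int, int]] = []
    for line in lines:
        ts, arb_id, _data = parse_line(line)
        window = recent[arb_id]
        window.append(ts)
        while ts - window[0] > window_s:   # drop timestamps older than the window
            window.popleft()
        if len(window) > max_frames and arb_id not in flagged:
            flagged.add(arb_id)
            alerts.append((ts, arb_id, len(window)))
    return alerts

def make_sample_log() -> List[str]:
    """Constructed traffic: a legitimate 100 Hz sensor frame on ID 0x1A0 for one
    second, plus 200 empty frames at 1 kHz on ID 0x000 starting at t = 0.5 s.
    ID 0x000 wins every arbitration, so such a burst starves all other nodes."""
    lines = [f"({i / 100:.6f}) can0 1A0#{i & 0xFF:02X}00" for i in range(100)]
    lines += [f"({0.5 + i / 1000:.6f}) can0 000#" for i in range(200)]
    return sorted(lines, key=lambda l: float(l[1:l.index(")")]))

if __name__ == "__main__":
    for ts, arb_id, count in detect_flood(make_sample_log()):
        print(f"t={ts:.3f}s ID 0x{arb_id:03X}: {count} frames in 100 ms window")
```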
Food for thought
In 2011 the researchers identified, as a real attack vector, the computers to which cars are connected at garages: they run Windows and often need Internet access … And as a theoretical vector, possible in the future, the "smart" chargers installed at charging stations for electric vehicles, which carry not only high current but also data.
Unlike their previous, very specific report, this one reads more like an exciting story about the heights and failures of engineering. Take, for instance, a music track in WMA format that plays on a computer like ordinary music but, on the car's player, sends malicious packets to the CAN bus. Or the discussion of how one might connect to the car via Bluetooth or through a telematics system with a cellular connection.
In other words, in this report the researchers were rather pointing out potential threats that resemble hacker movie scripts, with the caveat that they really did all of this in the laboratory rather than merely suggesting that such things could happen.
Chris Valasek and Charlie Miller – the legendary duo
They began by meticulously repeating the work of their predecessors, and writing a much more detailed and complete report. Its conclusions have already been mentioned several times in this article: to break into a car successfully you need a lot of painstaking preliminary work, which has its pitfalls; for example, if you examine ECUs separately from the car, on a special test bench, they can (and will!) behave not quite as they do in working conditions. But if you are not put off by all this work, then once you get access to the car it will be clear what to do, and a lot can be done.
Then they studied a couple of dozen specific car models, paying attention to the details of their network architecture and especially to possible remote attack vectors. It was at this stage that they singled out the so-called cyber-physical components: all kinds of driver assistance such as cruise control or the LKA (Lane Keep Assist) unit. These devices are at once the most attractive end goal for a hacker and important milestones on the road to a truly self-driving car.
Valasek and Miller found that, on the one hand, car manufacturers use different components and network architectures, but on the other hand, many infotainment systems use well-known solutions from ordinary consumer electronics, up to and including web browsers.
Continuation is available only to participants
Materials from the latest issues become available separately only two months after publication. To continue reading, you must become a member of the Xakep.ru community.