Hackers in the automotive world - expect an impact on the design and development
- Aug. 11, 2015
- Marcel Romijn
Recent news reports showed that car hacking has now reached the point where cars with internet connectivity can be hacked completely remotely. Several OEMs quickly had to roll out software updates to close the holes.
In the meantime US senator Ed Markey had launched investigations into automotive data security, in terms of both safety and privacy. Unsatisfied with the responses from the OEMs, he recently submitted a proposed Act to Congress that could become legislation. Its goal is to make vehicles safe in terms of data security.
Senator Markey calls for isolation
Part of the proposal calls for the isolation of safety-critical and non-safety-critical parts. That seems a very natural response to the hacks demonstrated by researchers, who were able to influence, for example, the brake systems of cars.
Beyond these researchers, however, the most likely hacking attempts would perhaps not target the safety-critical zone at all. The coupling of the infotainment system to payment systems, for example, is a more likely attack target. A more worrying item is the exposure to malware or viruses and how they may start impacting the safety-critical zones as well. An earlier BRACE blog already brought this topic up:
A call for isolation therefore still makes sense. The infotainment systems of vehicles are exposed to so many connections and tampering attempts that some of them will be hacked or infected.
At BRACE a thought experiment was carried out to see how the safety-critical zone could be attacked via the infotainment system's CAN-bus connection to the rest of the vehicle.
Breaking into the Safety-Critical zone via the CAN-bus
A CAN message is placed on the bus by a sending CAN node. The message contains an ID (Identifier) and data. The data can be as little as a single bit that gives a command to engage the electric Parking Brake (an on/off or TRUE/FALSE type). The ID tells listening CAN nodes what to look for, and it is also used to prioritize CAN messages when the CAN-bus gets very busy. The ID contains no information about who the sender was, nor about who the addressee is.
A CAN message is placed on the bus for any interested CAN node to read; it is broadcast. Therefore only one CAN node needs to place information or a command on the bus, and all listeners then have access to it.
It gets a bit strange if multiple sending CAN nodes place the same message on the CAN-bus. The receivers, however, would not notice the difference. On a typical standard CAN-bus there is therefore no way for a receiver to check the source of the data, and normally there is no need for the receiver to know the source.
If someone wants to hack into the CAN-bus, however, there can be multiple sources. A simple design decision to send all data and commands at frequent intervals can quickly eliminate false information or false commands: with the Parking Brake command, the brake may be engaged for some milliseconds at most before a new update from the justified sender gives the proper command again.
If it is possible to make the justified sender shut up, however, it becomes possible to take over control. One possibility is to use a command from Diagnostics & Programming: many control units in the car can be addressed with a diagnostic message that tells them to shut up, which is normally used to reserve the CAN-bus entirely for programming other control units.
A more drastic approach would be to take over the justified sender completely. This requires a hack that can alter the CAN messages it sends.
If the justified sender happens to be the infotainment system itself (the most likely entry point for hacking), not much extra effort is involved. It is quite possible that the infotainment system is the justified sender for engaging the Parking Brake, perhaps as part of a remote shutdown system designed to respond to car theft.
If the entry point is not the justified controller, the justified controller can instead be reprogrammed with modified software (with the entry point mimicking a diagnostic tool) so that it is permanently "shut up".
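As an added illustration, not part of the original BRACE post, the following Python monitor turns the two observations above into a bus-side check: a spoofed Parking Brake command from a second sender shows up as frames arriving far off the expected period, and a silenced justified sender shows up as the periodic frame stopping. The candump-style log lines are constructed, and the CAN ID 0x2A0, its 20 ms period and the one-byte engage flag are assumptions, not values from any real vehicle.

```python
import re
# Constructed candump-style log "(timestamp) iface ID#DATA". ID 0x2A0 is an assumed
# periodic parking-brake command (20 ms period, data 01 = engage). A second node
# injects "engage" at 0.045 and 0.065; after 0.100 the legitimate sender goes quiet.
SAMPLE_LOG = """\
(0.000) can0 2A0#00
(0.020) can0 2A0#00
(0.040) can0 2A0#00
(0.045) can0 2A0#01
(0.060) can0 2A0#00
(0.065) can0 2A0#01
(0.080) can0 2A0#00
(0.100) can0 2A0#00
(0.200) can0 3C0#1234
"""
EXPECTED_PERIOD = {0x2A0: 0.020}  # assumed transmission period (s) per monitored ID
LINE_RE = re.compile(r"\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse_candump(text):
    """Parse log lines into (timestamp, can_id, data_bytes) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m[1]), int(m[2], 16), bytes.fromhex(m[3])))
    return frames

def check_periodicity(frames, expected=EXPECTED_PERIOD, fast=0.5, silent=3.0):
    """Timing monitor for periodic IDs. A frame sooner than fast*period after the
    previous one with the same ID suggests a second sender; a gap over silent*period
    (also measured to the log end) suggests the sender was silenced."""
    last, alerts = {}, []
    for ts, cid, data in frames:
        period = expected.get(cid)
        if period is None:
            continue  # not a monitored ID
        if cid in last:
            gap = ts - last[cid]
            if gap < period * fast:
                alerts.append((ts, cid, "too-fast", data))
            elif gap > period * silent:
                alerts.append((ts, cid, "silence", data))
        last[cid] = ts
    end = frames[-1][0] if frames else 0.0
    for cid, period in expected.items():
        if cid in last and end - last[cid] > period * silent:
            alerts.append((end, cid, "silence", None))
    return alerts

print(check_periodicity(parse_candump(SAMPLE_LOG)))  # runs the check on the sample
```

A justified sender that has itself been reprogrammed keeps the expected timing and is invisible to this check, which is one reason the isolation argument in the next section still stands.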
We are not there yet
As seen above, there are several possible ways in which a false command can be given to a system such as the Parking Brake. It takes a bit more effort if the infotainment system (or any other hacking entry point) is not the justified sender, since that gives a multiple-sender scenario.
The "easiest" case is when the justified controller is also the entry point for hacking. The interaction the infotainment system has with the safety-critical zone is therefore the largest security risk.
The call for isolation is understandable from a security standpoint, but it goes against the trend and the information hunger of the more recent inventions applied in automotive. In many trucks, for example, the infotainment system holds the GPS position, and together with 3D map data the Cruise Control function can take the road ahead into account. Where there is a lot of uphill and downhill driving, the Cruise Control can be predictive and so improve fuel economy. And that's just one of many examples.
So there is still a lot of work to be done to isolate the critical from the non-critical without losing the newly gained functionality and the future functionality that autonomous driving will need. Making vehicles safe in terms of data security will have its effect on design and development: beyond the existing analysis of failure modes at system and component level, analysis of malicious activity will now also be needed.