The 30-year-old protocol used by vehicle sensors to communicate may have to be rewritten following a proof-of-concept attack that can disable airbags, parking sensors and safety systems.
The research, first reported by Wired on Wednesday, was developed by Trend Micro, Politecnico di Milano and Linklayer Labs. It was presented in early July at the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) conference in Bonn, Germany.
It is a denial-of-service attack: it forces a targeted electronic control unit to take itself off the bus, and the researchers say it evades the intrusion detection systems currently built for vehicles. Any vehicle that uses the Controller Area Network (CAN) bus protocol is exposed, which includes most vehicles manufactured in recent years.
Such an attack "can drastically affect the car's performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the anti-lock braking system are deactivated," writes Federico Maggi, a senior threat researcher with Trend Micro, in a blog post.
The findings are significant enough that ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team, issued an advisory on July 28.
"ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations," it says.
The research shows again that the complicated systems underlying modern vehicles are far from secure. It adds to a growing body of work on how software vulnerabilities and design flaws could put drivers and passengers at risk.
The CAN bus carries messages in "frames." The standard's fault-confinement rules make every node keep an error counter, and a node that accumulates too many transmission errors enters the "bus off" state, disconnects itself from the bus and stops working, as Maggi notes.
Errors are not uncommon on a CAN bus, whether from electrical noise or from several devices contending for it, according to the full research paper. Every node checks each frame as it is transmitted; a node that detects a fault transmits an error frame, which invalidates the frame for everyone on the bus so that the sender retransmits it. Each such event raises the sender's error counter (by 8 for the transmitting node, under ISO 11898-1), and the node goes bus-off once the counter exceeds 255.
For the demonstration, the researchers built a custom device that attaches to the CAN bus through an existing input such as the On-Board Diagnostics II (OBD-II) port, usually located under the driver's-side dashboard. The device watches for a legitimate frame from the targeted ECU and, at a chosen point, overwrites one of its recessive bits with a dominant bit, which always wins on the wire. The transmitting ECU reads back a bit that differs from the one it sent, flags an error and retransmits; because every retransmission is corrupted the same way, its error counter climbs until it drops off the bus. Generating enough errors this way, a so-called "error flooding" attack, shuts the targeted system down.
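To make the mechanism concrete, the following simulation is an added illustration written for this article; it is not the researchers' code. It models the CAN fault-confinement counters as ISO 11898-1 defines them (transmitter +8 per detected error, receivers +1, error-passive above 127, bus-off above 255, -1 per successfully completed frame) and an attacker that overwrites a single recessive data bit of every frame with a chosen ID. Bit timing, arbitration and the CRC are abstracted away, and the ECU names, CAN IDs and payloads are constructed for the example.

```python
"""Model of the CAN fault-confinement rules behind the bus-off attack.

Constructed illustration, not the researchers' code. Counter rules follow
ISO 11898-1; wire timing, arbitration and CRC are abstracted away, and the
ECU names, IDs and payloads below are made up for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ERROR_PASSIVE_LIMIT = 127   # TEC or REC above this -> error-passive
BUS_OFF_LIMIT = 255         # TEC above this -> bus-off (node disconnects itself)
TEC_PER_TX_ERROR = 8        # transmitter detecting an error
REC_PER_RX_ERROR = 1        # receiver detecting an error


@dataclass
class Frame:
    can_id: int
    data: bytes

    def data_bits(self) -> List[int]:
        # 1 = recessive, 0 = dominant; a dominant bit always wins on the wire
        return [int(b) for byte in self.data for b in format(byte, "08b")]


@dataclass
class Node:
    name: str
    tec: int = 0  # transmit error counter
    rec: int = 0  # receive error counter

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT or self.rec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"


@dataclass
class Attacker:
    """Bit-banging device on the bus. It is not a CAN controller, keeps no
    error counters and is never confined; it only drives one bit dominant."""
    target_id: int

    def tamper(self, frame: Frame, bits: List[int]) -> List[int]:
        if frame.can_id != self.target_id:
            return bits
        for i, bit in enumerate(bits):
            if bit == 1:  # first recessive data bit: overwrite with dominant
                return bits[:i] + [0] + bits[i + 1:]
        return bits


@dataclass
class Bus:
    nodes: List[Node]
    attacker: Optional[Attacker] = None
    accepted: List[Tuple[str, int, bytes]] = field(default_factory=list)  # what a frame-level IDS sees
    error_frames: int = 0

    def transmit(self, sender: Node, frame: Frame) -> bool:
        """One transmission attempt; True if the frame completed and was accepted."""
        if sender.state == "bus-off":
            return False  # a bus-off node has disconnected itself
        sent = frame.data_bits()
        on_bus = self.attacker.tamper(frame, sent) if self.attacker else sent
        if on_bus != sent:
            # Bit monitoring: the transmitter sent recessive but reads dominant.
            # It signals a bit error, the frame is invalidated for everyone and
            # the controller will retransmit it automatically.
            self.error_frames += 1
            sender.tec += TEC_PER_TX_ERROR
            for node in self.nodes:
                if node is not sender and node.state != "bus-off":
                    node.rec += REC_PER_RX_ERROR
            return False
        sender.tec = max(0, sender.tec - 1)
        for node in self.nodes:
            if node is not sender:
                node.rec = max(0, node.rec - 1)
        self.accepted.append((sender.name, frame.can_id, frame.data))
        return True


def errors_until_bus_off(bus: Bus, target: Node, frame: Frame, limit: int = 10_000) -> int:
    """Retransmit `frame` as a real controller would until `target` goes bus-off."""
    attempts = 0
    while target.state != "bus-off":
        attempts += 1
        if attempts > limit:
            raise RuntimeError("target never reached bus-off")
        bus.transmit(target, frame)
    return attempts


def simulate() -> dict:
    parking = Node("parking-sensor-ecu")
    abs_ecu = Node("abs-ecu")
    bus = Bus([parking, abs_ecu], attacker=Attacker(target_id=0x1A0))
    target_frame = Frame(0x1A0, bytes.fromhex("0a2c"))  # constructed payloads
    other_frame = Frame(0x2B0, bytes.fromhex("ff01"))

    errors = errors_until_bus_off(bus, parking, target_frame)
    others_ok = all(bus.transmit(abs_ecu, other_frame) for _ in range(5))
    return {
        "errors_until_bus_off": errors,
        "target_state": parking.state,
        "other_state": abs_ecu.state,
        "other_frames_ok": others_ok,
        # The IDS sees only completed frames: no target frame ever completes and
        # no frame with forged content appears, so there is nothing to flag.
        "ids_saw_target_frame": any(cid == 0x1A0 for _, cid, _ in bus.accepted),
        "error_frames_on_bus": bus.error_frames,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run as written, the targeted ECU is bus-off after 32 corrupted transmissions (32 x 8 = 256 > 255) while the untargeted ECU keeps transmitting normally, and the `accepted` list, which is all a frame-level IDS gets to inspect, never contains a forged frame or even the targeted ID. The only evidence is the count of error frames on the wire, which is why the researchers say detecting this needs changes below the frame level rather than a smarter frame filter.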
Frame-injection attacks have been discussed for several years. The famous 2015 hack of a Jeep Cherokee by Charlie Miller and Chris Valasek used frame injection to manipulate the vehicle's brakes and take over its steering. But while automotive security products can now detect the anomalous frames used in the Jeep demonstration, the researchers say their new attack, which alters a single bit of a legitimate frame rather than injecting frames of its own, is undetectable by them.
"Even under the assumption that a state-of-the-art IDS/IPS is monitoring the CAN bus, our attack is undetectable," they write.
Error-Flooding Attack Mitigation
Mitigating the attack is difficult without changing the CAN standard itself, Maggi writes. The problem lies in the protocol's own error-handling design, so it cannot be patched by an over-the-air update or a product recall. (After the Jeep findings, Fiat Chrysler recalled 1.4 million vehicles.)
The CAN protocol has other well-known weaknesses. It has no access or authentication controls, so any device attached to the bus can read every frame and write its own, and every node trusts whatever arrives. "Effectively detecting and blocking our attack would require changes in the standard, major architectural changes in the network topology and the redesign of in-vehicle networks," the researchers write.
Possible mitigations the researchers list include network segmentation or topology changes, a hardware key for the OBD-II port, authentication of OBD-II diagnostic traffic and encryption of CAN frame ID fields.
The attack is easiest with physical access to the vehicle, which is how the researchers demonstrated it. But Maggi argues that the need for physical access does not diminish the findings, given how transportation is changing with car- and ride-sharing.
The attack could also be mounted remotely through a vulnerability in, for example, an infotainment system, which was the initial foothold in the Jeep Cherokee attack; that foothold gave access to the vehicle's internal network and the ability to interfere with CAN traffic.
"Without remotely exploitable vulnerabilities, neither our attack nor the Jeep hack would be possible," the researchers write.