Hack of telematics device lets attackers mess with car’s brakes

Status
Not open for further replies.

Wickwick

Ars Legatus Legionis
40,243
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?

I can understand that OnStar needs to be able to talk to a subset of things in the car to unlock the door, etc. However, why does my insurance company need to be able to talk to my car, ever? It's monitoring the car's performance. It should not be altering it. Therefore, the I/O lans should only be 'I' and not 'O.'
 
Upvote
37 (39 / -2)

Xavin

Ars Legatus Legionis
30,675
Subscriptor++
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?
The CAN bus transfers all kinds of information back and forth. Stuff like infotainment systems usually are one-way, but the hacks here have been re-writing the firmware to make them two-way. The system just trusts that anything on the network is supposed to be there. It was designed in the 90s.

I'm not very confident any of the traditional manufacturers will fix this, they can't even make a half-decent mp3 player/navigation unit, so expecting proper network security is like asking a four year old to security audit their iPad. There is a culture of ignorance and aversion to change in the auto industry, and it's more likely new players will take over than the old ones change.
 
Upvote
50 (50 / 0)

conan77

Ars Scholae Palatinae
1,298
TKu said:
Great, as the EU wants all new cars to have a device installed that calls emergency after an accident starting from 2018, this will be hacker haven.

To know if you had an accident the thing needs to be on the CAN bus and to call the emergency hotlines it needs a modem.
Hmm how could that idea go wrong?

Doesn't need to be on the bus. A simple LED which illuminates after airbag deployment and a photocell to pick it up on the device that calls emergency is all you need. Make this data diode a one-piece device to prevent light leakage and false alarms but each end is electrically separate. The LED is output only. If you want to get fancier the LED can send digital one-way communication.
 
Upvote
13 (16 / -3)

Dilbert

Ars Legatus Legionis
34,009
Why don't these devices communicate one-way only?

There's no such thing in TCP/IP. The moment a networked computer system accepts an arbitrary message from outside, it is vulnerable. The software needs to parse that message, and that makes it possible to use malformed input to hack into it. Edit: this is assuming the system isn't already vulnerable to a boneheaded mistake such as unauthenticated access or hardcoded credentials. Which a lot of embedded systems are.

Car makers could add some sort of basic security in there, as understood by them. But it's naïve from the standpoint of a more sophisticated attacker, and easily circumvented.
 
Upvote
3 (14 / -11)

jandrese

Ars Legatus Legionis
13,993
Subscriptor++
Dilbert said:
Why don't these devices communicate one-way only?

There's no such thing in TCP/IP. The moment a networked computer system accepts an arbitrary message from outside, it is vulnerable. The software needs to parse that message, and that makes it possible to use malformed input to hack into it. Edit: this is assuming the system isn't already vulnerable to a boneheaded mistake such as unauthenticated access or hardcoded credentials. Which a lot of embedded systems are.

Car makers could add some sort of basic security in there, as understood by them. But it's naïve from the standpoint of a more sophisticated attacker, and easily circumvented.

The CAN bus doesn't use TCP/IP though, it has a far more primitive signalling protocol.

It's really no surprise that there are a ton of hacks for the CAN bus. Vehicle manufacturers historically have never had to worry about security on their ECUs, and had no culture of security.
 
Upvote
30 (30 / 0)
Wickwick said:
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?

I can understand that OnStar needs to be able to talk to a subset of things in the car to unlock the door, etc. However, why does my insurance company need to be able to talk to my car, ever? It's monitoring the car's performance. It should not be altering it. Therefore, the I/O lans should only be 'I' and not 'O.'

One possibility is because some devices on CAN BUS need to be sent diagnostic codes in order for them to reply with specific information for OBD-II. Some information is constantly sent (such as RPM) but not all information. I'm not sure that applies to anything that these devices in question are monitoring, but it's something to keep in mind when it comes to anything that's meant to be a full-fledged OBD-II scanner.

Secondly: most standard/commodity microcontrollers have I/O ports, not just input ports (at least, so far as the digital ports). Most companies buy fairly standard microcontrollers, or even packages based around a standard microcontroller, for a number of reasons. If you can attack the specific microcontroller's firmware, you can make it send. The only way around this is for the hardware itself to be made incapable of sending (someone mentioned something a lot like a piecemeal one-way isolating optocoupler).

I'm not saying this excuses shoddy security. But they are the likely reasons in response to the question you asked. The reality is that CAN and OBD-II were never built around security themselves, so once you're on the bus you basically can do anything you want, short of whatever device you're trying to affect deciding not to comply with the commands you're sending.

Final thoughts: if these are devices all built around the same package, some fleet customers probably want them to be anti-theft capable. In which case they'd need to be able to send on the bus in order to disengage the ignition/etc. Most manufacturers base their design on a single hardware package and then just enable/disable features like that in software/firmware, but the hardware is still capable of the functionality if you can "unlock" it.
 
Upvote
15 (15 / 0)
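jandrese's point above, that some OBD-II data only arrives when a tester asks for it, worked through as an added example (not code from the thread or from any dongle vendor): to read engine RPM the dongle has to transmit a request frame on the bus, which is why a purely read-only device cannot be a full OBD-II scanner. Frame layout follows SAE J1979 mode 0x01 carried in a single ISO 15765-2 frame; the ECU reply is constructed.

```python
"""OBD-II over CAN: why a "read-only" dongle still has to transmit.

Live data such as engine RPM is only sent when a tester requests it:
the dongle puts a request frame on the functional ID 0x7DF and an ECU
answers on one of 0x7E8..0x7EF. Added example; the reply is constructed.
"""
from dataclasses import dataclass

OBD_REQUEST_ID = 0x7DF                  # functional request, any ECU may answer
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)  # physical responses from ECU 0..7
MODE_CURRENT_DATA = 0x01
PID_ENGINE_RPM = 0x0C
PID_VEHICLE_SPEED = 0x0D


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes


def build_obd_request(pid: int, mode: int = MODE_CURRENT_DATA) -> CanFrame:
    """Single-frame ISO-TP request: [length, mode, pid, padding...]."""
    payload = bytes([2, mode, pid])
    return CanFrame(OBD_REQUEST_ID, payload + b"\x00" * (8 - len(payload)))


def parse_obd_response(frame: CanFrame, expected_pid: int) -> bytes:
    """Return the PID data bytes (A, B, ...) from a single-frame reply,
    or raise ValueError if the frame is not a matching mode-0x01 reply."""
    if frame.arb_id not in OBD_RESPONSE_IDS:
        raise ValueError(f"not an OBD response ID: {frame.arb_id:#x}")
    if len(frame.data) < 3:
        raise ValueError("short frame")
    length, mode, pid = frame.data[0], frame.data[1], frame.data[2]
    if mode != MODE_CURRENT_DATA + 0x40:   # positive response is mode | 0x40
        raise ValueError(f"unexpected response mode {mode:#x}")
    if pid != expected_pid:
        raise ValueError(f"reply is for PID {pid:#x}, expected {expected_pid:#x}")
    # length counts mode + pid + data bytes, so the data is length-2 bytes long
    return frame.data[3:1 + length]


def decode_rpm(data: bytes) -> float:
    """PID 0x0C: RPM = (256*A + B) / 4."""
    return (256 * data[0] + data[1]) / 4


def decode_speed_kmh(data: bytes) -> int:
    """PID 0x0D: a single byte in km/h."""
    return data[0]


# Constructed exchange: the dongle asks for RPM and the engine ECU (0x7E8)
# answers 1800 rpm (0x1C20 / 4).
REQUEST = build_obd_request(PID_ENGINE_RPM)
CONSTRUCTED_REPLY = CanFrame(0x7E8, bytes([4, 0x41, 0x0C, 0x1C, 0x20, 0, 0, 0]))


def read_rpm(reply: CanFrame = CONSTRUCTED_REPLY) -> float:
    return decode_rpm(parse_obd_response(reply, PID_ENGINE_RPM))


if __name__ == "__main__":
    print("request the dongle must put on the bus:",
          hex(REQUEST.arb_id), REQUEST.data.hex())
    print("decoded RPM from constructed reply:", read_rpm())
```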

RndNum123

Ars Scholae Palatinae
813
Dilbert said:
Why don't these devices communicate one-way only?

There's no such thing in TCP/IP. The moment a networked computer system accepts an arbitrary message from outside, it is vulnerable. The software needs to parse that message, and that makes it possible to use malformed input to hack into it. Edit: this is assuming the system isn't already vulnerable to a boneheaded mistake such as unauthenticated access or hardcoded credentials. Which a lot of embedded systems are.

Car makers could add some sort of basic security in there, as understood by them. But it's naïve from the standpoint of a more sophisticated attacker, and easily circumvented.

OP is talking about replacing the "direct attachment to the CAN bus" with a one-way connection to the CAN bus (some kind of read-only firewall; no TCP/IP involved so far) as I understand it. So when your web-connected modem gets hacked via TCP/IP the modem itself has no write access to any CAN bus at all.

The things that the attacker could do in this case would likely be about suppressing/faking possible warning messages that get sent by the modem to the manufacturer/your phone/whatever.
 
Upvote
7 (7 / 0)

dlux

Ars Legatus Legionis
25,514
It's fast becoming apparent that the CAN bus network—used by cars for the last two decades—can become a real liability once it's connected to the Internet.
Fast becoming apparent?!? Who the hell couldn't see this coming the moment it was even proposed on a whiteboard?

(That was rhetorical. PLENTY of people didn't see this coming, yet they still manage to run R&D departments or entire companies. With bonuses.)
 
Upvote
14 (14 / 0)

ChaoticUnreal

Ars Tribunus Angusticlavius
7,892
Subscriptor++
Wickwick said:
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?

I can understand that OnStar needs to be able to talk to a subset of things in the car to unlock the door, etc. However, why does my insurance company need to be able to talk to my car, ever? It's monitoring the car's performance. It should not be altering it. Therefore, the I/O lans should only be 'I' and not 'O.'

The article states it was a pay-per-mile insurance, so I suspect they needed to monitor how many miles you drove, and since people lie they chose to stick a device on the CANbus.

As for it being one way, yes, they should update that, but the way it currently stands anything on the CAN is trusted and can talk both ways.
 
Upvote
4 (5 / -1)

xme

Ars Scholae Palatinae
647
null_interface said:
So how much is that dumb "safe driver" discount - contingent upon letting your insurer plug in a connected OBD-II dongle that hoovers up all of your driving habits - worth to you now?

Personally I'll just add this to the list of reasons I'll never choose to add something like this to my vehicle. Honestly I'd be shocked to find out that what they qualify as safe driving is in any way congruent with actual safe driving. OBD-II + GPS isn't going to tell you if I'm paying a damned bit of attention, cutting people off left and right, blowing through red lights, or even driving directly towards oncoming traffic...
 
Upvote
7 (8 / -1)

etronz

Wise, Aged Ars Veteran
151
Wow, the auto industry is really calling in the hit pieces. They are scared of the pending "Right to Repair" DMCA exemption. Maybe they can scare us into thinking that little computer box in our car should be protected by the DMCA after all.

I cannot believe copyright is being used to keep us out of the stuff we own. First sale doctrine anyone? It's under attack from the auto industry.
 
Upvote
7 (9 / -2)
About a decade ago, I worked on a CAN telematics system. There wasn't a huge amount of two way communication; it was mostly the telematics VCU reading stuff off the bus and collecting the information. But that doesn't mean anything, because there wasn't anything stopping you from spoofing messages. We rarely even had a car to work with, let alone one that we were allowed to drive around crashing into things to make the airbag deploy. ;-) It was usually just a simulator sending out a crapload of messages, and there's nothing to check you are who you say you are. You want to write it to the bus? Have fun!

I was a relative peon so I have no idea what higher-ups thought about security but it was not even a consideration at our level.

Removing the antenna would keep a unit from connecting remotely but it's going to still be in there collecting the data for someone to retrieve at the dealer or something. If you're really worried about it, you could disconnect the thing totally but I think it's going to be throwing error codes left and right and you'd never get a clear test from an OBDII system. There's some places that require clean OBD tests to get a car registered. I imagine that would be a problem. You could take advantage of the lack of security and spoof the telematics VCU's outbound messages so the car doesn't know the VCU isn't there, I suppose...
 
Upvote
14 (14 / 0)
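The post above makes the core point: nothing on the bus checks that a sender is who it claims to be, so a spoofed frame is accepted like any other. One defensive response, added here as an example that is not code from the thread, is to watch behaviour instead: learn each arbitration ID's broadcast cadence from clean traffic, then flag frames that arrive far too early for their ID (a second sender interleaving its own copies) or from an ID never seen during baseline. The candump-style log lines, IDs and payloads are constructed.

```python
"""Timing-based spoof detection for a CAN bus log (added example).

Most ECU broadcasts are strictly periodic. An injected copy of a periodic
frame lands between the genuine ones, much earlier than the learned
period, and a new sender shows up as an ID the baseline never contained.
Log lines use candump's "(timestamp) iface ID#DATA" layout; all traffic
below is constructed.
"""
from collections import defaultdict
from statistics import median
import re

LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")


def parse_candump_line(line: str):
    """Parse one candump log line into (timestamp, arbitration id, payload)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


class CadenceMonitor:
    """Learn each ID's period from clean traffic, then flag frames that
    arrive much too early for their ID or come from an unknown ID."""

    def __init__(self, baseline_lines, early_ratio=0.5):
        self.early_ratio = early_ratio
        gaps = defaultdict(list)
        last = {}
        for line in baseline_lines:
            ts, arb_id, _ = parse_candump_line(line)
            if arb_id in last:
                gaps[arb_id].append(ts - last[arb_id])
            last[arb_id] = ts
        # median tolerates a single jittery sample in the baseline
        self.period = {i: median(g) for i, g in gaps.items() if g}
        self.last_seen = {}

    def check(self, line: str) -> list:
        """Return alert strings for one live frame (empty list if clean)."""
        ts, arb_id, _ = parse_candump_line(line)
        alerts = []
        if arb_id not in self.period:
            alerts.append(f"unknown id {arb_id:#05x} at {ts:.3f}s")
        elif arb_id in self.last_seen:
            gap = ts - self.last_seen[arb_id]
            if gap < self.early_ratio * self.period[arb_id]:
                alerts.append(
                    f"id {arb_id:#05x} at {ts:.3f}s arrived {gap * 1000:.1f} ms "
                    f"after the previous frame (expected ~{self.period[arb_id] * 1000:.0f} ms)")
        self.last_seen[arb_id] = ts
        return alerts


def make_lines(arb_id, data, period, count, start=0.0):
    """Constructed helper: emit `count` periodic frames for one ID."""
    return [f"({start + k * period:.6f}) can0 {arb_id:03X}#{data}" for k in range(count)]


# Constructed baseline: a 10 ms wheel-speed-style frame and a 100 ms status frame.
BASELINE = sorted(make_lines(0x0C9, "0000000000000000", 0.010, 50)
                  + make_lines(0x1A1, "0A", 0.100, 5))

# Constructed live traffic: the same senders, plus one extra 0x0C9 copy 3 ms
# after a genuine frame and one frame from an ID that was never on the bus.
LIVE = sorted(make_lines(0x0C9, "0000000000000000", 0.010, 10, start=1.0)
              + make_lines(0x1A1, "0A", 0.100, 1, start=1.0)
              + ["(1.033000) can0 0C9#FFFF000000000000",
                 "(1.050000) can0 3E0#01"])


def scan(baseline_lines=BASELINE, live_lines=LIVE) -> list:
    """Train on the baseline, then return every alert raised by the live log."""
    mon = CadenceMonitor(baseline_lines)
    found = []
    for line in live_lines:
        found.extend(mon.check(line))
    return found


if __name__ == "__main__":
    for alert in scan():
        print("ALERT:", alert)
```

A real deployment would also need to handle legitimately aperiodic IDs (event-driven frames) and bus-load jitter before the early-arrival rule is trustworthy on its own.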
RndNum123 said:
OP is talking about replacing the "direct attachment to the CAN bus" with a one-way connection to the CAN bus (some kind of read-only firewall; no TCP/IP involved so far) as I understand it. So when your web-connected modem gets hacked via TCP/IP the modem itself has no write access to any CAN bus at all.

Economies of scale.

It does not make financial sense for a silicon vendor to make a read only CAN transceiver when 99% of customers want to both read and write the CAN bus.
 
Upvote
6 (8 / -2)

xme

Ars Scholae Palatinae
647
Xavin said:
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?
The CAN bus transfers all kinds of information back and forth. Stuff like infotainment systems usually are one-way, but the hacks here have been re-writing the firmware to make them two-way. The system just trusts that anything on the network is supposed to be there. It was designed in the 90s.

I'm not very confident any of the traditional manufacturers will fix this, they can't even make a half-decent mp3 player/navigation unit, so expecting proper network security is like asking a four year old to security audit their iPad. There is a culture of ignorance and aversion to change in the auto industry, and it's more likely new players will take over than the old ones change.
I'm sure it's been said 1000 times already, but Tesla seems like they may be the only company with the right attitude towards this sort of security - and they've still had issues. OBD is also in need of another overhaul, but the culture is all wrong there too - all the focus is on more quickly detecting and notifying governing bodies of emissions issues and holding the owner liable rather than actual technical changes.
 
Upvote
4 (4 / 0)
xme said:
Xavin said:
And this is what I just don't get about this vector and, e.g. how one hacks into the avionics from the infotainment system on an aircraft. Why don't these devices communicate one-way only?
The CAN bus transfers all kinds of information back and forth. Stuff like infotainment systems usually are one-way, but the hacks here have been re-writing the firmware to make them two-way. The system just trusts that anything on the network is supposed to be there. It was designed in the 90s.

I'm not very confident any of the traditional manufacturers will fix this, they can't even make a half-decent mp3 player/navigation unit, so expecting proper network security is like asking a four year old to security audit their iPad. There is a culture of ignorance and aversion to change in the auto industry, and it's more likely new players will take over than the old ones change.
I'm sure it's been said 1000 times already, but Tesla seems like they may be the only company with the right attitude towards this sort of security - and they've still had issues. OBD is also in need of another overhaul, but the culture is all wrong there too - all the focus is on more quickly detecting and notifying governing bodies of emissions issues and holding the owner liable rather than actual technical changes.

Tesla is in the unique position of being a company run by someone who loves technology as much as they love money. Being able to engineer around problems like this with a non-archaic update system isn't just good business for them, it's interesting on a personal level for the people messing with it. That and when the CEO is intimately engaged in literal rocket science it's much harder to sneak bullshit engineering past him.
 
Upvote
20 (20 / 0)

BajaPaul

Ars Tribunus Militum
2,883
How many dongles can you put in a vehicle? Just one? Do they have pass-through ports so you can chain a whole string of them together? Seems like everyone and your brother are going to want one of these dongles on your vehicle eventually.

Seems like the best way to hack the system is to hack the unit at the dealer or servicer that plugs into it. Those computers probably are always getting online updates for new models and stuff.

Hack the computer updating the dealer and servicer units and then you can hack all the cars in the country that plug into them...
 
Upvote
1 (1 / 0)
Antron Argaiv said:
So...if you choose not to pay for the OnStar service...are you still on their network? Can GM/OnStar still do whatever they want to your car, or is there no cellular link (because you haven't paid for it)?
I know for certain that this was true at one point in time for at least one model of vehicle (the one I owned, when I owned it). I would imagine that it is true for all vehicles with OnStar except perhaps any that have lost the connection due to the obsolescence of their cellular equipment. I know because I remember reading that as long as you used the OnStar remote control app to start your car during the trial period, you would continue to be able to use it even if you did not pay for OnStar.

I also remember reading that the Uconnect Jeep hack would work on vehicles that weren’t paying for the service, so there’s that.
 
Upvote
0 (0 / 0)

Gibborim

Ars Tribunus Militum
1,833
xme said:
I'd genuinely be shocked to find security is an afterthought in these sorts of devices. Shocked to find out it was a thought at all... Some companies really need to understand the implication of these types of decisions at least well enough to know they aren't capable of handling it in-house.

Very few companies consider the attack surfaces that connecting these kinds of devices to the internet creates.
 
Upvote
1 (1 / 0)

RndNum123

Ars Scholae Palatinae
813
MythBusterJoe said:
RndNum123 said:
OP is talking about replacing the "direct attachment to the CAN bus" with a one-way connection to the CAN bus (some kind of read-only firewall; no TCP/IP involved so far) as I understand it. So when your web-connected modem gets hacked via TCP/IP the modem itself has no write access to any CAN bus at all.

Economies of scale.

It does not make financial sense for a silicon vendor to make a read only CAN transceiver when 99% of customers want to both read and write the CAN bus.
It isn't that expensive to make a read-only CAN bus yourself (pair a CAN bus with an optocoupler and a SoC/tiny not-connected computer).
Economies of scale don't really matter that much, as the car manufacturers have enough scale on their own.

Even if you didn't have economies of scale and this part cost like $50, safety should well be worth it.
 
Upvote
0 (1 / -1)

Magius

Ars Scholae Palatinae
699
xme said:
I'd genuinely be shocked to find security is an afterthought in these sorts of devices. Shocked to find out it was a thought at all... Some companies really need to understand the implication of these types of decisions at least well enough to know they aren't capable of handling it in-house.

Software/Firmware team: "All right boss, we completed the initial part of the design and usability testing. We are about to start deeper security and penetration tests."
Manager: "Wait, did you say everything checked out ok for general use?"
S/FT: "Yes, but we still need to make sure the Bluetooth stack and services are able to withstand common hacks, not to mention there may be a couple of exposed hooks from junior programmers"
Manager: "Ship it"
S/FT: "But sir, while it works, there may be complications if someone were to probe the unit!"
Manager: "So it is just a possibility, you are not positive there IS something"
S/FT: "Well, no, that is why we need to test"
Manager: "Ship it NOW"
S/FT: "But... *sigh* Yes sir"*

*Assuming a competent software team. I have seen plenty of this on both sides. I am getting old...
 
Upvote
10 (10 / 0)

giltwist

Ars Tribunus Militum
1,609
Upvote
3 (3 / 0)
Antron Argaiv said:
So...if you choose not to pay for the OnStar service...are you still on their network? Can GM/OnStar still do whatever they want to your car, or is there no cellular link (because you haven't paid for it)?

Even if you do not pay, your car still contains a cellular modem which is capable, and does, connect to the network. GM got in trouble a while back for tracking people who weren't subscribers and selling this information off to third parties.

The common method to "disconnect" from the network if you don't want to subscribe to OnStar is to remove the antenna. There is no other good way to disable the device entirely if you want to drive a GM product. Some people have removed the modem, but this invalidates the warranty. The entire shebang is connected to your car's ECU and CAN bus, so it's not generally just an addon box that can be removed.
 
Upvote
1 (1 / 0)

xeoph

Ars Scholae Palatinae
1,172
glarfsquared said:
So that little Progressive car monitoring dongle, is that affected by this? Was that one that is made by a company that got over-the-air updates, or is it not known?

I'm wondering the same thing as I just installed my Esurance DriveSense devices yesterday. I wouldn't think my '05 Silverado would take a command for its brakes but I don't know about my '08 Caliber...

Edit: yes, the original article mentions Progressive and I'm sure Esurance is using the same device.
 
Upvote
0 (0 / 0)
Seems to me the insurance companies should be offering discounts for people who drive cars with no cellular connection to the CAN bus, since they'd be limiting their liability from accidents where the vehicle acted out of the control of the driver. :/

Instead, they hold out the promise of reduced rates if you're willing to add cellular connectivity. I'm curious, do devices record data about cell tower signal strength that could be used to triangulate the location of your car?
 
Upvote
1 (2 / -1)

Rand

Ars Tribunus Militum
2,298
Subscriptor++
borzwazie said:
Antron Argaiv said:
So...if you choose not to pay for the OnStar service...are you still on their network? Can GM/OnStar still do whatever they want to your car, or is there no cellular link (because you haven't paid for it)?

Even if you do not pay, your car still contains a cellular modem which is capable, and does, connect to the network. GM got in trouble a while back for tracking people who weren't subscribers and selling this information off to third parties.

The common method to "disconnect" from the network if you don't want to subscribe to OnStar is to remove the antenna. There is no other good way to disable the device entirely if you want to drive a GM product. Some people have removed the modem, but this invalidates the warranty. The entire shebang is connected to your car's ECU and CAN bus, so it's not generally just an addon box that can be removed.

It connects to the bus, yes. But things that connect to the bus can also be disconnected from the bus. OnStar is a stand-alone unit. Your car will continue to function if it has been disconnected (it's not like Windows with Internet Explorer).

I also doubt that they could void your vehicle's warranty for disconnecting OnStar. Perhaps they could void your warranty on the OnStar unit itself, but even that is questionable since cars were designed to be worked on, which often involves partial disassembly. They can't, for example, void your warranty because you replaced your brake pads, which involves a fair amount of disassembly to do.
 
Upvote
0 (1 / -1)

giltwist

Ars Tribunus Militum
1,609
Rand said:

It connects to the bus, yes. But things that connect to the bus can also be disconnected from the bus. OnStar is a stand-alone unit. Your car will continue to function if it has been disconnected (it's not like Windows with Internet Explorer).

My understanding is that the OnStar is tied into other functions like the hands-free calling. That's why just removing the antenna is preferred to removing the entire box.
 
Upvote
0 (0 / 0)

giltwist

Ars Tribunus Militum
1,609
grahamwilliams said:
Stop fucking connecting things to the accelerators, brakes, and steering of a car. Jesus. Just... stop.

Counterpoint:

Everyone wants to be Batman.
 
Upvote
11 (11 / 0)

Dr Gitlin

Ars Legatus Legionis
24,914
Ars Staff
etronz said:
Wow, the auto industry is really calling in the hit pieces. They are scared of the pending "Right to Repair" DMCA exemption. Maybe they can scare us into thinking that little computer box in our car should be protected by the DMCA after all.

I cannot believe copyright is being used to keep us out of the stuff we own. First sale doctrine anyone? It's under attack from the auto industry.

What does this have to do with someone working out that a third-party OBD2 dongle was susceptible to SMS hacking?
 
Upvote
2 (3 / -1)

Zi8

Wise, Aged Ars Veteran
199
Subscriptor
xme said:
null_interface said:
So how much is that dumb "safe driver" discount - contingent upon letting your insurer plug in a connected OBD-II dongle that hoovers up all of your driving habits - worth to you now?

Personally I'll just add this to the list of reasons I'll never choose to add something like this to my vehicle. Honestly I'd be shocked to find out that what they qualify as safe driving is in any way congruent with actual safe driving. OBD-II + GPS isn't going to tell you if I'm paying a damned bit of attention, cutting people off left and right, blowing through red lights, or even driving directly towards oncoming traffic...

Actually there's plenty of data to make the connection between the OBD2 data and safety. Generally only large insurers (e.g. Progressive) have detailed telematics programs. These large insurers have tens of millions of driver-years of data and the associated accidents, and use sophisticated algorithms to connect them (e.g. see the Kaggle competitions for insurance data). They also have every incentive to raise your rate if they think you're going to get into an accident. At least in the US, the insurance industry is very competitive---most people can choose between a dozen insurers---and getting this stuff right can make a big difference. Companies aren't giving "good" drivers a 25% discount because they're generous.

Your message lists a few things that OBD2 doesn't tell you directly, but it totally misses all the stuff that OBD2 does tell you, such as how much a person drives, where they drive, how quickly they accelerate and brake, etc.
 
Upvote
3 (3 / 0)