Wednesday, July 29, 2015

Much maligned diagnostic connector and protocols (e.g. CAN)

There has been a lot in the press recently about "car hacking" (there always seems to be a spike just before the black hat conferences).

I read a lot of car security articles and there are some basic premises put forward in many that are not fully accurate, and that annoy me. So I thought I would write down a rebuttal:

Diagnostic protocols (e.g. CAN messages) can be used to attack your car...

Yes they can (sic.). That is really the whole point of the controllers and the network of them. They control stuff!... mainly stuff in your car. If you send them messages they will control stuff differently. The more electronic controls you have (and the trend is more and more on each new vehicle) - the more aspects of the car you can control with these messages.

These networks are also designed to allow a technician in a garage, using a tester connected to this network, to control aspects of the vehicle - to test everything works as expected. 

So if you plug a computer into the diagnostic connector (and make it part of the car control network) you can do all sorts of crazy stuff.

There are fairly limited security measures in place on the network to ensure the tester is "genuine" (seed/key challenges to enable certain, more dangerous features). But these are almost trivial to crack, and the easiest way to compromise them is to compromise some software that contains the algorithm, such as:
  • Application layer code on a trusted controller on the network
  • Diagnostic software installed on a tester (typically a PC)
But the key security measure here is the physical security of the diagnostic connector (and the controller network). To hack a car this way - you need to be "plugged in". The diagnostic connector is normally inside the dashboard area. So if a would-be attacker, can gain physical access to your dashboard - hacking CAN messages is the least of your problems... they may as well just disconnect the brakes?

The thing that has changed here is that controllers on the network are now connected to other networks (e.g. WiFi, Bluetooth, or cellular) and/or certain controllers can be exposed to malicious content via physical media (USB, Flash sticks etc). The chain is only as strong as the weakest link...

It is the security of those other connections that needs to be "bullet proof"; or at least as secure as the physical security of the car. (Why not trigger the car alarm/immobiliser if attacks are detected on these connections?)

Those "other networks" are the problem, they let you get inside the car, without being inside the car... the weakness has nothing to do with CAN network or diagnostics. We can and we should improve the security of diagnostic protocols (see earlier), but they are not really the main problem and neither is the diagnostic connector. 

The problem is the lack of security around this new way to get inside your car... 

No comments: