Vehicle emissions and cyber security
Recently Volkswagen admitted to installing “defeat devices” (software that manipulates the level of emissions of gases such as nitrogen oxide (NOx) from their vehicles during regulatory testing) in millions of its diesel cars. However, excessive levels of NOx are not the only concerning emissions from many of today’s vehicles – as more and more technologies are added to the connected car ecosystem, the number of potential remote wireless entry points for attackers is increasing.
Remote keyless entry
Back in 2012, security researchers (Verdult, Garcia and Ege) from the University of Birmingham and Radboud University Nijmegen in the Netherlands attempted to publish the results of their research into the Megamos crypto solution that is embedded into the keys of many manufacturers’ vehicles. Volkswagen secured an injunction in the UK High Court to prevent its publication, but early this year an agreement was reached to redact some of the information and the research was presented at the annual USENIX Symposium. The researchers described three attacks, which could result in vehicles being stolen.
Tyre pressure sensors
Tyre Pressure Monitoring Systems (TPMS) consist of sensors that measure the tyre pressures and then wirelessly transmit the data to an ECU within the vehicle. If the pressure measurement drops below a certain threshold, a warning message is displayed to the driver. At the Toorcon conference, an independent security researcher (Jared Boone) showed how to use an inexpensive Software Defined Radio to reverse engineer the TPMS wireless protocol and read the data that is transmitted. The researcher claimed that TPMS is potentially a security risk, as the technology could be used to track cars.
The Car Whisperer tool, which was developed by the trifinite group, searches for Bluetooth-enabled vehicles and attempts to establish a connection. When it is prompted to supply a PIN, it attempts the connection using various default PINs, e.g. ‘0000’ and ‘1234’. If the connection is successful, the tool starts sending audio to, and recording audio from, the headset. This allows attackers to inject audio data into the car and eavesdrop on conversations within the vehicle.
The GM OnStar service provides telematics functionality to vehicles, including remote lock/unlock and engine start. An independent security researcher (Samy Kamkar) demonstrated that, using cheap off-the-shelf components, a device could be created (dubbed the “OwnStar” attack) that would detect nearby users of the OnStar RemoteLink application on a mobile phone and then inject packets into the communication stream to the phone, which would reveal the user’s credentials. The credentials could then be used to gain access to the vehicle’s OnStar account and unlock the vehicle.
Mobile network (GSM/3G/4G)
In a report by US TV show “60 Minutes” about DARPA and the Internet of Things, the Department of Defence demonstrated that it could hack the GM OnStar system to remotely control a vehicle. The attack was possible because of backward compatibility – if a 3G signal was not available, the telematics unit in the car would fall back to using an old analogue wireless modem. A vulnerability was discovered in the software modem code that processes data sent by modulating a carrier signal in the audio voice channel. The attack could be performed by phoning the TCU and playing it a specially crafted MP3 audio file, which would trigger the software flaw and provide access to the telematics unit. That unit was in turn connected to the CAN bus, on which cyber-physical systems such as steering and braking could be controlled.
Frequency Modulated Continuous Wave (FMCW) radar is used by vehicle systems such as adaptive cruise control to determine how far away physical objects are from the vehicle. Researchers from Utah State University and Virginia Tech (Chauhan, Gerdes and Heaslip) were able to demonstrate a “false data injection attack” using commercially available Software Defined Radios, which resulted in decreasing the apparent object range by arbitrary amounts with a very high probability of success.
Laser ranging (Lidar) systems that most self-driving cars rely on to sense obstacles around them have been targeted by a security researcher from the University of Cork (Jonathan Petit). His attack uses off-the-shelf components costing around $60 to create echoes of phantom objects, such as vehicles, pedestrians or walls and make them appear at arbitrary locations. Using this technique, an attacker could trick a self-driving car into believing something is directly ahead of it, thus forcing it to slow down.
How NCC Group can help
Our Automotive Cyber Security Practice regularly provides assessment services, design advice and best practice guidance to OEMs and their suppliers across the globe. Our research-led approach means that we are constantly developing new assessment tools and techniques to identify security vulnerabilities in both wired and wireless protocols.
Contact us: AutomotiveSecurity@nccgroup.trust
Published date: 14 October 2015
Written by: Andy Davis