Modern vehicles pack a considerable amount of processing power, and with self-driving vehicles on the horizon, they are only going to get “smarter” in the near future. There’s been talk of security vulnerabilities with modern computerized vehicles in the past, but they’ve largely been theoretical or specifically targeted a make and model of car that the security researchers had spent time poring over.
But recent research has shown serious security flaws in commonly used OBD (On-Board Diagnostics) devices which are used by millions of drivers to report on their vehicle health and driving habits. It would be rather complex to perform in the wild, and not all vehicles with the devices onboard would be vulnerable, but this still represents one of the most broadly applicable and realistic vehicle cyber attacks presented so far.
Hacking the Zubie
The most detailed research so far has been conducted by Argus Cyber Security on the Zubie, an OBD-II device which contains a cellular modem and automatically collects data about fuel economy, engine status, and even the vehicle’s location via GPS.
Cracking the Zubie started with connecting up to the device’s built-in diagnostic port, which turned out to be nothing more than a standard serial UART. After connecting the serial up to their computer, the researchers were presented with a common AT command interface that allowed them to download all the files stored on the device. After decompiling the Python files that make up the Zubie’s executable programs, the researchers got the original source code and could see what the device was doing.
The researchers were able to figure out that the Zubie didn’t use any kind of encryption or authentication for its firmware updates; it would simply download and install any file it was given over the cell network. The designers clearly didn’t think authentication was required since the Zubie would only be connecting over the supposedly secure cellular network; but unfortunately for them, rogue cell sites are now very much a reality with advancements in software defined radio (SDR).
By setting up a rogue cell site and a DNS server with false records, the researchers were able to get the Zubie to happily download a Trojan firmware update that allowed remote command of the vehicle’s CAN bus. The more advanced the vehicle, the more of its functions are tied into the CAN bus; being able to access it remotely could give an attacker access to everything from remotely unlocking doors to shutting down the engine.
A completely separate investigation was conducted by Corey Thuen against the Progressive Insurance Snapshot and was presented at the S4x15 Security Conference. Thuen’s research found the Snapshot suffered from exactly the same issues as the Zubie: lack of authentication or encryption on firmware updates and susceptibility to rogue cellular sites. While Thuen didn’t go as far as proving the vulnerability of the Snapshot in the wild like Argus did with the Zubie, it stands to reason that if it works on one it will work on the other.
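The check both devices were missing, as an added illustration (not code from Zubie, Progressive, Argus or Thuen): an update container of my own design carrying a vendor signature, verified on the device under a public key baked into the firmware before anything is installed, placed next to the accept-anything behaviour the researchers found. The header layout, function names and the choice of Ed25519 are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update layout for this example (not Zubie's real format):
// [4-byte big-endian version][64-byte Ed25519 signature][firmware payload]
const sigLen = ed25519.SignatureSize

// PackUpdate is the vendor build-server side: sign version||payload.
func PackUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(append([]byte{}, hdr...), sig...), payload...)
}

// UnsafeInstall mirrors the behaviour described above: whatever arrives is installed.
func UnsafeInstall(blob []byte) ([]byte, error) { return blob, nil }

// VerifyUpdate installs only if the signature over version||payload checks out
// under the vendor public key shipped in the device (a public key is safe to
// ship: dumping it over the UART gains nothing) and the version is newer than
// the installed one, so a signed but old, vulnerable image is also refused.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, blob []byte) ([]byte, error) {
	if len(blob) < 4+sigLen {
		return nil, errors.New("update too short")
	}
	hdr, sig, payload := blob[:4], blob[4:4+sigLen], blob[4+sigLen:]
	if !ed25519.Verify(pub, append(append([]byte{}, hdr...), payload...), sig) {
		return nil, errors.New("signature check failed: refusing update")
	}
	if v := binary.BigEndian.Uint32(hdr); v <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", v, installed)
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	genuine := PackUpdate(priv, 2, []byte("firmware v2"))
	tampered := append([]byte{}, genuine...)
	tampered[len(tampered)-1] ^= 0xff // one payload byte altered in transit
	for name, blob := range map[string][]byte{"genuine": genuine, "tampered": tampered} {
		_, err := VerifyUpdate(pub, 1, blob)
		fmt.Println(name, "->", err)
	}
}
```

With the public key in the device and the private key only on the vendor's signing host, a rogue cell site and spoofed DNS can still deliver a file, but the device will refuse to install it.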
Both cases are a classic example of the “security through obscurity” myth: assuming that hiding the mechanism by which something works is the same thing as properly securing it. Because cellular communications are relatively difficult to eavesdrop on, it was assumed there was no need to check whether the server the devices were communicating with was actually what it claimed to be.
Remote Controlled Cars
Both attacks result in the same thing: GPS-enabled vehicles that can be remotely commanded from anywhere in the world over the cell network. An attacker could locate the car, unlock its doors from his or her smartphone, and never be detected. Or, the attacker could completely shut down traffic by killing the engines on all infected cars on the same street. It may sound like something out of a movie, and in truth it’s probably pushing feasibility. However, it is possible.
As vehicles become increasingly computerized, the cars we drive will start to become just as important to secure as the computers we use at work and at home.