You may have noticed the net creeping into more and more of your devices. It’s certainly common knowledge that computers have been making their way into more and more of our everyday objects: Clothing, glasses, gift cards and cars, but those computers are really only a first step, the next naturally being plugged in to our ever growing network infrastructure. With wireless connectivity then comes the ability for those objects to communicate with the outside world, and with this being a security blog, you must know where I’m headed.
Whereas computers have been deeply embedded into cars for 30 some-odd years now, it’s only recently that those computers are able to communicate externally. Now, with Bluetooth and ‘telematics’ (OnStar services) wireless technologies making their way into more and more vehicles, more and more of those vehicles are now prone to remote hack attacks. What’s truly unsettling is that by hijacking a vehicle via these attacks, the attacker is provided a wide array of integral, safety critical car components to manipulate; from steering, to acceleration, to braking, at the click of a button.
Those interested in seeing the attacks in motion can attend or tune into the Defcon hackers conference this coming weekend, where researchers from security firm IOActive will be demonstrating using a 2010 Toyota Prius and Ford Escape. Budgeted with an $80,000 grant from DARPA, the researchers have documented everything required to perform the attacks and what may be necessary to make cars more resistant.
As stated in the researchers’ report, “By examining the CAN [controller area networks] on which the ECUs communicate, it is possible to send proprietary messages to the ECUs in order to cause them to take some action, or even completely reprogram the ECU… ECUs are essentially embedded devices, networked together on the CAN bus. Each is powered and has a number of sensors and actuators attached to them”, it’s revealed that the networks in these vehicles makes no attempt to authenticate the incoming messages, which may or may not contain directives that change the vehicles behavior. This way, the vehicles computers essentially take orders from anyone, regardless of the origin of the signal.
Proper authentication is undoubtedly integral to maintaining safety of all kinds when dealing with network connectivity.