24

Referring to the security experts who demonstrated taking control of two popular vehicle models using laptops connected to ECUs (http://www.bbc.co.uk/news/technology-23443215), what are the possibilities that there can be malware/trojans etc. written to infect vehicles?

I don't even drive yet, so I'm no expert when it comes to understanding the way cars work, but since they use the on-board diagnostics port used by mechanics to identify faults, doesn't that technically mean that they have full access to all sensors etc. located in the vehicle?

In the article it says they wrote software to send signals to the car, to do certain instructions which they desired. If they were capable of doing that, imagine what black hats would have in mind? (Obviously, at the moment the only way this is possible is physical access to the vehicle.)

Considering nowadays modern vehicles are almost fully incorporated with a desktop computer, such as having in-built touch screens running some OS, video & audio players, image viewers, and so much more, don't you think it is possible for your average driver to place an infected thumb-drive into his car, with the intention of listening to the latest tunes or watching a movie, only to have a trojan (which made its way onto his storage device from his PC) in the background being executed by the vehicle, which can lead to destruction?

What are your thoughts?

Edit:

I have found this article which explains some researchers burned a trojan to a music CD, which allowed them to change the car's music player's firmware to get access to other components of the car.

AviD
BrownEyes
  • This is indeed a worry, especially for the inevitable self-drive cars, which are already being tested in several countries (Google's cars being the most famous). – Paddy Landau Sep 30 '13 at 18:36
  • Hackers can enter in a phone... so... in a car... if the car is connected, I think it's possible. And we construct cars with a single computer on board. You get in the computer you can do anything, no? – John QR Sep 30 '13 at 16:11
  • 2
    Linked article is highly suggestive. An actual system I built could be susceptible to the music attack, but that would NOT gain you `root` access for the simple reason that music players don't need to run as root. Furthermore, even if you did have root and could change firmware, the rest of the car would refuse to talk to the new firmware unless that was digitally signed. The main attack vector not addressed was [the usual last resort](http://xkcd.com/538/) – MSalters Sep 30 '13 at 21:50
  • Too bad the question is only about a virus/trojan, and not about hacking cars in general. The link (and links within the article) are interesting: http://blogs.computerworld.com/cybercrime-and-hacking/22398/car-hacking-car-cyberattack-possible-theory-behind-journalists-death, http://www.infoworld.com/t/hacking/video-watch-what-happens-when-prius-gets-hacked-224270, or http://blogs.computerworld.com/18226/hacking_to_pwn_a_cop_car – thursdaysgeek Sep 30 '13 at 23:02
  • I think this only applies to hybrid/electric vehicle where computer/microcontroller actually controls the driving. It should not be a problem for manual transmission and some automatic transmission vehicles, correct? You can always just switch to neutral to stop acceleration. – Alvin Wong Oct 01 '13 at 03:47
  • @AlvinWong, it can be a problem with any type of car. Imagine that you are driving at the maximum speed limit on a busy highway, and the hacker decides to suddenly turn on your emergency brakes. – Paddy Landau Oct 01 '13 at 12:08

6 Answers

14

A virus or a trojan are pieces of code which automate an attack, and propagate more or less automatically (the terminology is a bit sloppy). First there must be a vulnerability which can be exploited to run malicious code on the target. There are many kinds of vulnerabilities, including a gullible user who will "open executable attachments" (the core principle of many a trojan), but there must be some. Then, the virus/trojan/malware brings it up to a higher level through automation.

With a vulnerability, the attacker gains some control on one car. Most attackers will stop there, because they are car thieves and don't want to take the control of any other car than the one they are standing next to. Even more so, they don't want to steal a car which is "too much damaged", be it mechanically or logically.

A car virus, "infecting" a lot of cars, would allow for large-scale heists, e.g. plunging a whole car-loving country into pedestrian chaos, or blackmailing authorities with the prospect of killing random drivers (gee, when I write that, I almost hear the voice of Bruce Willis cracking jokes while shooting villains). While this would be a great Hollywood scenario, I expect massive car-stealing to occur first. We will get warnings.

A redeeming property of cars is that they are not electronically centralized, not in the same way as a smartphone. An iPhone has a single big CPU which does everything. A car has dozens of small CPUs, each responsible for one or two tasks. Though they are linked together, they still have a lot of autonomy. A remote exploit on a car would probably allow for shutting it down, or blinking lights, but not override everything. Car manufacturing regulations are also adamant: come what may, the driver must still be able to brake by heavily pushing on the pedal, even in case of a total collapse of electronics, e.g. after having been hit by lightning. The hand-brake, also, is supposed to be entirely mechanical, with no electrical part. As long as these properties are maintained, you cannot be abducted by your own car, even if it has "automatic driving" abilities.

Tom Leek
  • 17
    A really spiteful Trojan wouldn't crash cars but consume fuel inefficiently. Distribute to a target nation to subtly cost their economy billions of dollars. – LateralFractal Sep 30 '13 at 11:50
  • with the automatic parallel parking you could set the minimum gap to keep to 0 and block the vehicle behind you from pulling out – ratchet freak Sep 30 '13 at 12:11
  • smart @LateralFractal :D – BrownEyes Sep 30 '13 at 12:52
  • 1
    Many cars, with enough engine power applied, can pretty well overcome their brakes - *especially* the hand-brake. So, I'm not sure I'm confident in your statement that these features alone can effectively prevent you from being "abducted in your own car". – Iszi Sep 30 '13 at 16:43
  • 1
    also, plenty of cars do not have "hand brakes" anymore. "electronic parking brake" is being marketed as a feature. – mac Sep 30 '13 at 17:44
  • We need a [Hackers](http://en.wikipedia.org/wiki/Hackers_(film)) sequel/spinoff that involves remote car heists and all that other good stuff... – Izkata Sep 30 '13 at 19:06
  • @Iszi: No, brakes are impressively good. In the wake of the Prius problems in 2009, that was tested by quite a few organisations including Edmunds.com and TüV. Most importantly, on many new cars the brake pedal kills the engine power, making it physically impossible to overcome the brakes with engine power (downhill slopes being a distinct problem). – MSalters Sep 30 '13 at 21:42
  • 1
    @MSalters I haven't tried with the regular brakes yet, but I have on several occasions accidentally driven with the parking brake on in my '12. – Iszi Oct 01 '13 at 01:05
  • @Iszi: Regular brakes are designed to stop your car from 100 mph+. Parking brakes are designed to keep your car stopped. That should explain why the latter are less powerful. – MSalters Oct 01 '13 at 05:13
  • 1
    @MSalters Even still, regular brakes are generally designed with the assumption that there will be no power going to the wheels when they are applied. Even without the rolling start, 200+ HP can be quite a bit to overcome. Besides that, unexpected application of the brakes (certainly doable electronically, especially given cars that can park themselves and stop for you in the case of an impending collision) can sometimes be just as hazardous as an unexpected excess in the throttle. – Iszi Oct 03 '13 at 03:33
12

To be honest I'm not worried only about malware/virus but also about the possible bugs inside all the electronics of the car/vehicle.

During the "Hack in the Box" conference in Amsterdam, security researcher Hugo Teso demonstrated how to take control of the electronic system of an airplane with an Android application (http://conference.hitb.org/hitbsecconf2013ams/hugo-teso/).

Our role, the role of the community, is to research and to share our results so that no one uses this information in a bad way. It's an important role, but it is the only way I know to do the best for others.

Adi
fdicarlo
  • 2
    Is Hugo Teso the same guy that spoke at DEFCON last year? The guy whose talk was based solely on false assumptions and an airplane simulator? – atk Oct 01 '13 at 00:05
7

Modern cars are built from dozens (or even hundreds) of interconnected computer systems, so there is certainly no reason they can't be susceptible to malware; you've already noted the recent example of hackers playing with a car while a reporter drives it.

Are there technical measures being taken to reduce the possibility? Some. Many of those systems are located on factory-baked ROMs that can't be reprogrammed, or that have very limited amounts of RAM, and therefore can't host a malware infection. But in general, the entire CAN bus architecture was designed a long time ago without security in mind, and the whole vehicle must be treated as a single trusted entity.

You noted physical access above, but that gap is widening as carmakers try to provide more integrated "features" for consumers. My car provides no less than twenty-three entry points that are available to both me and to potential attackers!

Safely locked inside the cabin there is a USB port and a CD/DVD drive that directly interfaces with the stereo; there is also the OBD-II jack. Unless the attacker is already inside my car, (such as a 'friend' with a thumb drive,) those are fairly safe.

Externally, there are three short-range RFID readers available, at the trunk, driver's door, and inside the cabin. There are four RF based short-range tire pressure sensors and receivers. There is a Bluetooth system interfacing with the stereo that has at least a ten meter range outside the vehicle. There is an RF based remote keyless entry transceiver that works from several dozen meters. And there is an independent RF based remote starter that works from 500 meters away. Finally, the stereo receives both terrestrial HD-Radio and satellite data streams for music, traffic, weather, news, and other types of data.

Any of those offer some kind of access into my car's electronic system, and I can only trust that the automaker has secured them all.

In addition to the data-based interfaces above, there are other entry points into the car that are connected to the bus. There is a rear-facing camera on the trunk, and a forward facing camera for a driver safety system. Is it possible they have a library that can read and parse barcodes for some legitimate reason? If so, can a barcode be used to inject an attack into them? There is also a radar transceiver, four ultrasonic range sensors, and the nav system has a GPS receiver. While I have no idea how an attacker might use any of those to gain some kind of access, and I would categorize them as a very low risk, that doesn't discount the fact that very clever people have attacked all kinds of systems before.

Finally, there is another non-obvious area of vulnerability -- the side mirrors. My mirrors have at least three electronic functions: remote X-Y movement, dimming courtesy lights, and a "blind spot occupied" warning light. To handle all this activity, I can only assume that the CAN bus is extended into the mirror housing, meaning a thief with a screwdriver is probably only a small piece of plastic away from interfacing with my electronics from outside my car. From there, he could tell the doors to unlock, clip in his own malicious device, or do whatever he wants.

This car is also three years old. Newer cars include WiFi access points and GSM transceivers, providing ever more accessible connectivity options for the would-be attacker. Features are definitely expanding faster than security.

John Deters
  • I very much doubt your mirror itself has the CANbus reaching into it. The door outstation, sure, but that'll take a whole lot more effort. – Ben F Oct 01 '13 at 13:54
6

I have written the bootloader of a navigation system for a modern car. (Not naming brands here, but you can Google and guess). We were absolutely aware of the risk, even years before the "Hack in the Box" which @fdicarlo mentioned. To make things even trickier, we had to boot Linux, play by the GPL rules, and still be safe.

Yes, that means that a suitable USB stick could start the installation of a new Linux version. It wouldn't be very subtle, though: we would hand off the installation procedure to a subroutine which would make very clear to the user what was going to happen, including the loss of guarantee when our digital signature was missing. That's a sufficiently scary dialog on hardware in excess of EUR 10,000. And to clarify: that dialog would come from the bootloader, not the old nor the new Linux kernel.

A second line of defense was also based on that digital signature. Sure, the GPL allows you to replace the Linux kernel. We'd boot an unsigned kernel. That doesn't mean that the rest of the car will talk to that kernel. If you want to run a videoplayer, feel free, but you can't show the current car speed. That defense runs down to the hardware level. The CAN bus controller simply wouldn't start up if the correct signature was missing.

And even that wasn't the last level of security. To protect the car against bugs, the CAN bus itself was physically split in two, with a "packet valve" copying packets from the core engine control to observation systems but not vice versa. The On-Board Diagnostics port is on the control side, since it may start self-test routines. That's why the "hackers" can show such "dangerous hacks". Your keyboard is insecure when people can insert physical keyloggers, your car is insecure if people have hardware access too.

So, in summary, cars introduce not a single new security risk, and professional car companies have had quite good security quite early on.

MSalters
1

I was recently part of an OEM which delivers a very well-known infotainment system. You have to understand that most of the ECUs in the car are custom software that require special interfaces and security keys to be flashed. First and foremost, current vehicles usually need to be physically accessed to be able to perform some of these hacks, in some cases voiding your warranty. In the future this will become a bigger challenge, as OEMs would like to deliver software to any vehicle ECU over the air (i.e. Tesla S).

At the infotainment system level, I can tell you that the architecture of the system was designed so that the operating system (being a Windows variant) was completely untrusted. An extra layer of security (you can think of it as a firewall) was added to the SOC hosting a real-time operating system that is in charge of managing external CAN signals. The existence of a "whitelist" on this firewall allows the control of proper signals to reach the OS. Anything else is pretty much blacklisted. This extra layer of security does add the ability to add CAN signals to the whitelist but requires OEM-specific security (including telematics & back-end server messages) to be able to do so.

dandaman12
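The one-way "packet valve" in MSalters' answer and the whitelist in front of the untrusted OS in the answer above both come down to a default-deny gateway between two CAN segments. The C below is an added illustration of that idea, not code from either poster or from any OEM; the bus names, CAN IDs and payload lengths are made up, and the allowlist is assumed to be fixed at build time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: bus names, IDs and lengths are hypothetical. */
enum bus { BUS_CONTROL, BUS_INFOTAINMENT };
enum verdict { FORWARD, DROP_DIRECTION, DROP_MALFORMED, DROP_NOT_LISTED };

struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
struct rule  { uint32_t id; uint8_t dlc; };

/* Signals the untrusted side may observe; everything else is denied. */
static const struct rule ALLOWLIST[] = {
    { 0x3E9, 2 },   /* hypothetical: vehicle speed */
    { 0x3F1, 1 },   /* hypothetical: gear position */
};

/* Decide whether a frame seen on bus `from` may cross the gateway.
 * On FORWARD, *out holds a clean copy with unused payload bytes zeroed. */
enum verdict gateway_filter(enum bus from, const struct frame *in,
                            struct frame *out)
{
    if (from != BUS_CONTROL)
        return DROP_DIRECTION;      /* one-way valve: never toward control */
    if (in->id > 0x7FF || in->dlc > 8)
        return DROP_MALFORMED;      /* 11-bit IDs, classic CAN length only */
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++) {
        if (ALLOWLIST[i].id == in->id && ALLOWLIST[i].dlc == in->dlc) {
            memset(out, 0, sizeof *out);
            out->id = in->id;
            out->dlc = in->dlc;
            memcpy(out->data, in->data, in->dlc);
            return FORWARD;
        }
    }
    return DROP_NOT_LISTED;         /* default deny */
}

int main(void)
{
    struct frame speed = { 0x3E9, 2, { 0x12, 0x34, 0xAA } }, out;
    struct frame other = { 0x244, 8, { 0 } };   /* constructed, not listed */
    int ok = gateway_filter(BUS_CONTROL, &speed, &out) == FORWARD
          && gateway_filter(BUS_CONTROL, &other, &out) == DROP_NOT_LISTED
          && gateway_filter(BUS_INFOTAINMENT, &speed, &out) == DROP_DIRECTION;
    return ok ? 0 : 1;
}
```

Returning a distinct verdict per drop reason lets the gateway count and log rejected frames, so traffic arriving from the infotainment side shows up as an anomaly instead of vanishing silently.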
1

Researching on a related topic, I found this thread, and also this paper.

The most interesting thing is the fact that many of the security protocols...just didn't work. One of the more scary things in this paper was the fact that they got access to the brake controllers, and could disable, or enable them at will. Although you would need physical access to the car to be able to do this, I don't see why a custom built hardware module couldn't be developed to attach to an OBD2 port and cause chaos, either by taking remote commands or by using preloaded triggers (when at x speed, send packet x, etc).

As stated in other answers, the redeeming quality of most cars is the decentralization of important systems, and on older vehicles the lack of connectivity also helps to narrow the attack surface. A virus would realistically have to be tailored to a specific vehicle, and would have to be distributed by some device that connects to it physically, like a mechanic's code reader etc.

C_Sto