A vendor-neutral vulnerability affecting the CAN Bus standard can have “dangerous” and “even fatal” consequences for smart car owners.
Discovered by the work of Trend Micro, Linklayer Labs, and Politecnico di Milano, the flaw isn’t a “vulnerability” in the traditional sense of the term. It’s an insecure design choice within the Controller Area Network (CAN) Bus, a vendor-neutral standard which specifies how various systems built into most connected cars communicate with one another.
These systems exchange information by writing a “frame,” or a message encoded with a series of ones and zeroes. Sometimes the actual value of the frame passed along the communication wires doesn’t correspond with the original expected value. In that case, the device writes an “error” message notifying other listening devices to ignore the frame.
Error messages are common enough. But if a device begins producing too many error messages, it could be a sign that the device is malfunctioning. To insulate other systems against this faulty behavior, the CAN Bus standard specifies that the malfunctioning device must enter “Bus-Off” state, which means it can’t read or write data to the CAN. This effectively renders the device in question inoperable.
So what’s the security issue?
The problem is threefold. First, devices don’t need authentication to read and write to the CAN. Second, all data that enters the CAN is automatically trusted, as the standard doesn’t consider the possibility of an attacker gaining unauthorized access to the bus. Third, it’s impossible to analyze a message and determine whether the issuing device is faulty or has been compromised.
Together, these shortcomings spell a load of trouble for smart car owners. Trend Micro researcher Federico Maggi elaborates on this point:
“Our attack triggers this particular feature by inducing enough errors such that a targeted device or system on the CAN is made to go into the Bus Off state, and thus rendered inert/inoperable. This, in turn, can drastically affect the car’s performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated. All it takes is a specially-crafted attack device, introduced to the car’s CAN through local access, and the reuse of frames already circulating in the CAN rather than injecting new ones (as previous attacks in this manner have done).”
With this type of attack, a bad actor could cause a denial-of-service (DoS) condition in the active safety system, for example, and thereby prevent the car from stopping autonomously as a result hazardous traffic conditions. The attacker could also eliminate the driver’s ability to successfully start the car and/or lock the car doors, at which point in time they can demand a ransom.
A nefarious individual could effect any one of these scenarios remotely by exploiting flaws that allow them to reprogram the firmware of the engine control unit.
These types of vulnerabilities are discovered often enough. In 2015, for example, two researchers abused vulnerabilities in the Uconnect infotainment system to reflash the firmware responsible for the CAN communications in a Chrysler Jeep. They then leveraged that exploit to hijack the vehicle, an attack which three Jeep owners to file a lawsuit against Fiat Chrysler and the Uconnect manufacturer.
Alternatively, an attacker can perpetrate the exploit locally by attaching a malicious device to the car’s OBD-II port.
So how does this issue get fixed?
A patch won’t do it. Essentially, those who crafted the CAN Bus need to redesign the standard. This means a true fix will probably require a whole generation of cars to roll out.
In the meantime, car manufacturers can mitigate the flaw by detecting power drain in the CAN and seeking to identify fake error messages sent by malicious devices.