Network security in smart cars



Hello everybody!

First, I hope that I didn't miss the right forum topic for posting the next question. The thing is that I'm finishing my BSc studies, and for my thesis theme I've decided to analyze security issues in smart cars in the higher price range, like BMW, Audi, Mercedes and some 'boutique' examples such as Bugatti. All the cars mentioned above use a common system known as Infotainment, which offers a review of some important traffic information (traffic jams, speed limits, etc.) and of course fun for passengers.

 

All data mentioned above and data from the car itself are stored and processed in the car's internal computer (ECU), and the CAN (Controller Area Network) protocol, which operates on the link layer of the ISO/OSI model without a security component, is responsible for transmission of this data between car controllers (ECUs). All of the above represents a vulnerability in the sense that an attacker, for example, could drive behind us and in a certain way (GSM, WiFi) connect to the car and activate airbags, brakes, etc. Now I want to know if anyone could tell me where I can get general specifications about what protocols and technologies are used in the domain of security in smart cars, and what systems/protocols are used by specific car manufacturers, i.e. BMW, Audi, Mercedes etc., for, let's say, comparison.

 

Is this publicly accessible information, or should I contact the car manufacturer itself for it? I have one last question: is there something like an emulator where I could simulate the operation of a smart car and the connectivity of a possible attacker to it?

Thanks for all constructive advice!

 

Best regards, Davor
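The point in the post above that CAN has no security component, as an added example that is not part of any poster's message: a classic CAN frame carries only an identifier and up to 8 data bytes, with no sender field or authentication, so a monitor can judge frames only by plausibility such as timing. The log lines (candump `-l` format), IDs, payloads and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict

# candump -l log format: (timestamp) interface ID#HEXDATA
# The frame carries an identifier and up to 8 data bytes: no sender, no MAC.
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

# Constructed sample capture; IDs, payloads and timings are made up.
SAMPLE_LOG = """\
(100.000000) vcan0 244#0000000000
(100.020000) vcan0 1A0#10
(100.100000) vcan0 244#0000000000
(100.120000) vcan0 1A0#10
(100.200000) vcan0 244#0000000000
(100.220000) vcan0 1A0#10
(100.300000) vcan0 244#0000000000
(100.320000) vcan0 1A0#10
(100.345000) vcan0 244#00000032FF
(100.400000) vcan0 244#0000000000
(100.420000) vcan0 1A0#10
""".splitlines()

def parse(line):
    """Return (timestamp, interface, can_id, payload) for one log line."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    ts, iface, can_id, data = m.groups()
    payload = bytes.fromhex(data)
    if len(payload) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return float(ts), iface, int(can_id, 16), payload

def timing_anomalies(lines, learn=3, tolerance=0.5):
    """Flag frames that arrive much sooner than the period learned for their ID."""
    last, gaps, alerts = {}, defaultdict(list), []
    for line in lines:
        ts, _iface, can_id, payload = parse(line)
        if can_id in last:
            gap = ts - last[can_id]
            seen = gaps[can_id]
            if len(seen) >= learn and gap < tolerance * sum(seen) / len(seen):
                alerts.append((ts, can_id, payload))
                continue  # keep the baseline anchored on the last on-time frame
            seen.append(gap)
        last[can_id] = ts
    return alerts

if __name__ == "__main__":
    for ts, can_id, payload in timing_anomalies(SAMPLE_LOG):
        print(f"{ts:.6f} unexpected frame id=0x{can_id:03X} data={payload.hex()}")
```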


The only way that you could possibly get into any of this is through the Bluetooth enabled in the car or a Bluetooth-enabled device that would be hooked up to the data port (although some manufacturers have Bluetooth enabled for diagnostics).

 

The issue is that the devices need to be paired with your hacking device. 

 

That really isn't the issue.  The issue is what if your phone is infected?  What will get passed to the infotainment system, what will get to the CAN, if anything?  I would think that the infotainment is read only as you cannot perform any tasks other than view and reset the mileage counters.  

 

If you are talking hacking things like OnStar, that would be interesting to do and to see. Pop locks, roll down windows, not sure what else they have access to though... maybe remote start?

 

Perhaps you should look into how the dealer mechanics interact with a car before you go down the path of what-ifs that aren't there. Their systems have access to a lot of things that the average person, and sometimes the best garages, don't have access to. They have better things than your average diagnostic tools. There are a lot of computerized things that tie a car together; to my knowledge it is all handled on an extremely local level (what do I know, I tinker with cars in my spare time, I will even help tune a car... none of the tools available are a direct wireless connect to the ECU/CAN systems, all must be done through the diag port or OBD-II port... even on my newest 2014.5 Toyota Camry, the ECU/CAN is accessed by the diag port... the software on the radio can be updated via Bluetooth or a direct USB connection, which makes me think that the infotainment is read only).


Hello,

 

You might want to contact Eric Evenchick, a former Tesla intern who sells a kit to hack cars via the OBD-II port at http://cantact.io/.

 

Regards,

 

Aryeh Goretsky


Thank you both for replying to my question.

Sc302, you mentioned Bluetooth connectivity to the infotainment system, but its range worries me - it's about 3-5 meters... I also found a study which shows, for example, cellular/telematics connectivity on the Toyota Prius and some other models of cars. Here's the link; if you have time I would be very grateful if you went through it and told me if it's OK: http://illmatics.com/remote%20attack%20surfaces.pdf


So I read through that, briefly. I will probably print out and read through again though.

What I got out of my reading is that they theorize on vectors of attack, not really proving that an attack is possible.

As Aryeh points to, and what I hinted at, was that to "hack" cars is possible through the physical diagnostic port because that gives you direct access to the ECU/CAN. I do not believe that this is the case through the infotainment system; if it were, there would be no need for an OBD port as all troubleshooting and diagnostics would and could be done wirelessly.

They touch on GM's OnStar, but they don't know enough about it or the capabilities of it... OnStar works when there is no cell signal, OnStar does not work when you are under a bridge or in a tunnel (tunnels have cell repeaters in them, at least around here)... it is for the same reason that satellite radio fails in the same location, they use satellite communications between the car and the OnStar system. Toyota may use 3G/4G to communicate to their cars, but it isn't the same between manufacturers. There isn't that much public information that can be had easily regarding automotive systems, partially because it is very proprietary.

I will touch a little on BMW: on their older, mid to late 00's cars, they used Windows CE as the OS in their infotainment (friends with a BMW high-level service engineer who had to constantly reflash them due to crashing and updates). That system is probably very susceptible to attack, provided you can get to it. I don't know/remember what exchanges they had with Bluetooth devices, could be cell phone and address book only. If that is the case it probably is read only from the phone.

The ability to write anything to infotainment is limited and RAM only. Very little is stored from the phone to the infotainment, if anything at all. But if your phone has an app that communicates with your in-car system, and that phone has been infected with something that can piggyback on that app, there is a possibility that it could get to your infotainment system and an even more remote possibility that it could use the conduit between that and the ECU to get to the CAN system. The issue is that the ECU and CAN system are very safeguarded... but as more and more things get integrated the possibility increases more and more. If you ask me, that is the angle you should take in your paper... Perhaps looking at more luxury systems that the guys in the paper did not look at; the systems that they looked at do not have the integration that the higher-end cars do. Newer Lexus, BMW, Infiniti, etc., everything is controlled through the infotainment system (locks, windows, radio, HVAC, just about everything that you are used to having separate buttons/controls for). I wouldn't worry too much about the ECU and CAN, they will keep those systems pretty secure (at least for the time being)... lots of proprietary coding and OS go into those pieces (I can't take a Ford tuner and plug it into a Toyota and tune it, coding/OS is completely different, but I can take a diagnostic code reader and read codes and get information from multiple makes as the device has the programming to understand all of the different cars/somewhat public information needed for private garages to operate).

As I said, you need to fully understand how and where you can access these systems. The best people to talk to are senior automotive techs and tuners as they have a very good understanding as to what can and can't be done. They go through constant training regarding these systems and have a direct link to the manufacturer (they aren't guessing how these things work or making uneducated assumptions).

