rs
Dagobah Resident
There is a new paper out of the Department of Computer Science and Engineering, University of Washington, titled "Experimental Security Analysis of a Modern Automobile". The full paper can be found at http://www.autosec.org/pubs/cars-oakland2010.pdf.
Here is the abstract:
Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input— including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.
In this context "ecosystem" means the overall business interconnection of companies which design, develop, manufacture and distribute components to the automobile industry as a whole. For example, both Mercedes-Benz and BMW produce high-end luxury vehicles with anti-lock brakes; however, both companies use components supplied by Bosch GmbH, a manufacturer of (among other things) various automobile components such as anti-lock brake systems, collision avoidance systems, engine control computer modules, etc. The design and support of such components, and the overall regulatory environment in which all automobile companies operate world-wide, make it essentially impossible for companies to produce their own parts, even for large multi-national companies such as Mercedes-Benz and Bavarian Motor Works.
Continuing with the paper, the introduction provides some interesting background. Emphasis in the quote is mine.
I. INTRODUCTION
Through 80 years of mass-production, the passenger automobile has remained superficially static: a single gasoline powered internal combustion engine; four wheels; and the familiar user interface of steering wheel, throttle, gearshift, and brake. However, in the past two decades the underlying control systems have changed dramatically. Today’s automobile is no mere mechanical device, but contains a myriad of computers. These computers coordinate and monitor sensors, components, the driver, and the passengers. Indeed, one recent estimate suggests that the typical luxury sedan now contains over 100 MB of binary code spread across 50–70 independent computers—Electronic Control Units (ECUs) in automotive vernacular—in turn communicating over one or more shared internal network buses [8], [13].
While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary. Indeed, it seems likely that this increasing degree of computerized control also brings with it a corresponding array of potential threats.
Compounding this issue, the attack surface for modern automobiles is growing swiftly as more sophisticated services and communications features are incorporated into vehicles. In the United States, the federally-mandated On-Board Diagnostics (OBD-II) port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks. User-upgradable subsystems such as audio players are routinely attached to these same internal networks, as are a variety of short-range wireless devices (Bluetooth, wireless tire pressure sensors, etc.). Telematics systems, exemplified by General Motors’ (GM’s) OnStar, provide value-added features such as automatic crash response, remote diagnostics, and stolen vehicle recovery over a long-range wireless link. To do so, these telematics systems integrate internal automotive subsystems with a remote command center via a wide-area cellular connection. Some have taken this concept even further—proposing a “car as a platform” model for third-party development. Hughes Telematics has described plans for developing an “App Store” for automotive applications [22] while Ford recently announced that it will open its Sync telematics system as a platform for third-party applications [14]. Finally, proposed future vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) communications systems [5], [6], [7], [25] will only broaden the attack surface further.
Overall, these trends suggest that a wide range of vectors will be available by which an attacker might compromise a component and gain access to internal vehicular networks—with unknown consequences. Unfortunately, while previous research efforts have largely considered vehicular security risks in the abstract, very little is publicly known about the practical security issues in automobiles on the road today. Our research aims to fill this gap.
This paper investigates these issues through an empirical lens—with active experiments against two late-model passenger cars (same make and model). We test these cars’ components in isolation in the lab, as a complete system in a controlled setting (with the car elevated on jacks), and in live road tests on a closed course. We have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is “little.”
Indeed, we have demonstrated the ability to systematically control a wide array of components including engine, brakes, heating and cooling, lights, instrument panel, radio, locks, and so on. Combining these we have been able to mount attacks that represent potentially significant threats to personal safety. For example, we are able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we are able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly.
Rather than focus just on individual attacks, we conduct a comprehensive analysis of our cars’ digital components and internal networks. We experimentally evaluate the security properties of each of the key components within our cars, and we analyze the security properties of the underlying network substrate. Beyond measuring the real threats against the computerized components within modern cars, as well as the fundamental reasons those threats are possible, we explore considerations and directions for reconciling the tension between strategies for better security and the broader context surrounding automobiles.
The paper goes on to describe how the researchers were able to take total control over the target automobile's functions, even to the point of forcing false readings on the instrument panel for speed as well as printing a "hacked" message to the information display. The degree to which the researchers were able to take control over the vehicle is disturbing, to say the least.
The attacks mounted in the paper required physical access to the automobile, at least temporarily, so the researchers could communicate directly with the automobile's systems over the government-mandated OBD-II connector. By way of example, US regulations require compliance with air pollution limits and a periodic inspection regimen to verify that any given automobile is within the allowed limits. It used to be the case that the inspector would stick a probe into the exhaust system and physically measure the results, but this has been replaced by a computer that connects to the OBD-II connector and in essence asks the automobile "Are you within limits?". Pass or fail for the pollution test is determined by the automobile itself.
Consider how pervasive new features such as General Motors' OnStar system have become. These systems are no longer restricted to luxury vehicles, but are now supplied across the product spectrum. GM even advertises how the OnStar system can be used to remotely disable a stolen vehicle. Obviously this goes way beyond simple activation of the locking system. The inter-connectivity of the various components and systems on the modern automobile is almost total.
... A combination of time-to-market pressures, wiring overhead, interaction complexity, and economy of scale pressures have driven manufacturers and suppliers to standardize on a few key digital buses, such as Controller Area Network (CAN) and FlexRay, and software technology platforms (cf. Autosar [1]) shared across component manufacturers and vendors. Indeed, the distributed nature of the automotive manufacturing sector has effectively mandated such an approach—few manufacturers can afford the overhead of full soup-to-nuts designs anymore.
Thus, the typical car contains multiple buses (generally based on the CAN standard) covering different component groups (e.g., a high-speed bus may interconnect powertrain components that generate real-time telemetry while a separate low-speed bus might control binary actuators like lights and doors). While it seems that such buses could be physically isolated (e.g., safety critical systems on one, entertainment on the other), in practice they are “bridged” to support subtle interaction requirements. For example, consider a car’s Central Locking Systems (CLS), which controls the power door locking mechanism. Clearly this system must monitor the physical door lock switches, wireless input from any remote key fob (for keyless entry), and remote telematics commands to open the doors. However, unintuitively, the CLS must also be interconnected with safety critical systems such as crash detection to ensure that car locks are disengaged after airbags are deployed to facilitate exit or rescue.
OnStar is (technically) a subscription-based service which requires "activation", but in practice the system is essentially on all of the time, regardless of the subscription state. The OnStar system consists of a two-way cell phone transceiver and telemetry unit connected to the automobile's systems. Obviously, for remote unlock or stolen-car deactivation to work, the automobile does not, and cannot, stop the OnStar system from interacting with the cell phone network.
Many computer hacking attacks are based on knowledge of subtle features of various software components. Some hacking attacks are as simple as a malicious attacker posing as an IT professional, calling someone on the phone and simply asking for the password.
Other hacking attacks are based on a deep understanding of the way in which software is designed and constructed. The most common example of this is the buffer overflow attack. Most software today is written in a common language, either "C" or "C++". The semantics of C support statically defined storage for information, i.e. storage in the computer's memory that is fixed and whose location is known or can be known. There are two basic kinds of storage, scalar variables and arrays of scalar variables. An example of a scalar variable is an integer used to count things. An example of an array of scalar variables would be a text string consisting of some number of characters. The semantics of "C" do not directly support "array bounds checking", which means that if the software tries to access array location 1001 of an array consisting of 1000 units, there is nothing to stop it. Obviously array location 1001 does not contain what the program expects to be in the array, but instead contains "something else". That something else is knowable.
Computer programs are composed of three pieces: code, or instructions for the computer; statically declared storage for information (which may or may not be transient); and dynamically allocated storage. The buffer overflow specifically targets the interaction of code and static storage. Compiler programs which convert "C" text into computer binary code will place instructions and static storage together in adjacent parts of the computer's memory. If the computer program, either accidentally or because it can be made to, writes to static arrays outside their defined bounds, the "data" written there necessarily replaces the expected computer code.
Most computer communication is based on some kind of standard, and a programmer often assumes that communication which claims to follow the standard actually follows the rules. A buffer overflow attack is based on a communication where the source of the communication deliberately violates the defined standard for the purpose of creating a situation where the computer program will overwrite its own instructions with the instructions supplied by the attack.
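To make the point above concrete, here is an added illustration in C (not code from this post, from the paper, or from any telematics vendor): a toy parser for a hypothetical length-prefixed message, first in the "trusting" form that copies as many bytes as the sender declares, then in a hardened form that checks the declared length against both the fixed-size buffer and the bytes actually received. The wire format, the sample frames and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format used only for this illustration (NOT OnStar's or
 * any real telematics protocol): byte 0 = message type, byte 1 = payload
 * length as declared by the sender, bytes 2.. = payload. */
#define PAYLOAD_MAX 16

struct frame_view {
    uint8_t type;
    size_t  len;
    uint8_t payload[PAYLOAD_MAX];   /* fixed-size storage, like a C string buffer */
};

/* Constructed sample frames. */
static const uint8_t GOOD_FRAME[]      = { 0x01, 0x04, 'p', 'i', 'n', 'g' };
/* Sender claims 200 payload bytes: more than PAYLOAD_MAX can hold. */
static const uint8_t OVERSIZED_FRAME[] = { 0x01, 0xC8, 0xAA, 0xBB };
/* Sender claims 8 payload bytes but only 2 were actually received. */
static const uint8_t TRUNCATED_FRAME[] = { 0x01, 0x08, 0xAA, 0xBB };

/* "Trusting" parser: assumes the peer follows the standard and copies exactly
 * as many bytes as the header declares. C performs no bounds check, so a
 * declared length above PAYLOAD_MAX writes past the end of out->payload, and
 * a declared length above the bytes received reads past the end of wire.
 * Kept here only as the defective "before"; never feed it untrusted frames. */
int parse_trusting(const uint8_t *wire, size_t wire_len, struct frame_view *out)
{
    if (wire_len < 2)
        return -1;                       /* no header at all */
    out->type = wire[0];
    out->len  = wire[1];                 /* sender-controlled length field */
    memcpy(out->payload, wire + 2, out->len);   /* unchecked copy */
    return 0;
}

/* Hardened parser: the declared length is validated against both the size of
 * our storage and the number of bytes actually present before any copy. */
int parse_checked(const uint8_t *wire, size_t wire_len, struct frame_view *out)
{
    if (wire_len < 2)
        return -1;                       /* no header at all */
    size_t len = wire[1];
    if (len > PAYLOAD_MAX)
        return -2;                       /* claimed size exceeds our storage */
    if (len > wire_len - 2)
        return -3;                       /* claimed size exceeds bytes received */
    out->type = wire[0];
    out->len  = len;
    memcpy(out->payload, wire + 2, len);
    memset(out->payload + len, 0, PAYLOAD_MAX - len);   /* no stale bytes */
    return 0;
}

typedef int (*parser_fn)(const uint8_t *, size_t, struct frame_view *);

/* Run a parser on a frame and report only its status code. */
int parse_status(parser_fn parse, const uint8_t *wire, size_t wire_len)
{
    struct frame_view view;
    return parse(wire, wire_len, &view);
}

/* Payload length the hardened parser accepted, or 0 when it rejected the frame. */
size_t checked_payload_len(const uint8_t *wire, size_t wire_len)
{
    struct frame_view view;
    return parse_checked(wire, wire_len, &view) == 0 ? view.len : 0;
}

int main(void)
{
    printf("good frame, checked:      %d\n", parse_status(parse_checked, GOOD_FRAME, sizeof GOOD_FRAME));
    printf("oversized frame, checked: %d\n", parse_status(parse_checked, OVERSIZED_FRAME, sizeof OVERSIZED_FRAME));
    printf("truncated frame, checked: %d\n", parse_status(parse_checked, TRUNCATED_FRAME, sizeof TRUNCATED_FRAME));
    /* The trusting parser is only exercised on a conforming frame. */
    printf("good frame, trusting:     %d\n", parse_status(parse_trusting, GOOD_FRAME, sizeof GOOD_FRAME));
    return 0;
}
```

The hardened parser rejects the oversized frame with -2 and the truncated one with -3; the trusting parser would have silently overrun its buffer on the first and read beyond the received bytes on the second.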
What does this have to do with OnStar and automobiles? Well, the cellular communication which allows these sophisticated remote control features over an automobile is based on standard communication protocols. If these protocols can be violated in specific ways, one could easily mount the equivalent of a buffer overflow attack on an automobile. Moreover, this may very well be possible over the current cell phone network, meaning that it would not require someone to create a unique radio signal, but simply to make a specific kind of phone call.
If OnStar can be used to contact remote call centers to establish communication in the event of an emergency, and if OnStar can be used to take remote control over a vehicle, the implication is that it should not be particularly difficult to use the OnStar system to establish a silent connection to any given automobile for the purpose of eavesdropping. Many new automobiles now contain video cameras, sometimes many video cameras. This means that the OnStar system might be used to silently implement a remote-controlled total surveillance system. If a buffer overflow attack can be mounted over the cell phone system, then based on the researchers' results in the above paper, it may very well also be possible to take almost total control over almost any automobile in real time, remotely, over the cell phone network. Also based on the results of the research, it seems unlikely that the designers of the overall communication system behind OnStar considered anything beyond the ability to control the communication securely for the purposes defined by the OnStar system and for the purposes of ensuring payment compliance. In other words, it is not likely that OnStar has been specifically "hardened" against a malicious attack.
Recently Toyota has received tremendous press because of large recalls of their electronic control systems. There have been many reports of "unintended acceleration" on various vehicles, and while Toyota has implemented various modifications to both the mechanical and the electronic systems, they insist that these cases of unintended acceleration cannot have come about through the natural operation of their control systems. They base this on their knowledge of the underlying implementation of these systems and the protections they put in place to prevent such occurrences. They almost certainly base this conclusion also on the fact that the components which make up these automobiles are not in fact unique to these automobiles, and may not even be unique to Toyota. However, it seems unlikely that they considered malicious or deliberate attack scenarios.
Consider the possibility that some of these unintended acceleration scenarios were an attempt by somebody to demonstrate the ability to remote control a vehicle, and also consider who might be behind such a demonstration in "the real world". The conspiracy theorist in me suggests a few "usual suspects".
The bottom line here is that we should prepare to witness the transition into an environment where the objects we use on a daily basis and take for granted become the tools for war in a silent and almost untraceable way. We will need to collectively prepare for the day when Osama Bin Laden can take control over any automobile from the safety of his cave in Afghanistan to mount attacks anywhere, anytime. It's going to be a Brave New World...