Schneier on Security
A blog covering security and security technology.
« Breaking into a Garage |
| Crypto 2010 Proceedings »
August 17, 2010
Hacking Cars Through Wireless Tire-Pressure Sensors
Still minor, but this kind of thing is only going to get worse:
The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they're wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.
The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.
Now, Ishtiaq Rouf at the USC and other researchers have found a vulnerability in the data transfer mechanisms between CANbus controllers and wireless tyre pressure monitoring sensors which allows misleading data to be injected into a vehicle's system and allows remote recording of the movement profiles of a specific vehicle. The sensors, which are compulsory for new cars in the US (and probably soon in the EU), each communicate individually with the vehicle's on-board electronics. Although a loss of pressure can also be detected via differences in the rotational speed of fully inflated and partially inflated tyres on the same axle, such indirect methods are now prohibited in the US.
Paper here. This is a previous paper on automobile computer security.
EDITED TO ADD (8/25): This is a better article.
Posted on August 17, 2010 at 6:42 AM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I wonder what initiatives like AutoSAR will bring in terms of security to the whole automotive industry. Maybe assurance levels like they use in avionics would be useful ? Maybe it already exists but does not evaluate risks induced by onboard electronics.
As for the EU, It seems mandatory TPMS are scheduled for 2012.
Like more traditional forensics like DNA and fingerprints people are starting to leave behind an increasing amount of wireless evidence that will probably start being captured in the near future. Forget about video security cameras, but wireless monitoring systems that capture the wireless packets for real time or post fact audit.
The "remote recording of the movement profiles of a specific vehicle" part does quite sound like "it's not a bug, it's a feature" to me, especially when connected to the word "compulsory".
All the rest may just be side effects of this feature.
My car tracks the rotational speeds of each wheel and is able to monitor tyre pressure *delta*.
Which in my mind is the relevant info here
No need for this wireless comms and yet another useless gauge on the dashboard...
This sounds great for building cheap automated speed traps. With so many towns and cities in budget trouble, tire-tracking speed traps are probably going to be everywhere in a few years, especially if they can concentrate on routes used by out of town residents.
But then the problem is: how long does the Police Dept. keep the logs on non-speeding cars?
Rotation delta based sensing (which is what my car has too) won't satisfy the requirements of the TREAD Act in the USA, because it cannot tell if two tires (say both the front tires) are underinflated.
Although the Audi A9 has a new rotation based system that supposedly will work.
Remind me again why tire pressure monitoring is compulsory?
@Leolo - it's ostensibly a safety and fuel efficiency requirement: properly inflated tires are better at both.
However, there are no provisions for /over/-inflation, which is just as dangerous and damaging (in that it increases tire wear, causing earlier replacement of tires).
In other words, the nanny state is forcing upon us expensive and insecure systems that aren't as effective as a human being just doing what he's supposed to, but we should just think of the children we're "protecting" with this misguided effort.
Tire pressure sensors aren't the only thing that is mandatory, so is giving a name and address. I asked a dealer why I needed to give my name and address to buy a pair of tires with cash and was told they needed that so they could send me recall notices. He was helpful in that he said he wouldn't question whatever name and address I gave him. But since they installed the tires, I think my license plate or VIN ended up in their records anyway.
I doubt that speed traps will switch to wireless as pictures make better evidence in court.
The ability to check that tire pressure isn't too low on the dashboard is useful. I've caught slow leaks that way that would have gone a lot longer before I noticed them. (No, I don't check the tire pressure constantly, and neither, I suspect, do 98% of US drivers.) Overinflation isn't the same sort of hazard, since tires do not slowly increase their pressure to dangerous levels without human action.
So, this is a tradeoff. Whether it's a good tradeoff or not is arguable, but the government does have a vital interest in making sure our cars are safe. Of the machines we use, they're unusually likely to injure or kill others if something goes wrong.
Obviously, there's things wrong with the system. It should not be possible to crash any of my computer systems without physical contact with the car. The possibility of monitoring is troubling, but that may be acceptable, considering how many of us go around with a turned-on cell phone.
What worries me is that you can get access to the CANbuss, this has some very significant implications depending on at what level.
It can take very little to turn a working and safe system that has passed many safety tests to be turned into a non working or unsafe system.
For instance in some "Real Time" programing systems the CPU time is divided up into time slots and each action is tested to see it stays within it's allotted time slot. Just creating data errors in a certain sequence may well cause a time slot to be either exceeded or the data it is working on to become out of step with other time slots. Unless the system designers have taken this into account (and why should they) it could well end up with things like traction control or braking failing in unexpected ways.
It is only a few months ago a major automobile manufacturer had to recall for "rework" many cars at great expense over a very minor mechanical part issue that criticaly effected the brakes under ertain rare conditions.
The ability to remotly inject faults into a particular make and model of car could be exploited for financial gain in many ways.
I expect the issue of using wireless communications on a car to increase (ie get worse) simply because now the technology has been designed it's usage will expand as the price drops and the cost of wiring systems within a vehical chassis increases.
"The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely."..." from adjacent vehicles"
Wow, they can now track our vehicles by driving next to us. That evil big brother!
Next they'll require us to put tracking devices on our cars that are human (or machine) readable and tie that to a vehicle identification number that is tied to the owner's personally identifiable ID. Then they'll really be able to track us!
Oh and there are other reasons to worry about car electronics or so Eric Hannah of Intel thinks,
He pointed out something that has been largly ignored since the 1970's that cosmic rays can bit flip logic gates and can thus cause significant events, and he chose vehical electronics to highlight it.
"Overinflation isn't the same sort of hazard, since tires do not slowly increase their pressure to dangerous levels without human action."
As tires are driven on they heat up, causing the pressure to increase. If they are already overinflated this can cause a blowout.
If you care about your safety and security, you must cover your entire car, as well as your tires with an aluminum safety shield.
If you really care about your safety and security, please look into our lead shielding options.
Is the trackability issue really all that big of a deal. An increasing percentage of the population carry around bluetooth capable phones (which thanks to hands-free phone laws are quite likely to be enabled when driving). It's probably more interesting to track who is in the car, than the car itself.
Kia might have steering issues. Another seat belt recall for GM. This might be a problem down the road. You never needed steel belts in tires or lead in fuel. Operate your brain.
I wonder if the President's new limo contains TPMS sensors?
Some background: the limousine used by the last several American Presidents was replaced for President Obama. Said limousine has traditionally been supplied by a particular american OEM.
During part of my work at an auto supplier, I had to do on-site support for the car company that makes Presidential limousines. During that time, one of the OEM engineers told me that he'd worked on electronic equipment that ended up in Obama's new limousine.
He couldn't tell me any details of hardware or software, but everyone in the company who was familiar with the production models could probably guess at what software and hardware had been used in the Presidential model.
The engineers involved did comment that many systems on the car had been built to run under certain kinds of duress (like electromagnetic-flux events) that normal cars won't survive.
But I never learned if the limousine would still run if the BCM (or Engine Control Module) were to crash or reset.
Suddenly, I wonder if anyone has tested that car for hack attempts like this TPMS-based attack.
@wiredog: Sure, that can happen. However, if a tire is inflated to the proper pressure at some point, it's unlikely to get too high a pressure even when warmed up. It is far more likely to get a small puncture (in my last case, a nail that caused the loss of 1-2 psi per day) and become underinflated.
You said "If they are already overinflated", implying that somebody overinflated the tire earlier. Protecting against stupidity is nice, but there's a lot more negligence than outright stupidity out there, and given a choice I'd like to protect against that.
Overpressure and a blowout with properly inflated tyres can happen if a brake locks. If you get symmetric locked brakes (frozen handbrake, for instance), you might not notice it. That said, I do not think it is a significant risk.
As far as the POTUS limo is concerned, I've heard the tires are solid rubber, so they can't be deflated by any sort of road hazard, or 'projectile'.
I've heard that under-inflated tires were more prone to blowouts because there was not enough air in them to absorb/dissipate the heat generated during driving. I would think that overinflated tires would fall into the 'stupid/safety-factor' that allows 10% more air in the tires than is printed on the sidewall, and be less likely to blow-out than under-inflated ones.
Well, I have a nice new (ordered early and got it June '09) 2010 Camaro SS that has this. It has the huge diameter wheels and low aspect tires.
It warned me last winter that pressure was low, and this car is a bit picky about that, so I put them back at the nominal 36 psi.
Later, they got above 44 psi -- the limit on the sidewall, and the car got squirrely as a result, no warning, but it did show correctly on the dash when I checked. Almost went off the road due to it -- would have been fatal, and nothing changed but weather! No human intervention at all other than responding to the warning about cold making the pressure low, and correcting that.
For what it's worth, with the tiny airspace in these fat tires with low aspect pressure changes a lot with weather and of course how long at speed.
And in this car, it really matters to handling and safety as the tires are way on the wide side for the weight. Off pressure either way makes a large difference. Just a little too high and you're on bicycle tires, just the middle touching, too low and it's the usual situation where they overheat and are sloppy. On such a fast car, either is a very, very big deal.
"What worries me is that you can get access to the CANbuss, this has some very significant implications depending on at what level."
I'm a little skeptical about this. These tire monitoring systems are meant to be as cheap as possible. To my knowledge, they use ultra cheap 318 MHz or similar RF modules. They are in no way any kind of gateway/bridge to something like a CAN bus other than that some device is receiving VERY simple messages at Layer 7 and sending out an independent message to the vehicle databus. I'm not saying it isn't possible, just that my questions weren't really answered by the paper.
I wonder whether all this wireless crap will be mandatory for government cars, too. Not a presidential one, that's for sure, but some middle range.
Would be a wonderful way for some psycopathic nerd to, how shall I put this, express his feelings about some elected official by hijacking his car and direct it into some solid object at appropriate speed.
Good movie threat plot, too. Already seeing Billy Idol writing new version of his "Speed" for a remake.
The mere possibility of an underinflated tire somewhere? Oh, GOD! Quick, let's pass another law! Let's have penalties!
And FINES! Think of the benefits for everyone when we create the Tire Pressure Police!
DROP THE PRESSURE GAUGE AND STEP AWAY FROM THE VALVESTEM, SCUMBAG!!!
Run flat tires, started this legal monitoring stuff.
You are right, this is only going to get worse, considering that wireless sensors are getting more and more prevalent. So little added value, but potentially giving so much troubles to drivers or users. Are they unnecessary problems created as a result of capitalism I wonder?
Guys, TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded that they "do something!"
@ Vic Hitler,
"And FINES! Think of the benefits for everyone when we create the Tire Pressure Police!"
Yup now so many people are unemployed and businesses have "off shored" to tax havens one way or another and neither group is paying taxes, the Politicos have a significant short fall in income needed to bribe the voters so they can stay in power.
So the solution invent crmes with on the spot fines so the money keeps on rolling in...
Mind you it could be worse...
The SciFi author Larry Niven came up with his "organ legger" series ("Gil Hamilton long arm of the law" etc) about a future society where some crimes where punished by "breaking up" and the body parts given to those honest citizens in need of transplants.
One side effect was that due to the shortage of criminals each year the crimes that incured breaking up as the sentance became more minor to the point people where broken up for minor traffic violations...
Now the US tends to regard money as the nations life blood, but a sensible person will realise it is the people that are the nation and thus the real life blood.
Thus you might ask yourself the question about the wealthy being able to purchase the transplant organs they need for longevity from other countries (such as India and China)...
It appears from a number of sources that te Chinese Government has been "breaking up" condemed criminals since the early 80's and last year indirectly admitted it,
However the number of tra.nsplant organs has risen since then, thus another source of supply must be being exploited. It appears to be from people of a faith (Falun Gong) the Government does not approve off...
Tyre monitors only need a few serial numbers and not unique numbers. The system would work perfectly well with 100 numbers to choose from. The system would check what numbers were consistently present during the first few rotations and identify these are fitted to the car. From then on you become your own small footprint set of numbers. Job done, with NO chance of being uniquely identified, as tyre 46 would be fitted to hundreds of cars passing that day. Of course "Set Identification" would be possible, but impossible to prove and use as evidence.
Tyre sensing can easily be used for ID tracking at every few traffic lights with the current system.
"Tyre monitors only need a few serial numbers and not unique numbers. The system would work perfectly well with 100 numbers to choose from."
In most cases yes it would work with less depending on the sensor range which is the critical issue.
If the TX-RX range is 1 metre and somewhat directional then there would be little or no issue other than requiring one RX sensor per wheel arch.
However if as is likley to happen the TX-RX range is 10-40metre that would alow auto manufactures to use only one conveniantly (to them) placed sensor per vehicle and a lot less expensive wiring.
I will give you one guess which will happen...
Thus your observation about "set identification" does become significant even with 20 numbers you get 116280 (20*19*18*17) identifiers which would be quite sufficient in the vast majority of cases for vehical identification when you have sensors embedded in the road etc.
With a hundred numbers the you would have just under 94.11 million set identifiers which most judges and juries would be happy with.
But... the chances are the actual TX sensors will have their "sensor" number visable when sold otherwise you'ld get two with the same number on a vehical around 1 car in 7 with 20 numbers and 1 in 33 with 100 numbers.
Which means that if I know your four sensor numbers then I can go shopping for the same numbers with little difficulty.
The question is then how often will these TX sensors need replacing. If they are battery powered then possibly more frequently than the tyres on low mileage vehicles or at every annual service.
I can just see certain vehicle manufactures making these sensors "dealer only" just to create a nice little "tied market place" (think about the lucrative mobile phone battery market or the equaly as profitable ink jet or laser tonner cartridge market).
This is good for stealing cars... You get close, deflate the tiers, take people out, re-inflate and leave.
From New Zealand, 16 September:
"A man arranged for a device to be planted in his former wife's car that tracked her location and allowed him to shut her engine down remotely.
"The court was told that during the past few months the women's engines had stopped running for no apparent reason.
The mechanic "...located the GPS device that tracked the vehicle and could stop feeding fuel to the engine when the man called it on a cellphone. He could call the device again to switch the electronic petrol pump back on, hiding the fault."
Not a tyre, but an over-inflated ex under pressure.
Make me wonder about those high end Toytas that went crazy and accelerated on there own. could this have been induced by some hacking or government test gone bad?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.