Comments

yet another bruce April 11, 2023 10:52 AM

Are they injecting software or just messages in the form of CAN bus packet frames?

Pete April 11, 2023 11:09 AM

What I don’t understand is why the CAN bus wiring is run out to the headlights? What data/signals are there that can’t be relayed on dumb wires back to a spot harder to access?

modem phonemes April 11, 2023 11:44 AM

Is physical connection to wires essential, or is there (currently) some way to perform the attack using wifi signaling?

Darnell April 11, 2023 12:49 PM

@ Pete,

What data/signals are there that can’t be relayed on dumb wires back to a spot harder to access?

I guess it was simply cheaper and easier to extend the whole bus to the headlights, than to reserve some hood space and install a device to transition from CAN to dumb wires or a separate CAN bus. I doubt they lost many sales before 2023 on account of this decision.

Apparently, they’re using digital communication in order to control things such as bulb dimming—like when switching between “headlights” and daytime running lights. And the communication is bidirectional to allow the car to detect lighting problems. I’ve seen quite a few cars with burnt-out headlights and taillights in recent weeks, so there’s some sense to that.

Last I heard, when I was working in a related business, was that people were trying to push unnecessarily complex methods such as CA-based cryptography to solve problems like this. Of course, the real “problem” being solved would be that of third-party components competing with official and licensed ones. Putting private keys in headlights is neither necessary, nor really sufficient, to prevent such attacks (how secure can you expect that storage to be?—if someone makes a device to “glitch” the key out of there, we’ll be back where we started). If the car builders knew how to use cryptography properly, we’d’ve had end-to-end cryptography between the keyfob and the device(s) it’s meant to operate, and nobody would’ve been able to create a valid message to inject.

@ modem phonemes,

Some cars have cellular modems and wi-fi sitting on the same CAN bus as everything else. Probably tire-pressure radio receivers and Bluetooth too. Bruce wrote about an attack last year.

K.S. April 11, 2023 12:53 PM

Based on work Charlie Miller and Chris Valasek published regarding the famous remote Jeep hack, I understand CAN bus as an unauthenticated real-time internal automotive network into which all devices dump signals/messages. Consequently, if you can find a way to inject a CAN bus signal, such as via OBD port or in this case via headlights, then you have effectively gained root access to the car and can do anything/everything, assuming you can reverse engineer or discover codes.

The security fault here is connecting headlights or taillights with write access to CAN bus, not the existence of CAN bus. Probably for implementing tail-light monitoring messages.

EvilKiru April 11, 2023 3:31 PM

Some cars do have multiple CAN buses, with no direct way to get from one to the other, but they still have a gateway that allows sending a message to any CAN bus and there’s literally no security anywhere, because car “security” is based on the assumption that nobody is going to dismantle your car just to connect directly to the CAN bus and an over-reliance on the security module to disable your car if someone smashes a window to connect directly to the OBD port under the dash.

Clive Robinson April 11, 2023 6:49 PM

@ K.S., ALL,

“The security fault here is connecting headlights or taillights with write access to CAN bus, not the existence of CAN bus.”

Err, it’s a bit more subtle than that.

1, CANbus is not secure by design.
2, The system engineers will not make it secure as that makes the systems too difficult to design.
3, The physical design engineers do not design the network to be physically secure.

I could go on but let’s put it this way,

“Would you run a serial or telnet line from the authentication server console to a socket not just outside the server room, but outside the building, to say a socket under a window on the ground floor on the public walkway?”

Because that is the equivalent of what the system and design engineers have done to these cars.

It’s a while since I last played with CANbus, and back then I and others were using it to control model railway trains, because it was “cheap and easy” to do…

In many ways it is little more advanced than the I2C bus and similar peripheral control buses designed last century. In all cases security has never been a concern of the designers, who view cryptography and related with horror because of what it does to development time line, costs, and test systems.

Chip designers do not want to build cryptography in as the CPU needs to be rather more than 8bit, and the number of CPU cycles immense which means fast response times are either not possible or the chip needs to suck current like an out of control fire hose does water from the mains. Which has “upstream” knock on effects that means extra or upgraded thus way more expensive “Bill Of Materials”(BOM), as high as a hundred times increase in cost.

Clive Robinson April 11, 2023 7:26 PM

@ ALL,

Re : Wiring Harnesses.

Unless you’ve had to design a wiring harness for a complex three dimensional shape, especially one like a vehicle monocoque, where it has to go through bulkheads and firewalls, as well as having to survive a full crumple zone T-Bone / side swipe or similar accident and still give full control to the essential systems such as brakes and similar… You might underestimate the task and cost/risk involved.

Multiple wires “laced together” add a stiffness thus flex failure increase, and a single fault makes the entire very expensive harness worthless. It’s one of the reasons the way more complex “multidrop networks” on a single cable / channel were even considered. Not because they increased potential features, or decreased weight and bulk, but because they significantly decreased the manufacturing risk and cost.

Further, if post manufacture upgrades are required, all that is needed is an “Insulation Displacement Connector”(IDC) be “punched down” onto the existing cables thus significantly easing the task and reducing the risk. Thus “three wire” and “four wire” multidrop networking especially “multi master” systems are very desirable for such tasks.

Without going into the electrical interfacing specifics, such systems can be effectively AC coupled thus galvanically isolated, such that “hard fail” faults do not lock up the network nor do “earth loop” faults arise. In fact bi-phase systems can have a secondary “phantom channel” that can be used for some types of “master / all node signalling”.

WB April 11, 2023 10:46 PM

@Clive Robinson
Blah Blah Blah. People have known this day was coming since at least 2007. https://www.sae.org/publications/technical-papers/content/952586/
That was a quick and nasty-googling too. It’s all impressive and an engineering marvel, but what good is a dam when you know it’s too small, have 2 years before you know a flood is coming and don’t do jack. All this time and what have they wrought but another way to steal every bit of information about you that they can.

crab April 12, 2023 6:49 AM

Modern headlights have various different lighting modes so you need them to connect to a CAN bus. And once you have physical access you can also write to this bus (it’s just two wires). However, you can isolate different CAN buses through a gateway and require secure CAN messages for certain commands like unlock and start. There is an AUTOSAR standard for secure (authentic and data integrity) communication: https://www.autosar.org/fileadmin/standards/R22-11/CP/AUTOSAR_SRS_SecureOnboardCommunication.pdf

Ken Tindell April 12, 2023 7:33 AM

Most of these comments I’ve heard before, from people who talk about CAN ‘packets’ and a ‘PHY’ and ‘addresses’ and say car makers are “dumb” for not using [insert fashionable backend protocol]. There is more in Heaven and Earth than Ethernet, Horatio.

Cars have hugely long product cycles: it takes about 4 years to design a car platform, and cars can be manufactured on a platform for 10 years. The RAV4 has just gone out of production, so likely was conceived around 2009. That’s not long after the iPhone first existed. Jeeps were but a twinkle in the eye of Charlie Miller and Chris Valasek. Even the seminal Checkoway et al paper wasn’t published. The world was a different place then.

The comment about wiring harnesses is spot on. Cars are not phones on wheels, they are distributed safety critical mechatronics systems on wheels. With sky high expectations of reliability. And margins as low as $500. That imposes a set of constraints that those outside the industry can’t imagine.

As to why headlights need to be on CAN, just think about it. Headlights are more than lights. Turn indicators. Washer pumps. Wiper blade motors. Self-levelling controls. Corner-following beam steering. Beam matrix control. And diagnostics for all that to tell what’s broken. A headlight is not a school project light bulb powered by a potato. And it’s not just a case of a wire: these functions are hard real-time control functions that require short guaranteed message latencies (which is not the same thing as bandwidth, Horatio). And that doesn’t come without a communications protocol designed for short latencies with atomic broadcast features (two headlights, remember?).

And the notion that CAN bus is not secure by design? Well which fieldbus is at the hardware protocol level? What security-by-design does 10BASE-T1S have, Horatio?

So, that’s the past. What about now? Pretty much every car platform under development or recently finished includes some form of cryptographic messaging. AUTOSAR defines SecOC which uses the functions of on-chip SHE HSMs. It’s not perfect (it doesn’t include encryption of payloads, for example) and no cryptographic protocol is going to stop availability attacks. But it stops CAN frame spoofing of the type these thieves are using. The first cars using SecOC have been on the road for two or three years now, and if you track back in time to the inception of the platforms you’ll see that they come from around the time of the famous Jeep hack. That’s when the industry as a whole started to take this stuff seriously and stopped dismissing anyone who warned about it as Chicken Licken.

Fixing problems after manufacturing is a weak spot in the industry. A software fix is possible but proper car makers don’t just throw it out there after a weekend of testing. And a cryptographic solution requires a heck of a lot more than just the firmware: there is a whole key management infrastructure needed, right down to workshop tools to allow a new part to be provisioned securely or re-provisioned to be moved between vehicles. The question now is: how much effort are car makers going to make in order to fix these problems for the millions of cars on the road, some of which are almost new and will be around for a long time?
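The two comments above (crab's point about gateways that only pass allow-listed IDs and require authenticated frames for unlock/start, and Ken Tindell's description of SecOC stopping frame spoofing) can be made concrete with a small model of an authenticated CAN frame and the receiver-side checks. This is an added example, not code from the blog, its commenters, or AUTOSAR: it assumes a shared per-ECU key, a monotonically increasing freshness counter carried with the frame, and a truncated MAC over (CAN ID, counter, payload). Real SecOC specifies AES-CMAC computed inside a SHE HSM and a particular bit layout; HMAC-SHA256 is substituted here only because it is in the Python standard library. The CAN IDs and key are constructed for the demo.

```python
"""Simplified SecOC-style authenticated CAN frames (added illustration).

Assumptions (not from the page or the AUTOSAR spec):
  * one shared 128-bit key per sending ECU, provisioned out of band
  * 64-bit monotonically increasing freshness counter per CAN ID
  * 4-byte truncated HMAC-SHA256 instead of AES-CMAC
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

MAC_LEN = 4                      # truncated tag length (constructed choice)
DEMO_KEY = bytes(range(16))      # constructed demo key for this example only
UNLOCK_ID = 0x3B3                # constructed CAN ID, not any real vehicle's


@dataclass(frozen=True)
class Frame:
    """A CAN frame extended with freshness counter and truncated MAC."""
    can_id: int
    counter: int
    payload: bytes
    mac: bytes


def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    # MAC binds ID, counter and payload together so none can be swapped.
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SenderEcu:
    """Legitimate ECU: increments its counter and tags every frame."""
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, payload: bytes) -> Frame:
        self.counter += 1
        return Frame(self.can_id, self.counter, payload,
                     _tag(self.key, self.can_id, self.counter, payload))


class ReceiverEcu:
    """Door/immobiliser side: gateway-style ID allow-list, replay check, MAC check."""
    def __init__(self, key: bytes, accepted_ids):
        self.key = key
        self.last_counter = {cid: 0 for cid in accepted_ids}

    def verify(self, frame: Frame) -> str:
        if frame.can_id not in self.last_counter:
            return "rejected: unknown id"          # gateway would drop this
        if frame.counter <= self.last_counter[frame.can_id]:
            return "rejected: replay"              # stale or reused freshness value
        expected = _tag(self.key, frame.can_id, frame.counter, frame.payload)
        if not hmac.compare_digest(expected, frame.mac):
            return "rejected: bad mac"             # injected without the key
        self.last_counter[frame.can_id] = frame.counter
        return "accepted"


def demo() -> dict:
    """Run the four cases a practitioner would want to see and return the verdicts."""
    door = ReceiverEcu(DEMO_KEY, accepted_ids={UNLOCK_ID})
    body_controller = SenderEcu(DEMO_KEY, UNLOCK_ID)
    results = {}

    legit = body_controller.send(b"\x01")                   # genuine unlock command
    results["legit"] = door.verify(legit)

    # Frame with the right ID and a fresh counter but no key: MAC cannot match.
    forged = Frame(UNLOCK_ID, legit.counter + 1, b"\x01", b"\x00" * MAC_LEN)
    results["forged"] = door.verify(forged)

    results["replay"] = door.verify(legit)                  # captured frame resent
    results["unknown_id"] = door.verify(Frame(0x7FF, 99, b"\x01", b"\x00" * MAC_LEN))
    results["legit_second"] = door.verify(body_controller.send(b"\x01"))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

The allow-list in `ReceiverEcu` stands in for the gateway filtering crab describes; the counter and MAC checks are what SecOC adds on top. As Ken Tindell notes, none of this helps against availability attacks (a node that floods the bus still wins), and the whole scheme depends on the key provisioning and workshop tooling he mentions, which the example simply assumes.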

Clive Robinson April 12, 2023 5:43 PM

@ WB,

Since you addressed,

“Blah Blah Blah. People have known this day was coming since at least 2007.”

At me…

It was longer actually, way way longer, you will note I said “last century” above, and compared it to an attack some security folks were protecting against in the 1960’s (by the likes of “physical measures” such as pressurized conduiting with alarms driven by pressure sensors and similar).

Back when these IO buses came into existence the 8bit CPU as a control engine (See PIC controllers[1]) were the way to do “system IO” in “Control Systems” (and in many cases still are with newer parts in the PIC line up).

Whilst they accomplished many things, such microcontroller chips could not even do “DES” and earlier crypto, they just did not have the resources.

And this has always been the issue,

“Security needs high end resource computing just to do standard encryption algorithms.”

Even microcontrollers with “security built in” such as for automotive industry door locks were often based on “rolling codes” (effectively “poorman’s stream ciphers” built on “Linear Feedback Shift Registers”(LFSR) designs).

Likewise in modern 32bit microcontrollers based around MIPS CPU core “silicon macros”, AES generally requires “silicon real estate” that is unavailable in low power microcontrollers used in control systems. Thus Public Key and similar is effectively beyond most microcontroller based designs even now so “physical security” measures are required still…

[1] The “Peripheral Interface Controller”(PIC) was originally developed by the Microelectronics Division of “General Instruments” back in the mid 1970’s. It was little more than an 8bit CPU with 12bit instructions to act as a “sequence controller” to replace large amounts of TTL and similar control circuits. It was the 1970’s that saw the birth of another 4bit “calculator chip” the 4004 from Intel that gave rise to the 8bit 8080 and Z80, with other 8bit chips like the 6502 –which is still in production as a licenced macro– giving birth to the home and business “Personal Computers”. The PIC however never really made it out of the “IO control” field, and ended up being one of the most used “out of sight” microcontrollers in embedded systems.

Clive Robinson April 13, 2023 6:30 PM

@ modem phonemes,

Re : Use of Radio to unlock

“[I]s there (currently) some way to perform the attack using wifi signaling ?”

Certainly something similar, you might want to have a look at,

https://m.youtube.com/shorts/QM9YBAHypDQ

And the earlier videos with regard to the device and accessing a vehicle by use of an SDR type radio transmitter.

CommandKey-Period April 16, 2023 9:32 PM

security issue one, please let me introduce you to security issue two:

So, I wrote a HyperCard script to explain the current national security risk:

on mouseDown
ask “What do you think is going to happen now?” with “holy crap! this is not acceptable!”
put (it) into RealityCheck
repeat until mouse()=”up”
mass shootings via ballistic weapons behavioral epidemic (actual, not “covid”); too many gun deaths
ballistic weapons stored in parked vehicles in various public and private areas
hackable parked vehicle doors
if RealityCheck = “holy crap! this is not acceptable!” then
exit to HyperCard
else
play “Dying Civilization”
end if
end repeat
— this is why I have the feeling that America got taken over by sadistic, malevolent, insane, violent, idiots
end mouseDown
