Car Hacking: NXP Pushes Flexible Security

7/11/2013 01:15 PM EDT
junko.yoshida
User Rank
Blogger
Need for automotive security
junko.yoshida   7/11/2013 3:14:01 PM
I know some of you have found my previous story "How Hackers Can Take Control of Your Car" (http://www.eetimes.com/document.asp?doc_id=1318838&) somewhat an alarmist's view.

Perhaps.

But I'd like to submit to you that there is real-world engineering/development work going on around automotive security.

Hackers may not find their way into the car you have now; but they will eventually -- if your next car is not prepared.

I am talking to a number of experts as I write this. I will be sharing their views in this series. 

boblespam
User Rank
CEO
Re: Need for automotive security
boblespam   7/12/2013 2:54:21 AM
Hi Junko,

I've read the Savage report you mentioned with a lot of interest as it's my job to design such electronics. I designed one of the first MP3 players for car radio in Europe (OEM and aftersale). I can tell you the type of attack (MP3 buffer overflow) mentioned in the report is just impossible in that case as the MP3 decoder was hardware. I guess it's possible to do a buffer overflow with a software MP3 decoder but I seriously doubt that it could be used to hack the car itself (maybe the car radio alone, even that would be quite time consuming for poor impact). Was there a real demo of what they could do on an unmodified car with this type of attack?

What makes me think it's impossible to hack a car from the car radio is: The only network between the car radio and the rest of the car controllers is the CAN bus, often through gateways (the body network is physically independent of the engine network). CAN reliability is based on hardware message filtering, this way a controller cannot be overflowed by a CAN bus. It's part of the validation process of all well-designed controllers to check that it cannot crash because of a CAN bus overflow, not because of the fear of a hacker's attack but more because of the fact that a controller could go crazy on the bus and overflow it (This kind of bug already happened in real life).

Today I design engine and body controllers for different car manufacturers; we have had security schemes in the bootloaders for about 10 years or more. It's mostly based on encrypted keys to allow calibration changes (it's easy to do a BO attack with a calibration change) and updated software download. There are also CRC checks and stuff like that (not talking about key(less) authentication). I know some people could go around these, mostly because of the weakest link: the garages. We need to have the possibility to update the software for the most important controllers of the car, it's a requirement of the car makers. These updates are done in the car repair stations of the brand and these will always remain the weakest link.

The solution to make the controller chip non-reprogrammable (mentioned by Patrick) is not applicable in that case. For the controllers that don't need reprogrammability, we just use OTP (One Time Programmable) microcontrollers which are cheaper than Flash µC and physically impossible to recode.

junko.yoshida
User Rank
Blogger
Re: Need for automotive security
junko.yoshida   7/12/2013 8:05:23 AM
Thanks @boblespam for your detailed comments. Always great to hear from an engineer who actually does the work -- like you do.

I do understand the existence of two physically independent networks in a car, as you pointed out: the body network and the engine network.

But they are connected through gateways. Is that correct?

Then, is there any possibility that the very gateway could be infected by malicious code?

Curious mind wants to know.

 

ssavage920
User Rank
Rookie
Re: Need for automotive security
ssavage920   7/12/2013 12:53:32 PM
> Was there a real demo of what they could do on an unmodified car with
> this type of attack ?

Yes, we were able to achieve arbitrary control of automotive systems via this channel. In our car (as with an increasing number of modern cars) the entertainment unit was a CAN bus peer and thus, having compromised the CD player, our code then used another exploit to compromise the telematics unit, then downloaded more code and was able to control any ECU in the vehicle. It is quite common that audio parsing is done in software these days to support the plethora of formats demanded by consumers.

We have demonstrated both bridging the explicit CAN gateway and creating an implicit CAN gateway via the telematics unit.

David.Proffer
User Rank
Rookie
Re: Need for automotive security
David.Proffer   7/12/2013 2:55:10 AM
Junko, good for you and EETimes to surface these issues. I have to say, it is so scary to read the comments by some (I am assuming by the fact they are at the EETimes web site) knowledgeable and educated engineers on this article and your other one:

http://www.eetimes.com/document.asp?doc_id=1318838&

 

The ones I refer to are those that are in total denial that cars being developed today are hackable and/or make the arguments that if the car is hackable, why go to the trouble, just run into it or cut the brake line....

Are none of these engineers aware or following the massive outcry about the security holes in our existing infrastructures? Have they not followed STUXNET?

Very sad and scary! Shows how much education or quick retirement needs to be done NOW.

David.Proffer
User Rank
Rookie
Re: Need for automotive security
David.Proffer   7/23/2013 2:21:02 AM
There are two talks coming up at DEFCon 21 and BlackHAT in the next couple weeks on car hacking. Both should really help to get people understanding the risks and possibilities in this area and why addressing security should be as important as it is for all other control systems. 

I ran across this short YouTube video published recently by one of the speakers, he demos control of steering:

 

http://www.youtube.com/watch?v=ws8lSobe-sk

 

krisi
User Rank
CEO
threat
krisi   7/11/2013 6:48:35 PM
Looking forward to these security enhancements...the risk has to be put in context, someone can just drive into you creating more damage than any hackers could

junko.yoshida
User Rank
Blogger
Re: threat
junko.yoshida   7/11/2013 6:50:53 PM
True. There is always that trade-off between reliability and security.

patrick.mannion
User Rank
Staff
Securing MCUs
patrick.mannion   7/11/2013 9:36:12 PM
I came across an interesting company recently that may offer a solution - albeit a bit extreme - for securing that automotive IC supply chain, Junko, particularly in the context of the MCU.

I was talking with Olek Cymbalski, owner of OPC Technologies (www.opct.com). He described their service which secures the supply chain by taking in the MCUs to be used in a particular design, programming them here in the US using the required code, removing the ability to recode (securing them) then shipping them to the production line -- anywhere in the world. This, according to Cymbalski, takes the programming details out of the engineers' hands, while at the same time ensuring the ICs aren't tampered with along the way from the MCU manufacturer to the production line.

A bit extreme, but I'm sure Olek can comment more on it.

Don't you miss the days when automobile security meant buying The Club? Can you believe they still sell the original on Amazon? http://www.amazon.com/Original-Club-Steering-Wheel-Lock/dp/B0000CBILL

Only $39.99 - but wait, there's more!!:)

daleste
User Rank
CEO
Hard to believe it is an issue
daleste   7/11/2013 10:39:29 PM
There aren't many ways someone could connect to your car... actually, none.  The only way to hack your car is if you do it yourself or have someone do it for you since you would have to physically modify it.  It looks like the real issue here is that the car companies don't want you to be able to make modifications to your car.  Reminds me of when I was waiting for some friends after work at a brew pub in Austin in 1999.  It was crowded and some women offered to share their table with me.  One of them was explaining that she quit her job and started a company to fix the year 2000 issue with cars.  She was convinced that cars would stop working on 1/1/2000.  She said it was the microcontrollers.  I was a design manager for microcontrollers in the automotive division at the time.  I told her that there was only one microcontroller in the car that knew what time it was and it didn't know if it was am or pm much less what year it was.  She wouldn't listen to me so I moved to another table.  I wonder how her company did.

junko.yoshida
User Rank
Blogger
Re: Hard to believe it is an issue
junko.yoshida   7/12/2013 7:47:47 AM
ha ha. Your Austin bar story is pretty funny!

But here's the thing. I have been told that there are instances that users try to modify their own cars (or in the case of car sharing, shared cars) to change mileage. Some people also change engine parameters (say, manipulate it from 100 horse power to 120 horse power engine).

Such manipulation on engine parameters can be done by software, according to my source. And such actions could directly affect reliability of a car, for example.

daleste
User Rank
CEO
Re: Hard to believe it is an issue
daleste   7/12/2013 8:08:10 AM
Yes, that makes sense.  The automotive companies have always worried about their vehicles being modified.  They have made it harder for us to work on our own cars.  Making a modification should void the warranty, but they worry about the liability if something happens due to the modification.

Tom Murphy
User Rank
Blogger
Re: Hard to believe it is an issue
Tom Murphy   7/12/2013 12:23:12 PM
If electronics don't make a car safer and more efficient (in that order), then why would we want to add them?

As I read this, I'm thinking of a much cruder crime problem today: there are car burglars wandering the streets of America now with cheap, hand-held boxes that pop the automatic locks on cars as they pass by.  Not exactly rocket science, but another example of how an unnecessary convenience is turning into a problem.

Question: Would you buy a safe, efficient car with minimal electronic gadgets (no hands-free audio controls, no power windows or doorlocks), if it were half the price of the standard model with all the extras?  

ssavage920
User Rank
Rookie
Re: Hard to believe it is an issue
ssavage920   7/12/2013 12:48:42 PM
> There aren't many ways someone could connect to your car... actually, none.

Sorry, but this is factually not true for most modern automobiles.  If you read our work, you'll see that we accomplished remote wireless connection and compromise of our cars via two different channels (and compromise via two other non-wireless channels that did not require direct physical access by the adversary).  I recommend you read our 2011 paper at autosec.org to understand the breadth of the automotive attack surface.

junko.yoshida
User Rank
Blogger
Re: Hard to believe it is an issue
junko.yoshida   7/12/2013 1:01:26 PM
@ssavage920, wow, I am glad that one of the authors of the acclaimed report ( I promise we won't call it "savage report" any more ) responded to this messageboard. Thank you.

Now, this gives us an opportunity to hear the facts from the horse's mouth.

The 2011 paper, written by Mr. Savage, et al, and quoted in this story, can be downloaded here:

http://www.autosec.org/pubs/cars-usenixsec2011.pdf  

daleste
User Rank
CEO
Re: Hard to believe it is an issue
daleste   7/12/2013 10:50:53 PM
Okay, I concede.  Interesting paper.  I don't think car thieves would have the ability to do the reverse engineering that you did and I don't think engineers would sell that information to the thieves, so we are relatively safe.  I expect the automotive manufacturers to take notice and improve their security.  Thank you for the education.

prabhakar_deosthali
User Rank
CEO
Re: Hard to believe it is an issue
prabhakar_deosthali   7/15/2013 7:37:42 AM
@daleste

You cannot always be sure that an engineer in your company will not pass on the technical information to some unscrupulous elements.

A disgruntled engineer may himself misuse such information to disrupt the security features.

The idea of having two separate networks in the car is good. And as per my knowledge these two networks need not be connected as they will be handling mutually exclusive functions.

ssavage920
User Rank
Rookie
Autosec report
ssavage920   7/12/2013 12:45:04 PM
So I'm the aforementioned Stefan Savage.  I wanted to make a plea to please not call this the "Savage" report.  It could also be called the Kohno report after my co-PI Yoshi Kohno from the University of Washington.  But this too would be wrong.  The two of us provided the context, funding and encouragement for doing this work, but all the credit is due to the amazing group of students at UW and UCSD who pulled off the impossible again and again to complete this research.  Call it the Checkoway report, or the Koscher report, or the Rosener report or the McCoy report or the Czeskis report if you must (or, more concisely the "Autosec report", after the site autosec.org where we've made our papers available).   There is a tendency to fetishize faculty and aggrandize their contributions, but I can tell you that you could have locked Yoshi and I in a room with those cars for five years and we would not have pulled this off.

Kinnar
User Rank
CEO
Security but on the other hand dependability
Kinnar   7/14/2013 4:36:45 PM
The article is very nicely discussing about the security requirement, and the electronic component manufacturing companies are also trying hard to implement better securities. But equally on the other side it is turning out that the customers will have to be dependent only on the OEMs. The entire business of spares will be getting centred around Original Manufacturers. This also leads to unavailability of the parts in the distant region globally.

junko.yoshida
User Rank
Blogger
Re: Security but on the other hand dependability
junko.yoshida   7/15/2013 9:49:51 AM
The chain of custody of those codes and chips is going to be more important than ever before.

LarryM99
User Rank
CEO
Re: Security but on the other hand dependability
LarryM99   7/15/2013 6:35:45 PM
I am not so sure that I am comfortable with a trust element buried deep inside the car. Personally, I would prefer to have it accessible and removable or even remotely accessed. A paradigm where my authorizations were in my cell phone might even be attractive. Yes, it opens up other issues, but at least I can loan or sell my car without worrying about giving away my credit card numbers in the process.

At a minimum it needs two-factor authentication. Biometric identification built into the car could be useful along those lines, given that cars gain from personalization anyway. There also needs to be secure wipe and authorization lock in the system.

junko.yoshida
User Rank
Blogger
Re: Security but on the other hand dependability
junko.yoshida   7/15/2013 8:04:37 PM
That's a really good point, LarryM99. You wrote:

...at least I can loan or sell my car without worrying about giving away my credit card numbers in the process.


I wonder if this could be even remotely possible. I'd check.

 

Charles.Desassure
User Rank
Manager
Get things right the first time
Charles.Desassure   7/14/2013 11:39:56 PM
Thanks for this article, but I think it is a neat idea to start talking about auto security.  Why do we have to always experience any real-life disasters as a result of car hacking?   Yes, we need to keep in mind the Edwards Deming Theory, try to get things right the first time.

junko.yoshida
User Rank
Blogger
Re: Get things right the first time
junko.yoshida   7/15/2013 9:41:16 AM
Getting things right the first time is harder... Anticipating security holes is, I think, the hardest part for many engineers. It needs a different mindset.
