Boston — Chances are, your car is newer than my "younger" car, which is 16 years old. Although my cars have some electronic hardware and software under the hood, they have far less than today's new vehicles. Thus, I don't have to worry about wireless software updates, bugs, or hackers causing "crashes." Today's vehicles rely heavily on electronic control units (ECUs) that need software updates. But as we've seen, wherever there's software, there's a hacker looking for weaknesses to exploit. Security is a big issue, which may be one reason that I hang onto my old car.
We've already seen software hacks in vehicles, as Junko Yoshida reported in Auto Security Demands All-Over Answer. Recognizing the problem, a group of researchers, students, and developers from New York University, the University of Michigan, and the Southwest Research Institute have developed a software architecture designed to combat intrusions during ECU firmware updates.
NYU Prof. Justin Cappos leads the Uptane design project.
Called Uptane, the architecture is intended as an open platform in which software developers, mathematicians, and cryptographers can participate in its development and testing. The Uptane working group revealed its design at a meeting with auto makers and their suppliers on January 17th in Ann Arbor, Mich. The following day, I spoke with project leader Justin Cappos, professor of computer science at NYU's Tandon School of Engineering, about how this technology will be tested.
In the video below, NYU PhD student Trishank Karthik Kuppusamy describes the problem and the Uptane architecture. Because the Uptane concept is open to the public, you can read the 27-page Design Overview. The details reside in the Uptane Implementation Specification.
Updating software involves a complex system of transferring software images and metadata stored in repositories and delivered to ECUs. During the process, updates must be verified for authenticity and proper delivery. The verification relies on cryptographic keys that vouch for genuine images stored in a repository, and those keys can expire. Security software needs to keep those keys out of hackers' hands.
15 of the most hackable and exposed attack surfaces on a connected car. (Source: Intel)
A key aspect of the Uptane design is the addition of a director role on the server side, as opposed to the client side. The Design Overview explains how the director identifies updates in its database and uses the vehicle's VIN, together with each ECU's unique serial number, to verify which vehicle and ECU should receive the update. Once all are verified, download and installation instructions are invoked and updates can begin. Of course, there's a lot more information needed for security, such as timestamps. The documents linked here explain those details.
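To make the verification steps above concrete, here is an added Python illustration written for this article; it is not Uptane's own code or its metadata format. An ECU receives signed "target" metadata from the director and only installs an image if the signature checks, the metadata has not expired, it is addressed to this VIN and ECU serial, the version is newer than what is installed, and the image bytes match the hash and length the metadata promises. HMAC with a shared key stands in for the public-key signatures Uptane specifies, so the example runs with the standard library alone; every key, VIN, serial number and image byte string is constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed key shared between director and ECU for this demo.
# Uptane uses public-key signatures; HMAC is a stand-in so the code runs offline.
DIRECTOR_KEY = b"constructed-director-key-do-not-use"


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(signed, key=DIRECTOR_KEY):
    """Wrap a metadata body with its signature (director side)."""
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": sig}


def make_target_metadata(vin, ecu_serial, image, expires_at, version):
    """Director describes which image a specific ECU in a specific vehicle should install."""
    return sign_metadata({
        "vin": vin,
        "ecu_serial": ecu_serial,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "image_length": len(image),
        "version": version,
        "expires": expires_at,          # epoch seconds; metadata is only valid before this
    })


def verify_update(metadata, image, vin, ecu_serial, installed_version, now, key=DIRECTOR_KEY):
    """ECU-side checks. Returns (accepted, reason); signature is checked before any field is trusted."""
    signed = metadata.get("signed", {})
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, metadata.get("signature", "")):
        return False, "bad signature"
    if now >= signed["expires"]:
        return False, "metadata expired"
    if signed["vin"] != vin or signed["ecu_serial"] != ecu_serial:
        return False, "metadata not addressed to this ECU"
    if signed["version"] <= installed_version:
        return False, "rollback: version not newer than installed"
    if len(image) != signed["image_length"]:
        return False, "image length mismatch"
    if hashlib.sha256(image).hexdigest() != signed["image_sha256"]:
        return False, "image hash mismatch"
    return True, "ok"


def demo():
    """Run the verifier over a valid update and several failure modes; all inputs are constructed."""
    now = 1_700_000_000
    vin, serial = "CONSTRUCTED-VIN-000001", "ECU-SERIAL-42"
    image = b"\x7fELF constructed firmware image v2"
    good = make_target_metadata(vin, serial, image, expires_at=now + 86400, version=2)

    results = {}
    results["valid"] = verify_update(good, image, vin, serial, 1, now)
    # Image altered in transit: metadata still verifies, but length/hash no longer match.
    results["tampered_image"] = verify_update(good, image + b"\x00", vin, serial, 1, now)
    # Same metadata replayed to a different vehicle.
    results["wrong_vehicle"] = verify_update(good, image, "CONSTRUCTED-VIN-000002", serial, 1, now)
    # Stale metadata presented two days later.
    results["expired"] = verify_update(good, image, vin, serial, 1, now + 2 * 86400)
    # ECU already runs version 2; re-installing it is a rollback/freeze attempt.
    results["rollback"] = verify_update(good, image, vin, serial, 2, now)
    # Attacker edits the signed body without the director key.
    forged = {"signed": dict(good["signed"], version=3), "signature": good["signature"]}
    results["forged"] = verify_update(forged, image, vin, serial, 1, now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} accepted={ok} ({reason})")
```

The order of the checks matters: nothing inside `signed` is consulted until the signature over it has been verified, so an attacker who can rewrite the expiry, the target VIN or the version number gains nothing without the director's key. Expiry and version checks are what turn a replayed, once-valid update into a rejected one.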
"There are three issues," said Cappos in our telephone interview:
How do you know if the design is good?
How do you know if the implementation of the design meets the goals of the design?
How do you know that the way it's used in practice still has the desired properties?
As with any design, Uptane needs testing and verification. With security products, you don't know how well security software does its job unless it fails. Because Uptane is an open design, its creators have invited the software community to try to crack it and provide feedback.
"We apply best practices used in computer science to test security code," said Cappos. "We will write our test procedures so that anyone can implement them with test code written in any language."
Why invite others to try to hack a system? "It's possible that we missed something," said Cappos. Software companies regularly invite others to evaluate and comment on designs. That's why software developers release alpha and beta versions; they want public comment. "The software you use today has been evaluated by programmers, mathematicians, and cryptographers," explained Cappos. "We want smart people to try to break the code. Evaluations by hundreds, and perhaps thousands, of experts can find many flaws." Cappos noted that he's already received emails from people reviewing the Uptane design. At this point, the feedback is bringing in questions rather than pinpointing errors. That will surely come, but it will take time, and those findings should result in a more secure design prior to implementation.
Could a reviewer find a flaw, recommend a change, and then exploit it? Cappos responded by saying that the review community is asked to publicly comment on design changes, which lets others review suggested changes.
If the Uptane concept proves successful, it could find its way into applications beyond cars. Hopefully, software developers will be able to take advantage of it, especially in IoT and Industrial IoT, which I really fear could open many doors to hackers if not implemented properly.
I've been working with computer-based OBD II scan tools. But only investigating the actual ECM available mods for my vehicle. Due to medical issues I haven't pursued re-chipping and/or flashing my vehicle's computer yet.
I have read headlines that caught my eye, about newer vehicles' onboard computers that are unnerving.
1. Vehicle owner doesn't own and/or control access to their own property:
There is too much consumers DON'T KNOW about their new cars, in regards to the computer controlled boxes the cars now contain.
a. First, according to state laws, access to these boxes is not the owner's.
(I think I read years ago that only 1 state ruled that the ecm in a vehicle owner's vehicle was the OWNER'S property. I thought it was Kansas, but I don't readily recall)
(also, in the case of an RV, if parked at the time, might be SAFE from ecm data-seizure if it met the status of a domicile. Protected against unlawful search and seizure, like a house would be)
The vehicle owners in the other 49 states apparently do NOT own nor control access to, their car's computer assemblies.
So their vehicle's "black boxes" could be accessed without their permission nor consent!?
Most likely time this would happen is after an accident.
b. To find out just WHAT DATA is logged, that investigators can connect to, download and discover from your vehicle's ecm units, just google terms like:
In any case, an ever-growing amount of the vehicle owner's driving data and possibly personal data, since GPS, cell phones and wifi are now onboard.
So theoretically your vehicle's black boxes could be used to testify against you in court perhaps? (Unless vehicles are also equipped with driver's angle/view cameras, the black box data is only PART of the story. The sensor's story).
What about calibration? How accurate is the gps? +/- 10 feet? 20 feet?
In any accident, if it is off even just a few feet, that could implicate vehicles that shouldn't be implicated.
2. vehicle buyers have no say:
How many vehicles are out there these days that offer the same options you had in your old vehicle? Perhaps you had just: 4-wheels, engine and 1 basic ecm box? None.
Can you even order your vehicle w/o the stuff you do not want, like [examples] no wifi, no cellphone connection, no bluetooth, no multimedia, etc? Doubtful as these extras are now becoming more and more standard.
3. remote access: It's been 10-15 years ago, but the technology existed, and car dealers installed/used it, to remotely DISABLE a car.
I remember one TV expose that slammed the car dealer that DISABLED some single parent's vehicle "remotely", as they were driving their infant or small child to receive medical care.
4. Car makers won't disclose what is inside:
Label things "proprietary secrets" and you don't have to tell consumers, and apparently 3rd party scan tool makers, what's going on.
a. bring profits back to dealerships that HAVE the diagnostic tools needed to fix your vehicles.
b. stifles 3rd party testing tools for small father and son garages that can't afford new scan tools and/or annual access to software/firmware from the vehicle maker.
c. Stops the shade tree mechanic from doing anything but perhaps replace their own oil and filters.
5. wifi jacking - what about those sick folks that feel someone has wronged them, so they spoof an authorized connection into their target's wifi. Then text or email threats to [whoever]. Then because the wifi traced back to a specific vehicle, police could obtain GPS data of said vehicle and deploy SWAT?
What if the target has their whole family inside said vehicle, then are suddenly surrounded ? Or worse, harmed?
I have been in the IT world for over 25 years and taken digital forensics for computers.
None of this is far fetched.
Vehicles today are now becoming MOBILE DATACENTERS: internet accessible, cell phone accessible, GPS enabled, "commuter enclosures" that can travel on streets and highways.
As a car enthusiast who has aftermarket software used to reprogram their ECM for performance modification, this sounds like a chilling end to my freedom!
There was a legal battle over who owns the software a few years ago, where the manufacturers tried to use the DMCA to prevent users from modifying their software, but the end users won. With these changes, we won't be able to modify our software.