Asked how exactly a remote attacker could get in, NXP's Besenbruch mentioned "On-board diagnostics (OBD)," to which service personnel have access during routine maintenance for diagnostics and ECU programming. Attackers can also go after the in-car entertainment system, he added, by "introducing false code into MP3 files," for example. By playing the file, a user unknowingly plants malicious input in his in-car entertainment system. That may not seem like a big deal, but many in-car systems today are interconnected over the CAN bus. A compromised MP3 or CD player in a car could be the cancer that metastasizes in other automotive components.
The University of Washington and California-San Diego researchers stated in the paper:
"We find we are able to obtain complete control over our car by placing a call into its cell phone number and playing a carefully crafted audio signal (encoding in an iPod) that compromises its embedded telematics unit."
Other attack scenarios include much more direct physical access via short-range wireless interfaces, such as Bluetooth, WiFi, remote keyless entry, tire pressure monitoring systems, and RFID car keys, and via long-range wireless interfaces such as broadcast channels including a cellphone interface, GPS, satellite radio, and digital radio.
Of course, in the case of a Bluetooth-based attack, for example, the saboteur would have to place a wireless transmitter in proximity to the car's receiver. Further, the attacker needs to learn the car's Bluetooth MAC address to remotely exploit the car's vulnerability. That does seem like a lot of work.
The researchers, however, concluded: "Our experimental analyses determine that a determined attacker can do so, albeit in exchange for a significant effort in development time and an extended period of proximity to the vehicle."
The scenario of remotely taking control of a car via a wireless interface isn't far-fetched, the authors argued. Most surprising to them was that their car's Bluetooth unit responded to pairing requests even without any user interaction.
Open vs. closed system
Indeed, wireless channels open a plethora of vulnerabilities, "allowing attackers to trigger actions remotely on demand, synchronize across multiple vehicles, or interactively controlled," according to the paper's authors.
NXP's Besenbruch concurred. Unlike the financial world, where credit cards, PIN numbers, and ATM machines are designed to operate in a closed system, he said, "the automotive industry faces particular technical challenges." Car manufacturers have striven to maintain an open system, so that they don't have to reinvent the wheel every time a new control system is introduced into a new model. Today, some cars already have more than 70 control units inside, he added, all of them interconnected.
EE Times' Automotive Designline will examine how the automotive industry and chip suppliers are planning to address such issues in the coming series of articles.