DaveK’s Embedded Security Blog


Smart Phone + Car = Stupid?

Dave Kleidermacher

7/26/2010 12:08 PM EDT

Welcome to the inaugural blog.

On Thursday, GM announced the addition of smart phone connectivity to most of its 2011 cars via OnStar. For the first time, engines can now be started and doors locked by ordinary consumers, from anywhere on the planet with a cell signal. Surely this remote network couldn’t be used maliciously, say to disable the brakes while driving?

We have nothing to fear, right? Allow me to remind you of another recent headline in which a team of university researchers commandeered a car’s brakes, engine, and door locks via a diagnostics port. They learned how to bridge from the low security network to the critical systems using fuzzing techniques. The researchers showed admirable determination; practically every major critical subsystem of the car was discovered, learned, and then totally subverted. Brakes and engine were disabled while the car was in motion, demonstrating that the attacks could indeed place passengers in extreme peril. The research paper is fantastic, a must-read for embedded security professionals and enthusiasts.

Many articles and blogs have been penned in response to the research, but the overall reaction has been muted, almost soporific. This may be caused by the authors’ diligent attempt to preempt panic:

“We're not interested in taking an alarmist tone.”

“We have no reason to believe this is an issue today.”

“Today everyone is focusing on Web security and botnets. We want to make sure that in 5 or 10 years we don't add cars to that list.”

Go back to work, nothing to worry about here folks.

Are you @#$%& kidding me? I find the absence of alarm surprising and concerning in and of itself. Are the researchers advocating security by obscurity? They refuse to reveal the hacked car’s make and model and are not releasing their “car shark” tool used to implement the subversions.

OnStar has always provided a remote connection. Attaching to the cellular networks simply opens up more avenues of attack. Some may ask why anyone would want to attack the car network? That’s like asking why anyone would want to attack the power grid. Think about it. What better way to guarantee catastrophe than disabling the brakes on millions of cars, simultaneously? The bad guys have really smart and dedicated researchers too.

We need to take an alarmist tone. The research demonstrates that we have millions of vulnerable cars on the road. We now know attackers are sophisticated enough to disable your brakes while you’re barreling down the highway. The only question is whether attackers are sophisticated enough to find a way in remotely. Once they’re in, game over man, game over.

“In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance.”

“Taken together, ubiquitous computer control, distributed internal connectivity, and telematics interfaces increasingly combine to provide an application software platform with external network access.”

While the researchers declined to reveal make and model, I matched photos in the research paper to online sales sites, and it appears to be ... you guessed it: a GM car with OnStar! In particular, the 2009 Chevy Impala.

Ironically, OnStar - a safety and security system - may now provide the means for distributed, remote attacks. Passengers want the Internet inside and smart phone apps to control convenience functions, but they never expected these interfaces to be connected to the drivetrain!

“The CLS [Central Locking System] must also be interconnected with safety critical systems such as crash detection to ensure that car locks are disengaged after airbags are deployed to facilitate exit or rescue.”

What the writers aren’t talking about is what we can do about car security TODAY. Most likely small changes could be made to better isolate the network subsystems. Strong cryptographic authentication must be used for all network connections. Trusted platforms and remote attestation must be used to prevent rogue firmware installs from exposing the car network to attackers. ECUs with mixed criticality functionality must employ high assurance partitioning and access control: the rear-view camera must not be affected by iTunes.
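As an added illustration (not code from this blog, the research paper, or any vehicle), the sketch below combines two of the measures above: a gateway between the telematics network and the critical bus that authenticates every frame and forwards only an allow-list of convenience functions. The message IDs, frame layout, key and names are all hypothetical.

```python
import hashlib
import hmac
import struct

# Hypothetical message IDs: only convenience functions may cross the gateway.
ALLOWED_IDS = {0x3E0: "door_lock", 0x3E1: "remote_start"}
MAC_LEN = 8      # truncated HMAC-SHA256 tag (constructed frame layout)
HEADER_LEN = 6   # 2-byte message ID + 4-byte freshness counter


def make_frame(key: bytes, msg_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header || payload || truncated HMAC over both."""
    header = struct.pack(">HI", msg_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


class Gateway:
    """Sits between the low-security network and the critical bus."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def forward(self, frame: bytes):
        """Return (True, function) if the frame may cross, else (False, reason)."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return (False, "malformed")
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-MAC_LEN]
        tag = frame[-MAC_LEN:]
        expected = hmac.new(self.key, header + payload,
                            hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison; reject anything not made with the key.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad-mac")
        msg_id, counter = struct.unpack(">HI", header)
        # Freshness: a captured frame cannot be replayed later.
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        # Isolation: even a correctly authenticated sender cannot address
        # functions outside the allow-list (for example, braking).
        if msg_id not in ALLOWED_IDS:
            return (False, "id-not-allowed")
        return (True, ALLOWED_IDS[msg_id])
```

The allow-list check is what limits the damage if the telematics unit itself is compromised and still holds a valid key: authentication alone would let it address any function on the bus.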

Car manufacturers and tier-1 OEMs may not have been thinking a lot about security when they designed the cars hitting roads today, but clearly that must change. Manufacturers must work closely with embedded security specialists early in the design and architecture of in-car electronics and networks. Security as an afterthought never works. But done right, smart phones and cars can be a beautiful combination.


Dave Kleidermacher has been developing systems software for high criticality embedded systems for more than 20 years and is one of the original developers of the INTEGRITY operating system, the first software technology certified to EAL 6+ High Robustness, the highest Common Criteria security level ever achieved for software. He managed INTEGRITYʼs development for a decade and now serves as the chief technology officer at Green Hills Software. This is his personal blog; opinions expressed are not necessarily those of GHS.





Yehudit

7/27/2010 10:26 PM EDT

This is truly an amazing article!! Personally, I love the smart key to my Prius. However, I never imagined that this technology could be susceptible to fuzzing techniques. As a professional, you have raised awareness about the technology that we as consumers take for granted every day. Great job! I would be interested in a follow up to this article somewhere "down the road." :)



Rich Krajewski

7/28/2010 4:33 AM EDT

Don't worry. They'll put Windows in it. Then you'll be able to buy McAfee for Chevys. Or, you can just keep fixing that '89 Ford Festiva. You know, the one designed by Mazda, built by Kia, and sold by Ford. It got 50 miles to the gallon. (Ford wouldn't admit it, but every Festiva owner I knew, including me, got 45 to 50 miles per gallon. Ford insisted it wouldn't get more than 29 mpg.) Not a single Festiva could be remotely hacked. No, it didn't run Linux. It ran on cheap mechanical points that were housed in a distributor, that ignited fuel that was fed into the cylinders via an old-fashioned carburetor. "Hello, OnStar? I'm passing yet another gas station!" "This is OnStar. Get that car off the road, and go buy one that we can control remotely. And don't worry, it will be safe. Just like Windows."




ahshabazz

7/29/2010 5:59 AM EDT

@Dave.Kleidermacher by mentioning the make and model you are allowing disingenuous defense lawyers to quote you; you may have opened your company up to libel.




IqbalSingh.Josan

8/9/2010 5:29 PM EDT

Great article! It highlights the importance of security for embedded systems. Network connectivity of all consumer devices and equipment, from cars to refrigerators and air conditioners, is inevitable. And with that, like a double edged sword, comes the risk of exposure to the "network cloud". The only antidote is to design and build embedded systems, from the ground up, with built in, strong network security function, that is robust enough to withstand hacker attacks. A multi-level approach will probably need to be implemented at the SoC level, equipment level, network level, service provider level, user level and so on...
My Blog: www.uspurtek.com



Duane Benson

8/13/2010 11:39 AM EDT

If we're not careful, we'll end up changing the definition of the word "smart". "Smart" = dumb enough to be cracked and hacked. We'll have this issue with smart phones, smart cars, the smart grid, smart appliances, not to mention our regular computers.


This speaks to our propensity to not completely design things. Cars were first designed without seat belts. Seat belts and other restraints were designed in after enough people flew out of their cars or crunched into windows. They didn't become ubiquitous until government mandate.


I suppose you could say that with the first cars, designers didn't think about people falling off - people fell off horses all the time and rarely got seriously injured. With the first PCs, I suppose it must have been hard to imagine the virus problems we have now.


But, come on. At this point, we all know that security is a massive issue and will only get more so. The first car designers and early PC designers had an excuse. We don't now. Designing a future car without serious security is tantamount to designing a car today without seat belts. It will lead to serious problems. Not "may lead to", it will. It should simply be a hard and fast requirement. And if we don't know how to do it right, then research needs to be put into new types of security in the same way that research is now going into new types of batteries.




mac_droz

3/25/2011 6:00 AM EDT

Where does this "connectivity" madness come from? Why should a toaster be connected to the net? Can't it just make toasts? Why should electrical grid use Internet for communication and not internal network with optical fibers being part of the power wires so NO ONE could access them? And why is it so important to have your car connected? To start it remotely? You have to be inside to use it DUMB!

There is a whole new hype being pushed - cloud computing - do not own your data just lease it. People do not realise that then the system will decide if you have access to your data or not - it may "cut you off" if it stops liking you... The other side is that with the companies using cloud (the owner of my company thinks it’s the next BIG thing) there is no need for industrial espionage anymore because you DON'T own your data anymore - it's owned by.... Google? Yahoo?? Whoever... with their powerful computers searching for the phrases in your documents as you type it.

There is just one word for all that: STUPID!



