The Anti-virus Times

Friday, January 19, 2024

In our issues of the Anti-virus Times, we often talk about the various cyberthreats that target users of home computers and other devices that have become an integral part of modern life. The digital infrastructure around us includes a huge number of devices — personal computers, smartphones, smart TVs, and other gadgets, as well as network equipment, storages, networks, and servers. All this is managed by countless programs, using various protocols and algorithms; most often this work is completely invisible to the ordinary user.

Our readers know that this sophisticated but complex digital system of interactions has a fundamental problem — a security problem. Malicious code can affect almost all levels of information exchange, starting with the exploitation of low-level vulnerabilities and ending with trivial online fraud. Therefore, with the development of digital technologies and the widespread use of smart devices, the issue of security not only does not lose relevance, but, on the contrary, becomes the cornerstone of the entire industry. And in today's issue, we want to talk about cars.

“Wait, what cars? On the pages of the Anti-virus Times, we’re usually always talking about computers”, you probably thought. No, you heard us right: cars. In this issue, we suggest looking at the car from a slightly different angle: namely, to look at it not as a means of transport but as a real computer. After all, the more complex a device, program, or system is, the more vulnerable it is. Let's try to figure out whether a modern car can become a target for cybercriminals.

The automotive industry owes a great deal to the development of digital technologies. For most of its century-long history, the car incorporated a very simple electrical part. A starter for starting the engine, ignition and power systems, several analog sensors, lighting and, perhaps, that's it. By the way, even the starter and the electric fuel pump did not appear in cars right away. Over time, the equipment was improved and various auxiliary mechanisms that increased the comfort and safety of drivers and passengers appeared, but, in general, until the early 1980s, production cars remained mostly motorized vehicles. Thus, electronic control systems began to be introduced en masse — first, for the most important units, and then for auxiliary devices. Thus, electronic control systems began to be massively introduced — first, by the most important units, and then by auxiliary devices. This was a significant technological breakthrough, as the use of electronics made it possible to increase engine efficiency and significantly reduce harmful emissions.

A modern car is a computer on wheels. More precisely, a system of computers called ECUs (electronic control units). For example, the fuel-air mixture supply, ignition, variable valve timing, intake airflow and other power unit operation processes are controlled by the engine ECU. For the motor to function properly, the computer constantly collects and processes information received from numerous sensors and gives commands to the actuators. Other important automotive systems are also equipped with their own units — the computer controls gear shifting, brake operation, torque transmission to different axles in all-wheel drive cars, and much, much more. But that's just the tip of the iceberg. Whether the door is open or closed, whether the ceiling light works, how much quality air is in the cabin — all this is "known" by the car's electronics.

In order for everything to work properly, blocks of different systems must be able to exchange information with each other. To that end, a digital data bus, the so-called CAN bus (Controller Area Network), was invented in the early 1980s. It serves as a communication channel between digital control units for the transmission of all signals and commands. As mentioned above, digital control was first implemented in the units responsible for the functioning of the most important nodes of a car. Then, secondary systems — comfort control systems, multimedia and telemetry — were also connected to a single bus. From a physical point of view, the CAN bus is a twisted pair of conductors for the passage of an electric current. Defined voltage levels correspond to logic 0 or logic 1. We will not go into the details of bus operation; however, it is worth mentioning that in such a system, units can communicate with each other sequentially and in order of priority; all this happens very quickly and in real time.

Of course, car control units are not very similar to personal computers, and data transmission in the CAN bus is not organised in the same way as in the usual TCP/IP model. However, there are interfaces for connecting to the CAN externally for diagnostics and control. And here we come to the issue of digital security.

We've already seen that in a modern car, the computer takes control of almost all the nodes. In recent years, active safety systems have undergone serious development — premium models incorporate many electronic "assistants", which not only signal the driver about dangerous situations, but can interfere with braking and even steering. Therefore, the fault tolerance of electronic systems is a priority for car manufacturers. Automotive control units are very promising; they are designed to perform simple and similar tasks. Data transmission over the CAN bus is protected from electromagnetic interference thanks to the twisted pair and the use of checksums in each frame of a message. After all, if the electronic unit takes an incorrect value and sends the wrong command to some actuator, this can lead to a very dangerous situation on the road.

Is there any malware that can take control of a car? Can an attacker control a car from the outside via the car’s built-in electronics?

It is worth noting that 40 years ago, the developers of CAN bus were primarily thinking about the fault tolerance of equipment, but not about cybersecurity and anti-hacking protection. If we draw analogies with computer networks, the digital network of the car was considered extremely isolated until recently. Let's highlight a number of key features of data transmission in such a network.

1. Vehicle units (let's call them nodes) sequentially broadcast their messages to one bus in order.
2. All nodes are equal; any of them can be both a sender and a receiver.
3. The right to send data to the bus is given to the node whose message has the highest priority.
4. The message sent is available to all nodes on the network at once.
5. The CAN bus architecture does not support encryption; all data is transmitted unencrypted.
6. Also, the CAN bus architecture does not support the authentication of messages and the communicating nodes.

This implies that after gaining access to the CAN bus, an attacker can perform various actions with the car by sending false messages to the control units. The receiving block cannot identify a false message and filter it, since there are no such protective mechanisms in the CAN protocol’s implementation. The above-mentioned application of checksums provides protection against interference but not against the substitution or interception of messages. Also, an attacker can conduct something akin to a DoS attack on a certain block, as a result of which the latter will cease communicating. In addition, since the data is transmitted unencrypted, after gaining access to the bus, cybercriminals can listen to the transmitted messages using a sniffer and match the codes with the executed commands. Here we can draw a complete analogy with the analysis of traffic in TCP/IP networks.

Since the network of those who communicate over the CAN bus of nodes is isolated, physical access to the bus or node is required to compromise it. Almost all the cars churned out over the past 30 years have a special connector for connecting diagnostic equipment — the so-called OBD port (On-Board Diagnostics). The control units have a self-diagnostic mechanism and can record error codes that occur when there are certain car malfunctions. Thus, a connection via a diagnostic interface can be a potential entry point for an attack on a CAN bus. Of course, for a successful attack, cybercriminals need first to deploy equipment into the vehicle; second, to have the appropriate software; and, finally, to be in close proximity to the car. All this makes such an attack scenario improbable, but there is a practical vulnerability worth mentioning. Some car owners purchase diagnostic adapters for their personal use and leave them permanently connected to their car. In this case, after being powered on, the adapter is in standby mode with a wireless connection to the control program — Wi-Fi or Bluetooth. Of course, the risk of someone passing by that car in order to connect to it is small. And even if connected, an uninvited guest is unlikely to block the brakes or, say, disable the alarms. Everything will depend on which control program is used and what restrictions the diagnostic adapter itself applies. However, as noted above, a vulnerability can be found, so you should not provide a potential attacker with a loophole for gaining physical access via the diagnostic connector. By the way, in a similar way, operators track carsharing vehicles.

And here we arrive at the most interesting part. The automotive industry, like many other industries, has long been immersed in the concept of the Internet of Things. A vehicle with access to the global network is no longer a fantasy, but quite an ordinary phenomenon. Modern machines use various telemetry systems and can track their own location and transmit any of the parameters from the CAN bus to the manufacturer, exchange data with nearby cars to prevent crashes, update their internal software, and much more. This was made possible primarily due to the rapid development of wireless networks. The implementation of these undoubtedly useful functions imposes completely different requirements on embedded digital security systems. After all, a potential attacker no longer needs physical access to a car. Exploiting one or a number of vulnerabilities to bypass standard protection will allow them to gain access to the internal system of a car with all the ensuing consequences.

Today, more and more car manufacturers offer as an option the ability to control individual functions of the car with the help of a smartphone. Hyundai's Mobikey and JLR's InControl monitoring systems are typical examples. In the mobile application, the car owner can track the location of their car, open or close it, start the engine, control the climate control systems and multimedia, and more. As convenient as this functionality is, the potential vulnerability of such an approach should be taken into account. To implement remote control, each such vehicle is equipped with a telemetry system. Control algorithms can vary, but in one way or another, they involve both the car’s electronics and the automakers’ servers. For example, this might look as follows. By giving the command to unlock the driver's door, your mobile application sends a request via the Internet to the car manufacturer’s remote server. The server authenticates the request and sends the unlock codes back to one of your car’s electronic units which is responsible for central locking and the anti-theft system. All these connections over the Internet should include strong encryption, party authentication, protection against various types of attacks, and other security mechanisms. Errors made when implementing remote control algorithms can lead to the connection being vulnerable, and an attacker will be able to, for example, send an unlock request, which will be accepted as legitimate, or intercept responses from the server for later use. Do not forget that the telemetry unit is in any case connected by a common bus with the other vehicle units, including critical ones. Unfortunately, such scenarios exist not only on paper. For example, in 2015, researchers managed to gain almost complete control over Jeep cars by exploiting a vulnerability in the UConnect telemetry system.

By the way, according to the concept of the Internet of Things, a car may not be the final target of an attack but only an intermediate link. For example, the synchronisation of a car's and a smartphone's multimedia system is already a familiar function. Therefore, to reach, for example, the list of your contacts, photos and other sensitive information, or another device that is part of your ecosystem, an attacker may exploit a vulnerability in your smart car as an entry point.

Smart cars that incorporate a telemetry system, which lets car manufacturers know literally everything about your driving style are not widespread. But owners of simpler, but still modern, car models should also be mindful of the digital nature of their vehicles. Thus, the potential danger from the point of view of information security is represented by tape recorders based on the "clean" Android OS. First, at their core, these are ordinary Android-powered devices; therefore, the corresponding malware can be launched and run on it. Second, as a rule, they have a connection to the car’s CAN bus. The issue is not massive, but from a practical point of view, nothing prevents a malicious APK file with a trojan on such a vulnerable device from being accidently launched — that will compromise the car network. It should be noted that standard parent units from car manufacturers, if they are running Android, usually do not allow you to run third-party software.