Welcome to the inaugural blog.
On Thursday, GM announced the addition of smart phone connectivity to most of its 2011 cars via OnStar. For the first time, engines can now be started and doors locked by ordinary consumers, from anywhere on the planet with a cell signal. Surely this remote network couldn’t be used maliciously, say to disable the brakes while driving?
We have nothing to fear, right? Allow me to remind you of another recent headline in which a team of university researchers commandeered a car’s brakes, engine, and door locks via a diagnostics port. They learned how to bridge from the low security network to the critical systems using fuzzing techniques. The researchers showed admirable determination; practically every major critical subsystem of the car was discovered, learned, and then totally subverted. Brakes and engine were disabled while the car was in motion, demonstrating that the attacks could indeed place passengers in extreme peril. The research paper is fantastic, a must read for embedded security professionals and enthusiasts.
“We're not interested in taking an alarmist tone.”
“We have no reason to believe this is an issue today”
“Today everyone is focusing on Web security and botnets. We want to make sure that in 5 or 10 years we don't add cars to that list.”
Go back to work, nothing to worry about here folks.
Are you @#$%& kidding me? I find the absence of alarm surprising and concerning in and of itself. Are the researchers advocating security by obscurity? They refuse to reveal the hacked car’s make and model and are not releasing their “car shark” tool used to implement the subversions.
OnStar has always provided a remote connection. Attaching to the cellular networks simply opens up more avenues of attack. Some may ask why anyone would want to attack the car network? That’s like asking why anyone would want to attack the power grid. Think about it. What better way to guarantee catastrophe than disabling the brakes on millions of cars, simultaneously? The bad guys have really smart and dedicated researchers too.
We need to take an alarmist tone. The research demonstrates that we have millions of vulnerable cars on the road. We now know attackers are sophisticated enough to disable your brakes while you’re barreling down the highway. The only question is whether attackers are sophisticated enough to find a way in remotely. Once they’re in, game over man, game over.
“In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance.”
“Taken together, ubiquitous computer control, distributed internal connectivity, and telematics interfaces increasingly combine to provide an application software platform with external network access.”
While the researchers declined to reveal make and model, I matched photos in the research paper to online sales sites, and it appears to be … you guessed it: a GM car with OnStar! In particular, the 2009 Chevy Impala.
Ironically, OnStar – a safety and security system – may now provide the means for distributed, remote attacks. Passengers want the Internet inside and smart phone apps to control convenience functions, but they never expected these interfaces to be connected to the drivetrain!
“The CLS [Central Locking System] must also be interconnected with safety critical systems such as crash detection to ensure that car locks are disengaged after airbags are deployed to facilitate exit or rescue.”
What the writers aren’t talking about is what we can do about car security TODAY.Most likely small changes could be made to better isolate the network subsystems. Strong cryptographic authentication must be used for all network connections. Trusted platforms and remote attestation must be used to prevent rogue firmware installs from exposing the car network to attackers. ECUs with mixed criticality functionality must employ high assurance partitioning and access control: the rear-view camera must not be affected by iTunes.
Car manufacturers and tier-1 OEMs may not have been thinking a lot about security when they designed the cars hitting roads today, but clearly that must change. Manufacturers must work closely with embedded security specialists early in the design and architecture of in-car electronics and networks. Security as an afterthought never works. But done right, smart phones and cars can be a beautiful combination.
Dave Kleidermacher has been developing systems software for high criticality embedded systems for more than 20 years and is one of the original developers of the INTEGRITY operating system, the first software technology certified to EAL 6+ High Robustness , the highest Common Criteria security level ever achieved for software. He managed INTEGRITYʼs development for a decade and now serves as the chief technology officer at Green Hills Software This is his personal blog; opinions expressed are not necessarily those of GHS.