Can You Trust Your Car?

Wireless systems are being integrated into modern automobile. However, the security and privacy implication of those systems are not well understood as many of their communication protocols are proprietary.  New anti-theft technologies have made today’s cars much harder to steal, but the growing tangle of computer equipment under the modern hood is creating new security risks that carmakers are just beginning to understand.

In the last few years, researchers have identified a range of new, unexpected security flaws that could potentially affect large numbers of new cars. Given the specialized programming knowledge required to exploit these flaws, however, carmakers are still trying to gauge if these issues present a meaningful risk to ordinary drivers. Tadayoshi Kohno of the University of Washington and Stefan Savage of the University of California-San Diego explored whether they could compromise the onboard computer diagnostics port, a U.S. government-mandated feature in most modern cars. By inserting malicious code into the diagnostic software commonly found in auto repair shops and plugging a computer into the car’s diagnostic port, they were able to stop the car’s engine, lock the doors, and disable the brakes. Also, they managed to remotely control a car by means of on-board Bluetooth or cellular services, thus demonstrating that a car could be controlled purely through wireless mechanisms.

pkes 2“To improve security one really desires a holistic view of all the components within the automobile,” says Kohno, “but because of outsourced components it’s hard for even the manufacturer to have that holistic view.” Despite the inherent difficulty of pinpointing security exposures in complex automotive systems, Kohno and Savage’s work points to one conspicuous weak link: the onboard computer diagnostics port.

“Manufacturers could take steps to limit what someone might be able to do if they connect to the diagnostics port,” says Kohno. He acknowledges, however, that the onboard port plays a crucial role in many cars. “One key challenge is to preserve the benefits but minimize the risks,” he says.

Don Bailey, a senior consultant with iSEC Partners, gave a demonstration of his hacking ability at the Black Hat security and hacking conference in Las Vegas. Although, Bailey refused to reveal which cars are susceptible to his hack, and warned that the same hacking trick can be used to attack phones, cash machines and even industrial systems such as water and power supplies. “It’s cool. It’s sexy. But the same system is used to control phone, power, traffic systems. I think that’s the real threat,” he stated.

At the University of South Carolina, assistant professor Wenyuan Xu discovered that she could track the movement of cars by tapping into the RFID data stored in modern tire pressure monitoring systems from up to a distance of 40 meters.

Xu’s team explored the proprietary communication protocols typically used to connect tire pressure sensors to onboard computers, and discovered that they could “listen” to the tire pressure sensors and use them to establish a connection with the onboard computers.

By capturing and decoding the tire sensor signals, the team was able to track the car’s movements. They also established that they could send fake signals to trick the car computer into lighting up the low tire pressure warning light, regardless of the tire pressure. They were also able to inflict permanent damage to the tire pressure monitoring systems.

“An increasing number of wireless systems are installed in modern cars,” notes Xu. “Wireless networks are known to be vulnerable to eavesdropping and packet injection.”

“The future will bring an increased reliance on networked information systems with the associated security risks. Whether we can counter these risks or not depends on our commitment to expanding our science base in information security” According to Dr Srdjan Capkun, Associate Professor in the Department of Computer Science, ETH Zurich. He demonstrated a ‘Passive Keyless Entry and Start Systems deployed by all major car manufacturers. The results depicted the vulnerabilities of cars.  He advised that immediate countermeasures should be the ability for the car owners to always shield the car key and if possible remove the battery from the key when not in use. The longer countermeasures is for the manufacturers to build a new system that securely verifies proximity.

PKESAssistant professor Wenyuan Xu work describes Securing In-Car Sensor Networks. Using a Tire Pressure Monitoring Systems (TPMS) to monitor air pressure inside tires and trigger dashboard warnings wirelessly if a tire’s pressure happens to drop. Through their reverse-engineering effort, they have shown that TPMS wireless transmissions lack security protection common in basic computer networking, such as input validation, data encryption, or authentication. TPMS wireless signals can be intercepted 40 meters away using a simple receiver, which makes it feasible to track drivers’ locations. They also demonstrated that a transmitter that  “spoofs” the sensor signal can easily send false readings and trigger a car’s dashboard warning display. They are currently working on hardware and software solutions to secure TPMS and other in-car sensor networks.

While the practical risks may seem limited, nonetheless the automotive industry bears the ultimate responsibility—and potential legal liability—for ensuring the safety and security of its vehicles.

On the 18th of March, 2013, Wenyuan Xu will be presenting a seminar on ‘Can You Trust Your Car? Security and Privacy Vulnerabilities of In-Car Wireless Sensor Networks’ at Pittsburgh. In the talk, she will present a case study analyzing the first mandated in-car sensor networks, the tire pressure monitoring system (TPMS), using GNU Radio in conjunction with the Universal Software Radio Peripheral (USRP), a low-cost out-of-shelf software radio platform.  They have evaluated the security and privacy risks associated with TPMS using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system.

They have also shown that eavesdropping is easily possible at a distance of roughly 40m from a passing vehicle using cheap antennas. Furthermore, reverse-engineering of the underlying protocols revealed static 32 bit identifiers and that messages can be easily triggered remotely, which raises privacy concerns as vehicles can be tracked through these identifiers. The issue is that current protocols do not employ authentication and vehicle implementations do not perform basic input validation, thereby allowing for remote spoofing of sensor messages.

They have validated this experimentally by triggering tire pressure warning messages in a moving vehicle from their software radio attack platform located in a nearby vehicle. Finally, the talk will conclude with a set of recommendations for improving the privacy and security of tire pressure monitoring systems and other forthcoming consumer wireless networks.


Communications of the ACM

Cylab, Carnegie Mellon University

Tech Beats