Car information security is a complete wreck — here's why


Sean Gallagher's long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer's season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet.

All complex systems have bugs. Even well-audited systems have bugs lurking in them (cough openssl cough). Mission-critical systems whose failings can be weaponized by attackers to wreak incredible mischief are deeply, widely studied, meaning that the bugs in the stuff you depend on are likely being discovered by people who want to hurt you, right now, and turned into weapons that can be used against you. Yes, you, personally, Ms/Mr Nothing To Hide, because you might be the target of opportunity that the attacker's broad scan of IP addresses hit on first, and the software your attacker wrote is interested in pwning everything, regardless of who owns it.

The only defense is to have those bugs discovered by people who want to help you, and who then report them to manufacturers. But manufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.

In the computer world, the manufacturers have largely figured out that threatening researchers just makes their claims more widely know (the big exceptions are Oracle and Cisco, but everyone knows they're shitty companies run by assholes).

The car industry is nearly entirely run by Oracle-grade assholes. GM, for example, says that your car is a copyrighted work and that researching its bugs is a felony form of piracy. Chrysler was repeatedly informed about its showstopper, 1.4M-car-recalling bug, and did nothing about it until it was front-page news. Volkswagen sued security researchers and technical organizations over disclosure of major bugs in VW's keyless entry system. Ford claims that its cars are designed with security in mind, so we don't have to worry our pretty little heads about them (because openssl was not designed with security in mind?).

None of this stops bad guys from learning about the bugs in these systems — it just stops you, the poor sucker behind the wheel, making payments on a remote-controllable deathmobile, from learning about them.

Tesla, at least, has a bug-bounty program and a commitment to transparency. But the bugs that researchers found are pretty heinous and difficult to comprehensively mitigate.

Gallagher's article explains in eye-watering detail the dumb technological decisions the car-makers made that got us into this mess, but more importantly (and less prominently), the culture of the car-makers that has allowed this situation to come to pass. Even if the technological boondoggles can be fixed, we're still in a lot of trouble unless we can sort out their culture.

The "attack surfaces" of cars that get the most attention are the ones designed to keep people from driving away with cars they don't own—electronic keyless entry systems or locks, and vehicle immobilizers that use low-power radio to detect the presence of a valid car key before allowing a car to start for example. Both of those types of systems, which use cryptographic keys transmitted by radio from a key or key fob, have been targeted by researchers. Engine immobilizers for a number of luxury brands were successfully attacked as part of a study by researchers at Radboud University (that was suppressed by Volkswagen's lawyers for two years). Remote keyless entry systems have also been targeted in a number of ways, including signal amplification attacks and brute-force crypto breaking (as detailed in research by Qualys' Silvio Cesare).

There are still areas of potential radio hacking that haven't been fully explored. For example, tire pressure monitoring systems use radio communications to alert low tire pressure. Some commercial vehicles use remote automatic tire inflation systems, activated by pressure sensors, that communicate wirelessly. These systems could be targeted by hijackers to potentially fool a driver into pulling off the road or to blow out the tires on a trailer if an attacker successfully fooled them. (Though because of the design of some of these systems, a blow-out seems unlikely.)

Three of the exploits discussed at conferences this month were focused on simply gaining access to vehicles. As Ars reported last week, Dutch researchers finally were able to present the (almost) full findings of their research on defeating engine immobilizer systems used in cars from Volkswagen and its luxury brands as well as other automakers at USENIX Security in Washington. At DEF CON, Samy Kamkar unveiled two potential attacks on auto security. One, called "RollJam," targeted remote keyless entry systems on cars by performing a type of man-in-the-middle attack against the rolling keys used by the systems. By jamming the reception of the signal by the vehicle's receiver, the RollJam device could record the attempts made by the keyfob to authenticate and then rebroadcast the first of them to the car to unlock it.


Highway to hack: why we're just at the beginning of the auto-hacking era [Sean Gallagher/Ars Technica]