Automotive security researchers Charlie Miller and Chris Valasek have demonstrated how rogue CAN messages allow attackers to seize physical control of a vehicle's braking, steering and acceleration systems.

In last year's hack, which led to Chrysler's recall of 1.4 million vehicles, Miller and Valasek focused on pulling off a wireless attack on the Jeep.

Figure 1: Car hackers Charlie Miller (right) and Chris Valasek (Source: Black Hat Events)

At that time the two exploited the Harman "head unit" of a 2014 Jeep Cherokee, which offers a Wi-Fi hot spot, to get into the vehicle's network. Later the hackers invaded the car through its cellular connection, via Sprint's wireless network.

This year, the security experts turned their attention to injecting rogue messages into a vehicle’s CAN bus, which resulted in a full-speed attack on the Jeep’s steering and acceleration.

Instead of getting into the guts of the car wirelessly, Miller and Valasek this year used a laptop plugged directly into the Jeep's CAN network through a port under its dashboard. They confirmed that the Jeep used for this hack was running the patched software.

Prior to the duo's presentation at Black Hat, Wired first posted a story detailing Miller and Valasek's latest Jeep hack.

Asked about the Miller/Valasek research, Chrysler's parent company Fiat Chrysler Automobiles (FCA) asserted that the duo's attack could not have been performed remotely.

The company responded in a statement stressing, “This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle.” It added, “While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”

Chrysler added: "It is highly unlikely that this exploit could be possible through the USB port, if the vehicle software were still at the latest level."

Chrysler couldn’t have been more wrong.

Whether Miller and Valasek's car attack was done wirelessly or via the OBD-II port is beside the point. Although Chrysler created a patch for the Jeep last year, it did not by any means close all avenues to wireless car attacks.

When EE Times asked David Uze, CEO of Tokyo-based Trillium, about this, he said, "What the second Jeep attack proved this year is that there are a large number of vehicles out there still unprotected."

Chrysler’s patch is a firewall for the Jeep’s infotainment system, the attack surface Miller and Valasek exploited last year.

But "it's absolutely wrong" for carmakers to think there won't be other ways to penetrate that firewall, Uze explained.

“For example, when you bring your car to a repair shop and leave it for a little while, there is always a chance that an independent access could be made to your vehicle, with someone leaving a hard-to-spot, small device attached to the OBD-II port.”

Uze cited, as an example, a hack performed by a 14-year-old who built an electronic remote auto communications device with $15 (₹1,013.51) worth of Radio Shack parts.

This took place at the Battelle CyberAuto Challenge in the summer of 2014.

The teenager's device created an ad hoc wireless connection which, through a wireless SIM card, served as a backdoor to the CAN networks inside a vehicle, Uze explained.

Layered approach needed

The lack of security solutions for ECU networks poses a real safety problem, he said, because CAN networks are directly tied to a vehicle’s actuation—brakes, steering, etc. By his count, “85% of actuation occurs on the CAN networks.”

Without authentication, encryption or cryptographic key management, the CAN network is the weakest link in the entire security chain, he stressed.

Figure 2: 15 of the most hackable and exposed attack surfaces on a connected car. (Source: Intel)

To protect cars from hackers, the automotive industry needs a layered approach, noted Uze.

First, if authentication is done on the network, only legitimate members can participate in CAN bus communications, said Uze.

Second, with encryption added to the CAN bus, a rogue message would have to emulate everything from the encryption to the key exchange and the authentication code in order to be recognised as legitimate.

The third element is an asymmetric solution for key exchange. When all legitimate members on the network (50 ECUs, for example) are white-listed, then when a 51st pops up, "you know it isn't legitimate."

Trillium, a two-year-old start-up founded by Uze in Japan, has developed a technology called SecureCAN, "a CAN bus encryption and key management system for protecting payloads less than 8 bytes."

Historically, the assumption among automakers and tier ones was that protecting the CAN bus is impossible, due to limits in the ECU’s processing power and in-vehicle bandwidth.

With SecureCAN, Trillium claims it can offer authentication, encryption and cryptographic key management on the CAN bus. No other technology company is offering this yet.
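To make the layered scheme concrete, the following added example (written for this article, not Trillium's SecureCAN or any other vendor's design) simulates the two situations described above: a rogue frame injected from the OBD-II port that an unprotected receiver acts on, and the same frame rejected by a receiver that requires a whitelisted ID, an encrypted payload and an authentication tag, all squeezed into the 8-byte classic-CAN payload. The frame layout (4-byte signal, 1-byte truncated counter, 3-byte truncated HMAC tag), the arbitration ID 0x1F0, the key and the rogue frame are all constructed for the demo; the keys are assumed to be pre-provisioned, so the key-exchange layer is not shown. It uses only the Python standard library.

```python
"""Toy secured-CAN exchange. Illustrative layout only, not any vendor's format:
8-byte payload = 4-byte encrypted signal + 1-byte counter + 3-byte tag."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

PAYLOAD_LEN, CTR_LEN, TAG_LEN = 4, 1, 3      # 4 + 1 + 3 = 8, the classic CAN maximum
CTR_MOD = 1 << (8 * CTR_LEN)                 # the counter is sent truncated to one byte


@dataclass
class CanFrame:
    arb_id: int    # 11-bit arbitration identifier
    data: bytes    # at most 8 bytes on classic CAN


def derive_keys(master: bytes, arb_id: int):
    """Separate encryption and MAC keys per arbitration ID (assumed pre-provisioned)."""
    enc = hmac.new(master, b"enc" + struct.pack(">H", arb_id), hashlib.sha256).digest()
    mac = hmac.new(master, b"mac" + struct.pack(">H", arb_id), hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, arb_id: int, counter: int) -> bytes:
    """PRF output XORed with the signal; never reused because the counter only increases."""
    return hmac.new(enc_key, struct.pack(">HI", arb_id, counter), hashlib.sha256).digest()[:PAYLOAD_LEN]


def tag(mac_key: bytes, arb_id: int, counter: int, ct: bytes) -> bytes:
    """Encrypt-then-MAC over ID, full counter and ciphertext, truncated to 24 bits."""
    return hmac.new(mac_key, struct.pack(">HI", arb_id, counter) + ct, hashlib.sha256).digest()[:TAG_LEN]


class SecureSender:
    def __init__(self, master: bytes, arb_id: int):
        self.arb_id = arb_id
        self.enc_key, self.mac_key = derive_keys(master, arb_id)
        self.counter = 0

    def build(self, signal: bytes) -> CanFrame:
        assert len(signal) == PAYLOAD_LEN
        self.counter += 1
        ct = bytes(a ^ b for a, b in zip(signal, keystream(self.enc_key, self.arb_id, self.counter)))
        data = ct + bytes([self.counter % CTR_MOD]) + tag(self.mac_key, self.arb_id, self.counter, ct)
        return CanFrame(self.arb_id, data)


class SecureReceiver:
    def __init__(self, master: bytes, whitelist):
        # Only whitelisted IDs have keys; a frame from any other ID is dropped outright.
        self.keys = {i: derive_keys(master, i) for i in whitelist}
        self.last = {i: 0 for i in whitelist}

    def accept(self, frame: CanFrame):
        if frame.arb_id not in self.keys:
            return False, "arbitration ID not whitelisted"
        if len(frame.data) != PAYLOAD_LEN + CTR_LEN + TAG_LEN:
            return False, "bad length"
        enc_key, mac_key = self.keys[frame.arb_id]
        ct, ctr_low, recv_tag = frame.data[:PAYLOAD_LEN], frame.data[PAYLOAD_LEN], frame.data[PAYLOAD_LEN + CTR_LEN:]
        # Rebuild the full counter from its low byte; anything not strictly newer than
        # the last accepted counter is read as the next wrap-around, so a replayed
        # frame is checked against a counter its tag was never computed for.
        last = self.last[frame.arb_id]
        counter = (last - last % CTR_MOD) + ctr_low
        if counter <= last:
            counter += CTR_MOD
        if not hmac.compare_digest(recv_tag, tag(mac_key, frame.arb_id, counter, ct)):
            return False, "authentication tag mismatch (forged or replayed)"
        self.last[frame.arb_id] = counter
        signal = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, frame.arb_id, counter)))
        return True, signal


class LegacyReceiver:
    """Unprotected CAN: any frame carrying a known ID is acted on."""
    def __init__(self, whitelist):
        self.ids = set(whitelist)

    def accept(self, frame: CanFrame):
        return frame.arb_id in self.ids, frame.data[:PAYLOAD_LEN]


STEER_ID = 0x1F0             # hypothetical ID for a steering-related message
MASTER_KEY = b"\x2b" * 16    # constructed demo key


def demo():
    sender = SecureSender(MASTER_KEY, STEER_ID)
    secure = SecureReceiver(MASTER_KEY, [STEER_ID])
    legacy = LegacyReceiver([STEER_ID])
    good = sender.build(b"\x00\x10\x00\x00")
    # Constructed rogue frame as an OBD-II-attached laptop might inject: right ID, bogus data.
    rogue = CanFrame(STEER_ID, b"\x7f\xff\x00\x00\x05\x00\x00\x00")
    return {
        "legacy_accepts_rogue": legacy.accept(rogue)[0],
        "secure_accepts_good": secure.accept(good)[0],
        "secure_accepts_replay": secure.accept(good)[0],
        "secure_accepts_rogue": secure.accept(rogue)[0],
        "secure_accepts_unknown_id": secure.accept(CanFrame(0x2F0, bytes(8)))[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the demo is the asymmetry Uze describes: the legacy receiver acts on anything with the right ID, while the secured receiver drops the rogue frame, the replayed frame and the unknown ID without ever decrypting them. A 24-bit tag is far weaker than a full HMAC, and the one-byte counter window is a real engineering trade-off; both are concessions to the 8-byte payload, which is exactly the constraint the article says kept automakers from protecting CAN at all.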

However, this isn't a panacea. In order to protect the CAN bus and cars at large, Uze said, "You also need an intrusion detection and prevention system (IDS/IPS) that can create a feedback loop to detect anomalous traffic on the bus, and secure OTA software update solutions." Trillium's goal is a range of security technologies developed "under one roof with a unified API."
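As an added illustration of the IDS layer Uze calls for (example code written for this article, not Trillium's or any other vendor's detector), the block below applies one common CAN anomaly heuristic: periodic messages on a CAN bus arrive at fixed intervals, so a detector can learn each arbitration ID's normal period from clean traffic and then flag frames that arrive far too soon, or frames from an ID never seen during learning. The traffic is constructed inline: two hypothetical periodic IDs (0x1F0 every 10 ms, 0x244 every 20 ms), a burst of injected 0x1F0 frames at 2 ms spacing, and one frame on 0x7DF, the OBD-II functional diagnostic request ID, which should not be appearing on a moving car's bus.

```python
"""Toy timing-based CAN intrusion detector. Added illustration only."""
from collections import defaultdict
from statistics import median

STEER_ID, SPEED_ID, OBD_REQ_ID = 0x1F0, 0x244, 0x7DF   # hypothetical except 0x7DF


def learn_baseline(frames):
    """frames: iterable of (timestamp_s, arb_id, data), time-ordered.
    Returns {arb_id: median inter-arrival time} learned from clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, arb_id, _ in frames:
        if arb_id in last:
            gaps[arb_id].append(ts - last[arb_id])
        last[arb_id] = ts
    return {i: median(g) for i, g in gaps.items() if g}


def detect(frames, baseline, min_ratio=0.5):
    """Return (timestamp, arb_id, reason) for every frame that arrives sooner than
    min_ratio * the learned period for its ID, or that carries an unlearned ID."""
    last, alerts = {}, []
    for ts, arb_id, _ in frames:
        if arb_id not in baseline:
            alerts.append((ts, arb_id, "ID not seen during learning"))
        elif arb_id in last and ts - last[arb_id] < baseline[arb_id] * min_ratio:
            alerts.append((ts, arb_id, "interval %.4fs below expected %.4fs"
                           % (ts - last[arb_id], baseline[arb_id])))
        last[arb_id] = ts
    return alerts


def make_clean(duration_s=1.0):
    """Constructed clean traffic: STEER_ID every 10 ms, SPEED_ID every 20 ms."""
    frames = []
    for k in range(int(duration_s / 0.010)):
        ts = round(k * 0.010, 4)
        frames.append((ts, STEER_ID, b"\x00\x10\x00\x00"))
        if k % 2 == 0:
            frames.append((ts, SPEED_ID, b"\x00\x00\x00\x00"))
    return sorted(frames, key=lambda f: f[0])


ROGUE_TIMES = [0.503, 0.505, 0.507, 0.509, 0.511]   # constructed injection burst


def make_attack():
    """Clean traffic plus a 2 ms-spaced burst of forged STEER_ID frames and one
    diagnostic request that has no business appearing while driving."""
    frames = make_clean()
    frames += [(t, STEER_ID, b"\x7f\xff\x00\x00") for t in ROGUE_TIMES]
    frames.append((0.7, OBD_REQ_ID, b"\x02\x01\x0d\x00"))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    base = learn_baseline(make_clean())
    for alert in detect(make_attack(), base):
        print("ALERT t=%.3f id=0x%03X: %s" % alert)
```

Note what the detector can and cannot tell you: it flags the whole burst, including the legitimate 0x1F0 frame at 0.510 s that lands inside it, because timing alone cannot say which frame the real ECU sent. That is the gap the authentication layer closes, and why Uze presents IDS/IPS as a feedback loop alongside bus-level authentication rather than a replacement for it.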

Meanwhile, companies like Harman, Argus Cyber Security, Symantec and Intel are running a fierce race to add different pieces of technology to automotive security. The finish line is not in sight.

Even FCA doesn't believe its work is over with the patch it developed last year for the hacked Jeep. After we posted this story, the carmaker sent an email to EE Times emphasising, "Our statement does not imply that there is no other way to penetrate a vehicle's cybersecurity system."