As car security has advanced, the world of auto theft has quickly melded with the world of hacking. The advent of high-tech car keys means that hotwiring is out and methods like relay attacks are the new way to gain unauthorized access to a vehicle. Now, however, it seems that attackers have found a new way to entirely bypass the electronic security on modern cars: A method called CAN injection.
[...] The attack relies on a vehicle's CAN bus, the internal computer network that keeps everything running. If you've ever wondered how your car's engine, body control module, and all the little controllers scattered around the car all communicate, CAN bus is the answer. The system is universal in modern cars, and even aftermarket ECU manufacturers now build CAN integration into their products.
The attack method Tindell lays out relies on physical access to the car's CAN bus, meaning an attacker needs to get to the data wires that run through your car. By tapping into these wires, a thief can inject malicious commands into the network — allowing the thief to wake up the car's computer controllers, falsify the presence of the car key, and drive off. [...]
[...] This attack isn't the easiest to pull off, given that it requires a thief to partially disassemble the target car, but it's powerful when done correctly — entirely bypassing the car's key, unlike relay attacks that simply extend the key's radio range. Tindell lists multiple solutions that automakers can implement, most notably the "zero trust" approach — wherein every device, even within a car's internal CAN bus, needs to verify itself during any communication.
(Score: 4, Informative) by Anonymous Coward on Sunday April 09, @10:38PM (8 children)
Our older cars (2014 and earlier) all have keys that lock the steering column mechanically. No CAN bus injection is going to release that--you'll have to use a dent puller (slide hammer) to break it. Or, if the thief has any real skill at all they could pick the lock, but that's probably too much to ask of kids these days.
(Score: 4, Interesting) by JoeMerchant on Sunday April 09, @10:47PM (7 children)
Several models using mechanical locks up through at least the 1990s are vulnerable to the brick and screwdriver attack:
Break left rear window with brick, reach in and unlock left front door. Using screwdriver as a chisel, and brick as a hammer, break off steering column lock. Stick screwdriver in key hole and twist to start - apparently after breaking off the steering column lock the ignition lock doesn't need a key to turn anymore.
We had a Buick stolen this way, just after the internet allowed world wide distribution of instructions for how to do it. Apparently a gang initiation, performed around 3am in a heavy downpour which masked the noise of breaking glass.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 0) by Anonymous Coward on Sunday April 09, @11:46PM (1 child)
Sounds like someone did you a favor . . .
(Score: 2) by JoeMerchant on Monday April 10, @12:09AM
Its replacement was indeed much cooler: ex-police Ford Taurus V6.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 0) by Anonymous Coward on Monday April 10, @02:50AM
> break off steering column lock.
Yeah I remember that style, the outer part of the lock was accessible at the top of a little "pillar". The newer ones are buried in the column, thus the dent puller (screw in key hole, slide hammer pulls out).
(Score: 2) by sjames on Monday April 10, @02:59AM
There was a video on how to do that in the '80s only using the butt of a rifle. It was called "The Terminator".
(Score: 2) by RS3 on Monday April 10, @03:51AM (2 children)
My '02 Chevy includes the "chip" in the key. I don't know much about it, but the PCM (engine computer) will let you crank and crank and crank, but not start the engine unless it sees the correct key signal. You can "teach" it a new key, but it's a pretty involved procedure. Maybe thieves do that? I don't know.
(Score: 2) by JoeMerchant on Monday April 10, @11:36AM (1 child)
Sounds like a fuel cut, if that's at the injector control it will be hard to bypass, but the dealer has some way of training new keys....
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by RS3 on Monday April 10, @10:02PM
The PCM (Powertrain Control Module- car's computer), by definition, is the fuel pump and injector controller, as well as ignition and many other systems, including getting the input from the key "chip" sensor. Also again, there is a procedure to "train" the system to learn a new keycode, and it's not a secret, but it's pretty involved and could take enough time that many thieves would give up and move on to an easier car.
(Score: 1, Offtopic) by krishnoid on Monday April 10, @12:02AM
I guess network security [youtu.be] is a problem any time a malicious attack is involved, and sometimes even when it isn't.
(Score: 3, Insightful) by Runaway1956 on Monday April 10, @12:09AM (1 child)
If that isn't self-contradictory, then it is at least misleading. If the attack works equally well from the front or the rear of the car, then no one is going to mess with the headlights!! You have to gain access to the engine compartment, or lie on the ground, reaching up to fiddle with the wires at the front of the car. Basically, you're working blind. A tail light usually comes out by turning two screws, and you can access the wiring easy-peasy. Bonus with the taillight - just carry an 1157 bulb with you. If some rando asks what you're doing, show him the bulb, tell him your turn signal quit working. That will work a lot better than trying to explain why you're screwing around with the hood latch, instead of opening the door to pull the hood latch lever like a normal person.
Abortion is the number one killer of children in the United States.
(Score: 3, Interesting) by RS3 on Monday April 10, @03:49PM
I can't speak for most cars, but on my '02 Chevy van, which has only the simplest / basic light wiring (no CAN bus), you have to unlock and open the rear doors to get at the taillight housing screws. You could pry them open with a large pry bar, but you're going to do a lot of damage to the car you're trying to steal. Being a "car guy" I know many older cars had lights and housings with externally accessible screws. A friend's '68 Camaro has the taillight housings entirely inside the trunk. Maybe you could pick the trunk lock to get in to a "modern" car's trunk and attach to the CAN bus.
(Score: 3, Insightful) by Snotnose on Monday April 10, @12:13AM (8 children)
Why would a headlight be on a network? Why would a headlight be on the same network as the anti-theft stuff? Why should a headlight be able to tell the anti-theft system what to do?
What's next, a USB stick full of "music" plugged into your entertainment center that will root the car?
I just passed a drug test. My dealer has some explaining to do.
(Score: 3, Insightful) by JoeMerchant on Monday April 10, @12:35AM (4 children)
Why would a network allow access to steal the car without the secret(s) contained in the owner's keys?
I mean: lost key replacement should be sufficiently secure to thwart a theft.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by RS3 on Monday April 10, @11:17PM (3 children)
I surmise you posed a rhetorical question, but I'll answer: security is always an afterthought. You know, it takes time to develop security, so you're losing sales, market share, the engineering/developer costs. Always push things out to the market as fast as possible, and then issue patches, but only when necessary for PR reasons.
Sorry for the cynicism, but we've all seen that paradigm become the norm.
(Score: 3, Interesting) by JoeMerchant on Tuesday April 11, @01:09AM (2 children)
But, how hard is it to apply asymmetric encryption in the ECU and do a challenge response where:
Key requests start
ECU sends challenge to key
Key uses its key to encrypt the ECU's challenge, sends this proof of key back to ECU
ECU uses its key to validate the Key properly encrypted the challenge, or not. No proof of valid key means no duty cycle for the fuel injectors, no spark for the plugs.
End of story, nothing on the bus can spoof that key function, eavesdropping doesn't matter, replay doesn't work. I wrote something similar into the Linux side of our product in a day, and a colleague re-coded it in dot-net for Windoze with different but compatible libraries, and the two implementations are 100% interoperable. I learned these basic principles in college in 1988 with a class with 30 students that they taught every semester.
Key management can be a challenge, but there is no excuse for access to the system bus compromising security functions. The incompetence of what is on the market seems intentional.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by RS3 on Tuesday April 11, @03:24AM (1 child)
Very cool, nice work.
My GM key is a "transponder". There's a "chip" in the key that has a code. The chip is powered by magnetically coupled energy from a loop "antenna". The key spits out a code that has to match what the PCM expects. I don't know how many digits / bits the code uses, nor how long the code needs to be "on", or how many times the code gets transmitted to satisfy the PCM. IE, if you had a passcode guesser, how long would each incorrect code need to be transmitted to be okay or not.
IIRC, after some low number of incorrect codes, the PCM will lock you out. I found all this out the hard way- about 8 years ago a tree limb fell through the windshield, destroyed the dash and even damaged the steering column. So I got some used parts and mixed and matched and made it all whole. But, I got lazy and left the key chip sensor in from the salvage yard's steering column. After much trying, then research, it was the fun of putting the correct sensor from the original steering column in, doing something I forget to make the PCM happy (which might just have been to wait some amount of time, which was well satisfied by me moving parts around) and have a running car again.
I don't quite understand why the ignition lock's sensor cared about the key code, but it certainly did, so maybe it's another layer of security?
(Score: 2) by JoeMerchant on Tuesday April 11, @09:57AM
I mean, that (RFID number only) was state of the art 25 years ago, and at that time you would have needed a $0.75 microchip at the key reader to implement that algorithm from 1978. The key would only need a $0.07 RFID programmed with a unique (one of billions) key. Compare this with the 243 or fewer possible mechanical key codes, which admittedly take longer to try...
For the past 5-10 years, those chips in your credit cards have been capable of doing the challenge response algorithms on-chip ($0.40ish per chip) and they have become quite costly to read even with specialist technology. Considering that modern car keys cost hundreds of dollars to replace, I would expect them to be at least as secure as a credit card.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
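The four-step exchange JoeMerchant lays out above, and the chip-card style challenge response he compares it to in the later reply, as an added example in Go. This is editor-written illustration, not code from this thread and not any vehicle's real immobilizer protocol. The fob signs a random ECU challenge with an Ed25519 private key (signing is the usual form of "encrypting the challenge with its key"), the ECU checks the signature against the public key it was taught at pairing, and each challenge is single-use so a sniffed response cannot be replayed. The 32-byte nonce size, the type names and the three scenarios are my own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Fob holds the private key. It never leaves the fob; only the public half
// is "taught" to the ECU during an authorised key-learn procedure.
type Fob struct{ priv ed25519.PrivateKey }

// ECU holds the paired public key and at most one outstanding challenge.
type ECU struct {
	pairedPub ed25519.PublicKey
	pending   []byte // nil when no start request is open
}

// NewFob generates a keypair and returns the public half for pairing.
func NewFob() (*Fob, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Fob{priv: priv}, pub, nil
}

// Challenge is steps 1-2: the fob asks to start, the ECU answers with a fresh
// 32-byte random nonce (assumed size). A new request replaces an older one.
func (e *ECU) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e.pending = nonce
	return nonce, nil
}

// Respond is step 3: the fob proves possession of its private key by signing
// the challenge. The signature is the proof sent back over the bus.
func (f *Fob) Respond(challenge []byte) []byte {
	return ed25519.Sign(f.priv, challenge)
}

// Verify is step 4. The response must answer the one outstanding challenge,
// which is consumed on first use whether or not the signature is good, so a
// captured (challenge, signature) pair is worthless later. No proof, no fuel,
// no spark.
func (e *ECU) Verify(challenge, sig []byte) error {
	if e.pending == nil || !bytes.Equal(challenge, e.pending) {
		return errors.New("response does not match the outstanding challenge")
	}
	e.pending = nil
	if !ed25519.Verify(e.pairedPub, challenge, sig) {
		return errors.New("bad signature: no injector duty cycle, no spark")
	}
	return nil
}

// RunScenarios plays three exchanges and reports whether each started the
// car: the paired fob, a replay of a sniffed response, and a thief's own fob.
func RunScenarios() (legit, replay, forged bool, err error) {
	fob, pub, err := NewFob()
	if err != nil {
		return
	}
	ecu := &ECU{pairedPub: pub}

	c1, err := ecu.Challenge() // legitimate start; bus traffic is in the clear
	if err != nil {
		return
	}
	s1 := fob.Respond(c1) // an attacker on the bus sees c1 and s1
	legit = ecu.Verify(c1, s1) == nil

	if _, err = ecu.Challenge(); err != nil { // attacker triggers a new start...
		return
	}
	replay = ecu.Verify(c1, s1) == nil // ...and replays what was sniffed

	thief, _, err := NewFob() // a fob the ECU was never taught
	if err != nil {
		return
	}
	c3, err := ecu.Challenge()
	if err != nil {
		return
	}
	forged = ecu.Verify(c3, thief.Respond(c3)) == nil
	return
}

func main() {
	legit, replay, forged, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("paired fob: %v, replayed response: %v, unpaired fob: %v\n", legit, replay, forged)
}
```

Eavesdropping yields only public data plus a signature over a nonce the ECU will never ask for again, so replay fails without any secrecy on the bus. What this sketch leaves out is key management: how a replacement fob's public key gets into the ECU, which is exactly where the dealer key-learn procedure mentioned earlier in the thread has to be made at least as hard as the theft it is guarding against.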
(Score: 3, Informative) by krishnoid on Monday April 10, @02:37AM
So it can answer status queries [amzn.com] (this is one of the nicer, pricier ones) to provide detailed diagnostics [medium.com] via the OBD-II port required to be made available in every car made for the US market since 1996 [ca.gov]. Add that in to the level of "security" you typically find in an Internet-accessible device (much less something entirely isolated), and there you go.
(Score: 3, Informative) by Immerman on Tuesday April 11, @03:29PM (1 child)
Presumably to turn the light on and off, and to report when the bulb has burnt out.
Keep in mind that we're NOT talking about something like Ethernet designed to transfer large quantities of information - the CAN bus is a single-wire protocol designed specifically for simple sensors and controls. A single network packet ("message") only contains an 11-bit Node ID (=sender, or recipient if someone else sends a message with your ID) and a maximum of 8 bytes of data (plus error correction and other overhead). This is a network technology specifically designed to transmit simple sensor or control values, with the option for more complicated systems to send *slightly* more complicated diagnostic data.
And one of the biggest advantages of bus based communication, in addition to removing hundreds of separate noise-prone analog sensor lines running all over the car, is that you can also remove the hundreds of independently switched power lines - everything can tap into a single always-on "power bus" (well, one of several separately-breakered circuits) and communication bus, with the switches located right at the device in question.
So, in the headlight example, your headlight socket can be wired to always-on power and communication busses, and an internal switch turns the headlight on or off when instructed. And hopefully sends "the bulb isn't working" messages as well, since there's no longer a dedicated power line that can be monitored to detect when an appropriate current draw doesn't appear.
Networked sensor and control systems are just WAY simpler and cheaper than the alternatives (aside from the extra electronics at every node) - especially with the CAN bus, which was designed from the ground up to be dirt cheap to implement so that it could be used for all a car's many sensors and controls without significantly increasing the cost of the car. You can literally just take the wires from a hundred different sensors and controls, twist them all together onto a single communication wire, and everything will just work.
And the node electronics have gotten *cheap* - most sensors just need to incorporate the same tiny off-the-shelf bit of electronics that read a single analog sensor voltage and periodically broadcast it as a network message.
As an example - Tesla dramatically reduced the production cost of their automatic door handle assemblies, while also increasing the reliability, by replacing a few simple switches used to detect critical handle positions and activate the associated electronics (electronic latches, handle retraction, etc) with a magnet and CAN-connected digital compass.
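To make the frame format described above concrete, here is an added example, not from this thread and not any manufacturer's code, that packs and unpacks classic CAN frames using the 16-byte `struct can_frame` layout from Linux SocketCAN (4-byte can_id, 1-byte length, 3 bytes of padding, 8 data bytes; the masks and flag are the constants from `linux/can.h`). The identifier in a frame is an arbitration/message ID, not a sender address, and that is the property CAN injection leans on: a node that accepts a "key OK" message by ID alone cannot tell the body module from a tap on the headlight wiring. The ID `keyOKID` (0x1A5) and its one-byte payload are made-up placeholders; real IDs are manufacturer-specific.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constants from Linux include/uapi/linux/can.h.
const (
	canSFFMask = 0x000007FF // 11-bit standard identifier
	canEFFMask = 0x1FFFFFFF // 29-bit extended identifier
	canEFFFlag = 0x80000000 // set in can_id for extended frames
	canMaxDLen = 8
	frameSize  = 16 // sizeof(struct can_frame)
)

// Frame is a classic CAN data frame: an arbitration ID and up to 8 bytes of
// payload. There is no source field; the ID says what the message is, not who sent it.
type Frame struct {
	ID       uint32
	Extended bool
	Data     []byte
}

// Pack serialises a frame into struct can_frame (can_id little-endian as on x86 hosts).
func Pack(f Frame) ([]byte, error) {
	if len(f.Data) > canMaxDLen {
		return nil, errors.New("payload exceeds 8 bytes")
	}
	id := f.ID
	switch {
	case f.Extended && id > canEFFMask:
		return nil, errors.New("extended ID exceeds 29 bits")
	case f.Extended:
		id |= canEFFFlag
	case id > canSFFMask:
		return nil, errors.New("standard ID exceeds 11 bits")
	}
	buf := make([]byte, frameSize)
	binary.LittleEndian.PutUint32(buf[0:4], id)
	buf[4] = byte(len(f.Data))
	copy(buf[8:], f.Data)
	return buf, nil
}

// Unpack is the inverse; it bounds-checks the length byte instead of trusting it.
func Unpack(buf []byte) (Frame, error) {
	if len(buf) != frameSize {
		return Frame{}, errors.New("wrong struct can_frame size")
	}
	raw := binary.LittleEndian.Uint32(buf[0:4])
	n := int(buf[4])
	if n > canMaxDLen {
		return Frame{}, errors.New("length field exceeds 8")
	}
	f := Frame{Extended: raw&canEFFFlag != 0}
	if f.Extended {
		f.ID = raw & canEFFMask
	} else {
		f.ID = raw & canSFFMask
	}
	f.Data = append([]byte(nil), buf[8:8+n]...)
	return f, nil
}

// keyOKID is an assumed, illustrative ID for a "valid key seen" status message.
const keyOKID = 0x1A5

// immobilizerAccepts models a receiver that, like any plain CAN node, decides
// on arbitration ID and payload alone.
func immobilizerAccepts(f Frame) bool {
	return !f.Extended && f.ID == keyOKID && len(f.Data) >= 1 && f.Data[0] == 0x01
}

// InjectionDemo builds the "key OK" frame once as the body module would and
// once as a thief on the headlight wiring would, then shows the bus bytes are
// identical and both are accepted.
func InjectionDemo() (genuine, injected, identical bool, err error) {
	real, err := Pack(Frame{ID: keyOKID, Data: []byte{0x01}})
	if err != nil {
		return
	}
	fake, err := Pack(Frame{ID: keyOKID, Data: []byte{0x01}}) // attacker only needs the ID
	if err != nil {
		return
	}
	g, err := Unpack(real)
	if err != nil {
		return
	}
	i, err := Unpack(fake)
	if err != nil {
		return
	}
	return immobilizerAccepts(g), immobilizerAccepts(i), bytes.Equal(real, fake), nil
}

func main() {
	g, i, same, err := InjectionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, injected accepted: %v, bytes identical: %v\n", g, i, same)
}
```

The bounds check in Unpack matters on its own: the length byte is attacker-controlled once someone is on the wire, and a receiver that slices `data[:len]` without clamping to 8 reads past the frame. The larger lesson is the one the thread circles around: nothing in the frame can carry sender identity, so any "is the key present" decision taken from a bare CAN message is taken on the attacker's say-so.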
(Score: 2) by RS3 on Thursday April 13, @01:54AM
Great info and insight- I was going to post similar.
Adding: there may be reasons to vary headlight / taillight brightness, which could be done much more easily with communication bus. For example, some cars' brake and turn signal lights are insanely too bright at night. I wish they'd dim them at night. I need to be able to see to drive safely.
Engine knock sensor's PCM input is 100k ohm, and the unshielded wire runs through the wire harness bundle, right past ignition wires and distributor on its way to the PCM. Not sure how well that works, but soon I'll be 'scoping some PCM signals hoping to solve some problems with it and I'll know how much ignition noise is getting in. One of many symptoms: I'm getting huge amounts of "knock spark retard". I tried dampening the signal with a parallel resistor (pot) and capacitor, but that sets an error code. Stupid thing is too smart I guess.
O2 sensors the same thing- unshielded wires into high-impedance PCM input, also crank trigger, which is critical and most important sensor.
Most other sensor signals are buffered in the sensor (low impedance / high drive output), or just much lower inherent impedance.
(Score: 4, Interesting) by inertnet on Monday April 10, @08:29AM
I heard about this trick many years ago. It won't work on my car though, the insurance requires it to have an extra immobilizer, which comes with an extra remote. One might get access to the car with this attack, or a relay attack, but they won't be able to start it without immobilizing this immobilizer. This type of car happens to be a popular getaway car for criminals, so it even has an extra GPS tracker that I can query.
(Score: 4, Touché) by DannyB on Monday April 10, @02:02PM (9 children)
One day, scientists will invent a way to build automobiles that don't need microprocessors. It will be an amazing revolutionary achievement. People will be in awe and wonder at the marvel of these new microprocessor-free automobiles. It will be a wonderful advancement for humanity.
How often should I have my memory checked? I used to know but...
(Score: 2) by JoeMerchant on Monday April 10, @03:03PM
I almost bought one of these [google.com] in the mid-80s. Probably would still be running today if I had.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Interesting) by turgid on Monday April 10, @08:24PM (5 children)
In the 90's I used to go to the pub and drink Guinness with a guy who was an embedded developer. I once or twice took my home-made code down the pub for a code review over a few pints. He was working on a CAN bus implementation. He said that all the electrical stuff would be on this serial bus in future because it was cheaper than having separate wires for all the different things. That was when I realised just how cheap microprocessors had become.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 0) by Anonymous Coward on Monday April 10, @08:36PM (4 children)
> ...drink Guinness with a guy who was an embedded developer.
I've only looked at CAN bus documentation briefly, but I know several people that have had to configure CAN networks, mostly for custom data acquisition (hundreds of channels of data) in test labs and for field testing. It's always a big, error prone mess.
Now I know why(?)--your drunk guy designed the damn system! Do I sue your guy, do I sue Guinness, or maybe both?
(Score: 2) by turgid on Monday April 10, @09:00PM (3 children)
CAN Bus is Laurel and Hardy meet Frank Spencer, the Keystone Cops and the Chuckle Brothers. Heaven knows why anyone uses it.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by RS3 on Monday April 10, @10:50PM
I can see legit reasons including diagnostics, but I also see a lot of things that are done (across the board in life) because everyone else seems to be doing those things. People do things because 1) it helps their resume, and 2) they don't want to fall behind the times and look stupid, lazy, head in the sand, etc., and 3) don't want to be caught off-guard when things are so CAN bus enabled that they can't offer some option on the car until they run CAN bus.
I'm not sure if my '02 Chevy has CAN bus, but certainly a similar system. Through the OBD-II connector I can scan for running data and diagnostic codes in:
- PCM (main computer)
- air bag system
- instrument cluster (dashboard)
- body controller (lights, HVAC, etc.)
- ABS (anti-lock brakes)
The PCM has a pretty thick bundle of wires (copper) carrying signals and information from the above mentioned subsystems. One CAN bus could carry many of those signals, and eliminate many of the wires- saving on wire, labor, and complexity, and centralize and simplify diagnostics.
Personally I prefer simple, but as designers keep adding more and more and more features and functions to cars, there's more and more status data and control system communication needed. Rather than have hundreds of wires coming from all of the subsystems, one pair of wires snaking all around the vehicle does the work.
(Score: 1, Interesting) by Anonymous Coward on Tuesday April 11, @12:17PM (1 child)
> CAN Bus is Laurel and Hardy ...
At least for industrial instrumentation, it seems that ethernet (and related) is becoming the standard. No idea how long that will take to get to cars where CAN is still popular.
(Score: 2) by RS3 on Thursday April 13, @01:59AM
I keep thinking the same thing, but Ethernet is probably more expensive and might be overkill for most things in a car. Also, it requires 4 wires, not the 2 of CAN, and it'll need an Ethernet switch with many many inputs, so yeah, just speculating but I don't see it any time soon. Like I said, "speculating" - maybe some cars have Ethernet already... but not out to every sensor and control, but maybe it would go between a few major control modules.
(Score: 3, Interesting) by RS3 on Monday April 10, @11:04PM
It all started in the '70s to meet emissions and MPG requirements. It's pretty impossible to get high efficiency and low emissions without much finer precision control of the ICE process. Koenigsegg [koenigsegg.com] is making previously thought impossible kW/cc due to their incredibly advanced control systems that are only possible with today's super-fast microprocessors.
(Score: 3, Insightful) by Immerman on Tuesday April 11, @04:14PM
And nobody will want to work on them because they're a rat's-nest of hundreds of wires that must all be properly connected between sensors, controls, displays, etc., with any wiring faults that form over time causing problems that are difficult to diagnose or repair.
Rather than a dirt-simple networked system that has everything connected to the same two wires wherever is convenient: a power line, and a communication line. And every node able to report if anything is wrong, with wiring faults being easily distinguishable from failing sensors.
It's all in where you put the complexity.
Modern cars have become ridiculously complex, mostly because they're no longer really cars, but instead vast, complicated emission control systems that have a car built around them. Because without those control systems they're severe toxic gas factories, and population densities have risen to the point that the associated health problems are hard to ignore.
As electric vehicles take off, most traditional manufacturers are unfortunately still leaning in to that complexity - loading them down with a million "luxury features" of dubious real value in order to justify a premium price tag.
Fortunately, we're also seeing an increasing number of manufacturers, especially in China, getting back to the roots of the automobile industry, back before the internal combustion engine was invented, when cars were little more than an electric motor and battery bank wrapped in a passenger-friendly shell. There's not really any need for an electric car to be much more complicated than an electric bicycle, and those manufacturers targeting the budget end of the market are embracing that philosophy in spades.
Of course they also tend to have limited ranges unless you shell out for an extended-range model - all those "luxury" features exist in part to hide the fact that the batteries are still extremely expensive. But battery prices just keep falling, and many manufacturers in the niche seem focused on adding the simple "luxuries" that are actually valuable: Heaters & AC, speaker systems (that you can plug your own media player into), standard AC power plugs, improved suspension, etc.
They're getting really good at delivering a perfectly adequate modern car with lots of utilitarian extras, with minimal under-the-hood complexity, for only a few thousand dollars. And as that market consolidates, hopefully at least some of the winners will continue to embrace that philosophy rather than trying to take on the more profitable and complexity-laden manufacturers in their own game.