Root Causes 317: New Automotive CAN Bus Attacks Demand PKI

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  We are back to the topic of automotive. It's been a little while since we've had an automotive episode I think.

• 

  Jason Soroko

  It's been a little while and it's not because nothing's been going on. It's because, you and I, Tim, in the Root Causes podcast quite often want to get into patterns and get into reading past the first headline and technical journalism that wants to make every story unique. A lot of times, it's not been a unique story.

  But I think what's been going on is not really so much at the research level, at the automotive industry level, a lot of what's been going on is there's just been a whole pile of social media around, hey, my Lexus has been stolen. My Rav4 has been stolen. A bunch of cars have been stolen recently. Higher end late model cars, and a lot of people are starting to ask questions about it. And I just saw this article come up. It was a blog post. It was very detailed, and I want to explain what the progression has been and where we are at right now.

• 

  Tim Callan

  So just real quick, so everybody can follow this article. It's a long article, by the way, for what it's worth. But if you did a search, this is from the Canis CTO blog, somebody named Ken Tindell, Dr. Ken Tindell, and Ken's domain is kentindell.github.io or if you search for the story, CAN injection, keyless car theft, Ken Tindell, T-i-n-d-e-l-l. You will find it. So with that, go ahead, Jay. What do we see in this article?

• 

  Jason Soroko

  What we're seeing in this article, Tim, is the fact that you and I both know, if you have physical access to a computer, if the bad guy has physical access to a computer, it's almost game over, right? If the bad guy is sufficiently equipped and capable and so therefore, if you left your phone at the bar, you left your laptop at the coffee shop and somebody swiped it, then there's any number of physical attacks that are available to the bad guy to be able to compromise those computers, essentially. I think you need to think about your car as a computer that is physically available to the bad guy.

  So, let's talk about the progression of attacks through time and how they've been mitigated and where we are now while you're starting to see these attacks come up more and more.

  So, in the past, Tim, stolen cars, back in the old, old days, if you can get physical access to the key fob, this person presses the button, it remote access to the car, then of course, the bad guy can walk away. And the thing is, there were a lot of previous research and studies around the fact that the communication between the old key fobs and the new, they used to be completely unencrypted. Therefore, you could simply listen in.

• 

  Tim Callan

  Easily cloneable. You just stand there and lift the signal. Sure.

• 

  Jason Soroko

  You got it. And then of course, you know, related was at relay attacks which is where you were able to have a device that basically would do the same thing. You would listen for that signal, then you could replay that attack at a later time. Replay the signal that would be identical to what was coming from the original key fob. We've also seen the reprogramming of key fobs by bad guys. There's any number of attacks that were eventually mitigated because of the fact that the key fob itself, a lot of automakers actually started to encrypt the signal. And sometimes, the more advanced is, hey, is this signal coming from something that is signed by a given key fob. So every key fob eventually had its own digital identity.

• 

  Tim Callan

  Right. So even if I were to clone the signal, it wouldn't matter because I wouldn't have the private key.

• 

  Jason Soroko

  You got it, Tim. It went through a whole progression. The problem is that in all cars since I believe about 1987, 1986-1987, which is when the CAN bus eventually came to cars, originally to reduce the amount of wiring that was in cars. It essentially was the first computer network if you will, but it was highly optimized to the operational environment of an automobile rather than the way that most computers are set up in a traditional enterprise sense. The CAN bus is very, very trusting and when computer systems, electronic control units, or ECUs in cars, essentially what makes up the entire computer network of your vehicle, basically the CAN bus itself being very, very trusting when these ECUs receive a command to say open the door, start the car, when those commands are received, there's usually not a lot of scrutiny from within. The computers within the car are not asking where those signals came from. So typically those key fob security controls that were put in more recently, those are typically done at the Gateway ECU level. So the gateway ECU is kind of the gateway - literally the gateway which controls what communication then goes further into the CAN bus and then starts to actually operate the vehicle. The problem though is that further inside the vehicle the other ECUs behind that gateway aren't as well protected and are still very, very trusting.

  So what you're seeing, Tim, and the article is actually bringing up the idea of what a lot of people are seeing on YouTube which is people walking up to cars, doing something physical to the car and then walking away with the car, driving away with the car. And the example used in the article is very interesting in that an owner of vehicle had caught on a security camera some bad guys trying to mess with the headlights of his car and the guy was like geez, he thought it was just vandalism. Like why in the world would somebody be attacking the headlights of my car and then a few nights later he went and got it fixed and then the bad guys came back and then started messing again with the headlights and I think it was on the third attempt or something like that where eventually the car was stolen. It was gone. And what the article is trying to explain in extreme detail, which is lovely for anybody in the computer industry or the automotive industry, what it's really trying to explain is the bad guys simply wanted to get to the CAN bus wires of which in this particular model of vehicle you can get to the CAN bus wires, the most exposed wires there are actually control the headlamps.

  And so there is an ECU that literally controls the on and off of the headlamps as well as a tilting feature of the headlamp. So, this particular car had a feature that if the car was very, very loaded down and the angle of the car changed, the angle of the headlamps could actually change as well. And that was controlled by a computer and so they basically hooked up the wires, physically connected to the CAN bus wires and started flooding the car with instructions to open the door and start the engine and eventually the car was just overwhelmed with these CAN bus orders and saying okay, okay, you want me open the door and you want me to start engine. Got it. And that's what happened. Door opened, engine started, person is able to walk to the car and drive away and this is because the key fob was completely bypassed, and the bad guy was literally looking for the most accessible wiring to be able to physically send those CAN messages deeper within the CAN bus network of the car.

• 

  Tim Callan

  Wow. I don't know what else to say. But wow.

• 

  Jason Soroko

  I'll be completely honest. My first coming across of this article was from a tweet by Dino Dai Zovi, who is a phenomenal, phenomenal white hat researcher and inventor of a lot of pen testing systems, etc., etc. You can look him up. If you don't know him, well, I'll tell you what, most people know who he is. But he actually sent out a tweet with a link to this article, Tim, and had said, hey, it's starting to get interesting about - and I'm paraphrasing here - just my recollection of what he meant in the tweet was offline hacking is starting to get very interesting.

  And in other words, a car being literally not a computer on wheels, but a computer network on wheels is the best way to think about it. It's like a server room on wheels. And if you're able to physically wire yourself into that server room, well guess what, you could do a lot of bad things with computers that are in that server. And in this case, it was to physically steal the car away and what the article goes on to say, Tim, is something that you and I have alluded to and talked about in previous podcasts, and that has a lot to do with isn't it interesting that really ultimately the solution here is something that's going to end up being a little more expensive in a vehicle but just as the whole idea that the gateway ECU, the way in to this server room of a car was to basically know the genuineness of the key fob that was actually speaking to it. Well, what it really means is that every ECU in the car, or at least the very key ones, such as the ECU that controls the engine starting and the ECU that controls the windows opening and closing and the door opening and closing.

• 

  Tim Callan

  Door locks.

• 

  Jason Soroko

  Exactly. Those ECUs also need to be assured of the genuineness. For example, if it's the gateway ECU that ultimately is copying the CAN bus messages that get sent from ultimately originally from the key fob through the gateway ECU and then all the way over to those critical ECUs that control the doors and locks and the engine, well, that whole chain of genuineness of command needs to be assured. And so therefore, you need to have cryptographic systems essentially deeper within the car. Deeper within working within those other ECUs. And today, most cars just don't have that. And I can tell you firsthand that it's not like this hasn't been researched, it's not like it hasn't been talked about by the automotive industry. You can do searches on the internet for piles of this kinds of information. The problem is that there's a cost associated with it, and the automakers really just don't want to put in the cost.

  And I will also say, there's another argument. And this is mentioned in the article as well, which is, when a car works perfectly, automakers are really reticent to change. And I think there's a third issue here, which is cryptographic commands, and various kinds of things like this will ultimately, it puts latency. It puts a load on an already extremely flooded CAN bus. And so, Tim, it’s almost kind of weird.

  So let's talk about ultimately the trend quickly. And this gets back to enterprise IT where everybody kind of, on this podcast, feels a lot more comfortable. But I've also seen proposed networks inside of cars that actually look a lot more like enterprise networks.

  This is TCPIP, and all the things that we're used to, and there are actually Tier 1, Tier 2 automotive suppliers that have proposed solutions like this and actually offer solutions like this for portions of the car.

  So, isn’t it interesting, Tim, that we’ve talked about laptops computers, mobile devices all the traditional types of ways that we compute, and the more and more and more we get into really looking at, okay, what's the solution for this for automobiles, it ultimately is PKI. And ultimately, the way to get there in a way that's doable, is to make the network look a lot more like we're used to in an enterprise environment.

• 

  Tim Callan

  Just because there's so much work that's already been done in dealing with exactly this kind of problem in an environment that you can just reuse it.

• 

  Jason Soroko

  I think that's the exactly the point, Tim. It's like off the shelf technology that is available and has been well studied in enterprise environments needs to make its way into operational environments. The car being maybe the first to fall to that and then eventually, Tim, why not networks in all kinds of other operational technology environments. Nuclear plants, manufacturing plants, chemical utility plants, etc. All these things that are considered critical infrastructure that work on operational protocols are quite trusting and very insecure, simply because there's so much emphasis placed on reliability and just make it work. The people who built those systems are geniuses of reliability. Let's face it. It's just incredible how reliable the systems are.

• 

  Tim Callan

  Sure. And I can see that. You’ve got to some degree, if you're adding complexity, if you're putting PKI gates on various operations of the car, then you start to ask yourself, is the engine going to suddenly stop working while I'm going down the freeway at 80 miles an hour? And you have to have a high degree of confidence that the answer to that is no. And so if you don't have that, that's one less thing to go wrong. Like, I get that instinct. I even get that instinct more than the cost. Like, I appreciate your point about cost, but vehicles cost a lot of money. I remember we talked about this, about key fobs in an episode several years ago, where we talked about the incremental cost of an extra key fob of some feature and the key fob was like a dollar or two and it was kind of amazing that for a $50,000 vehicle, they weren't prepared to spend an extra dollar on the key fob. And so the cost thing, I don't know exactly what it would cost to make everything PKI enabled. I know that the certificates themselves probably aren't that expensive but that doesn't mean that the rest of it isn't.

  But, to your other point, what I really can't have is I can't have these vehicles that are careening down the street that are giant, deadly weapons. I can't have these vehicles doing things on their own that are causing deaths. And you can see where that focus on reliability might cause them to be reluctant to make changes in something that's already working.

• 

  Jason Soroko

  This is something I learned a long time ago, looking very, very closely in the automotive industry is all the automotive OEMs, the big names out there that we all know, we drive their cars, those guys own the liability. And so if you're the lawyer, you're the Risk Officer, you're the Compliance Officer at one of these big OEMs, you're like, no way are you throwing in this unknown technology.

• 

  Tim Callan

  Now, on the other hand, if you can buy a kit in the aftermarket that you can then learn to use by reading, or watching videos that are publicly available, and then from there, you can go to any of a number of late model cars at night with a screwdriver and steal the vehicle, that might be motivational for these auto manufacturers to be able to say that they are not subject to this particular attack and that might be motivational for them to try to solve these problems.

• 

  Jason Soroko

  You and I, Tim, on this podcast, have talked a lot about when the barrier to entry to do these attacks is so low that just about anybody can put it in their pocket and go, this is the game changer. The article actually gives a really good example of the bad guy who would actually stolen the car was caught with - and they didn't really realize this until later apparently - they were caught with what looked like just a Bluetooth speaker and let's say a policeman had come across this person and the person had stolen a car. Well, most police officers are trained to look for paraphernalia for car hacking. Car stealing. And in this case, it was simply a piece of consumer electronics that looked like they could have bought at Best Buy in 10 minutes and what it was was just a completely rewired Bluetooth speaker that was basically a CAN bus injection system solely designed to steal away this particular car. There's no policeman in the world who could identify that as a carjacking tool and the availability of these things is a no brainer.

• 

  Tim Callan

  So then if these things become widespread, and these steps become widespread, and knowledge about them becomes widespread, then that can lead to these manufacturers then viewing it as a competitive differentiator to make themselves immune to this attack. And that might be what forces this to change. Certainly, if they don't change, then you'll see these things used more and more.

  I mean, they're not cheap. This article says here that I think they were like 5000 euros. So certainly that isn't cheap, but if you're going to go out and you're going to steal 30 to $50,000 vehicles left, right, and center, then you can easily see where somebody would make that investment.

• 

  Jason Soroko

  Absolutely. I don't think the analogy is script kitty here. It's organized crime. But it is peanuts for organized crime to get ahold of this.

• 

  Tim Callan

  It’s not state sponsored. It's just a career criminal. Pure and simple.

• 

  Jason Soroko

  That’s right. That’s right.

• 

  Tim Callan

  Wow. Well, okay. I think that's interesting. I think your point, Jay, about really moving this to the very tried and true approaches that we have and communications approaches that we have on what looks like a more traditional enterprise network, because you can't perform this attack there, is a very interesting one.

• 

  Jason Soroko

  Yes. Absolutely. The hope is that all the OEMs are aware - - that’s not even a hope. I know that they are. The hope is that they take a look at the solutions that have been proposed over the years and guaranteed there'll be a split. There would probably a split of two in the world that that will come up and there will be solutions coming over the next five years of models that are being designed in right now and you'll start to see PKI becoming even just that much more ubiquitous, not just at the gateway of your car, but now deep inside your car, and PKI is going to have to save the day again.

• 

  Tim Callan

  Yep. And once again, PKI, we've seen its flexibility, its applicability to so many different systems and use cases and the fact that foundationally at its core, the basic strategy behind PKI remains undefeated. And that's why once again, you can turn around and say I understand how I would put this in an automotive environment system, and it would yield the same protection that we've enjoyed in so many other aspects of our lives.

• 

  Jason Soroko

  You got it, Tim. Just a side note, before we end this one off. I know there's a few conversation threads about this going on around the internet and I find a lot of the comments saying hey, all you got to do is protect the firmware of the ECU. And, look, this attack doesn't even require the modification of firmware to any of these to use. These are attackers who are using the ECUs perfectly as they are designed, and they come right from the factory. That's a whole other level of attack that when we were talking about folks like Charlie Miller, Chris Valasek, who showed us what can happen when you cannot just inject CAN messages, but also modify firmware on cars and there's been a whole level of research around that. Once again, that has to do with code signing firmware signing in, etc. So that's another place for PKI to be but, in this case, this is just all about the analogy of getting slightly deeper into the server room and this server room just happens to be a car. And so, Tim, this is the progression of things and we'll be staying tuned on what the industry does here.

• 

  Tim Callan

  Definitely. Let's stay tuned on this one, Jason. This is very interesting.