Thursday, August 19, 2010

City Crippler Car Worms

The other day, Bruce Schneier linked to a couple of recent papers on automobile security, or rather the lack of it.

The first is a paper from a University of Washington/UC San Diego collaboration that looked at what an attacker could do after getting onto the internal network of a car (its "CAN bus").  Working experimentally with current, commercially available cars, they showed that essentially all of the car's electronics can be reached from anywhere else on that network, and that they could disable the engine, apply the brakes, disable the brakes, and do other highly unsafe things while the car was moving.  They even found ways to disable the car that survived restarting it or removing and replacing the battery.

It wasn't the focus of the paper, but they also mention some external avenues for getting onto the car remotely.  One is that devices such as music players attach to the car's internal network, and that potentially includes smartphones, which are connected to cellular networks and have well-known vulnerabilities of their own.  Some cars also have a cellular connection to services like OnStar, which terminates at a component on the car's internal network.  And then they found no fewer than five wireless interfaces on the car, and:
"While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet."
The second paper looks specifically at the wireless tire pressure sensors that are now required on new cars.  They show that the radio traffic between the tire pressure sensors and the antenna on the back window of the car can be picked up from as far as 10 m away with a cheap antenna, and that the protocol is unprotected: its messages can be eavesdropped and interfered with.

To my evil old alarmist brain, this raises some intriguing possibilities.  Let us make the following assumptions:
  1. Suppose that a small fraction (say 0.1% to 1%) of the cars on the road at any one time have Internet-accessible vulnerable components attached to their internal networks (e.g. a smartphone or a remote service interface).  It seems eminently likely that this is true.
  2. Suppose further that most cars have vulnerabilities in their internal wireless interfaces, such that once you have compromised the network of one car, you can compromise a second car if it's within some range; call it the attack range, and guess it to be around 10 m.
I stress that the second assumption is a hypothetical: neither of these papers documents that this can be done, and I don't know whether or not it's possible.  It's not completely implausible, though, given that there are multiple wireless interfaces on these cars and that the designers of in-car networks appear to have been generally quite clueless about security.  Usually, when the security community comes across some new domain whose practitioners lack any understanding of security, it turns out that there are very large numbers of vulnerabilities of all kinds, pervasive throughout the system.

Anyway, take the second assumption as a hypothetical, because if it were true, I believe the implications would be pretty interesting.

In particular, I think it would open up the following cyberwar type attack to potentially seriously cripple entire cities.

The idea would be to launch a worm that spread on the Internet (in any of a number of well-explored ways) looking for vulnerable smartphones.  Smartphones have GPS receivers, so the worm, having infected a phone, could restrict itself to some geographic area of interest (e.g. the US, or a particular city).  It could then check whether its host phone happened to be plugged into a car and, if so, compromise the car.  From there it could use whatever wireless opportunities were available to compromise any other cars within the attack range.  It could also disable the car (e.g. by locking up the brakes, stopping the engine, etc.).

The worm would thus seed itself into the small minority of cars that are vulnerable from the Internet and from there spread into the larger majority that are not.

If this worked correctly, the end result would be a city with all its major freeways and surface streets full of disabled cars, a situation that would paralyze almost all commerce.  It would probably take weeks to straighten out the mess.

I think some basic principles here are these.  In heavy, stop-and-go traffic, cars sit closer together than the posited attack range, so I think we could expect a car worm to spread easily from car to car.  This would roughly correspond to the red areas on a traffic map such as the ones Google Maps shows.

In lighter traffic (the green zones on such a map) we might expect the worm to fail to spread.  Every infectious agent or chain reaction has an epidemic threshold: if an average infected agent (a car, in this case) infects more than 1.0 other agents, the epidemic continues to grow and spread; in regions where the average infection potential falls below this, the epidemic usually peters out and dies.  So in free-flowing traffic you might expect the worm to initially fail to spread.

However, car traffic has the interesting property that it would probably self-assemble to infectious densities.  If a few cars get infected and disabled, cars coming up from behind will slow down as they approach and carefully skirt round the disabled cars.  They in turn may get infected, which will soon snowball into a complete blockage of the road.  Then every car approaching the blockage will slow down and line up immediately behind the car in front, each being infected and disabled as it comes too close.

Thus even relatively lightly trafficked roads would soon be blocked by a series of clusters of disabled cars, with open road in between.
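To make the threshold and self-assembly argument above concrete, here is a toy one-lane simulation.  It is example code written for this page, not anything from the post or from the two papers it cites.  The car spacing, speed, queuing gap and the 10 m attack range are assumed values, and the worm is modelled as deterministic: any clean car that ends a time step within attack range of an already-disabled car is compromised and stops.

```python
"""Toy one-lane model of the 'self-assembling jam' argument.

Added example, not from the original post.  All numbers (car spacing,
speed, queuing gap, attack range) are assumptions chosen for illustration;
the worm is modelled as deterministic: any clean car that ends a time step
within attack_range of an already-infected car is compromised and stops.
"""
from dataclasses import dataclass


@dataclass
class Car:
    pos: float              # metres along the road (larger = further ahead)
    speed: float            # metres per time step while free-flowing
    infected: bool = False  # compromised cars are disabled and stop dead


def make_road(n, spacing, speed, seed):
    """n cars at uniform spacing, rearmost first; car `seed` starts infected."""
    cars = [Car(pos=i * spacing, speed=speed) for i in range(n)]
    cars[seed].infected = True
    return cars


def neighbours_in_reach(spacing, attack_range):
    """How many cars one infected car can reach in uniformly spaced traffic
    (counting both directions).  The epidemic-threshold argument: below 1
    the outbreak dies out, above 1 it grows."""
    return 2 * int(attack_range // spacing)


def step(cars, attack_range, queue_gap):
    """Advance traffic one time step, then let the worm spread.

    Drivers never pass the car ahead; they close up to queue_gap metres
    behind it.  That is how an empty stretch of road acquires an
    infectious density around a disabled car.
    """
    # Update from the front of the road backwards so each driver sees the
    # already-updated position of the car directly ahead.
    for i in range(len(cars) - 1, -1, -1):
        car = cars[i]
        if car.infected:
            continue                      # disabled: does not move
        target = car.pos + car.speed
        if i + 1 < len(cars):
            ahead = cars[i + 1]
            target = min(target, ahead.pos - queue_gap)   # don't rear-end
            target = max(target, car.pos)                 # never reverse
        car.pos = target
    # Spread from a snapshot of infected positions, so a car infected in
    # this step cannot also infect its neighbour within the same step.
    infected_pos = [c.pos for c in cars if c.infected]
    for c in cars:
        if not c.infected and any(abs(c.pos - p) <= attack_range for p in infected_pos):
            c.infected = True


def run(cars, steps, attack_range, queue_gap):
    """Simulate `steps` time steps; return the number of infected cars."""
    for _ in range(steps):
        step(cars, attack_range, queue_gap)
    return sum(c.infected for c in cars)


if __name__ == "__main__":
    RANGE, GAP = 10.0, 3.0
    # Static snapshot: at 40 m spacing one infected car reaches nobody,
    # but in a 5 m bumper-to-bumper jam it reaches four neighbours.
    print("reach at 40 m spacing:", neighbours_in_reach(40.0, RANGE))
    print("reach at  5 m spacing:", neighbours_in_reach(5.0, RANGE))

    # Light traffic (40 m apart, 20 m/step): below threshold as a snapshot,
    # yet every car behind the seed queues into range and is disabled,
    # while the cars ahead drive off clean: one cluster, open road around it.
    road = make_road(n=9, spacing=40.0, speed=20.0, seed=4)
    print("light traffic, infected after 40 steps:",
          run(road, 40, RANGE, GAP), "of", len(road))
    print("cluster positions:", [c.pos for c in road if c.infected])

    # Stationary jam: spreads two cars each way per step until all are hit.
    jam = make_road(n=21, spacing=5.0, speed=0.0, seed=10)
    print("jam, infected after 5 steps:", run(jam, 5, RANGE, GAP), "of", len(jam))
```

Run as a script, the static numbers come out as 0 neighbours in reach at 40 m spacing and 4 at 5 m, so a snapshot of light traffic sits below the threshold.  The dynamic run of the same light traffic nevertheless ends with the seed car and all four cars behind it disabled in a 12 m cluster (positions 148 to 160 m), while the four cars ahead drive away untouched, which is exactly the "clusters with open road in between" picture.  The stationary jam is fully infected after five steps.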

In addition to stressing that it's unclear whether the kinds of vulnerabilities required to do this exist, I also stress that this is no teenage prank: it would be a major project requiring tens or even hundreds of millions of dollars of engineering work.  Vulnerabilities would have to be identified in all major makes and models of car, and code written to identify the components on neighbouring cars, compromise them, disable each different kind of car, and so on.  If you figure a few engineering years of effort per make/model (look at the author lists on the papers above), and that you would need to target tens or hundreds of models, the effort comes to somewhere between a hundred and a thousand engineering years, and thus tens to hundreds of millions of dollars.  So this is definitely only a nation-state possibility.

It will be interesting to see as more research on automobile security comes out whether such car-to-car vulnerabilities exist or not in present day cars.


Anonymous said...

Wow! China or India takes down USA at rush hour. Totally cool! I wonder if fly by wire is equally vulnerable. That would not be so funny but you could spread it over satellite GPS to all flights and knock them out of the skies. The prospects for cyberwar are awesome. Think of all the possibilities with military vehicles. Actually a CIA type of thing would be to target public officials and cause accidents, which would remain officially accidents as no one would let on that they were a victim of this stuff.

I actually heard of a guy offering a cure for this type of stuff related to car "keys" (German public radio report on science and technology). You know, the kind where you go "beep" and the car is opened. Somebody picks up the code 10 meters by wire away and can open all cars of the same make globally. The guy was on a trade fair offering his solution which I believe was individual coding for each car so it could not spread the risk. Maybe it changed each time according to an algorithm, I don't remember. Anyway this weakness is a car thief's dream. He could take all the Mercedes SLs in the country for the mafia and change the plates and sell them in Russia.

Eric Hacker said...

Very interesting thoughts, but the proposed attack method is old 3rd generation warfare thinking. John Robb would suggest that we look at whether much better attack ROIs can be achieved given the listed vulnerabilities. Unfortunately, it doesn't take me too long to come up with scenarios that fit the bill. (pun intended)

Sure they might be more localized and cause less damage per attack, but the development and equipment investments are low and the economic damage high enough that the ROIs are much higher. It is certainly within the reach of Global Guerrillas.

Borepatch said...

Corollary: The auto manufacturers have no Patch Tuesday mechanism - and in fact probably bought the components from a much smaller 3rd party supplier.

The half life of any of these vulnerabilities will be measured in years, not weeks.

I guess I'll be looking into that GTO after all ...

New Englander said...

Good article, but your estimate of the attack cost is way too high. I would expect vulnerabilities to be frequently applicable across models and even manufacturers. I imagine that with a handful of test models, given your hypotheses, an attacker could probably develop generic code that would "infect" upwards of half of the theoretically vulnerable population in a target area.

Unknown said...

Nice article, in the morning! There was a fictional short story in the German computer magazine c't some years back, where exactly this scenario was described. The hacker used it there for a drive-by-wire scenario in which all the infected cars were redirected to a specific location and arranged themselves there to spell out some love message to the hacker's girlfriend, while they all honked their horn and blinked their lights like crazy. That'll be more the 4chan-way of pursuing this whole idea, but still worthwhile to consider... ;-)

Alex Truck said...

It is amazing how technology manages to solve one problem, only to pre-expose us to another. On one side it is bad, but on another we will never be out of jobs :)
