CAN Standard Helps Attackers to Switch Off Brakes, Steering and Engine

Security researchers from TrendMicro and the Technical University of Milano explain in a blog post “The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard” and a video how to switch off any electronic control unit (ECU) attached to the CAN bus. An attacker could switch off the brakes, engine or steering of your car. The researchers exploit a feature defined in the CAN standard. Every vehicle using CAN bus – so, basically every car, truck, harvester, tractor and construction machine – is open to the attack.

Let us assume that the attacker wants to switch off the brakes. If the attacker has local access to the vehicle, he only needs to attach a CAN device with a malicious version of the CAN stack to the CAN bus. It is as simple as connecting the two wires of the CAN device to the respective wires of the CAN bus anywhere in the vehicle. Such a CAN device costs no more than 15 euros and the CAN stack software is freely available.

If the attacker only has remote access, he must hack into the infotainment system, the terminal or the telematics box of the vehicle. The famous Jeep hack shows how to do this. It is much simpler for agricultural and construction vehicles than for cars, because security is often neglected. Once hacked, the CAN driver is replaced with a malicious version.

The malicious version of the CAN stack abuses a feature of the CAN standard to deal with bus contention. Whenever the ECU of the brake writes a frame to the CAN bus, the malicious CAN stack immediately sends a frame where a bit of the original frame is flipped. The brake recognises a bus contention and sends a highest-priority error frame to recall its original frame. This error frame tells the other bus participants to ignore the original frame. After the malicious stack has killed 32 frames from the brake in this way, the CAN bus takes the brake ECU from the bus. The brake is switched off.
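The figure of 32 frames follows from the fault-confinement counters that the CAN standard defines for every node. The model below is an added example, not code from the researchers or from any CAN stack; the names `can_node`, `node_transmit` and `frames_until_bus_off` are illustrative, and the receive error counter and bus-off recovery are not modelled.

```c
#include <stdio.h>

/* Fault-confinement states defined by the CAN standard (ISO 11898-1). */
typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state;

/* Transmit error counter (TEC) of one node, e.g. the brake ECU. */
typedef struct { int tec; } can_node;

static can_state node_state(const can_node *n) {
    if (n->tec > 255) return BUS_OFF;        /* node stops transmitting */
    if (n->tec > 127) return ERROR_PASSIVE;  /* node may still transmit */
    return ERROR_ACTIVE;
}

/* One transmission attempt: an error adds 8, a success subtracts 1. */
static void node_transmit(can_node *n, int had_error) {
    if (node_state(n) == BUS_OFF) return;
    if (had_error) n->tec += 8;
    else if (n->tec > 0) n->tec -= 1;
}

/* Number of frames sent until bus-off when the first `bad` frames of
 * every `period` frames end in an error; -1 if bus-off is not reached
 * within max_frames. */
static int frames_until_bus_off(int bad, int period, int max_frames) {
    can_node n = { 0 };
    for (int i = 0; i < max_frames; i++) {
        node_transmit(&n, (i % period) < bad);
        if (node_state(&n) == BUS_OFF) return i + 1;
    }
    return -1;
}

int main(void) {
    /* Every frame is answered with an error: 32 * 8 = 256 > 255. */
    printf("every frame:   %d\n", frames_until_bus_off(1, 1, 10000));
    /* Every second frame errors: net +7 per pair, still reaches bus-off. */
    printf("every second:  %d\n", frames_until_bus_off(1, 2, 10000));
    /* One error in nine frames: eight successes cancel it out. */
    printf("one in nine:   %d\n", frames_until_bus_off(1, 9, 10000));
    return 0;
}
```

Sporadic errors decay away, so a transmit error counter that climbs steadily on a single ECU is the signal worth monitoring.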

A full fix for this security flaw would require a change of the CAN standard. This will take some time, probably a couple of years. There is no easy way to mitigate the risk of a local attack. This is especially a problem for tractors, harvesters and construction machines, which can easily be accessed locally. You can make a remote attack harder by signing the CAN stack cryptographically.

Writing Apps for GM Cars

Just three years ago, this would have been unthinkable. GM publishes an SDK (NGI SDK) to write apps for the infotainment systems of its cars and an app (GM Dev Client) to run the app in the car.

General Motors has launched GM Dev Client, an industry-first app that gives approved developers who have created in-vehicle applications the ability to test them in a real GM vehicle. In-vehicle app testing is the next step for app developers who have already created a proof of concept using GM’s next-generation infotainment software development kit (NGI SDK).

Of course, you need a car or at least access to a car from one of GM’s brands, which is a bit tricky in Europe. And it must be a model from 2017 or newer.

By the way, these third-party apps are written with Web technologies (HTML/CSS/JavaScript).

Will Android Take Over In-Vehicle Infotainment?

For Nathan Tennies from Barr Group, the answer seems to be a resounding “yes”:

It’s frankly hard to see how automakers using AGL—or other infotainment platforms—will be able to keep up with Google. […] And for some automakers, putting the kibosh on Google may ultimately be more important than providing customers with the best IVI experience […] But mobile giant Samsung provides a cautionary tale about the difficulties of competing with Android.

Samsung and the other Android handset makers provide a cautionary tale of why using Android is a bad idea. The premium handset market is heavily dominated by Apple’s iOS. Customers are willing to pay prices of 700 euros and more for an iPhone, because iOS is the big differentiator from Android.

Why should customers pay 700 euros for Android phones if 300-euro Android phones are good enough for them? Android OEMs can only differentiate on price. And their average selling prices have been declining for years.

Car OEMs would be stupid to bet on Android. They would give away an easy and compelling way for differentiation. I can’t see this happening for premium car makers like Daimler, BMW, Porsche and Tesla. They are currently investing heavily in operating systems other than Android.