When I was a kid, my grandpa would inevitably fall asleep watching Sunday Afternoon Baseball, leaving time for my cousin and me to sneak a VHS into the VCR while he was unaware. A frequent pick was monster truck rallies. We would then spend the next hour (or until Grandpa woke up) enthusiastically watching heavily modded trucks smash much smaller cars.
Monster trucks are examples of hacking in the context of modifying, building, improving, and even inventing to gain speed or performance or to solve some other problem. This generally requires knowledge, skill, and, most importantly, physical access to the vehicle being modified.
Hacking can also refer to breaking into a computing system remotely or with physical access, often out of curiosity (think Kevin Mitnick or Matthew Broderick’s character in WarGames) or sometimes with malicious intent (think the 2013 Target breach or The Plague from the 1995 movie Hackers). This is the definition we will proceed with.
It is only recently that vehicles have become “connected,” meaning the onboard computers have the potential to be accessed remotely or maliciously hacked through wireless connections. While this still requires skill and knowledge, it eliminates the need for physical access to the vehicle.
The first connected vehicle is often attributed to BMW with their data transmitting onboard computers developed for use with Formula One in the 1980s. But it wasn’t until 1996 that connected vehicles were available to consumers with the introduction of GM’s OnStar emergency system. OnStar was then licensed out to other manufacturers in the early 2000s. I distinctly remember riding in a friend’s parent’s Subaru when having OnStar was new and intriguing.
After OnStar, vehicle manufacturers began adding SIM cards, GPS systems, and eventually the omnipresent infotainment systems supporting Apple CarPlay or Android Auto that we have today. This rise of in-vehicle wireless connectivity and infotainment systems has led to the possibility of gaining remote access to the onboard controller area network (CAN).
There are a number of prevention measures that could be widely adopted by vehicle manufacturers to remediate this risk, but first let’s talk about CAN architecture and well-respected vehicle hacking research.
Controller Area Networks (CAN)
Controller Area Networks (CAN) were developed at Bosch in the early 1980s and released in 1986. The first vehicle released with CAN was the Mercedes-Benz W140 in 1991. It took five years from public release of CAN to implementation, and then only another five years before the first connected vehicle appeared on the market.
Today, CAN is used widely across the transportation industry. It is used in cars, commercial vehicles, trains, airplanes, and even flight simulators. CAN has also been used in agriculture, industrial automation, and other embedded systems.
CAN is sometimes described in terms of the full OSI model, but more often only its physical, data link, and application layers are discussed.
Over the years, various standards have been developed for CAN. Multiple renditions of ISO 11898 focus on CANbus for road vehicles at the physical and data link layers. Each industry also has its own standards—aviation, rail, industrial automation, agriculture, and others.
Car manufacturers use SAE International’s standard SAE J2284. The commercial vehicle and trucking industries use either SAE J1939, or J1708 (physical layer) paired with J1587 (application layer).
There are multiple network topologies used by CAN. It can be implemented in ring, star, or bus, although it is most commonly used with a bus topology.
In a bus topology the Engine Control Units (ECUs), small computers built around microprocessors, are linked along a network logically in a line. Communication is sent in unencrypted frames along the bus, where every node sees them and the ECU the frame is meant for acts on it—no authentication is required. ISO-TP is used to split messages that are too large for a single frame and reassemble them at the receiver, particularly for onboard diagnostics traffic exchanged through physical access ports such as OBD, OBD-II, or EOBD.
The lack of encryption and authentication means traffic can be read or manipulated anywhere along the bus with the right knowledge and an OBD-II connector. With the addition of connected infotainment systems, GPS, and onboard Wi-Fi, additional microprocessors are added along a vehicle’s CANbus that open the door for remote, unauthorized access. You may be asking, “What is being done about this potential for hacking?”
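To make the frame layout concrete, here is an added example (not code from the original post) that segments a message into ISO-TP frames and reassembles it the way a receiving ECU or diagnostic tool would; the payload and the use of the conventional 0x7E8 diagnostic response ID are constructed for the demo. It also shows the security-relevant absence the text describes: nothing in the frames identifies or authenticates the sender, so any node that can see the bus rebuilds the message.

```python
from typing import Dict, List, Optional

# Constructed example, not code from the original post. 0x7E8 is the conventional
# diagnostic response ID; the payload is made up. Nothing in a frame names or
# authenticates its sender, so the reassembler cannot tell who put it on the bus.
def isotp_segment(payload: bytes) -> List[bytes]:
    """Sender side: split a payload into ISO-TP single/first/consecutive frames."""
    if len(payload) <= 7:                                  # SF: PCI 0x0N, N = length
        return [bytes([len(payload)]) + payload]
    if len(payload) > 0xFFF:
        raise ValueError("12-bit length field cannot describe this payload")
    n = len(payload)                                       # FF: PCI 0x1N plus a length byte
    frames = [bytes([0x10 | (n >> 8), n & 0xFF]) + payload[:6]]
    sn, pos = 1, 6
    while pos < n:                                         # CF: PCI 0x2N, N = sequence number
        frames.append(bytes([0x20 | sn]) + payload[pos:pos + 7])
        pos, sn = pos + 7, (sn + 1) & 0x0F                 # sequence runs 1..15, then wraps to 0
    return frames

class IsoTpReassembler:
    """Receiver side: one in-progress assembly per arbitration ID."""
    def __init__(self) -> None:
        self._active: Dict[int, list] = {}                 # id -> [total, buffer, next_sn]

    def feed(self, arb_id: int, data: bytes) -> Optional[bytes]:
        if not data:
            return None
        pci, low = data[0] >> 4, data[0] & 0x0F
        if pci == 0x0:                                     # single frame: complete already
            return bytes(data[1:1 + low])
        if pci == 0x1:                                     # first frame: open an assembly
            self._active[arb_id] = [(low << 8) | data[1], bytearray(data[2:8]), 1]
            return None
        if pci == 0x2:                                     # consecutive frame
            asm = self._active.get(arb_id)
            if asm is None or low != asm[2]:               # lost or out-of-order: abort
                self._active.pop(arb_id, None)
                return None
            asm[1] += data[1:8]
            asm[2] = (asm[2] + 1) & 0x0F
            if len(asm[1]) >= asm[0]:
                del self._active[arb_id]
                return bytes(asm[1][:asm[0]])
        return None                                        # flow control (0x3) carries no data

def demo() -> Optional[bytes]:
    rx, result = IsoTpReassembler(), None
    for raw in isotp_segment(b"example payload bytes"):   # constructed 21-byte message
        result = rx.feed(0x7E8, raw) or result
    return result
```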
Hacking and Research
Over the last decade or so, automotive hacking and security has become an increasingly popular research topic. What initially piqued my own interest was the 2015 reporting by Andy Greenberg, a journalist for Wired, who drove a Jeep Cherokee down a highway while researchers Chris Valasek and Charlie Miller remotely accessed the Jeep’s ECUs via Sprint’s network, rewrote the firmware for an ECU, and proceeded to cause mayhem. The next several years yielded more research and articles continuing the story. 2015 was, in general, a big year for automotive security research. It was also the year DEFCON’s car hacking village (a village is a group focused on a specific topic) was introduced, and the same year another researcher discovered a flaw in GM’s OnStar phone app that would allow anyone to intercept communication to unlock and remotely start the engines of OnStar-enabled vehicles.
Earlier, in 2010, engineers associated with the University of Washington and UC San Diego published research in IEEE’s Symposium on Security and Privacy showcasing that ECU access would allow a hacker to circumvent safety systems, override driver actions, and perform other actions such as turning off the engine. After 2015, a host of research appeared regarding remotely accessing Teslas, remotely accessing vehicles with onboard wifi, and unlocking vehicles by hacking the radio signals used by key fobs. Recent reporting focuses heavily on key fobs, but much more research has been done in 2022. Last year’s DEFCON car hacking village included topics such as programmable logic controllers in tractor trailer ABS systems, heavy duty equipment, securing the data link layer of CAN, autonomous vehicles, and motorcycles—showing that a wide range of vehicles have room for security improvement. Security researchers have answered the question “Can vehicles be hacked?” with a resounding “Yes.”
That leaves us with the question: how can vehicle manufacturers improve security and safety through best practices?
Future Improvements and Best Practices
There are a number of possible improvements the automotive industry can use to improve onboard networks to lower the risk of malicious access.
1. The first improvement is to segment ECUs out onto separate networks. Keep units with potential external entry points such as onboard Wi-Fi, SIMs, or the overall infotainment system on a separate network that either cannot reach the ECUs controlling the actual engine or has extremely limited access. Some manufacturers have already implemented this and keep the infotainment system on a separate network with a ring topology.
2. The next improvement is to implement some form of unique authentication. This could be authentication between ECUs, or additional authentication on the externally accessible modules. Part of this is also promoting security information and solutions amongst manufacturing and sales employees. When I purchased a used vehicle in 2016, the dealership I acquired it from was surprised when I specifically inquired how to reset the Bluetooth PIN after finding out the PIN was 1234. The dealership employee had to go find the answer before they could help me. Make changing any driver-specific existing authentication mechanisms on modules such as infotainment systems a normal part of the purchasing process.
3. Similarly to solutions for authentication, it is important to inform consumers on how their onboard computers can be patched for security flaws. Many ECUs run embedded versions of the Linux kernel, which means critical Linux kernel vulnerabilities can, and do, exist in vehicles. Some manufacturers like Tesla implement over-the-air updates and make it known that this is how patching happens. Other manufacturers install software and security updates via USB when a vehicle is brought to the dealership, but sometimes the vehicle owner must both ask for and pay for this service when it should be complimentary. Overall, it needs to be easier for consumers to know when and how to install security patches outside of recalls.
4. Encryption is always highly suggested but may not be practical depending on the computing power in each ECU and the encryption algorithm chosen, since encryption has a tendency to be computationally expensive.
5. Many vehicle manufacturers have started putting out bug bounties on platforms such as Bugcrowd and HackerOne, where ethical hackers can report security findings about that manufacturer’s product. It would be great to see more manufacturers participating in these types of programs.
6. Finally, many vehicle compliance standards are fifteen years old or older. Continuous improvement of compliance standards is critical as more connected features are added to vehicles. There is work being done to cyclically update these standards and add new standards to fill in the gaps that the original standards do not cover. For example, in August of 2021, ISO/SAE 21434 was released. This standard is meant to address cybersecurity risk management in road vehicle electrical and electronic systems.
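As an added example of item 2 (not code from the original post or from any manufacturer), the following models the freshness-counter-plus-truncated-MAC pattern that AUTOSAR SecOC standardizes, squeezed into a classic 8-byte CAN payload: 4 data bytes, the low byte of a 32-bit counter, and a 3-byte tag. HMAC-SHA256 from the standard library stands in for the AES-CMAC an ECU would use, and the key, CAN ID and data bytes are constructed; it also bears on item 4, since a MAC provides integrity, origin and freshness checks without paying to encrypt the payload.

```python
import hashlib, hmac, struct
from typing import Optional, Tuple

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
DATA_LEN, CTR_LEN, MAC_LEN = 4, 1, 3   # 4 + 1 + 3 = one classic 8-byte CAN payload

def _mac(key: bytes, arb_id: int, counter: int, data: bytes) -> bytes:
    """Tag binds the CAN ID, the full 32-bit freshness counter and the data."""
    msg = struct.pack(">HI", arb_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key: bytes, arb_id: int) -> None:
        self.key, self.arb_id, self.counter = key, arb_id, 0

    def build(self, data: bytes) -> bytes:
        if len(data) != DATA_LEN:
            raise ValueError("demo layout carries exactly 4 data bytes")
        self.counter += 1                                # a counter value is never reused
        tag = _mac(self.key, self.arb_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag  # only the low byte goes on the wire

class Receiver:
    def __init__(self, key: bytes, arb_id: int) -> None:
        self.key, self.arb_id, self.last = key, arb_id, 0

    def verify(self, payload: bytes) -> Optional[bytes]:
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != DATA_LEN + CTR_LEN + MAC_LEN:
            return None
        data, low, tag = payload[:4], payload[4], payload[5:]
        full = (self.last & ~0xFF) | low                 # rebuild the 32-bit counter
        if full <= self.last:
            full += 0x100                                # low byte wrapped since last accept
        if not hmac.compare_digest(tag, _mac(self.key, self.arb_id, full, data)):
            return None                                  # forged, tampered or replayed
        self.last = full                                 # advance only on success
        return data

def demo() -> Tuple[bool, bool, bool]:
    tx, rx = Sender(KEY, 0x123), Receiver(KEY, 0x123)   # constructed ID and data bytes
    frame = tx.build(b"\x01\x02\x03\x04")
    accepted = rx.verify(frame) == b"\x01\x02\x03\x04"
    replay_rejected = rx.verify(frame) is None           # identical bytes sent again
    fresh = tx.build(b"\x05\x06\x07\x08")
    tampered = bytes([fresh[0] ^ 0x80]) + fresh[1:]      # data bit flipped, tag kept
    return accepted, replay_rejected, rx.verify(tampered) is None
```

Per-frame cost here is one hash over about 10 bytes, which is the kind of budget a small ECU can afford where full payload encryption might not be.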
Slingshot into Security
Overall, the vehicle manufacturing industry has come a long way in the last decade. There is more information available about hacking onboard computers, in addition to research into possible long-term solutions. Currently, the best ways to address the possibility of vehicle hacking with malicious intent are to segment infotainment systems away from the engine controls, educate consumers on patching, simplify the patching process where possible, and add authentication mechanisms.
At Oteemo, the intersection of Cybersecurity and transportation & logistics is an area we’re dedicated to serving. With the increasing threat on the nation’s trucking industry, we recently launched our Transportation Logistics solution.
Oteemo has positioned itself to assist trucking & logistics companies in their cyber posture by helping them meet the ever increasing cyber threat on our supply chain. As vehicles of all shapes and sizes become more connected, the threat of hacking increases. Oteemo is working to meet this threat and ensure a safer, connected future.