US-Council News

Vehicle hack disables safety features on most modern cars

It has been discovered by security researchers that the majority of modern vehicles are at risk from a design vulnerability which could be potentially disabled by a hacker. The security flaw could allow an attacker to turn off the safety features, such as airbags, ABS brakes, and power steering; essentially any of the vehicles computerised components connected to its controller area network or CAN bus.

In a world where the majority of connected devices developed are flawed, there have been many examples of researchers, engineers and hackers infiltrating vehicles and exposing the vulnerabilities which have revealed some shocking results. A Jeep was hacked on a highway and a Tesla was breached, whereby the security researchers gained control of the braking system while the car was in motion.

Commenting on the news is Art Dahnert, managing consultant at Synopsys, who said “The problem identified by Trend Micro is related to the design and architecture of the CAN bus found in nearly all new cars today. The development of the technology goes back to the 1980’s, predating the World Wide Web. No one at that time thought that someone would deliberately try to sabotage a vehicle over the in car network.

“The attack involves creating a Denial of Service for a specific target by using the error management built into the CAN bus protocol. When an attacker causes the network to send too many error “messages” (frames) to a device, the design dictates that the target goes into a Bus Off state. This means that it will no longer respond to messages or send new ones, effectively disabling the device. In the case of an automobile it might be the ABS or airbags or even the electrically assisted power steering.

“Generally, these types of attacks will require access to the vehicle and the ability to persist beyond a restart. However, now that newer vehicles can be connected to the internet in a myriad of ways this is no longer true. Taking advantage of connected phones and telematics features, an attack could happen without direct physical access. And this isn’t necessarily isolated to a single manufacture or model of vehicle.

“Even though the problem has been identified, resolving it will be a long time coming. There are many factors involved, including the large number of vehicle and component manufacturers as well as the technical difficulties in developing a solution for this type of problem. Not to mention the requirements to allow access by the aftermarket and third party repair establishments.

“You can’t bolt on security, it has to be built in from the beginning. A simple update will not fix the cars on the road today.”