Known by their wheels
IT researchers at the University of Southern California and at Rutgers University have investigated data protection in a case study on the security of electronically controlled car components. By maliciously interfering with modern car electronics, attackers can trigger a variety of dangerous actions. For instance an attack might disable the brakes while the vehicle is in motion, switch off the ignition, or cause a spontaneous emergency stop. Previous experiments in this field (Experimental Security Analysis of a Modern Automobile) have focused on the possible effects of such intrusions and on potential vulnerabilities in the internal network of subsystems, for example in the widely-used Controller Area Network (CAN).
However, this research put less emphasis on investigating potential ways attackers could hack into systems without physically manipulating a vehicle. Now, Ishtiaq Rouf at the USC and other researchers have found a vulnerability in the data transfer mechanisms between CANbus controllers and wireless tyre pressure monitoring sensors which allows misleading data to be injected into a vehicle's system and allows remote recording of the movement profiles of a specific vehicle. The sensors, which are compulsory for new cars in the US (and probably soon in the EU), each communicate individually with the vehicle's on-board electronics. Although a loss of pressure can also be detected via differences in the rotational speed of fully inflated and partially inflated tyres on the same axle, such indirect methods are now prohibited in the US.
The researchers used such simple means as GNU Radio and USRP to intercept the data transmission between individual sensors and the direct control systems. They found that these transmissions were unencrypted and the test vehicles' on-board electronics blindly trusted the received signals without validating them. This potentially allows attackers to launch misleading spoofing attacks as well as other activities designed to drain a sensor's batteries.
In contrast to what would be expected, the researchers managed to intercept the sensor signals from a distance of 10 metres. By using an antenna amplifier, they could even intercept communications at a distance of 40 metres from a stationary vehicle. The 32-bit sensor IDs obtained in this way offer a similar opportunity to that provided by video technology; to identify cars in traffic and help generate movement profiles. Drivers cannot disable the sensors and are just as vulnerable to this type of monitoring as they are to the recording of registration plates on video. Wireless monitoring is also likely to prove less error prone as well as considerably cheaper.
In order to protect car drivers from unwanted listeners, the authors of the study recommend that the developers of car controllers switch to secure transmission protocols. In the interest of car safety, they also advise that developers should first of all introduce a consistency check for received signals. Although existing IEEE draft standards to regulate wireless communication in and between cars are mentioned in the study, the authors don't seem to think too highly of these drafts and they don't mention them in their recommendations.