A big shout out to the Chrysler-Jeep control systems design team: it turns out that flat and un-partitioned architectures are not so secure, after security experts Charlie Miller and Chris Valasek demonstrated the ability to remotely take over a Jeep via the internet and steer it into a ditch. Chrysler has now patched the Sprint/UConnect vulnerability, and subsequently issued a recall notice for 1.4 million vehicles which requires owners to download a car security patch onto a USB stick then plug it into their car to update the firmware. So a big well done Chrysler-Jeep guys, you win this year's Toyota Spaghetti Monster prize* for outstanding contributions to embedded systems design.
Our two track-suited heroes Charlie and Chris have previously published a threat assessment of how hackable various cars are. For those who don’t want to wade through the entire 94 pages of the report, here’s a handy summary spreadsheet on Wired, in which the Jeep Cherokee features as one of the most hackable. They point out that it’s the automated braking, parking, lane assist and adaptive cruise control functions, in other words those where the driver relinquishes command authority, that are the direct target of the intruder, although just being able to remotely monitor a car’s location via GPS could also be an objective. As to what you can achieve, well that can range from simple surveillance through to direct and potentially lethal action against a target. Now I’m somewhat uneasily wondering whether this sort of technology may have had something to do with the success of those drone attacks against Al Kayeeda upper management.
The report by Charlie and Chris canvasses a number of potential methods to improve security. One of their more interesting proposals is the deployment of a security monitor node onto the vehicle’s CANBus that listens for message traffic that looks like a co-opted node trying to execute a flood attack on another node and, having detected such an attack, shuts down the bus. Unlike networks dominated by human traffic, automation networks are much more predictable, so automated attack detection is quite feasible. As an ‘after-market’ style add-on, a security monitor doesn’t require a complete redesign of the network architecture either, so all in all it’s a very good example of the virtues of economy of mechanism. For those of you with a system safety background all this might start to sound remarkably similar to the concept of a safety monitor, probably because it is. For a more robust security architecture again one would have to solve the Byzantine Generals problem, which neatly brings Leslie Lamport’s metaphor of untrustworthy generals full circle.
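To make the security monitor idea concrete, here is an added example (my own sketch, not Miller and Valasek’s design or any vendor’s code) that exploits exactly that predictability: it learns the normal inter-arrival period of each CAN arbitration ID from clean traffic, then flags an ID whose frames start arriving far faster than its baseline, or an ID it has never seen. The frames, IDs and timings are constructed for the demo; a real monitor would act on the alert (e.g. isolate the bus) rather than just return it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    ts: float   # receive timestamp in seconds
    can_id: int  # 11-bit CAN arbitration ID


def learn_baseline(frames):
    """Mean inter-arrival period per CAN ID, learned from known-clean traffic."""
    last, gaps = {}, defaultdict(list)
    for f in frames:
        if f.can_id in last:
            gaps[f.can_id].append(f.ts - last[f.can_id])
        last[f.can_id] = f.ts
    return {cid: sum(g) / len(g) for cid, g in gaps.items()}


def monitor(frames, baseline, ratio=0.5, tolerance=3):
    """Return (ts, can_id, reason) alerts.

    An ID is reported as a flood once `tolerance` consecutive gaps fall below
    ratio * its baseline period; an ID absent from the baseline is reported at once.
    """
    alerts, last, short_runs = [], {}, defaultdict(int)
    for f in frames:
        if f.can_id not in baseline:
            alerts.append((f.ts, f.can_id, "unknown id"))
            continue
        if f.can_id in last:
            if f.ts - last[f.can_id] < ratio * baseline[f.can_id]:
                short_runs[f.can_id] += 1
                if short_runs[f.can_id] == tolerance:  # fire once per burst
                    alerts.append((f.ts, f.can_id, "flood"))
            else:
                short_runs[f.can_id] = 0
        last[f.can_id] = f.ts
    return alerts


def periodic(n, period, can_id, start=0.0):
    """Constructed helper: n frames of one ID at a fixed period."""
    return [Frame(start + i * period, can_id) for i in range(n)]


# Constructed traffic: two well-behaved IDs (10 ms and 20 ms), then the same two
# IDs plus a 1 ms burst on 0x1A0 and a single frame from an unexpected ID 0x7FF.
CLEAN = sorted(periodic(100, 0.010, 0x1A0) + periodic(50, 0.020, 0x2B0), key=lambda f: f.ts)
ATTACK = sorted(periodic(20, 0.010, 0x1A0, 1.0) + periodic(10, 0.020, 0x2B0, 1.0)
                + periodic(50, 0.001, 0x1A0, 1.05) + [Frame(1.07, 0x7FF)], key=lambda f: f.ts)

if __name__ == "__main__":
    for alert in monitor(ATTACK, learn_baseline(CLEAN)):
        print(alert)
```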
So what of the future? Well there’s more connectivity on the way, for example vehicle to vehicle (V2V), which according to its proponents will entail remote entities connecting for the purposes of controlling braking or steering. Unfortunately such technology requires a level of trust between the participants in a completely ad-hoc network, which from a security perspective is problematic to say the least. You could for example imagine an attacker spoofing V2V technology to create an accident or, for that matter, city-wide grid-lock. And of course look for legislation and precaution to once again lag behind our abilities :).
This has been another traffic report from the Internet of Things.
Reading back over the media commentary I don’t think anyone has really twigged to how serious this security breach could have been. On the face of it the security flaw allowed access to all vehicles fitted with UConnect. All. Of. Them. Had a real black hat got hold of that vulnerability and, for argument’s sake, commanded the brakes off and accelerator on for any vehicle in motion, exactly how bad could the consequences have been? That’s no longer an expensive recall problem; that’s a tragedy of epic proportions.
Final disquieting thought: there’s nothing to say that other car manufacturers are not in the same boat right now. In fact I’d lay long odds that in meeting rooms all over the world there are software engineers and managers explaining to upper management why they don’t think it’s a problem for their product, even though they never designed for it, because they’re ‘morally superior’ to those Oompa Loompas over at Chrysler Jeep. Oh, and because they are supremely confident, they also don’t think they need to do anything else.
Still not worried?