How secure is your car? Unpatchable flaw lets attackers disable safety features

A vehicle hack can disable safety features on most modern cars by posing as a faulty electronic component.
Written by Liam Tung, Contributing Writer

Researchers have discovered a security flaw that probably affects all new vehicles. It allows an attacker to turn off safety features, such as airbags, ABS brakes, and power-steering -- or any of a vehicle's computerized components connected to its controller area network or CAN bus.

Because it's a design flaw affecting the CAN bus messaging protocol standard used in CAN controller chips, the vulnerability can't simply be patched with a recall as happened after researchers remotely hacked a Jeep in 2015. It's also not specific to one vehicle model or its underlying electronics.

Additionally, an attack on the flaw devised by several researchers sidesteps common intrusion-prevention and detection techniques that protect CANs against cyberattacks by blocking malicious CAN messages.

Instead of trying to inject a malicious CAN bus message or 'frame' into the network, the attack targets how CAN responds to error messages. If the CAN receives too many error messages from a device, it is disconnected from the CAN, disabling the device's functionality.

"Our attack focuses on how CAN handles errors," writes Trend Micro researcher Federico Maggi, one of the paper's authors.

"Errors arise when a device reads values that do not correspond to the original expected value on a frame. When a device detects such an event, it writes an error message onto the CAN bus to 'recall' the errant frame and notify the other devices to entirely ignore the recalled frame."

This mishap is very common and is usually due to natural causes, a transient malfunction, or simply by too many systems and modules trying to send frames through the CAN at the same time.

"If a device sends out too many errors, then -- as CAN standards dictate -- it goes into a so-called Bus Off state, where it is cut off from the CAN and prevented from reading and/or writing any data onto the CAN. This feature is helpful in isolating clearly malfunctioning devices and stops them from triggering the other modules/systems on the CAN. This is the exact feature that our attack abuses."

The attack differs from the Jeep hack on a number of levels. First, an attacker would need physical access to the vehicle and plug in a malicious device to target a specific component connected to the vehicle network.

As Wired notes, it also doesn't rely on hacking a component on the CAN to spoof new frames and hijack physical controls. Rather, it is a denial-of-service attack that "waits for a target component to send one of those frames, and then sends its own at the same time with a single corrupted bit that overrides the correct bit in the original frame".

Repeating this error-recall process enough times causes the target device to be cut off from the CAN, as it should under the protocol.

Nonetheless, Charlie Miller, one of the researchers behind the Jeep hack, said the attack should be factored into intrusion-detection systems for the CAN bus. He also pointed out that it would be difficult for an IDS to tell the difference between a faulty component and an attack.

Related coverage

IBM launches new security testing services for IoT, automotive

As the number of connected devices proliferates, security testing should occur completely through development to deployment, IBM says.

Self-driving cars vs hackers: Can these eight rules stop security breaches?

The UK has issued a set of cybersecurity guidelines for vehicles.

Plug car security holes before self-driving vehicles arrive, industry warned

European security agency says more needs to be done to make autonomous cars secure.

Volkswagen launches new cybersecurity firm to tackle car security

The automaker is partnering with Israeli cybersecurity experts to stay on top of digital threats to its vehicles.

Read more on IoT

Editorial standards