This article is part of the TechXchange: Cybersecurity.
What you’ll learn:
- How hackers are accessing car ECUs.
- What’s happening to prevent ECU and car hacking.
In 2015, a pair of ethical hackers, Charlie Miller from Twitter and Chris Valasek from IOActive, remotely toyed with a Jeep Cherokee driven by a volunteer driver. They managed to take control of the vehicle's infotainment system, radio, windshield wipers, and even the accelerator, a demonstration staged to bring awareness of vehicle-based cyberattacks to automotive manufacturers.
At the time, most manufacturers didn't consider cyberattacks on vehicles as a serious threat. But that notion has since changed, and safeguards are being developed to keep the latest generation of vehicles safe while on the road.
The amount of hardware and software incorporated into vehicles has increased exponentially over the last 20 years—and so have the potential security risks, with numerous possible points of vulnerability. The high number of electronic control units (ECUs) in vehicles and the integration of multiple communications options have made it necessary to establish cybersecurity measures dedicated to the threats those vehicles face. To that end, automotive security is described as computer security focused on cyber risks within an automotive context.
ECU Description and Function
ECUs are embedded systems in automotive electronics (see figure) that control the electrical systems or subsystems in a vehicle. They control almost all of the vehicle's functions, including the engine, powertrain, brakes, transmission, dashboard, entertainment systems, and more.
Initially, ECUs were designed without any need to validate the systems they communicate with; instead, they accepted commands from those systems and shared information with any piece of hardware on the same wiring bus. Vehicle communication networks weren't considered a risk the way internet-connected systems were. That's no longer the case, and it's not uncommon to find 100 or more ECUs packed into a single car.
It's important to note that ECUs also are responsible for controlling a vehicle's safety systems, including anti-lock braking systems (ABS), acceleration, steering, obstacle avoidance systems, and more. Vulnerabilities within those systems make them a risk, as hackers can potentially disrupt or shut down those systems via exploitation.
This brings us back to Miller and Valasek's demonstration of vulnerabilities within the ECUs. First, they exploited a vulnerability in the software on a radio processor via a cellular network, then took control of the infotainment system and, eventually, the braking and steering. Ultimately, their results were enough to get the automotive industry to pay more attention to cybersecurity.
ECUs, which are outfitted with a number of electronic components to control systems, are in the same family as single-board computers (SBCs) and systems-on-chips (SoCs). They come equipped with microcontrollers and a limited amount of memory in the form of SDRAM, EEPROM, or flash memory. They also pack several inputs, including analog and digital, as well as numerous outputs, such as an H-bridge (for controlling servo motors, etc.), actuator drivers, and logic outputs. Communication is typically handled by CAN, K-Line, or Ethernet via bus transceivers.
Of course, ECUs also include embedded software and firmware components that facilitate communication between the various systems. This can include a boot loader for software updates and programming, metadata for ECU and software identification, version management, and checksums. Also in the mix are functional software routines and configuration data.
ECU Exploitation
Threats to ECUs and their systems are classified according to real-world and theoretical attacks.
Most real-world attacks target the safety of the people in and around the car by altering the vehicle's cyber-physical functions, such as steering, braking, and accelerating, without any action or input from the driver. Theoretical attacks encompass presumed privacy-related goals, such as obtaining the vehicle's GPS data or capturing microphone signals, among other endeavors.
Besides ECUs, hackers can take advantage of other vulnerabilities that allow them to jump from one system to another. For example, infotainment systems are wirelessly connected to cellular networks, allowing them to update firmware and grab data for multiple apps. They also use location-based data for roadside assistance, remote diagnostic services, and (in some cases) the sharing of information between vehicles or objects and other devices.
Those infotainment systems also tend to be connected to critical vehicle systems to provide drivers with data, including engine performance information, climate-control and navigation systems information, and other data that tie into driving functions. Given all of the connections that exist in this vehicle subsystem and the powerful, full-featured software that executes those functions, it's not only possible but probable that someone will exploit a vulnerability to gain access.
The most common network in modern vehicles is the controller area network (CAN), chosen for its affordability and ease of use. Most real-world attacks exploit these networks using a variety of intrusion methods. One is sniffing, which refers to intercepting and logging packets or data from a network; in the case of CAN, every node listens to all communication on the bus.
Attackers can monitor that data to learn the behavior of the other network nodes before carrying out an attack. One such attack is denial of service (DoS), which renders the network unavailable and locks the owner out of the system altogether. DoS attacks on ECUs connected to CAN buses can target the network as a whole, by abusing CAN's arbitration protocol so that the attacking node always wins arbitration, or target a single ECU, by abusing the error-handling protocol.
Spoofing is another exploit available to attackers: it falsifies data and impersonates a legitimate node on the network. Spoofing attacks fall into two categories: masquerade attacks, which inject a data payload to adversely affect the network, and replay attacks, which impersonate the victim by resending sniffed data that the legitimate owner used in a previous authentication exchange.
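A defender-side illustration of the sniffing, flooding and replay behaviors just described: the Python script below is an added example, not code from the article or from Miller and Valasek's work. It learns a baseline of arbitration IDs and message periods from constructed benign candump-style log lines, then flags frames whose ID never appeared in benign traffic (a likely injected or masquerading message) and frames that arrive far faster than their learned period (a flood that keeps winning arbitration, or a replayed frame). The log format, IDs, timings and thresholds are all assumptions made for the example.

```python
"""Baseline-and-anomaly detection over CAN bus log lines (constructed sample data).

Two checks, each tied to an attack class from the article:
  unknown_id      a frame whose arbitration ID never appeared in benign traffic
                  (an injected or masquerading message, or a flood on a new ID)
  rate_violation  a known ID arriving much faster than its learned period
                  (a flood that keeps winning arbitration, or a replayed frame)
"""
import re
from collections import defaultdict
from statistics import median

# candump -L style line, e.g. "(1700000000.000100) can0 0C1#0F11000000000000"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)"
)


def parse_line(line: str):
    """Return (timestamp, arbitration_id, data_bytes) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), int(m.group("id"), 16), bytes.fromhex(m.group("data"))


def learn_baseline(frames):
    """Map each ID seen in benign traffic to its median inter-arrival period (None if seen once)."""
    stamps = defaultdict(list)
    for ts, can_id, _ in frames:
        stamps[can_id].append(ts)
    baseline = {}
    for can_id, times in stamps.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        baseline[can_id] = median(gaps) if gaps else None
    return baseline


def detect(frames, baseline, rate_factor: float = 4.0):
    """Return (kind, timestamp, id) alerts for frames that break the learned baseline."""
    alerts, last_seen = [], {}
    for ts, can_id, _ in frames:
        if can_id not in baseline:
            alerts.append(("unknown_id", ts, can_id))
        else:
            period, prev = baseline[can_id], last_seen.get(can_id)
            # A frame arriving at more than rate_factor times its normal rate is suspicious.
            if period and prev is not None and (ts - prev) < period / rate_factor:
                alerts.append(("rate_violation", ts, can_id))
        last_seen[can_id] = ts
    return alerts


def analyze(benign_lines, observed_lines):
    """Learn from benign_lines, then report anomalies in observed_lines (sorted by time)."""
    baseline = learn_baseline([f for f in map(parse_line, benign_lines) if f])
    observed = sorted(f for f in map(parse_line, observed_lines) if f)
    return detect(observed, baseline)


def make_benign(seconds: float, start: float = 1700000000.0):
    """Constructed benign traffic: ID 0x0C1 every 10 ms and ID 0x1A5 every 100 ms."""
    lines = []
    i = 0
    while i * 0.010 < seconds:
        ts = start + i * 0.010
        lines.append(f"({ts:.6f}) can0 0C1#0F11000000000000")
        if i % 10 == 0:
            lines.append(f"({ts:.6f}) can0 1A5#00000000000003E8")
        i += 1
    return lines


BENIGN_LOG = make_benign(seconds=1.0)
ATTACK_LOG = (
    make_benign(seconds=0.3)
    # constructed: five frames on ID 0x000 (the highest-priority ID) at 1 ms spacing
    + [f"({1700000000.050 + k * 0.001:.6f}) can0 000#0000000000000000" for k in range(5)]
    # constructed: a legitimate 0x1A5 frame captured and re-sent twice just after the real one
    + ["(1700000000.105000) can0 1A5#00000000000003E8",
       "(1700000000.106000) can0 1A5#00000000000003E8"]
)

if __name__ == "__main__":
    for kind, ts, can_id in analyze(BENIGN_LOG, ATTACK_LOG):
        print(f"{kind:15s} t={ts:.6f} id=0x{can_id:03X}")
```

Running the script lists five unknown_id alerts for ID 0x000 and two rate_violation alerts for ID 0x1A5, and nothing for the benign log. The baseline is deliberately simple (a set of IDs and a median period); a production bus monitor would also track payload ranges and counters per signal, because a replayed frame sent at the legitimate rate passes a timing check alone.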
Preventative Measures
To prevent those attacks, it's critical to apply physical or logical access controls on what type of information gets exchanged between more and less privileged subsystems within the network. To ensure that the communications are authentic, it’s also crucial for in-vehicle networks to take advantage of the security experience gained over the past few decades by combining strong cryptography with strong identification and authentication.
All of these measures should be planned early in the manufacturing design cycle to provide a robust security foundation for the system. Doing so early is less labor-intensive, less costly, and allows potential risk to be scrutinized more effectively than adding security measures that require updates after the threats materialize.
The increased popularity of Ethernet for in-vehicle networks is a positive development. Ethernet comes with cost-saving advantages and some powerful networking paradigms that support the speeds needed for applications like advanced driver-assistance systems (ADAS), autonomous driving, and infotainment applications. Part of the Ethernet standard enables devices to identify themselves and prove their identity before joining the network and performing any critical functions.
As a result, standards are being developed to help secure those networks against malicious intrusions. One is the ISO 26262 standard, which defines a risk-based approach to dealing with potentially hazardous operational situations arising from the automobile's electronic equipment.
The standard relies on Automotive Safety Integrity Levels (ASILs) to determine risk classes for various ECUs in the vehicle. For example, the engine-control ECU belongs to a higher risk class than the ECU responsible for the taillights. Four integrity levels exist, beginning with A (the least demanding), and ending with D (the strictest), leading to varying constraints and requirements for the ECUs.
Other aspects of network and ECU safety can be addressed through several practices implemented during the production cycle of modern vehicles. These include limiting development and debugging access in production devices, with authorization restricted to those with qualified security access. Protecting cryptographic keys, other secrets, and passwords is a simple but effective method of controlling unwanted intrusion.
Confining vehicle diagnostic data to each ECU during maintenance cycles is another easy method of protection that can be implemented through firmware updates, keeping data localized. Limiting access to that firmware and restricting its modification provides additional protection even after the production cycle.
The ability to take control of a vehicle remotely is terrifying: it places hackers in control of a vehicle and takes it out of the driver's hands, potentially harming drivers and pedestrians. Developers and manufacturers are continuously implementing preventative measures to secure vehicle networks and ECUs, making them more resilient and hardened against attacks. While functional safety has been the priority, it's time cybersecurity became a critical part of that safety infrastructure.