Locks and Security News: your weekly locks and security industry newsletter
17th April 2024 Issue no. 701

Your industry news - first

We strongly recommend viewing Locks and Security News full size in your web browser. Click our masthead above to visit our website version.

Embedded security in cars - hackers and solution providers in one room at ESCAR 2011

As part of their continued research into all aspects of vehicle security, SBD recently attended the 2011 Embedded Security in Cars (ESCAR) conference held in Dresden, Germany. Delegates witnessed a variety of presentations encompassing different aspects of IT security in cars; broadly covering security protocols, CAR2X security and hardware security. BMW was present with a special exhibit to show the in-car deployment of a hardware security module developed as a result of the EVITA project.

Two of the presentations were from academics that showed how their respective university research teams had successfully manipulated, or 'hacked', certain vehicle functions. Of particular note is that some of their attacks were performed wirelessly - a trend identified in an SBD report 'Can thieves control my car?'

Whilst some of these manipulations resulted in minor inconvenience for the driver, such as 'spoofing' the TPMS to cause a 'low tyre pressure' warning display, others had more far-reaching consequences in that they could gain control of safety-critical systems such as brakes or override vehicle security. One research team even managed to inject malicious code into a vehicle by exploiting weaknesses uncovered in the embedded telematics system.

In a proof-of-concept attack the team was able to download their code into the vehicle remotely using an iPod to playback audio tones to the in-band-modem of the vehicle Telematics device. In common with other attacks using their Trojan code, this software could manipulate a range of vehicle systems (either with immediate effect, or delayed until a certain 'trigger' occurred) before erasing all evidence of itself.

Another speaker at ESCAR presented an analysis of possible security weaknesses in a proposed electronic tolling system. One such weakness related to a 'relay attack', whereby individuals in one vehicle could supply the authentication details of a following vehicle to the tollgate. SBD has been studying practical applications of relay attack since 2007, when we developed hardware that enabled us to access and start most smart key vehicles on the market. Whilst details of our work remain confidential to our clients through our countermeasure workshops, there is now evidence that criminals are using relay attack as a method to steal vehicles.

Driven by the ever-broader spectrum of attacks against vehicle physical and IT security, several speakers proposed ways the industry could respond. Potential solutions reviewed were CAN bus authentication protocols and asymmetric cryptography for vehicle access and engine start.

Vehicle manufacturers are also prioritising protection of embedded software, not just against aftermarket engine tuners but considering the increasing number of vehicle features that will be software-enabled in the future and the potential threats to CAR2X communications. Hardware security modules (both on-chip and off-chip) were discussed at length as a response favoured by German manufacturers in particular.

Another presentation at ESCAR showed how researchers had used a laboratory-based technique called 'differential power analysis' to recover the secret key from a contactless smartcard. The same researchers had previously used this method to successfully attack KeeLoq; a system commonly used for remote vehicle access control. This, and other 'side-channel' techniques, are increasingly employed by academics and test houses to try and recover secret keys where the underlying crypto is resistant to other attacks.

Whilst these and other cryptographic-based attacks are very impressive, SBD believes that thieves are currently exploiting far more basic weaknesses to access and steal modern vehicles. Professional criminals have access to electronic tools developed to steal specific vehicle models, but many of these tools employ relatively basic methods such as CAN message replay and diagnostic 'back door' or factory-mode commands. An illustration of how widespread such knowledge has become can be seen in the variety of professional vehicle locksmith tools available capable of registering new keys, etc.

For more information on the most recent automotive-related security exploits in the academic community or to get SBD's expert view on the latest tools used by criminals to steal vehicles, please contact Kimberly at [email protected]

7th December 2011