The state of automotive computer security 2

Automotive security came under fire recently when it was revealed that a flaw in the design of some brake systems could give a remote attacker access to the car’s internal network.

But what damage could an attacker really do once they gained access to a car’s internal security system? And how vulnerable are most of the cars on the roads? I mean, this story is little more than another piece of interesting trivia if we’re only talking about one or two models of a high end luxury car.

Well some researchers decided to set out this very question and their results are, quite frankly, astounding.

Here’s the abstract of their findings:

Abstract: Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input–including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

Read the full report here (pdf download).

Simply put, the state of automotive security right now is pretty dismal. The cars we drive are a hacker’s dream.

No related content found.


Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 thoughts on “The state of automotive computer security