backtop


Print 31 comment(s) - last by thurston2.. on Sep 9 at 10:49 AM


  (Source: BiBi)
New how-to guide allows even layman hackers to carry out attacks similar to suspected government efforts

During a presentation at Def Con 21 last month, famed Apple, Inc. (AAPL) hacker Charlie Miller (who works at Twitter) and Chris Valasek, director of security intelligence at IOActive, revealed an interesting side project. The presentation showed how to affordably attack a vehicle's CAN bus with malicious messages, causing the vehicle to brake, refuse to break, or even steer into a wall.  The presentation shows how such attacks could be carried out -- even by relatively unskilled hackers.

I. CAN -- Useful, but Not Very Secure

Cars over time have grappled with increasing use of electronic control units (ECUs) and at times conflicting standards.  CAN (the Controller Area Network) was an industry wide effort to simplify and improve in-car communications.  While implementations vary slightly, CAN is governed by a set of published standards from the International Standards Organization (ISO) including ISO 15765-2 (ISO-TP) (sending) and ISO 1422914230 (receiving).

A part of a broader set of standards to make vehicle diagnosis easier (the so called On Board Diagnosis II (OBD-II) standard), CAN has been required on all light vehicles in the U.S. since 1996 and in the EU since 2001 (petrol vehicles) / 2004 (diesels).  But it turns out that as the vehicles are becoming more connected and ECU count continues to rise, fundamental security flaws in the standard and its implementation in current vehicles are showing through.
Car attack channels
There's many routes that you can use to attack the CAN bus. [Image Source: AutoSec]

The issue first received serious consideration in 2010 when Professor Tadayoshi Kohno of the University of Washington (UW) and Professor Stefan Savage of the University of California, San Diego (UCSD) published a paper entitled "Experimental Security Analysis of a Modern Automobile" [PDF], in which they tested self-erasing attack codes for ECUs which targeted the CAN bus.  

Once (temporarily) installed on a target ECU these codes were capable of sudden braking, brake failure, or acceleration, via sending malicious signals to various other onboard ECUs.  Amazingly, the authors found that many ECUs would even allow themselves to be reflashed (reprogrammed) while driving, with the proper CAN message encouragement.

The vehicle in these tests was rumored to be an OnStar equipped model from General Motors Comp. (GM).
 
In 2011 UW/UCSD researchers showed hackers could remotely attack vehicles via smartphones or Bluetooth. [Image Source: TomTom]

The UW/UCSD teams followed up that critical work with another paper, "Comprehensive Experimental Analyses of Automotive Attack Surfaces" which found that malicious attack codes could be transferred by Bluetooth -- or even into a CAN-connected CD player unit via a special CD or even remotely via malware on smartphones connected to your infotainment system.

However, while these kinds of claims were alarming, an open set of libraries to control CAN I/O was not available until at the time.  In other words, unless you were someone with a lot of resources -- e.g. a government -- or an automotive expert with a lot of time on your hands, you likely wouldn't have the knowledge or means to do these kinds of CAN based attacks.  That meant that cars enjoyed a modicum of security from your average script-writing internet hacker masses.

II. "Car Hacking for Dummies"

But that relatively safety appears to be coming to an end.  Funded by a grant from the Defense Advanced Research Projects Agency Mr. Miller and Mr. Valasek have baked a set of libraries to make writing code to study CAN signals and craft attacks much easier.  Dubbed EcomCat [zip], the attack library builds on the barebones ECOM API [PDF], which is distributed by EControls, a maker of CAN-interface USB devices.



The only difficulty is that EControl's ECOM can't easily plug into the ODB-II port, a CAN input commonly located near the passenger's seat.  But if you have basic cable-making skills, you can fashion a connector using the ODB-II connector shell , which ODB Diagnostics, Inc. sells.

Beyond that all you need are that typical assets of an internet hacker -- basic coding knowledge, time, and a target.

ECOM Cable
With a custom ECOM-to-ODB connector built from off-the-shelf parts (left), an EControls ECOM test cable (right), and a laptop, you can test car attacks like a pro. [Image Source: Def Con]

In their work, the authors use the APIs they developed to identify and attack various control signals in a 2010 Prius from Toyota Motor Corp. (TYO:7203) and a 2010 Escape from Ford Motor Comp. (F).  The authors showed how the APIs could be used to accomplish attacks similar to those the UW/UCSD team carried out on the brakes or throttle.  They also demonstrated how cars with automatic parking features (e.g. the Prius) could be used to even malicious steer the vehicle, as the car can now take control of the steering wheel with the right signals (typically a driver could override this if they firmly gripped and twisted the wheel, but not all drivers would know how to respond -- particularly given the surprise of the attack).

III. Danger is Rising

Again, the key difference between the UCSD/UW effort and the recent Def Con talk is that the UCSD/UW team did not release their attack software and kept their descriptions of the attack's finer details to a higher level.  By contrast the recent presentation not only comes with an open library of "helpful" attack software, but also explicit descriptions of how to buy/build an interface device and detailed examples of attacks on specific ECUs in terms even a layman with basic programming skills could understand.

Charlie Miller
Charlie Miller [Image Source: ZDNet]

With the Def Con presentation, what was once a purely academic attack is creeping closer to general use.

Thus, even if you don't buy into plausible conspiracy theories like those surrounding Mr. Hastings death, and aren't afraid of your government, you still now have something to actually worry about, since the Pandora’s box of "CAN hacking for dummies" has been open by these pro-disclosure researchers.

Pandora's box
Soon deadly sabotage attacks may be common on older vehicles. [Image Source: Unknown]

IV. Fiery Crash of Obama Administration Critic Fuels Interest in Car Hacking

The timing of Def Con 21 was uncanny, coming at a time when conspiracy theories regarding the death of prominent Obama and Bush administration critic and Rolling Stone contributing editor Michael Hastings were peeking.  Mr. Hastings -- a medical marijuana user -- allegedly had traces of both methamphetamine and marijuana in his system when his car steered off course on a deserted Highland Avenue at around 4:20 a.m. on June 18 and struck a tree prompting the Mercedes to burst into flames.

While fiery crashes and deaths are a rare, but not altogether foreign tragedy on America's highways, the reporter's adversarial relationship with the Obama administration -- and the Obama administration's willingness to harass reporters who dig too deeply -- has fueled theories that foul play might have been involved in the crash.

Controversy commenced when his neighbor and close friend, Jordanna Thigpen, told the LA Weekly that Mr. Hastings feared for his life and that he was concerned his car was tampered with.  At the time Mr. Hastings was working on a major exposé of the Obama administration and U.S. Central Intelligence Agency (CIA) director, John Brennan, according to a report by the local San Diego 6 News. 

Michael Hastings
Electronic hacking is one of the possible methods of sabotage that some suspect was used to kill journalist Michael Hastings. [Image Source: PrisonPlanet]

Prior to President Barack Obama's election in 2008, Brennan was working at Analysis Corp. -- one of two government contracting firms which gained unauthorized access to the then-Senator Obama's passport record.  That incident has led to speculation that Mr. Hastings might have been unearthing evidence of Mr. Brennan's possible role in the access, tampering, or "sanitization" of the President's passport.

While many details of the crash added up (methamphetamine users often become dangerously paranoid) -- others provoked suspicion, including reports that Mr. Hastings was allegedly visited by federal agents on the day of his death.  Former Cybersecurity Czar (formally, the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism) Richard Clarke told The Huffington Post in an interview:

I'm not a conspiracy guy. In fact, I've spent most of my life knocking down conspiracy theories.  But my rule has always been you don't knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can't prove it.

Whether or not his suspicions prove true, the fervor surrounding the topic of automotive hacking is arguably justified.

Anyone with basic skills, physical access to your car, and mischief or malice in their hearts can now attach a malicious device to your car -- or potentially even reprogram one of your onboard ECUs.  When you start driving, the attacker's code will spring into effect, and if the author did their homework, it may erase any trace of itself after it accomplishes its objectives.

That's the bad news.

The good news is that once the public realizes this -- and once automakers realize that the public realizes this, the market will mandate they implement stiffer security into their CAN-connected components.  Such security will help to protect drivers not only from the government, but also from the much more common malicious members of the masses.  

And that's good news for everyone -- even if you're not paranoid.

Sources: Def Con/Charlie Miller, YouTube, AutoSec.org [1], [2]



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By JasonMick (blog) on 9/5/2013 11:30:57 AM , Rating: 3
http://i.cdn.turner.com/dr/teg/tsg/release/sites/d...
quote:
A toxicology screen revealed “a small amount of amphetamine” in Hastings’s blood, which was “consistent with possible intake of methamphetamine many hours before death." However, the amount detected was “unlikely to have an intoxicative effect at the time of the accident.” Additionally, “marijuana was present in the blood…indicating intake hours earlier.”
And he had admitted to smoking crack before...

http://trueslant.com/michaelhastings/2010/02/09/my...

quote:
Michael Hastings: "My advice to journalists: Smoke crack, Twitter occasionally"

The best line in The New Yorker post is when Packer admits to living a crack-free lifestyle. (“I haven’t used crack, either,” he writes.) Well, I have smoked crack. I recommend it for all writers to try at least once, especially to New Yorker staffers. It’s pretty good–it’s crack, after all–and down the crack pipe went my first semester at college. But torching a crack rock is very different from typing a Tweet.

For what it’s worth, I’ve always thought that blogging, not Twittering, was the media version of crack. Metaphorically speaking: I get an intense high from instantly publishing, but the minute I stop, I get a kind of an empty and anxious feeling, as if I’ve just poured part of my soul into a spiritual void. I stopped smoking crack ten years ago–it got a little out of hand– but I have come to terms with blogging. It’s healthy as long as I don’t allow it to totally consume me.
So yea, sounds like he relapsed, but was not intoxicated at the time of the crash.

Remember, though, meth can trigger psychosis if abused, and there's no real way of telling if someone was psychotic via an autopsy.

Hence I'd propose four hypotheses to explain the crash:

1. He had a psychotic break from smoking too much crack, thought the feds were "on to him", and tried to flee, lost control while speeding, crashed, and died.

2. Tired @ 4 am he fell asleep at the wheel, and his foot was on the gas pedal accelerating into the wall.

3. His car was sabotaged either electronically or physically to damage the steering and accelerate, causing it to hit the wall.

4. Some combination of 1-3.


By Flunk on 9/5/2013 12:47:58 PM , Rating: 3
Of those options #2 is by far the most common, so that's my vote.


By Adonlude on 9/5/2013 2:07:06 PM , Rating: 2
People fall asleep on meth? I thought that drug was like the opposite of sleep.


By GuyMontag on 9/5/2013 1:36:07 PM , Rating: 2
".. he had a psychotic break from smoking too much crack>"

Really? Hastings used crack 14 years ago; then he went on the wagon at age 19 (although admitted a drunken binge in 2010 and did some Adderall in 20120.


By JasonMick (blog) on 9/5/2013 1:58:44 PM , Rating: 2
quote:
Really? Hastings used crack 14 years ago; then he went on the wagon at age 19 (although admitted a drunken binge in 2010 and did some Adderall in 20120.
Err... adderall is methamphetamine salts... pretty much speed.

Adderall is legal and a useful treatment if you have certain psychological disorders but it also can be highly addictive and has a high potential for abuse.

To illustrate this point, let me share a true story...

I had a personal experience where a developer friend of mine who I used to work with weekly stopped responding to my calls for a few months and fell off the face of the Earth. Then one day I dropped him a line on Facebook and he agreed to meet up.

We met and when I got there he was raving about the government tracking him via a satellite (ironically he also had gone to the FBI the day before and filed an identity theft against a coworker).

It took me a couple of minutes (he had an odd sense of humor) to realize he wasn't fully joking, and was in fact fully psychotic. He revealed that he had been stockpiling his adderall (not using them as prescribed) and had taken them in mass and had not slept in several days.

He refused to listen to me when I told him to calm down and he ran off and sped off in his Boss Mustang... if his family had not talked him down and convinced him to go to the hospital something very similar could have happened.

Ultimately he was institutionalized and had to stop taking Adderall...

The thing that really rings a bell with my own personal experience with my friend is Mr. Hastings comment to his neighbor about government choppers watching him. It sounds an awful lot like my friend who when psychotic thought government satellites were watching him at all times.

Again, I'm not saying this is usual or what happened to Mr. Hastings, but having witnessed it personally I can say that meth psychosis (including from Adderall, which is meth salts) is real and dangerous... it happens and it is possible.


By ShaolinSoccer on 9/6/2013 12:20:05 AM , Rating: 2
Believe it or not, there are people who are not on any drug and behave the exact same way. I know, because I have met someone like that.


By thurston2 on 9/9/2013 10:33:34 AM , Rating: 2
Adderall is not methamphetamine salts it is mixed amphetamine salts there is a difference.


By GuyMontag on 9/5/2013 1:44:19 PM , Rating: 2
IF there was foul play, I'd go with #3 (the other theories floating around in the blogosphere have been debunked).

The key question still unanswered is WHY Hastings’ car was speeding. The night he died a neighbor claims he asked to borrow her car because he thought someone may have tampered with his car. Maybe Hastings had reasons to be scared (or maybe he was paranoid) and drove too fast, or maybe his car brakes/accelerator had been “hacked” or tampered with.

Unfortunately, the LAPD never tried to answer that question or investigate the crash as a potential homicide. IF this crash was an assassination, we will never know since the LAPD failed to find any evidence of foul play since they never even looked for it.

For details,see “Michael Hasting’s Fiery Car Crash: Accident or Assassination?” in my post “More Lies Borne Out by Facts, If Not the Truth” at the Feral Firefighter blog.


By Dobo on 9/5/2013 11:32:04 PM , Rating: 2
Crack is cocaine, (well it's supposed to be) methamphetamine is available on the street but also as a schedule 2 in the pharmacy(very very rarely prescribed) adderall is dextroamphetamine salts they are similar but as far as legally obtained drugs go adderall and and other speed type drugs are more common. He could've taken sudafed(levomethamphetamine) which will show as meth(dextromethamphetamine) in a drug test. Unless they use a process called chiral analysis it could be very misleading. It would be interesting to see the lab assay results untampered.


By thurston2 on 9/9/2013 10:45:50 AM , Rating: 2
Sudafed is not levomethamphetamine it is psudoephedrine. Vicks inhalers contain levomethamphetamine. Adderall also contains levoamphetamine as well as dextroamphetaimine. Sorry to be so anal but the media is often very wrong when it comes to drugs with similar names but very different effects and it just fuels people's ignorance.


"I want people to see my movies in the best formats possible. For [Paramount] to deny people who have Blu-ray sucks!" -- Movie Director Michael Bay














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki