Not surprisingly, one researcher realized last week that he could exploit Progressive’s Snapshot driver tracking tool in order to hack into the on-board networks of certain automobiles. Snapshot is a tool manufactured by Progressive auto insurance that plugs into the OBD-II port. Its purpose is to monitor driving behaviour in order to offer cheaper insurance rates to safer drivers.
For the uninitiated, the OBD-II is the input port down beneath and, in general, slightly to the left of your steering wheel. It’s the port into which your mechanic plugs his emissions inspection machine to check all the codes in your car’s computer systems to make sure you aren’t polluting. It’s also the port into which you can plug a diagnostic scanner to check why your check engine light has turned on.
Very simply put, your car’s computer network is going to consist of sensors, electrical control units (ECUs) and the controller area network (CAN) bus. The ECUs, of which there can be very many, serve a variety of purposes, but mainly they process signals from sensors monitoring everything from engine control to airbags to any number of other things I’ve never heard of. ECUs are connected together and communicate via the CAN bus. So, for example, if you crash your car, some sensor somewhere tells its ECU that it thinks you’ve crashed, the ECU then passes that message along the CAN bus to another ECU that tells your airbag to deploy.
The OBD-II port used to be the only way to plug into and communicate with the CAN bus and its ECUs. New research shows that this can be done wirelessly as well.
At any rate, Digital Bond Labs security researcher Cory Thuen got his hands on one of these Snapshot devices, which are used in some two million cars. He reverse engineered it, figured out how it worked and plugged it into his Toyota Tundra. He then determined that Snapshot does not authenticate itself, encrypt its traffic, contain digital validation signatures or offer a secure boot function.
To be clear, Snapshot devices communicate with Progressive over the cellular network in plain text. This means that an attacker, for example, could pretty easily set up a fake cell tower and perform a man-in-the-middle attack.
Despite these serious security lapses, the device has the capacity to communicate with the CAN bus. Therefore, it’s entirely possible that a remote hacker could inject code through a Snapshot dongle and onto the very network that controls your car’s airbags and emergency brakes. Thuen’s work stopped short of injecting code into the car’s network. He claims he was merely interested in figuring out if there was any security in place to stop him from doing that.
Before you panic, I spoke with IOActive’s director of vehicle security research and famed car hacker, Chris Valasek, about pumping malicious code into the CAN bus last year, and he assured me that it’s easier said than done.
Sure, it’s possible to inject code telling your car to initiate automatic parallel park assist while you are speeding down the highway. However, your car’s ECUs are processing thousands of other signals at any point while your car is in motion. So, in order to initiate automatic parallel park assist (or any other feature for that matter), the attacker would have to flood the CAN bus with enough signals to override all of the legitimate information that the car’s sensors are outputting.
Valasek and fellow researcher Charlie Miller managed to manipulate seat-belt locks, brakes and steering by flooding onboard networks with spoofed sensor signals a couple of years ago. However, this process was labor-intensive and Miller and Valasek, two of the brighter minds in the security industry, had a DARPA grant to work on their research.
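Because an injected command has to out-shout the legitimate senders, flooding shows up as an abnormal frame rate on a CAN ID, which is something a monitor on the bus can watch for. The sketch below is an added example, not code from Thuen, Valasek or Progressive: it reads lines in the can-utils `candump -L` log format and flags IDs that exceed a per-ID baseline or that were never seen before. The IDs, rates, thresholds and log lines are all constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed baseline: frames per second each arbitration ID sends on a healthy
# bus. IDs and rates are constructed for this example, not from a real vehicle.
BASELINE_HZ = {0x0B4: 10, 0x2E4: 10}

def parse_candump(line):
    """Parse a can-utils 'candump -L' line: '(1.003000) can0 2E4#FF00000000'."""
    stamp, _iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(stamp.strip("()")), int(can_id, 16), bytes.fromhex(data)

def detect_floods(lines, baseline_hz=BASELINE_HZ, window=0.1, factor=3.0):
    """Return {can_id: (first_alert_time, reason)} for anomalous IDs."""
    recent = defaultdict(deque)   # can_id -> timestamps inside the window
    alerts = {}
    for line in lines:
        ts, can_id, _data = parse_candump(line)
        if can_id not in baseline_hz:
            alerts.setdefault(can_id, (ts, "unknown id"))
            continue
        seen = recent[can_id]
        seen.append(ts)
        while ts - seen[0] > window:          # drop frames older than window
            seen.popleft()
        allowed = factor * baseline_hz[can_id] * window
        if len(seen) > allowed:
            alerts.setdefault(can_id, (ts, "rate exceeded"))
    return alerts

def build_sample():
    """Constructed log: 1 s of normal traffic, then a 1 kHz burst on 0x2E4."""
    lines = []
    for i in range(10):
        lines.append(f"({i * 0.1:.6f}) can0 0B4#0000000000000000")
        lines.append(f"({i * 0.1 + 0.001:.6f}) can0 2E4#1000000000")
    for i in range(50):
        lines.append(f"({1.0 + i * 0.001:.6f}) can0 2E4#FF00000000")
    return lines

if __name__ == "__main__":
    for can_id, (ts, reason) in detect_floods(build_sample()).items():
        print(f"t={ts:.3f}s id=0x{can_id:03X} {reason}")
```

A rate check like this catches the flooding described above, but it says nothing about who sent a frame, since CAN frames carry no sender authentication.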
The good news is that not many people are doing CAN bus research. A lot of people, on the other hand, are working on browser security research. Car hacking is likely to really take off as manufacturers begin integrating browsers and other internet-connected features into the cars they build and sell.