That’s how easy it is to send a CAN packet on a CAN bus network. For more details on
how to use this tool to test and inject various types of CAN packets, read the whitepaper
about it.
Now that we understand how easy it is to inject CAN packets, let’s take a look at possible
ways to remotely gain access to the CAN. As we have seen in this section, once we have access
to the CAN, it’s easy to inject data. This gives us a good perspective on the high potential for
abuse once an attacker has compromised an ECU that is on the CAN bus.
Bluetooth Vulnerabilities
Miller and Valasek’s analysis of remote automotive attack surfaces states: “Right now the
authors of this paper consider Bluetooth to be one of the biggest and most viable attack surfaces
on the modern automobile, due to the complexity of the protocol and underlying data.
Additionally, Bluetooth has become ubiquitous within the automotive spectrum, giving attackers
a very reliable entry point to test.”
In the 2010 Ford Escape analyzed by Miller and Valasek, the Bluetooth functionality was
provided by the Accessory Protocol Interface Module (APIM), also known as the Ford
SYNC Computer. The researchers found that one has to explicitly press a button in the car to
put it into pairing mode in order for it to connect with and trust a particular smartphone. The
car displays a six-digit PIN that must be entered on the smartphone for the pairing to take
place. However, the research performed by the teams at UC San Diego and the University of
Washington has identified scenarios for exploiting Bluetooth through both indirect and direct
wireless attacks.
These researchers discovered vulnerabilities to various buffer overflow attacks after
reverse engineering the Bluetooth firmware from the car they used for their experiment (their
paper does not mention the model or the manufacturer). Buffer overflow attacks can be used
to overrun the victim computer’s memory, overwriting adjacent memory locations with injected
code. This can allow the attacker to gain full control of the computer remotely. The
researchers did not disclose the exact code they were able to exploit, but they indicated they
were able to abuse improper implementation of the strcpy function, which is a very common
avenue leading to buffer overflow attacks.
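To make the strcpy pattern concrete, the following is an added C example, not code from the researchers’ paper or from any vehicle firmware: a constructed record for a paired phone whose name field is filled with an unchecked strcpy, beside a hardened version that checks the incoming length against the destination and rejects oversized names. The struct layout and field sizes are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example: a record an infotainment unit might keep for a paired phone.
 * The field sizes and layout are assumptions, not the APIM's real data structures. */
#define NAME_MAX 32

struct paired_device {
    char name[NAME_MAX];  /* friendly name advertised by the phone */
    uint8_t trusted;      /* adjacent state that an overflow would clobber */
};

/* Vulnerable pattern: strcpy copies until it finds a NUL byte and knows nothing
 * about the destination size. A name longer than NAME_MAX-1 bytes runs past
 * 'name' and overwrites 'trusted' and whatever else follows it in memory. */
void store_name_unsafe(struct paired_device *dev, const char *name)
{
    strcpy(dev->name, name);
}

/* Hardened form: the length comes from the parsed packet, is checked against the
 * destination before any copy, and oversized input is rejected outright rather
 * than silently truncated, so the caller can log and drop the pairing request.
 * Returns 0 on success, -1 when the name does not fit. */
int store_name_checked(struct paired_device *dev, const char *name, size_t name_len)
{
    if (name == NULL || name_len >= sizeof dev->name)
        return -1;
    memcpy(dev->name, name, name_len);
    dev->name[name_len] = '\0';
    return 0;
}

int main(void)
{
    struct paired_device dev = { .name = "", .trusted = 0 };
    /* Constructed inputs: a normal name and one far longer than the field. */
    const char *ok = "Drivers Phone";
    char too_long[64];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("normal name: %s\n",
           store_name_checked(&dev, ok, strlen(ok)) == 0 ? "stored" : "rejected");
    printf("oversized name: %s\n",
           store_name_checked(&dev, too_long, strlen(too_long)) == 0 ? "stored" : "rejected");
    /* store_name_unsafe(&dev, too_long) is deliberately not called here: it would
     * overrun dev.name and corrupt dev.trusted, which is exactly the bug shown. */
    return 0;
}
```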
Prior to exploiting the buffer overflow condition, an attacker first needs to pair a malicious
smartphone with the car using Bluetooth. The researchers explained that this could be done
in two ways: either indirectly or directly. The indirect option requires the attacker to either
gain temporary physical access to a phone owned by the driver of the car that has already been
paired with the Bluetooth system or, more plausibly, to lure the driver of the car to download
an app that has been infected. There have been many cases in which malicious apps have slipped
past the scrutiny of famous app store platforms such as the Google Play Store (originally
Android Market), so we have evidence that attackers have been able to make their apps available
for download on users’ devices. The researchers claim that once the driver with a smartphone
that has been paired with the Bluetooth system is lured to download and launch the
166 CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY ELECTRIC