Abusing the Internet of Things

(Rick Simeone) #1

Significant Attack Surface


The ability to surreptitiously take control of a car’s telematics ECU presents an attack surface whose implications are profound. An attacker who is able to compromise an ECU can then compromise other ECUs and inject fake packets that can cause the car to slow down, speed up, come to a halt, or unlock its doors. Of course, the details of this scenario will differ among cars, because of differences in architecture. Some manufacturers may hardwire functionality that is outside of the realm of the CAN bus, while others may rely upon the notion that every packet on the CAN bus can be trusted.

A crucial point to note here is the scenario in which an attacker may abuse remotely exploitable conditions en masse (i.e., attempt to exploit as many cars as possible). Such a brute-force attack may yield greater fruit for the attacker because every successful attempt would result in unlocking the car and transmitting its current GPS coordinates. Imagine a situation in which an attacker has been able to gain control of hundreds or even thousands of cars in this way. Demented individuals, hostile activists, or even terrorists with malicious intent could remotely compromise the safety of drivers in moving vehicles to get attention or to obtain media coverage, at the potential cost of injuries to innocent drivers.

The case for alarm regarding physical safety is clear and real. Consider also the risk to privacy. Attackers could easily track compromised cars and possibly listen in on private conversations of executives, business competitors, or politicians to obtain and abuse corporate and personal data. It is easy to imagine how this could be automated and even targeted toward certain individuals or corporations depending upon their location.

We have learned to detect anomalies in our computing environment to figure out if suspicious activity warrants our attention. This can be done simply by looking for network port scanning activity or correlating various log sources (such as email, antivirus and host intrusion detection systems, and others) to obtain greater intelligence. No such approach is seen on popular vehicles that allow short- and long-range communication via Bluetooth and cellular networks. For example, Miller and Valasek state the following in their paper:

“Besides just replaying CAN packets, it is also possible to overload the CAN network, causing a denial of service on the CAN bus. Without too much difficulty, you can make it to where no CAN messages can be delivered. In this state, different ECUs act differently. In the Ford, the PSCM ECU completely shuts down. This causes it to no longer provide assistance when steering. The wheel becomes difficult to move and will not move more than around 45% no matter how hard you try. This means a vehicle attacked in this way can no longer make sharp turns but can only make gradual turns.”

A denial of service attack is one of the easiest issues to detect, given the noise it generates: a flood of CAN frames far above the bus’s normal load. The car should be able to notice such a flood and recognize that suspicious activity is taking place. Cars should employ a fallback scenario when this occurs to guarantee the safety of the driver and passengers.
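To make the detection point concrete, here is an added example (not from the book, and not any manufacturer's implementation) of the kind of check an ECU or a bus-monitoring gateway could run: it buckets CAN frames into fixed 100 ms windows, estimates bus load from frame sizes and the configured bitrate, and raises an alert when the load or the per-ID frame rate exceeds a baseline. The frame format, the traffic profile, the thresholds and the `CanFrame` type are all assumptions constructed for the example; real calibration would come from the vehicle's own normal traffic. What the ECU does in response (a limp mode, ignoring the flooding ID, alerting the driver) is the fallback the text calls for and is left to the design.

```python
"""Sliding-window flood detection on a CAN bus (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    ts_us: int    # receive timestamp in microseconds
    arb_id: int   # 11-bit arbitration ID (lower value = higher priority)
    dlc: int      # data length code, 0..8 bytes


def frame_bits(dlc: int) -> int:
    """Approximate wire size of a CAN 2.0A frame: ~47 bits of overhead plus
    8 bits per data byte (bit stuffing ignored, so this slightly underestimates)."""
    return 47 + 8 * dlc


def bus_load(frames, window_us: int, bitrate: int) -> float:
    """Fraction of bus capacity consumed by `frames` within a window of window_us."""
    bits = sum(frame_bits(f.dlc) for f in frames)
    return bits / (bitrate * window_us / 1_000_000)


def detect_flood(frames, window_us=100_000, bitrate=500_000,
                 load_threshold=0.7, id_rate_threshold=1000):
    """Return a list of (window_start_seconds, reason) alerts.

    Two independent signals are checked per window: total bus load (a flood
    saturating the bus starves lower-priority ECUs) and per-ID frame rate
    (a flood usually hammers one high-priority ID far above its normal period).
    """
    buckets = defaultdict(list)
    for f in frames:
        buckets[f.ts_us // window_us].append(f)  # integer math: no float bucket drift

    alerts = []
    for idx in sorted(buckets):
        window = buckets[idx]
        start_s = idx * window_us / 1_000_000
        load = bus_load(window, window_us, bitrate)
        if load > load_threshold:
            alerts.append((start_s, f"bus load {load:.0%} exceeds {load_threshold:.0%}"))
        for arb_id, n in Counter(f.arb_id for f in window).items():
            rate = n * 1_000_000 / window_us
            if rate > id_rate_threshold:
                alerts.append((start_s, f"ID 0x{arb_id:03X} at {rate:.0f} frames/s"))
    return alerts


def make_traffic():
    """Constructed 2 s capture: two periodic IDs, then a flood of ID 0x000 from t=1.0 s."""
    frames = []
    for t in range(0, 2_000_000, 10_000):       # 0x100 every 10 ms, 8 data bytes
        frames.append(CanFrame(t, 0x100, 8))
    for t in range(0, 2_000_000, 20_000):       # 0x200 every 20 ms, 4 data bytes
        frames.append(CanFrame(t, 0x200, 4))
    for t in range(1_000_000, 2_000_000, 250):  # flood: highest-priority ID every 250 us
        frames.append(CanFrame(t, 0x000, 8))
    return sorted(frames, key=lambda f: f.ts_us)


if __name__ == "__main__":
    for start, reason in detect_flood(make_traffic()):
        print(f"t={start:.1f}s  {reason}")
```

On the constructed capture the first ten windows sit at about 3% load and raise nothing; from t=1.0 s each window carries 400 frames of ID 0x000, roughly 92% load and 4000 frames/s on a single ID, so both checks fire. A real deployment would learn the per-ID period from normal driving rather than hard-coding thresholds, and would treat a sudden change in an ID's period as a signal in its own right, since a replay or injection does not have to saturate the bus to be dangerous.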


EXPLOITING WIRELESS CONNECTIVITY 169