Their wireless attack was conducted on an active vehicle. But it turns out the engine doesn't have to be running. This is separate from hacks that unlock doors wirelessly – we're talking about commandeering the engine control system potentially over the air, here.
Code boffins from the University of Michigan, in the US, have demonstrated that cars with Electronic Control Units (ECUs), common in recent model vehicles, can be compromised when the engine is off.
In a paper distributed through pre-print service ArXiv, "Who Killed My Parked Car?", Kyong-Tak Cho, a computer science PhD candidate at Michigan, Yu Seung Kim, automotive cybersecurity researcher at Ford Research and Innovation Center, and Kang G. Shin professor of computer science and electrical engineering also at Michigan, describe two attacks: battery-drain, and denial-of-body-control.
"We find that the conventional belief of vehicle cyber attacks and their defenses – attacks are feasible and thus defenses are required only when the vehicle’s ignition is turned on – does not hold," the paper says.
Recent vehicles often include an electronic control unit (ECU) that supports various wireless network protocols, such as Wi-Fi, Bluetooth and V2X. These ECUs turn out to be poorly protected because they've been designed to prioritize simplicity.
In an email to The Register, Kyong-Tak Cho described ECUs as car computers. "Most of the components in cars used to be mechanical parts but nowadays they are being replaced with electronics," he said. "ECU is basically a computer that consists of those several electronic parts. The explosion of low data rate small sensors and actuators is resulting in many new Electronic Control Units (ECUs), right now."
Citing Strategy Analytics’ data, Cho said the number of ECUs has been increasing every year. "While the average vehicle today has approximately 25 ECUs, some high-end models are said to have already over 100," he said.
Cho and his colleagues found that in-vehicle network standards and protocol implementations can control ECU functions via message injection even when the ignition is off.
The reason is that many cars support wake-up functions, to turn the car on, to read diagnostic information, to interact with access and temperature controls, and to provide anti-theft capabilities.
Without wake-up functions, ECUs would have to run continuously, which would drain the car battery.
The researchers tested 11 vehicles of various sizes from model years 2008 through 2017, including sedans, a coupe, a crossover, a plug-in hybrid electric vehicle, SUVs, a truck, and an electric car. All but the 2008 model supported ECU wake-up functions, making them susceptible to both the battery-drain and denial-of-body-control attacks.
The attacks assume access to the in-vehicle network via a compromised ECU, which can be accomplished wirelessly, via a vehicle telematics unit, or directly, via a OBD-II dongle connected to the target vehicle's OBD-II diagnostic port.
So these are not dire threats that demand immediate attention; rather they underscore the need for greater security in automotive systems. The physical access required to attack a vehicle via its OBD port would allow a variety of more dangerous system sabotage scenarios.
The battery-drain attack, as its name suggests, involves spamming the ECU with a variety of messages to utilize connected systems until the car's battery drains. The researchers were able to increase battery drain by a factor of 12.57x, killing the car's battery in a matter of hours or days.
The denial-of-body-control attack is more pernicious. The attacker wakes up the ECU to make it respond to injected messages and then switches the bit-rate. According to the researchers, this generates errors on the ECU's Controller Area Network (CAN bus) and forces it to shut down.
Some but not all ECU units will be bricked as a result, depending upon the bus-off recovery specification, making the car unable to be turned on with an inserted key fob and leaving the doors locked.
As a mitigation, the researchers suggest car makers implement an intrusion detection system that operates even when the vehicle is off, though they acknowledge this could tax the car battery.
They're skeptical that MAC or message encryption will do much to prevent ECUs from being woken up because the encrypted message would still include the same 010 bit-sequence used for ECU activation.
They also observe that automakers like Volvo, Lexus and Tesla have implemented smartphone apps that allow owners to interact remotely with their cars. They suggest it may be possible to extend their attacks by compromising those apps.
Nonetheless, Cho believes automakers are serious about addressing security issues.
"I think the way vehicle manufacturers have approached the vehicle security problem has changed significantly since the Jeep hack was demonstrated, which is a great thing," he said. "As far as I know, OEMs are designing and starting to use secure in-vehicle network architectures and also are trying to securely harden the remote endpoints to prevent hacks. They are starting to introduce bug-bounty programs (as software companies normally do) so that hacks can be prevented. I really believe all these efforts they are putting in really helping in securing the vehicle." ®