Trend Micro discovers 'indefensible' car security/CAN standard flaw

Trend Micro claims to have discovered a hack is found that is not only successful in being able to drastically affect the performance and function of the car, but is also stealthy and vendor neutral. Discovered by researchers at Politecnico di Milano, Linklayer Labs and Trend Micro’s Forward-looking Threat Research (FTR) team, the hack is said to be currently indefensible by modern car security technology and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehi
August 18, 2017 Read time: 3 mins
Trend Micro claims to have discovered a hack is found that is not only successful in being able to drastically affect the performance and function of the car, but is also stealthy and vendor neutral.


Discovered by researchers at Politecnico di Milano, Linklayer Labs and Trend Micro’s Forward-looking Threat Research (FTR) team, the hack is said to be currently indefensible by modern car security technology and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made. Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade.

The researchers say it abuses the Controller Area Network, or CAN, network protocol that connects all in-vehicle equipment, parking sensors, airbag, active safety system and infotainment systems and allows them to communicate. The standard for this network is called a Controller Area Network, or CAN.

Trend Micro’s online blog says, “It’s not the car manufacturers’ fault, and it’s not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works. Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely. To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles.”

David Barzilai, co-founder and chairman, automotive cyber-security firm 8519 Karamba Security, agrees with Trend Micro that the CAN protocol can be abused, causing it to disable devices on a CAN network, and that 7178 IDS systems will not be able to help against such an attack.
 
However, he says, In order to remotely launch Denial of Service (DoS) CAN attacks, a hacker must compromise an externally-connected electronic control unit (ECU) and interfere with its factory settings. Such interference enables the hackers to start sending CAN messages that generate errors leading to a device DoS.
 
“Instead of changing the legacy CAN protocol in all cars that use it (practically all vehicles), the industry should harden the externally-connected ECUs according to their factory settings, to prevent any unauthorised change to the ECU. Blocking such changes enables the industry to prevent cyber-attacks, including the DoS attack that Trend Micro reported on.”

Location Based Systems

For more information on companies in this article

Related Content

  • Auto OEMs ‘focus on opportunities in infotainment, digital instruments’
    January 19, 2017
    One in every four passenger vehicles sold by 2025 is poised to feature digital instrument clusters, dedicated passenger infotainment systems, and integrated biometrics with bought-in device functionality, says Frost & Sullivan. Original equipment manufacturers (OEMs) are tackling the design of components that are in line with fast-changing technology trends and customer expectations. “The luxury segment car of the future will have augmented reality HUD, OLED displays, interactive cabin doors and windows,
    Read More
  • Roadside infrastructure key to in-vehicle deployment
    November 28, 2013
    The implementation of in-vehicle systems will require multilateral cooperation, as Honda’s Sue Bai explains to Colin Sowman. Vehicle manufacturers will shape the future direction of in-vehicle ITS systems, but they can’t do it on their own. So to find out what they see on the horizon, and the obstacles they face, ITS International spoke to Sue Bai, principal engineer in the Automobile Technology Research Department with Honda R&D Americas. Not only does she play an important role in Honda’s US-based ITS
    Read More
  • 3M reflect on why CAVs need lines and signs
    May 10, 2017
    Tammy Meehan and Thomas Hedblom of 3M consider the ongoing development of technology needed to introduce connected and autonomous vehicles. The transportation industry is in the midst of the most dramatic shift since Henry Ford introduced horseless carriages. Already we are seeing the increased use of advanced driver assistance systems (ADAS) which, along with the introduction of autonomous vehicles in the next few decades, will bring profound changes to vehicles and the environment in which they operate.
    Read More
  • ITS America, automakers call on FCC to protect the safety spectrum
    July 11, 2016
    ITS America, along with automakers and intelligent transportation organisations, has filed comments with the US Federal Communications Commission (FCC), urging the FCC to focus on safety first when considering changing the rules of the 5.9 GHz Safety Spectrum band. The 5.9 GHz Safety Spectrum was allocated by the FCC in 1999 for the purpose of intelligent transportation systems (ITS) designed to bring safety benefits for consumers. The FCC is considering a proposal to reconfigure the 5.9 GHz band that w
    Read More

Highlighted Content