
Trend Micro discovers 'indefensible' car security/CAN standard flaw

August 18, 2017
Trend Micro claims to have discovered a hack that can not only drastically affect the performance and function of the car, but is also stealthy and vendor neutral.


Discovered by researchers at Politecnico di Milano, Linklayer Labs and Trend Micro’s Forward-looking Threat Research (FTR) team, the hack is said to be currently indefensible by modern car security technology, and resolving it completely would require broad, sweeping changes in standards and in the ways in-vehicle networks and devices are made. Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (over-the-air) upgrade.

The researchers say it abuses the network protocol that connects all in-vehicle equipment, including parking sensors, airbag, active safety system and infotainment systems, and allows them to communicate. The standard for this network is called Controller Area Network, or CAN.

Trend Micro’s online blog says, “It’s not the car manufacturers’ fault, and it’s not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works. Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely. To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles.”

David Barzilai, co-founder and chairman of automotive cyber-security firm Karamba Security, agrees with Trend Micro that the CAN protocol can be abused to disable devices on a CAN network, and that IDS systems will not be able to help against such an attack.
 
However, he says, “In order to remotely launch Denial of Service (DoS) CAN attacks, a hacker must compromise an externally-connected electronic control unit (ECU) and interfere with its factory settings. Such interference enables the hackers to start sending CAN messages that generate errors leading to a device DoS.
 
“Instead of changing the legacy CAN protocol in all cars that use it (practically all vehicles), the industry should harden the externally-connected ECUs according to their factory settings, to prevent any unauthorised change to the ECU. Blocking such changes enables the industry to prevent cyber-attacks, including the DoS attack that Trend Micro reported on.”
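
The "errors leading to a device DoS" that Barzilai describes rest on CAN's fault-confinement rules, which the article does not spell out. The Python model below is an added example, not code from Trend Micro or Karamba Security; it assumes the CAN specification's transmit-error rules (+8 per failed transmission, -1 per success, bus-off above 255) in simplified form, and the node names and event log are constructed.

```python
from dataclasses import dataclass

ERROR_PASSIVE_ABOVE = 127  # TEC above this: node is error-passive
BUS_OFF_ABOVE = 255        # TEC above this: node is bus-off and stops transmitting


@dataclass
class CanNode:
    """Simplified transmitter model: ignores the receive error counter,
    the spec's exception cases and bus-off recovery."""
    name: str
    tec: int = 0  # transmit error counter

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_ABOVE:
            return "bus-off"
        return "error-passive" if self.tec > ERROR_PASSIVE_ABOVE else "error-active"

    def transmit(self, ok: bool) -> str:
        if self.state != "bus-off":  # a bus-off node no longer takes part
            self.tec = max(0, self.tec - 1) if ok else self.tec + 8
        return self.state


def errors_until_bus_off(successes_between_errors: int, max_errors: int = 10_000):
    """Failed transmissions needed to silence a node, or None if it never happens."""
    node = CanNode("victim")
    for n in range(1, max_errors + 1):
        if node.transmit(ok=False) == "bus-off":
            return n
        for _ in range(successes_between_errors):
            node.transmit(ok=True)
    return None


def first_bus_off(events):
    """Replay (node_name, ok) events; map each silenced node to the event index."""
    nodes, silenced = {}, {}
    for i, (name, ok) in enumerate(events):
        node = nodes.setdefault(name, CanNode(name))
        if node.transmit(ok) == "bus-off" and name not in silenced:
            silenced[name] = i
    return silenced


# Constructed log: every frame from "parking_sensor" is hit by an error,
# while "radio" keeps transmitting normally.
SAMPLE_LOG = [("radio", True), ("parking_sensor", False)] * 32

if __name__ == "__main__":
    print(errors_until_bus_off(0), errors_until_bus_off(8), first_bus_off(SAMPLE_LOG))
```

In this model a node whose every transmission fails is silenced after 32 attempts, while one that completes eight clean transmissions per error never leaves the error-active state.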
