A newly uncovered flaw that affects nearly all modern cars can allow hackers to remotely access and shut down safety features. The bug, which security experts have described as a "denial of service attack" can allow hackers to disable cars' safety systems including airbags, brakes, parking sensors and more.
The vulnerability affects the Controlled Area Network (CAN) protocol, available in almost all modern cars, which is used to oversee communications between a car's internal units. Since the vulnerability is essentially a design flaw affecting the CAN protocol, it cannot be patched. The CAN protocol, which became the ISO standard in 1993, was developed by Bosch in 1983 and is deployed in almost all modern cars.
Researchers say that current technology can only allow car manufacturers to mitigate the attack with limits but that the attack cannot be entirely eliminated. A new generation of cars would have to be developed to patch the flaw comprehensively.
"It is currently indefensible by modern car security technology, and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made," Trend Micro researcher Federico Maggi, said in a blog. "Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade."
How does the attack work?
This particular car hacking technique is not similar to those previously seen. To conduct the attack, hackers would need a customized device that can connect to the car's CAN via open ports.Instead of injecting malicious code into the CAN network, the attack targets how the CAN responds to error messages.
Researchers explained that when the CAN protocol receives too many error messages it goes into a "so-called Bus Off state," disconnecting the device from CAN.
"This, in turn, can drastically affect the car's performance to the point that it becomes dangerous and even fatal, especially when essential systems like the airbag system or the antilock braking system are deactivated," Maggi said. "All it takes is a specially-crafted attack device, introduced to the car's CAN through local access, and the reuse of frames already circulating in the CAN rather than injecting new ones (as previous attacks in this manner have done)."
The Department of Homeland Security (DHS) has also issued an alert about the flaw. "The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles. ICS-CERT is currently coordinating with vendors and security researchers to identify mitigations," the DHS said in a statement.