The day before yesterday was an important day for the information security industry. Investigators announced exploitation of the first ever 0-day vulnerability for cars. The wireless attack was demonstrated on a Jeep Cherokee.
Charlie Miller and Chris Valasek found the vulnerability in the onboard computer of the car. People have been talking for a long time about attacks on such systems if the attackers have access to a diagnostics jack. However a remote attack on a car’s critical systems remained a purely theoretical scenario about which experts have warned for a long time (including experts from Kaspersky Lab). Many hoped that the car manufacturers would recognise the risk of such vulnerabilities being exploited and take preventive measures. Well, we overestimated them.
The investigators gained access through the onboard entertainment system not only to non-critical settings but also the car’s controls like the brakes and accelerator. The investigators plan to publish the technical details of the hack in August but the overall scheme of things is already known.
To start with, the air conditioner, radio and windscreen wipers went crazy and the driver could do nothing about it. And then the car itself. The accelerator and brakes of the Jeep responded only to the remote investigators and not to the car’s owner at the wheel.
It is important here to note that the car had not been modified. All the above was carried out using a vulnerability in the onboard Uconnect system, which handles contact with the outside world via the infrastructure of the Sprint cell operator in cars of the FCA auto-group (Chrysler, Dodge, Fiat, Jeep and Ram). It is enough to know the external IP-address of the victim to rewrite the code in the head unit of the car (more about these units a bit later).
The company has already released a patch for Uconnect, which can be installed either at official dealers, or, for the technically minded, independently via a USB-port. At the moment the investigators can see a vehicle’s VIN, GPS coordinates and IP address by connecting to the Sprint network and using the 0-day exploit they found. By the way, to find the specific vehicle among the 471 thousand vehicles with Uconnect on board is, according to the investigators, rather difficult.
A conceptual defence
This is not the first incident showing the insufficient safety mechanisms built in to modern cars as standard. Before this we saw the local seizure of the steering through the OBD-II diagnostic port and an illicit software update through a false cell base station.
Both the operating system manufacturers and the car manufacturers are now implementing important and necessary but insufficient cyber security measures. The situation is made worse by the fact that the architecture of the onboard electronic networks of vehicles was developed in the 80s, when the idea that a car would be connected to the Internet was something out of science fiction. And, consequently, although the electronic components are reliable and functionally safe the same can not be said about their cyber-security. Here at Kaspersky Lab, as in the case with conventional computer networks, we are convinced that complete multi-level safety will only be achieved by a combination of the right architecture, developed taking into account all risks, including cyber-risks, the correct setup of pre-established equipment and the use of specialised solutions.
The Kaspersky Lab approach is based on two fundamental architectural principles: isolation and controlled communications.
Isolation guarantees that two independent entities can in no way affect each other. For example, entertainment applications will not be able to affect the technical network. Not on board an aircraft and not in a car.
Control of communications guarantees that two independent entities which should work together for the system to function will do so strictly in accordance with the safety and security policy. For instance the system for acquisition of telemetry and sending it to the service centre can only read data about the condition of the car but not transfer control signals. This sort of control would have been of great help to our Jeep owner.
The use of cryptography and authentication for the transfer and receipt of information within and from outside are also indispensable parts of a protected system. But, judging by the results of the investigators, Jeep either used weak vulnerable algorithms or the cryptography was implemented with errors or not implemented at all.
The described approach — isolation and control of communications – comes naturally to a micro-kernel operating system with controlled inter-process interaction. Each logical domain has its own address space and all contact between domains is always carried out via a safety monitor.
Of the onboard electronics controlling critically important functions of the vehicle and theoretically open to attack the key elements are the head unit (HU) and the electronic control units (ECU), which form a whole network of controllers. There are control blocks for the engine, transmission, suspension etc.
Head units work on real time operating systems (RTOS) such as QNX, VxWorks and others. Kaspersky Lab intends to offer its own protected operating system for head units after obtaining the necessary certificates.
Both of the architectural principles mentioned above (isolation and control of communications) are fundamental principles of KasperskyOS — a safe micro-kernel operating system with controlled inter-process interaction.
The operating system was created from scratch and security was its main priority from the word go. This is the main difference between our product and the operating systems now installed in cars. We called a key component of our safe operating system the Kaspersky Security System (KSS)
During operation this system has responsibility for calculating a verdict on the security of any given event happening in the system. On the basis of this verdict the kernel of the operating system takes a decision to allow or block the event or inter-process communication. With the help of the KSS it is possible to control any activity — access to ports, files, network resources via specific applications etc. At the moment KSS works on PikeOS and Linux.
The software on the electronic control blocks is only small blocks of code and for these Kaspersky Lab intends to cooperate with microelectronics firms to jointly guarantee the safety of this embedded software.
In place of a conclusion
We really don’t want to deny ourselves the comforts which the computerisation of cars has brought. However if car manufacturers don’t start taking the problem of the cyber-security of their Internet-connected cars seriously and don’t start demanding that car component manufacturers do the same then people who are concerned about safety will have to switch to classic cars. Yes old cars don’t have computers. Yes they don’t have computer-controlled fuel injection, navigation systems, climate control and other modern gadgets. But on the other hand they only obey the person at the wheel.
Zero day exploits: now available for cars