OBD-II and the Zombie Apocalypse
June 8, 2016
Chances are, unless you are an exceedingly important person, international spy or someone who has really pissed off that nerdy kid down the street, the whole notion of âattack surfacesâ regarding your vehicle is probably no more relevant than the prospect of a zombie apocalypse.
Because just as bank robber Willie Sutton pointed out that he robbed banks because that is where the money is, a modern car or truck is pretty much a suite of computer processors and wheels, and just ripe for hacking.
Why hack a car?
Because thatâs where the computers are.
The Car Hackerâs Handbook: A Guide for the Penetration Tester by Craig Smith (No Starch Press), who runs a security research firm (Theia Labs) and who is a founder of Hive13 Hackerspace and Open Garages, is, on the one hand, an important work that can be highly useful to those who want to find the ways and mean to protect vehicles from cyber-attack, and, on the other, scary as hell for the rest of us.
Consider this matter-of-fact observation:
âItâs worth remembering that while the goal for ECU and other control module hacking is often the sameâto gain access in order to reprogram and change behaviorâitâs unlikely thereâll be a âmaster keyâ for all controllers. However, OEMs are generally not very creative and seldom change their ways, so insight into one controller likely applies to similar models from the same manufacturer. Also, few of todayâs auto manufacturers develop their own automotive computers from scratch, instead licensing prefabricated solutions from third parties like Denso, Bosch, ContinentalÂ and others. Because of this design methodology, itâs relatively common to see vehicles from different auto manufacturers using very similar computer systems sources from the same vendors.â
Which could lead one to believe that while there may not be a âmaster key,â there is likely to be a pretty good set of lock picks of a virtual nature.
Or consider this fun fact: âThe OBD-II standard mandates that you be able to reprogram vehicles through the OBD-II connector.â OBD-II has been part of all cars sold in the U.S. since 1996, which means that there are a whole lot of cars with a port just ready for things to potentially happen.
The OBD-II port is one of the aforementioned âattack surfacesâ on a vehicle. Among the others include everything from the USB ports that people seem to be so keen on having to 4G and WiFi. Heck, even the tire pressure monitoring systems that have been mandated in the TREAD Act for all cars sold in the U.S. since 1997 are an attack surface.
The Car Hackerâs Handbook is written for professionals and includes a variety of highly detailed examples and explanations, far beyond my comprehension.
But what is clear to me is that in light of last yearâs Wired Jeep hack, there are probably a whole lot of people in the industry who are professionals as regards installing the various systems and devices that are attack surfaces in vehicles (yes, yes, these things provide benefits, but they are still vulnerabilities, or potentially so) who havenât read and need to readâlet me restate that: NEED TO READâThe Car Hackerâs Handbook.
Again: chances are, most of us are unlikely to ever have our cars hacked, even though we may be susceptible to it. (All of us could be assassinated at any given moment, but how many of us need bodyguards?) Still, a colleague who lives in Silicon Valley, where the car is seen as a version of the California Gold Rush, thinks that there are all manner of nefarious things that could happen on a massive scale: what, for example, if a foreign government were able to hack into all of the Teslas on the road and hold them hostage for Bitcoins? While the overall number of Model Sâs and Model Xâs is comparatively small, just imagine how many people in northern California couldnât get to work.
(Hereâs hoping that that preceding paragraph isnât a case of whistling while walking by a graveyard.)