OBD-II and the Zombie Apocalypse
–
June 8, 2016
Chances are, unless you are an exceedingly important person, international spy or someone who has really pissed off that nerdy kid down the street, the whole notion of “attack surfaces†regarding your vehicle is probably no more relevant than the prospect of a zombie apocalypse.
Maybe.
Because just as bank robber Willie Sutton pointed out that he robbed banks because that is where the money is, a modern car or truck is pretty much a suite of computer processors and wheels, and just ripe for hacking.
Why hack a car?
Because that’s where the computers are.
The Car Hacker’s Handbook: A Guide for the Penetration Tester by Craig Smith (No Starch Press), who runs a security research firm (Theia Labs) and who is a founder of Hive13 Hackerspace and Open Garages, is, on the one hand, an important work that can be highly useful to those who want to find the ways and mean to protect vehicles from cyber-attack, and, on the other, scary as hell for the rest of us.
Consider this matter-of-fact observation:
“It’s worth remembering that while the goal for ECU and other control module hacking is often the same—to gain access in order to reprogram and change behavior—it’s unlikely there’ll be a ‘master key’ for all controllers. However, OEMs are generally not very creative and seldom change their ways, so insight into one controller likely applies to similar models from the same manufacturer. Also, few of today’s auto manufacturers develop their own automotive computers from scratch, instead licensing prefabricated solutions from third parties like Denso, Bosch, Continental and others. Because of this design methodology, it’s relatively common to see vehicles from different auto manufacturers using very similar computer systems sources from the same vendors.â€
Which could lead one to believe that while there may not be a “master key,†there is likely to be a pretty good set of lock picks of a virtual nature.
Or consider this fun fact: “The OBD-II standard mandates that you be able to reprogram vehicles through the OBD-II connector.†OBD-II has been part of all cars sold in the U.S. since 1996, which means that there are a whole lot of cars with a port just ready for things to potentially happen.
The OBD-II port is one of the aforementioned “attack surfaces†on a vehicle. Among the others include everything from the USB ports that people seem to be so keen on having to 4G and WiFi. Heck, even the tire pressure monitoring systems that have been mandated in the TREAD Act for all cars sold in the U.S. since 1997 are an attack surface.
The Car Hacker’s Handbook is written for professionals and includes a variety of highly detailed examples and explanations, far beyond my comprehension.
But what is clear to me is that in light of last year’s Wired Jeep hack, there are probably a whole lot of people in the industry who are professionals as regards installing the various systems and devices that are attack surfaces in vehicles (yes, yes, these things provide benefits, but they are still vulnerabilities, or potentially so) who haven’t read and need to read—let me restate that: NEED TO READ—The Car Hacker’s Handbook.
Again: chances are, most of us are unlikely to ever have our cars hacked, even though we may be susceptible to it. (All of us could be assassinated at any given moment, but how many of us need bodyguards?) Still, a colleague who lives in Silicon Valley, where the car is seen as a version of the California Gold Rush, thinks that there are all manner of nefarious things that could happen on a massive scale: what, for example, if a foreign government were able to hack into all of the Teslas on the road and hold them hostage for Bitcoins? While the overall number of Model S’s and Model X’s is comparatively small, just imagine how many people in northern California couldn’t get to work.
(Here’s hoping that that preceding paragraph isn’t a case of whistling while walking by a graveyard.)
