Rubicon Labs Q&A Series
A candid conversation with three researchers from the University of Michigan (Bill Hass, Leif Millar and Yelizaveta Burakova) who hacked a truck and school bus. They tell us why all of us should be concerned…
Q: Your research contends it’s easier for a hacker to attack trucks, buses and other diesel engine vehicles rather than cars. Why?
A: One of the things that saved us a lot of time was that the messages sent over the internal Controller Area Network (CAN) of the truck and bus we looked at are defined by an open standard, SAE J1939. This means we could bypass the rather arduous task of reverse engineering the messaging protocol and focus on discovering what we could accomplish from within the CAN network. This was especially helpful when applying the same techniques from the truck to the school bus because the messages are the same.
Q: Because the J1939 is an open communication standard in diesel engine vehicles, you say anyone who can make an electronic payment can gain the knowledge necessary to attack safety critical components. Are you saying a non-engineer can hack a truck?
A: The verb hacking has taken on many meanings over the years, and one could say with the right tools and instructions a non-engineer can hack just about any system. That said, it takes a certain level of technical knowledge about a system and suitable motivation to actually develop the tools to successfully exploit it. With the open J1939 standard, technical knowledge is still required, but less time needs to be spent on reverse engineering.
A: Our hacks required a physical connection to the truck’s internal network, so maintaining the physical security of the vehicle would help thwart a would-be attacker. However, if it’s easy for someone outside the vehicle to clip into the network with a hidden device, that would make an attack much harder to prevent.
Including gateways or firewalls and physically segregating safety critical components in the network architecture will help prevent these types of hacks, but automakers will also need to choose and review their microcontrollers and other components carefully, especially those wireless interfaces.
Q: The majority of J1939 messages are of the 8-byte variety, leaving very little room in the message for security. Have you done any investigation into where security can be added to the protocol to begin introducing some type of data protection?
A: The CAN protocol can only transmit 8 bytes per data frame. A newer CAN protocol, CAN-FD, can transmit up to 64 bytes per data frame and inter-operate with regular CAN components. Authentication could be added with CAN-FD, but it would require a big change to current vehicle production standards and would be costly to implement and retrofit for current vehicles.
Q: You highlight a frightening ability to control all dashboard gauges and ability to override a driver’s input to control the engine brakes and accelerator pedal in large trucks, tractor trailers and school buses. Your test required a laptop be hardwired to the truck. On a scale of 1 to 10, how difficult would it be for an adversary to control the driving functions remotely — and how long will it take for that to happen?
A: There are a lot of variables, and for us a lot of unknowns – we only looked at a 15-year-old school bus and 8-year-old semi tractor. All an adversary needs to do is find a single weak point in the security of a wireless device, and some driving functions could be controlled remotely. If we had to put a number on it, it would be a range of 7 to 10. We would give it a year for a remote compromise to occur.
Q: A speeding school bus veering into a police station or a chemical truck with disabled brakes crashing into a hospital seem like unimaginable scenarios but your research shows they are entirely possible. If you were sitting face-to-face with the CEOs of auto and truck makers, what would your cyber-security advice be to improve vehicle safety?
A: Cyber-security should be treated with the same level of priority and scrutiny as safety. Automakers, and particularly truck makers, should consider investing in vendor reviews for the remote devices they attach to their vehicles. This is one of the fastest ways to improve the security of not just future vehicles, but vehicles that are currently on the road because many of the known remote attack vectors rely on flaws of outside or add-on systems (for example, OnStar, Progressive, telematics devices, etc.).
Finally, there needs to be open dialogue and collaboration with the security research community to encourage the rapid discovery of vulnerabilities and responsible disclosure to fix them before people’s lives are put at risk.
Q: Your hack of a truck and school bus and the well-known Jeep hacks of the past year exploited the anonymous nature of the vehicle control network to execute malicious commands. How can the auto industry and semiconductor suppliers provision identity to networked ECUs so that dangerous and bogus commands will be ignored?
A: This is not an easy problem to solve, given the constraints of the automotive environment. The short answer would be to implement cipher-based message authentication codes and a method to mitigate denial of service on the internal networks, but the implementation details raise other problems. The supply chain is deep and complex from silicon to final assembly, so maintaining trust is a challenge.
Q: You contend the biggest motivation for an attacker is usually financial – i.e., to hijack a truck filled with valuable goods, but Stuxnet illustrated the ability of governments to deploy malware targeted at industrial controllers in Iran. What is the likelihood that governments will be able to “weaponize” connected cars, trucks and other vehicles to achieve political or military goals?
A: If the recent and continued revelations about the NSA can tell us anything, then nation-state actors clearly already are technically capable.
The research by Yelizaveta Burakova, Bill Hass and Leif Millar from the University of Michigan was published in the 2016 USENIX Workshop on Offensive Technologies in Austin, Texas.
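The message authentication idea raised in the interview (a MAC carried in the larger CAN-FD frame so that receivers ignore bogus commands) can be sketched as follows. This is an added example, not code from the researchers or Rubicon Labs; the 4-byte counter, 8-byte tag, key, identifier and the use of truncated HMAC-SHA-256 as a standard-library stand-in for a cipher-based MAC are all assumptions.

```python
import hashlib
import hmac
import struct

CLASSIC_CAN_MAX, CAN_FD_MAX = 8, 64   # data bytes per frame, as stated in the interview
COUNTER_LEN, TAG_LEN = 4, 8           # assumed sizes for this sketch
OVERHEAD = COUNTER_LEN + TAG_LEN

def _tag(key, can_id, counter, data):
    # Stand-in MAC: truncated HMAC-SHA-256 from the standard library.
    # The identifier and counter are bound into the tag along with the data.
    msg = struct.pack(">II", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def protect(key, can_id, counter, data):
    """Build the CAN-FD payload: data || counter || tag."""
    payload = data + struct.pack(">I", counter) + _tag(key, can_id, counter, data)
    if len(payload) > CAN_FD_MAX:
        raise ValueError("payload does not fit in one CAN-FD frame")
    return payload

class Receiver:
    """Returns the data only if the tag verifies and the counter is fresh."""
    def __init__(self, key):
        self.key = key
        self.last = {}  # can_id -> highest counter accepted so far

    def accept(self, can_id, payload):
        if len(payload) <= OVERHEAD:
            return None  # no room for data plus counter and tag: unauthenticated
        data, trailer = payload[:-OVERHEAD], payload[-OVERHEAD:]
        (counter,) = struct.unpack(">I", trailer[:COUNTER_LEN])
        expected = _tag(self.key, can_id, counter, data)
        if not hmac.compare_digest(trailer[COUNTER_LEN:], expected):
            return None  # forged or corrupted frame
        if counter <= self.last.get(can_id, -1):
            return None  # replayed frame
        self.last[can_id] = counter
        return data

def demo():
    key = b"constructed-demo-key"                # constructed sample key
    can_id = 0x18FF0001                          # constructed 29-bit identifier
    data = bytes.fromhex("0011223344556677")     # constructed 8-byte message
    rx, frame = Receiver(key), protect(key, can_id, 1, data)
    forged = data + struct.pack(">I", 2) + bytes(TAG_LEN)  # no key, guessed tag
    return (len(frame), rx.accept(can_id, frame), rx.accept(can_id, frame),
            rx.accept(can_id, forged), rx.accept(can_id, data))
```

With these assumed sizes an 8-byte message grows to 20 bytes, which fits a CAN-FD frame but not a classic CAN frame; key provisioning across the supply chain is outside the sketch.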
* Editor’s Note: This is the first of a series of Q&As with cyber-security thought leaders and innovators who share their views on the high stakes of living in a connected Internet of Things (IoT) world.