The following answers several frequently asked questions about our research papers entitled:
- Experimental Security Analysis of a Modern Automobile, IEEE Symposium on Security and Privacy, May 2010
- Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security Symposium, August 2011
(An earlier version of the second paper was prepared for the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration, March 2011.)
Update (August 2011): Many portions of this FAQ were updated to reflect the new materials in the USENIX Security 2011 paper.
- Who are you and what is your research about?
- What are these papers about?
- Should car owners be concerned?
- How much of a modern automobile is computerized?
- How can the computers in a car be accessed?
- Where do you see automotive technologies heading in the future?
- Why is it important to study the security and privacy properties of existing, modern automobiles?
- Can you summarize your findings with respect to the computer security of a modern automobile?
- Did you take apart the cars, or study them "as is"?
- Do your results apply to other cars?
- What is new about this research?
- Are computer security and safety for automobiles synonymous?
- By publishing these papers, aren't you enabling the "bad guys"?
- What should be done to help protect the security of future automobiles?
- How can I learn more?
Who are you and what is your research about?
Our group is a collaboration between researchers at the University of California San Diego and the University of Washington. Our efforts are supported by grants from the U.S. National Science Foundation.
Modern automobiles are becoming increasingly computerized — with many components controlled partially or entirely by computers and networked both internally and externally. This architecture is the basis for significant advances in safety (e.g., anti-lock brakes), fuel efficiency, and convenience. However, increasing computerization also creates new risks that must be addressed. Our research mission is to help ensure that these future automotive systems can enjoy the benefits of a computerized architecture while providing strong assurances of safety, security, and privacy.
Our research consists of three complementary strands: conceptual, experimental, and developmental. We conceptually evaluate the computer security landscape for potential future automobiles in order to guide our experimental and developmental research. We experimentally evaluate real examples of today's technologies to create informed understandings of potential computer security risks with future automobiles, as well as understandings of the challenges for overcoming those risks. We then develop new security technologies to overcome those challenges and mitigate the associated risks.
Experimental Security Analysis of a Modern Automobile, IEEE Symposium on Security and Privacy, May 2010:
The paper "Experimental Security Analysis of a Modern Automobile" is an example of our experimental research theme. Our research was aimed at comprehensively assessing — and learning from — how much resilience a conventional automobile has against a digital attack mounted against its internal components by an attacker with access to the car's internal network. To help answer this question, we experimentally analyzed and evaluated the computers coordinated within the internal networks of a modern car and described the range of security issues we discovered in the process. All these analyses generally assume that unauthorized parties have (at least temporary) physical access to the automobile's computer networks, e.g., that they are able to plug their own hardware into a port underneath the car's dash.
This paper appears at the 2010 IEEE Symposium on Security and Privacy, a peer-reviewed academic conference in the computer security research field.
Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security Symposium, August 2011:
In the paper "Comprehensive Experimental Analyses of Automotive Attack Surfaces," we step back and evaluate the external vulnerability surfaces of a modern automobile. We conceptually evaluate different potential vectors through which an attacker might be able to compromise computers within a car and, by transitivity, communicate over the car's internal computer network. Our conceptual analysis yields three key classes of remote attack vectors, i.e., vectors that someone can leverage without ever being in physical contact with the vehicle. These three classes are: indirect physical, short-range wireless, and long-range wireless. We then experimentally evaluate representative examples of each of these classes of remote attack vectors and find that it is indeed possible to exploit these vectors. Additionally, we experimentally study how an adversary might be able to leverage the wireless capabilities of our vehicle for post-compromise control. Finally, we draw lessons from our experimental vantage and reflect on the structural characteristics of the automotive ecosystem that give rise to the security problems we identify and that create challenges for mitigating them.
This paper appears at the 2011 USENIX Security Symposium, a peer-reviewed academic conference in the computer security research field. An earlier non-reviewed version of this paper was prepared as a report for the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration and was presented at their March 2011 meeting.
Should car owners be concerned?
We believe that car owners today should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our papers, and we are unaware of any attackers who are even targeting automobiles today.
However, we do believe that our work should be read as a wake-up call. While today's car owners should not be alarmed, we believe that it is time to focus squarely on addressing potential automotive security issues to ensure that future cars — with ever more sophisticated computer control and broader wireless connectivity — will be able to offer commensurately strong security guarantees as well.
We are pleased to say that, following the publication of our first paper, industry is now taking automotive security more seriously. For example, both the Society for Automotive Engineers (SAE) and United States Council for Automotive Research (USCAR) now have efforts focused on automotive computer security. We have also had positive discussions with multiple car manufacturers and various U.S. government agencies. All the parties we have talked with are taking computer security for automobiles very seriously.
How much of a modern automobile is computerized?
There are over 250 million registered passenger automobiles in the United States. The vast majority of these are computer controlled to a significant degree and virtually all new cars are now pervasively computerized. Computers (in the form of self-contained embedded systems) have been integrated into virtually every aspect of a car's functioning and diagnostics, including the throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, and entertainment.
How can the computers in a car be accessed?
The primary direct interface to the computers in a U.S. automobile is the federally-mandated On-Board Diagnostics (OBD-II) port. It is under the dash in virtually all modern vehicles and provides direct and standard access to internal automotive networks. In many cars a range of wireless devices are also attached to these networks, as can be some after-market products (e.g., entertainment units). In the experiments described in our May 2010 paper "Experimental Security Analysis of a Modern Automobile," we connected our equipment to the OBD-II port. We explore a number of other communications channels in our August 2011 paper "Comprehensive Experimental Analyses of Automotive Attack Surfaces", including long- and short-range wireless communications, the networked diagnostic tools used by automobile mechanics and the car's CD player.
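The OBD-II port described above is standardized in more than its connector: any tool plugged into it can issue the same diagnostic queries a mechanic's scan tool does, over CAN, with no authentication of the requesting device. The following is an added example (our own code for this FAQ, not code from either paper) that encodes a standard SAE J1979 mode 01 request as an ISO 15765-4 single frame and decodes the ECU's reply. The identifiers 0x7DF and 0x7E8-0x7EF, the mode/PID layout and the scaling formulas are from those standards; the "vehicle" is a constructed dictionary of canned replies (the byte values are made up), so the block runs offline.

```python
from dataclasses import dataclass

# Standard 11-bit CAN identifiers used by OBD-II over CAN (ISO 15765-4).
OBD_FUNCTIONAL_REQUEST_ID = 0x7DF        # "functional" request: every emissions ECU may answer
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)   # 0x7E8..0x7EF: per-ECU response identifiers
MODE_CURRENT_DATA = 0x01                 # SAE J1979 mode 01: current powertrain data
MODE_RESPONSE_OFFSET = 0x40              # positive responses echo the mode + 0x40


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN data frame: 11-bit arbitration ID plus up to 8 payload bytes."""
    arbitration_id: int
    data: bytes


def build_mode01_request(pid: int) -> CanFrame:
    """Encode a mode 01 PID request as an ISO-TP single frame.

    Byte 0 is the ISO-TP PCI byte (high nibble 0 = single frame, low nibble =
    payload length); bytes 1.. carry [mode, PID]; the rest is padding.
    """
    payload = bytes([MODE_CURRENT_DATA, pid])
    pci = bytes([len(payload)])
    padding = b"\x00" * (8 - len(pci) - len(payload))
    return CanFrame(OBD_FUNCTIONAL_REQUEST_ID, pci + payload + padding)


def parse_mode01_response(frame: CanFrame, expected_pid: int) -> bytes:
    """Validate a single-frame mode 01 response and return its data bytes (A, B, ...).

    Raises ValueError on anything that is not a well-formed answer to our request.
    """
    if frame.arbitration_id not in OBD_RESPONSE_IDS:
        raise ValueError(f"ID 0x{frame.arbitration_id:03X} is not an OBD-II response ID")
    if len(frame.data) != 8:
        raise ValueError("expected a padded 8-byte CAN frame")
    pci = frame.data[0]
    if pci >> 4 != 0 or not 2 <= (pci & 0x0F) <= 7:
        raise ValueError("not an ISO-TP single frame with a plausible length")
    length = pci & 0x0F
    mode, pid = frame.data[1], frame.data[2]
    if mode != MODE_CURRENT_DATA + MODE_RESPONSE_OFFSET:
        raise ValueError(f"unexpected mode byte 0x{mode:02X}")
    if pid != expected_pid:
        raise ValueError(f"response is for PID 0x{pid:02X}, not 0x{expected_pid:02X}")
    return frame.data[3:1 + length]  # length counts mode + PID + data bytes


def is_obd_response(frame: CanFrame, expected_pid: int) -> bool:
    """Boolean form of the validation above, for callers that just want a filter."""
    try:
        parse_mode01_response(frame, expected_pid)
        return True
    except ValueError:
        return False


# Scaling formulas from SAE J1979 for a few widely supported PIDs.
PID_DECODERS = {
    0x05: ("coolant_temp_c", lambda d: d[0] - 40),
    0x0C: ("engine_rpm", lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: ("vehicle_speed_kph", lambda d: d[0]),
}


def query_pid(pid: int, send_and_receive):
    """Issue one request through a transport callable and return (name, value)."""
    response = send_and_receive(build_mode01_request(pid))
    data = parse_mode01_response(response, pid)
    name, scale = PID_DECODERS[pid]
    return name, scale(data)


# Constructed stand-in for a vehicle: canned replies from an engine ECU at 0x7E8.
# These bytes are made up for the example; they were not captured from any car.
FAKE_ECU_REPLIES = {
    0x05: CanFrame(0x7E8, bytes([0x03, 0x41, 0x05, 0x5A, 0x00, 0x00, 0x00, 0x00])),  # 0x5A - 40 = 50 C
    0x0C: CanFrame(0x7E8, bytes([0x04, 0x41, 0x0C, 0x1A, 0xF8, 0x00, 0x00, 0x00])),  # (0x1A*256 + 0xF8)/4 = 1726 rpm
    0x0D: CanFrame(0x7E8, bytes([0x03, 0x41, 0x0D, 0x32, 0x00, 0x00, 0x00, 0x00])),  # 0x32 = 50 km/h
}


def fake_send_and_receive(request: CanFrame) -> CanFrame:
    """Pretend transport: look up the PID in the request and return the canned reply."""
    assert request.arbitration_id == OBD_FUNCTIONAL_REQUEST_ID
    pid = request.data[2]
    return FAKE_ECU_REPLIES[pid]


if __name__ == "__main__":
    for pid in sorted(PID_DECODERS):
        name, value = query_pid(pid, fake_send_and_receive)
        print(f"PID 0x{pid:02X} {name} = {value}")
```

Against a real vehicle the transport callable would wrap a SocketCAN interface (for instance python-can's bus.send and bus.recv); the framing and checks do not change. The security-relevant point is what the code does not contain: nothing in the request identifies or authenticates the device behind the OBD-II port, and the bus carries its frames exactly as it carries frames from the car's own ECUs. The checks in parse_mode01_response protect the tool from malformed replies, not the car from the tool.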
Where do you see automotive technologies heading in the future?
Future cars will likely have even more core functions implemented by computers and with more sophisticated capabilities. For example, some cars already use computers to park themselves, adjust the headlight brightness if another vehicle is approaching, or automatically engage the brakes to prevent an impending collision. We believe the trend of using computers in this manner will continue.
Cars are also becoming increasingly connected to the outside world and will likely become even more so. Many modern navigation systems inform the driver of impending traffic, wireless pressure sensors transmit digital signals to inform the driver of under-inflated tires, and many automobiles now offer Bluetooth interfaces to support hands-free calling. Even more advanced communications capabilities are offered by telematics systems, which can support integrated wide-area features such as remote diagnostics, automated emergency response to a crash, or convenience features such as navigation and location-based services (and potentially even third-party applications). Finally, there is also considerable attention focused on developing new vehicle-to-vehicle communication capabilities to help cars anticipate traffic and avoid accidents. We believe this trend of more connectivity will likely continue as well.
Why is it important to study the security and privacy properties of existing, modern automobiles?
The computer security community is largely unfamiliar with automotive computer systems, the functionality they provide, and the networks they use internally. This was perhaps a reasonable situation when automotive systems were simple and had limited connectivity. However, the trends above — that modern automobiles are becoming increasingly computerized and networked — suggest that in the future, there may be increasing opportunities for unauthorized individuals (attackers) to access and tamper with a car's internal computers.
We believe there is a potential analogy with desktop personal computers, whose security concerns were not as widely appreciated until pervasive broadband connectivity exposed those latent flaws to Internet-based attackers. Our hope is that we can sidestep this same painful learning process with automobiles and think about their security well before significant risks manifest.
To be clear, we believe that the risk of computer security incidents to automobiles is very low today. At the same time, we also believe that these risks are slated to increase in the future. Thus, we argue that now is the right time for the full range of stakeholders — including not only car manufacturers, parts suppliers and technology providers, but also government regulatory bodies, the insurance industry, computer security and privacy researchers, and public interest groups — to focus on these issues together and ensure that our automobiles remain secure in spite of their technological transformation. To help advance this discussion, our research papers provide extensive experimental analyses of computer security issues in real automobiles. Such a detailed understanding of the issues with today's vehicles is critical if we seek to develop more robust technologies in the future.
Can you summarize your findings with respect to the computer security of modern automobiles?
Experimental Security Analysis of a Modern Automobile, IEEE Symposium on Security and Privacy, May 2010:
We conducted our computer security analyses on two modern cars. These cars were introduced into the U.S. market in 2009 and are of the same make and model. We determined that someone with access to the internal network in the car could use his or her own computer equipment to take over a broad array of safety-critical computer systems.
For example, in live road tests, we were able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we were able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly. We were also able to control the lighting within the cabin, the external lighting, the vehicle's dash, and so on. A full description of the road tests begins on page 11 of the IEEE Symposium on Security and Privacy paper (PDF).
For these experiments we focused on what an unauthorized party could do if they had the ability to access the car's internal network (e.g., via physical access to the car). For example, that unauthorized party might plug a computer into the standard OBD-II diagnostic port under the dash. Clearly the risk in this scenario is low — it implies that someone already has physical access to the car — which is one reason we think consumers should not be alarmed by our results.
But our concern when writing this paper was that the increasing use of externally facing wireless interfaces may increase the exposure for future vehicles and provide a way for someone to remotely access the car's wired network. Hence, even though it may be challenging — and unlikely — for an unauthorized individual to perform the actions we describe in this paper, it is still important to understand them so that we can develop solutions that will continue to be robust even as our cars become increasingly connected.
Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security Symposium, August 2011:
For this work we also obtained and conducted our research on two modern cars of the same make and model. The car includes roughly 30 computers comprising both critical drivetrain components as well as less critical components such as windshield wipers, door locks and entertainment functions. These computers are interconnected via multiple CAN buses, bridged where necessary. The car exposes a number of external vectors including the OBD-II port, a media/CD player, Bluetooth, wireless tire pressure sensors, keyless entry, satellite radio, RDS, and a telematics unit. The last provides voice and data access via cellular networks, connects to all CAN buses, and has access to Bluetooth, GPS and independent hands-free audio functionality (via an embedded microphone in the passenger cabin). We also obtained the manufacturer's standard diagnostic tool. Dealerships and service stations can plug the diagnostic tool into the car's OBD-II port and then wirelessly (with a laptop) connect to the tool in order to diagnose and reprogram ECUs.
Whereas our previous work was focused on understanding the capabilities of an attacker who has gained access to the car's internal networks, this work studies how an attacker might gain such access. We studied three classes of attack vectors: indirect physical, short-range wireless, and long-range wireless. We examined each attack vector either as a means of compromising the car's computers or as a means of controlling a car that has already been compromised.
The indirect physical vectors included the CD player and the mechanic's diagnostic tool. Specially crafted CDs or a compromised mechanic's tool can install software on the car's computers which can perform any of the malicious behaviors we studied previously.
The two wireless classes of vectors include Bluetooth, wireless tire pressure sensors, FM radio, and cellular. The Bluetooth and cellular vectors allow total car compromise by exploiting flaws in the telematics unit. All of the wireless vectors enable controlling a previously compromised car: the implanted software listens on the corresponding wireless channel and, on receiving a "trigger" message, acts on the internal network.
Did you take apart the cars, or study them "as is"?
Experimental Security Analysis of a Modern Automobile, IEEE Symposium on Security and Privacy, May 2010:
We performed three classes of experiments. First, we tested car components individually in the lab. Second, we tested the components as a complete system with the car elevated on jacks. Third, we tested one of the two cars in live tests on a closed road course. See page 4, second column of the paper (PDF) for more details on the three stages of the experiments.
Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security Symposium, August 2011:
As with our earlier paper, we conducted all our final experiments with complete automobiles. In some cases we first developed and evaluated our attack capabilities with car components, such as media players, in the lab.
Do your results apply to other cars?
While our experiments are focused only on a limited set of cars (two cars for our May 2010 paper and two cars for our August 2011 paper), the automotive sector has many common suppliers and common development processes. We have no reason to believe that the types of issues we identified are specific to these vehicles rather than industry-wide.
What is new about this research?
In general, very little is publicly known about the practical security issues in automobiles on the road today. There are certainly a range of other research groups who have described the potential for such vulnerabilities (e.g., see references 19, 24, 26 and 27 in the paper (PDF)), but most of these efforts address car security threats abstractly or in isolation. Part of our papers' contribution is in taking this work to a more concrete, experimental context. We assessed the behavior of complete automobiles operating in the field, as well as of automotive components, in response to specific attacks. We also studied the security implications of remote communications capabilities on automobiles (Bluetooth, cellular, and so on).
Are computer security and safety for automobiles synonymous?
Based on our experimental results, we observed automotive components that safely tolerate failures and disruptions in communications, but that were far more fragile with respect to tolerating attacks.
Stepping back, it's important to realize that there is a critical difference between traditional safety issues and security issues. Safety issues happen "randomly," whereas computer security incidents happen due to malice. This makes computer security fundamentally different from safety. This difference manifests in all stages of the lifecycle of a vehicle: from design, to test, to deployment. For example, manufacturers can (and do) develop procedures to test the safety of vehicles, but those procedures will seldom catch security vulnerabilities.
By publishing these papers, aren't you enabling the "bad guys"?
This is a common question concerning experimental security research, especially research that is forward-looking. In general we believe the answer is "no." First, motivated "bad guys" have historically demonstrated significant creativity, and as cars become more computerized, more connected, and more accessible, we have little doubt that adversaries will be able to identify these security issues on their own. Second, while we believe our papers are the first to experimentally explore the security properties of complete automobiles, we are by no means the first to write about the potential security risks in vehicular systems; we are not identifying a new problem per se, but highlighting one that has already been discussed publicly. Third, we have purposely omitted crucial details from our papers that would be required to replicate our work. Finally, we have provided significant advance disclosure to the appropriate stakeholders so that fixes and mitigations could be developed and deployed.
However, against any small risk of "putting ideas" in the heads of future "bad guys," we believe there is a far greater benefit in putting these same ideas into the heads of "good guys" today. We do not want society to be taken by surprise for not having considered what new risks our future automotive designs may bring. If or when automotive attackers arrive on the scene, we believe defenses should already be in place. Research such as ours helps industry and government to stay a step ahead.
What should be done to help protect the security of future automobiles?
While our own research will continue to focus on the issues we have described and on developing new security technologies for future automobiles, we do not believe in a "silver bullet" solution. The automotive environment presents a new challenge for computer security, and one that is unlikely to be solved by any one group alone. We believe that addressing these challenges will require a concerted effort from all relevant stakeholders, including not only researchers, but those in the automotive industry (manufacturers, parts suppliers and technology vendors), government, insurance companies, public interest groups, the public, and others.