I enjoyed last week in Detroit at ESCAR (Embedded Security in Cars). I went there to present on the topic of vehicle security and how remote access and third-party devices impact the threat landscape. Many researchers have published about the security concerns of vehicle systems, namely the CAN bus and its simple nature that lacks security controls entirely. It has been shown that if an attacker is able to send messages on the CAN, they are able to control the vehicle.

I performed a security assessment of a third-party OBD-II dongle. This dongle sits in the diagnostics port of the vehicle (which is on the CAN), collects information, and sends that information through the cellular networks to the third-party servers. I found that this device follows the pattern we see in embedded systems, which is to say that it was designed and created without any security in mind whatsoever. Cleartext communication channels, no hardware separation of concerns, hardcoded database credentials… the list goes on.

What this means for auto manufacturers is that it cannot be assumed that the vehicle CAN will be isolated. An attacker may not need physical access to a vehicle to execute an attack. Attacks are no longer limited to a single vehicle and may affect entire fleets managed by these types of systems. Defending against these attack vectors requires a separation that prevents a compromised dongle from affecting the vehicle in any way whatsoever. I created a proof-of-concept “CAN Protector.” This device acts as a gateway that propagates information out of the vehicle network (one-way/read-only) for consumption by third-party devices.

You can find the slides here: http://www.slideshare.net/dgpeters/thuen-escar-48872976

Website for the conference is: https://www.escar.info/escar-usa/program.html