In-car electronic systems can be hacked with a simple modification to readily-available diagnostic tools, according to Craig Smith, automotive security expert at Theia Labs, Inc.
Using a ScanTools diagnostic device running SocketCAN, Smith showed how he could sniff out the command packets and take control of a vehicle's electronic systems. He could even change the vehicle identification number (VIN) registered in the car's engine.
SocketCAN is an open-source package which implements the CAN networking technology widely used in automation, embedded devices and the automotive industry.
Smith demonstrated the proof-of-concept attack at Derbycon last week. Called ICSim, the malware is a modification of the SocketCAN package.
Smith said it is possible for malware such as ICSim to transfer itself from the diagnostics tool to the car's computer system and then to another diagnostics device, creating a chain of infection.
By connecting through the OBD port, diagnostic tools enable service engineers to turn off any 'Check Engine' lights, get a better understanding of why a window is not opening, or even connect to the Engine Control Unit to re-assign a VIN.
These tools are not security aware, as in-car electronic systems contain few, if any, protective measures. Devices within the car, each controlled by its own processor, communicate using controller area network (CAN) data packets. CAN resolves contention with a lossless, bit-wise arbitration method, which entails every node on the network sampling every bit on the CAN network at the same time.
Unencrypted data traffic means that an attacker, having gained access to any given node on the network, is able to sniff all the data packets and deduce the command codes.
Commands are easily forged because packets have no source, which means the car cannot tell where a packet has come from and so cannot authenticate whether it is an instruction it should actually carry out, Smith said.
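An added example, not from the article or from Smith's tools: because a CAN frame carries no sender, a defender monitoring the bus has to work from timing rather than origin. This sketch parses constructed `candump -L` log lines and flags frames that arrive much sooner than an ID's learned period; the ID 0x244, the 100 ms period and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in `candump -L` format: (timestamp) interface ID#DATA.
# A frame carries an arbitration ID and up to 8 data bytes, but no sender field.
SAMPLE_LOG = """\
(0.000000) can0 244#0000000000
(0.100000) can0 244#0000000000
(0.200000) can0 244#0000000000
(0.300000) can0 244#0000000000
(0.400000) can0 244#0000000000
(0.500000) can0 244#0000000000
(0.600000) can0 244#0000000000
(0.620000) can0 244#00000000FF
(0.700000) can0 244#0000000000
(0.800000) can0 244#0000000000
"""

LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_candump(line):
    """Return (timestamp, interface, can_id, data), or None for lines not handled."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(4)) % 2 or len(m.group(4)) > 16:
        return None  # malformed, remote (#R) or non-classic frames are skipped
    return float(m.group(1)), m.group(2), int(m.group(3), 16), bytes.fromhex(m.group(4))

def find_rate_anomalies(lines, learn=5, tolerance=0.5):
    """Flag frames arriving sooner than tolerance * median gap for their ID."""
    last_seen, gaps, alerts = {}, defaultdict(list), []
    for line in lines:
        frame = parse_candump(line)
        if frame is None:
            continue
        ts, _iface, can_id, data = frame
        if can_id in last_seen:
            gap = ts - last_seen[can_id]
            if len(gaps[can_id]) >= learn and gap < tolerance * median(gaps[can_id]):
                # Timing anomaly only: nothing in the frame says who sent it.
                alerts.append((ts, can_id, data))
                continue  # keep the outlier out of the baseline
            gaps[can_id].append(gap)
        last_seen[can_id] = ts
    return alerts

if __name__ == "__main__":
    for ts, can_id, data in find_rate_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{ts:.6f} early frame on ID 0x{can_id:03X}: {data.hex()}")
```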
Although expensive, the attack tools are readily available and the software is open source, making this kind of attack a very credible problem, he added. An attacker could infect a car and then use it to infect a garage's diagnostic tools simply by taking it in for repair.