Tuesday, June 10, 2014

Car networking era battle on security

With an external device connected to the car more and more, it faces many security risks, despite the current industry has recognized this, but realize that to develop effective programs still have a long way to go.
Compared future V2V systems and automatic driving car universal level, today's "car Internet" still in its infancy, but even so, there are many ways to have been malicious attacks from the cloud to the car system. Located below the instrument's car OBD2 diagnostic interface is now the most vulnerable to malware attacks. In the past, it just auto mechanic teacher diagnostic interface is used to connect the car, but now, it is even capable of receiving WiFi signals and thus the vehicle for remote diagnostics, remote unlock, if there is no protection of information security systems, then the car will become a "chicken . " This paper will present in automotive Internet information security risks, information and practical ways to deal with the invasion inventory programs.
A car interconnected risks
Remote code tampering
To optimize the vehicle electronic systems programming, car manufacturers can adapt the system code, and hackers can do, but the difference between the two is that the hackers for malicious code tampering.
Intelligent Transportation System is essentially exchanges V2V, V2I, the hacker can intercept and modify data in the information exchange process, thereby causing confusion.
In a computer, a malicious software can be uninstalled, it is not possible to reinstall the system. For a car, malicious software will lead to the sudden invasion of accidents - even the sound system volume suddenly increases will scare a rapt remote car driver, causing irreparable consequences.
Different products more generations cycle
More generation cycle of the electronic component inside is very long compared to the period of the computer 3, the former which is almost three times. This makes the car even if the electronic system fails to technical updates, loopholes can not be repaired.
And if you want to replace some electronic components, new issues will be raised. Due to the rapid development of electronic components, new components may not be with the original electronic systems and interactive good match for the market vendors and challenges.
Through information encrypted connection process seems to be able to ensure the safety of vehicles, but there are also "grabbed" concerns, simply put, is the malicious data is encrypted as normal data.
The high cost of security solutions
If the car's electronic system design are fixed, then the upgrading process will involve a huge amount of work; If using heuristic protection program, the need for greater data processing, programming itself caused trouble even as much processing software Intrusion; virtual private network (VPN) can provide good security, but if users are thousands of cars using it, the cost will be very expensive.
Thus, with the associated vehicle electronic systems, information systems and the outside world ever closer, the urgent need to optimize information security program.
Second, the way the car network intrusion
Physical connection
That is, through a special chip, connected to the CANBUS bus vehicle control car via Bluetooth, mobile data, etc., to the disadvantage of this approach is the need to install, easy to find; Spanish security researcher Javier Vazquez - Vidal (JavierVazquez-Vidal) and Alberto Garcia and easy music to pull (AlbertoGarciaIllera) 3 月份 demonstrated a small device they build, cost less than $ 20.
Such a device with the car's internal network physical connection and enter malicious commands affect all parts from the windows, headlights, steering wheel to brake. The size of the device is equivalent to three-quarters of iPhone through four antennas and car control area network (ControllerAreaNetwork, abbreviated CAN) connectivity, access to energy from the vehicle power system, ready to receive remote attackers sent by a wireless computer command and the input-vehicle systems. They named the device control area network intrusion tools, referred to CHT.
"Connect only takes five minutes or less time, then you can leave." German automotive IT security consultant Vidal said, "We can wait one minute or one year, and then start the device directs it to do anything for us things. "
Vidal said the researchers were able to depend on the input commands via remote CHT type models. They tested four different models (they do not want to disclose the specific manufacturer and model number), enter the command has closed headlights, activate the alarm, turn on and off this prank windows, anti-lock braking system also has access or emergency braking system, which may lead to a sudden stop a vehicle traveling in dangerous actions. In some cases, the installation of the device need to open the hood or trunk, while in other cases, they say only need to climb under the car to install.
Currently, such devices can be connected via Bluetooth wireless attacks which limits the distance to within a few feet. But two researchers said that when they showcase their research in Singapore, will be upgraded to a GSM cellular radio, so that in a few miles outside the control of the device possible.
OBD loopholes
Through the OBD interface of the vehicle, the car is written to malicious programs, such as the vehicle to cause the failure of the situation, the more difficult to achieve because the OBD interface is often in the car, the main way is to wait for an opportunity when the owners repair operations;
To install the chipset or car OBD Although invasive means are not clever, but it is best to use, after all, the existing automotive control systems have not been too many basic security, it is relatively easy to crack, if by OBD intrusion system bus, it will be much easier to control the engine ECU, as long as the car itself is functional enough, in addition to outside control acceleration and braking, and even take over the steering (pure electronic power steering and other active or wire).
Another popular risk, exists on the owners to buy their own installation "OBD communications equipment", now part of the electronics manufacturers introduced based on the information read car OBD WIFI or Bluetooth devices, automotive information can be passed to the phone via WIFI or Bluetooth or computer, which would allow owners to learn more vehicle information on their own, or even upload to the Internet via mobile phone APP, fuel consumption and other travel information exchange, seemingly beneficial and harmless, in fact, there are also risks, poor equipment manufacturers can malicious intrusion on the OBD program, but even the regular products may also be bad business in the sales cycle tampered with, such risks may have a real existence.
Wireless Control
High point of the car now has networking capabilities, whether it is intelligent copilot or interconnected driving, once connected to the network, it is likely to be compromised, which is a computer hacker attack was the same reason.
Freescale Semiconductor Technician RichardSoja said: "Remote wireless intrusion will become a major threat to many vehicle systems approach can save the data on a particular chip.." Although remote wireless intrusion has not been listed as the most threatening The car connection system means of attack, but several studies indicate its potential hazards. Component suppliers and sub-developers are looking for ways people can disable the vehicle interior network intrusion.
Infineon BjoernSteurich cross-functional team leader, said: "One of the effective ways to prevent the vehicle bus data on the use of digital signature secure data transmission when compared to all via the data bus is encrypted for this. method is more practical because it is not affected by network bandwidth. "smartphone has been the object of interest to hackers, and as more and more contact with the vehicle system closely, it will also be able to be used by hackers to break into the car connection system breakthrough. More and more smartphone users connected to the system, there is a lot of data transfer using applications and entertainment features, period, any vulnerability could cause the system to be "black."

No comments:

Post a Comment