Hackers can force airbags to deploy


#1

Originally published at: https://boingboing.net/2017/10/24/what-could-go-wrong-2.html


#2

Oh hey I know a few guys who work for MITRE. Nice to know some of what goes on there.
Also that would really make the commute suck.


#3

This is why I always make sure there are no hackers hiding in my footwell before I leave for work.


#4

It’s not immediately obvious (to me) from reading the article or the vulnerability specification whether this can be remotely triggered (e.g. by WiFi) or if this requires physical access to the connections in the car.


#5

The linked text says this about that:

…via predictable Security Access (SA) data to the internal CAN bus (or the OBD connector).

Disclaimer, I’m no expert when it comes to cars, like at all…

The ODB connector is a plug that (I believe) is usually accessible from some hidden location on the dashboard (the glove compartment, behind a panel, somewhere) and maybe under the hood. So for now this would require physical access to the (inside of the) car. Of course you could plug something in there covertly and deploy the code remotely later.

However most cars are in one way or another connected to a wireless network, (bluetooth, wifi, even mobile data) for the media features of your car. If you’re a really clever hacker you may be able to jump from there to the CAN bus and in that way deploy this exploit remotely without the physical access. I’m not really following this closely but I don’t think a working example of jumping from the “media part” of the board computer to the “car part” has been found yet.


#6

You can even do it ‘remotely’ from the outside by hitting the car just hard enough…

No need to hack anything :wink:


#7

Hmm, the problem with this is even if it did work correctly, it’s open to a denial of service attack. Preventing an airbag deploy is just as bad, if not worse then deploying an airbag outside of a crash. Critical safety systems should be communicating over a dedicated bus, physically isolated from the rest of the vehicle’s systems. The real security vulnerability isn’t that they implemented the key wrong, is the fact that any of this communication was possible over the can bus.


#8

I am not telling my Dad about this.
father of working air bag on problems, 1996


#9

That is not the case - while it’s perhaps true that no generally appicable method of getting between the two buses has been found that will work for all cars, each individual car is its own special IT security dumpster fire. Plenty of methods have been found for taking control of individual CAN bus connected modules, including the ones that are on both buses (and so, that can be used to turn a position of access to one bus, into access to both buses).

This paper is from 2010 and examines 2009 model year cars, I don’t think there’s any particular reason to think things have improved. http://www.autosec.org/pubs/cars-oakland2010.pdf

TL;DR

  • several ways of getting a foothold - Bluetooth, wifi, malicious mp3 file that takes over the car stereo, etc.
  • a couple of ways of turning that foothold into complete access - reflashing the instrument panel firmware being one
  • no problem controlling the car once complete access is achieved - on that model of car, they could take over brakes, dashboard display, and engine, but not steering.

#10

No, it really isn’t. My airbag fails to deploy every time I drive. Having it deploy unexpectedly, at speed, would probably kill.


#11

I’m not sure why I thought this wasn’t the case :man_facepalming: Maybe I expected some sort of airgap between the two? Or at least a very rigours firewall?

The only upside I see is that the airbags can only be deployed when going less then 6 km/h. If not for that restriction this would be a perfect assassination method, deploy the airbag on a busy piece of highway and you’re done. Everybody uses Bluetooth in their car, so to get access all you need to do is hack their phone :confused:


#12

I understand many airbag models have been recalled in the past due to exploding small pieces of metal or plastic into the chests and faces of those they’re supposed to protect. That said, I hope these hackers know what they’re getting into, b/c it seems some of bag manufactures sure as hell don’t. As for the code writers…even if they do know what they’re doing, they likely can’t implement it anyway due to this, that, or the other boss-man constraint.


#13

I hate to be the bearer of bad news, but it’s far worse than you think. The ODB port is the On-Board Diagnosis port that’s been required in cars sold in the US since the early 90’s, and now is pretty much a world-wide standard. This little connector is usually located on the left side of the driver’s footwell, directly under the dashboard.

Now comes the fun part. You know those little plug-in dongles that insurance companies give you to install in your car in exchange for “good driving” discounts? Yeah, those plug into the ODB port, and they connect to the cellular data network. And in most cases they have NO security that would keep bad guys from modifying their code to force an airbag deployment using this exploit.

As of the time of this 2015 Jalopnik article on the lack of security in the Progressive Sanpshot product, the insurance company had handed out over 2 million of these little guys. Remember that scene at the end of “Kingsman: The Secret Service” with all the heads exploding? Yeah, like that.


#14

Damn! That is worse then I thought!

Well at least now when you get one of those “we’re not punishing you for not giving up your privacy, we’re just rewarding everybody but you that does” discount-plans, you’ll know the privacy aspect is only the second worst aspect of the deal…


#15

I feel a bit pedantic in having to point out that preventing an airbag deploy would be fatal during an accident. Obviously while driving under normal conditions, your airbag shouldn’t deploy, but in this hypothetical scenario where an attacker has access to the car’s bus, they could theoretically operate other parts of the car. There are demos of steering, braking, and acceleration being controlled by a security researcher. How hard would it be to cause a highspeed head-on collision intentionally? A premature airbag deploy might kill you, but I think causing a fatal accident would be easier with the airbag disabled. That would be my concern at least.


#16

The hack I read about years ago was to hit an accelerometer on a parked car with a hammer, making the airbags deploy. As a safety feature this unlocks the doors so you can steal all the stuff inside.


#17

Yes, but once you’ve got the airbag disabled, you have to arrange for the fatal crash, and if you’re in that business, you can’t exactly blame the airbag.


#18

Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

It’s 2017 and Hayes AT modem commands can hack luxury cars

Car hacking’s dynamic duo offers to save others $1m in research

Related:
Hackers can turn web-connected car washes into horrible death traps


#19

Aside from its power-of-two-ness, I have to wonder why 256 keypairs?

That’s a hopelessly tiny search space if you are worried about an adversarial activation(especially because you can’t really rate limit or lock out; or you’d have a denial-of-airbag attack); but seems needlessly complex if you are assuming a secure channel over which to send ‘detonate’ or ‘don’t detonate’.

Why not either a simple binary value; or something that at least looks vaguely robust?


#20

This topic was automatically closed after 5 days. New replies are no longer allowed.