By Frederick Hirsch, Upham Security
Third in a series of blogs from the Industry IoT Consortium Trustworthiness Task Group. For a comprehensive look at trustworthiness foundations in IIoT, download our foundational document.
Connected systems introduce risks to each other, so a single system cannot be effectively trusted unless the other systems to which it is connected are also trusted.
The publicized “Jeep Hack” provides a vivid example from the automotive industry of failures of trust in individual and aggregated systems.
Cybersecurity researchers Charlie Miller and Chris Valasek in 2015 and 2016 created a series of technical security exploits that allowed near-total remote control of a consumer vehicle, a 2015 Jeep Cherokee. Their work demonstrates that assumptions about the operational context must be aligned across the different components of the supply chain. The designers of the entertainment unit assumed a different operational context from the engineers of the CAN bus.
In cars like the Jeep, the radio/entertainment system head unit (labeled “RAD” in the figure below) is an externally facing device that can receive commands through external interfaces such as USB and Bluetooth. Properly secured designs enforce strict separation between head-unit communications and systems related to life safety on the car. However, in 2015 these design requirements were not well understood. Miller and Valasek recognized this flaw.
As shown in the figure, they also found that the head unit used an easily guessed password. This is convenient for the dealer, service people, or manufacturer, who might need those passwords to service the car. Miller and Valasek worked out how to apply a software update to the bus gateway through the head unit.
Figure: Hacking a vehicle - Jeep CAN bus, annotated to show exploits
This bus gateway was supposed to arbitrate the connection between the CAN bus and the bus serving the head unit, but because the password was guessed, this control was not effective. After the update, Miller and Valasek had access to all of the devices on the internal CAN bus, including those that control the car.
Further, firmware updates to the gateway were applied through the head unit. They required a signed checksum, but the feature was poorly implemented, and an illegitimate update was not stopped. As shown in the figure, the hackers’ update was accepted by the gateway as a legitimate update without any effective authentication.
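To make the update-verification point concrete, here is an added example (my own code, not the vehicle's firmware or anything from Miller and Valasek) that contrasts a checksum-only acceptance check with one that verifies a signature against a public key pinned in the gateway. The update format, image bytes and key handling are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is a constructed, simplified model of a gateway firmware update
// (not the Jeep's real format): an image, its SHA-256, and a signature.
type Update struct {
	Image    []byte
	Checksum [32]byte
	Sig      []byte
}

// weakAccept models the kind of check the post describes as poorly
// implemented: it recomputes the checksum and compares it with the one
// shipped inside the update, but never checks who produced the update.
// Whoever builds the image can also compute its checksum, so this passes
// for any well-formed update.
func weakAccept(u Update) bool {
	return sha256.Sum256(u.Image) == u.Checksum
}

// strictAccept additionally verifies an Ed25519 signature over the checksum
// with a public key pinned in the gateway; the matching private key stays
// with the vendor, so a third party cannot produce an acceptable update.
func strictAccept(pub ed25519.PublicKey, u Update) bool {
	if sha256.Sum256(u.Image) != u.Checksum {
		return false
	}
	return ed25519.Verify(pub, u.Checksum[:], u.Sig)
}

// vendorSign builds a correctly signed update with the vendor's private key.
func vendorSign(priv ed25519.PrivateKey, image []byte) Update {
	sum := sha256.Sum256(image)
	return Update{Image: image, Checksum: sum, Sig: ed25519.Sign(priv, sum[:])}
}

// forgedUpdate builds an update with a correct checksum but a signature
// from a key the gateway has never trusted, to show what each check catches.
func forgedUpdate(image []byte) Update {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return vendorSign(otherPriv, image)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed gateway image v2") // sample bytes, not firmware
	fmt.Println("vendor update  weak/strict:", weakAccept(vendorSign(priv, image)), strictAccept(pub, vendorSign(priv, image)))
	fmt.Println("forged update  weak/strict:", weakAccept(forgedUpdate(image)), strictAccept(pub, forgedUpdate(image)))
}
```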
Once they had access to the CAN bus from the head-unit, they could issue commands to others on the bus, including opening and closing windows, turning on blinkers and windshield wipers, changing speeds, and turning the wheels.
The attacks in 2015 did not work at highway speed because they were based on the diagnostic system, which did not allow changes to be made above 5 mph. The attackers learned that the tire pressure monitoring system was the source of the information about the speed of the vehicle, so in 2016 the Jeep Hack evolved to spoof the tire pressure monitor messages to tell the car that it was going slowly.
This was possible because the protocol for the bus discarded duplicate messages. Once they knew how to get illegitimate messages onto the bus ahead of the actual tire pressure monitoring system's messages, a spoofing attack let them operate at highway speeds. The genuine tire pressure monitoring message was discarded as a duplicate, so the car concluded it was going slowly when in fact it was not.
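A spoofed copy racing a periodic sender leaves a trace on the bus: the same arbitration ID shows up twice within a fraction of its normal period. The following added example (my own illustration, not code from the post or from any vehicle) runs a simple period-based check over constructed CAN frame records; the IDs and periods are made up for the demonstration and do not correspond to the Jeep's real message set.

```go
package main

import "fmt"

// Frame is a constructed, minimal CAN frame record: arrival time in
// milliseconds and arbitration ID (payload omitted for the demonstration).
type Frame struct {
	TimeMs int
	ID     uint32
}

// Alert names a frame that closed an implausibly short gap for its ID.
type Alert struct{ Frame Frame }

// detectEarlyDuplicates flags any frame whose ID repeats sooner than
// tolerance*period after its previous occurrence. When an injected copy
// precedes the genuine periodic message, the genuine one closes the short
// gap and is flagged; the ID is what matters for the alert.
func detectEarlyDuplicates(frames []Frame, periodMs map[uint32]int, tolerance float64) []Alert {
	last := map[uint32]int{}
	var alerts []Alert
	for _, f := range frames {
		p, known := periodMs[f.ID]
		if t, seen := last[f.ID]; known && seen && float64(f.TimeMs-t) < tolerance*float64(p) {
			alerts = append(alerts, Alert{f})
		}
		last[f.ID] = f.TimeMs
	}
	return alerts
}

// samplePeriods: constructed expected periods per ID (0x2A0 plays the role
// of a slow sensor-report message, 0x1F0 a fast one). Not real IDs.
func samplePeriods() map[uint32]int { return map[uint32]int{0x2A0: 500, 0x1F0: 100} }

// sampleFrames: a constructed capture where an extra 0x2A0 arrives at 990 ms,
// just before the genuine one at 1000 ms.
func sampleFrames() []Frame {
	return []Frame{
		{0, 0x1F0}, {0, 0x2A0}, {100, 0x1F0}, {200, 0x1F0}, {500, 0x2A0},
		{990, 0x2A0}, {1000, 0x2A0},
	}
}

func main() {
	for _, a := range detectEarlyDuplicates(sampleFrames(), samplePeriods(), 0.5) {
		fmt.Printf("early repeat of ID 0x%X at %d ms\n", a.Frame.ID, a.Frame.TimeMs)
	}
}
```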
This example shows clearly how one untrustworthy system (the radio/entertainment head unit) in an otherwise trustworthy solution can render all connected systems untrustworthy. It is essential that all systems connected to other systems be trustworthy. Otherwise, a failure of trust in one can bring down the others and result in a failure across all the connected systems.
The system of concern can be larger than a single vehicle. A major concern with attacks on cars is that they can scale beyond a single automobile to an entire fleet: imagine taking control of numerous cars as they drive on the highway. This could certainly lead to catastrophe. Another scenario to consider is that of self-driving cars or trucks, especially at the point when there is no driver paying attention. Without the failsafe of a driver to take over, this too could lead to harmful scenarios unless care is taken. Clearly, the need for attention to trustworthiness will grow with time.
Trustworthiness in the IIoT is explored in a new IIC foundational document, “The Industrial Internet of Things Trustworthiness Framework Foundations.” Co-authored by members of the IIC Trustworthiness Task Group, the document defines and motivates trustworthiness, highlights the need to consider trustworthiness throughout the system lifecycle, and raises awareness of technologies, processes, and practices. It also highlights traceability and assurance of trustworthiness based on evidence.
Papers from Charlie Miller and Chris Valasek are available at http://illmatics.com/carhacking.html.