“Vatican” stops hacker attacks on cars
Today’s vehicles have dozens of computers installed, and the software in a modern car adds up to 100 million lines of code or more. These computers make it easier for the workshop to diagnose faults or warn drivers about a dangerous lane change, for example. The computers, however, only follow the control commands they are given, without thinking about them the way a human being would. “If a stranger confuses the command hierarchy, uncontrolled control commands can suddenly hit the devices in the car and abruptly slow down the vehicle or cause it to spin,” says Stefan Nürnberger, head of the research group for automotive security at the Competence Center for IT Security CISPA in Saarbrücken (Germany). Only a few years ago, such scenarios were virtually impossible because criminals had to physically gain access to the vehicle in order to manipulate it.
Today, more and more vehicles have a permanent internet connection. This makes it possible, for example, to include current traffic-jam information in route planning or to activate auxiliary heating remotely. “However, if such Internet-capable ECUs contain security gaps, attackers can send their commands to thousands of vehicles,” warns the computer scientist, who holds a doctorate. Together with Christian Rossow, Professor of IT Security at Saarland University, Nürnberger is working on the idea that components such as an emergency brake assistant can check the authenticity of the commands addressed to them at any time. The “vatiCAN” software developed for this purpose ensures that only the real transmitter can attach the necessary authentication codes to messages.
These codes are constantly renegotiated between the vehicle’s ECUs and cannot be known to an attacker from the outside. “Those control units that use our software can thus distinguish between genuine and fake messages,” says Nürnberger, explaining the principle. The researchers attached great importance to making their security solution easy for car manufacturers to retrofit. The language that ECUs speak in a car is not changed by vatiCAN. “The software can be retrofitted into existing vehicles in order to protect them against attacks,” said the researcher. Since it would be a Sisyphean task to adapt every language and every protocol for every brand and every model, it is up to the manufacturers here. They have the information needed to integrate the anti-hacking software easily.
At the International Motor Show (IAA), the researchers will be simulating a hacker’s attack on a real vehicle and showing how this can be prevented with the help of the software.
In addition to authenticating messages, the software prevents replay attacks, in which authenticated messages are recorded and sent again, by including a time stamp in each message. If the time stamp is not up to date, the message was recorded earlier and could be dangerous. “Due to these additional calculations, the transmission of the message only needs two milliseconds more,” explains Nürnberger, who tested vatiCAN on a VW Passat. This is also acceptable for control processes in which the immediate reaction is important: “If data packets are delayed by two milliseconds, the braking distance is extended by just seven centimeters at a speed of 130 kilometers per hour.”
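The receiver-side check described above (authentication code plus time stamp) can be sketched as follows. This is an added example, not vatiCAN's own code: HMAC-SHA-256 truncated to 8 bytes, a static per-sender key, integer ticks as the time stamp, and the CAN ID, key and payload values are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # assumption: tag truncated to fit one 8-byte CAN data field
MAX_AGE = 5   # assumption: how many ticks old a time stamp may be


def make_tag(key, can_id, timestamp, payload):
    """MAC over sender ID, time stamp and data, so none can be swapped."""
    msg = struct.pack(">IQ", can_id, timestamp) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Receiving ECU that accepts a frame only if it is genuine and fresh."""

    def __init__(self, keys):
        self.keys = keys        # CAN ID -> key shared with that sender
        self.last_seen = {}     # CAN ID -> newest accepted time stamp

    def check(self, now, can_id, timestamp, payload, tag):
        key = self.keys.get(can_id)
        if key is None:
            return "unknown-sender"
        expected = make_tag(key, can_id, timestamp, payload)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "bad-mac"
        if timestamp <= self.last_seen.get(can_id, -1):
            return "replayed"
        if abs(now - timestamp) > MAX_AGE:
            return "stale"
        self.last_seen[can_id] = timestamp
        return "accepted"


def run_demo():
    brake_id = 0x1A0                              # constructed CAN ID
    key = bytes(range(32))                        # constructed demo key
    brake_cmd = bytes([0x01, 0x40])               # constructed payload
    tag = make_tag(key, brake_id, 100, brake_cmd)
    ecu = Receiver({brake_id: key})
    return [
        ecu.check(100, brake_id, 100, brake_cmd, tag),            # genuine
        ecu.check(100, brake_id, 101, b"\x01\xff", b"\x00" * 8),  # forged tag
        ecu.check(101, brake_id, 101, brake_cmd, tag),    # old tag, new stamp
        ecu.check(101, brake_id, 100, brake_cmd, tag),    # recording re-sent
        Receiver({brake_id: key}).check(200, brake_id, 100, brake_cmd, tag),
    ]


if __name__ == "__main__":
    print(run_demo())
```

Because the time stamp is covered by the tag, a recorded frame cannot be given a newer time stamp without invalidating its authentication code.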
The researchers have already presented their method at an international conference in Santa Barbara, California. The software can be downloaded and used free of charge: www.automotive-security.net/vatican