Researchers say they’ve discovered a security flaw that can affect any vehicle featuring “controller area network” systems – AKA a “CAN bus” – which is basically the network that interconnects components in a car. The “CAN bus” interconnects things like parking assist features, electric windows, and engine control units.
Researchers say hackers can access the connection and bombard it with error messages until the system shuts down to protect its other components. An attacker can therefore theoretically switch off safety features like airbags, ABS brakes, power steering or perhaps even lock someone out of their car.
Car hacking worries
With advancing technology pushing for completely autonomous vehicles, there is a huge concern that hackers could completely take over and control all aspects of a vehicle, which is a very worrying thought.
Newer cars boast clever features to help drivers and passengers have more efficient and smoother journeys. In certain vehicles, drivers can even create profiles which store their favourite songs, destinations and the frequency of specific journeys. Although the risk of having personal information stolen is present, this particular flaw reportedly doesn’t allow someone to hack into a component to take control or steal information, but rather to hit it with a “denial-of-service” attack.
Previous and ongoing research
Back in 2015, researchers Chris Miller and Chris Valasek managed to remotely hack into and take complete control of a Jeep’s radio, windscreen wipers and fluid, and air conditioning. Shockingly, the duo were also able to control the vehicle’s steering, disable its brakes and even turn the power off.
Thankfully, the vulnerability was easily patched up with a recall and updated software, but the design flaw is thought to still affect the “CAN bus” messaging protocol standard used in “CAN controller chips”. As such, even a recall may not be effective because the security flaw is “not specific to one vehicle model or its underlying electronics.”
Online IT and technology news platform ZDNet says this particular flaw is not exploited by injecting a malicious command into the network; it instead targets how the CAN system responds to error messages. When bombarded by an excessive number of error messages, it disconnects and disables the device’s functionality.
This was an intended design to stop malfunctioning devices from triggering other systems on the “CAN bus”, but is nevertheless a vulnerability attackers could abuse. It therefore seems paramount to create a layer of cybersecurity to prevent attackers from reaching the “CAN” system.
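The error handling described above can be modelled in a few lines. This is an added example, not code from the researchers or ZDNet; it assumes the standard CAN transmit error counter rules (+8 per failed transmission, -1 per success, error-passive above 127, bus-off above 255) and ignores the receive counter and the standard's exceptions. The node name and the traces are constructed.

```python
"""Simplified model of CAN fault confinement (transmit side only)."""
from dataclasses import dataclass

ERROR_PASSIVE_LIMIT = 127   # TEC above this: node becomes error-passive
BUS_OFF_LIMIT = 255         # TEC above this: node disconnects (bus-off)


@dataclass
class CanNode:
    name: str
    tec: int = 0            # transmit error counter

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"

    def transmit(self, ok: bool) -> str:
        """Apply one transmission result and return the new state."""
        if self.state == "bus-off":
            return "bus-off"            # node no longer takes part in traffic
        self.tec = max(0, self.tec - 1) if ok else self.tec + 8
        return self.state


def frames_until_bus_off(outcomes):
    """Return the 1-based frame index at which the node goes bus-off, or None."""
    node = CanNode("ecu")  # hypothetical node name
    for i, ok in enumerate(outcomes, start=1):
        if node.transmit(ok) == "bus-off":
            return i
    return None


# Constructed traces: True = frame sent cleanly, False = transmit error.
every_frame_fails = [False] * 40
one_error_in_nine = ([False] + [True] * 8) * 200
one_error_in_five = ([False] + [True] * 4) * 200

if __name__ == "__main__":
    for label, trace in [("every frame fails", every_frame_fails),
                         ("1 error in 9", one_error_in_nine),
                         ("1 error in 5", one_error_in_five)]:
        print(f"{label}: bus-off at frame {frames_until_bus_off(trace)}")
```

The counter reacts only to how often transmissions fail, not to why they fail, so a sustained error rate above one in nine frames eventually disconnects the node whatever the cause.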
Intrusion detection systems required?
Security researcher Charlie Miller, who was part of the team who hacked into the Jeep, warns that an intrusion-detection system is required, but noted that the system could find it difficult to distinguish between a genuinely faulty component and an attack on the system.
Researchers are reportedly working hard to fix the problem, but note that the vulnerability is a worldwide problem, so without global compliance, security may not be effective.
Cyber risks and autonomous vehicles
The U.K. government recently gave car companies the go-ahead to test a number of self-driving commercial trucks on British roads. However, the government also apparently recognises the magnitude of the task ahead: trying to stop vehicles purely controlled by software from being hacked.
They published the “Key principles of vehicle cyber security for connected and automated vehicles”, and the principles read as follows:
- Organisational security is owned, governed and promoted at board level
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
- Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
- All organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system
- Systems are designed using a defence-in-depth approach
- The security of all software is managed throughout its lifetime
- The storage and transmission of data is secure and can be controlled
- The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail