Alarming vulnerabilities in automotive security systems.
Dave Bittner: [00:00:03] Hello everyone and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network, helping defend you against advanced threats. Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Ken Munro: [00:01:53] Well, so you've probably seen there's been a lot of issues around key relay attacks for keyless entry vehicles.
Dave Bittner: [00:01:59] That's Ken Monroe. He's a security researcher at Pen Test Partners. The research we're discussing today is titled, "Gone in six seconds? Exploiting car alarms."
Ken Munro: [00:02:10] So the idea being a car thief will come along with a smart black box and use that to amplify your keyless key signal, and then can open your vehicle and drive it away. So, a lot of people are now looking at third-party alarms that provide another layer of protection to mitigate against key relay attacks. And that's what we started looking at.
Dave Bittner: [00:02:31] And so, what's the range of features that these third-party vendors are advertising?
Ken Munro: [00:02:37] Well, if you've got a mobile app for your car already you'll probably know some of sort of the functionality you'd expect. So, you can geolocate your car so you can see where you've left it in the parking lot. You could lock and unlock the doors. If you've forgotten, you can easily lock it. And you can check the status and immobilize/demobilize your vehicle. So the sort of things you're probably familiar with if you've already got a mobile app for your car. But these are also provided by third-party alarm vendors.
Dave Bittner: [00:03:02] And so, what's the benefit here of the third-party vendor? Is this a functionality that's not built into all cars?
Ken Munro: [00:03:08] Well, that's the thing. It's another layer of security. So, if you've got a vehicle that's vulnerable to, say, key relay, or maybe it doesn't have a high-quality alarm factory-fitted, you can have another layer of security. So, an additional set of immobilizers that will take control if the other ones are overwritten.
Dave Bittner: [00:03:26] All right, well, let's dig in here. Walk us through - what did you discover?
Ken Munro: [00:03:30] Well, what really got our attention is we noticed one of the alarm vendors advertised their system as unhackable...
Dave Bittner: [00:03:39] Hmm.
Ken Munro: [00:03:38] ...And that is a red flag.
Dave Bittner: [00:03:42] (Laughs)
Ken Munro: [00:03:41] We've looked at a few devices over the years - we looked set a cryptocurrency wallet that was promoted by John McAfee a little while ago, and that was promised as unhackable, and guess what - it wasn't.
Dave Bittner: [00:03:52] Hmm.
Ken Munro: [00:03:52] So that word is - it always gets our attention.
Dave Bittner: [00:03:55] Mm-hmm.
Ken Munro: [00:03:55] And we saw this, and we thought, you know, we have to have a look. So the first thing we started looking at were a couple of major alarm vendors. So, Pandora - very big brand in Europe and Russia. And then Viper - who I think are very well known in the US...
Dave Bittner: [00:04:08] Mh-hmm. Yup.
Ken Munro: [00:04:07] ...And are branded in UK as "Clifford" - now they have several brands around the world.
Ken Munro: [00:04:12] So we started looking. The first thing we did is we started looking at the smartphone apps. And we found some things that bothered us, but we couldn't really go too much further without getting hold of the equipment and having them fitted to our vehicles. We didn't want to start touching other people's alarms - that wouldn't have been ethical or right. So, we took a backseat, and then booked some expensive smart alarms to be fitted into a couple of our vehicles here.
Ken Munro: [00:04:37] And, yeah, about six weeks later we had them in, we had them working. And guess what - everything that we suspected turned out to be true. So, we had the ability to find your vehicle in real-time, whether you were driving, stationary, parked, or whatever. That was quite creepy. So it could track you, something like three million vehicles in real-time. So we knew where you were, where you were going, what you were doing.
Dave Bittner: [00:05:02] So, just to be clear here, not your own vehicle, but the ability to go in and track other people's vehicles beyond your own?
Ken Munro: [00:05:08] If you wanted to, yeah. Obviously, we only tracked our own, because where were the ethical guys. We're good. You know, we don't go at that breaking law.
Dave Bittner: [00:05:14] Right. Right.
Ken Munro: [00:05:13] But bad guy, vehicle thief, could track you, people in your vehicle, anytime - three million vehicles in real-time.
Dave Bittner: [00:05:22] What was the specific vulnerability here that allowed you to do that?
Ken Munro: [00:05:25] Okay, so technically, what we discovered were some missing authorization steps in the APIs that the mobile apps used to communicate. So - whilst you had to create a user account and you had to log in - what it didn't do is, after you'd logged in, checked correctly that you were the person authorized to make those requests. Essentially anyone with an account could make a request to reset a password.
Dave Bittner: [00:05:49] Hmm.
Ken Munro: [00:05:49] Like, send that password reset to any email address - so, obviously, to one in control of the hacker - reset the password, and then take control of the account, locking out the legitimate user.
Dave Bittner: [00:05:59] And you don't have to be an owner of one of these devices to spin up an account, right?
Ken Munro: [00:06:03] No, and that's where our first initial steps started. So, we created a couple of accounts for ourselves, checked to see if we could access our data from the other account. So, we weren't trying to access anyone else's data, but we could prove that we could access one from the other.
Dave Bittner: [00:06:16] And so, your ability to do this, you can go in and basically grab control of someone's account, and then what abilities do you have from there?
Ken Munro: [00:06:25] Right. So, we can track it. That's great. So, we know where your vehicle is. So, we can then unlock the doors, which you probably wouldn't be very happy about that. We can disable the alarm. And then we could disable the immobilizer. So, we're now in a position where we can get into your vehicle, and in some configurations you could drive it away.
Ken Munro: [00:06:46] But the bit that creeped me out the most was that, because we can track you in real-time, one of the bits of information disclosed in the app is the type of vehicle. So you could deliberately target expensive, fast sports cars. You could go and find them late at night, go and drive behind the owner, set the panic mode off on their alarm, which would usually cause someone to stop, and then you can go and assault them, take their keys, pull them out of the vehicle, and drive off in their expensive car.
Dave Bittner: [00:07:18] Hmm.
Ken Munro: [00:07:18] So that's just pretty horrible, right?
Dave Bittner: [00:07:21] Yeah, it is. The ability to target a certain group of vehicle owners, then this provides you with a map to where they are, and an ability to directly affect the vehicle that they're driving, including - could you shut the engine off?
Ken Munro: [00:07:33] So, we couldn't shut the engine off in motion on the vehicles we had the alarms fitted to, but we believe that on certain types of vehicles, with some of the alarms, we could successfully disable the engine in motion. So, whilst we couldn't prove it during our research, it's just a matter of having another couple of vehicles fitted, and we're confident we could kill the engine of certain vehicles whilst they're in motion. So, you know, you might be driving along the freeway at seventy, eighty miles an hour - all of a sudden your engine quits.
Dave Bittner: [00:08:02] Mm. Now, some of these devices have audio capabilities as well? They have microphones built in?
Ken Munro: [00:08:07] Oh, this was mad. This was really mad. One of the alarm vendors - this was Pandora - if you'd experienced a high-G impact, for safety reasons, it could automatically dial the emergency services and set up a call. So, you could call the emergency services - cool. However, we just realized that the same microphone in this component of the alarm that allows that - we could actually enable that microphone remotely, on around two million vehicles. So, we could setup a listening bug into two million cars and listen to the driver and their passengers talking, with no evidence of that happening. Nothing was evident to the user at all.
Dave Bittner: [00:08:44] Wow. So, a remote snooping capability that doesn't draw any attention to itself.
Ken Munro: [00:08:49] Yeah, and how often do you have conversations that you really don't want overheard when you're in the privacy of your own vehicle?
Dave Bittner: [00:08:54] Yeah. Just the amount of talking to myself that I do would be embarrassing.
Ken Munro: [00:08:56] (Laughs)
Dave Bittner: [00:08:59] Now, there's another part of this, and that has to do with the CAN bus on these vehicles, which is a part of all modern vehicles. Can you describe to us - first of all, what is the CAN bus, and how do these interact with it?
Ken Munro: [00:09:12] Oh, sure. Okay, so, the CAN is the car network. That's the bit that electronic components talk to. They talk to your throttle, they talk to the braking system, they talk to the brakes, they talk to the engine. It's what makes the car work and communicate. And it's the integration of other things in your car that expose the security of the CAN bus. So, if you've got breaking-by-wire or throttle-by-wire, you can actually start to tamper with the way that the vehicle operates. In some cases where you have self-park, you can in theory take over control of the steering column as well. And that's quite worrying.
Ken Munro: [00:09:43] Now, what we started looking at - for simplicity, and to make the alarm install easy for the installers - you would often connect the alarm to the vehicle CAN bus network, and the alarm was then capable of determining which vehicle it's connected to, and then could interact with the vehicle immobilizer, and could configure itself. So, it sped up the process of installation dramatically. But as part of that, we discovered that some alarms have the ability to issue commands to the vehicle network - to the CAN. And that's where things get a bit scary.
Ken Munro: [00:10:16] Now, we haven't completed the research in that space, but we've already seen evidence that it may be possible to issue commands to the cruise control - to accelerate. And also, because in some cases you need to tap the brake pedal before you start a vehicle, some of these alarms have the ability to talk to the braking systems.
Dave Bittner: [00:10:33] So, in other words - I'm trying to puzzle through this - a remote start function would need to simulate a foot on the brake to be able to remotely start the vehicle, for example?
Ken Munro: [00:10:42] That's absolutely right.
Dave Bittner: [00:10:44] And so, having that access, the vehicle itself - while driving - wouldn't necessarily know the difference between a real foot on the brake and one that was triggered artificially.
Ken Munro: [00:10:53] That's right. So you've got access to the CAN bus, which means - hopefully when we complete our research in the space - we'll be able to issue arbitrary commands to the vehicle network over the alarm API.
Dave Bittner: [00:11:05] Does this point to a fundamental issue with the CAN bus itself? Should this information be available to external devices being sent around in the clear?
Ken Munro: [00:11:16] Well, you're talking about reversing, what, thirty plus years of development there.
Dave Bittner: [00:11:19] Yeah.
Ken Munro: [00:11:20] That's the challenge. So, the CAN on the vehicle - there's very little one can do about it. So, if you were to apply, say, encryption to it, then you'd increase the latency - so when you press your brake pedal, instead of the brakes coming on immediately, they might be delayed by half a second, and, you know, what if you have a wreck as a result of that? That wouldn't be a good place.
Dave Bittner: [00:11:37] Hmm.
Ken Munro: [00:11:37] So the most important thing with CAN is stopping what we call "bridging onto it" - whether that's through your satnav, through your phone, through your Bluetooth, through your tire pressure sensors. The trick to vehicle security is stopping other systems talking to it, and therefore making it easier to compromise.
Dave Bittner: [00:11:54] I can imagine some sort of handshaking type of thing. Like, "I am the brake pedal, and here's how I am verifying that I am who I say I am, and I'm not someone else."
Ken Munro: [00:12:02] Kinda, yeah. Although, I think what many vendors are working on are the concept of what we call a "CAN gateway." So it means that, say, your satnav can only issue certain commands onto the CAN.
Dave Bittner: [00:12:12] Ah.
Ken Munro: [00:12:12] So your satnav needs to know how fast it's going, so how fast the wheels are rotating.
Dave Bittner: [00:12:15] I see.
Ken Munro: [00:12:15] So it should only be able to read that data. It shouldn't therefore be able to send information to the braking system.
Dave Bittner: [00:12:20] I see. Yeah, no, that makes a lot of sense. So, you discovered these things and you reach out to the vendors - what happened next?
Ken Munro: [00:12:28] Actually, that was the good bit. Probably the biggest problem we have when we're doing security research and find vulnerabilities, is the vendors just don't listen. In far too many cases. So, we try and disclose responsibly. And then we get to a point three, four months down the road where we end up having to go to the media in order to get them to listen and fix the bugs. However, in the case of these two alarm vendors, they were actually really responsive. So, Pandora - the Russian manufacturer - fixed it in four days, which included a weekend. And Viper, they fixed it in five days. So they were actually really, really responsive, and that's unusual. So, I think the good piece of this story is just how well the vendors responded. But what bugs me is that those vulnerabilities shouldn't have been there in the first place.
Dave Bittner: [00:13:14] Now, when you say "fixed it," what did they do under the hood?
Ken Munro: [00:13:17] So what they did is they implemented authorization checks, to make sure that, when you're making, for example, a password reset request, the email address goes to the email address on file, not just anyone's email address. Really simple fix. And that's what we liked about this, is we knew that the vendors would be able to fix it fast, which meant we could start writing up our work.
Dave Bittner: [00:13:37] Now, have you looked at any other manufacturers of these sorts of devices? Have you found any that were doing it right from the get-go?
Ken Munro: [00:13:45] (Laughs) It's not often we find smart tech that does security a hundred percent right. It's very, very rare that we do. There are a few good examples - not many. We are continuing our research. We're looking at a bunch of other devices right now that relate to vehicle security - not strictly alarms. I won't go into detail about what they are, but we are continuing our research, and so far every product we've looked at has serious security flaws, and we'll be releasing those a little later in the year.
Dave Bittner: [00:14:11] What about from the manufacturers' side of things? What sort of work are they doing to try to prevent these things from happening?
Ken Munro: [00:14:18] By and large, the automotive manufacturers, the OEMs - they're doing a good job. They're actually really working hard toward security, and actually many of them are completely re-architecting their vehicle networks including security at every point. The problem is, vehicles last for a while. Maybe your vehicle lasts ten, fifteen years. So we have this huge legacy problem.
Ken Munro: [00:14:39] There's also quite a significant lead time in the development process for a new vehicle. You know, you're talking three years from drawing boards to full production and sale. So, even the manufacturers that are right on it and doing a great job right now, it still can be eighteen months to three years until we see the fruits of their efforts actually getting onto the tarmac.
Dave Bittner: [00:14:59] Yeah, it really is an interesting development as the technological sophistication in the vehicles has grown over the past decade. I saw someone comment recently that, you know, they said "my favorite iPhone accessory is my car."
Ken Munro: [00:15:13] (Laughs) I love that. But that's true. I mean, we're seeing, what -the automotive tech grow by fifteen to twenty percent every year, which is incredible. However, unfortunately, security wasn't keeping pace with that development of functionality for many years, and I think it took people like Charlie Miller and Chris Valasek to draw attention to that with a Jeep hack a few years ago. And it was that - that point was the wake-up call, three and a half, four years ago. But only now we're starting to see vehicles hit the road which have got good security controls included.
Dave Bittner: [00:15:42] Now, what are your recommendations for the folks who may be developing products like this? Things that interact with vehicles. What are your recommendations in terms of making sure that they don't have these sorts of security problems?
Ken Munro: [00:15:53] Well, I just love the irony of a vehicle car alarm making your vehicle less secure. And I think that that did have a reputational impact upon these alarm vendors. So it's - I think it's really important that you take security very seriously. It was evident from the majority of the coding work that these two vendors did in their mobile apps that kind of got it, but they didn't check thoroughly enough. So it's really, really important to get an understanding of secure development practices, so that your development teams code correctly, and safely, and securely.
Ken Munro: [00:16:24] But also then to verify it. Don't just take the word of your developers or your third-party suppliers that their products are secure. You've got to get it checked. You've got to thoroughly, thoroughly make sure that the product that you're taking to market doesn't make your customers less secure.
Dave Bittner: [00:16:39] And is this the kind of vulnerability that, had this been sent out to a third-party tester, is this the sort of thing that would have been readily discovered?
Ken Munro: [00:16:47] Yeah. That probably the most embarrassing bit, is that these are really simple vulnerabilities. Don't get me wrong, we do some really hardcore research work here, involving taking chips off PCBs, reverse engineering them, fault injection using lasers and magnets and electrons, and stuff like that. But this was real simple. It was what's called an insecure direct object reference, and it's right up there in the OWASP Top 10 list of most commonly found vulnerabilities.
Dave Bittner: [00:17:12] Now, what about from the consumer side of things? If I'm someone shopping around, and I want to make my car more secure and not less - any tips for folks out there?
Ken Munro: [00:17:22] Well, ironically, actually going with the two vendors that had this this train wreck, actually is probably a good idea now, because they've addressed their security concerns. They've had a bad experience, and they're right on their security now. So, arguably, I'd look for an organization that maybe had a bad experience of security, because they're the ones that are going to be taking it right now.
Dave Bittner: [00:17:45] Our thanks to Ken Munro from Pen Test Partners for joining us. The research is titled, "Gone in six seconds? Exploiting car alarms." We'll have a link in the show notes.
Dave Bittner: [00:17:54] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:18:04] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:18:13] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben; editor is John Petrik; technical editor is Chris Russell; executive editor is Peter Kilpe; and I'm Dave Bittner. Thanks for listening.