Ilaria Matteucci and Gianpiero Costantino managed to hack the ECU of an automobile, revealing new risks for those who drive
When we hear about cyber security, hacker attacks and violation of privacy, we immediately think of two objects to protect: the computer and the smartphone. However, all too often we do not take into account that in the Internet of Things era there are many more devices connected to the Internet, and therefore potential targets for cyber pirates. These devices frequently hide in the most unexpected places. Like the home garage.
Ilaria Matteucci and Gianpiero Costantino, researchers at the Trust, Security and Privacy research unit of the IIT-CNR, are well aware of this and they study the weaknesses of the technology that manages our cars.
“We tend to take it for granted”, begins Matteucci, “that safety in the car is about reducing the risk of accidents or their consequences on people’s safety. So the first things that come to mind are technologies such as the airbag or assisted braking. But there’s a good deal more.” The scientist is referring to the car's control systems: the electronic control units (ECUs), which communicate with each other over a dedicated communication system, the CAN-bus. Developed in the 1980s and widespread especially since the late 1990s, this technology is now found in virtually all automobiles.
In the brain of the car
Intelligent electrical control units resemble computers. They have their own operating system, a program to run and are connected to the Internet, with the aim of sharing information with each other in an extremely reliable way. Thanks to the CAN-bus, for example, the ABS system calculates the speed of the car and communicates it to the engine control unit.
“Everything is very efficient, but unsafe”, explains Matteucci. “The system has several vulnerabilities.” The Achilles heel of the CAN-bus is its total lack of security. In older generation cars this was not a danger as communications via CAN-bus remained confined within the car’s limits. In modern cars, on the other hand, through the infotainment system connected to the Internet, these communications are also accessible from the outside.
“The latest car infotainment systems work like tablets, indeed, they are real tablets. And like all tablets, they can be hacked”. Once inside the infotainment system, an attacker can access songs, photos, videos, phone books, recent calls and messages, or discover the car’s GPS positions. In the worst-case scenario, since the infotainment system is connected to other control units, a hacker may also be able to activate other controls or turn the steering wheel.
For some years now, the two researchers have taken on the role of hackers, trying to break into car systems to find the weak points (and report them to manufacturers).
“We have made several attacks”, recalls Costantino. “In the first, Candy, which had as its objective the violation of privacy, we geolocated a car along its entire route, took photos with the parking sensors and activated the environmental microphone to listen to the conversations inside the passenger compartment”. The guinea pig in these experiments was initially a simulator; the scientists then tested the effectiveness of the attacks on their own cars and on a radio purchased for the occasion. “Then we moved on to Candy Cream, an attack in which we were more active. We were able to change the speed indicator and turn on the warning lights on the dashboard.”
Today Matteucci and Costantino have a car dedicated to the experiments, which is located in the parking lot of the CNR in Pisa. After a period of research and attempts, the two managed to dismantle the radio and turn it on in their laboratory.
“It’s not at all banal to be able to operate a radio outside the car without having direct support from the manufacturer, but it was essential to work more easily, without being forced to experiment with the engine running and the computer inside the car”, explains Matteucci.
Last November Matteucci and Costantino received important public recognition for their research: the security flaw they discovered in the Head Unit of a KIA car was entered in the CVE (Common Vulnerabilities and Exposures) list, the public list of vulnerabilities that helps the international IT community to correct and improve the security of IT products.
The results of this research will be useful for car manufacturers. “There is a tendency to underestimate the risk of hacking a car, which takes a back seat to that of having an accident. But in the very near future, when self-driving cars are circulating on the roads, cybersecurity will be at the core of the discussion”.