Hardware Backdoor for Remote Control over Cars

A modern car’s resistance to hacking has been once again tested by security researchers, who have built a device to spy on internal communications and deliver commands to the vehicle. The piece of hardware has GSM support, allowing an attacker to activate available payloads by sending an SMS from anywhere in the world.

An automobile today relies on small computers called electronic control units (ECUs) to monitor and manage its components and systems. They handle operations of critical driving systems such as braking, steering, acceleration and stability, and complementary systems like multimedia, parking, navigation and lane correction. It is not unusual for a modern vehicle, especially a high-end one, to integrate 100 ECUs, which typically communicate in real time over a system called controller area network (CAN).

Aptly named Bicho – meaning “bug” in most Spanish-speaking countries – the device is a hardware backdoor that connects through the OBD-II port to a vehicle’s CAN bus. It is the product of Argentinian researchers Sheila Ayelen Berta and Claudio Caracciolo, who introduce the device as “a very smart backdoor,” due to its capabilities. The duo will present their work at this year’s edition of the Hack in the Box security conference in Amsterdam, on April 13.

The two researchers say the attack payloads can be configured for automatic execution according to specific circumstances. This would allow an attacker to trigger malicious commands remotely when the target reaches a GPS position, runs over or below a set speed, when the fuel gauge indicates a particular level, or when Bicho detects the transmission of a CAN message.

“The Bicho supports multiple attack payloads, and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is related to a command that can be delivered via SMS, this way it allows remote execution from any geographical location,” reads the abstract for the presentation of Bicho.

Programming the hardware backdoor is possible through the Car Backdoor Maker software, also developed by Caracciolo and Berta, and released as an open source project. It has sections for inputting the phone number for the SIM card inside Bicho, and for setting the attack initiation parameters and the command the CAN bus should send to the ECUs.

Bicho is a powerful tool and has great potential for harm, so researchers and car-hackers should tinker with it responsibly. A website has been set up for enthusiasts to add CAN messages for various car makes and models. The purpose is to understand the reach of the CAN communication protocol.

OpenCANdb is in an early phase, with 12 entries available currently, for modules like headlights, beacons, tachometer and driver seatbelt status. Although learning the specific CAN messages a car manufacturer implements in its products for ECU management could become easier in the future, real-world abuse scenarios are limited by the need for physical access inside the target vehicle.
