Fuzzing Collision Avoidance Systems for Phun and Prophet
Posted by FirmWarez on 14 Aug 2014 in Blog | 0 comments
There has been quite a bit of research and noise on the topic of “cyber” security for on-board automotive networks. Various attack vectors have been demonstrated (CAN bus, back doors, the usual suspects), and there is a strong movement (“I Am The Cavalry“) pushing the concept that in vehicles, (info)security is safety.
I’m a certified gearhead: <brag>I own a custom modified car — my own work — that will do 0-60 in under 5 seconds and I’ve held a rally competition license.</brag> I’ve been involved in a number of automotive projects electronic and otherwise, and weld good enough to bet my life on it. (My life; not yours. Unless you suck.) I’m also an embedded systems engineer with 20 years of experience (not sure if that’s bragging rights or indicative of some form of psychosis). Looking at the existing body of work from my point of view, I believe these research efforts are to be applauded; and honestly I hope to be able to devote some bandwidth to the cause and concerns myself.
Engine
Some time back I was bantering with a friend and the topic of self-driving cars came up. That conversation really got me to thinking about collision avoidance and automated emergency braking systems, and what phun could be had, not by hacking in to wire and playing CAN-i-bus network guru (don’t all you wiresharks use CAN-i-bus?), but by fuzzing the external systems necessary for such fancy robo-Stig maneuvers. Yeah, I became certain that one could be as badass as Batou: “I’m sorry, but I had to hack your eyes pal.”
Oh, the phun we can have hacking Toyota-san’s eyes. I mean no one in a Lexus is worth carjacking, are they? Up for some good old Mexico City ransom? Let’s get that Lexus to stop for no apparent reason, and via the finest automatic rifles drug money can buy convince Mr. Nice Guy inside to go along for a friendly ride. Or maybe we need a roadblock? Trigger collision avoidance in a Volvo (“Later versions will automatically apply the brakes…”) in front of drivers of much older machines. Then there’s always the phun of triggering “Collision-avoidance Steering Support” in a particularly curvy section of road, just to see if our idiot-who-depends-on-a-machine-to-tell-him-it’s-dark-and-he-needs-to-turn-the-lights-on driver knows the difference between understeer and oversteer. Yeah, phun times.
This isn’t meant to be research or a white paper, this is just some hax0r tossing out “what ifs”. Maybe my handle should’ve been “The Prof”; I like these high level thought experiments, and as the books say “the proof is left as an exercise for the student”. Some come on Student, get me another pint of Guinness and start doing some maths or something. I’ve got papers to grade and cheerleaders, to, um, grade. Hey, I’m a busy guy.
Anyway.
Hmm. How do? Well, a sophisticated attacker could play around with fuzzing the radar signals with properly tuned transmitters. Care to modulate things to make it look like we’re about to slam in to a big old dump truck? Anti-collision systems also utilize IR and cameras — many opportunities there for fuzzing and false images.
Of course sometimes the best attack vectors are the oldest attack vectors…meanwhile, in Mexico City… Drug Lord Furious Gorge figures out how to use black mylar balloons in the right pattern and right place and time to stop Mayor Grande Whig in his Lexus. Chaff you see, cuz radars luv some chaff. “But, but Firmwarez you idiot,”, you say, “Drug Gang can just shoot the car!” Yep, but by chaffing the Lexus, Furious Gorge(tm) gets Grande Whig without firing a shot, and gets a nice new Lexus to boot, with no more evidence at the scene than some innocent party favors. Or leaves the phun mystery of why it looks like Senior Whig just walked away from his car, no shell casings, no broken glass. Yeah, that’s how I’d play in Mexico City.
<gearhead cred>So the Rush song Red Barchetta was inspired by a short story published in Road & Track about a dude in an MGB being harassed by modern ‘safety cars’.<gearhead cred> Wonder what a talented driver will be able to do against a self-driver, without even using any attack vectors other than “unexpected” maneuvers. A good competition driver can scare the hell out of ‘normal’ people already, wonder how that kind of skill could be used to convince a mindless blob of overly complicated OS based embedded systems to start performing unnecessary “collision avoidance”. Richard Foster’s little song inspiring story just might have been looking in to the future, but he had it backwards. It’ll be the asshat in the MGB taunting “smart” cars in to doing stupid things. You know, the kind of asshat with an MGB powered by a fuel injected aluminum block V8 with a Pony on Its Ass.
Little Fast Car is Fast
Disclaimer: I only do phun like this for the sake of research, under controlled conditions. I’m one of the good guys. If you don’t understand I was saying that would be phun for purely academic reasons, you should probably be reading somepony else’s rants.
So there you go, all sorts of phun to be had studying this concept.
The prophet part? Well, the prophecy is that as on-board automotive systems become more complex and utilize various external sensors for self drive, self recovery, and collision avoidance, there will be “air-gapped” attack vectors. If I can fool your eyes, I can fool radar and cameras. No Batou level cyber brain required.
Whew. And I made it through this without ranting about how I have NO desire to have an OS between my foot and the brake calipers…
