
Researchers have discovered a security flaw that probably affects every new vehicle on the road. It lets an attacker disable safety features such as airbags, anti-lock brakes and power steering, or any other computerized component connected to the vehicle's controller area network, or CAN bus.

Because the flaw lies in the CAN messaging protocol itself, the standard implemented by every CAN controller chip, it cannot simply be patched through a recall, as happened after researchers remotely hacked a Jeep in 2015. It is also not specific to one vehicle model or its underlying electronics.

In addition, the attack the researchers devised sidesteps the common intrusion-prevention and intrusion-detection techniques that protect a CAN by blocking malicious CAN messages.

Instead of injecting a malicious CAN message, or 'frame', onto the network, the attack targets how CAN handles errors. Every controller counts its own transmission errors; if that count climbs too high, the controller takes itself off the bus, and whatever the device controls stops working.

"Our attack focuses on how CAN handles errors," writes Trend Micro researcher Federico Maggi, one of the paper's authors.

"Errors arise when a device reads values that do not correspond to the original expected value on a frame. When a device detects such an event, it writes an error message onto the CAN bus to 'recall' the errant frame and notify the other devices to entirely ignore the recalled frame."

Such errors are common and usually have natural causes: a transient malfunction, or simply too many systems and modules trying to send frames over the CAN at the same time.

"If a device sends out too many errors, then -- as CAN standards dictate -- it goes into a so-called Bus Off state, where it is cut off from the CAN and prevented from reading and/or writing any data onto the CAN. This feature is helpful in isolating clearly malfunctioning devices and stops them from triggering the other modules/systems on the CAN. This is the exact feature that our attack abuses."

The attack differs from the Jeep hack in several ways. First, an attacker would need physical access to the vehicle to plug in a malicious device, which is then aimed at one specific component on the vehicle network.

As Wired notes, it also doesn't rely on hacking a component on the CAN to spoof new frames and hijack physical controls. Rather, it is a denial-of-service attack that "waits for a target component to send one of those frames, and then sends its own at the same time with a single corrupted bit that overrides the correct bit in the original frame".

Each forced error adds to the target controller's transmit error counter (by 8 under the CAN rules), and nothing on the target can tell the overwritten bit apart from a genuine bus fault. Repeating the process enough times pushes the counter past the bus-off threshold of 255, and the device cuts itself off from the CAN, exactly as the protocol requires.

Still, Charlie Miller, one of the researchers behind the Jeep hack, said the attack should be factored into intrusion-detection systems for the CAN bus. He also pointed out that it would be difficult for an IDS to tell the difference between a faulty component and an attack.
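The following simulation is an added example, written for this article and not code from the researchers or from any vehicle. It models the CAN fault-confinement rules the attack abuses (a transmitter adds 8 to its transmit error counter on each error, subtracts 1 on each success, is error-passive above 127 and bus-off above 255) and runs one node under three conditions: an attacker overwriting a recessive bit in every frame, an occasional transceiver glitch, and a clean bus. The bus is simplified to a wired-AND between one transmitter and an optional corrupting party, the frame is a constructed post-arbitration bit pattern, the node name and CAN ID are made up, and the attacker's own controller is assumed not to count errors (the researchers used a modified controller for this). It also illustrates Miller's point: the `attempt` function receives only "a bit read back wrong", never the cause, which is exactly what the victim's controller and a passive monitor see.

```python
"""Toy model of CAN fault confinement and the bus-off attack (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DOMINANT, RECESSIVE = 0, 1
ERROR_PASSIVE_LIMIT = 127   # TEC above this: error-passive (CAN fault-confinement rule)
BUS_OFF_LIMIT = 255         # TEC above this: bus-off, node stops transmitting
TX_ERROR_INC = 8            # a transmitter that detects an error adds 8 to its TEC
TX_SUCCESS_DEC = 1          # a completed frame subtracts 1 (floor 0)


@dataclass
class Node:
    """A CAN controller's view of its own health: the transmit error counter (TEC)."""
    name: str
    can_id: int
    tec: int = 0

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"


@dataclass
class Monitor:
    """Passive listener standing in for an IDS: counts error frames per CAN ID."""
    error_frames: Dict[int, int] = field(default_factory=dict)

    def observe_error(self, can_id: int) -> None:
        self.error_frames[can_id] = self.error_frames.get(can_id, 0) + 1


def attempt(sender: Node, bits: List[int], corrupt_at: Optional[int],
            monitor: Monitor) -> bool:
    """One transmission attempt of a post-arbitration bit sequence.

    corrupt_at is the index of a bit that reads back dominant although the
    sender drove recessive, whether an attacker drove the bus or a transceiver
    glitched; the sender cannot tell which. Returns True if the frame completed.
    """
    if sender.state == "bus-off":
        return False                      # a bus-off node no longer drives the bus
    for i, bit in enumerate(bits):
        seen = DOMINANT if i == corrupt_at else bit   # wired-AND: dominant wins
        if seen != bit:
            # Bit error: the sender signals an error flag, every node discards
            # the frame (the 'recall' in the article) and the sender's TEC += 8.
            sender.tec += TX_ERROR_INC
            monitor.observe_error(sender.can_id)
            return False
    sender.tec = max(0, sender.tec - TX_SUCCESS_DEC)
    return True


def simulate(sender: Node, bits: List[int], monitor: Monitor,
             corrupt_every: int, frames: int) -> Tuple[int, str]:
    """Transmit `frames` frames with automatic retransmission after errors.

    Every `corrupt_every`-th attempt has one recessive bit overwritten
    (corrupt_every == 1 is the attacker, 0 means a clean bus).
    Returns (attempts used, sender's final state).
    """
    target = bits.index(RECESSIVE)        # only a recessive bit can be overwritten
    sent = attempts = 0
    while sent < frames and sender.state != "bus-off":
        attempts += 1
        hit = bool(corrupt_every) and attempts % corrupt_every == 0
        if attempt(sender, bits, target if hit else None, monitor):
            sent += 1
    return attempts, sender.state


def scenario(corrupt_every: int, frames: int = 1000) -> Tuple[int, str, int]:
    """Run one constructed node under a corruption pattern.
    Returns (attempts, final state, error frames the monitor saw for its ID)."""
    frame = [1, 0, 1, 1, 0, 0, 0, 1]      # constructed control/data bits, not a real ECU's
    node = Node("victim-ecu", can_id=0x050)  # hypothetical node and CAN ID
    mon = Monitor()
    attempts, state = simulate(node, frame, mon, corrupt_every, frames)
    return attempts, state, mon.error_frames.get(node.can_id, 0)


if __name__ == "__main__":
    print("attacker hits every frame  :", scenario(1))   # bus-off after 32 attempts
    print("glitch every 10th attempt  :", scenario(10))  # node survives, TEC stays low
    print("glitch every 5th attempt   :", scenario(5))   # sustained faults also reach bus-off
    print("clean bus                  :", scenario(0))
```

The attacker case reaches bus-off after exactly 32 corrupted attempts (32 x 8 = 256 > 255) without a single valid frame from the victim getting through, which is why frame-filtering defenses never see anything to block. The glitch cases show why the counter rules exist: an error every tenth attempt is absorbed by the -1 per success and the node stays error-active, while an error every fifth attempt accumulates and eventually trips bus-off on its own. From the monitor's side, the attacked node and the badly faulting node both present as a run of error frames followed by silence on that ID, the ambiguity Miller describes.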
