Since two security researchers showed they could hijack a moving Jeep on a highway three years ago, both automakers and the cybersecurity industry have accepted that connected cars are as vulnerable to hacking as anything else linked to the internet. But one new car-hacking trick illustrates that while awareness helps, protection can be extremely complex. Researchers have uncovered a vulnerability in vehicular internal networks that's not only near-universal, but also can be exploited while bypassing the auto industry's first attempts at anti-hacking mechanisms.

Security firm Trend Micro on Wednesday published a blog post highlighting a little-noticed automotive hacking technique it presented at the DIMVA security conference in Bonn, Germany last month, along with researchers at LinkLayer Labs and the Polytechnic University of Milan. Their work points to a fundamental security issue in the CAN protocol that car components use to communicate and send commands to one another within the car's network, one that would allow a hacker who accesses the car's internals to shut off key automated components, including safety mechanisms.

"You could disable the air bags, the anti-lock brakes, or the door locks, and steal the car," says Federico Maggi, one of the Trend Micro researchers who authored the paper. Maggi says the attack is stealthier than previous attempts, foiling even the few intrusion detection systems some companies like Argus and NNG have promoted as a way to head off car hacking threats. "It's practically impossible to detect at the moment with current technology," he says.

The researchers' attack is far from a practical threat to cars on the road today. It's a "denial of service" attack that turns off components, not one that hijacks them to take over basic driving functions like accelerating, braking, or steering as the Jeep hackers did in 2015, or Chinese hackers working for Tencent more recently achieved with a Tesla. And it's not a fully "remote" attack: It requires the hacker to already have initial access to the car's network—say, via another vulnerability in its infotainment system's Wi-Fi or cellular connection, or via an insecure gadget plugged into the OBD port under its dashboard.

Instead, the attack represents an incremental advance in the still-theoretical cat-and-mouse game between the automotive industry and vehicle hackers. "It doesn’t depend on a specific vulnerability in some piece of software," says Maggi. "It’s a vulnerability in the design of the CAN standard itself."

Autoimmune

That CAN vulnerability works a bit like an autoimmune disease that causes a human body to attack its own organs. Unlike previous car-hacking techniques, the researchers' attack doesn't take over components on a car's internal network and then use them to spoof entirely new "frames," the basic units of communication sent among parts of a car's CAN network. Instead, it waits for a target component to send one of those frames, and then sends its own at the same time with a single corrupted bit that overrides the correct bit in the original frame. When the target component sees that it has sent an incorrect bit, the CAN protocol requires that it issue an error message "recalling" that faulty frame. Repeat the attack enough times (car components tend to exchange messages frequently) and those repeated error messages trick the component into telling the rest of the network that it's defective and cutting itself off from further communication.

That autoimmune attack, the researchers say, is far harder to detect, and easily circumvents existing intrusion detection systems that look for the anomalous frames that represent malicious communication within a car's network. Automotive security researcher Charlie Miller, who along with fellow researcher Chris Valasek hacked a Jeep in 2015 and designed an intrusion detection module they say would have prevented their own attack, acknowledged on Twitter Wednesday that the attack does represent a new advance in defeating car hacking defenses. "If you are designing CAN bus IDS...this is something that you need to plan for now." He added, though, that an intrusion detection system written by someone who knows about the researchers' trick could defeat it. "It is hard to defend against, but is certainly detectable."