A new vendor-neutral vulnerability discovered by security researchers affects a number of smart cars and could put drivers and passengers in the vehicle at risk of “dangerous” or “fatal” outcomes if exploited.

Researchers at Trend Micro, Linklayer Labs and Politecnico di Milano discovered the security flaw, which was caused by a design choice made within the Controller Area Network (CAN) Bus, a standard created for smart car manufacturers to follow.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

The CAN Bus is intended to establish a universal framework for vendor to operate from. By standardizing how certain systems within smart cars operate, it makes it possible for vehicles from different manufacturers to communicate with one another. Instead of accomplishing that intended outcome, the creators of the CAN Bus standardized a significant security shortcoming.

The issue deals with how the framework deals with error messages. Typically in order to exchange information, the communications systems write a frame—a message encoded in binary, a series of ones and zeros. When that frame is passed on and the numbers don’t correspond with the expected value, it produces an error message.

If a system produces too many error messages, it may be malfunctioning. In order to keep other systems operational while another stutters, the CAN Bus standard requires the that malfunctioning device enter a “Bus-Off” state. Once in such a state, the device cannot read or write data—it is effectively inoperable.

The problem is, an attacker can abuse this detection system to shut down certain operations of a vehicle using the CAN Bus system thanks to a number of other design decisions that fail to protect against a third-party attacker.

This stems from the fact that there is no authentication process to confirm a device reading or writing information sent to the CAN, so there is no way for the system to know if the data it receives is from a device inside the vehicle or an outside source.

The CAN also automatically trusts all data it receives, ignoring the possibility of unauthorized access. It’s also impossible for the system to determine if a device within the system has been compromised based on the information it sends to the CAN.

All of these issues add up to allowing for the possibility of a hacker manipulating the information sent to the CAN, allowing for a simple transfer of unverified messages to result in the shutdown of systems vital to a vehicle’s operation and to the safety of drivers and passengers.

Trend Micro researcher Federico Maggi warned the attack could be used to shut down operations like antilock braking systems or the car’s accident responses like deploying airbags. Such an attack could be “angerous and even fatal,” Maggi warned.

All it takes is a specially-crafted attack device, introduced to the car’s CAN through local access, and the reuse of frames already circulating in the CAN rather than injecting new ones (as previous attacks in this manner have done)," Maggi wrote.

The flaw affects all cars currently on the road that were built using the CAN Bus standard. It is a problem that a simple patch won’t be able to fix, as it stems from the design of the framework itself. Instead, it will require an update to the CAN Bus standard itself, and for an entire cycle of vehicles with the new standard to take ot the road while vehicles uperating under the previous standard are phased out.