The Fast and the Furious 8 has been a hit in China recently, sparking widespread discussion among movie fans. In my opinion, there are two main hacking technologies involved in the film - The Eye and Zombie Cars, which are actually related to two cutting-edge security technologies in reality - automotive and IoT security and attacker tracing. ▲ Activated "zombie car" zombie fleet - car and IoT security First, let's talk about smart cars and non-smart cars. Smart cars can actually be treated as an IoT device, which means that the attack surface of smart cars is similar to or even greater than that of other IoT devices. In fact, cars, like computers, rely on buses for internal communication, and the bus in cars is the CAN bus. The CAN network was developed by BOSCH, a German company known for its research and development and production of automotive electronic products, and eventually became an international standard (ISO 11898), and is one of the most widely used field buses in the world. The CAN bus protocol has now become the standard bus for automotive computer control systems and embedded industrial control LANs, and is also the main bus for communication between on-board ECUs. Currently, cars on the market have at least one CAN network, which serves as the backbone network for interconnection between embedded systems to interact and share information in the car. The short frame data structure, non-destructive bus arbitration technology, and flexible communication methods of the CAN bus can meet the requirements of real-time and reliability of cars, but it also brings a series of security risks, such as broadcast messages that are easily monitored, priority-based arbitration mechanisms that are vulnerable to attacks, and passive address domains and non-authentication domains that cannot distinguish the source of messages. Especially in the context of the vigorous development of automobile networking, in-vehicle network attacks have become the source of automobile information security problems, and CAN bus network security analysis has gradually become the focus of industry security experts. For example, at the DEFCON hacker conference in September 2013, hackers demonstrated how to control the Ford Kuga and Toyota Prius models from OBD-II to achieve steering, braking, throttle acceleration, instrument panel display and other actions. The in-vehicle CAN network security issues are currently mainly explored through the analysis of security vulnerabilities and various attack methods, because the vulnerability and threat model analysis of in-vehicle network security are particularly critical. In this way, as long as we seize the CAN bus, we are equivalent to seizing the nerves of the car and can control the car. ▲ What consequences will the car attacking the CAN bus in the self-driving state in the film cause? The first consequence is loss of control: One of the main applications of the CAN bus is to support the communication of active safety systems. When the vehicle is driving, active safety systems will be a double-edged sword. They do play an irreplaceable role, but considering the operability of active safety systems and the ability to adjust the correct input, it will also cause the driver to rely completely on active safety systems. Therefore, a sudden failure will cause unpredictable and dangerous consequences. In order to cause a dangerous condition, a malicious attacker will inject error frames into the CAN bus to make the active safety system fail. For example, installing an attack in the traction control system will cause dangers such as loss of vehicle control. If the attacker's target is the adaptive cruise system, it will cause the car not to stop as the driver expects. In addition, in order to maximize the harm to the driver of the car, if the data can be obtained directly from the CAN bus, the attacker can trigger a DoS attack based on specific conditions. For example, a certain speed of the car, a certain throttle percentage, or a certain GPS location. The second consequence is ransomware: a malicious attacker sets an attack in a target frame in the CAN bus, which will cause the driver to lose control of the throttle position and thus be unable to move the car. Although these may not necessarily induce a dangerous state, an attacker motivated by money will exploit the vulnerability of the car's entertainment system to force the car to stop and display a message on the entertainment system screen, asking the owner to pay a ransom to regain control of the car. The third possibility is theft: Nowadays, most expensive car door locks are controlled by connecting to the ECU via CAN, usually through the OBD-II port. It is easier and faster to isolate the data frames responsible for locking/unlocking the car doors than to reverse the active safety devices. Therefore, an attacker can isolate the data frames responsible for locking the car doors in a few minutes, program his device to perform a DoS attack on specific frames, and then plug the device into the OBD-II port to prevent the car doors from locking. For an attacker, this attack result is possible. It is possible to enter the car with low cost and then steal any valuable items in the car. For a long time, almost the entire automotive industry has a consensus that the CAN bus cannot be protected. There are two reasons. First, the ECU's computing power is insufficient; second, the bandwidth of the in-vehicle network is limited. Some LIN buses use 16-bit or 8-bit MCUs, but the encryption algorithm used by AES can only process data in 16-byte blocks, which means that the LIN bus is often in a "naked" state. Therefore, automotive safety will definitely be a hot topic in the future. As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity. |
This article introduces in detail the specific im...
China's mobile financial Internet industry ha...
Typhoon Dusurui, the fifth typhoon this year, has...
(1). Choice of keywords: It depends on whether yo...
The end of the year is approaching and various ac...
As the flagship of Volkswagen's SUV camp, the...
Whether you are doing user operations, new media ...
After the WeChat subscription account revamped it...
How to control traffic under oCPC smart bidding? ...
"Sitting with legs apart" is an indecen...
Every year, many farmers have headaches because o...
Some people hear or see others winning the lotter...
The hardtop version of the new generation Porsche...
The new pay-as-you-go interactive query service c...