CAR-HACKING DEMONSTRATIONS TEND to get all the glory in the security research community—remotely paralyzing a Jeep on the highway or cutting a Corvette’s brakes through its Internet-connected insurance dongle. But as the nascent automotive security field evolves, defensive tricks are getting cleverer, too. Now there’s a new prototype gadget that stops those vehicular attacks with an ingenious hack of its own.
In a paper they plan to present at the Usenix security conference next month, University of Michigan researchers Kyong-Tak Cho and Kang Shin describe an easy-to-assemble tool they call the Clock-based Intrusion Detection System, or CIDS. It’s designed to spot the malicious messages car hackers use to take control of vehicle components like brakes and transmission. The CIDS prototype uses a new technique to spot attack messages: It records the communications on a car’s internal network known as a CAN bus and—in just seconds—creates “fingerprints” for every digital component of a vehicle, the so-called Electronic Control Units or ECUs that allow everything from brakes to windshield wipers to communicate.
To perform that fingerprinting, they use a weird characteristic of all computers: tiny timing errors known as “clock skew.” Taking advantage of the fact that those errors are different in every computer—including every computer inside a car—the researchers were able to assign a fingerprint to each ECU based on its specific clock skew. The CIDS’ device then uses those fingerprints to differentiate between the ECUs, and to spot when one ECU impersonates another, like when a hacker corrupts the vehicle’s radio system to spoof messages that are meant to come from a brake pedal or steering system.
That sort of impersonation is key to how white hat hackers previously managed to remotely mess with vehicles’ brakes, transmission and steering systems.
The Clock Skew Method
No one has ever used clock skew to fingerprint car computer components before, but the fundamental idea isn’t entirely new. Security researchers have proposed using clock skew identification on other kinds of computers for more than a decade. The trick exploits the fact that the oscillating crystals computers use to track time have minute differences based on manufacturing defects and temperature. Over time, that means a computer’s clock can “drift” if it’s not constantly reset against a more accurate clock via the internet—and since cars’ ECU clocks are designed to allow signals to be sent at certain frequencies rather than certain times of day, their clocks tend to drift without ever being corrected.
“Since each clock drifts, based on the message arrival, I can tell whether it’s sent by [the car’s legitimate ECU] or someone else,” says Kang Shin, the University of Michigan professor who created CIDS along with graduate researcher Kyong Tak. “We can fingerprint it based on timing, according to that clock.”
By monitoring both that drift and the variance in the clocks’ skew over short periods of time, the researchers’ CIDS prototype, which connects to a car’s network via the OBD-2 port under the dashboard, fingerprinted dozens of ECUs. They tested simulated attacks on a Honda Accord, a Toyota Camry, and a Dodge Ram, and found that it was able to detect spoofed messages in each case. When it spots one of those spoofed messages, it can be programmed to either alert the driver or put the car into a “limp” mode that allows the driver to safely bring the car to a stop. And the defense technique would be tough for even a very motivated car hacker to defeat, they say—at least, not without an infected ECU that precisely replicates the temperature of the component it’s impersonating.
That means clock skew might be an effective new way to verify which component is sending messages on a CAN network, a security measure that doesn’t exist at all in most modern vehicles. “For the CAN networks you and I might have in our cars, there’s no authentication,” says Tadayoshi Kohno, a University of Washington computer security professor who both invented clock-skew fingerprinting techniques in 2005 and reviewed the Michigan researchers’ paper for Usenix. “This is way to add it in after the fact.”
Focusing on Defense
The Michigan researchers’ gadget is just a proof of concept. They don’t plan to build a consumer product, and they’re not yet releasing their code. Instead, they published a detailed paper on the technique. The prototype was built with just an Arduino Uno board, a Seeed Studio CAN-BUS shield, and some wiring, hardware that cost a total of around $50. They’re hoping to spur carmakers into integrating CIDS technology in vehicles.
“I hope this motivates people to focus more on attack detection rather than just performing attacks,” says Kang of the security research community. “There are a lot more defenses we can make for vehicle safety and security.”
The CIDS device isn’t the only gadget to defend against car attacks, though. In 2014, hackers Charlie Miller and Chris Valasek—whose Jeep hack later triggered a 1.4 million vehicle recall—built their own, much simpler vehicle intrusion detection device. That gadget detects abnormal messages that appear to come from the same source as legitimate ones at the same time, a sign that the network is compromised. “You can build more complicated [intrusion detection] algorithms, but why?” Miller writes to WIRED. “Our super simple one detects every known attack.”
But the University of Washington’s Kohno, who helped develop one of the first car hacking exploits in 2010, says that it’s still too early in the car hacking cat-and-mouse game to depend on any single method. He argues that the CIDS technique could eventually find more sophisticated attacks that have yet to surface. For a field like automotive security where lives are at stake, he says, any innovative defense technique is welcome. “One thing we know is that attacks always get better,” says Kohno. “Putting up defenses before the attacks appear is the forward looking approach, rather than wait for the damage to be done. We can’t undo that damage.”