On Friday (28th of July), the Industrial Controls Systems Cyber Emergency Team or ICS-CERT, issued an alert in response to a public report of a vulnerability in the Controller Area Network (CAN), Bus standard.
The vulnerability detailed in the alert is a stealth Denial of Service attack that requires physical access to the CAN, and an attacker with extensive knowledge of how to reverse engineer the traffic. This ultimately results in the disruption of the availability of arbitrary functions of the target device.
The public report that is referenced in the ICS-CERT alert is from a group of Italian security researchers from Politecnico di Milano (the largest technical university in Italy), in their report the researchers detail how “modern vehicles incorporate tens of electrical control units (ECU’s) , driven by, according to estimates, as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based upon the CAN bus standard…”.
The report presents how the denial-of-service attack against the CAN bus standard is harder to detect, because it exploits the design of the CAN protocol at a low level. This allows an attacker to target malfunctions in safety-critical components or disable vehicle functionalities such as power steering or airbags for example.
The attack exploits the weakness in the CAN protocol, working between the physical and data link layers of the OSI stack without requiring any message sending capability to the attacker.
It is important to note that the research conducted in the report concluded that this attack is completely undiscoverable without a major restructure of the CAN bus networks, which is widely adopted in automotive, manufacturing, building automation, and hospitals.
A full proof of concept of the CAN denial-of-service was posted on Github, the project titled “A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks” proves the attack detailed in the paper released by Politecnico di Milano. The attack was delivered against a Alfa Romeo Giulietta using a Arduino Uno Rev 3 to disable the parking sensor module (identifier 06314018) on CAN B operating at 29 bit / 50 kbps.
In summary, this exploit focuses on recessive and dominate bits to cause malfunctions in CAN nodes rather than complete frames, which have been found in previously reported attacks which can be detected by IDS/IPS systems unlike this attack.
Because of how the denial of service attack exploits the design of the CAN protocol, and how easily an input port (typically ODB-II), can be accessed by a potential attacker the recommendation from ICS-CERT is to limit access to these input ports. They are also working with the automotive industry and other industries to strategize mitigation plans.
Finally, given how widely CAN bus is adopted by the automotive, healthcare, and manufacturing industries this further highlights how singular weaknesses in a secure environment can compromise the network as a whole.
About the author: Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
From a background of threat intelligence, social engineering, and incident response, Stuart Pecks heads up Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organizations on the latest attacker trends facing business today and how to combat them, Stuart’s key areas of expertise include: the dark web, social engineering, malware and ransomware analysis & trends, threat hunting, OSINT, HUMINT and attacker recon techniques.
(Security Affairs – security cameras, IoT)