By Kevin Lackey, OT, ICS & SCADA Cyber Security Principal
Driving (pun intended) towards a Minimum Security Standard for automotive control systems is more important than ever, as these systems are quickly becoming fully independent from human control. Within 20 years of the advent of computer-regulated electronic fuel injection, first mass produced and available to consumers on the 1967 Volkswagen Type 3 with Bosch's Bendix-derived D-Jetronic system, the average North American had daily hands-on interaction with a control system and probably never realized it. By 1994, every new vehicle sold in the United States used some form of electronic fuel injection, which is itself a control system.
An electronic fuel injection system uses sensor inputs, initially analog and now both analog and digital, to feed an engine management computer commonly called the Engine Control Unit (ECU). The ECU takes the incoming sensor data, evaluates it against its timing and fuel maps, and uses the result to control the air-to-fuel mixture, injector duration and ignition timing. To control fuel injection timing and duration, cylinder ignition and engine power output, modern ECUs receive data from a variety of sensors:
- crankshaft position
- camshaft position
- coolant temperature
- exhaust gas temperature
- exhaust O2 content (oxygen/lambda sensor)
- intake air flow, air mass and air temperature
- throttle position sensor (TPS)
As automobiles have become increasingly sophisticated, additional control units have been added to the vehicle. Body Control Units (BCUs) report and act on the state of the body electronics: the lights, the door locks, whether a door is open, the presence of an authorized key fob, and so on.
Transmission Control Units (TCUs) monitor transmission temperature, the gear currently selected and other data. Prevalent in performance vehicles are traction control and launch control systems. Traction control receives data from individual wheel speed sensors, differential sensors and other sources and applies individual brakes or clutch-based differential locking to stop a wheel from spinning. Launch control is tied into the brakes, the ECU (throttle control) and the traction system to ensure that a performance vehicle launches without overcoming its tires' grip.
Traditionally, an automobile was directly controlled by a human driver. The driver's inputs (accelerator pedal, steering wheel, brake pedal and gear selector) were mechanically tied to the automobile to control vehicle behavior. The accelerator pedal was connected via a linkage to a butterfly valve in the carburetor that controlled how much air/fuel mixture the engine consumed. The steering wheel was connected via a steel shaft to the steering box. As computer control systems became more prevalent, these once-mechanical inputs migrated to "fly by wire": modern cars no longer have a direct linkage from the accelerator pedal to the engine. Rather, an accelerator pedal position sensor reports pedal travel to the ECU over a wire, and the ECU drives the throttle body electrically, reading its throttle position sensor to close the loop.
New vehicles with self-parking features, adaptive cruise control and collision avoidance take the number of input sensors and fly-by-wire controls to new heights, using LIDAR, CMOS camera sensors and the other data available to the vehicle control systems to make and influence the car's driving behavior. They can steer, apply the brakes, accelerate or decelerate and change gears based on the control systems' situational awareness, in order to avoid accidents, park themselves and drive along the highway with minimal human guidance.
This automation, whether engine management, traction management or collision/driving management, is largely achieved by passing data back and forth between the various sensors and control units over a serial network called the Controller Area Network (CAN) bus. CAN is a broadcast bus: every node sees every frame, a frame carries an arbitration identifier and up to eight data bytes but no sender address, and the base protocol provides no authentication or encryption, so a receiver acts on any frame bearing the identifier it expects.
The next generation of automobiles takes the dependence on digital sensors, automated decision making and automated driving to a human-independent level. Data from positioning (GPS), CMOS camera and LIDAR inputs will be combined with the existing ECU, BCU, TCU and other systems to produce vehicles that are fully self-driving. Many such proposed vehicles from the automotive industry lack any human operator controls.
Digital input will be fed to computers that use digital and analog outputs to control the behavior and driving of the vehicle. Without proper security controls on the communications of whatever buses and pathways are employed, significant safety risks emerge.
Here comes the FUD.
Imagine a malicious hacker tapped into the GPS, LIDAR and CMOS camera feeds. The hacker has tremendous visibility into the whereabouts and surroundings of the vehicle. Now imagine the same hacker is able to inject frames directly onto the communications bus that carries the steering, braking and throttle commands. Armed with high-fidelity imaging and positioning data, the attacker can pick a high-value target (crowds, historic buildings, sporting events, etc.) and turn an occupied vehicle into a 5,000 lb kinetic energy weapon.
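The injection scenario above, as an added example that is not part of the original post or of any vehicle's actual software: a small Python model of classic CAN data frames and a receiving ECU. Everything in it is constructed for illustration. The arbitration ID 0x0C1 for pedal position is made up (real IDs are manufacturer-specific), and the frame model keeps only the ID, DLC and payload that a receiver acts on, omitting the bit-level CRC, ACK and stuffing fields. The point it demonstrates is that a frame carries no sender identity, so the ECU applies an attacker's "100% throttle" frame exactly as it would the pedal's own.

```python
"""Added example, not from the original post: a minimal model of classic
CAN 2.0A data frames and a receiving ECU, showing why raw frame injection
works. IDs and values below are constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Optional

PEDAL_ID = 0x0C1   # constructed arbitration ID for pedal-position frames


@dataclass(frozen=True)
class CANFrame:
    can_id: int    # 11-bit arbitration identifier (0..0x7FF)
    data: bytes    # 0..8 payload bytes; the DLC is len(data)

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("classic CAN uses an 11-bit identifier")
        if len(self.data) > 8:
            raise ValueError("classic CAN frames carry at most 8 data bytes")

    def encode(self) -> bytes:
        """Serialize as ID (2 bytes, big-endian), DLC, payload.
        Note what is absent: no source address and no authenticator.
        Nothing in the frame says which node put it on the bus."""
        return self.can_id.to_bytes(2, "big") + bytes([len(self.data)]) + self.data

    @classmethod
    def decode(cls, raw: bytes) -> "CANFrame":
        if len(raw) < 3:
            raise ValueError("short frame")
        can_id = int.from_bytes(raw[:2], "big")
        dlc = raw[2]
        if len(raw) != 3 + dlc:
            raise ValueError("DLC does not match payload length")
        return cls(can_id, raw[3:])


def arbitrate(contending: List[CANFrame]) -> CANFrame:
    """CAN bus arbitration: when several nodes start transmitting at the
    same instant, the frame with the numerically lowest ID wins and the
    others back off. An attacker who chooses low IDs therefore gets
    priority over legitimate higher-ID traffic."""
    return min(contending, key=lambda f: f.can_id)


class ThrottleECU:
    """Receiver that tracks the commanded throttle from pedal frames."""

    def __init__(self):
        self.throttle_pct: Optional[int] = None
        self.frames_seen = 0

    def on_frame(self, raw: bytes) -> None:
        frame = CANFrame.decode(raw)
        self.frames_seen += 1
        if frame.can_id == PEDAL_ID and len(frame.data) >= 1:
            # The ECU cannot tell whether this frame came from the pedal
            # sensor or from an attacker-controlled node on the same bus;
            # it simply applies the most recent value it received.
            self.throttle_pct = frame.data[0]


def simulate_injection() -> ThrottleECU:
    """Constructed traffic: two legitimate pedal frames (12%), then one
    forged frame with the same ID demanding 100% throttle."""
    ecu = ThrottleECU()
    pedal = CANFrame(PEDAL_ID, bytes([12]))
    forged = CANFrame(PEDAL_ID, bytes([100]))
    for f in (pedal, pedal, forged):
        ecu.on_frame(f.encode())
    return ecu


if __name__ == "__main__":
    ecu = simulate_injection()
    print(f"frames seen: {ecu.frames_seen}, commanded throttle: {ecu.throttle_pct}%")
    winner = arbitrate([CANFrame(0x300, b""), CANFrame(PEDAL_ID, b"\x64"), CANFrame(0x200, b"")])
    print(f"arbitration winner: 0x{winner.can_id:03X}")
```

After the third frame the ECU's commanded throttle is 100 even though two legitimate 12% frames preceded it; no field in the encoded bytes lets the receiver distinguish the forged frame from the real ones. The `arbitrate` helper shows the second half of the problem the post alludes to: priority on the bus is decided by identifier alone, so whoever transmits the lowest IDs wins contention.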
How do we prevent this from happening? Controls that mitigate the risk created by an attacker's ability to inject and tamper with data on the wire will be discussed in LEO's next automotive security blog post. Make sure to stay tuned and to follow us on social media @LEOCyberSec.