Richard Clarke: Hastings Accident “Consistent with a Car Cyber Attack”

Document & FYI I'm not looking to sow a spirit of fear, just wanted to 'share' a little bit. I'm trying to find out if its available somewhere online.

Packet Sniffing and Targeted Probing. To begin, we Used CARSHARK to observe traffic on the CAN buses In order to determine how ECUs communicate with each other. This also revealed to us which packets were sent as we activated various components (such as turning on the headlights). Through a combination of replay and informed
probing, we were able to discover how to control the radio,
the Instrument Panel Cluster (IPC), and a number of the
Body Control Module (BCM) functions, as we discuss
below. This approach worked well for packets that come
up during normal operation, but was less useful in mapping
the interface to safety-critical powertrain components."
Even at speeds of up to 40 MPH on the runway, the attack packets had their intended effect, whether it was honking the horn, killing the engine, preventing the car from restarting, or blasting the heat. Most dramatic were the effects of De- viceControl packets to the Electronic Brake Control Module (EBCM) — the full effect of which we had previously not been able to observe. In particular, we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes. Even though we expected this effect, reversed it quickly, and had a safety mechanism in place, it was still a frightening experience for our driver. With another packet, we were able to instantaneously lock the brakes unevenly; this could have been dangerous at higher speeds. We sent the same packet when the car was stationary (but still on the closed road course), which prevented us from moving it at all even by flooring the accelerator while in first gear.

These live road tests are effectively the “gold standard” for our attacks as they represent realistic conditions (unlike our controlled stationary environment). For example, we were never able to completely characterize the brake behavior until the car was on the road; the fact that the back wheels were stationary when the car was on jack stands provided additional input to the EBCM which resulted in illogical behavior. The fact that many of these safety-critical attacks are still effective in the road setting suggests that few DeviceControl functions are actually disabled when the car is at speed while driving, despite the clear capability and intention in the standard to do so.
Engine.

Most of the attacks against the engine were found by fuzzing DeviceControl requests to the ECM. These findings are summarized in Table V-A. We were able to boost the engine RPM, disturb engine timing by resetting the learned crankshaft angle sensor error, disable all cylinders simultaneously (even with the car’s wheels spinning at 40 MPH when on jack stands), and disable the engine such that it knocks excessively when restarted, or cannot be restarted at all. Additionally, we can forge a packet with the “airbag deployed" bit set to disable the engine. Finally, we also discovered a packet that will adjust the engine’s idle RPM.

Brakes. Our fuzzing of the Electronic Brake Control Module (see Table IV) allowed us to discover how to lock individual brakes and sets of brakes, notably without needing to unlock the EBCM with its DeviceControl key. In one case, we sent a random packet which not only engaged the front left brake, but locked it resistant to manual override even through a power cycle and battery removal. To remedy this, we had to resort to continued fuzzing to find a packet that would reverse this effect. Surprisingly, also without needing to unlock the EBCM, we were also able to release the brakes and prevent them from being enabled, even with car’s wheels spinning at 40 MPH while on jack stands.

HVAC. We were able to control the cabin environment via the HVAC system: we discovered packets to turn on and off the fans, the A/C, and the heat, in some cases with no manual override possible.