New Jeep hack proves cars still exposed: Page 3 of 4

August 04, 2016 // By Junko Yoshida
When automotive security researchers Charlie Miller and Chris Valasek take the stage Thursday morning (August 4) at the Black Hat conference in Las Vegas, they will outline new methods of CAN message injection. The two researchers, who now work for Uber’s Advanced Technology Center, will demonstrate how to physically seize control of the braking, steering, and acceleration systems in a vehicle.

Layered approach needed

The lack of security solutions for ECU networks poses a real safety problem, he said, because CAN networks are directly tied to a vehicle’s actuation — brakes, steering, etc. By his count, “85 percent of actuation occurs on the CAN networks.”

Without authentication, encryption or cryptographic key management, the CAN network is the weakest link in the entire security chain, he stressed.


15 of the most hackable and exposed attack surfaces on a connected car. (Source: Intel)

To protect cars from hackers, the automotive industry needs a layered approach, noted Uze.

First, if authentication is done on the network, it allows only a legitimate member to participate in CAN bus communications, said Uze.

Second, by adding encryption to a CAN bus, a rogue message, in order to be recognized as legitimate, would have to emulate everything from encryption to key exchange and authentication code.

The third element is an asymmetric solution for key exchange. When all legitimate members on the network – 50 ECUs, for example – are white-listed, then when the 51st pops up, “you know it isn’t legitimate.”
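The first and third layers described above (per-frame authentication plus an allow-list of known members), as an added example that is not from the article and is not Trillium's SecureCAN. It assumes pre-shared per-ID keys in place of the asymmetric key exchange and omits encryption; the 4/1/3-byte payload split, the CAN IDs and the key are constructed for illustration.

```python
import hashlib
import hmac
import struct

DATA_LEN, TAG_LEN = 4, 3  # assumed split of the 8-byte payload: data|counter|tag

def _tag(key, can_id, counter, data):
    # MAC covers the CAN ID and counter so a tag cannot be reused elsewhere.
    msg = struct.pack(">HB", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def seal(key, can_id, counter, data):
    """Sender: build the 8-byte payload for one frame."""
    if len(data) != DATA_LEN or not 0 <= counter <= 255:
        raise ValueError("need 4 data bytes and a one-byte counter")
    return data + bytes([counter]) + _tag(key, can_id, counter, data)

class Receiver:
    def __init__(self, allowed):
        self.keys = dict(allowed)  # allow-list: CAN ID -> shared key
        self.last = {}             # highest counter accepted per CAN ID

    def accept(self, can_id, payload):
        """Return the data bytes, or None if the frame is rejected."""
        key = self.keys.get(can_id)
        if key is None or len(payload) != DATA_LEN + 1 + TAG_LEN:
            return None            # sender not on the allow-list, or malformed
        data, counter, tag = payload[:4], payload[4], payload[5:]
        if not hmac.compare_digest(tag, _tag(key, can_id, counter, data)):
            return None            # tag was not made with this member's key
        if counter <= self.last.get(can_id, -1):
            return None            # stale counter: replayed frame
        self.last[can_id] = counter
        return data

def demo():
    key = bytes(range(16))                       # constructed test key
    rx = Receiver({0x1A0: key})                  # 0x1A0: constructed ID
    first = seal(key, 0x1A0, 1, b"\x00\x10\x00\x00")
    second = seal(key, 0x1A0, 2, b"\x00\x20\x00\x00")
    forged = second[:-1] + bytes([second[-1] ^ 1])  # wrong tag, no key
    return [rx.accept(0x1A0, first) is not None,    # genuine frame
            rx.accept(0x1A0, first) is not None,    # replay of it
            rx.accept(0x1A0, forged) is not None,   # injected frame
            rx.accept(0x2B0, first) is not None,    # ID not on allow-list
            rx.accept(0x1A0, second) is not None]   # next genuine frame

if __name__ == "__main__":
    print(demo())
```

The 24-bit tag and one-byte counter are simply what fits beside four data bytes in a classic CAN frame; a deployed scheme needs a wider freshness value and a larger tag budget than this sketch uses.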

Trillium, a two-year-old start-up founded by Uze in Japan, has developed a technology called SecureCAN — “a CAN bus encryption and key management system for protecting payloads less than 8 bytes.”

Historically, the assumption among automakers and tier ones was that protecting the CAN bus is impossible, due to limits in the ECU’s processing power and in-vehicle bandwidth.

With SecureCAN, Trillium claims it can offer authentication, encryption or cryptographic key management to the CAN bus. No other technology company is offering this yet.