The National Cryptologic Museum opened its doors to the public last week. As part of the exhibits, visitors will be able to interact with a quirky little car with a big claim: under the hood, it demonstrates hardware that can thwart many cyberattacks on automobiles.
The BESSPIN Vehicle Demonstrator
DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program set out to develop secure-by-design hardware to mitigate a wide range of cybersecurity threats. Galois participated in the program under the Balancing the Evaluation of System Security Properties with Industrial Needs (BESSPIN) project.
As part of this project, we developed a vehicle demonstrator (named the BESSPIN demonstrator) that would showcase the effectiveness of the newly designed hardware in thwarting cyberattacks on an automobile. The demonstrator showed that this novel, DARPA-funded hardware could successfully defend against an attack modeled after one seen in the wild.
The driving simulator is designed to show visitors both the process of hacking and the experience of being hacked, in an unprotected car and in a secure one. The driver’s role is to travel to the airport, while the hacker’s role is to exploit a vulnerability in the car’s over-the-air update server, gain access to the infotainment system, and hack both the infotainment system and critical systems such as brakes, steering, throttle, and transmission. The demonstrator is intended for a wide audience without deep technical knowledge; by the end of the demonstration, visitors will have a better understanding of the dangers of driving a vulnerable car and the importance of protecting their vehicles with secure hardware.
Under the hood
Our demonstrator’s hack targets the vehicle’s infotainment Electronic Control Unit (ECU), and could conceptually be executed on many modern cars, because the infotainment system requires network connectivity and provides various services. One of these services is a remote software update service (Over-The-Air, or OTA) that contains a buffer overflow vulnerability. We exploit this vulnerability to change the value of the cryptographic key used to verify the signature of the downloaded update. This allows us to upload a binary that sniffs the car’s current position and sends it back to the hacker, exfiltrating the car’s position without the driver’s knowledge.
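An added illustration, not code from the BESSPIN repositories, of the bug class described above: an unchecked copy into a request field overruns into an adjacent verification key, next to a handler that rejects the oversized request. The memory layout, sizes, and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical size of the request field */
#define KEY_LEN  32   /* hypothetical size of the verification key */

/* Assumed layout: request field directly followed by the key. One flat
   array models both, so the overrun stays inside this object and the
   demo itself has defined behaviour. */
typedef struct { uint8_t mem[NAME_LEN + KEY_LEN]; } ota_state;

void ota_init(ota_state *s) {
    memset(s->mem, 0, NAME_LEN);
    memset(s->mem + NAME_LEN, 0xA5, KEY_LEN);     /* constructed trusted key */
}

int key_is_trusted(const ota_state *s) {
    for (size_t i = 0; i < KEY_LEN; i++)
        if (s->mem[NAME_LEN + i] != 0xA5) return 0;
    return 1;
}

/* Flawed handler: copies as many bytes as the sender claims. */
void set_name_unchecked(ota_state *s, const uint8_t *d, size_t len) {
    if (len > sizeof s->mem) len = sizeof s->mem; /* keeps the demo in bounds */
    memcpy(s->mem, d, len);                       /* no check against NAME_LEN */
}

/* Hardened handler: rejects anything larger than the field. */
int set_name_checked(ota_state *s, const uint8_t *d, size_t len) {
    if (len > NAME_LEN) return -1;
    memcpy(s->mem, d, len);
    return 0;
}

/* Runs one constructed oversized request; returns 1 if the key is intact. */
int key_intact_after(int use_checked) {
    ota_state s;
    uint8_t req[NAME_LEN + KEY_LEN];
    memset(req, 0x42, sizeof req);                /* constructed input */
    ota_init(&s);
    if (use_checked) (void)set_name_checked(&s, req, sizeof req);
    else             set_name_unchecked(&s, req, sizeof req);
    return key_is_trusted(&s);
}

int main(void) {
    printf("unchecked: key intact = %d\n", key_intact_after(0));
    printf("checked:   key intact = %d\n", key_intact_after(1));
    return 0;
}
```

Once the key bytes differ from the trusted value, signature verification is anchored to whatever the request wrote there, which is why the length check has to reject the request rather than truncate it.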
Once the OTA service is compromised, a hacker can upload and execute an arbitrary binary. The second stage of the attack is to upload a program that leverages a software error in the implementation of the SAE J1939 protocol in various ECUs controlling critical systems, such as brakes or acceleration. As a result, the hacker can remotely disable brakes, set max acceleration, or engage the Lane Keep Assist System (LKAS). (These kinds of attacks aren’t just theoretically possible; they’ve been demonstrated in the wild before.)
For the demonstration, we created a secure automotive architecture that can be used to emulate the control modules found in modern automobiles. The heart of the system is two sets of custom FPGA boards, which are configured to act as a car’s ECU modules. The processors used in the system are CHERI from SRI-Cambridge and HARD from Lockheed Martin. Both of these processors have security features that can eliminate incoming attacks.
We started with a Smart ForTwo car and removed the engine, airbags, and other parts. We replaced the windshield with a large monitor to run the BeamNG driving simulator. We modified a speedometer, steering wheel, pedals, and level shifter to route the driver inputs to the ECUs. This completed the driving experience: the result was a driving simulator that allowed visitors to sit in a real car interior and experience the ECU hardware hack.
The BESSPIN Demonstrator. Two players participate in two scenarios: nominal and secure. In nominal mode, the hacker player launches an attack, harming the driver. In secure mode, the hacker player’s attack is thwarted by the secure hardware, allowing the driver player to complete the trip.
The next destination
If you happen to be visiting the National Cryptologic Museum, make sure you stop by the exhibit! Museum visitors will be able to drive safely with the power of SSITH.
For a deeper dive behind the demonstrator technology, look at the DARPA SSITH video below.
The code for the vehicle, as well as all of the other codebases made for BESSPIN, is open source. More information about the demonstrator is available at its GitHub repository. To learn more about Galois’s BESSPIN project and various software artifacts, check out our top-level BESSPIN repository.