Attacking Moving Vehicles

2024, Mar 17    

It's no secret that modern-day vehicles have become more complex and are heavily dependent on technology to function. Gone are the days of a simple mechanical engines you could repair with nothing more than a socket set and pair of pliers. With the additional technology comes additional functional (such as lane-assist and self-driving), however with all technology there are also vulnerabilities.

My recent experiences with the lane-assist functionality in a vehicle got me thinking about how secure things actually are, and potential avenues for attack. Two distinct approaches came to mind and I figured I would share them here for your own amusement / paranoia. Differentiating these comes down to to traceability, with one leaving a digital footprint (in theory) and the other leaving no trace at all. Of note, I'm not aware of either of these attacks being used in the wild, but it wouldn't surprise me if these take off (pun intended).

Attack 1 - Falsified Road Data

Modern cars use a mix of systems for their self-driving capability, but in its simplest form the lane-assist functionality many modern day cars feature uses a combination of localised radar data to detect objects around the vehicle (especially in front of it) and a camera feed (either infrared or in combination with visible light) to read the road markings / road signs. This approach has been refined over the years and providing you are driving on a half-decent road (and have a clean windscreen) it works relatively well. Those who do a large amount of motorway miles will appreciate the ability to let the car keep you in the chosen lane and accelerate / decelerate automatically.

This attack focuses on the camera(s) that keep you in lane, specifically, overpowering them a mini projector fitted to the bottom of a drone. As the cameras fitted to cars are designed to work in very dark / very bright conditions, their tolerance to different levels of light is better than the human eye. By projecting a very bright image directly onto the camera(s) it could potentially trick the autonomous system into believing the road was different than it is, and in turn get the car to automatically steer into oncoming traffic / off the road itself.

As laser projectors exist and are capable of pushing a significant number of lumens there are two main obstacles to this approach. Firstly, synchronising the flight of a drone to a moving vehicle on a bumpy road is no easy feat, especially when the tolerance for a laser projector aimed at a camera on a windscreen is less than a millimetre. Secondly, car systems (at least newer ones) also rely on a combination of GPS/map data to aid in driving accuracy, however that isn't always an available source and isn't always used (travelling through tunnels etc).

While this type of attack may be viable, from a practicality perspective it is incredibly difficult to achieve and there are easier ways to sabotage a vehicle (for example, why not use the drone to blind the driver instead?)

Attack 2 - Remote Vehicle Hack

This type of attack is the more realistic however it relies on cars having some form of enabled connectivity combined with a vulnerability. In this example, a drone hovers above the vehicle (at a height whereby it isn't easily seen) and uses a directional antenna (Yagi) that points at the vehicle in other to connect to its systems via bluetooth/WiFi.

The challenge with this type of attack is less about the flying of the drone, but more around component isolation. The infotainment systems within a vehicle are designed to be protected from an attack and in theory shouldn't be able to access the CAN bus within the vehicle. That said, modern infotainment systems require a level of connectivity to other systems which blurs the line of sandboxing / component isolation. For example, OTA updates can be sent to modern vehicles which can update all of the systems within a vehicle (including the infotainment), showing a base level of connectivity which could be compromised.

Where an attack vector is known (i.e., outdated / unpatched software or broken bluetooth firmware) the drone would perform the attack on the vehicle, then act as a relay to the attacker (likely using a 4G/5G technology). From there, and depending on the vehicle, control of the different systems within the vehicle becomes possible. Modern vehicles that have steer-by-wire / throttle-by-wire / brake-by-wire don't require much of an imagination to consider what action could be taken.


So what is the moral of this? In truth, it's tricky... With most things in life we are at the mercy of the manufacturer to keep software secure / up-to-date. Unfortunately there are some that really don't try in this regard, and thanks to the term Minimum Viable Product (possibly my most hated term/acronym to date) security is commonly an afterthought. The only advice I can offer on this is to check how often the vendor releases security updates (or any updates for that matter) to their vehicle prior to purchase. See what their track record is like, and where applicable, see if they have had security incidents in the past (and how they have dealt with it). Multiple manufacturers have had issues with key cloning as an example, but not all of them have responded in favour of the public (those being directly affected).