Researcher Don A. Bailey will be showing at the Black Hat security conference next week how easy it is to open and even start a car remotely by hacking the cellular network-based security system. Even more disturbing is the message that demonstration brings, that cars aren't the only things at risk.
"We are seeing more GSM [Global System for Mobile Communications]-enabled systems popping up in consumer culture and industrial control systems. They're not just in Zoombak [Global Positioning System] location devices and personal security control systems, but also in sensors deployed for waste treatment facilities, SCADA [Supervisory Control and Data Acquisition] and call-back systems, physical security systems, industrial control systems," Bailey, a senior security consultant at iSec Partners, said today. "These GSM modules open up that world to attacks in a whole new way."
Bailey, who stumbled upon the realization of how widespread flaws in embedded systems might be when he hacked the Zoombak a few months ago, turned his attention to another easily accessible, and as it turns out, easily hackable car alarm system. He won't name the vendor, but he and Mathew Solnik, security consultant at iSec Partners, were able to unlock a car and start it by manipulating the car security and control system over the cellular network. They did this by sending special SMS messages to the car computer, a method they call "war texting."
"When we looked at this car security and control system we determined within the first few hours that it was completely ownable, front to back," Bailey told CNET. "This is not just a theoretical attack. This is a practical attack we've used on more than one system now."
But a stolen car can be replaced and insured. The real concern is that the same architecture that Bailey and Solnik exploited is being used in many other areas where exploitation would create more widespread and severe impact. The use of cellular and data networks opens legacy control environments and others to all sorts of attacks such as man-in-the-middle, message spoofing, and data injection, according to Bailey.
One problem is that vendors are using smaller chipsets to save money and they don't have enough code space to handle large number cryptographic processing, so the systems can't validate that messages are coming from trusted sources, he said. Also problematic is combining the baseband with the microcontroller, which tells the baseband what to do and connects to the cellular network. The baseband doesn't provide application level encryption, so the commands are in clear text and easy to retrieve via reverse engineering, Bailey said. Another issue arises because the networks aren't partitioned, so devices are able to talk to each other and thus can compromise each other, he added.
"This unique architecture is used all over the place. It's getting popular because of smart phones, the lower costs of GSM and decreasing costs of microcontrollers and basebands," Bailey said.
Bailey said he has been in touch with the Department of Homeland Security and US-CERT about these issues and representatives are interested in coordinating with vendors on solutions.