* These attacks were demonstrated on a "moderately priced late model sedan" which is surely a bit of a different situation than a brand new luxury car.
That could mean more sophisticated systems and likely less time to reverse engineer - assuming you don't believe the manufacturer is complicit.
* On pages 5 and 6 they describe the work necessary to pull the exploits off. They dumped over two dozen ECUs, desoldering them where necessary and, if I'm not mistaken - reverse engineered them and injected the code which was necessary to support the follow-on attacks.
Assuming the same type and method of attack, the attacker would have had to successfully generate attack knowledge for a 2013 model-year car then gain intimate physical access to the vehicle to seed the exploits before eventually remotely exploiting them.
That reads like a tall order to me, but it could be the opposite. I could certainly imagine newer, increasingly connected vehicles being more exploitable.
>That could mean more sophisticated systems and likely less time to reverse engineer
Car electronics change very little year to year. If you have an unreported exploit, it wouldn't surprise me if it were valid for more than 5 production years. The bigger issue is that the networks in these cars are only secured by physical access, and there are more devices on the bus every year.
A remote exploit must fetch a pretty penny, so I would expect professionals to get to work on pre-production units as soon as they are available in the hope that they don't change substantially.
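The point above is that the in-vehicle bus has no authentication of its own, so anything that can put frames on it is trusted. As an added example (not from the paper or from anyone in this thread), here is one way ECUs can authenticate classic 8-byte CAN frames: a truncated HMAC plus a per-ID freshness counter, so that a replayed, modified or re-labelled frame is dropped even by a receiver that cannot tell which device sent it. The key, CAN IDs and layout (3 data bytes, 2 counter bytes, 3 tag bytes) are assumptions constructed for the demo; production schemes use provisioned keys, longer tags where the payload allows, and a counter-resynchronisation procedure this example omits.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In a vehicle each ECU pair would hold a provisioned key in
# protected storage; the value here exists only so the example runs offline.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

MAC_LEN = 3                          # truncated tag, 24 bits
CTR_LEN = 2                          # 16-bit freshness counter
DATA_LEN = 8 - MAC_LEN - CTR_LEN     # 3 bytes left for application data


def _tag(key, can_id, counter, data):
    """Truncated HMAC-SHA256 over (CAN ID, counter, data); binds the tag to the frame's ID."""
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key, can_id, counter, data):
    """Return (can_id, payload) where payload is data || counter || tag, packed into 8 bytes."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly %d bytes" % DATA_LEN)
    if not 0 <= counter <= 0xFFFF:
        raise ValueError("counter out of range")
    payload = data + struct.pack(">H", counter) + _tag(key, can_id, counter, data)
    return can_id, payload


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh for that CAN ID."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}       # can_id -> highest counter accepted so far

    def accept(self, can_id, payload):
        """Return the application data on success, or None if the frame is rejected."""
        if len(payload) != 8:
            return None
        data = payload[:DATA_LEN]
        (counter,) = struct.unpack(">H", payload[DATA_LEN:DATA_LEN + CTR_LEN])
        tag = payload[DATA_LEN + CTR_LEN:]
        # Constant-time compare, so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return None
        if counter <= self.last_counter.get(can_id, -1):
            return None              # replayed or stale frame
        self.last_counter[can_id] = counter
        return data


def demo():
    """Constructed scenario: one genuine frame, then a replay, a tampered copy, and a re-labelled copy."""
    rx = Receiver(DEMO_KEY)
    can_id, payload = build_frame(DEMO_KEY, 0x2F0, 7, b"\x01\x02\x03")
    results = {
        "genuine": rx.accept(can_id, payload) is not None,
        "replay": rx.accept(can_id, payload) is not None,      # same frame again
    }
    tampered = bytes([payload[0] ^ 0xFF]) + payload[1:]         # flip a data byte
    results["tampered"] = rx.accept(can_id, tampered) is not None
    results["wrong_id"] = rx.accept(0x3A1, payload) is not None  # same bytes under another ID
    return results


if __name__ == "__main__":
    print(demo())
```

Only the genuine frame is accepted; the replay fails the counter check, and the tampered and re-labelled copies fail the tag check because the tag covers both the data and the CAN ID.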
>then gain intimate physical access to the vehicle to seed the exploits before eventually remotely exploiting them
I think you read this wrong - the car was disassembled to explore the systems, but after vulnerability development, physical access to a target was not required. This is suggested by "Sniff MAC address, brute force PIN, buffer overflow" and "Call car, authentication exploit, buffer overflow". If modification was required, executing an exploit would involve a predetermined handshake (which is described later in the paper), not something as crude as buffer overflows.
>Car electronics change very little year to year. If you have an unreported exploit, it wouldn't surprise me if it were valid for more than 5 production years.
Anecdotally, most ECUs I've seen change up 1-3 years. I have no idea if later units might be code compatible with prior, but I'd doubt it.
>I think you read this wrong - the car was disassembled to explore the systems, but after vulnerability development, physical access to a target was not required.
Obviously, I'm not certain, but looking at the previous work they reference [0 .p12-13] seems to say that the bridging exploits [1 .p5] are dependent on re-flashing. Perhaps the 2011 Bluetooth overflow is injecting 2010 re-flash equivalent code?
"We were able to successfully reprogram our car’s telematics unit from a device connected to the car’s low-speed bus (in our experiments, a laptop running CARSHARK). Once reprogrammed, our telematics unit acts as a bridge, relaying packets from the lowspeed bus onto the high-speed bus."
"Note, such interbus bridging is critical to many of the attacks we explore since it exposes the attack surface of one set of components to components on a separate bus; we explain briefly here."
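The quoted passages describe a reprogrammed telematics unit acting as an unrestricted bridge between the low-speed and high-speed buses. As an added example (not code from the paper or from this thread), here is the defensive counterpart: a gateway that relays low-speed traffic onto the high-speed bus only for an allow-listed set of CAN IDs and raises an alert when a frame carrying a reprogramming-related diagnostic request (ISO 14229 / UDS service IDs 0x10, 0x27, 0x34, 0x36) arrives from the low-speed side. The allow-list, the CAN IDs and the sample traffic are constructed for the demo; the UDS service IDs are the standard ones, but treating them as alert-worthy on this bus is this example's policy assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    bus: str        # "low" for the low-speed bus, "high" for the high-speed bus
    can_id: int
    data: bytes


# Hypothetical policy for this example: only these CAN IDs may be relayed from the
# low-speed bus onto the high-speed bus. A real gateway table comes from the vehicle's
# network design, not from a hard-coded set.
ALLOW_LOW_TO_HIGH = {0x2F0, 0x3A1}

# ISO 14229 (UDS) service IDs that make up a reprogramming flow: DiagnosticSessionControl,
# SecurityAccess, RequestDownload, TransferData. Alerting on their arrival from the
# low-speed bus is this example's assumed policy.
REPROGRAMMING_SIDS = {0x10, 0x27, 0x34, 0x36}


def uds_sid(data):
    """Return the UDS service ID of an ISO-TP single frame (PCI high nibble 0, length 1-7), else None."""
    if len(data) >= 2 and (data[0] & 0xF0) == 0x00 and 1 <= (data[0] & 0x0F) <= 7:
        return data[1]
    return None


class Gateway:
    """Decides, frame by frame, whether low-speed traffic may cross to the high-speed bus."""

    def __init__(self, allow=ALLOW_LOW_TO_HIGH):
        self.allow = allow
        self.alerts = []    # (reason, frame) tuples for the logger / intrusion detection

    def relay_low_to_high(self, frames):
        relayed = []
        for f in frames:
            if f.bus != "low":
                continue                          # this example handles one direction only
            sid = uds_sid(f.data)
            if sid in REPROGRAMMING_SIDS:
                self.alerts.append(("reprogramming-service-from-low-speed-bus", f))
                continue
            if f.can_id not in self.allow:
                self.alerts.append(("id-not-in-allow-list", f))
                continue
            relayed.append(Frame("high", f.can_id, f.data))
        return relayed


def demo():
    """Constructed traffic: one permitted frame, one unknown ID, two diagnostic requests, one wrong-direction frame."""
    traffic = [
        Frame("low", 0x2F0, b"\x10\x20\x30"),               # allowed application frame
        Frame("low", 0x123, b"\xff\xff"),                   # ID not in the allow-list
        Frame("low", 0x7E0, b"\x02\x10\x02"),               # UDS DiagnosticSessionControl (programming session)
        Frame("low", 0x3A1, b"\x05\x34\x00\x00\x00\x00"),   # allowed ID, but carrying RequestDownload
        Frame("high", 0x2F0, b"\x00"),                      # wrong direction, ignored here
    ]
    gw = Gateway()
    relayed = gw.relay_low_to_high(traffic)
    return relayed, gw.alerts


if __name__ == "__main__":
    out, alerts = demo()
    for f in out:
        print("relayed", hex(f.can_id), f.data.hex())
    for reason, f in alerts:
        print("ALERT", reason, hex(f.can_id), f.data.hex())
```

Of the five constructed frames only the first is relayed; the allow-list stops the unknown ID, and the diagnostic check stops the two reprogramming requests even though one of them uses an otherwise permitted ID. The alerts are the detection signal: a bridge that is quietly forwarding everything is exactly what the quoted passage describes.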
To what end?