Things You Must Know For Vehicle Hacking: PART 1

VEHICLE INTERNAL NETWORKING: Non-Ethernet Tech

Mehmet Yavuz Yağış
8 min read · Jun 8, 2022

Vehicles are hackable. Indeed, they have been hacked before: a Jeep has been hacked, a Tesla has been hacked, others have been hacked, and there will be more to come.

Welcome to the cyber show! Just like every other domain, the vehicle domain is also a battleground for fierce defenders and attackers.

This post is the first of the series `Things You Must Know For Vehicle Hacking`. In this series, I will try to cover vehicle networking types, the OSI model, cybersecurity standards, automotive-domain-specific security implementations, and some regulations.

<Networking in Cars/>

The famous F-35 airplane depends on roughly 22 million lines of code, and this plane is considered state of the art. The Large Hadron Collider harbors 50 million lines of code. That is a large codebase to write, maintain, and run. What about the US Army Future Combat System, which was envisioned to create new brigades equipped with new manned and unmanned vehicles linked by an unprecedentedly fast and flexible battlefield network? How many lines of code were required to create all of this complex mesh? Estimates are around 65 million lines!

These are gigantic numbers, until you hear how many lines of code a modern vehicle sits on. It is roughly 170 million lines of code, and it is expected to hit 1 billion lines very soon! This network runs over more than 5000 feet of cabling in each and every modern car. This is unprecedented in every sense of the word. But of course, this much code may also mean a larger attack surface.


Vehicle networking can be very roughly clustered into two main eras: the pre-ethernet era and the automotive ethernet era. However, this should not give you the impression that the advent of automotive ethernet washed away the previous technologies completely. On the contrary, they operate together, with some vital changes of course.

In this blog, I will talk about basic networking topologies and non-ethernet networking technologies. Automotive ethernet will eat up the second post in the series.

<Network Topologies/>

A network topology describes how each node is connected to the others. Depending on several factors, topologies come in different forms and shapes: there are basic topologies, and more complex topologies that are mainly built out of the basic ones. Understanding a network topology helps to work out the attack surface and the possible weak and strong points of the network.

Let’s take a look at some basic topologies.

<Point2Point Topology/>

This is the most primitive topology at our disposal. A single point is connected to a single point via a connecting medium. Each station on the network has a physical address (Media Access Control, or MAC address), and the transmitting station formats data into frames. Think of two children holding metal cups connected to each other with a wire, talking directly to each other.

Or look at your ethernet cable, which is also a point-to-point technology.

<Ring Topology/>

A ring topology is a daisy chain in a closed loop. Data travels around the ring in one direction. When one node sends data to another, the data passes through each intermediate node on the ring until it reaches its destination. The intermediate nodes repeat (retransmit) the data to keep the signal strong. Every node is a peer; there is no hierarchical relationship between clients and servers. If one node is unable to re-transmit data, it severs communication between the nodes before and after it in the bus. (From Wikipedia)

Ring topology does not require a central controller or server. Compromising one node may cause bigger trouble :)

In vehicles, MOST (Media Oriented Systems Transport) technology is designed to use a ring topology on the logical level. On the physical layer, it is a star topology.

Image source: https://systemzone.net/computer-network-topology-outline/

<Star Topology/>

Star topology, again aptly named, consists of one central node and multiple peripheral nodes which are connected to each other through the central node. The central node is either a hub or a switch. I assume you know the difference between them, hence I won’t be explaining it.

In this type of topology, all traffic that traverses the network passes through the central hub, which acts as a signal repeater. One advantage of the star topology is the simplicity of adding nodes. The primary disadvantage is that the hub represents a single point of failure. On the other hand, compromising one node only allows tapping into the connection between that node and the central hub, since all the nodes are separated from each other.

One variation of the star is the hierarchical star, also known as a tree topology, where each star represents a node and the stars are interconnected via a switch. You can add or remove nodes without affecting the rest of the network.

<Bus Topology/>

Bus topology is the most interesting and the most important topology for our use case since it is the most prevalent one in vehicles.

Bus topology, also known as plug-and-play, connects all nodes through a shared trunk to which every bus node is attached. Hence, once one node transmits data, all the others can read it easily. This means that once we tap into the wire, or can exploit one of the nodes, everything on the bus is within reach.

Now the fun part starts. Bus topology is prevalent in vehicle networking, not only because it was the norm before automotive ethernet came out, but also because there is a lot of standardization around it and because it is cheaper. Since it is plug-and-play, it is also easily scalable.

A small note for the future: although automotive ethernet does not use bus topology in general, there is one exception, 10BASE-T1S, which we will cover in the next post.

Now we need to go a bit deeper into the nervous system of the vehicle: the protocols that vehicle ECUs (Electronic Control Units) use to communicate.

<Non-ethernet Networking Technologies/>

Image source: https://wuling.id/en/blog/autotips/car-ecu-know-the-functions-types-and-characteristics-of-the-damage/

Hint: do not think of the following protocols as exclusive alternatives to each other. In vehicles we see them form teams and support each other rather than substitute for one another.

<CAN (Controller Area Network)/>

I won’t bore you with the history, the development adventure, and boring technical details. Let’s get straight to the point.

CAN is a multidrop (bus) technology where the user can add or remove nodes. Remember, multidrop or bus technology means every node, i.e. every ECU, is physically and electrically connected to the same wires as every other node. It is a cheap and lightweight technology, and a relatively old one. Even the buffed-up CAN (CAN-XL) has a limited bandwidth of 10 Mbit/s, and the payload is very small as well: the original CAN payload is as little as 8 bytes, and CAN-XL can carry 2048 bytes.

CAN uses non-destructive arbitration to avoid collisions in packet transmission and reception. This is handled through the arbitration field, the arbitration ID, of each CAN frame. When there is a collision risk, i.e. two nodes start transmitting at the same time, the arbitration ID decides: the message with the smaller ID is sent first, and the message with the larger ID is sent later, without any frame being destroyed and needing retransmission. So the lower ID transmits first, and the other one waits; it is not killed, it just waits. The nodes transmitting the higher ID also detect the situation and back off.

This has a drawback: nodes that lose the arbitration (the ones sending the higher-ID packet) have to wait, and the wait is not bounded in advance. This makes CAN less suitable for time-critical work that needs precise timing.

This is why FlexRay was developed.
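The arbitration rule above is easy to get wrong in one's head, so here is an added simulation of it (this is example code written for this post's readers, not code from the original post or from any CAN stack). It models the bus as a wired-AND: in every bit period a dominant 0 from any node overrides a recessive 1, and a node that sent recessive but reads dominant stops driving the bus. The ECU names, identifiers and payloads are constructed, and `transmission_order` shows why a losing node only ever waits: it is fed back into the next arbitration round untouched.

```python
"""Constructed simulation of CAN bitwise arbitration (added example, not the
post's code). Identifiers, node names and payloads below are made up."""
from __future__ import annotations
from dataclasses import dataclass

CAN_ID_BITS = 11  # width of the standard (base) identifier


@dataclass(frozen=True)
class Frame:
    sender: str    # hypothetical ECU name, constructed for the example
    can_id: int    # arbitration identifier; lower value = higher priority
    payload: bytes


def id_bits(can_id: int, width: int = CAN_ID_BITS) -> list[int]:
    """Identifier bits in wire order, most significant bit first."""
    if not 0 <= can_id < (1 << width):
        raise ValueError(f"identifier {can_id:#x} does not fit in {width} bits")
    return [(can_id >> (width - 1 - i)) & 1 for i in range(width)]


def arbitrate(contenders: list[Frame]) -> tuple[Frame, list[Frame]]:
    """Pick the frame that wins when all contenders start transmitting at once.

    The bus is a wired-AND: in each bit period its level is dominant (0) if any
    active node drives 0, and recessive (1) only if all of them drive 1.  A node
    that sends recessive but reads dominant has lost; it stops driving the bus,
    so the winner's frame continues undisturbed (non-destructive arbitration).
    Returns the winner and the losers in the order they backed off.
    """
    if not contenders:
        raise ValueError("nothing to arbitrate")
    active = list(contenders)
    losers: list[Frame] = []
    for bit in range(CAN_ID_BITS):
        bus_level = min(id_bits(f.can_id)[bit] for f in active)  # wired-AND
        still_driving = []
        for f in active:
            if id_bits(f.can_id)[bit] == 1 and bus_level == 0:
                losers.append(f)          # sent recessive, saw dominant: back off
            else:
                still_driving.append(f)
        active = still_driving
    if len(active) != 1:
        # Two nodes using the same identifier cannot be separated by arbitration
        # and would collide in the data field; a sane bus design forbids this.
        raise ValueError(f"duplicate identifier {active[0].can_id:#x}")
    return active[0], losers


def transmission_order(pending: list[Frame]) -> list[Frame]:
    """Run arbitration rounds until every pending frame has gone out.

    Losers are not discarded; they simply retry in the next round, which is
    why a low-priority frame can wait for an unbounded number of rounds.
    """
    waiting = list(pending)
    sent: list[Frame] = []
    while waiting:
        winner, losers = arbitrate(waiting)
        sent.append(winner)
        waiting = losers
    return sent


# Constructed sample traffic: three ECUs start transmitting in the same bit period.
SAMPLE_TRAFFIC = [
    Frame("engine_ecu", 0x100, b"\x12\x34"),
    Frame("brake_ecu", 0x0A3, b"\x00\x7f\x01"),
    Frame("diag_tester", 0x7DF, b"\x02\x01\x0c"),
]

if __name__ == "__main__":
    for f in transmission_order(SAMPLE_TRAFFIC):
        print(f"{f.can_id:#05x} {f.sender}")
```

Run as a script it prints the three frames in the order the bus would carry them, lowest identifier first; the `ValueError` on duplicate identifiers is the design rule every CAN matrix must respect, since arbitration has no way to separate two nodes that use the same ID.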

<FlexRay/>

The inherent arbitration system of CAN was somewhat troublesome; hence FlexRay came into existence. In vehicles, FlexRay is used for safety/time-critical systems, the backbone, and control data.

Just like its elder brother, FlexRay is also a multidrop (bus, plug-and-play) technology, hence every ECU is electrically connected to every other ECU. Remember the arbitration ID in CAN? FlexRay completely changed this architecture, and also the message structure. How did it make all these changes?

Well, with redundancy and determinism. With every FlexRay chip there is a redundant controller built in. This controller is pre-programmed, and its logic cannot be altered at runtime, so the system must be very well designed beforehand.

To avoid message collisions, FlexRay uses TDMA (Time Division Multiple Access). TDMA is analogous to a school class where every student knows their time to speak and waits for the previous peers before uttering a word. Hence there is no collision and no chaos.

Every node in FlexRay shares a common time base, which lets each node know when it is allowed to transmit. So basically there is a cycle time, divided into slices, and each node has its own time slot in which it is allowed to transmit.

For that reason, FlexRay is battle-hardened in security-critical applications thanks to its very accurate timing. It also has a gross data rate of approximately 10 Mbit/s.
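To make the slot idea concrete, here is an added model of a FlexRay-style static-segment schedule (example code written for this post, not code from the original post or from any FlexRay controller). The cycle length, slot length, ECU names, slot assignments and the transmission log are all constructed. It shows the two properties the text relies on: with a fixed, design-time schedule the worst-case wait of an ECU follows from the schedule alone rather than from bus load, and any transmission outside an ECU's own slot is immediately recognisable as a misconfigured or unexpected node.

```python
"""Constructed model of a FlexRay static-segment TDMA schedule (added example,
not the post's code).  Cycle and slot lengths, ECU names and the log are made
up for illustration."""
from __future__ import annotations

CYCLE_US = 5000   # constructed: one communication cycle of 5 ms
SLOT_US = 250     # constructed: every static slot is 250 us -> 20 slots per cycle
N_SLOTS = CYCLE_US // SLOT_US

# Constructed schedule: (slot number, owning ECU).  FlexRay slot numbering
# starts at 1.  Ownership is fixed at design time and never changes at run
# time, which is the "designed beforehand" property described in the post.
SCHEDULE = [
    (1, "brake_ecu"),
    (2, "steering_ecu"),
    (6, "chassis_ctrl"),
    (9, "brake_ecu"),
]


def validate_schedule(schedule: list[tuple[int, str]]) -> dict[int, str]:
    """Reject what a configuration tool would reject: slots outside the cycle,
    or two ECUs claiming the same slot (that would be a collision)."""
    owners: dict[int, str] = {}
    for slot, ecu in schedule:
        if not 1 <= slot <= N_SLOTS:
            raise ValueError(f"slot {slot} outside 1..{N_SLOTS}")
        if slot in owners:
            raise ValueError(f"slot {slot} claimed by {owners[slot]} and {ecu}")
        owners[slot] = ecu
    return owners


OWNERS = validate_schedule(SCHEDULE)


def slot_at(t_us: int) -> int:
    """Static slot number active at global time t (the shared time base)."""
    return (t_us % CYCLE_US) // SLOT_US + 1


def owner_at(t_us: int) -> str | None:
    """ECU allowed to transmit at time t, or None for an unassigned slot."""
    return OWNERS.get(slot_at(t_us))


def worst_case_wait_us(ecu: str) -> int:
    """Longest time a message can wait for one of the ECU's slots.

    Because ownership is fixed, the bound depends only on the schedule, not on
    how busy the bus is: it is the largest gap between consecutive slot starts
    owned by the ECU, wrapping around the cycle."""
    starts = sorted((slot - 1) * SLOT_US for slot, owner in OWNERS.items() if owner == ecu)
    if not starts:
        raise ValueError(f"{ecu} owns no slot")
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    gaps.append(CYCLE_US - starts[-1] + starts[0])   # wrap-around gap
    return max(gaps)


def off_schedule(log: list[tuple[int, str]]) -> list[tuple[int, str, int]]:
    """Return (time, ecu, slot) for every transmission made in a slot the ECU
    does not own.  On a correctly configured bus this list is empty, so any
    entry points at a misconfigured or unexpected node."""
    return [(t, ecu, slot_at(t)) for t, ecu in log if owner_at(t) != ecu]


# Constructed transmission log: (time in us, transmitting ECU).
SAMPLE_LOG = [
    (20, "brake_ecu"),
    (300, "steering_ecu"),
    (1300, "chassis_ctrl"),
    (1400, "steering_ecu"),   # steering transmits inside chassis_ctrl's slot
    (5020, "brake_ecu"),      # next cycle, slot 1 again
]

if __name__ == "__main__":
    print("off-schedule transmissions:", off_schedule(SAMPLE_LOG))
    for ecu in ("brake_ecu", "steering_ecu"):
        print(f"{ecu}: worst-case wait {worst_case_wait_us(ecu)} us")
```

Compare `worst_case_wait_us` with the CAN case: here the bound for `steering_ecu` is exactly one cycle, whatever else is on the bus, whereas a CAN node with a high identifier has no such bound. The `off_schedule` check is the kind of plausibility test a bus monitor can apply precisely because the schedule is static.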

These were the two big boys. Let’s briefly talk about the other two now.

<MOST/>

As mentioned, MOST stands for Media Oriented Systems Transport. MOST is aimed at infotainment systems and can support up to 150 Mbit/s! Unlike the others, it can run over fiber-optic cable, or else over a single twisted-pair copper cable.

The shortcoming of MOST is that it is a proprietary technology (only one vendor). Also, unlike the others, it uses a ring topology on the logical level, where the nodes can be visualized as a circular linked list. This raises a single-point-of-failure concern: if one of the nodes fails, the entire system goes down. This concern extends to its tooling as well: tools must be part of the same ring, and if there is a problem with a single tool, the ring goes down.

MOST nearly became obsolete once automotive ethernet was introduced.

<LIN/>

Local Interconnect Network (LIN) is the cheapest and the slowest of all. It is generally used in non-critical applications. It is safe to think of LIN as a helper more than a real player in the game. LIN is very low cost, with single-wire copper cabling. Again, it is a bus technology. It uses a master-slave scheme where the master ECU controls the timing of the transmissions of the other ECUs.

It has a small payload of at most 8 bytes and very low bandwidth at 20 kbit/s. Also, LIN does not have a common time base across the network. LIN operates under a CAN platform, but it does not require the robust data rate and bandwidth, or the higher cost, associated with CAN. It is generally used to extend the network further out to peripheral devices.

<CleanUp/>

So far we have gotten to know some basic terminology and protocols of automotive networking. Some attack surfaces and weaknesses, as well as the basic mentality of the network system, have been covered. Next up is the automotive ethernet era, where the real deal is going to surface.

Please bear with me; it will be fun, I promise!

Until next time!

PS: Please do not forget to check the next episodes :)
