New member intro, high-tech security question

My Nissan Leaf Forum


ctromley (new member; joined Mar 12, 2011; messages: 1)
Hi All,

I hope the Leaf will be my next car. I am ahead of the curve regarding electric vehicles (EVs), being an engineer and having built and operated my own hobbyist EV. I have no qualms at all about that aspect. I'm not sure if my particular inquiry is better for the Engineering or Ask Nissan forums. Maybe both?

What worries me is something that has been getting increasing attention lately, and the Leaf raises the concern level higher. Modern cars are filled with microprocessors that communicate over a protocol called CAN bus. It's not very secure, and prone to a broad range of hacks. This article explains in more detail:

http://arstechnica.com/security/news/2010/05/car-hacks-could-turn-commutes-into-a-scene-from-speed.ars

The bottom line is that it's pretty frightening how vulnerable to hacking new cars are, if you have access to the OBD-II diagnostic port. But this applies to all new cars. The Leaf opens a new exploit. I just read it allows charging configuration changes via smart phone - that opens a whole new can of worms. Mobile phones are subject to all sorts of hacks, so exposing all the programming in my car (and there's a lot of code in there) to phone hackers is a bit too much to take.

Questions:
1. When using a smart phone to alter charging configuration, is the phone talking to the charger on the car or the power outlet? What are the details of that communication?
2. Does anyone here have sufficient knowledge of the Leaf's CAN bus architecture to know that a software hack via smart phone is not possible? Perhaps enforced via hardware?

I'm afraid the Leaf won't be the only car subject to software hacks, but it looks like it might be among the first. Phone/car communication is coming. But if my vehicle becomes as likely to "crash" as my PC or phone, it's time to stop buying new cars.

Can anyone give me some good news?

C
 
I'm also an electrical engineer and I worked on CAN for a couple of years about 10 years ago. That was when CAN started to be implemented in high-end cars. As far as I know CAN is now used in most cars on the road. CAN was created to cope with cars' increasingly numerous and complex features and to make those possible without requiring miles of extra wiring. CAN was designed to be robust and more resilient than traditional wiring. However, CAN was never designed to be hacker-proof.

Data on the CAN bus is not encrypted and the design allows for easily plugging in a new "node" which can be spying on or even sending messages to other "nodes" connected to the same CAN bus. There are often several buses in a car: one for engine, ABS, airbag functions and another for AC, lights, windows. Except for diagnostics, the format of the packets exchanged between the components is usually manufacturer specific but can be relatively easily reverse engineered. This is why CAN is a car hacker's dream. But CAN is only accessible from within the car. In order to hack CAN in someone's car without their consent you'd have to break in.

It may seem to you that the LEAF has been hacked more than other cars but I simply believe that's because it's unique and new. Geeks and hackers are dying to know what's going on within this car: how the battery is managed, how the electric motor is performing and all things Nissan won't show or tell. Who cares about what's going on inside of the latest F150?

The LEAF is remotely managed and controlled through a Nissan system called Carwings. All Carwings commands come from a server before they are sent to the car over the 3G cellular network. The phone and the car don't communicate directly. Therefore remotely hacking into a LEAF would probably involve breaking into their server through the internet, not from a phone directly. Also, as far as I know Carwings only allows you to check the LEAF's status, start charging and turn on the AC. It won't let you open or turn on the car like some other manufacturers' remote controls do.

I feel very comfortable with my LEAF's CAN and Carwings. Those are technologies other cars on the road already have and I am confident Nissan has taken all necessary measures to make it secure.
 
There MIGHT be one CAN exposure:
While the car's charging hatch is open, the CAN bus might be easily available on the QC port.

Hopefully, that section of CAN is isolated to communication between the car's charging control and the QC port, so the car cannot be hacked.

However, others have reported that it might NOT be isolated.
 
garygid said:
There MIGHT be one CAN exposure:
While the car's charging hatch is open, the CAN bus might be easily available on the QC port.

Hopefully, that section of CAN is isolated to communication between the car's charging control and the QC port, so the car cannot be hacked.

However, others have reported that it might NOT be isolated.


Even if that were true, to what means? Who, how, why, when? More like, never.
 
garygid said:
There MIGHT be CAN codes to unlock the doors, start the LEAF, and ... they could drive away?


That's not going to happen. If you think it through completely it will become clear why that is not going to happen the way you suggest.
 
Since you seem to know the reason, and I obviously do not, please educate me. What did I overlook?

Only some cars will have the QC port.

The CAN messages are not YET known. Maybe there are NO such commands available?

Car is/was charging, so the hatch is open. Disconnect from charging, access CAN via QC port, ... ?

The RFID is not required to drive, once the car is "started".

Other might-be-possible CAN mischief:
Reset the RFIDs so the owner's RFID will not work?

Set a "no-drive" Error Code?
 
garygid said:
Since you seem to know the reason, and I obviously do not, please educate me. What did I overlook?

Only some cars will have the QC port.

The CAN messages are not YET known. Maybe there are NO such commands available?

Car is/was charging, so the hatch is open. Disconnect from charging, access CAN via QC port, ... ?

The RFID is not required to drive, once the car is "started".

Other might-be-possible CAN mischief:
Reset the RFIDs so the owner's RFID will not work?

Set a "no-drive" Error Code?

From what I've read on these message boards:

1) You have to unlock the car to open the charge-port that would allow QC port access in the first place;
2) The car can't be moved while it is plugged in (i.e. the car couldn't be started);
3) Why would anybody steal a Leaf in the first place?

While plugging in to the CAN might be a source of 'mischief', it's a car... not a nuclear plant or a Federal Reserve depository. There have to be five easier ways to steal a Leaf, if that is your goal (drag it onto a flatbed truck with a winch might be #1). I've never met anyone who is weeny enough to try 'hacking' strangers' cars for the sheer delight of it.

Maybe garygid spent the weekend going through old '24' episodes and has Chloe on the brain :D
 
While I have not verified it, the wiring diagram indicates that the CAN bus on the QC port is its own bus and is isolated by the charger from the rest of the vehicle's CAN buses.

No one is going to hack your car via the cellular radio. The radio doesn't have direct access to the CAN bus. That only leaves physical attacks, and while they are possible, the chances are rather remote.

A hack on the servers that control Carwings is far more likely. And even then, the result of a hack might be that you are inconvenienced because someone started charging your car before the rates were lower, or they turned the heat up in your car.
 
Turbo can probably provide more info as can a few other CAN experts here, but my impression is that the CAN bus is primarily a reporting bus, not a control bus. I'm not certain that you can inject information on the bus and change the behavior of major components of the car.

I believe you can put false information on the bus and other components - like the displays - that read bus information can be spoofed into displaying false information, but not sure you can use the bus to change the basic generation of that info to begin with.

e.g. - I don't think you can put a message on the bus to throw the car into reverse, or to apply the brakes, or make the car go faster or slower. You can, as far as I know, put information on the bus that will have the speedometer display that you are going faster or slower than you actually are, but I don't think you can manipulate the actual speed of the car through the bus.

Turbo? Others? Is this basically the story?

ETA - I believe this is why makers of devices such as the ScanGauge claim that plugging in their device can't do any harm to the car - whether they have the scan codes right or not.
 
If the QC Port's CAN bus is not connected to the "whole-car" CAN, that solves the problem, and is what I had hoped for.

Somebody else reported that it appeared to be all ONE big CAN bus, and I was reacting to that information.

1. When the car is charging, the hatch is open.
2. Remove the nozzle to stop the charging, then the car could be started and moved.

If one just "listens" gently (properly) to the information that the car puts onto the CAN bus, it is hard to damage the car.

Shorting the CAN bus could keep the car from operating.

Diagnostics, parameter setting, and even firmware upgrades are usually done via the CAN bus, but you generally have to know how to do it.

Important "driving-related" Messages (like "apply the brakes 10%") could easily go over the CAN bus.
 
There are 2 distinct CAN busses in the car, the "critical" one is indeed that, and is only shared amongst the more important devices in the car that actually make it drive. This CAN bus is not available outside the car, nor is it "up" when the car is shut down. The other non-critical bus is used for instrumentation, climate control, etc.

Yes, shorting the primary (EV) CAN bus would disable the car. So would shorting the 12V battery, or putting a nail in the tire.

The Telematics (carwings) interface is unlikely to be used for nefarious purposes, and it looks like reasonable security has been implemented.

I'd be more worried about getting in an accident, which is far more likely.

-Phil
 
Ingineer said:
There are 2 distinct CAN busses in the car, the "critical" one is indeed that, and is only shared amongst the more important devices in the car that actually make it drive. This CAN bus is not available outside the car, nor is it "up" when the car is shut down. The other non-critical bus is used for instrumentation, climate control, etc.

While the general point is correct, the lines are not as distinct as you put them.


The "critical" bus (called EVCAN) is up any time the car is doing anything such as charging and obviously driving. It is available at the OBDII port. Certain aspects of the climate control are also on this bus.

Sending the right message can indeed 'drive' the vehicle. But that also means you need to block the "real" message. There are error correction techniques in place that keep you from injecting mission-critical messages. For one the messages are transmitted multiple times a second and are numbered sequentially...
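turbo2ltr's point that drive-related frames are sent many times a second with sequential numbering is exactly what an ECU or a bus monitor can check. The following is an added example, not code from this thread or from Nissan: a small Python monitor that flags a frame whose rolling counter or arrival interval does not fit the previous frame of the same ID. The ID 0x1DA, the 10 ms period and the counter position in byte 7 are constructed placeholders, not real LEAF values.

```python
# Hypothetical layout (NOT real LEAF values): ID 0x1DA is a periodic
# drive-related frame sent every 10 ms, carrying a 4-bit rolling counter
# in the low nibble of data byte 7.
PERIOD_MS = 10.0
TOLERANCE_MS = 3.0
COUNTER_MASK = 0x0F


class CanMonitor:
    """Per-ID sequence-counter and inter-arrival-time checker."""

    def __init__(self):
        self.last_ts = {}   # can_id -> timestamp (ms) of last frame seen
        self.last_ctr = {}  # can_id -> rolling counter of last frame seen

    def check(self, ts_ms, can_id, data):
        """Return None if the frame is consistent with the previous frame
        for this ID, otherwise a short reason string. State is updated
        even on a mismatch so the monitor resyncs after a genuine gap."""
        ctr = data[7] & COUNTER_MASK
        reasons = []
        if can_id in self.last_ts:
            dt = ts_ms - self.last_ts[can_id]
            expected = (self.last_ctr[can_id] + 1) & COUNTER_MASK
            if ctr != expected:
                reasons.append(f"counter {ctr} != expected {expected}")
            if dt < PERIOD_MS - TOLERANCE_MS:
                reasons.append(f"interval {dt:.1f} ms below {PERIOD_MS:.0f} ms period")
        self.last_ts[can_id] = ts_ms
        self.last_ctr[can_id] = ctr
        return "; ".join(reasons) or None


def analyze(frames):
    """Run the monitor over a capture of (ts_ms, can_id, data) tuples and
    return a list of (frame index, reason) pairs for anomalous frames."""
    mon = CanMonitor()
    alerts = []
    for i, (ts, cid, data) in enumerate(frames):
        reason = mon.check(ts, cid, data)
        if reason:
            alerts.append((i, reason))
    return alerts


def frame(ts_ms, ctr, can_id=0x1DA):
    """Build a constructed 8-byte frame with the counter in byte 7."""
    return (ts_ms, can_id, bytes(7) + bytes([ctr & COUNTER_MASK]))


# Constructed capture: genuine frames every 10 ms; index 3 is an injected
# frame that copies the next expected counter value but arrives 5 ms early.
SAMPLE_FRAMES = [
    frame(0.0, 0), frame(10.0, 1), frame(20.0, 2),
    frame(25.0, 3),                       # injected
    frame(30.0, 3), frame(40.0, 4), frame(50.0, 5),
]
```

Running `analyze(SAMPLE_FRAMES)` flags the injected frame on timing alone and the following genuine frame on its now-duplicate counter; a single dropped genuine frame produces one counter alert and then the monitor resyncs.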
 
turbo2ltr said:
Ingineer said:
There are 2 distinct CAN busses in the car, the "critical" one is indeed that, and is only shared amongst the more important devices in the car that actually make it drive. This CAN bus is not available outside the car, nor is it "up" when the car is shut down. The other non-critical bus is used for instrumentation, climate control, etc.

While the general point is correct, the lines are not as distinct as you put them.


The "critical" bus (called EVCAN) is up any time the car is doing anything such as charging and obviously driving. It is available at the OBDII port. Certain aspects of the climate control are also on this bus.

Sending the right message can indeed 'drive' the vehicle. But that also means you need to block the "real" message. There are error correction techniques in place that keep you from injecting mission-critical messages. For one the messages are transmitted multiple times a second and are numbered sequentially...

The lines are pretty distinct! I said the EV bus was not up when the car is shutdown, this is 100% true. The car is obviously not shutdown when it's charging or driving. Sending the "right message" includes cracking the cryptography of the smart-key system before someone is just going to drive your car off.

And since you are giving me such a hard time, it's not called an "OBDII port", it's called a DLC3. Also: EVs are exempt from OBD2 compliance.

The point I was trying to make is that nobody can sneak up to your car and inject malicious messages into the charge port and do something bad to your car or easily steal it. If they gain physical access to the car, then all bets are off. They could secretly replace an ECU with altered firmware just as easily as they could inject malicious CAN frames into the DLC3 connector. You are probably more likely to have your car destroyed by lightning, and definitely more likely to have a heart attack before you even make it to your car!

If someone wants to steal it, it's easier and quicker just to tow it.

I really hate to see knowledgeable people perpetuate all this FUD for no reason. It doesn't alter understanding by those of us that understand the technical minutiae, but it sure scares the layman.
 
Um, I wasn't giving you a hard time, I was agreeing and adding information.

You are right, I misunderstood you when you said "shut down". I took that as meaning "not driving". No need to get your wires all wadded up.

The lines I was talking about are the systems and what can bus they were on. I previously agreed that an external attack is not a concern. No FUD here.
 
turbo2ltr said:
Um, I wasn't giving you a hard time, I was agreeing and adding information.

You are right, I misunderstood you when you said "shut down". I took that as meaning "not driving". No need to get your wires all wadded up.

The lines I was talking about are the systems and what can bus they were on. I previously agreed that an external attack is not a concern. No FUD here.

Thanks, I guess I also read your post as more critical.

FYI, here is the layout:
[CAN bus layout picture not reproduced]
 
A recent article (Mar. 14, 2011) on this subject caught my eye today:
http://www.technologyreview.com/computing/35094/?mod=chfeatured&a=f

A quote from the article saying CAN bus access is not necessary to perform these hacks:

The researchers were able to control everything from the car's brakes to its door locks to its computerized dashboard displays by accessing the onboard computer through GM's OnStar and Ford's Sync, as well as through the Bluetooth connections intended for making hands-free phone calls. They presented their findings this week to the National Academies Committee on Electronic Vehicle Controls and Unintended Acceleration, which was brought together partly in response to last year's scandal over supposed problems with the computerized braking systems in Toyota Priuses.

The team, including Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, and Stefan Savage, a professor of computer science at the University of California, San Diego, had previously shown that they could take control of a car's computer systems, provided that they had physical access to the vehicle's onboard diagnostics port—a federally mandated access point located under the dashboard in almost all modern cars.

With the new work, the researchers systematically analyzed ways they could get at a car's computer systems without having physical access. They used a 2009 mass-production sedan equipped with fewer computer systems than many high-end cars. For each attack that succeeded, they confirmed that they could take complete control of all of the car's internal computer systems.

The researchers attacked the car's Bluetooth system, which allows a driver to make hands-free cell-phone calls. They found a vulnerability in the way the Bluetooth system was implemented that allowed them to execute code to take control of the car. To do this, the researchers used a smart phone already paired with the car or found a way to illicitly authorize a new smart-phone connection.

Nowadays many cars come equipped with cellular connections that perform safety functions, such as automatically calling for help if the driver is in a crash. The researchers found that they could take control of this system by breaking through its authentication system. First, they made about 130 calls to the car to gain access, and then they uploaded code using 14 seconds of audio. The researchers also found other ways to gain access, for example via the car's media player.

"We were surprised to find that the attack surface was so broad," Kohno says, referring to the wide variety of ways the researchers were able to gain access to the car's computer systems.

Perhaps the Leaf architecture does not lend itself to such attacks in the same way, but this sounds a little scary to me.
TT
 
Good thing the LEAF's CD player is hidden behind the navigation screen :D

http://www.ubergizmo.com/2011/03/songs-can-be-used-to-hack-cars/
 
Ingineer said:
Not clear from this which side of the VCM the charging port is on, but I would guess the lower CAN bus with the battery module. The BCM (body control module), which would control the locks, windows, and such, is on the upper CAN bus. If this is true, then the VCM could act as the firewall.
 