There’s a car-theft gang in Atlanta that’s stealing late-model, high-end Toyota and Lexus vehicles by hacking the cars’ CAN (controller area network) Bus. Apparently, this type of car theft originated in Japan, where criminal hackers have developed a device called a CAN Invader that can shut off the vehicle’s immobilizer, unlock the car’s doors, and start the car once the thief physically hacks into the vehicle’s CAN Bus. Apparently, gaining physical access is distressingly easy. Toyota and Lexus vehicles have a vulnerable node near the driver-side front wheel well. By unclipping and peeling back the inner plastic fender liner surrounding the front wheel, thieves can unplug a CAN Bus connector from a headlight ECU (electronic control unit) and plug the CAN Invader into the freed cable. Punch a button on the CAN Invader and the car’s yours to drive away.
This sort of access to a vehicle’s CAN Bus network won’t surprise anyone who has or has used an OBD-II (On-Board Diagnostics) scanner, which plugs into a socket under a car’s dashboard and can extract a wealth of diagnostic information about the car from the CAN-connected ECUs. More advanced, bidirectional OBD-II diagnostic tools can also actuate any switch or take control of other vehicle functions. The surprise for me is that the car is equally open to such intrusive probing from an innocuous connector that’s easily accessible from outside of the car. In Toyota and Lexus vehicles, it appears this targeted connector is part of the headlight wiring.
The physically vulnerable ECU controls the high- and low-beam headlights and the turn signals. Once thieves realized that there’s easy external access to all vehicle functions through this connector, development of a one-button tool for stealing a car was inevitable. During an interview on an Altium ONTRACK podcast, CAN expert Ken Tindell, CTO of Canis Automotive Labs, explained:
“So for example, one of the cars we’re looking at, the engine immobilizer ECU’s on the powertrain side. So are the headlights. So you crack open the headlights and you pull the connector off the back of the headlight ECU, plug into that, and now you can directly send commands to the engine immobilizer saying, ‘Hey, I’m the key fob, and I say it’s okay to drive.’ And it’s like, ‘Okay.’”
This problem is symptomatic of any unprotected network, in a vehicle or in a data center. There’s no good reason you should be able to unlock doors and start a vehicle from a cable plugged into a headlight ECU other than a lack of design foresight. A properly secured network would never allow such a thing to happen. However, when the CAN Bus was conceived in the 1980s, it was not developed as a secure network. Combining an unsecured network with easy external physical accessibility seems like an invitation for disaster. As John Parker, the Black Lectroid from Planet 10 in the 1984 movie called The Adventures of Buckaroo Banzai Across the 8th Dimension, said with his thick Jamaican Rasta accent: “It is a very bad design.”
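As an added illustration (not code from the article, from Tindell, or from any vehicle maker), the sketch below contrasts the receiver Tindell describes, which accepts any frame carrying the right ID, with one that also requires a truncated HMAC and a freshness counter in the payload. The CAN ID, key, payload layout and class names are all constructed assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4              # truncated tag bytes in the payload (assumed layout)
IMMO_RELEASE_ID = 0x123  # constructed CAN ID, not a real Toyota/Lexus value

def tag(key, can_id, counter, data):
    """MAC over ID, full freshness counter and data, truncated to fit a frame."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key, can_id, counter, data):
    """Sender: payload = data || low counter byte || tag (6 of CAN's 8 bytes)."""
    return can_id, data + bytes([counter & 0xFF]) + tag(key, can_id, counter, data)

class LegacyImmobilizer:
    """Receiver as described above: trusts any node that sends the right ID."""
    def accept(self, can_id, payload):
        return can_id == IMMO_RELEASE_ID and payload[:1] == b"\x01"

class AuthenticatedImmobilizer:
    """Receiver that also demands a valid tag and a counter that moves forward."""
    def __init__(self, key):
        self.key, self.last = key, 0

    def accept(self, can_id, payload):
        if can_id != IMMO_RELEASE_ID or len(payload) != 2 + MAC_LEN:
            return False
        data, low, mac = payload[:1], payload[1], payload[2:]
        counter = (self.last & ~0xFF) | low   # rebuild full counter from low byte
        if counter <= self.last:              # stale low byte: assume it wrapped
            counter += 0x100
        if not hmac.compare_digest(mac, tag(self.key, can_id, counter, data)):
            return False                      # forged, tampered or replayed frame
        self.last = counter
        return data == b"\x01"

def demo():
    key = b"constructed-demo-key"                  # constructed sample key
    injected = (IMMO_RELEASE_ID, b"\x01")          # frame from a spliced-in device
    genuine = build_frame(key, IMMO_RELEASE_ID, 1, b"\x01")
    legacy, secure = LegacyImmobilizer(), AuthenticatedImmobilizer(key)
    return {
        "legacy_accepts_injected": legacy.accept(*injected),
        "secure_accepts_injected": secure.accept(*injected),
        "secure_accepts_genuine": secure.accept(*genuine),
        "secure_accepts_replay": secure.accept(*genuine),
    }
```

A production design would also have to persist the counter across power cycles and provision per-vehicle keys, which this example leaves out.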
The potential for more hacking mischief and mayhem grows as automobiles become software-defined vehicles and appear as wireless edge nodes in the ever-expanding Internet. There will always be people in society who want to hack into vehicles (and everything else) for profit or just for the pleasure of wreaking havoc on their fellow citizens. In an unconnected matter, the ability to hack into a vehicle using only a mobile phone has already been demonstrated.
Vehicular network security was a keynote topic at last month’s NXP Connects conference held in Santa Clara, California. Claude Gauthier, Director of Strategic Innovation for Automotive Ethernet Solutions in NXP’s In-Vehicle Network Group, presented that part of the keynote. Gauthier is also the vice chair of the Automotive SerDes Alliance, which has been developing increasingly fast SerDes PHYs for automotive applications. The alliance started with 100Mbps Ethernet and now has design solutions to 10Gbps, with 25Gbps designs under development. Based on this background, Gauthier’s vision for automotive networks is heavily biased towards Ethernet, but that’s a safe bet because Ethernet’s history includes a long series of conquests in any network market it enters.
Gauthier explained that automobile design is becoming more holistic, which will shape the way future designs integrate networks and ECUs. Current design is mainly domain-based, with separate ECUs designed for specific functions including body control, in-vehicle infotainment (IVI), advanced driver-assistance systems (ADAS), connectivity (wireless connections to the outside world), and propulsion. Long-time car makers such as Ford, GM, and Fiat Chrysler have developed a multitude of domain-based, legacy ECUs while new car makers such as Tesla are starting from scratch. Gauthier discussed several more unified network architectures: body zonal networks, which create zones based on location in the vehicle; cross-domain zonal, which is based on a central automotive computer and is therefore a more optimal design for a software-defined vehicle (SDV); and a “consolidated compute” system approach, which is designed to handle even more in-vehicle network bandwidth by consolidating traffic through several network zone aggregators.
These four network organizations appear in Figure 1 below. The cross-domain zonal and consolidated compute network architectures shown in Figure 1 have a central vehicle computer at their core, which would operate an autonomous vehicle.
Figure 1: Software-defined vehicles (SDVs) will require increasingly sophisticated in-vehicle network architectures. Image credit: NXP.
Figure 1 illustrates the growing bandwidth needed in these evolving in-vehicle networks through the thicker and thicker lines used to interconnect various functions. The main driving force behind this need for more bandwidth is the increasing use of video cameras in a car’s design. Cars with ADAS and autonomous driving systems use multiple video cameras, and adding even one camera to a zone can consume that zone’s network bandwidth. Overall, cameras consume 90 percent of a car’s network bandwidth, he explained. It’s better, said Gauthier, to put that video traffic on a high-bandwidth network backbone.
During a pre-keynote interview at NXP Connects, Brian Carlson, a Global Marketing Director at NXP, compared the various systems in a vehicle to various systems in the human body. He made the following comparisons:
- Skeletal and nervous systems – Vehicle electrical/electronic architecture, networking, sensors
- Muscular system – Vehicle dynamics control (motor, traction control, chassis, etc.)
- Respiratory and digestive systems – Electric vehicle charging, power conversion, battery management
- Immune and lymphatic systems – Vehicle security, intrusion-detection and -prevention, security updates
- Endocrine system – Vehicle management including intelligent power management
- Cardiovascular system – Vehicle data management and software over-the-air (OTA) updates
Whether you agree with these body-vehicle systems comparisons or not, it’s clear that modern vehicles are systems of interconnected systems, with high-speed networks in the vehicle serving the same purpose as the human body’s central nervous system.
Unsurprisingly, NXP has a line of SoCs and multiple software stacks, collectively called the S32 Vehicle Compute Platform, which is intended for use in developing these more advanced vehicle networks and the associated ECUs. Ethernet networks are a part of the S32 Vehicle Compute Platform’s strategic roadmap, because the adoption of Ethernet as an in-vehicle networking scheme can leverage all relevant Ethernet development work including IEEE time-sensitive networking (TSN) standards and the multi-layer approach to network security that’s been developed for other Ethernet applications such as in data centers.
What’s prevented auto manufacturers from adopting Ethernet networking earlier is absence of need (now countered by the increasing use of video cameras in cars) and the increased cost of Ethernet networking compared to the low cost of the mature CAN Bus. However, the exponential increase in the use of electronics in vehicles now demands more performance than the CAN Bus can provide, while efforts like the Automotive SerDes Alliance continue to reduce the cost of automotive Ethernet networks, so the shift to Ethernet is inevitable. Automotive design will evolve.
Of course, adoption of an Ethernet-based, in-vehicle network will obsolete existing OBD-II scanners and diagnostic tools the way that electronic fuel injection, coil packs, and computer-driven engine timing have obsoleted the old automotive engine timing lights and tach-dwell meters. Those older tools are fine for working on vintage vehicles, like the 1958 DeSoto Firedome that I once owned, but they’re not useful for tuning today’s fully instrumented, computer-controlled cars. The older, short-lived OBD standard even allowed for some rudimentary troubleshooting with a multimeter or even a simple continuity light, but you can’t do those simple tests with OBD-II systems and certainly I don’t expect that kind of simplicity from a similar Ethernet-based network test standard. But that’s the price of progress, isn’t it?
Ob la di (OBD-I), ob-la-da (OBD-II), life goes on, bra
La-la, how the life goes on
Ob-la di, ob-la-da, life goes on, bra
La-la, how the life goes on
— The Beatles, 1968