Your Next Car Could Have A Firewall

Mitsubishi Electric is working on low-power firewalls for automotive embedded systems, to prevent car hacking before it happens.

Bertel Schmitt

Want to learn how to hack a car? How-tos teaching the hacking of a car’s internal network are the highlight of any Black Hat confab, and they are readily available on YouTube. A fuzzy video of a Tesla Model X getting pwned in China is always a sure way to make headlines. Dark thoughts of hackers messing with our cars trigger deep-seated fears of losing control of our lives. Finally, the empire strikes back. Developments are underway to ring-fence our car computers with firewalls and intrusion detection systems like those in big data centers. Today, I received a first glimpse of them.

Cars have been “hacked” pretty much since the electronic KE-Jetronic obsoleted the mechanical K-Jetronic used to inject gasoline into our engines. When the CPUs in our cars started to converse via a network called CAN bus (as in Controller Area Network), hackers quickly hopped on that bus. Modeled after the infamous Wireshark network snooper, a CAN-bus-centric CarShark tool soon followed, allowing hackers to override brakes, pop hoods, or disable the car completely. 10 years later, the venerable CarShark is pretty much dead, but a huge selection of car hacking hardware and software has taken its place.

However, CAN bus hacking required physical access to the car. Old cars were not part of the Internet. The hacker had to plug something into the OBD (on-board diagnostics) port of our cars and sit next to us while putting his and our lives at risk with a laptop. These days, many cars are online 24/7, and they are at risk of being broken into with something more insidious than the old Slim Jim. It was only a matter of time before a car’s entertainment system was infected with ransomware, thankfully only as a proof of concept so far.

This morning, Dr. Tetsuo Nakakawaji, leader of Mitsubishi Electric’s IT R&D Center, showed me what his company intends to introduce to keep hackers out of our cars. What he showed me looked pretty much like the layered defense surrounding commercial data centers or critical infrastructure: Intrusion Detection Systems (IDS) and firewalls protecting each ring of the system. Many IDS are signature-based, which leaves the system exposed to a new threat until it has been found, documented, and programmed into the system. Mitsubishi’s IDS is heuristic: it looks for “abnormal” activity and blocks it.
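To make the signature-versus-heuristic distinction concrete, here is an added example, not Mitsubishi Electric’s code and not something the article describes in detail. It learns how often each CAN ID normally appears and which payload lengths it carries during a clean training window, then flags frames that show up far too early, use an ID never seen before, or carry an unexpected length. The traffic is constructed for the demo; the 10 ms and 50 ms periods, the IDs, and the 50% tolerance are assumptions, not values from any vehicle.

```python
"""Heuristic (learned-baseline) CAN intrusion detection: no signatures, only deviations."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float      # arrival time in seconds
    can_id: int    # 11-bit arbitration ID
    data: bytes    # 0..8 payload bytes


class HeuristicCanIds:
    """Learns per-ID inter-arrival period and payload lengths, then flags anomalies."""

    def __init__(self, tolerance: float = 0.5):
        self.tolerance = tolerance          # frames earlier than (1 - tolerance) * period are suspicious
        self._intervals = defaultdict(list)  # can_id -> observed gaps during training
        self._dlcs = defaultdict(set)        # can_id -> payload lengths seen during training
        self._last = {}                      # can_id -> last timestamp seen
        self.period = {}                     # can_id -> learned mean period (seconds)

    def train(self, frames: List[Frame]) -> None:
        """Build the baseline from traffic assumed to be clean."""
        for f in frames:
            self._dlcs[f.can_id].add(len(f.data))
            if f.can_id in self._last:
                self._intervals[f.can_id].append(f.ts - self._last[f.can_id])
            self._last[f.can_id] = f.ts
        self.period = {cid: mean(gaps) for cid, gaps in self._intervals.items() if gaps}
        self._last.clear()

    def check(self, f: Frame) -> Optional[str]:
        """Return an alert string for an anomalous frame, or None if it fits the baseline."""
        if f.can_id not in self._dlcs:
            return f"unknown ID 0x{f.can_id:03X}"
        if len(f.data) not in self._dlcs[f.can_id]:
            return f"unexpected DLC {len(f.data)} for 0x{f.can_id:03X}"
        last = self._last.get(f.can_id)
        self._last[f.can_id] = f.ts
        if last is not None and f.can_id in self.period:
            gap = f.ts - last
            expected = self.period[f.can_id]
            if gap < expected * (1 - self.tolerance):
                return (f"0x{f.can_id:03X} arrived after {gap * 1000:.1f} ms, "
                        f"expected ~{expected * 1000:.0f} ms")
        return None


def make_clean(duration: float = 1.0) -> List[Frame]:
    """Constructed clean traffic: 0x100 every 10 ms, 0x200 every 50 ms (assumed periods)."""
    frames = []
    for i in range(int(duration / 0.01)):
        t = i * 0.01
        frames.append(Frame(t, 0x100, bytes([i & 0xFF, 0, 0, 0])))
        if i % 5 == 0:
            frames.append(Frame(t, 0x200, bytes(8)))
    return frames


def run_demo() -> List[Tuple[float, str]]:
    """Train on clean traffic, then replay constructed live traffic with three injected frames."""
    ids = HeuristicCanIds()
    ids.train(make_clean())
    live = [
        Frame(2.000, 0x100, bytes(4)),
        Frame(2.010, 0x100, bytes(4)),
        Frame(2.011, 0x100, bytes(4)),   # injected: 1 ms after the legitimate frame
        Frame(2.012, 0x7FF, b"\x01"),    # injected: ID never seen in training
        Frame(2.020, 0x100, bytes(4)),   # legitimate: 9 ms after the injected one, within tolerance
        Frame(2.025, 0x200, bytes(2)),   # injected: 0x200 always carried 8 bytes
    ]
    alerts = []
    for f in live:
        msg = ids.check(f)
        if msg:
            alerts.append((f.ts, msg))
    return alerts


if __name__ == "__main__":
    for ts, msg in run_demo():
        print(f"t={ts:.3f}s ALERT {msg}")
```

The trade-off the article hints at is visible here: a baseline detector needs no catalogue of known attacks, but its tolerance is a tuning knob, and every alert is only as good as the assumption that the training window was clean. A frame that is late, or an ID that is legitimately rare, will not be caught by the rate check alone, so real deployments layer several such heuristics.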

“So?” some will say now, and right they are. None of this is new, and it could be achieved by sticking a Cisco Firepower 9000 (or a pfSense box for the financially less endowed) into our trunks, and by calling it a day.

Not exactly. For price and power consumption reasons, the computers toiling in our cars typically are quite lightweight. A favorite car CPU is an Arm-based System-on-Chip, something like the Raspberry Pi we can buy for $35. Mitsubishi Electric doesn’t sell boxes, and it wants to run its firewalls and IDS on the weak-chested chips favored by OEMs. To get speed, Mitsubishi replaced raw computing power with higher-performance software.

Despite some needling, Nakakawaji wouldn’t say more about the code than that it runs very well on very modest silicon, and a test was not provided this morning.

Another example of Mitsubishi Electric’s in-car coding provided a little glimpse into their more-with-less activities. As we all are painfully aware, computers can take time to boot. Customers don’t want to watch twirly boot animations; customers want the thing to be up and ready when the go-button is pushed. To get around the boot time, developers at carmakers use fast-boot tricks akin to the sleep functions on our laptops. An image of the memory is created and stored, and next time the image is simply shot into the computer instead of going through a laborious boot process. So far, so good. Or maybe not, because that image could be tampered with while we and the computer are sleeping, and next time we fire up the car, it will be hacked.

The solution is to check the image before it is used. The image is read in byte by byte, and using cryptographic routines beyond the scope of this article, the image is compared with what we had before we sent car and computer to sleep. That, however, takes time, especially on an anemic Arm, and it defeats a good chunk of the exercise’s purpose. Instead of checking the whole boot image byte by byte, Mitsubishi’s system reads only choice parts, and it “minimizes read time using a trusted tree method,” as Nakakawaji told me this morning while carefully checking whether my eyes would glaze over. As you can see from the link injected into his quote, trusted tree is not a Mitsubishi invention, and Nakakawaji readily concedes it. “The method is standardized, but our implementation is unique in the field.”
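The article does not say which tree construction Mitsubishi uses; the following added example, written for this page and not Mitsubishi’s implementation, assumes a Merkle-style hash tree, which is the usual way to verify selected parts of a stored image without reading all of it. Before sleep, the image is split into fixed-size chunks, each chunk is hashed, and the hashes are paired up to a single root. Only that root needs to live in trusted storage (assumed here to be a variable; in a real system it would sit in protected memory or a secure element). On resume, a chunk can be verified by reading it plus one sibling hash per tree level, so verification cost scales with the chunks actually loaded rather than the whole image. The 512-byte chunk size and the 2560-byte sample image are constructed for the demo.

```python
"""Merkle-tree spot verification of a sleep image: verify the chunks you load, not the whole file."""
import hashlib
from typing import Iterable, List, Tuple

CHUNK = 512  # assumed chunk size for the demo; a real system would use a page size


def leaf_hash(chunk: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a leaf can't be passed off as a node.
    return hashlib.sha256(b"\x00" + chunk).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(image: bytes, chunk: int = CHUNK) -> List[List[bytes]]:
    """Return all tree levels, leaves first, root last. An odd node is paired with itself."""
    leaves = [leaf_hash(image[i:i + chunk]) for i in range(0, len(image), chunk)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def root_of(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def auth_path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hash per level, with a flag saying whether the sibling is on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling >= len(level):      # last node of an odd level pairs with itself
            sibling = index
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify_chunk(chunk: bytes, path: List[Tuple[bytes, bool]], trusted_root: bytes) -> bool:
    """Recompute the root from one chunk and its path; the path itself need not be trusted."""
    h = leaf_hash(chunk)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == trusted_root


def spot_check(image: bytes, levels: List[List[bytes]], indices: Iterable[int],
               trusted_root: bytes) -> Tuple[bool, int]:
    """Verify only the listed chunks; return (all_ok, bytes_of_image_read)."""
    bytes_read = 0
    for i in indices:
        chunk = image[i * CHUNK:(i + 1) * CHUNK]
        bytes_read += len(chunk)
        if not verify_chunk(chunk, auth_path(levels, i), trusted_root):
            return False, bytes_read
    return True, bytes_read


def demo() -> dict:
    image = bytes(range(256)) * 10          # constructed 2560-byte "sleep image", 5 chunks
    levels = build_tree(image)               # computed before sleep, stored alongside the image
    trusted_root = root_of(levels)           # the only value that must be kept tamper-proof

    tampered = bytearray(image)
    tampered[3 * CHUNK + 7] ^= 0x80          # one bit flipped inside chunk 3 while "asleep"
    tampered = bytes(tampered)

    ok_all, n_all = spot_check(image, levels, range(5), trusted_root)
    ok_hit, n_hit = spot_check(tampered, levels, [3], trusted_root)
    ok_miss, _ = spot_check(tampered, levels, [1], trusted_root)   # untouched chunk still passes
    return {
        "clean_all_chunks": ok_all, "bytes_read_all": n_all,
        "tampered_chunk3_checked": ok_hit, "bytes_read_chunk3": n_hit,
        "tampered_only_chunk1_checked": ok_miss,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last result in `demo()` is the caveat a practitioner should take from “reads only choice parts”: checking chunk 1 says nothing about chunk 3. The saving comes from verifying each chunk at the moment it is loaded rather than all of them up front, not from skipping chunks that will be executed unverified; and the whole scheme rests on the root surviving sleep somewhere the attacker cannot rewrite it.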

But is it really faster, and how much?

“We haven't run actual benchmarks against the competition, but we definitely hope to be faster,” Nakakawaji said. Well, in Japan, bragging is considered uncouth, and we’ll see it when we see it.