UW and UCSD researchers earn Test of Time Award for driving automobile security in new directions
(Cross-posted from Allen School News.)
Ten years ago, a team of security and privacy researchers at the University of Washington and University of California, San Diego published a paper, “Experimental Security Analysis of a Modern Automobile,” describing how they were able to override critical safety systems and take control of a range of vehicle functions of what was later revealed to be a pair of 2009 Chevy Impalas. That work, which was first presented at the IEEE’s 2010 Symposium on Security and Privacy in Oakland, California, opened up an entirely new avenue of cybersecurity research while serving as a wakeup call to an industry that was more accustomed to guarding against break-ins of the physical, rather than the over-the-air, kind. This week, the IEEE Computer Society Technical Committee on Security and Privacy recalled the significance of the team’s contributions and their enduring impact with its 2020 Test of Time Award.
The project was originally the brainchild of professor Tadayoshi Kohno of the Allen School’s Security and Privacy Research Lab and one of his mentors, UCSD professor and Allen School alumnus Stefan Savage (Ph.D., ‘02). Fresh off the success of Kohno’s 2008 IEEE Symposium on S&P paper examining the security of wireless implantable medical devices — which also later earned a Test of Time Award — he and Savage turned their attention to another technology gaining in popularity: the computerized automobile.
Backed by funding from the National Science Foundation and flexible funds from an Alfred P. Sloan Fellowship, the duo pulled together what they refer to as an “all-star team” of students. The lineup included then Allen School Ph.D. students Karl Koscher, Alexei Czeskis, and Franziska Roesner; and UCSD Ph.D. student Stephen Checkoway, postdoc Damon McCoy, and master’s student Danny Anderson. Checkoway and Anderson were no strangers to UW; the former had earned his bachelor’s from the Allen School and the Department of Mathematics in 2005, while the latter had just graduated with his bachelor’s from the Allen School in 2009. Allen School and UW Department of Electrical & Computer Engineering professor Shwetak Patel and UCSD professor Hovav Shacham joined the leadership team during the formative stages of the project, and UCSD research staff member Brian Kantor rounded out the group.
The team would become the first to drive home to automobile manufacturers, regulators, security experts, and the public the extent to which modern-day vehicles were vulnerable to cyberattacks. According to Savage, one of the main reasons they succeeded in doing so was that the students — all new, or at least, new to this area of research — “didn’t know any better” and were therefore undaunted by the task set for them by their mentors.
“Essentially, we bought two cars and said to the students, here are the keys, go figure it out,” recalled Savage. “To Yoshi’s and my delight, they did. And in the process, they established this entirely new subfield of automotive security research.”
The group called itself the Center for Automotive Embedded Systems Security, or CAESS. It was fairly large, as far as research collaborations go. According to Checkoway, its size was a feature, not a bug.
“This was an extremely collaborative effort; no task was performed by an individual researcher alone. I believe our close collaboration was the key to our success,” explained Checkoway, the lead Ph.D. student on the UCSD side who later joined the faculty of Oberlin College. “On a personal level, the large group collaboration was so much fun, that collaborative research has been my preferred method of research ever since.”
It is a theme that is echoed by Checkoway’s colleagues, even 10 years on.
“It was really exciting to join this great team and contribute to such an impactful project at the very beginning of graduate school,” said Roesner (Ph.D., ‘14), now a professor in the Allen School and co-director of the Security and Privacy Research Lab with Kohno. “I had recently decided to switch my focus from computer architecture to security, after discovering that I really liked the ‘security mindset’ of challenging assumptions in designs. This experience and this paper essentially launched my security research career.”
Koscher (Ph.D., ‘14), who has since returned to his old Seattle stomping ground as a research scientist after completing a postdoc at UCSD, was the lead Ph.D. researcher on the UW side.
“We really were one team, and there was definitely enough work to keep everyone on both sides busy.” Koscher recalled. “We at UW would attack a problem from one direction, while the folks at UCSD attacked it from another. Each side brought the puzzle pieces to complete the other.”
Among the puzzles the team needed to piece together was how to access one or more of a vehicle’s electronic control units (ECUs) — the collection of independent computers that communicate across multiple internal networks. At the time, it was estimated that the average luxury sedan contained as many as 70 ECUs running over 150 megabytes of code. This did not comprise the totality of the potential attack surface of a vehicle, however; additional entry points came in the form of the federally-mandated onboard diagnostic system, optional short-range wireless capabilities such as Bluetooth, and telematics such as OnStar with its long-range cellular radio link.
Beginning with 2008 models, all cars sold in the United States were required to implement the Controller Area Network (CAN) bus for diagnostics — making it the dominant in-car communication network not only for GM, but also other major manufacturers such as Ford, BMW, Honda, and Volkswagen. To facilitate the full range of exploits they wanted to explore, Koscher and the team developed CarShark, a custom CAN bus analyzer and packet injection tool.
Using this approach, the team determined that weaknesses in the underlying CAN protocol meant that, by infiltrating almost any one of the vehicle’s ECUs, an attacker would be able to leverage that access to circumvent a broad array of safety-critical systems. In a series of experiments, both in the lab and on the road, the researchers demonstrated the ability to control a variety of vehicle functions while overriding or disabling driver input. They also examined scenarios in which malicious actors could exploit multiple components in a composite attack, including using the telematics unit to bridge multiple ECUs and to inject or wipe malicious code.
Czeskis (Ph.D., ‘13), who is currently a Staff Software Engineer at Google focused on authentication, identity, and protection of high-risk users, recalled both the audacity and novelty of what he and his fellow students were doing — particularly when it came to testing.
“We had to verify that our hypotheses and techniques would hold outside of the lab setting,” he explained. “That meant we often had to drive the car up to the computer science building, lift it on jack stands, and then repeatedly rev the engine and honk the horn for extended periods of time while puzzled students walked by.
“We also needed to test our techniques in a safe, real-world setting, so we took our car to a decommissioned airstrip,” he continued. “That involved signing a waiver acknowledging the ‘possibility of death’ as a graduate student while working on this project! Of course, we had appropriate safety precautions in place. As a motorcycle rider with protective equipment and perhaps a higher tolerance for risk than other members of the team, I ended up being the test driver at the airstrip and other test environments.”
The results of those tests ranged from annoying to downright alarming. For example, the team found through its stationary testing that it could gain control of the radio to deliver audible clicks and chimes at arbitrary intervals. The researchers also gained full control of the Instrument Panel Cluster (IPC), including the speedometer, fuel gauge and other displays, to deliver a message to a hypothetical driver that they had been “Pwned by CarShark.” The team found additional ways to interfere with functions that could compromise driver and passenger safety through an ECU called the Body Control Module. These included locking and unlocking the doors, adjusting or disabling the interior and exterior lighting, operating the windshield wipers, and engaging in the aforementioned horn honking.
While all this sounds frightening enough while stationary, the team demonstrated that they could do these things while the car was moving at 40 miles per hour. They also broke into the Engine Control Module which, as the name suggests, gave them control over the vehicle’s engine. Once they gained access to the ECM, the researchers were able to temporarily boost engine RPM, and even disable the engine completely. But the researchers didn’t stop there; they also infiltrated the Electronic Brake Control Module. That enabled them to lock individual brakes or sets of brakes — a capability they later demonstrated to great effect in a CBS “60 Minutes” segment featuring correspondent Lesley Stahl behind the wheel. They could also release the brakes and then prevent them from subsequently being enabled.
The team knew they were onto something big, but it took a while to figure out who they could go to with their findings. “When we started, we didn’t even know how to get in touch with the right people — if they even existed — at the manufacturer,” Koscher recalled. “It took the industry by complete surprise.”
They eventually did find the right people at GM, opting to initially share their findings directly with the company while declining to “name and shame” them in the paper released to IEEE Symposium on S&P and the public.
“It was clear to us that these vulnerabilities stemmed primarily from the architecture of the modern automobile, not from design decisions made by any single manufacturer,” Kohno explained. “It later came out that our model was from GM, but it was never just about GM. Like so much that we encounter in the security field, this was an industry-wide issue that would require industry-wide solutions.”
Those solutions, which can be directly traced to the UW and UCSD collaboration, include new standards for motor vehicle security, guidelines for original equipment manufacturers (OEMs), and the creation of the Electronic Systems Safety Research Division at the National Highway Traffic Safety Administration. And the impact of the team’s work continues to be felt to this day.
“I think it was a bit unexpected how impactful this work would be,” Koscher said. “Yoshi’s previous work included exploring vulnerabilities in pacemakers and voting machines, but progress had been slow in those industries. It wasn’t clear that automobiles would be any different.
“But it turned out this time was different. Shortly after disclosing the vulnerabilities we found, GM appointed a VP of product security to lead a new division of over 100 employees solely focused on improving the security of their vehicles,” he continued. “In 2012, DARPA announced their $60M+ High-Assurance Cyber Military Systems (HACMS) project, partially inspired by our work. The following year, industry security researchers began to replicate our work. But I think it finally hit me when DEF CON, the world’s largest hacker conference, introduced their Car Hacking Village in 2014.”
In addition to transforming an existing industry, the team’s work has also generated an entirely new one. “Our project spawned dozens of startup companies — and hundreds of jobs — focused on automobile security,” Savage noted.
Following the conclusion of the project, McCoy went on to join the faculty of New York University, while Shacham later left UCSD to join the faculty of the University of Texas at Austin. Anderson launched his own firm, Daniel Anderson Software Consulting, focused on creating independent iOS apps. Kantor later retired from UCSD after more than 30 years of service. He passed away last year.
“This work was really visionary at the time, and it proved to be a game-changer for industry, government, and academia,” Kohno concluded. “I like to think that was due to the high quality of the work, and how thoughtful we were in its execution.”
The team was formally honored today for that quality and execution in a virtual award ceremony during the IEEE Symposium on S&P 2020 online. Read the research paper here, view the team’s award acceptance here, check out the UCSD announcement here, and learn more about this and related work on the CAESS website here.
Congratulations to the entire team!