Traffic infrastructure: opening up to the world
In high-end cars, the infotainment and navigation systems are connected to both the CAN network and external public networks. The infotainment components communicate via the driver’s mobile phone or headset, and they receive software updates from their vendors. With information provided by the CAN network, it is possible to turn up the music volume when driving faster or upon entering rough terrain. Autonomous vehicles take this a step further: they will communicate with the traffic infrastructure to steer and protect the car.
So suddenly a car’s CAN network provides a number of potential entry points for malicious intruders. Communication with the outside is done via Bluetooth or IP networks, some of which may connect to the Internet. And the Internet, if anything, is a highly untrusted network. The CAN bus and its hardware and software components were not designed to operate in such an unsafe environment. CAN offers no actual form of authentication or authorization. If a syntactically correct CAN message arrives at the car’s brake system, the brake system simply assumes that the message is legitimate and stems from a trusted source.
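To make the missing authentication concrete, the following added example (not code from the original article or from any vehicle vendor) puts a receiver that trusts every well-formed frame beside one that also demands a keyed tag and a fresh counter. The hardened receiver goes beyond the text and shows one common mitigation pattern; the identifier `BRAKE_CMD_ID`, the payload layout, the demo key and the `toy_tag` function are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* What a receiver sees of a classic CAN data frame: identifier, length,
 * up to 8 data bytes. Nothing in it identifies the sending node. */
struct can_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

#define BRAKE_CMD_ID 0x120u /* hypothetical identifier, not from any real car */
static const uint8_t KEY[16] = "constructed-key"; /* constructed demo key */

/* Receiver as the text describes it: a well-formed frame is trusted. */
int accept_plain(const struct can_frame *f) {
    return f->id == BRAKE_CMD_ID && f->dlc >= 1 && f->dlc <= 8;
}

/* Toy keyed tag (FNV-1a over key, counter, payload). It stands in for a
 * real MAC such as AES-CMAC and is NOT cryptographically secure. */
static uint32_t toy_tag(uint8_t ctr, const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof KEY; i++) h = (h ^ KEY[i]) * 16777619u;
    h = (h ^ ctr) * 16777619u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Assumed layout: data[0..2] payload, data[3] counter, data[4..7] tag. */
void build_auth(struct can_frame *f, uint8_t ctr, const uint8_t payload[3]) {
    uint32_t tag = toy_tag(ctr, payload, 3);
    f->id = BRAKE_CMD_ID; f->dlc = 8;
    memcpy(f->data, payload, 3);
    f->data[3] = ctr;
    memcpy(&f->data[4], &tag, 4);
}

/* Hardened receiver: also requires a fresh counter and a matching tag. */
int accept_auth(const struct can_frame *f, uint8_t *last_ctr) {
    uint32_t got;
    if (f->id != BRAKE_CMD_ID || f->dlc != 8) return 0;
    uint8_t step = (uint8_t)(f->data[3] - *last_ctr);
    if (step == 0 || step > 127) return 0;          /* replayed or stale */
    memcpy(&got, &f->data[4], 4);
    if (got != toy_tag(f->data[3], f->data, 3)) return 0; /* no valid tag */
    *last_ctr = f->data[3];
    return 1;
}
```

With only 8 data bytes per classic CAN frame, the tag and counter take up most of the payload, which is one reason authentication is hard to retrofit onto existing CAN traffic.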
Moreover, car network processors are designed to be very small and inexpensive, just good enough for their task, and to consume as little power as possible. They usually run tiny operating systems and some communication and control applications. They don’t feature memory protection or an isolated sandbox to run processes in. Every application, including one that shouldn’t be there, is able to access and rewrite the complete processor memory.