GPS satellite navigation devices have become an indispensable part of everyday life for millions of drivers the world over. Without these little technological route planning miracles, many of us would literally crash and burn as we struggled to regain control over that map while driving too fast and drinking a large cup of coffee simultaneously. OK, so that might be exaggerating things a little, but the truth is that most 21st Century drivers are dependent upon satellite navigation to get from A to B. Efficiency is the key here, and systems that incorporate Radio Data System (RDS) Traffic Message Channel (TMC) data have become de rigueur over the pond in Europe and gaining strength in North America as well.
Which is why the tech and automobile world get more than a little fidgety when word of a spanner in the satnav works leaks out. Take my revelation in January that some TomTom Go 910 devices were being sold complete with a Trojan or two pre-installed, with the full knowledge of the manufacturer which had decided not to come clean and ‘fess up until pushed by the global fuss this blog entry caused. Yet that was a security exploit that merely used the satnav device as a distribution channel, a means by which to get onto a Windows based host computer where it could do some damage. The satnav device itself, running on a Linux based OS, was safe from actual harm. Imagine then, if someone could come up with an exploit that caused real problems for the driver and was entirely focused on the satellite navigation device itself as the means for delivery.
Imagine no more, as two Italian hackers have done just that at the Vancouver CanSecWest conference this week.
It’s a neat twist on the kind of data injection exploits that have plagued online computer users for years, and to be frank the simplicity is perhaps the most worrying aspect as it means it can easily be copied by those who would do you harm. Harm as in sending you wrong directions, creating a virtual accident to ensure your vehicle is sent on an alternate route to avoid the non-existent delays, and well, the possible consequences are only too obvious in a world obsessed by the fear of terror attack.
Using just a RDS encoder costing a few dollars, a hand-held antenna of the type well known to any self-respecting drive by hacker and an equally cheap and readily available FM transmitter, the hackers have demonstrated how data can be encoded into the FM signals required to inject it into the RDS TMC stream. The TMC encryption is so simple it can be easily broken by anyone sampling just the smallest amount of data and having the smallest idea of what they are doing, because it exists for discriminatory rather than authentication application. Even if you cannot break the encryption it need not be a great problem considering that TMC terminals will accept unencrypted data anyway from what I have been told about the way they work.
During the presentation entitled ‘Unusual Car Navigation Tricks: Injecting RDS-TMC Traffic Information Signals’ Andrea Barisani and Daniele Bianco from Inverse Path not only demonstrated the obscure and scary messages that can be broadcast to drivers, but also the limitations of standard satnav systems when flooded with these unusual messages. In their abstract the pair even jokingly mentioned how hitmen in the audience would love the role that RDS TMC injection and jamming could play in a social engineering scam. I would add terrorists to the list of laughing out loud observers.
While there are some specific requirements in order to successfully inject data into the RDS TMC stream, not least knowledge of the codes that denote particular events to be flagged to the end user, these are not that hard to come by if you have access to Google. The plain truth is that whether you wanted to induce panic by popping up an alert on myriad drivers’ satnav device screens about a bomb alert, and the consequential potential for accidents and freeway mishap, or send a specifically targeted vehicle along a different route (terrorist ears are already pricking up) then this hack makes it all too easily possible.
So far, and quite predictably, the satellite navigation device manufacturers and routing software developers have remained unavailable for comment. But then it is a weekend, so maybe the news will have found an efficient route to their desks by Monday and the comments will come thick and fast.
In the meantime, I urge bloggers who care about security to kick up as much fuss about this as possible. If we let it wash over us as just another story, then we could find ourselves writing about a much more serious satellite navigation inspired terrorist story in months to come…