Vehicle forensics - decrypting the data memory of modern cars

by Michèle Trebo
on September 26, 2024

Keypoints

Experts use state-of-the-art technology to visualise the traces in the digital interior of the vehicles and thus provide answers to complex questions.

  • Vehicle forensics is used to analyse accidents, tampering and criminal offences
  • Vehicles are increasingly digitally networked and collect large amounts of data
  • CAN bus data as well as telemetry and infotainment data enable detailed analysis of driving behaviour and user activities
  • Cyber attacks on vehicles are possible via CAN bus and networked systems

Vehicle technology is becoming increasingly complex and networked. As a result, the amount of data that modern cars collect and store is also growing. This data is not only of interest to manufacturers and engineers, but also opens up new possibilities in forensics. Whether reconstructing accidents, investigating tampering or solving criminal offences – vehicle forensics helps to bring hidden information from the digital systems of vehicles to light. However, decoding this data requires technical expertise and legal intuition.

Digital treasure chest of modern cars

Modern vehicles are complex digital systems that continuously collect data via a large number of sensors. These sensors provide important information about the vehicle’s condition and driving behaviour, including speed, braking behaviour, steering angle and various parameters of the driver assistance systems.

CAN bus

The CAN bus (Controller Area Network) acts as a central data connection via which almost all electronic control units (ECUs) within the vehicle communicate. Due to its robust design and the use of two wires for differential signals, it has also become popular in other industries such as medical technology and heavy industry. Through reverse engineering and the use of specialised software, such as Wireshark, the data packets can be monitored and irregularities in the communication between the ECUs can be identified. This information provides deeper insights into the behaviour of the vehicle under different conditions. Ultimately, this data enables experts to create precise movement profiles and analyse critical events such as braking or acceleration.

Security vulnerabilities

Various investigations and demonstrations have shown how vulnerable modern vehicles are to cyber attacks, both through vulnerabilities in the CAN bus and through exploits in network systems such as Uconnect.

In a study and an accompanying presentation, security researchers demonstrated how they hacked a Jeep Cherokee by exploiting vulnerabilities in the vehicle’s Uconnect system. Using the mobile network and WLAN interface, they were able to take control of various vehicle functions, including the radio, air conditioning, windscreen wipers and even the brakes. The attack was made possible by security gaps in the CAN bus and in the firmware of the ECU. The zero-day exploit directly accessed the physical components of the vehicle. It was also emphasised that many vehicles are online by default, often without the owners’ knowledge, which facilitates such attacks. In addition to manipulating non-safety-critical functions such as the radio, they also showed how they could immobilise the vehicle or unlock the doors.

A presentation on similar vulnerabilities in the CAN bus system explains how faulty implementations of the Data Length Code (DLC) let attackers send manipulated messages to a vehicle’s electronic control units (ECUs). These gaps in firmware programming can allow attackers to overwrite critical variables and gain unauthorised access to vehicle functions.

In another example of the vulnerability of modern vehicles, a hacking collective discovered a vulnerability in a Tesla vehicle and demonstrated how they took control of functions such as the brakes, doors, dashboard screen and windscreen wipers from a distance of 12 miles. This attack was based on connecting the vehicle to a malicious Wi-Fi hotspot and on a web browser exploit.

Real incidents

One incident in particular illustrates the risks that can arise from security gaps in the CAN bus of vehicles. In this case, a vehicle was stolen through a vulnerability in the CAN bus. Attackers used a method known as CAN injection to gain access to the vehicle’s control units and start it. Using a weak point in the headlight wiring, they were able to manipulate the CAN bus and take control of the vehicle. CAN injection involves injecting fake data packets into the CAN bus that mimic the legitimate communication signals between the control units. In this way, commands such as unlocking the doors or starting the engine can be issued without the need for the physical key. The attack works because the control units accept the falsified signals as authentic, so the vehicle functions can be manipulated. Security researchers are working on implementing segregation in cars, particularly between infotainment systems and the engine control unit. A clear separation of these systems can help to increase the security of the vehicle and minimise the risk of access by unauthorised third parties.

The Kia Boys movement, fuelled by TikTok, has triggered a wave of car thefts, especially of Kias and Hyundais. The trend began in mid-2022 and is responsible for a significant increase in thefts. Attackers are using simple methods to steal the vehicles, such as removing plastic panelling and using USB cables to bypass the ignition.

Detecting attacks on vehicle communication systems, such as the CAN bus, requires in-depth knowledge of the internal protocols and specialised tools for monitoring and analysis. By specifically analysing this communication data, forensic investigators can prove and trace manipulation of the CAN bus. The identification of weak points in the ECU firmware also plays a role here. The findings from the analyses are not only important for security researchers, but also for vehicle manufacturers who need to protect their systems against possible attacks. For vehicle forensics, these vulnerabilities offer the opportunity to read out and analyse relevant data in order to investigate incidents such as criminal offences or manipulation.
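As an added illustration (not code from the article or from the cited presentations), the Python below applies two checks an investigator might run over a CAN capture: frames whose raw DLC exceeds the eight data bytes classic CAN can carry, which relates to the DLC handling described above, and frames that arrive far earlier than an ID's usual period, a common sign that extra frames were injected alongside the legitimate sender. It assumes a candump-style text log in which a raw DLC above 8 is written as a `_X` suffix, as recent can-utils versions do; the IDs, payloads, timestamps and the function names `parse` and `analyse` are constructed for this example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed capture (not real vehicle data): 0x244 is nominally sent every 100 ms.
SAMPLE_LOG = """\
(100.000) can0 244#0000000000
(100.100) can0 244#0000000000
(100.200) can0 244#0000000000
(100.250) can0 1A0#1122334455667788_F
(100.300) can0 244#0000000000
(100.310) can0 244#FFFFFFFFFF
(100.400) can0 244#0000000000
(100.410) can0 244#FFFFFFFFFF
(100.500) can0 244#0000000000
(100.600) can0 244#0000000000
"""

# (timestamp) interface ID#DATA, optionally followed by _X = raw DLC nibble (assumed notation)
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)(?:_([0-9A-Fa-f]))?$")

def parse(log):
    """Yield (timestamp, can_id, payload_len, dlc) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, can_id, data, dlc = m.groups()
            n = len(data) // 2
            yield float(ts), int(can_id, 16), n, int(dlc, 16) if dlc else n

def analyse(log, ratio=0.5, min_gaps=4):
    """Return (dlc_findings, timing_findings) for a classic CAN capture."""
    stamps, dlc_findings, timing_findings = defaultdict(list), [], []
    for ts, can_id, n, dlc in parse(log):
        if dlc > 8 or n > 8:          # classic CAN never carries more than 8 bytes
            dlc_findings.append((ts, can_id, dlc))
        stamps[can_id].append(ts)
    for can_id, times in stamps.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:      # too few frames to learn a period
            continue
        period = median(gaps)         # median resists a few injected frames
        for t, gap in zip(times[1:], gaps):
            if gap < ratio * period:  # frame arrived far earlier than expected
                timing_findings.append((t, can_id, round(gap, 3)))
    return dlc_findings, timing_findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Event-triggered (non-periodic) IDs will produce false positives with the timing check, so findings need to be confirmed against the payloads and the vehicle's message catalogue.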

Infotainment and telematics systems

In addition to mechanical data, modern vehicles also store a wide range of digital information, which is managed via infotainment and telematics systems. This includes, for example, the last location of the vehicle or the call lists of a connected mobile phone. Telematics systems continuously record data on driving behaviour and the condition of the vehicle. The so-called Event Data Recorder (EDR) is particularly relevant in this context. It records information such as speed, brake application and seatbelt activation, especially in the seconds before an accident. This data is comparable to the recordings of a flight recorder. An EDR continuously stores data for short time windows, usually 20 seconds before an accident, and then overwrites old information. In the event of an accident, the stored data is retained and is available to investigators to reconstruct the course of the accident. EDRs are usually integrated into the vehicle’s airbag control unit and are now standard in modern vehicles.

Recognising manipulation

Vehicle manipulation is an increasingly relevant topic in forensics. Data can be manipulated or falsified, for example to change the mileage or modify the software in such a way that exhaust emission values are manipulated.

The Dieselgate scandal in particular showed how far-reaching and systematic these manipulations can be. The manipulation of odometer readings is one of the most common forms of fraud in the vehicle market.

However, modern vehicles store the mileage in several places so that discrepancies can be recognised. A forensic investigation of the digital systems can prove manipulation by comparing various data sources.

Future and challenges

With the increasing introduction of autonomous vehicles and ever more complex vehicle control systems, the importance of vehicle forensics will continue to grow. Increasing amounts of data are being collected, but the challenge is to make sense of this information while ensuring data protection. The use of vehicle data for forensic purposes requires a careful balance to be struck between the interest in investigating accidents and criminal offences and protecting the driver’s privacy. In Switzerland, access to such data is subject to strict regulations. This information may only be used without the express consent of the vehicle owner in clearly defined cases, such as after serious accidents or if criminal offences are suspected.

Summary

Modern vehicles are increasingly digitally networked and collect extensive data, which is used not only for technical purposes, but also for forensic analysis of accidents, manipulation and criminal offences. Experts can access this data and decode information using specialised tools and techniques. The communication protocols in the vehicle, such as the CAN bus, play a decisive role here. At the same time, there are significant security vulnerabilities, which make vehicles vulnerable to cyber attacks. The forensic investigation of modern cars therefore offers valuable insights, but faces technical and legal challenges.

About the Author

Michèle Trebo

Michèle Trebo graduated from the ZHAW with a bachelor’s degree in computer science and a master’s degree in business informatics and worked for six years as a police officer in cybercrime investigation and analysis. She is responsible for research on criminalistic topics such as darknet, cyber threat intelligence, investigations and forensics. (ORCID 0000-0002-6968-8785)
