Exactly. Even if a "compromised" node does not have direct *physical* access to a "special" bus, the fact that the compromised node can effortlessly masquerade as ANY node on the bus(ses) to which it has direct contact means any other gateway/bridge nodes *will* propagate forged messages that it generates *to* that "other bus" AS IF the messages were created by the genuine node instead.
This also assumes those gateway nodes are smart enough to recognize *specific* traffic on "bus #1" as only legitimate *on* bus #1. I.e., if a node on bus #1 forges a message that a node on bus #2 would normally generate, the gateway *may* be naive enough to transport the message across the protection domain even though it was detected on the "wrong" bus! Because the code is written to assume that traffic on bus #1 is legitimate, regardless of content (security vulnerability).

Looking at a factory service manual for a Nissan Murano (we're in the market for a new vehicle so I've been reading a lot of service manuals) shows one or two CAN busses (depends on whether or not the vehicle has the Advanced Driver Assistance System (ADAS) installed -- gizmo that acts as a proxy for the driver). The *first* CAN bus always has the following nodes:
- Engine Control Module
- Antilock Brake System
- Tranny Control Module
- Steering Angle Sensor
- All Wheel Drive Control Unit
- Automatic Backdoor Control Module
- Combination Meter (this is a display)
- Power Steering Control Module
- Audio / Visual Control Unit
- HVAC Control
- Body Control Module
- Intelligent Power Distribution Module
When the ADAS is present, it resides on a separate CAN bus along with the Driver Seat Control Unit and a Gateway Module (to the first bus).
So, hack any of these modules -- regardless of how "critical" they are for the vehicle to "operate as a means of transportation" -- and you can effectively masquerade as *any* of the other nodes on the same physical bus. And, potentially, as any node on the "other" bus as well! I.e., if the A/V Unit is hacked and emits a message that *should* have originated from the ADAS *via* the gateway, how can any node on the first bus know that it was NOT propagated to the bus by the gateway? How does any node know that it was not generated *by* the ADAS???
See above. Physical separation/isolation doesn't buy you anything. The (e.g., CAN) protocols don't authenticate the sender/recipient. You have to layer an additional protocol on top of it to even *begin* to address these issues. And, why would you do so -- *if* your design attitude is that "connection to the bus indicates your authority to *use* that bus"??

The recent alleged airliner hacks took advantage of this "design naivete" -- "if we see a command on the network that tells us to fly sideways, we'll assume it was generated by whatever would legitimately create such a command; NOT some guy sitting in the coach cabin hacking into the in-flight ENTERTAINMENT SYSTEM!"
And a "firewall" can be any sort of packet filtering mechanism that may, in fact reside anywhere in the network. E.g., a VPN effectively gives you a secure tunnel (which may or may not be encrypted).
This is why I took the action of embedding authentication protocols in my network fabric (which is physically secure). So, you can subvert any node that you can gain access to (physically, etc.) and ONLY forge the transactions in which the compromised node could legitimately participate!
E.g., in my world, the A/V Unit would never be able to generate the "Transmission is in Park" message (well, it *could*... but the fabric would never route that message to anything that would recognize it *as* the "Transmission is in Park" message and act on it as if true!) Instead, you'd be able to claim the user is calling for the "Rear Window Defogger" to be active; or the "ACbrrr Active" signal; etc. (i.e., the signals that the A/V Unit *does* legitimately emit on that vehicle!)
[In my case, this assumes you have also cracked the rolling encryption keys to even *generate* CURRENTLY RECOGNIZABLE forms of those messages! If you appear to be spewing gibberish (bad keys), then your node is intentionally and deliberately cut off from the rest of the system; it's either malfunctioning or has been compromised! (Imagine a VPN for each virtual communication path in the system, enforced in the *fabric* itself!)]
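The two ideas in the post above (a gateway that only bridges an ID from the bus it is native to, and a fabric that binds each message ID to the one node allowed to emit it) can be sketched as a small Python model. This is an added example, not the poster's own fabric code and not Nissan's design: the arbitration IDs, node names, per-node keys, the 4-byte truncated HMAC and the per-ID counter used for freshness are all constructed assumptions. The poster describes rolling keys; here a monotonic counter under the HMAC stands in for that freshness mechanism. The point the model shows is the one the post makes: a compromised A/V unit can still emit its *own* legitimate signals, but its attempt to claim "Transmission is in Park" is rejected because the receiver checks that ID against the transmission module's key, and its attempt to inject an ADAS ID on bus #1 is dropped by the gateway because that ID is not native to bus #1.

```python
import hashlib
import hmac
import struct

# Constructed CAN-style arbitration IDs (hypothetical, NOT the vehicle's real IDs).
ID_GEAR_STATUS = 0x1A0   # only the Transmission Control Module may emit this
ID_REAR_DEFOG = 0x3C2    # the A/V unit legitimately emits this
ID_ADAS_CMD = 0x540      # emitted by ADAS on bus 2, bridged to bus 1 by the gateway

# Fabric policy: which node is the one legitimate source of each ID,
# and which bus each ID is native to.
ALLOWED_SENDER = {ID_GEAR_STATUS: "TCM", ID_REAR_DEFOG: "AVU", ID_ADAS_CMD: "ADAS"}
NATIVE_BUS = {ID_GEAR_STATUS: 1, ID_REAR_DEFOG: 1, ID_ADAS_CMD: 2}

# Constructed per-node keys (assumption: provisioned out of band, never shared).
KEYS = {"TCM": b"tcm-key-constructed", "AVU": b"avu-key-constructed", "ADAS": b"adas-key-constructed"}

MAC_LEN = 4  # truncated tag so id+counter+payload+tag fits a small frame (assumption)


def _tag(key, can_id, counter, payload):
    """HMAC-SHA256 over (id, counter, payload), truncated to MAC_LEN bytes."""
    header = struct.pack(">HI", can_id, counter)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


def make_frame(sender, can_id, counter, payload):
    """A node builds a frame tagged under ITS OWN key. A compromised node can
    call this with any id, but only ever holds its own key."""
    return {"id": can_id, "counter": counter, "payload": payload,
            "mac": _tag(KEYS[sender], can_id, counter, payload)}


class Receiver:
    """A node on the bus: derives the expected sender from the id, verifies the
    tag under that sender's key, and rejects stale/replayed counters."""

    def __init__(self):
        self.last_counter = {}

    def accept(self, frame):
        sender = ALLOWED_SENDER.get(frame["id"])
        if sender is None:
            return False, "unknown id"
        expected = _tag(KEYS[sender], frame["id"], frame["counter"], frame["payload"])
        if not hmac.compare_digest(expected, frame["mac"]):
            return False, "bad mac for id 0x%X (not from %s)" % (frame["id"], sender)
        if frame["counter"] <= self.last_counter.get(frame["id"], -1):
            return False, "replayed or stale counter"
        self.last_counter[frame["id"]] = frame["counter"]
        return True, "ok"


def gateway_forward(frame, seen_on_bus, to_bus):
    """Bridge policy: forward an id only if it was seen on the bus it is native
    to. The naive gateway in the post forwards whatever it sees; this one does not."""
    native = NATIVE_BUS.get(frame["id"])
    if native is None or native != seen_on_bus:
        return False, "id seen on wrong bus"
    if native == to_bus:
        return False, "not a cross-bus id"
    return True, "forwarded"


def demo():
    """Walk through the scenarios from the post; returns a dict of (accepted, reason)."""
    rx = Receiver()   # some node on bus 1 that acts on gear status
    out = {}
    genuine = make_frame("TCM", ID_GEAR_STATUS, counter=7, payload=b"\x01")  # constructed 'Park'
    out["genuine_tcm"] = rx.accept(genuine)
    # Compromised A/V unit claims the transmission is in Park, tagged with the only key it has.
    out["forged_gear_from_avu"] = rx.accept(make_frame("AVU", ID_GEAR_STATUS, 8, b"\x01"))
    # Its own legitimate signal is still accepted.
    out["avu_own_defog"] = rx.accept(make_frame("AVU", ID_REAR_DEFOG, 1, b"\x01"))
    # An ADAS id injected on bus 1: not bridged by the gateway, and fails the tag check.
    adas_fake = make_frame("AVU", ID_ADAS_CMD, 1, b"\x00")
    out["adas_cmd_on_bus1_gateway"] = gateway_forward(adas_fake, seen_on_bus=1, to_bus=2)
    out["adas_cmd_on_bus1_receiver"] = rx.accept(adas_fake)
    # Replaying the genuine frame (same counter) is rejected.
    out["replayed_tcm"] = rx.accept(genuine)
    # Genuine ADAS frame seen on its native bus 2 is bridged and accepted on bus 1.
    adas_real = make_frame("ADAS", ID_ADAS_CMD, 3, b"\x00")
    out["adas_native_gateway"] = gateway_forward(adas_real, seen_on_bus=2, to_bus=1)
    out["adas_native_receiver"] = rx.accept(adas_real)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s %s" % (name, result))
```

The receiver never trusts a sender field in the frame (CAN has none); the ID alone determines whose key must verify, which is what makes "masquerade as any node on the same bus" fail at the fabric layer even though nothing stops the compromised node from putting the bits on the wire.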