Could a Hostile Worm (e.g. STUXNET) Infect Automobile EECs?

Reading about the STUXNET worm, it was clearly cleverly designed. It sought out specific applications for Siemens controllers and gave them clear instructions to self-destruct the enrichment centrifuges… after which the worm erased itself.
Could such a worm/virus be developed to infect automobile engine control modules? Suppose one was developed (for Toyota controllers). This worm would instruct the engines to rev up to redline, and not allow the ignition to be cut off.
The results would be catastrophic: huge numbers of accidents, vehicles destroyed, etc. The worm would propagate via iPods plugged into the vES, a sobering thought!

Possible, perhaps.

But many such systems consist of embedded controllers running firmware burned into a memory device that isn’t field programmable. The only way to run a different program would be to remove one chip and substitute another.

And for such a worm to truly be destructive, it needs the ability to self-propagate from one vehicle to another. Since there is no path for this sort of communication, this seems unlikely.

vES?
Vehicle entertainment system?

I’d be willing to bet real money that there is no data connection between the iPod and the engine controller chip. In other words, they are two independent systems.

They’re not necessarily completely independent; usually there’s one or more gateways in there which separate the individual networks. Most common is separating the powertrain controls from the body controls, which uses things like the cluster or the main body control module as the gateway.

I read in a trade publication that there are many cases of counterfeit scan tools (expensive tools that can read and write information to the vehicle computer, used by mechanics). The tools were so well made that neither the mechanic nor the tool’s legitimate maker knew they were fake until they were sent in for warranty work and the tool maker opened them up. Until then the fake tool operated like the real deal, and accepted software intended for the real tool.

It would be easy for the maker of the fake tool to add malicious software so that it uploaded a worm when a car was in for service. If you also put a delayed trigger on the worm no one would know anything was wrong with the cars until a large number were infected.

We live in interesting times.

One part of the operation of STUXNet was that it was in two parts. It was a Windows worm. The initial security breach was with zero day vulnerabilities in Windows, and the worm’s propagation was Windows to Windows. It did not propagate PLC to PLC. The second part of its operation was attacking the PLC. The PLCs have essentially no security, and the infected Windows box was the machine specifically configured to control the PLC anyway. What is critical about a PLC is the “P”: they are programmable. So malware in the controller computer, the Windows box, was able to reprogram the PLC to operate differently.

The difference between this and a car system is the lack of programmability in a car system. There is no writeable code store. There are (in some cars) parameters that may be modified, but these are not a general purpose programming facility. The code that runs in the car is stored in non-modifiable ROM. Many embedded systems have a boot loader that will read the code from the ROM into RAM at boot time, and execute it from there, but it vanishes again when the system is reset. Cars are arguably interesting here, in that a modern car doesn’t completely reset each time it is started, but only when battery power is removed. However, the principle is clear. A PLC is specifically designed to be reprogrammed as part of its function. Car control systems are specifically designed not to be reprogrammable. The modchip industry for performance enhancements exists by supplying new ROMs.

The CAN bus scan tools used to diagnose and generally talk to the car controllers are not able to upload arbitrary code to the controllers. There is nowhere to put it. They can read and write specific parameters in the controller.

How/where is that worm going to be stored?

Sorry, but while this once was true, it is no longer true. ECUs on modern cars are programmable. Different car makers go about this in different ways, but modern control units are programmable.
On Volvos (what I am familiar with) a new control unit contains a boot loader and that is it when purchased. I have to hook up a factory tool, and order software from the factory to download it and make it work.
Now, could the scenario in the OP happen (load a virus via an iPod hooked to the audio system)?
No, for several reasons.
The CAN bus consists of two or sometimes three data networks. The engine control module is on the high speed bus. The audio is on either the mid speed or low speed bus. The Central Electrical Module is the gateway between high speed and the rest of the car. To program a module the car has to be put into prog mode by the factory tool. That instructs all the modules in the car to stop transmitting and just listen for instructions. Since the iPod can’t reprogram the Audio Module when the AUD is not in prog mode, and when the AUD goes into prog mode it turns off the iPod and other inputs, well, you just can’t get there from here.
Next, even if you could reprogram the AUD to send the instructions across the CAN bus when the car is in prog mode, the CEM only allows certain messages from the low speed side to transfer to the high speed side, and reprogramming the ECM is not on that list.
Finally, at least with Volvo, the ECM carries VIN specific security details. Very hard to reprogram with a generic programmer. The companies that sell high performance control units for Volvos make you send the unit in so they can physically open the box to do mods.
I have many fears in this life, but getting a virus from hooking up my iPod to my Volvo is not even in the top 100,000.
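The gateway allow-list and prog-mode argument in the post above, modelled as an added example that is not from any poster or vendor: a Python gateway that forwards only allow-listed CAN IDs from the low speed bus to the high speed bus and flags programming-session requests seen on the low speed side, where no legitimate tool would issue them. The candump-style frame format, the CAN IDs, the allow-list and the UDS (ISO 14229) session-request encoding are all assumptions; the thread names none of them.

```python
import re
from dataclasses import dataclass

# candump-style line: "(timestamp) bus ID#HEXDATA"  (assumed format)
FRAME_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<bus>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")

@dataclass
class Frame:
    ts: float
    bus: str       # "ls" = low speed bus, "hs" = high speed bus (constructed names)
    can_id: int
    data: bytes

def parse_frame(line: str) -> Frame:
    m = FRAME_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a CAN frame line: {line!r}")
    return Frame(float(m["ts"]), m["bus"], int(m["id"], 16), bytes.fromhex(m["data"]))

# Constructed allow-list: the only IDs the gateway passes from ls to hs
# (e.g. steering-wheel audio buttons, ambient temperature for the cluster).
LOW_TO_HIGH_ALLOW = {0x3A0, 0x3A1}

UDS_DIAG_SESSION_CONTROL = 0x10   # ISO 14229 service id
UDS_PROGRAMMING_SESSION = 0x02    # sub-function: programmingSession

def is_programming_request(frame: Frame) -> bool:
    """True if the payload is an ISO-TP single frame carrying
    DiagnosticSessionControl(programmingSession)."""
    d = frame.data
    if len(d) < 3 or (d[0] >> 4) != 0:   # only single frames (PCI type 0) checked
        return False
    return d[1] == UDS_DIAG_SESSION_CONTROL and (d[2] & 0x7F) == UDS_PROGRAMMING_SESSION

def gateway_forward(frames, allow=LOW_TO_HIGH_ALLOW):
    """Return (forwarded, alerts): frames from the ls bus that reach the hs bus,
    and one alert line per programming request seen on the ls side (always dropped)."""
    forwarded, alerts = [], []
    for f in frames:
        if f.bus != "ls":
            continue                     # hs traffic is never routed back through here
        if is_programming_request(f):
            alerts.append(f"{f.ts:.3f} programming-session request on ls from ID 0x{f.can_id:03X}")
            continue                     # dropped even if the ID itself is allow-listed
        if f.can_id in allow:
            forwarded.append(f)
    return forwarded, alerts

SAMPLE_LOG = [  # constructed traffic, not a real capture
    "(1.000) ls 3A0#0102",                 # allowed: forwarded
    "(1.010) ls 3A1#FF00",                 # allowed: forwarded
    "(1.020) ls 7E0#0210020000000000",     # programmingSession request: alert, dropped
    "(1.030) ls 5C0#AA55",                 # not on allow-list: dropped silently
    "(1.040) ls 3A0#0210020000000000",     # allowed ID but programming request: alert, dropped
    "(1.050) hs 0C0#1234",                 # already on hs: ignored by the ls->hs path
]
```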

Ford shares Volvo’s CAN architecture, so they work the same as you describe.

In the PCM’s flash memory. I’m only familiar with GM vehicles, but they have been flash programmable since the early ’90s. Before that the PCM SW was on an EPROM that had to be removed for reprogramming. So any GM vehicle from the last two decades can be completely reprogrammed via a scan tool.

But via an iPod or anything else that is not a scan tool and present on the correct bus? I highly doubt it, for the reasons in previous posts.