Car hacking is the new car jacking

Lisa R. Lifshitz
In many respects, today’s new cars are essentially mini-computers on wheels, containing vast amounts of computer chips, sensors, and nanotechnology controlled by thousands of lines of software code.

By 2017, it is estimated more than 60 per cent of cars and trucks will be connected to the Internet. To date there is (unfortunately) no single policy or set of industry standards that govern the security of these technology systems and as a result, “car hacking” — where hackers maliciously compromise the technological systems of cars — is becoming an increasingly growing concern of late.

Auto manufacturers have consistently downplayed the threat of hacker attacks on vehicles, insisting these networked cars are safe or alternatively that the hacking requires actual physical access to vehicles. However, as early as 2011 researchers at the University of Washington and the University of California at San Diego reported they were able to wirelessly penetrate and exploit a car’s systems via Bluetooth connections, cellular network telephone vulnerability, network ports used for car maintenance, and even internal CD players.

Hoping to use shame to spur some industry action, earlier this month Twitter security engineer Charlie Miller and Christopher Valasek, a director of security intelligence at IOActive, presented a study at the 2014 Black Hat USA security conference in Las Vegas, identifying car models they determined to be most vulnerable to a remote cyber attack.

These researchers (who, in 2013, had used a laptop plugged into the on-board data port of a Ford Escape and Toyota Prius to demonstrate they could honk the vehicles’ horns, disable their brakes, and take over steering), reviewed the schematics of 24 car models to assess the vehicles for evidence of cyber vulnerabilities.

Miller and Valasek rated each car under three distinct categories: “attack surface,” “network architecture,” and “cyber physical.”

A car’s wireless attack surface included the range of features that can be hacked, including Bluetooth, Wi-Fi, mobile network connections, key fobs, and tire pressure monitoring systems.

The network architecture included how much access these features give to the vehicle’s critical systems, such as the horn, the steering, and brakes.

Cyber physical meant capabilities such as automated braking and parking sensors that can be controlled using wireless commands.

Miller and Valasek then assigned each of the three categories a “plus” to indicate whether a vehicle is more susceptible to hacking or a “minus” if less vulnerable. (See their results and analysis in Wired).

On Aug. 8 at the DEF CON hacking conference in Las Vegas, following the release of Miller and Valasek’s report, a group of concerned security researchers and white-hat hackers called “I am The Cavalry” published an open letter to the automotive industry encouraging joint collaboration between car manufacturers and cyber-security industries.

Characterizing modern cars as “computers,” Cavalry noted as cars are increasingly connected by software and embedded devices, they are increasingly vulnerable to “malicious hackers, software flaws, and privacy concerns.” A car whose network system is connected to a cloud server and accessible by Bluetooth, cell networks, or Wi-Fi is potentially vulnerable to intrusion.

To combat this vulnerability, Cavalry proposed an “automotive cyber safety program” based on five key security strategies:
(i)    Safety by design — ensuring that car companies employ a secure software development life cycle, which includes adversarial resilience testing programs for their products and supply chain;
(ii)    Third-party collaboration — publishing a co-ordinated disclosure policy inviting third-party cyber-security researchers to collaborate with the automotive industry;
(iii)    Evidence capture — ensuring vehicle systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations;
(iv)    Security updates – ensuring vehicles can be securely updated in a prompt and agile manner after discovering flaws; and,
(v)    Segmentation and isolation — ensuring manufacturers use physical and logical isolation measures to separate critical systems from non-critical systems.

Cavalry particularly noted the “segmentation and isolation” requirement poses a problem in almost all current-generation vehicles, as most vehicles share the same memory, computing, circuitry, and controller area network. They commented a malicious infotainment application or a compromise over Bluetooth or wireless should never, for example, have the ability to take control over critical functions such as disabling the brakes, deploying airbags, or turning the steering wheel.

Hacking the infotainment system should never cause an accident but at present is a real possibility.

Automakers are slowly waking up to the problem. In July, Delphi Automotive LLP, Battelle Cyber Innovations, the Alliance of Automobile Manufacturers (representing 12 of the top car manufacturers), and the Association of Global Automakers announced they had formed a coalition to study cyber-security issues.

Some car manufacturers ignored Miller and Valasek’s report, while others publicly stated they would endeavour to verify the claims and if warranted, would remediate them.

The Alliance of Automobile Manufacturers has publicly stated car companies are well aware of the importance of cyber security  but to date has declined to comment on Cavalry’s letter and a search of the Alliance’s web site does not mention the group or the letter.

In the meantime, as one of the last people in Toronto who doesn’t actually own a car, I sometimes envy individuals, particularly in the summer, who can just jump in their vehicles and blissfully ride off to parts unknown. On the other hand, given the above security vulnerabilities, maybe not.