Everything We Want Out of Automotive Vehicles Makes Us More Vulnerable
It’s a given that the modern automobile is becoming a computer on wheels. The 100 million lines of code found in the various computer systems within a modern vehicle validate that assessment. That means, like a computer, they are vulnerable to hacks from malicious outsiders. Of course, rebooting a computer is just annoying. Losing control of your car while driving down the freeway is another issue entirely.
The accelerated development of autonomous cars, which by definition are filled with more connected technology than a dozen iPads, has upped the ante. The vulnerable systems, which include sensors, processors, various communications applications, and control systems, open multiple entry points for hackers. On top of this, the connections with other vehicles, the roadway, infrastructure, and mapping systems that are critical to self-driving cars add to the points of entry. Finally, once a hacker gains access to the control systems, he can affect the vehicle’s speed, steering, and braking.
These are cars that must be connected to the environment around them and to the cloud that aids their attempt to replicate a human driver’s brain. They have to transmit terabytes of data through the delicate nervous system of wired and wireless connections to make everything work seamlessly. Every connection, even those that may not leave the car, creates a potential point of vulnerability.
This is further complicated as each new generation of software is introduced (remember, these vehicles are working on a Silicon Valley development timeline measured in weeks, as opposed to the traditional automotive cycles that run into years).
All of these are known problems and the automotive and technology industries have spent millions trying to deal with these security issues. It’s an open question whether they’re getting ahead of the problem.
The Bad News: Hackers Are Good
So here we are in 2018—automotive hacking has become more ubiquitous. The cars are more complex, which seems to present more of a challenge to the hacker community. It’s been more than two years since some white hat (good guy) hackers took over control of a Jeep cruising down the road at 70 mph to demonstrate the vulnerability of that car’s system. More than a million cars were recalled to install a new security patch after that. Hacks to the sophisticated Tesla system (which employs over-the-air updates or OTA) have included a relatively simple demonstration of stealing the vehicle by hacking into the owner’s cell phone. The pitch was simple—download this software to get a free hamburger at your favorite drive-through. However, now along for the ride is malware that allows external access to your cell phone and your car.
The features that Tesla and other automakers dangle before their owners, such as Autopilot, Wi-Fi, and LTE internet connectivity (and OTA), are creating more connections within and without the car. Love your SiriusXM connection? There’s another.
One of the companies focusing on helping plug these potential leaks sums it up: “Connected and autonomous vehicles require some of the most complex software ever developed, creating a significant challenge for automakers, who must ensure the code complies with industry and manufacturer-specific standards while simultaneously battle-hardening a very large and tempting attack surface for cybercriminals,” said BlackBerry Executive Chairman and CEO John Chen. Defining the problem is relatively easy for an array of companies now aligned as the good guys riding to the rescue:
“There are more than a dozen clearly defined attack surfaces that can provide points of entry for hacking into a passenger vehicle, and the number is growing fast. We are supporting our OEM customers with our differentiated software platform to address the cybersecurity challenge inherent to connected and autonomous vehicle development. We are developing a network of partners and collaborating specifically with LGE to ease the integration work for our customers and provide a comprehensive cybersecurity solution,” said Olivier Rabiller, Honeywell Transportation Systems president and CEO.
The Problem is Well-Defined. The Solution? A Work in Progress.
The situation is pretty clear. Automotive connected system developers work in “best-case” scenarios, which allows them to build the most interesting and useful applications for the modern car. That leaves industry to clean up.
The auto industry’s point person/organization is Auto-ISAC (Information Sharing and Analysis Centers), a group formed with government support to share information about cyber and physical threats and ways to combat them. The group has set up a 24/7 warning system and protocols for sharing information and best practices for dealing with intrusions.
The broader goal of the group is to develop a “cybersecurity culture” at auto companies and suppliers, one where cybersecurity becomes part of the life cycle of vehicle development and testing. They’re two years into a program using a secure portal to report and discuss threats, sharing information with the Department of Homeland Security. The philosophy is “one company’s detection is another’s prevention.”
Clearly, they have to step up because of what they see in the field:
Mobile apps used to control car features (like remote start) are proliferating and can expose data and vehicle functions if they’re not properly secured.
Apps can now be downloaded to your car’s infotainment system, potentially including embedded malware.
On-Board Diagnostic (OBD) dongles are harder to get to (typically, you have to be in the car), but they provide access to the critical CAN bus that controls the car’s operating functions.
Key fobs that use a signal to open car doors are vulnerable to hacking, giving access to the vehicle.
These attacks are coming from a variety of sources—nation-states, criminals, and malicious “hacktivists.” The goals range from stealing objects in a car to car theft to holding the vehicle hostage for ransom. Another potential is absconding with personal information that might be loaded into your car’s advanced systems, such as credit card information or other personal data. Look a short distance into the future and you could imagine criminals redirecting self-driving cars to a local chop-shop or sending a ransom note to the owner, asking “if they ever want to see their car again.”
Stop This—I Want to Get Off
This all sounds pretty bleak, but there are methods of prevention—and they are working. Like many operations in the broader security field, you only hear about failures while the successes are happening silently in the background. If you or your friends haven’t had your car hacked, you can thank this army of diligent stewards trying to build a system that not only works to give you the great features you expect but protects the privacy of your data and isolates you from intruders. As LG and Honeywell outlined, they’re focused on “next generation” cybersecurity solutions that combine “gateway” protection along with threat monitoring that secures hardware from external attacks.
Companies like Argus, an Israel-based tech security company, make it clear that there are no 100 percent security guarantees. That said, their products are being used by a variety of auto companies and suppliers around the globe. The different elements of the system defend the infotainment and/or telematics systems from malware, protect the electronic control units (ECUs) from inside or outside attacks, and secure the in-vehicle network.
One positive glimpse of the future took place during the media preview of the Los Angeles Auto Show last year. A room full of more than one hundred 20- and 30-somethings sat around tables in teams of six or eight. It was the Hackathon, sponsored by Honda, challenging the teams to build mobility apps to help modern drivers navigate the city of Los Angeles. Those same coding skills are going to help some of the folks in that room join industry efforts to build more secure networks inside and outside of the car. These coders know what they want and they know how to protect it. That’s our hope for the future.
Along with new fuel sources for our trucking fleet come newer, smarter onboard diagnostics and mobile apps — which, unfortunately, are attracting hackers. Honda’s Hackathon presentation at the 2017 LA Auto Show called direct attention to the threat — and how to secure our fleet.