It’s been five years since the first reports of car hacking emerged, but despite progress in vehicle protection standards, automotive cyber-security remains on high alert.
New vehicles are packed with so much ICT that they are effectively ’data centres on wheels. They run millions of lines of onboard software: from advance driver assistance systems and engine sensors, to satnav and infotainment. Connected cars also process large volumes of incoming-outgoing data that flows through computerised componentry to ensure they arrive safely and efficiently at journey’s end.
Such ‘smart’ technology relies on bidirectional wireless links to communicate with devices and services in the wider world. However, they also make a vehicle more hackable as the extra functionality extends the ‘attack surface’ that cyber threats target. Each new service/capability brings new entry points: new data breach opportunities. Meanwhile, automotive smartphone apps and online support services have introduced back-end bugs exploitable by hackers intent on remote manipulation of a road vehicle’s inner technology.
According to Upstream Security’s ‘Global Automotive Cybersecurity Report 2020’, the number of known automotive cyber-security incidents almost doubled between 2018 and 2019. The study’s research team analysed 367 publicly reported automotive cyber-attack incidents since 2010, 155 of which are from 2019. These latest figures equate to a 94 per cent year-on-year growth.
Increases in the number of connected vehicles should be factored in. According to Juniper Research, 775 million consumer vehicles will be connected by 2023 – that’s up from an estimated 330 million in 2018. Most new 2020 models in the US will be internet-connected. The three top-selling US manufacturers, General Motors, Ford and Toyota, represent nearly 50 per cent of the home market sales, and will sell only connected vehicles by 2020. Other brands are not far behind – Fiat Chrysler Automobiles says it will provide connectivity in all its vehicles globally by 2022. Furthermore, some 90 per cent of Renault-Nissan-Mitsubishi vehicles will also be connected by 2022, the automotive alliance promises.
The potential for connected vehicles to be hacked became a reality back in 2014, when security researchers reported on electronic vulnerabilities in the connected car concept.
Published in early 2015 by the IET and Knowledge Transfer Network, the thought leadership review ‘Risk Perspectives for Connected Vehicles’ outlined many of the threat vectors and possible outcomes of the connected car concept for the first time. It was based in part on inputs from more than 50 experts from a range of engineering and technical disciplines. As well as a survey of inherent technological vulnerabilities, the report also focused on the motives that would cause cyber criminals to target a connected car’s security vulnerabilities. They included vehicle theft, data theft, denial-of-service/extortion, fraud and vehicle ID re-assignment.
The ‘Risk Perspectives for Connected Vehicles’ review concluded that the automotive sector would have to address some major challenges if it were to make products that could be sold as truly cyber-secure.
The study also highlighted the fact that efforts to re-engineer vulnerable components to be safer would be conditioned by the automotive industry’s lengthy product development cycles: it could be years before more cyber-secured cars rolled off production lines. Each new feature or enhancement would attract some hacker’s attention, be they White Hat (benign) looking to highlight a vulnerability for the common good, or a Black Hat (malicious) hacker out to steal data, extort ransom, or to just prove a point.
Furthermore, automotive cyber-security reference models that defined the nature of the problems and informed a best-practice approach would have to be developed from scratch. This meant setting up industry bodies and working groups – bodies that brought road vehicle experts together with IT security specialists, such as Auto-ISAC (Information Sharing Advisory Centre).
Bug bounties expose vulnerabilities
Bug bounties are initiatives where a company offers a monetary award to hackers and researchers who find and report security vulnerabilities in their products.
Uptake of bug bounties also exposes the large number of vulnerabilities that exist. Ford, for instance, had more than 1,500 solved reports since it began to submit bug bounties in January 2019. General Motors has a reported 1,030 vulnerabilities resolved, but like Fiat Chrysler Automobiles, commenced its bounty programme in 2016.
Most brands might prefer not to disclose the number and nature of vulnerabilities discovered by third-party bounty hunters. Electric car specialist Tesla, however, adopted the opposite approach. It coincides bounties with high-profile IT security and hacker events, and leverages the media attention such events attract to reinforce its brand assurance.
In March 2019, the company offered bug hunters at Pwn2Own, a hacking contest held at the CanSec West conference (Vancouver), the chance to bag a Tesla Model 3 sedan if they could demonstrably hack into the car and identify vulnerabilities. The car had a sale value of approximately $44,000 (£34,000); previous Tesla bug bounty rewards ranged up to $15,000 (£11,600).
Automotive companies also faced – and continue to face – organisational cyber-security challenges, such as recruiting in-house IT-security expertise, as well as forming partnerships with cyber-security solutions providers. “Recruiting enough cyber-security experts in the automotive domain where, globally, there is already a shortage of cyber-security experts, is daunting,” says Dennis Kengo Oka, senior solution architect at Synopsys. “They must find, hire and train people with both automotive process, technology and safety understanding and cyber-security understanding.”
A 2019 survey by Synopsys and SAE International, on IT security practitioners and engineers employed in the automotive industry, found that 84 per cent of those polled have concerns that their organisations’ cyber-security practices “are not keeping pace with evolving technologies”. It also found that 30 per cent of organisations do not have an established cyber-security programme or team, and for 63 per cent test less than half of the automotive technology they develop is for security vulnerabilities.
Because they are directed through a wireless connection (which itself may be required to be hacked to gain access), hackers exploit the connectivity that exists to facilitate over-the-air vehicle software updates and bidirectional data exchange. Such remote attacks have consistently outnumbered physical attacks since 2010 and accounted for 82 per cent of all attacks in 2019, according to Upstream Security’s ‘Global Automotive Cybersecurity Report 2020’.
To enable such complex contact, connected vehicles are equipped with different wireless communication systems, such as dedicated short-range communications (DSRC40), visible light communication, image sensor communication, Bluetooth and Wi-Fi or mobile communication technologies (e.g. 3G, 4G, 5G).
Key to most automotive hacks is gaining control of a vehicle’s multiple engine control units (ECUs). Among the first standardised pieces of computer componentry to be fitted to production automobiles, ECUs receive inputs from the driving function sensors and adjust the actuators (control signal-activated components) which control a car engine’s physical mechanisms; before ECUs, engine-management functions were mechanically controlled.
ECU operations are centralised by a controller area network (CAN) bus, across which all of a vehicle’s data is trafficked. CAN buses allow microcontrollers and devices to communicate with each other’s applications using a message-based protocol, but without a host computer. This makes them the epicentre of vehicular connectivity – and, in cyber-security terms, a single point of vulnerability. Typical CAN buses are insecure because they have no segmentation/boundary defences, no device authentication function and no encryption. What differentiates the CAN bus from other network bus topologies is that data constantly passes over the CAN bus whether or not it is functionally requested.
“This means that car’s window switches have a potential path of communication to the brake controller, the entertainment system has a channel to the vehicle’s airbags, and so on,” explains the SANS Institute’s ‘Developments in Car Hacking’. “By gaining access to the CAN bus, an attacker can send spoofed messages over the bus. Successful attackers must understand and be able to manipulate a CAN data frame’s ID and data fields. An attacker’s malicious data frames will then be picked up and processed by listening controllers.”
The mid-decade car ‘stunt hacks’ generated much media interest, but were based on conditional one-off research projects. In a July 2015 hack, Charlie Miller and Chris Valasek initially took control of non-critical functions of a Jeep Grand Cherokee, such as the radio and climate control, but when the brakes were deactivated, the potential of car hacks was vividly demonstrated, and the SUV ended up ditched at the side of a road. In response to the publicity around the hack, Jeep brand owner Fiat Chrysler Automobiles recalled approximately 1.4 million Grand Cherokees and Dodge Durango SUVs in order to install remedial software to keep hackers at bay. In addition to the costs incurred by the recall, Fiat Chrysler’s stock value fell by 2.5 per cent.
In September 2015, the company issued another recall for approximately 7,810 Jeep Renegade SUVs, based on further hackability concerns. Shares fell again, this time by 1.9 per cent.
Around this time, White Hat security researchers wrote their own ‘attack code’ and had to be clever enough to undertake a degree of discovery and research into the targeted car technology. In 2020 they can avail themselves of a range – albeit limited (to date) – of tools and services tailored to their requirements. Research by cyber-security company IntSights, for instance, discovered online shops that sell car-hacking tools and code grabbers, and services that disconnect automobile immobilisers and provide firmware for hacking into ECUs.
Hackers are paying increased attention to attacks on cloud-based platforms that deliver automotive services; analysis from Upstream Security suggests that 27.2 per cent of incidents in 2019 were made via this approach – that’s up from 24.4 per cent in 2018. (By comparison, hacked mobile apps accounted for 12.7 per cent of incidents.) Server-related attacks are incidents where threat actors gain control of back-end servers (i.e. telematics servers) using more conventional hacking techniques. These cloud-based systems are increasingly where online automotive services and support are hosted. Once ‘in’, the hackers can access sensitive data, remotely track and control vehicles, disrupt the service provider’s operations, and more.
The opportunities this vector brings – as reported by Upstream Technology – were demonstrated in April 2018 when a White Hat hacker hacked into thousands of GPS tracker app accounts, gained access to the back-end service and, in turn, accessed data and even the control of tens of thousands of connected vehicles. By accessing their servers, the perpetrator was able to see the location of thousands of vehicles worldwide, access the personal data of the app’s users, and send commands to open doors and shut down engines while the car was in motion.
Multi-vehicle server attacks could also carry the potential to disrupt entire cities, and thus pose a critical risk to drivers, passengers and pedestrians. Physicists at the Georgia Institute of Technology (Georgia Tech) and Multiscale Systems applied physics in a study that simulated what it would take for hackers to wreak distributed havoc by mounting remote attacks to stall multiple cars in a given urban proximity.
“Randomly causing 20 per cent of rush-hour cars to stall would mean total traffic freeze,” says assistant professor Peter Yunker at Georgia Tech’s School of Physics. “At 20 per cent, the city has been broken up into small islands, where you may be able to inch around a few blocks, but no one would be able to move across town.” Hacking only 10 per cent of all cars during rush hour would debilitate traffic enough to prevent emergency vehicles from expediently getting through traffic, Yunker has suggested.
Active responses by the automotive industry have scaled to the nature of the threat, but cyber-security safeguards will take time to inform automotive design shifts. Automotive manufacturers traditionally favoured a proprietorial approach to product design and construction; this has changed markedly over the last decade, to the point where typically more than 50 per cent of vehicle parts and components are sourced from third-party vendors. This means that security strategies have to be applied to supply chains. Automakers are, however, now more open to learning from security strategies in the enterprise sector, which has more years of experience in threat counteraction.
In terms of ECU/CAN configurations, Tom Blackie, CEO at VNC Automotive, sees increased usage of hypervisor-based solutions, whereby a powerful centralised processing unit is used to run multiple vehicle functions in virtualised machines. “Thereby [fewer] points of entry attack are made available and the vehicle systems can be more easily protected,” Blackie explains. “For example, there is a clear move to separate mission-critical systems from infotainment elements using such virtualisation. There is a further added advantage to this, as the hypervisor solutions frequently allow for multiple operating systems to be run on the same central hardware.”
Blackie adds: “For another example, the vehicle instrument cluster may run a proprietary real-time operating system that has had years of use – and hence known reliability; while the head unit infotainment solution may run the Google Android OS, which offers a user interface similar to mobile apps. The two run side-by-side while being isolated and secured from interfering with each other.”
Clearly, it would be best if vehicles were designed around a common set of cyber-security specifications. To this end, automotive industry players and cyber-security experts have come together to evolve standards that will be comparable and universal as ISO 26262, which addresses risk assessment and threat analysis regarding automotive functional safety.
One of the first initiatives in this area, SAE’s J3061 (described as a ‘Cybersecurity Guidebook for Cyber-Physical Vehicle Systems’), provides guidance on vehicle cyber-security and was based on and expanded from existing practices being implemented or reported in industry, government and conference papers.
ISO/SAE 21434 (subtitled ‘Road vehicles – cybersecurity engineering’) is an automotive cyber-security standard under joint development by the ISO and SAE International. Due to appear in May 2020, ISO/SAE 21434 will cover all stages of a vehicle’s lifecycle – from design through to decommissioning. It will apply to a vehicle’s electronic systems, components and software, plus any external connectivity. ISO/SAE 21434 should provide developers with an approach to the implementation of security safeguards that scopes the whole supplier chain. Compliance with this standard by automotive manufacturers, their supply chains, and components developers will be critical for automotive product development.
In the UK, 5StarS is a government-funded project to research and develop an ‘Automotive Cybersecurity Through Assurance’ framework for assessing the cyber security of road vehicles. It brings together in consortium five research bodies – Axillium Research, Horiba Mira, Ricardo, Roke, and Thatcham Research – to address the threat spectrum around connected cars and autonomous vehicles. The consortium is developing a five-star consumer rating framework, similar in model to the European New Car Assessment Programme (Euro NCAP) safety performance assessment. It is aligned with emergent regulations and standards such as ISO/SAE 21434, and the impending United Nations Economic Commission for Europe directives (expected to call for mandatory audits of car manufacturers’ cyber-security management systems, with the possibility of making them part of the MOT test).
Automotive cyber-attack events
Australian charged after setting up an online application that enabled him to remotely control the stop and start function of his ex-girlfriend’s Land Rover and track her movements. The man helped his ex buy the car, and therefore had possession of the car’s vehicle identification number: this gave him access to control various functions of its onboard tech.
Hacker able to modify various features in Dacia’s Logan and Sandero models using CAN programming. Modifications included the hill-start assist feature for manual gear, adjustment to the lower limit of the oil pressure sensor, adjustment to the default fuel refill values on dashboard gauges, and setting the backlights to be always on.
Connection of a Raspberry PiCAN board to the on-board diagnostics port of his Jaguar XF enabled a White Hat hacker to decode and send CAN messages. Using the device, the hacker built and integrated additional infotainment that receives signals from the XF’s radio controls.
White Hat researchers hacked components of a Skoda Octavia vRS 2017. The key fob was vulnerable to rolling code bypass attacks, giving access to the vehicle. The infotainment system was yielding private user information, making the system vulnerable to exploit. The VW TP 2.0 protocol was reverse-engineered, enabling a hacker to gather information about the system, including the vehicle’s speed and location.