Security Before autonomous vehicles go mainstream, connected cars require security vigilance
As connected cars embody sophisticated hardware and software, cybercriminals are able to exploit vehicle vulnerability for their own gain. The problem is more complex once Vehicle-to-Everything infrastructure is factored in. Fortunately whitehat researchers and OEMs are taking the threat seriously.
In 2015, Fiat Chrysler recalled of 1.4m vehicles in the US, after Charlie Miller and Chris Valasek demonstrated that hackers could control a Jeep Cherokee remotely, using the car's entertainment system which connected to the mobile data network. They disabled the car's transmission and brakes, and, while the vehicle was in reverse, take over the steering wheel.
A year later, the hackers were able to again compromise a Jeep Cherokee, by updating the electronic control unit's firmware to disable those checks and balances, turning the steering wheel and activating the parking brake at highway speeds. It became one of the most notorious cybersecurity finds by researchers who now both work for Uber.
So what is the state of security and connected cars in 2020? According to Alexander Wyglinski, IEEE Senior Member, one of the biggest misconceptions about cars, in general, is the level of electronics, computing, and automation that are used by them.
"For instance, power steering, automatic transmission, fuel injection, and many other operations are all performed electronically (as opposed to via traditional mechanical methods). Consequently, this makes the vehicle's electronic/embedded computing systems and components quite vulnerable to cyber-attacks.
Additionally, when these electronic and embedded systems were first implemented for automotive applications, security was not initially one of the primary design requirements. Many of these electronic modules operate without much cybersecurity, including any form of encryption, thus making them easy targets for hackers who have some understanding of how these embedded systems work and the vehicular operating environment."
Autonomous vehicles need to be treated the same way as other forms of computer networks in terms of security.
What is the prevalence of car hacking, and what are the main points of attack?
Upstream.auto's researchers analyzed 367 publicly reported incidents since 2010, 155 of which are from 2019. They found three main forms of cyberhacks:
Key-fob hacking is the most popular attack vector used in 2019, representing 38% of incidents analyzed by Upstream compared to 30% overall since 2010.
Server attacks involve a range of server types including telematics command-and-control servers, database servers, web servers, and account for 27.2% of attack vectors since 2010 according to Upstream.
These attacks are remote and long-range. Upon gaining access to a telematics server, hackers have access to everything connected to it, including apps, data, and all its connected vehicles. This can lead to multi-vehicle or fleetwide attacks, which are extremely risky to all parties involved, from OEMs, telematics service providers, and companies who manage fleets to the drivers themselves.
According to research by Georgia Tech's School of Physics: "Randomly stalling 20% of cars during rush hour would mean total traffic freeze. At 20%, the city has been broken up into small islands, where you may be able to inch around a few blocks, but no one would be able to move across town." Hacking only 10% of all cars during rush hour would debilitate traffic enough to prevent emergency vehicles from expediently cutting through traffic.
Mobile Apps Used to Hack Vehicles and Servers
Mobile phone apps can be used as an attack vector to access the vehicles and servers an app is connected to. In April 2019 in Chicago, thieves hacked the Daimler Car2Go car-sharing app and thieves were able to access and steal around 100 luxury vehicles.
Vehicle to Everything (V2X) Brings its own suite of challenges
I spoke to Phil Neray, VP of IoT & Industrial Cybersecurity at CyberX. He notes that while cybersecurity issues with vehicles are not things to overlook, they're likely to target high profile individuals (e.g. celebrities and politicians) vs. the everyday consumer. We also discussed that threat is not always in the car but the environment around it. An example is smart road infrastructure like smart traffic lights.
According to Phil: "The devices used were built for low cost, and high volume and rapid time to market. Security was not a primary design consideration in most cases. And they have open source Linux, and they have an open source web server and user interfaces. And we know that there are tonnes of vulnerabilities in that open source software. It is very easy to break into those devices. Not to mention the fact that many of them have default credentials that have never been changed. Just try all the common password combinations and eventually you'll get in."
Thus, it would be easy to cause chaos or disruption as Phil notes, "You could see adversaries being motivated by the ease of entry. Whether nation-states wanting to cause chaos or cybercriminals doing it if they wanted to deploy ransomware and say, 'Hey, we're gonna turn all the traffic lights to red until you pay us millions of dollars'."
Dr. David Brumley, CEO of ForAllSecure and professor of computer science at Carnegie Mellon University, explained that the challenge is as much about technology as process: "I think the good thing is that it's not like it's on-off switch where we just flip an on switch, and everyone's using fully autonomous vehicles for everything all over the place. And so we have a chance to learn. So I think there's going to be a history of people finding vulnerabilities and fixing them. And it's just crucial to make that part of the incremental rollout. I look at it as more as you have to get the process, right. When you roll something out, how do you quickly identify it? And how do you fix it? How do they go about testing them and get them out and not be in this traditional mindset of it taking decades."