The cyber-security show comes to town!
In 2013, when Charlie Miller and Chris Valasek hacked a Prius, many casual observers saw this as an extreme party trick. A mere two years later, these same people watched in horror as several OEMs were forced to admit system vulnerabilities when these hackers again grabbed centre stage.
A year after hacking the Prius, Miller and Valasek presented a ninety-two-page report at the 2014 Black Hat conference in Las Vegas which named twenty vehicles and brands that the pair deemed to be susceptible to attack. Each car’s rating was based on the vehicle’s attack surface, network architecture and "cyber physical" features. These items are important determinants in a vehicle’s vulnerability profile:
- The wireless ‘attack surface’ evaluates the range of features that can be hacked, and includes Bluetooth, Wi-Fi, mobile network connections, key fobs, and tyre pressure monitoring systems.
- The network architecture is an indication of the ease of access these features give to the vehicle’s critical systems such as the steering and brakes.
- Cyber physical relates to capabilities such as automated braking and parking sensors that could be controlled using wireless commands.
The study rated the 2014 Jeep Cherokee and 2015 Cadillac Escalade the most vulnerable, whilst the 2010/2014 Toyota Prius and 2014 Infiniti Q50 were also deemed to be higher risk.
Manufacturers’ overwhelming response to the original Prius attack was that this was in fact a minor vulnerability, as the hackers had to access the vehicle’s hardware and be in close proximity to the vehicle. In July 2015 Miller and Valasek set up a demonstration that shattered this perception and shook the automotive community.
Finally, a remote hack publicly takes control of a Jeep
The pair remotely hacked a Jeep through the vehicle’s Harman Kardon radio and Uconnect computer, which gave them access to the vehicle’s systems via the Sprint network, the cellular carrier that connects Chrysler’s vehicles to the Internet. This prompted the first ever recall driven by cyber-security concerns, affecting 1.4 million vehicles.
This single demonstration catapulted security concerns from the fringe to the mainstream. Finally the world understood: a malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping, to turning the steering wheel, to disabling the brakes.
While research has only been presented on three or four particular vehicles, it’s clear that there are many more with security flaws. Each manufacturer designs their fleet’s platform differently, therefore analysis of remote threats must avoid generalities. Driving home the widespread threat, Miller and Valasek revealed vulnerabilities in General Motors’ OnStar navigation system mobile app at a hacking conference in Los Angeles in August. The hack, uncovered by researcher Samy Kamkar, allows hackers to force entry into the car’s onboard systems through the OnStar RemoteLink smartphone app. Using a device fitted to the target vehicle, credentials are harvested which can then be used to mimic the app.
Since the app allows drivers to do things like remotely lock and unlock doors, or start the engine, those functions are available to the hacker. GM has since released a patch that allows the OnStar system to check for fake access certificates, something it wasn’t programmed to do before.
European brands are also vulnerable to attack
While hacks of German cars have fallen short of the stunt to which Jeep was exposed, BMW was on the receiving end of bad cyber-security press around its digital-services systems earlier this year.
A study by German auto club ADAC found hackers could wirelessly open BMW, Mini and Rolls-Royce vehicles in minutes. An estimated 2.2 million vehicles equipped with BMW’s ConnectedDrive service were vulnerable. The Munich-based company quickly responded with an automatic system patch that takes place when vehicles connect to BMW’s server.
Image Credit: Frost & Sullivan
Responding to the latest revelations, Benjamin Oberkersch, a spokesman for Mercedes’ Stuttgart-based parent Daimler AG, explains: "Absolute, 100 percent safety isn’t possible but our systems are tested by internal and external experts to ensure they’re up to date." Daimler, BMW and Audi separate different vehicle domains, walling off the radio from the brakes and other critical systems with firewalls, whilst installing supplementary security features such as public-key cryptography and virus scanners, thereby adding another level of cyber security to these vehicles.
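The domain separation described above can be illustrated with a small gateway model. The following is an added example, not code from any of the manufacturers named; the domain names, CAN identifiers and rate budgets are constructed for illustration only. The gateway only forwards a frame across a domain boundary when an explicit route exists for its identifier in that direction and its per-second budget is not exhausted, so an infotainment unit has no path at all onto the powertrain bus.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    can_id: int    # 11-bit CAN identifier
    data: bytes    # 0..8 payload bytes (classic CAN)

# Constructed policy for illustration, not any manufacturer's real IDs or layout: each
# route lists the CAN IDs allowed from the source domain to the destination domain and
# the max frames/s for each ID; anything unlisted (e.g. infotainment -> powertrain) drops.
ROUTES = {
    ("powertrain", "infotainment"): {0x100: 100},      # vehicle speed, display only
    ("body", "infotainment"): {0x310: 20, 0x320: 20},  # door status, ambient temp
    ("infotainment", "body"): {0x300: 5},              # cabin temperature set-point
}

class DomainGateway:
    def __init__(self, routes=ROUTES):
        self.routes = routes
        self.recent = defaultdict(deque)  # (src, dst, id) -> timestamps seen in last second
        self.dropped = []                 # audit trail a detection pipeline could consume

    def forward(self, frame, src, dst, now):
        """Decide whether a frame may cross from src to dst; now is seconds (monotonic)."""
        if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
            return self._drop(frame, src, dst, "malformed frame")
        budget = self.routes.get((src, dst), {}).get(frame.can_id)
        if budget is None:
            return self._drop(frame, src, dst, "no route for this id")
        window = self.recent[(src, dst, frame.can_id)]
        while window and now - window[0] >= 1.0:  # slide the one-second window
            window.popleft()
        if len(window) >= budget:
            return self._drop(frame, src, dst, "rate limit exceeded")
        window.append(now)
        return True, "forwarded"

    def _drop(self, frame, src, dst, reason):
        self.dropped.append((src, dst, frame.can_id, reason))
        return False, reason

def demo():
    gw = DomainGateway()
    speed = CanFrame(0x100, b"\x00\x32")
    allowed = gw.forward(speed, "powertrain", "infotainment", 0.0)   # legitimate direction
    spoofed = gw.forward(speed, "infotainment", "powertrain", 0.1)   # head unit -> powertrain
    # six set-point updates inside one second: the sixth exceeds the 5/s budget for 0x300
    burst = [gw.forward(CanFrame(0x300, b"\x16"), "infotainment", "body", 0.2 + i * 0.01)
             for i in range(6)]
    return allowed, spoofed, burst
```

The `dropped` list is the part a security operations team would care about: a frame with no route, arriving from the infotainment side, is exactly the event worth alerting on.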
While car owners grapple with the implications of the recently revealed remote security threats, another threat has appeared on the horizon: identity theft!
Identity theft poses a new threat to widespread connectivity
According to Phil Abram, chief infotainment officer of GM’s OnStar system, in a world driven by communication, commuters want to be constantly connected, and shopping from the steering wheel is the next logical step.
Eager to satisfy their customers’ desire for connectivity and enable in-vehicle purchases of fast food, gas and more, automakers have big plans to bring e-commerce to the dashboard. By 2020, as many as 40 percent of new vehicles sold worldwide will let drivers shop from behind the wheel, predicts Thilo Koslowski, vice president of the auto practice at Gartner:
- Ford Motor Co. already has an app that lets drivers dictate an order to Domino’s Pizza using voice controls and a smartphone.
- General Motors Co. this year began offering AtYourService, which alerts drivers to deals at Dunkin’ Donuts or lets them book a hotel room on Priceline.com using voice commands.
However, as vehicles become rolling shopping malls, cybercriminals will have an opportunity to snatch unsuspecting consumers’ identity, as well.
Connected cars present a promising target, much like retailers or banks, where hackers can troll for credit card numbers, home addresses, e-mail information and all the other personal details required for identity theft. Hackers bent on identity theft are expected to infiltrate cars through the infotainment portal, as the Jeep hackers did, or market malicious apps that appear harmless or even helpful, but actually steal personal information. Opening the dashboard to apps from third parties will invite thieves along for the ride, said Ryan Smith, chief scientist for Optiv, a cybersecurity company that consults with automakers.
"Today the motivation for hacking a car is mischief, with an objective of hurting people or car companies," Koslowski said, but once drivers can shop at will as they commute, "the car will definitely be viewed as a vulnerable device."
I believe motor vehicles in the cyber environment are no different from other connected devices: laptops and mobile phones are constantly at risk and need to be managed as such. The introduction of connectivity into the auto environment brings with it the responsibility of ensuring security, not only for manufacturers but also for owners of these vehicles.
The consequences of not updating security patches could be far more harmful in a motor vehicle than for a laptop sitting in someone’s office!
Sources
- Cars Ripe for Identity Theft as Shopping Comes to Dashboard – Bloomberg (Keith Naughton and Olga Kharif)
- FCA to recall 7,810 SUVs to prevent hacking – Automotive News
- BMW Patches Security Flaw That Let Hackers Open Doors – Security Week (Brian Prince)