Analysis: CBR talks to industry experts about the trials and tribulations of securing connected cars.
For the second year in a row at the cyber security industry conference Black Hat, the hacking of a connected car captured headlines.
Charlie Miller and Chris Valasek hacked into a Jeep Cherokee by injecting forged messages onto the car’s internal network (its CAN bus) so that they overrode the legitimate ones. The hack allowed them to force the vehicle to turn sharply, speed up or brake suddenly.
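The attack described above has a measurable side effect: the legitimate ECU keeps transmitting its periodic frames, so an injected message for the same identifier shows up as a frame arriving far sooner than that identifier’s normal period. As an added illustration (it is not code from the article, from IOActive or from the researchers), the following Go program parses a candump-style capture, learns each identifier’s period from an attack-free window and flags frames that break it. The capture is constructed, the identifiers 0C1 and 7DF are assumed rather than taken from any real vehicle, and the frequency heuristic and its thresholds are this example’s own choices.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Frame is one classical CAN frame in the text form written by candump -L:
//   (seconds.micros) iface ID#HEXDATA
type Frame struct {
	Time float64
	ID   string
	Data string
}

// Alert is a frame the detector considers injected, with the reason.
type Alert struct {
	Frame    Frame
	Reason   string  // "rate anomaly" or "unknown ID"
	Expected float64 // learned period for this ID (0 for an unknown ID)
	Observed float64 // gap since the previous frame with this ID
}

// ParseCandump parses candump -L style lines; malformed lines are skipped.
func ParseCandump(log string) []Frame {
	var frames []Frame
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || !strings.HasPrefix(f[0], "(") || !strings.HasSuffix(f[0], ")") {
			continue
		}
		ts, err := strconv.ParseFloat(strings.Trim(f[0], "()"), 64)
		if err != nil {
			continue
		}
		idData := strings.SplitN(f[2], "#", 2)
		if len(idData) != 2 {
			continue
		}
		frames = append(frames, Frame{Time: ts, ID: idData[0], Data: idData[1]})
	}
	return frames
}

// DetectInjection learns each ID's mean inter-frame period over the first `learn`
// seconds of the capture (assumed attack-free), then flags any frame arriving sooner
// than ratio*period after the previous frame of the same ID, and any ID never seen
// during learning. Injected frames race the legitimate ECU's periodic ones, so the
// ID's rate roughly doubles and the gaps collapse; the timing, not the payload, is
// what gives the attack away.
func DetectInjection(frames []Frame, learn, ratio float64) []Alert {
	if len(frames) == 0 {
		return nil
	}
	start := frames[0].Time
	last := map[string]float64{} // last arrival per ID
	sum := map[string]float64{}  // sum of gaps during learning
	count := map[string]int{}    // number of gaps during learning
	var alerts []Alert
	for _, fr := range frames {
		prev, seen := last[fr.ID]
		last[fr.ID] = fr.Time
		learning := fr.Time-start <= learn
		if !seen {
			if !learning {
				alerts = append(alerts, Alert{Frame: fr, Reason: "unknown ID"})
			}
			continue
		}
		gap := fr.Time - prev
		if learning {
			sum[fr.ID] += gap
			count[fr.ID]++
			continue
		}
		if count[fr.ID] == 0 {
			continue // seen only once during learning: no period to compare against
		}
		period := sum[fr.ID] / float64(count[fr.ID])
		if gap < ratio*period {
			alerts = append(alerts, Alert{Frame: fr, Reason: "rate anomaly", Expected: period, Observed: gap})
		}
	}
	return alerts
}

// SampleLog is a constructed capture, not real vehicle data: a legitimate ECU sends
// ID 0C1 every 10 ms for one second. With attack=true, from frame 50 on an attacker
// injects a conflicting 0C1 frame 3 ms after each legitimate one and, at 0.705 s,
// one frame on ID 7DF, which never appears in the baseline.
func SampleLog(attack bool) string {
	var b strings.Builder
	for i := 0; i < 100; i++ {
		t := float64(i) / 100
		fmt.Fprintf(&b, "(%.6f) can0 0C1#0000000000000000\n", t)
		if attack && i >= 50 {
			fmt.Fprintf(&b, "(%.6f) can0 0C1#7FFF000000000000\n", t+0.003)
		}
		if attack && i == 70 {
			fmt.Fprintf(&b, "(%.6f) can0 7DF#0210030000000000\n", t+0.005)
		}
	}
	return b.String()
}

func main() {
	alerts := DetectInjection(ParseCandump(SampleLog(true)), 0.3, 0.5)
	for i, a := range alerts {
		if i == 3 {
			break
		}
		fmt.Printf("%.3f %s#%s: %s (expected %.4fs, got %.4fs)\n",
			a.Frame.Time, a.Frame.ID, a.Frame.Data, a.Reason, a.Expected, a.Observed)
	}
	fmt.Println(len(alerts), "alerts")
}
```

The learning window is the weak point of this approach: if the baseline is captured while an attacker is already transmitting, the doubled rate becomes the norm, so a deployment would need to take its baseline from a trusted reference rather than from whatever is on the bus at start-up.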
It’s not hard to see why the hacking of a connected car captures the imagination in such a way. While there are many ways that cyber attacks could endanger lives, the idea of an unseen attacker wresting control of your steering wheel away from you is understandably terrifying.
IOActive, Valasek’s former employer (both men now work at Uber), was behind the duo’s hack the previous year, when they took control of a Jeep while a reporter from Wired was driving it.
The firm recently released a whitepaper looking at common vulnerabilities in connected cars, assessing them in terms of the impact that they would have and the likelihood of them being exploited.
The vulnerabilities were given rankings from Informational at the very bottom, through Low, Medium and High, up to Critical.
In terms of impact, Critical and High vulnerabilities made up 50 percent of the total. In terms of likelihood, they made up 28 percent, while Medium vulnerabilities made up 43 percent.
The five most common vulnerabilities, in descending order, were information disclosures, coding logic errors, buffer overflows, hardcoded credentials and backdoors.
The white paper concluded that “the majority of vehicle cybersecurity vulnerabilities are not solvable using ‘bolt-on’ solutions, instead relying on sound engineering, software development practices, and cybersecurity best practices.”
Corey Thuen, Senior Security Consultant at IOActive, tells CBR that the reason so many vulnerabilities are being discovered in cars post-manufacture is that security is a “relatively new concern” for the automotive industry.
As Kaspersky Lab’s David Emm says, this means it’s “critical that manufacturers are thinking about introducing security measures now, before the product comes to market.”
While Thuen says that the industry has been making “improvements in the awareness department”, the eternal problem of return on investment rears its ugly head.
“As we’ve seen in other industries, it can still be difficult to get appropriate spending in security,” he says.
A starting point, Thuen says, would be to follow the security industry’s best practices.
“The majority of vulnerabilities stem from a lack of understanding of security and a failure to incorporate the lessons learned over the past few decades.
“Microsoft, for example, got some black eyes in the security ring; the automotive industry should watch tape of that fight and learn from it.”
Manfred Kube, Head of M2M Segment, Gemalto, says that tamper-proof hardware and software are essential.
He adds that manufacturers should ensure that “operating software is encrypted and signed with securely managed encryption keys, and strong authentication solutions are used.”
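What “encrypted and signed with securely managed encryption keys” means on the receiving side is a concrete check the ECU’s installer runs before accepting an update. The Go program below is an added example (not Gemalto’s product code, nor anything from the article) of that check: the vendor signs the image with an Ed25519 key that stays offline, wraps it with AES-256-GCM for distribution, and the installer decrypts, verifies the signature against the public key it already holds, and refuses any version that is not newer than the one installed. The image layout, the key sizes and the in-memory keys are this example’s assumptions; in a real deployment the signing key would live in an HSM and the public key in immutable storage on the ECU.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout of a signed image (this example's format, not any vendor's):
//   sig (64 bytes, Ed25519 over the rest) || version (4 bytes, big endian) || payload
// The distribution package is that signed image under AES-256-GCM:
//   nonce (12 bytes) || ciphertext || tag
const (
	sigLen     = ed25519.SignatureSize
	versionLen = 4
)

var (
	ErrMalformed    = errors.New("firmware: malformed package or image")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version not newer than installed version")
)

// SignImage produces sig || version || payload with the vendor's offline signing key.
// The version is under the signature, so an attacker cannot relabel an old image.
func SignImage(signKey ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, versionLen+len(payload))
	binary.BigEndian.PutUint32(body, version)
	copy(body[versionLen:], payload)
	return append(ed25519.Sign(signKey, body), body...)
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt wraps a signed image for transport with a fresh random nonce.
func Encrypt(encKey, signedImage []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, signedImage, nil), nil
}

// Decrypt reverses Encrypt; any modified ciphertext byte fails the GCM tag check.
func Decrypt(encKey, pkg []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(pkg) < gcm.NonceSize() {
		return nil, ErrMalformed
	}
	return gcm.Open(nil, pkg[:gcm.NonceSize()], pkg[gcm.NonceSize():], nil)
}

// VerifyImage is the installer's decision on a decrypted image: check the signature
// against the embedded public key, then refuse rollback. Returns version and payload.
func VerifyImage(pub ed25519.PublicKey, installed uint32, signedImage []byte) (uint32, []byte, error) {
	if len(signedImage) < sigLen+versionLen {
		return 0, nil, ErrMalformed
	}
	sig, body := signedImage[:sigLen], signedImage[sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[:versionLen])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[versionLen:], nil
}

// Install is the full receive path: decrypt, verify signature, enforce anti-rollback.
func Install(pub ed25519.PublicKey, encKey []byte, installed uint32, pkg []byte) (uint32, []byte, error) {
	img, err := Decrypt(encKey, pkg)
	if err != nil {
		return 0, nil, err
	}
	return VerifyImage(pub, installed, img)
}

func main() {
	// Keys are generated in memory here only for the demonstration (assumption).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	encKey := make([]byte, 32)
	rand.Read(encKey)

	img := SignImage(priv, 2, []byte("constructed ECU payload v2"))
	pkg, _ := Encrypt(encKey, img)

	v, _, err := Install(pub, encKey, 1, pkg)
	fmt.Println("genuine update:", v, err)
	_, _, err = Install(pub, encKey, 2, pkg)
	fmt.Println("replayed old version:", err)
	img[sigLen+versionLen] ^= 0xff // tamper with one payload byte of the plaintext image
	_, _, err = VerifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```

Note that GCM alone would already catch a modified package, but only the asymmetric signature ties the image to the vendor: the symmetric update key has to exist on every car, so an attacker who extracts it from one ECU can produce packages that decrypt cleanly, and the Ed25519 check is what still rejects them.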
Mark Hughes, CEO of BT Security, says that the solution is to start considering cyber security in the same way as other safety standards.
“On top of normal crash tests automotive bodies need to impose comprehensive cyber security analysis within safety tests so that manufacturers know when vehicles are vulnerable to hackers.”
It might take some time for the manufacturers to sort out these security vulnerabilities. For drivers who find their vehicles becoming ever more connected, however, some time isn’t good enough. What can owners do now to make sure they are safe?
Chris Oakley, Managing Principal Security Consultant at UK cyber security and risk management consultancy Nettitude, says that auxiliary functions should be disabled or avoided if unused.
He cites, for example, the option to control various components of the car using a mobile application as one such auxiliary function.
He says that this will minimise the attack surface, but overall, there is a “dearth” of reliable information to keep consumers well informed.
David Emm says that “owners of next generation cars must learn that threats specific to the computer world now apply to connected vehicles and take these risks into account.”
Even if the consequences of the attack are not fatal, the same thorny issues involved in conventional car crashes present themselves: issues of liability and responsibility. Is the driver responsible, for example, if their connected car is hacked and causes harm to a third party?
Andrew Joint, Commercial Technology Partner at Kemp Little says that ultimate liability rests with the hackers themselves.
However, he says that some responsibility will fall upon the car manufacturers.
“A driver buys a car and the law typically puts an obligation on the manufacturer to make sure the door or ignition locks work to an appropriate standard – the law will likely apply similar tests to the protections surrounding a computer system in a car.”
With connected cars now increasingly common on our roads, it is important that manufacturers, governments and the drivers themselves approach the security of connected vehicles with care.