Security must evolve with connectivity if automobiles are to stay safe
Ang Cui, CEO and Chief Scientist at Red Balloon Security, discusses how the increase in transport connectivity provides hackers with technological vulnerabilities that they can exploit.
Vehicles are becoming ‘smarter’ and more connected than ever before, but with these added technological features and capabilities come a new set of risks, which can be exploited by hackers.
Over the past few years, the transportation industry has become more aware of cyber-risks. A number of security researchers have demonstrated attacks on vehicle systems, a few car manufacturers have issued recalls on vulnerable products, Congress has held several hearings on the issue of car cyber-security [1] and most of the large hacking conferences today generally include a focus on exploiting automotive vulnerabilities. However, this new awareness has not significantly altered the fundamental dynamic of automotive cyber-security.
Fundamentally, most vehicle systems still remain vulnerable to attackers – and the problem is about to get worse.
Understanding the threat
The computerisation of vehicle systems has made them software and firmware dependent – but this means they are now susceptible to software-based threats like malware, ransomware and other malicious code.
This is particularly true with a key component in vehicle designs – the electronic control unit (ECU). The ECU is an embedded device which controls critical functions inside the vehicle, such as steering, brakes, acceleration, transmission, suspension and engine control. In addition to these mechanical controls, it also enables new features like infotainment systems, high-tech dashboard controls, navigation, autonomous driving and more. A single vehicle could have dozens of ECUs. These embedded devices run on various operating systems, such as QNX, but just like any other software- or firmware-based device, they have flaws and weaknesses that can be exploited.
As with many other IoT devices, security is not the primary consideration when designing ECUs. Even if there are some security features ‘baked-in’ to the design, these are often insufficient. OEMs are operating on tight budgets and timelines, meaning they are more focused on keeping costs low and meeting deadlines than engineering robust security capabilities into the device. In many cases, companies do not fully anticipate the potential for abuse.
To further complicate matters, it is not easy to update a vehicle’s embedded devices with software and firmware patches. With only a few exceptions, core vehicle systems (outside of the infotainment and navigation system) can only be patched through a manual process at the dealership or by USB sticks sent to the customer, as opposed to automatic over-the-air software/firmware updates. This complicates the most traditional approaches to security, which rely on continuously updated signatures and software patches to remove vulnerabilities.
For these reasons, hacking a vehicle’s ECU isn’t hard. The difficult part is gaining access to the system in the first place. But with more automakers increasing the connectivity of current and future models, this barrier is quickly being reduced.
Hijacking the ECU
The significance of these security risks to the ECU cannot be overstated.
If an attacker is able to compromise this device, they can essentially hijack the car, bus, commercial truck or any other vehicle. These attacks could range from ‘bricking’ an entire fleet of vehicles, to forcing a city bus to over-accelerate or sabotaging the brakes on a semi-truck. They could cause physical damage to a vehicle’s transmission, suspension and engine. In regard to self-driving vehicles, the car could be maliciously rerouted without the occupant realising it.
An example of this can be found in the 2015 Jeep Cherokee hack, in which security researchers Charlie Miller and Chris Valasek simulated a series of potential attacks. Wired’s Andy Greenberg [2] wrote at the time: “As the two hackers remotely toyed with the air-conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun. At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rear-view mirror. I hoped its driver saw me and could tell I was paralysed on the highway.”
Prior to this demonstration, hacking a car had always required a physical connection to the vehicle’s on-board diagnostic port. But this was no longer necessary, thanks to the vehicle’s new connectivity features. According to Greenberg’s 2015 report: “All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs and trucks, controls the vehicle’s entertainment and navigation, enables phone calls and offers a Wi-Fi hotspot. However, Uconnect’s cellular connection lets anyone who knows the car’s IP address gain access from anywhere in the country, due to one vulnerable element.”
While the specific vulnerabilities exploited by Miller and Valasek have since been fixed by Fiat Chrysler, that does not mean new vulnerabilities won’t be found and new exploits created. Software security is a cat-and-mouse game in which for every new software feature, security upgrade, etc. there is a corresponding advancement in the hacker’s technique.
More connectivity equals greater risk
As stated earlier, the vehicle’s computerised system is not difficult to hack. It would be fairly easy for criminal hackers to exploit weaknesses in the controller area network (CAN bus) and ECUs and launch a wide range of crippling attacks. The primary reason why we haven’t seen this happen in the real world is because it used to be difficult to remotely access a vehicle.
But with automakers pushing new connectivity features, from Wi-Fi hotspots to cellular data access and Bluetooth, they are unintentionally offering these vehicles to attackers.
To automotive engineers, it may seem inconsequential to add Internet connectivity to a car’s infotainment system. After all, the entertainment system doesn’t control any essential functions in the car. A hack of the infotainment system itself wouldn’t be life threatening and could be quickly fixed with a software patch shipped OTA or at the dealership and thus the benefit to risk ratio is fairly high. The problem, however, is that the infotainment’s Internet access is a gateway into the car’s larger internal network. Gain a foothold by exploiting that and a hacker could then spread into the CAN bus and the other ECUs – which control more critical vehicle operations, such as speed, brakes and steering. This method of escalating privileges and access is standard operating procedure for hackers. It is how they target large companies, even ones with robust security processes in place. The hacker starts by finding a weak link in the company, usually an employee. Once that person’s computer has been infected, the hacker then searches for other connected devices and linked accounts that can be used to spread laterally across the company’s network. This method can, and will, be used on automotive systems, starting with the infotainment system’s data connection or another accessible port.
Connectivity features in vehicles are creating a broader ‘attack surface’ for the hacker to target. Any exposed port on a vehicle can be exploited by a hacker to gain access into the larger system.
This is not to suggest that automakers should stop adding Internet access to their vehicles. But it does mean that security must evolve.
The most common risk to vehicle systems in the future is malware.
Hacking is primarily a business endeavour and it is driven by a simple concept: keep costs and risks as low as possible while maximising revenue potential as much as possible. For this reason, mass-distributed malware is the most sensible approach for a hacker to exploit weak security inside vehicles, just as it has been with other types of connected devices. First it was PCs, then smartphones and now the IoT, which automobiles are becoming a part of.
To put this in a better perspective, consider the uptick in malware attacks seen in the last two years that are targeting connected devices in the home and office. These include botnet malware campaigns like Mirai and Reaper, as well as new cryptocurrency mining malware like DroidMiner. There are also un-targeted infections, like the WannaCry ransomware, which infected IoT devices by spreading through their connections with Windows-based computers and servers. We are likely to see a similar pattern emerge with automobiles.
In fact, automotive malware could prove to be one of the most lucrative new sectors for cyber-criminals. This is especially true with groups that specialise in ransomware attacks, in which a computer is disabled by the hacker until the victim pays a ransom fee to unlock it. A ransomware infection of a car or commercial truck would be extremely disruptive and costly to both individuals and businesses. Therefore, victims would be more inclined to pay – potentially paying more than they would for a PC or phone. As we’ve seen with many other ransomware cases, these infections are difficult to remediate and in most cases, it has proven more practical to pay the extortion fee than to rebuild the entire system affected. This is also true for vehicles.
For this reason, automotive ransomware is high on the list of threats, but we should expect to see other campaigns using botnet malware, crypto-mining malware and information-stealing malware.
Cyber-security reforms are needed
The transportation industry has an opportunity to learn from the evolution of security in both traditional PCs and other embedded device verticals. For instance, the endless emergency software updates of a Patch Tuesday are not what we want. There are theoretically an infinite number of vulnerabilities in the firmware/software we depend on. As defenders, we find out about a minuscule portion of those vulnerabilities and we try to patch them, one at a time.
Firstly, every patch can itself contain new vulnerabilities or fail to fully address the underlying vulnerability. Secondly, and more importantly, we do not want a future where we apply dozens, hundreds or even thousands of patches a year – certainly not to computers that people depend on. So what do we need? No single solution can prevent all attacks, so a well-designed defence in depth strategy is needed. While many useful layers of defence exist, we want to especially highlight three crucial defences:
- Host-based defence
- Stronger development standards
- Ongoing security assessments
Host-based defence
Automakers, ride-sharing services, commercial fleets and public transportation systems need to go one step further by deploying real host-based defences into their vehicles. Host-based security built into the ECUs themselves protects each ECU from the inside. This is the security of last resort, so that if a hacker or malware is able to slip past the other layers of security, the automobile itself cannot be sabotaged – for example by ransomware crippling the car or by malicious code that triggers unsafe operations within the brakes, steering, acceleration, etc. Host-based defences can go beyond the detection and prevention of active attacks. For example, Strategic Attack Surface Reduction can remove unneeded code or services so that attackers cannot exercise any vulnerabilities found within such code, and live-healing can go even further and repair the ECU code and data after an attack is detected, returning the device to a safe working state.
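As an added illustration (not code from this article, nor Red Balloon Security’s implementation), a toy host-based integrity monitor in C shows the detect-then-heal cycle described above: the ECU’s live code region is digested periodically against a value fixed at provisioning and, on mismatch, restored from a protected golden copy. The ecu_t layout, the FNV-1a digest and the firmware bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one ECU (hypothetical layout, not any vendor's): a live code
 * region, a protected golden copy and the digest recorded at provisioning. */
#define CODE_LEN 32

typedef struct {
    uint8_t  code[CODE_LEN];     /* live code/data region being monitored */
    uint8_t  golden[CODE_LEN];   /* known-good copy; must be write-protected */
    uint32_t expected_digest;    /* digest of golden, fixed at provisioning */
    unsigned heal_count;         /* number of repairs performed so far */
} ecu_t;

/* FNV-1a 32-bit, standing in for the cryptographic digest a real monitor uses. */
static uint32_t fnv1a(const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

void ecu_provision(ecu_t *e, const uint8_t *firmware) {
    memcpy(e->code, firmware, CODE_LEN);
    memcpy(e->golden, firmware, CODE_LEN);
    e->expected_digest = fnv1a(e->golden, CODE_LEN);
    e->heal_count = 0;
}

/* Periodic host-based check: returns 0 if the region is intact, 1 if tampering
 * was detected and the region was restored from the golden copy. */
int ecu_check_and_heal(ecu_t *e) {
    if (fnv1a(e->code, CODE_LEN) == e->expected_digest) return 0;
    memcpy(e->code, e->golden, CODE_LEN);   /* live-heal back to a safe state */
    e->heal_count++;
    return 1;
}

/* Full cycle on constructed firmware bytes: clean check, corrupt one byte,
 * detect and heal, verify. Returns the heal count (1) or -1 on any failure. */
int run_scenario(void) {
    static const uint8_t fw[CODE_LEN] = "BRAKE-CTRL v1.0 (constructed)";
    ecu_t e;
    ecu_provision(&e, fw);
    if (ecu_check_and_heal(&e) != 0) return -1;       /* must start intact */
    e.code[5] = 0xFF;                                  /* simulated corruption */
    if (ecu_check_and_heal(&e) != 1) return -1;       /* must detect and heal */
    if (memcmp(e.code, fw, CODE_LEN) != 0) return -1;  /* must be restored */
    return (int)e.heal_count;
}
```

The monitor and the golden copy only help if they sit outside the attacker’s reach (immutable memory or a hardware root of trust); a digest the attacker can rewrite detects nothing.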
Stronger development standards
The developers and manufacturers of ECUs and other automotive technologies need to ‘bake-in’ security to the firmware underlying these devices from the earliest stage of the development process. Software security should be a top consideration when designing these products, instead of the afterthought which it often is. Patching a vulnerability after the fact is far more expensive, and far less effective, than simply eliminating as many flaws as possible from the design in the first place. Automakers and public transportation providers need to hold their technology partners accountable for developing more robust cyber-security controls inside their products.
Ongoing security assessments
Automakers also need to go further with their own security practices, particularly when it comes to penetration testing and vulnerability scanning. All new vehicles and components should be thoroughly stress tested by internal and external security teams, including the use of ‘white hat’ hackers who can simulate the real tactics, tools and techniques that a sophisticated cyber-criminal would use to find a weakness inside the car and exploit it for malicious purposes. OEMs and public transportation systems should demand this level of strenuous testing for all of their technology partners.
Automotive systems are becoming more vulnerable to hackers and we should expect to see a corresponding rise in malware and other attacks. New technological features and greater connectivity are the two trends driving this increased risk and it requires a greater level of commitment to cyber-security by all actors within the industry – from the OEMs to the public transportation systems, ride-sharing services and commercial shippers. By implementing several important reforms, the industry can control the risk and keep vehicles secure.