The recent Jeep Hacking experiment is drawing public attention to potential safety issues with connected cars, while urging car manufacturers to speed up investments in cyber security and safety features. While cyber security threats are becoming more and more serious and are an increasingly popular topic, the issue of cars’ security flaws has been a serious concern for far longer than most of us have realized.
Cars and code go back a long way, but security hasn’t caught up
The 1978 Cadillac Seville made big news when it introduced the ‘trip computer’ – the first car to have field-tested a microprocessor. Today, with hundreds of networked computing devices, the average car’s software accounts for over half of its production costs!
The code running these cars manages everything from emissions reduction, improving efficiency, running diagnostics, communicate with roadside infrastructure via dedicated radio channels, relaying diagnostic information to the manufacturer using cellular data as well as a host of other critical functions including safety such as airbag deployment, traction control, anti-lock braking etc.
While automobile designers have been quick to focus on the car’s instrument cluster, including dashboard navigation systems, virtual instrument clusters and rear-seat entertainment systems, they were slower in their efforts to make their cars’ computing systems secure. With the recent trend of users expecting to sync devices of their choice (e.g. smartphones, after-market dash-cams, diagnostic mobile apps with Bluetooth OBD-dongles, etc.), vehicle manufacturers have to deal with new threats posed by this connected ecosystem.
6 times auto researchers exposed major security flaws
To draw the auto industry’s attention to security issues, automotive safety researchers have demonstrated the vulnerabilities of connected cars by accomplishing a number of frightening feats:
- One team wirelessly hacked into an internet-connected infotainment system used by several specific car models. Using its software update feature, the researchers installed malicious software to commandeer the car’s control systems.
- Another team of researchers wrote a malware that worked its way to the car’s control software whenever diagnostic equipment was connected to the on-board diagnostic port cars have.
- A similar experiment was able to take over a truck by exploiting vulnerabilities in the J1939 control bus, which the researchers claimed was much easier than hacking a car.
- In yet another incident, security researchers were able to brute-force their way to a Nissan Leaf’s APIs from the Internet. The car’s Mobile App (since withdrawn) had a vulinerability that allowed the researchers access to the cars telematics data such as driving range via APIs that had no security mechanism in place (‘security by obscurity’).
- Researchers were also able to hack through the OBD plug-in device some insurers offer simply by sending a carefully crafted text message to the device. Another team of researchers have practically exploited all threat vectors of cars, including vulnerable diagnostic instruments, through the media player by playing a specially crafted media file via vulnerabilities in a car’s Bluetooth as well as by calling the car’s cellular modem and playing a specially crafted audio encoding.
- But wait, there’s more: other vulnerable exploit vectors researched include in-vehicle Wi-Fi, telematics, remote keyless entry and RFID immobilizers, dedicated short-range communications (DSRC) used to communicate between vehicles and the road infrastructure, navigation systems, satellite radio and even tire pressure monitor sensors. These vulnerabilities could allow malicious actors to eavesdrop on occupants of a car by turning on the car’s Bluetooth microphone, or tampering with the car’s odometer or by gaining access to a car’s location information.
Why are these vulnerabilities not a bigger concern to auto companies?
Despite all these high profile demonstrations of automobile security vulnerabilities, the auto industry has been quick to downplay the threat. Its primary safety concerns are centered on accidents or faults rather than the purposeful and malicious type of threats typical of cyber-attacks. That explains why auto industry’s safety frameworks – such as ISO 26262 covering automotive electronics safety – do not cover security threats.
Furthermore, automobile safety standards take a long time to evolve and implement, since all elements of the standards should remain stable over a long term while being backward compatible as well. The industry’s recommendations for designing cyber security into the system – SAE J3061 – have only just been published. Once widely adopted, this framework will provide a structured process to help ensure that cyber security is built into designs throughout the product development pipeline.
Why does the auto industry have these long-known software vulnerabilities in the first place?
Perhaps the answer lies in the way the industry is structured: automobile manufacturing is mostly a very efficient assembly operation, relying heavily on OEM suppliers for all components. This setup works very well for mechanical assembly, where individual parts made to demanding specifications can be tested and quality controlled. When it comes to electronic systems, auto manufacturers act as system integrators and develop ‘glue logic’ to integrate the software associated with individual electronic modules. This glue logic is where most of the security vulnerabilities can be traced back.
Meanwhile, key suppliers to the automobile industry have been working to continuously enhance Automotive Security Hardware, covering a wide range of solutions from security add-ons for low-end hardware to more sophisticated high-performance systems. Technologies such as Secure Hardware Extension allows automakers to add essential security functionality, including cryptographic key management, hardware crypto module, and secure boot to standard automotive micro-controllers. Evita, security architecture for automotive on-board networks, covers the security needs of software and hardware components for complex car networks. Industry bodies are also actively working on security issues – for example, Side Channel Attack Analysis for automotive security – to help identify potential side channel attacks and to help design countermeasures.
Why your biggest privacy threat might be your car
Highly-publicized hacking experiments like the Jeep Hacking video are leading lawmakers to consider establishing standards to ensure automakers implement the right safety, security and privacy mechanism in their connected cars. Until the time when laws and standards shape up, there is an urgent need for car manufacturers and their suppliers to leverage expertise from the IT security community to develop security reference architecture, guidelines and processes.
They can help make the public aware of privacy issues such as potential risks and the precautions that should be taken before installing after-market devices such as dash-cams. Meanwhile, car manufacturers should implement security best practices used by their peers – especially Tesla – such as a robust patch process for software updates over VPN connections. Thankfully, although car security hacks are becoming increasingly more sophisticated, there are developments being made that will eventually outpace them.