Can You Hack It? Securing the Connected Car

With growing consumer understanding of connected-car technology comes, inevitably, concern about its security. A survey of drivers in the UK, US and Australia by the University of Michigan Transportation Research Institute found that most of them are concerned about safety and security of these systems, with 30 percent being "very concerned" about system and vehicle security breaches from hackers, as well as the privacy of their location and driving data.

Chris Valasek, director of vehicle security research at IOActive, and security expert Charlie Miller recently released a research paper titled "A Survey of Remote Automotive Attack Surfaces," which details all the different fronts on which automotive systems could be hacked. TU contributor Susan Kuchinskas spoke to Valasek about just how bad the threat is and what can be done to make high-tech cars more secure.

How big is the threat to connected cars?

It's like anything else that involves computers. When you add additional functionality and complexity, there's a greater risk of security issues, whether it's a car, a refrigerator, a mobile phone or a PC. When you add more lines of code that are written by humans, the more it's prone to error, and you increase the probability that something has been done incorrectly. While car makers may not be as security-conscious as Microsoft or Google, they certainly want the best-quality product they can make.

In your report, you say there are three stages for a safety-critical attack. Can you outline them?

There are three pieces that make up what a remote, safety-critical attack could be. First is the remote wireless part. What portion of the automobile talks to the outside world? This could be something as familiar as Bluetooth or cellular. But cars also communicate wirelessly in different fashions. Tire pressure monitoring sensors, for example, are small, short-distance radios in each tire.

Additionally, we're seeing more desktop-like technology being implemented in cars. In-car apps and infotainment systems are now doing things like connecting with a phone to do things like lock and unlock the doors — and potentially more. That creates an attack surface.

The second portion is how the car is architected. Are computers that talk to outside world on the same computer networks in the vehicle as things like braking, the engine or steering? This makes up how you would go about performing an attack. You would first try to find a mistake in one of the things that communicates with the outside world, and then you would see what you could do inside the car. Some cars have things broken up so that the things that communicate with outside world are separated by one or more degrees of infrastructure.

The last part is the cyber physical attributes, that is, computers that read information off computer networks and perform an action, for example, adaptive cruise control. We included this in the trifecta of issues because we found that, when attacking these vehicles, we were able to leverage these safety systems. You could stop a car by forging a message saying a car is in front of you, time to brake. You don't have to find a vulnerability within the vehicle in order to control the automobile.

It sounds like cars with more advanced safety features such as collision prevention, may be more vulnerable. Is that correct?

I wouldn't say more vulnerable. These things will save your life long before they are used against you in an attack. But if someone were to compromise your car, then they could potentially use these systems against you. We don't like to use the term "vulnerable" for certain scenarios, because these things don't make the cars less safe, they make them much safer.

What are some worst-case scenarios for malicious auto hacks?

Charlie and I have shown in prior research that if you are on the proper network of an automobile you could potentially control steering, braking or acceleration. You could potentially remotely take over braking, which has been proven at the University of Washington and the University of San Diego. So this is not just theoretical, it has been done before.

How big is the danger of cyber-terrorism — causing mayhem on the highway or stopping all traffic to block emergency crews from getting through?

There's potential for that, but remember that it costs a lot. Not only financially, but you have the intellectual costs, and the time and effort. And each car ends up being different. You have to look at each make and model to see if it will work. It's not an imminent threat right now, but that may change in the future.

What about attacks against V2V systems. Won't those systems be standardized and, eventually, ubiquitous?

Those communications may be standardized, but the way the vehicle communicates with itself still will be different. Manufacturers haven't agreed upon standardized messaging for things like automatic braking and automatic steering. While these vehicle-to-vehicle communications may be standardized, the actual ability to control a car may not be. That being said, vehicle-to-vehicle and vehicle-to-infrastructure bring along more attack surfaces, and still more ways for people to wirelessly communicate with the vehicle.

Is this something the government should mandate?

I'm not entirely sure. I'm a computer security researcher, not a politician.

In an ideal world, who is best placed to secure the connected car — automakers or third parties? If the latter, what kinds of third parties?

It's like anything else: It's up to the individual manufacturer. While we have standards that give guidelines, it's still up to Apple, for example, to make sure Apple products are secure. With automakers, there won't be one governing policy. There may be working groups that make suggestions, and inter-manufacturer collaboration, but it's going to be up to each manufacturer of each vehicle or technology to make sure that they have the most secure products.

In your paper, you mention "defensive strategies including an IDS-type system to detect and prevent these types of attacks." Can you explain what those strategies are?

We came up with that technology. In the paper, you see it as a device that you plug in. We made it as a little device because little devices are neat. But it's not the actual device that is the product. It's the algorithm and the detection method we came up with. It plugs into the OBD-II port of a car, learns the car's network traffic patterns, and then detects anomalies. If we see anything that strays from that baseline, we can flag it as something of interest or actually shut down the car's computer network because we deem it detrimental to vehicle safety.

This sounds like the kind of third-party security strategy that a lot of enterprises have for their networks.

Absolutely. I used to work for a company that made this for computer networks. I've taken my experience there and applied it to automobiles. Luckily, vehicles are much simpler than computer networks, because messages are of standard lengths and we know when they should occur. You do know how a car should generally function under normal conditions.

Is this a strategy that car makers should use, employing third-party software or monitoring systems to watch for anomalies?

That is just one piece; we're not saying our technology is only thing you need. You need to think about security when you designing and implementing these cars. Every other computer network has layered preventive measures. You don't have just one thing protecting you at work. We're proposing the same thing for vehicles. We haven't seen any mechanisms or algorithms specifically designed for catching and preventing attacks. So we designed one and implemented it to prove that, if two guys in a garage can do this, certainly auto manufacturers can do it, too.

For all the latest telematics trends, check out Telematics Brazil & LATAM 2014 on September 24-25, Sao Paulo, Brazil, Telematics West Coast 2014 on October 30-31 in San Diego, USA, Telematics Munich 2014 on November 10-11 in Munich, Germany, Connected Fleets USA on November 20-21 in Atlanta, USA and Consumer Telematics Show 2015, January 5 in Las Vegas.

Leave a comment

Your email address will not be published. Required fields are marked *