It seems like something out of an action flick—a hacker taking control of a car remotely, steering it, stopping it, and even stealing it. Not anymore. Modern vehicles are becoming increasingly connected, and more reliant on automated systems. The scenarios we once saw play out on screen have turned into a risky reality. With increasingly connected cars, manufacturers are breaking into a new frontier—but do they have the knowledge and tools to keep their vehicles secure?
In early August, two suspects were arrested in Houston on suspicion of using a laptop to hijack 100 Dodge and Jeep cars, both brands under Fiat Chrysler Automobiles. The video surveillance footage showed how easy it was for the men to take control and get into the vehicle. Security researchers have also been experimenting with connected vehicles for years, showing just how vulnerable they are. Experiments have shown that the cars can be compromised with different methods, through remote or physical access, or in some cases, through the vehicle’s supporting app.
In an experiment with Wired last year, security experts Charlie Miller and Chris Valasek wirelessly hacked into a Jeep Cherokee and demonstrated how they managed to take control of the vehicle’s entertainment system, air conditioning, steering, and brakes—all with someone in the car. Their research prompted Jeep to issue a recall of 1.4 million vehicles to fix the bug.
This year, at the 2016 Black Hat conference, Miller and Valasek presented a new technique for hacking into the Jeep Cherokee. Car manufacturer Chrysler patched the previously exposed vulnerabilities, but the two researchers found a way into the vehicle’s Controller Area Network (CAN bus) which handles communication between the different car systems. This hack allowed them to exert even more control than they previously had, allowing them to accelerate the car, turn the steering wheel, and engage the brakes. But, unlike last year, this was not a remote hack. The researchers’ laptop needed to be physically plugged into the Jeep’s CAN bus for it to work.
The Nissan Leaf is a case of car connectivity outpacing security. A flaw in the companion app was easily exploited, which allowed hackers to access the car. The app only needed the car’s Vehicle Identity Number to take control—a number which is printed on the windows of all the cars. Through this vulnerability an attacker could control heating, air-conditioning, and even drain the electric car's batteries remotely. They could also access trip data, which is something the owner might want to keep private.
The Leaf exploit wasn’t the first time a car with a companion smartphone application had security issues. Škoda Auto had almost the same problem with its Fabio III car and their SmartGate System. In the case of Nissan, the company disabled the app once the vulnerability was publically revealed and released a more secure version in early 2016.
Other car manufacturers were not so quick to act when faced with their vehicle’s security failings. In 2010 a team of researchers disclosed to General Motors (GM) that vehicles with the Generation 8 OnStar computer were vulnerable— hackers could use a simple audio attack as a pivot to gain access to the vehicle’s network of computers, allowing them to control everything from the brakes to the windshield wipers. It took the company five years to fully fix the issue.
Premium electric vehicle manufacturer Tesla Motors focuses more on cybersecurity than other manufacturers, and their cars have a reputation for being hard to hack—but hard doesn’t mean impossible. In 2015, two researchers were able to exploit vulnerabilities in the Tesla Model S and gain control of the car. They unlocked the doors, started the vehicle, and drove away. Although the researchers managed this much, it was a herculean feat. They had to disassemble the Model S and needed constant physical access to the car to pull off the hack. The method they used was largely impractical for most hackers, and shows how effective Tesla's security measures are. Still, the company immediately addressed the vulnerabilities, cutting off even that small avenue of attack.
What is being done?
In light of these proven vulnerabilities and widespread issues, governments and car manufacturers are starting to take this problem seriously. In the United States, legislation has been proposed to set new standards for car cybersecurity. The Security and Privacy in Your Car Act of 2015 mandates that the entire vehicle should be safeguarded against hacking, and that owners be made aware of what data is being collected, transmitted and shared. There is also strict punishment proposed for anyone who infiltrates a vehicle's electronic systems, including penalties as harsh as life imprisonment.
Meanwhile, car manufacturers are also beginning to overhaul their enterprise structure by adding cybersecurity experts in the mix. GM now has a global team of around 80 people dedicated to cybersecurity, enabling them to address security flaws much faster than in 2010. GM has also established a vulnerability submission program that allows researchers to submit security discoveries directly to the company.
Tesla and Chrysler are offering a similar deal, but with the added bonus of compensation for the research. The two companies are offering bug bounties—a reward for any security vulnerabilities found in their vehicles. Chrysler is offering $150 to $1,500 per bug, depending on the severity of the flaws, while Tesla is offering up to $10,000.
A strategy for the future
The smart car market is projected to continually grow. According to studies by industry experts, an estimated 36 million new cars with embedded telematics will be shipped globally by 2018. Autonomous vehicles are also becoming a popular trend. Google has been working on their self-driving cars since 2009 and aim to have their technology fully optimized by 2020. Large manufacturers like Nissan, Ford, and Toyota are also exploring this track.
Tesla is already ahead of the curve. The company unveiled their Autopilot system in 2015, and while it only features basic self-driving functions, many are enthusiastic about its capabilities. However, as quickly as technology develops, vulnerabilities are also exposed, adding more road risks if cybersecurity does not become a bigger priority.
Manufacturers have always been guarded about their research and development, but because of this issue players in the industry are sharing resources and collaborating on better cybersecurity practices. They have established the Auto Information Sharing and Analysis Center (Auto-ISAC), and outlined guidelines that will help manufacturers and suppliers be more prepared for cybersecurity issues. The Auto-ISAC board includes representatives from the largest car manufacturers in the world, with a board of officers that includes executives from Toyota, GM, Honda, and Ford.
The best practices outlined by Auto-ISAC include:
- Risk assessment and management
- Security by design
- Threat detection and protection
- Incident response and recovery
- Training and awareness
- Collaboration and engagement with appropriate third parties
This provides a strong framework that will allow automakers to share information, as well as analyze and develop solutions. It is a crucial step forward and a solid strategy in the fight against automotive cybercrime.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale