In July 2015, Wired magazine broke the story that hackers had taken control of a Jeep in motion on the freeway and killed its accelerator. The situation was not as dire as it sounds: the driver was a Wired magazine reporter working with researchers Charlie Miller and Chris Valasek to show the vulnerability of the electronics on today’s vehicles. Kaspersky later reported that the hack took months of time and effort, and not many consumers currently subscribe to the Wi-Fi service through which the hackers took control of the Jeep. Still, once into the vehicle systems, Miller and Valasek were able to take control of the car’s engine, transmission, sensors, GPS, radio, and even climate controls, posing a security risk serious enough that Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., immediately introduced an automotive security bill in Congress. Chrysler immediately recalled 1.4 million vehicles to fix the bug that enabled the attack, and chip maker Intel formed an industry task force, the Automotive Security Review Board, to focus on securing “cyber-physical” systems in vehicles.
But in the race to secure vehicles, the industry is coming from behind. Today’s cars are already rolling computer systems and businesses are already using connected cars to offer consumer and business services and to manage fleets and logistics. Even as they leverage connected car technology for competitive advantage, businesses need to weigh the risks so they can steer safely and remain in control of their data.
Automotive computing makes endpoint security a moving target
Gone are the days when a shade-tree mechanic could keep an automobile purring along. Today’s vehicles run on data as much as they depend on oil and gasoline. As Bruce Emaus, chairman of the Society of Automotive Engineers International’s embedded software standards committee, told The New York Times, “It would be easy to say the modern car is a computer on wheels, but it’s more like 30 or more computers on wheels.” In fact, the most basic vehicles today have at least 30 electronic control units, and some luxury cars have as many as 100. Electronics control the engine, transmission, chassis (including brakes and traction), safety systems such as airbags, diagnostics, navigation, climate, and sometimes communication and entertainment systems. Many of these systems communicate with one another — for example, many cars automatically lock the doors once gears are engaged — so, as in the Wired story, once hackers break into one system, they can quickly take over others.
Endpoint security for mobile computers and other devices is a hot topic these days. Now you can think of an automobile as 30 to 100 moving endpoints that are connected to each other and to the networks of any businesses providing services to those vehicles. No wonder, as Dark Reading reports, the automobile industry has formed an Information Sharing and Analysis Center to share intelligence on vulnerabilities in car electronics and in-vehicle data networks.
Risks on wheels
Of course, the nightmare scenario is that a hacker could take control of someone’s vehicle and cause it to crash. Cyber-terrorists or extortionists could certainly try that kind of tactic, but it’s more likely to happen in an episode of Homeland than in our daily lives. For garden-variety cyber-criminals, vehicle hacking is likely to be monetized in other ways.
The most common near-term consequence of vehicle hacking could be auto theft. In July 2015, Wired reported that hacker Samy Kamkar had invented a $100 device that attacks GM’s OnStar communication systems and allows a hacker to track, unlock, and start the vehicle. Kamkar said a hacker had only to plant the device in an inconspicuous place on the target vehicle and wait. The OnStar hack demonstrates another likely consequence of vehicle hacking: theft of personal information. Kamkar’s device is capable of impersonating a friendly Wi-Fi network, then tricking a nearby smartphone into connecting silently with it. Once connected, it could capture commands from the driver’s smartphone to the OnStar system, including credentials, and it could access the user’s name, email, home address, and the last four digits and expiration date of a credit card, all of which are accessible through an OnStar account. GM has since released a patch for the vulnerability that enabled the hack, but it is ironic that one of the most sophisticated capabilities available in cars today turned out to be one of the most vulnerable.
Once hackers have access to personal and other information from car systems, they are likely to find myriad new ways to use it. For example, GPS information could be used to track a driver’s personal habits and schedule. The information could be used to plan a burglary when a driver is away from home, used for extortion (for example, if a driver were visiting locations of illegal activities), or used to make a social engineering attack more credible. (For example, as a Business Journal article suggested, an attacker could send an email saying “You dropped this at the coffee shop” with a link to malware instead of a photo.)
While thieves may use automotive computers to target individuals, the big opportunity for sophisticated cyber-criminals will be to use vehicle hacking as a back door into business systems. As entertainment and communication systems become more common, more and more businesses will vie to provide services to always-connected vehicles: everything from streaming entertainment and news services to hands-free micropayments at the drive-thru, location-driven promotions from retailers, tracking the vehicle when your teenager is driving, and services that no one has thought of yet. The OnStar hack shows how easily hackers could steal user credentials, giving them access through the mobile services into the provider’s business systems.
If your business is providing services and deploying applications on consumer vehicles, you will be dependent on users to do updates for security patches. And if your IT department can’t keep up with security patches on in-house servers and laptops, how effectively will they be able to manage updates on a fleet of vehicles in motion?
Commercial applications also pose risks: GPS-based fleet management and logistics applications are already being used to optimize productivity, routing and dispatching, and fuel management. Every vehicle in a fleet is another endpoint to be secured, and it turns out that a whole fleet gives hackers more opportunities to succeed. In their report at the Kaspersky conference, Miller and Valasek reported that one of the challenges of their auto-hacking method is that they needed to drive while staying within range while hacking an individual vehicle, but hacking many similar vehicles is less difficult: “It’s much easier to hack all the Jeeps than [a] certain one.”
Proceed with caution
Gartner predicts that by 2020, there will be a quarter billion connected vehicles on the road, enabling new in-vehicle services and automated driving capabilities. During the next five years, the proportion of new vehicles equipped with this capability will increase dramatically, making connected cars a major element of the Internet of Things. Of this number, between 60 and 75 percent will be capable of consuming, creating and sharing web-based data.
A recent report from ABI Research states that attacks on automobile systems will increase rapidly in 2016 due to the major increase in connected automobile hardware built without foundational security principles. Writing in the report, Raj Samani, CTO for Europe, the Middle East and Africa at Intel Security, warns that “Poorly secured driverless cars and smart highways will further expose drivers and passengers in 2017 and beyond, likely resulting in lost lives.”
If your organization plans to leverage connected car technology, you need to examine the whole ecosystem involved in delivering smart services, from the moving endpoints to the data center and the cloud, and account for it in your security programs and incident response plans.
While connected cars offer abundant opportunities for new product offerings and improved business efficiency, organizations need to consider the privacy and security risks carefully before proceeding. Security standards and best practices will emerge for the automotive industry, but they will take years to mature and find their way into vehicles.
Smart vehicles can make your customers’ lives more convenient, save energy, and improve your business’s efficiency and profitability, but at best a connected car is yet another endpoint that must be secured. At worst, it can become a projectile weapon. In its white paper The Internet of Things: Risks and Value Considerations, a team of ISACA experts notes that “The Internet of Things (IoT) revolution has the potential to be staggeringly transformational and, at the same time, highly disruptive to business.” The challenge with smart vehicles will be to leverage the technology for positive transformation while avoiding the disruption that a privacy or security breach could cause.
This is part three of a five-part series on the Internet of Things by Rick Kam. Read part one: Time to Get Smart About IoT Security and part two: IoT Security: Is Your Fitbit a Key for Criminals?