Security research underway to ensure you will not be carjacked by hackers
You’re driving down the highway, and suddenly your car brakes to a stop on its own. Or, your vehicle takes off at high speed, steering a course over which you have no control, leaving you helpless in a stream of speeding traffic.
These scenarios could happen.
Such fears spurred Chrysler to recall 1.4 million Jeep SUVs in 2015 after hackers demonstrated they could remotely control the vehicles. If this could happen to regular vehicles, what of self-driving or autonomous vehicles?
Prioritizing defensive measures
Computer security researchers Chris Valasek and Charlie Miller are now widely known for remotely hacking a 2014 Jeep Cherokee. As they demonstrated, they could take control of the vehicle’s braking, steering, and acceleration. Now the two ethical hackers are working to better secure vehicles with Cruise Automation, a self-driving car startup owned by General Motors. They spoke about the critical issues in a presentation at the 2015 Black Hat conference.
“The evolution of automotive systems has brought us into a world where both highly connected and autonomously operated vehicles are commonplace,” unnamed researchers at device security provider Riscure wrote in a recent white paper. “As connectivity of devices increases, so too do risks of hardware and software attacks. Not only does the risk of the attacks rise, but the potential impact and fallout of an attack increases exponentially.”
In the Black Hat conference session, Valasek said his primary concern is a remote attacker gaining physical control of a vehicle.
Valasek and Miller conceded that it is “impossible to make the vehicles attack-proof” due to budget and time constraints, but they can prioritize defensive measures based on analysis of the threat model. “Our number one concern is a cyber-physical attack that would threaten the safety of our customers. If a breach occurred that resulted in loss of privacy or personal information, it would be upsetting. However, such an attack fails to compare to the scenario where a car is compromised and passengers are injured—or worse,” the speakers said.
Efforts should be focused on remote attacks, especially long range, as they could affect many vehicles in a short time frame. “We use the same techniques as we would to secure a very small enterprise network or, more precisely, a small industrial control network,” the speakers said. “For the most part, we don’t need to invent new ways to secure things. We only need to carefully apply industry best practices to this particular problem.”
Cars are essentially a data center on wheels, they explained. Each autonomous car’s trunk is loaded with a system of GPUs and processors, a cooling system, and a computer-controlled motor.
Treating each Cruise car as a data center, Miller and Valasek focused on security from the ground up, working on the self-driving car line at Cruise Automation. It’s not so much a test bed for car security overall across the industry as an investigation into what works and what doesn’t, with the goal of using that information to secure its own fleet.
The components communicate with one another using Ethernet cables. The researchers eliminated Wi-Fi and Bluetooth systems, as well as the entertainment unit, which were previous attack vectors. Inbound communications to the vehicle and over-the-air updates were excluded too.
Rumors to the contrary, hijacking GPS is not an exploitable avenue for self-driving vehicles, said Valasek and Miller. The vehicles do not use GPS to navigate. Rather, they travel preassigned routes in which maps, speed limits, and traffic signs have already been input into their system. The cars use Lidar (light detection and ranging) sensors to verify position and identify potential obstacles in their path.
Other manufacturers and owners of autonomous vehicles face similar issues. Personal-use automobiles are not likely to be as tightly locked down as those belonging to a rental fleet or other service. Users want to keep features like Wi-Fi and Bluetooth. And be aware that self-driving cars built on top of pre-existing vehicle designs may carry inherent vulnerabilities that may be easily leveraged despite bolted-on security measures.
Alyssa Milburn and Niek Timmers are security analysts for Riscure. Calling the hacking of cars “cool,” they presented a session at the 2018 Black Hat conference called “There will be Glitches: Extracting and Analyzing Automotive Firmware Efficiently.”
“Vehicles are suffering the growing pains seen in many embedded systems: Security is a work in progress, and in the meantime, we see some fun and impressive hacks,” they promised.
Even when “secure boot methods have been universally implemented, without obvious bugs, adversaries no longer have access to unencrypted firmware and ECUs refuse to run any unsigned code,” Timmers and Milburn pointed out. They ask, “Will automotive exploitation be ‘mission impossible’ or do hackers still have a few tricks up their sleeves?”
Component firmware found in a car provides a starting point for an attacker to obtain sensitive information and discover potential vulnerabilities, Timmers and Milburn said. The process of reverse-engineering a specific component is typically a complex and time-consuming task. However, they outlined techniques “to significantly increase the efficiency of reverse-engineering the firmware of an instrument cluster,” among other shortcuts.
An unprecedented legal storm fast approaching
The security issues go beyond the physical effects of someone hacking a car. Ultimately, who’s responsible?
“A tidal wave of litigation over defective IoT cybersecurity is just over the horizon,” said IJay Palansky, a partner at law firm Armstrong Teasdale.
Palansky is lead counsel in the ongoing federal class action lawsuit that ensued from Miller and Valasek's Jeep hack. He represents the owners of the 1.4 million Chrysler cars and trucks that share the cybersecurity issues Miller and Valasek exploited in their attack.
Palansky hopes to break new legal ground and hold companies liable for weakly secured IoT products. “As far as I know, our case is one of the first, and the biggest, that involves claims that consumers should be compensated for inadequate cybersecurity in IoT products,” he said.
Calling the security of ubiquitous IoT products “feeble at best,” Palansky said established laws can impose liability on every company involved in the design, manufacture, or distribution of an exploited IoT device or its cyber-related components—especially in the event of a cyber-physical IoT hack that causes injury. “Such liability could be crippling, if not fatal, for organizations that don't know how to properly handle and prepare for potential lawsuits,” he added.
Full speed ahead: Lessons for leaders
In their Black Hat 2018 presentation, Miller and Valasek said that while they “work hard every day to make it difficult to hack these cars,” the vehicles are not unhackable. However, they added, “We want to make the return on investment so low that it’s just not worth the effort.”
- It's already been demonstrated, painfully, that the electronic systems in cars make them vulnerable to hacking.
- Aside from the technical challenges, these weaknesses add new legal risks.
- Several researchers—including two of the ones that first pointed out the weaknesses—are working on identifying the issues and testing solutions to make new equipment less susceptible.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.