If you are headed to the Consumer Electronics Show in Las Vegas next month, you may find Stacy Janes next to his driving simulator. Janes and his team will spend time at the popular technology fair demonstrating the hack of a connected car.
“We can actually take control of the simulator and show you what it's like to be in a vehicle that you don't have control of anymore,” said Janes. “People seem to enjoy it.”
Remote vehicle hacks, however, have been demonstrated in the real world – and have raised serious, far-less-enjoyable concerns. Is it safe to be behind the wheel of the next generation of cars?
Janes, chief security architect of the connected transport division at the Netherlands-based software security company Irdeto, spoke with Tech Briefs about the growing connectivity of today’s vehicles, and how the connected features are driving new cybersecurity measures.
Tech Briefs: In 2015, researchers Chris Valasek and Charlie Miller remotely took control of a Jeep Cherokee. How have automotive cybersecurity threats changed since then?
Stacy Janes: When connectivity first started in the automotive industry, it was in the in-vehicle infotainment (IVI) system. Now the car is becoming more like a personal computer or a mobile device, where there's more things you can do with that connectivity. We're seeing actual app-type stores in IVIs. As more and more of the vehicle software uses that connectivity, there's more of a chance of a vulnerability being exposed by it. The more you open up internal parts of your system to that connectivity, the bigger the chance that those vulnerabilities are accessible from the outside.
Tech Briefs: What new features concern you, from a security perspective?
Stacy Janes: The big [concern] for me is over-the-air (OTA) updates. We've seen over-the-air updates come from Tesla and from other OEMs. It's an excellent feature for the automotive industries, especially with connectivity. In any type of connected environment, however, the update mechanism is a kind of “Holy Grail.” If you can take over the OTA system, you can keep updating the system, and you can even block out the OEM from fixing it – without getting physical access. So, that is really a place where security needs to be focused.
Tech Briefs: What’s the worst-case scenario for this kind of OTA attack?
Stacy Janes: As an attacker, what I would want to do is take an electronic control unit (ECU) with an OTA client on it; take it out of the vehicle; put it on a bench; and start working at it. Can I get that client to attack a server in a trusted way and give me some access to that server?
Imagine if you can push new software on a vehicle. It could be an app, or it could be firmware for one of the ECUs. Now imagine the scenario where I have taken over control of the OTA system; we've seen this in the personal computer market and mobile market. I can push malicious applications to your head unit, or I can push malicious software to a telematics device. It could be as simple as: “I just want to mine Bitcoins on your car.” If I can use your system to put my bad software onto your vehicle, and at the same time block you from putting a fix down, that's really an advantage to me.
Tech Briefs: Are you confident in manufacturers’ abilities to defend against these threats?
Stacy Janes: The industry, as a whole, has started learning, researching, and looking at standards and specifications. Some of the new conversations that we've had with OEMs and Tier-1s in the last two months show a very mature understanding of what it takes to protect connected systems. It's a complicated problem, but OEMs do seem to be taking it seriously.
Tech Briefs: How is ransomware being used against connected vehicles? Take us through a scenario.
Stacy Janes: For the automotive industry, their biggest threat is anything that involves money – harming your brand to either shut you down, take your competitive edge, or just to make you pay.
If I wanted to ransomware the automotive industry, I'd go after the OEM. It doesn't have to be super-complicated. Instead of figuring out how to cut the brakes on a moving vehicle, I could just make the vehicle an environment you do not want to be in.
Let’s say you start your two-year-old car in the morning, and the IVI screen is flashing white to red, and the audio system is turned all the way up, playing at full volume some music you don't like. You'll call the dealer, and they'll tow the vehicle to the dealership. At that point, the dealership has 10 or 20 or 100 vehicles rolling in on the same day with the exact same problem.
[A ransomware attacker] could hold your brand for ransom, contact the OEM, and say, "You have one hundred dealerships, each with fifty to a hundred cars, all with the exact same problem. This is what I've done to your vehicles. Give me five million dollars."
Obviously, there's probably a hundred different scenarios. The gain to you, an attacker, would be higher if you can go after a larger corporation with deep pockets.
Tech Briefs: How vulnerable are automated vehicles compared to cars with drivers?
Stacy Janes: So, you have Uber and Waymo, who are both putting autonomous technology on top of existing production vehicles. Waymo and Uber vehicles are based on something I can buy. And then you have someone like Cruise, under General Motors, which is building an entirely new vehicle that is proprietary.
If I wanted to go and attack, let's say, a Jeep, like Chris and Charlie did, I would go out and buy a Jeep, take it apart, reverse engineer it, figure out the vulnerabilities, and use that to attack an identical type of Jeep product by that OEM. If you want to do that to an autonomous vehicle by Cruise, you’d have to break into a General Motors storage facility and steal one. That's probably going to get noticed. Right now, just by the way they're kept, autonomous vehicles are harder to attack than a production vehicle, simply because they're harder to get your hands on.
Tech Briefs: With vehicles, is data privacy also a security challenge or priority?
Stacy Janes: Very similar to a mobile device, the vehicle is starting to store more and more information about you. We're seeing features at General Motors, for example, where your vehicle can order your coffee as you're approaching a coffee shop. Plus, the vehicle also has your GPS and location information.
We're starting to see more and more of that information show up in vehicles, and, like a mobile device, that data needs to be protected. Now, fortunately, this is a known area: how to protect data at rest and data being transferred. This shouldn't be a really difficult thing for OEMs to wrap their head around. As long as the vehicle uses known best practices for protecting data, it will be a harder nut to crack than what we're seeing on the server side with other companies and industries that are losing data already.
Tech Briefs: What vehicle-hacking threat worries you the most?
Stacy Janes: The most worrying threat is obviously anything that involves driver control. We saw from the work of the Keen Security Lab , and of Chris and Charlie on the Jeep, that you can actually affect the control of some vehicles through getting access to internal networks. With a Tesla, Keen researchers were able to move the seat back. So, imagine if you're driving down the highway, and your powered seat moves you far enough away from the controls that you can't touch anything. At the same time, maybe you can just confuse, distract, or scare the driver into crashing the vehicle themselves using screens or whatever features are available in the vehicle.
With people inside, [driver control] is always going to be the most concerning, especially for the autonomous industry. If we see anything that says, "This autonomous car was hacked, and someone got injured," that's really going to hurt that industry, because there's already a fear factor in driving in a car with no driver. So, that side of it is still the part that worries me the most.
Tech Briefs: Should we feel safe driving in today’s connected cars?
Stacy Janes: I have a brand-new 2018 connected vehicle. The thing about connected vehicles right now is I don't think we have the scale to make a malicious attack financially viable. By the time that scale is there, I think they will be caught up technology-wise.
Security is about supplying a resistance to a force coming from another person based on their motivation. So: take away their motivation, or apply resistance that's higher than their motivations. As long as the industry properly maps that out and stays with it, I’m confident they’ll be successful.
What do you think? Do you feel safe in today’s connected cars? Share your questions and comments below.
This interview has been lightly edited for length and clarification.