Today's vehicles are increasingly connecting – to each other, to the cloud, to the infrastructure – and, if the right security mechanisms are not in place, to hackers.
On Day 2 of CES 2019, I found myself in front of a “Smart City” demonstration, somewhat mesmerized by the blinking red lights of miniature autonomous cars speeding around a track.
Though compact, the self-driving vehicles reflected the actual architecture of today's connected cars – complete with electronic control units (ECUs) and a Controller Area Network (CAN). It was here that the owners of the booth, the Israel-based company Karamba Security, allowed me – a black-hat beginner – to play the part of the hacker. With the push of a button, I sent exploits that caused the car to speed up, go in reverse, or stop completely.
Karamba offers security software that "hardens" the ECU, company co-founder and chairman David Barzilai told me at CES. The software works by only allowing changes that derive from the OEM. Any non-approved change is considered an attack.
My brief stint as car hacker was over when Karamba applied their security software to the vehicles; the previously successful commands were blocked.
These protections worked well in the CES setup, but that was a demo with miniature cars. Will a hardening of the controllers be enough to protect vehicles in the real world?
Barzilai spoke with me about the challenge of addressing today's automotive cybersecurity threats – and which of the threats he's most concerned about.
Tech Briefs: What are the most vulnerable points of a connected car?
David Barzilai: The first is the infotainment system – the sophisticated advanced radio system that has multiple connectivity [channels] within it: cellular connectivity, Wi-Fi, and Bluetooth. Each one of those protocols can be abused and may allow the hacker to get into the infotainment system, where malicious commands can then be sent into the vehicle.
The other vulnerable point in the connected car is the telematics unit, the one that reports location and enables location-based services – this is a fabulous attack vector. In addition to telematics, we have the more advanced systems, such as the gateway, the ADAS, and now coming up, the vehicle-to-vehicle system. All of those enable hackers to infiltrate the vehicle and take control of it.
Tech Briefs: In 2015, researchers Chris Valasek and Charlie Miller demonstrated a hack of the Jeep Cherokee. By “breaking into” the car over the cellular network, exploiting a vulnerability in the vehicle’s infotainment system, the two-man team could then send fake commands to the vehicle. How has the threat landscape changed since the Jeep hack?
Barzilai: The Jeep attack was unfortunately based on a kind of very naïve mistake. Fortunately, nothing really happened. It was a white-hat hacker attack, it was reported on time. Fiat Chrysler, Harman, and even Sprint fixed the problem.
Cybersecurity awareness has risen so much after the attack. As such, there are quite intense penetration-testing efforts being done on controllers and systems going to the market.
The naïve attacks are mostly resolved; more sophisticated attacks, however, are still possible. We saw sophisticated attacks launched at Tesla and BMW, for example. We’re not perfect, as human beings or as developers. Hackers know that bugs exist out there, and they are creating more sophisticated attacks that are capable of launching those attacks in order to exploit those vulnerabilities.
Tech Briefs: Do self-driving cars call for additional security measures, or do the security basics and principles remain the same?
Barzilai: From a hacker’s perspective, these are very similar attack targets with quite similar architectures. They have a network, and through that network you have controllers connected to them. Some of them are externally connected, and as such can be used as an attack surface to stop the car, accelerate the car, or reverse the car, as we showed in the demo.
Tech Briefs: What would you say are the motivations for someone who wants to hack a vehicle?
Barzilai: The former assistant attorney general indicated back in 2016 that the administration’s greatest worry is connected cars, and autonomous cars will make the issue even more challenging.
Why is that? The sheer scale of each attack.
As an example: Until now there was only one attack that required a recall. The Jeep Cherokee hack resulted in a recall of 1.4 million cars that use the Uconnect infotainment system.
Organized crime or terrorist organizations could use that scale in order to blackmail not us consumers, but the providers – they are the ones liable for the attack. The idea is that they could threaten the manufacturer and show that they can attack a large fleet or large number of vehicles, all using the same system with the same security vulnerability.
Unfortunately, such connected cars are capable of being hacked remotely, and the hacks do not even need to be based on the ground or be within close proximity to the vehicle. Because of the sheer scale, terrorist organizations could use such attack vectors in order to serve their purpose.
Tech Briefs: What threats to the connected car concern you the most?
Barzilai: The driver now has convenient features like self-parking and lane correction, and automatic braking. The problem is that those systems that enable these features are also externally connected; they are also an attack surface. Hackers are capable of hacking those systems from the outside, and are thus capable of taking control of the vehicle and changing the vehicle’s speed and direction.
My concern is that – with those new capabilities that ADAS systems and connected gateways provide – we are far more exposed to hackers.