Today's cars are more connected than ever before. Vehicles can communicate with other vehicles, be sent software updates via the cloud, or even help you pay ahead-of-time for your morning coffee as you pass a Starbucks.
But the more you open up internal parts of your system to this connectivity, the bigger the chance that those vulnerabilities are accessible from the outside.
So, how exactly are automotive cybersecurity vulnerabilities exposed, and what can engineers, automakers, and the average person do about it?
In this episode of Here’s an Idea, we’ll talk with researchers, including noted Jeep Cherokee hacker Chris Valasek, who have found weaknesses in today’s connected cars.
And we explore the teamwork involved in keeping today’s vehicles as secure as possible.
Listen to the episode below, and subscribe here.
- Chris Valasek explains how he and his colleague and friend Charlie Miller were able to hack into a 2014 Jeep Cherokee — and leave a Wired writer trapped on the Interstate 64 on-ramp in St. Louis.
- Stacy Janes, currently the chief security architect of the connected transport division at the Netherlands-based software security company Irdeto, reveals what part of the connected car is the 'Holy Grail' for hackers.
- Finally, we catch up with Lindsay Brooke, Editor in Chief of SAE's Automotive Engineering magazine and Autonomous Vehicle Engineering magazines, who tells us why a beat-up, twenty-year-old car might be safer than you think. Here are some excerpts from our interview with Lindsay Brooke:
On the Biggest Security Vulnerabilities:
"Beyond the vehicle, you've also got car companies as potential cyber threat targets. You've got Tier 1 suppliers, who obviously engineer and develop and integrate these systems in the vehicle. You've got telematic service suppliers. You've got car-sharing companies. You've got private and public transportation providers. You've got fleet operators. They're all part of this potential threat surface or threat vector that's out there right now, so it really goes beyond the vehicle."
"The IVI, which is the In-Vehicle Infotainment stack in the vehicle, is really kind of the big gateway to threat surfaces and connecting the vehicle to outside communications. Within that you've got the CAN bus in the vehicle, so once you get in, the bad guy can kind of navigate through the vehicle through the Controller Area Network, which is the CAN. That's the bus that a lot of these systems connect to and talk to, and then the CAN bus connects to all these various Electronic Control Units (ECUs) in the vehicle — everything from controlling your seats to your windshield wipers to your transmission shift points.
Really there are infinite pathways that, once the bad guys are in the vehicle, they can do a lot of things, as we saw with that Jeep hack in 2015."
"They're probably not going to hack my private car — because what can they get out of me? — but they could hack 10,000 General Motors pickup trucks. At the same time they go to General Motors and say, 'We're going to make this really ugly for you in the public. We're going to make your vehicles lock their occupants in or turn their windshield wipers on or be stuck in first gear.'"
On How Equipped Automotive Manufacturers are to Deal With Today's Cybersecurity Threats:
"Just about all the Tier 1 suppliers that supply these HMI systems and autonomous vehicle driving systems have cyber teams as well. Part of the problem from our public view is that no one can really say what their state of the art is, because that would give the black-hat guys information about what the level of defense is out there. We can only hope that they're building in layers of defense, and that's really what everybody is going for: to build layers of defense in, a multilayered approach, which is in-vehicle defenses, which is cloud security for all the services that are providing vehicle services through the cloud to vehicles, and then of course network security."
On the Automotive Security Market:
"There'll be players that come in, and there'll be big players that buy little players. There'll be little players that somehow aren't funded adequately, and they drop off the table. There'll be new startup players and emerging players that come out of nowhere and, just like we've seen in automotive, become dominant because they've got a technology. Automotive cybersecurity is a very dynamic space."
Learn more about SAE's automotive cybersecurity standard J3061™: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. This on-demand SAE Standards Webinar is a presentation and global discussion about J3061™ and consists of four sessions:
- Introduction and Overview of SAE Recommended Practice J3061™
- Parallels Between J3061™ and Functional Safety Lifecycle in ISO 26262
- Hardware Protected Security for Ground Vehicles and SAE Draft Document J3101
- Overview of NHTSA’s Vehicle Cybersecurity Research Program and Goals
Read a Q&A with Karamba Security co-founder and chairman David Barzilai.
Watch how Keen Security Lab took over a Tesla: