If you are interested in the Internet of insecure Things, then you might like a new report which looks at the cybersecurity of connected vehicles, calling it "one of the biggest issues facing manufacturers today." Cyber Security in the Connected Vehicle attributed that threat to complexity, connectivity, and content. There's a "massive future security problem just around the corner," and it can't be fixed by trying to bolt on security during the implementation phase.
Complexity was called "the worst enemy of security," as a connected car could have "approximately 100 million lines of code," compared to 8 million for an F-35 fighter jet. There has been a dramatic increase in Electronic Computing Units, with some high-end vehicles currently having about 100 ECUs. There has also been a rise in the diversity of in-vehicle systems which provide both luxury and critical features.
Connectivity was called a "double-edged sword" since adding cars to the Internet of Things will continue to make vehicles "a more accessible and more attractive target to adversaries."
BI Intelligence estimated 75% of 92 million cars shipped globally in 2020 will be "connected cars." VDC Research claimed, "Connected vehicles are an attack waiting to happen. The average new car in 2015 contained more than 30 microprocessors, and the cybersecurity of those embedded systems is severely challenged by in-vehicle Internet connectivity." In 2014, only 2% of microprocessors in cars had hardware security features, VDC's report (pdf) claimed.
Regarding content, TU-Automotive's report suggested that cybercrooks will be attracted to possibilities of stealing personal information available via car networks. As more connectivity and services are added to connected vehicles, new attack vectors could open up. For example, "Services that involve financial transactions will be a prime target, and here the supporting infrastructure is at least as much an attack point as the in-vehicle parts."
TU-Automotive's 60-page Cyber Security in the Connected Vehicle Report costs $3,195, but the 13-page brochure (pdf) is free. While the brochure doesn't dive deep into the subjects of IoT car cybersecurity, the full report includes a map of the attack surface, types of hacks, attack anatomy, attack trees, a hacker heat map, and more.
The brochure does discuss some aspects of attacks on connected vehicles, citing previous research. Attacks on infotainment have included using CD players and DAB radios as entry points; it mentions the OBD port and tools to scan it; and the $60 CANtact open source tool was released at Black Hat Asia 2015 so the curious can hack their connected cars.
Other examples included vulnerabilities in Bluetooth. Researcher Keijo Haataja "divided the vulnerabilities into three categories, corresponding to the CIA model of security: threat of disclosure of unauthorized information, threat to integrity of information, and threat of denial of service." He added, "Powerful directional antennas can be used to considerably increase the scanning, eavesdropping and attacking range of almost any kind of Bluetooth attack."
In 2014, car hackers Charlie Miller and Chris Valasek said they considered "Bluetooth to be one of the biggest and most viable attack surfaces on the modern automobile, due to the complexity of the protocol and underlying data. Additionally, Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a very reliable entry point to test."
It is important to consider dependencies, as the whole ecosystem must be trustworthy. If even one subsystem is insecure, it risks the security of the entire vehicle. Some functions will work with third-party developed OEM equipment, firmware, and software. The system may inherit weaknesses from one component or library, or it may be unprepared to handle "unanticipated user input." The best bet is to develop robust standards.
Automobile manufacturers have not necessarily greeted white hat hackers with open arms, but pentesters need to test the security of connected cars. However, neither white box nor black box testing is a "guarantee of future security."
The report states:
Considering the need to adopt the mentality of an adversary when using this methodology, system designers may not be the best people for such an effort, as cataloging all implicit assumptions (especially from a malicious viewpoint) made during system development is extremely difficult; hence the need for an external security testing process.
The full report includes "new and critical analysis to the evolving problem of cybersecurity in the vehicle." Additionally, TU-Automotive will hold a connected car cybersecurity conference at Novi, Michigan, in March.