In 2013 Charlie Miller and Chris Valesek showed how easy it was to take over a connected car. It was a monumental moment that made the auto industry stand up and take notice of the vulnerability of the connected cars they manufactured.
Miller and Valesek were not maliciously running cars off the road, but they did give demonstrations so that the auto industry would begin to take security seriously. As seen in this video, the two researchers had the capability through their laptops to shut down the vehicle's engine on the highway or spew window washing fluid onto the windshield, which could startle an unsuspecting driver to perhaps jerk the wheel and hit another car. They identified more than seven major categories of remote attack surfaces, based on their study of 20 models (2014 to 2015) from different car manufacturers.
To help give the auto industry a bit of a hand, FASTR (Future of Automotive Security Technology Research) recently released a manifesto, Toward Tomorrow’s ‘Organically Secure’ Vehicle, declaring its organizational and industry intentions to help enable the future of automotive security innovation. Formerly “Automotive Security Review Board” (ASRB) and founded by Aeris, Intel Security and Uber in 2016, FASTR is facilitating industry-wide collaboration to drive cybersecurity across the entire automotive supply chain.
FASTR is a neutral, nonprofit consortium that seeks to enable innovation in automotive security with a vision of self-healing vehicles. It is working to deliver the actionable applied and theoretical R&D needed to drive systematic coordination of cybersecurity across the entire supply chain and ensure trust in the connected and autonomous vehicle.
The number of connected cars is set to explode. Gartner, for example, predicts there will be 250 million connected cars on roadways by 2020. But FASTR says mass adoption of autonomous vehicles won’t happen without trust that these cars are cyber-secure.
Craig Hurst, FASTR’s executive director, said the societal benefits of connected and autonomous cars promise to be profound. However, with connectivity comes certain inherent risks, he warns. “Nearly every wireless communications interface in vehicles today has vulnerabilities,” he said.
The nature of the exploding complexity of modern vehicle computing is creating a “system of systems” that introduces dependencies across systems — meaning, a laptop connected to the internet, connected to poorly secured TCU (telematics control unit), connected to the brakes, he said.
“Security needs to be considered from an expansive, diverse perspective from the onset of vehicle system architecture design,” Hurst noted. “We are moving from a current state of limited but expanding vehicle connectivity (telematics, infotainment, etc.) to a highly complex, fully connected environment including vehicle to vehicle (V2V), vehicle to infrastructure control (V2I), or, more generally, vehicle to everything (V2X).”
He added that the attack surfaces of today’s connected vehicle goes beyond its in-vehicle systems to also include the increasing range of external networks to which the vehicle connects, including Wi-Fi, cellular, GPS (global positioning system), digital broadcast radio, service garages, toll roads, drive-through windows and gas stations.
Some systems shown to be vulnerable also include remote keyless entry, unsecured Wi-Fi hotspots, OBD-II (on-board diagnostic system) and USB. Intel Security in 2015 released a white paper in which it listed many of the most hackable and exposed attack surfaces on a next-generation car. Once a hacker has access via one of these entry points, injection of controller area network (CAN) messages may be possible, to manipulate other systems in the vehicle — even safety-critical systems, Intel noted.
“In the years ahead, the connected vehicle will come to rely more and more on external systems and networks to support new services and interactions. Plus, telemetric data analytics are evolving from concentrating mostly on vehicle performance and location to focus on more sensitive consumer experience and personal data such as 3D facial recognition, passengers in attendance, contextual voice processing, payment history and details, and driving habits,” Hurst said.
He hopes that through FASTR’s efforts, contributors to the organically secure vehicle of the future can work together on architectures and greenfield approaches and drive the agile, iterative research.
The manifesto states that holistic security is going to have to be an intentional and proactive undertaking from the outset of the design phase, and an OEM’s entire supply chain must be guided to adopt security best practices and produce technology components that are trustworthy. Arriving at a secure vehicle will demand innovation in process and management, as well as creation of more secure embedded systems.
Automotive OEMs are experts at building cars through their supply chains, and, today, they basically fuse together automotive security across disparate components, Hurst said.
“In fact, the complexity of legacy automotive control and bus systems — they have historically been dedicated systems operating independent of one another — has been viewed as a significant deterrent to hacking,” he said. “But a different approach to automotive security clearly is required moving forward, because of the many, many concurrent and significant changes that are playing out as we move toward the connected and autonomous car in the future.”
Taking over more than just the vehicle
The automobile will have a significantly expanded cyber-attack surface. Focus on automotive security will continue intensifying rapidly among industry and government, FASTR believes. The adoption of technology into modern vehicles without rigorous Security Design Lifecycle methodologies applied in a “system-of-systems” approach will create risks.
They are not just talking about the risk of loss of life if someone else took control of a car, but the risk of identity theft, as thieves would have a window into a driver’s habits. The location of the car could provide unique information of when someone will be home or perhaps what bank they frequent.
Forecasts call for 250 million connected cars on roadways by 2020. Analysis points to the market for partially and fully autonomous vehicles to approach $77 billion in 2035, with perhaps 12 million fully autonomous units being sold annually around the world, according to the report "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” that was created by Massachusetts Sen. Ed Markey's staff.
“If an advanced connected or autonomous vehicle was compromised, one risk category would be personally identifiable data, such as home address, navigation and route history, communications logs, current location and route, etc. In addition, sensors may provide an interesting attack target to remotely access cameras outside and inside the vehicle, as well as microphones (both integrated in the vehicle and connected within the vehicle, such as in the case of a smartphone),” Hurst said.
Poorly secured connections either between vehicles or between vehicles and the data center will create threat surfaces with significantly larger risks, including fleets and broad system data and analytics. “Payment and transaction data is of particular sensitivity, obviously, and security measures should be directly proportional to the risks,” he said.
Here are some of the significant obstacles that the automotive ecosystem is facing, with a direct focus on trust in security:
- Trust in data confidentiality — Vehicle and operator data must not be divulged without the permission of the operator.
- Trust in data and system integrity — Vehicle and operator data must not be compromised or altered.
- Trust in data and system availability — Vehicle and operator data must be available to the systems and services that rely on them.
To safeguard privacy, Intel noted that hardware must use encryption and cryptography, along with reducing code vulnerabilities by embedding pointer-checking functionality into hardware. Other items that must be addressed are message authentication, enforcement of predictably holistic behavior of all systems, and firewalls to block unapproved and inappropriate messages, and alert security systems about any invalid attempts.
Intel’s report also said that data privacy and anonymity of personally identifiable information (PII) is now leaving the confines of the vehicle, requiring appropriate privacy controls and anonymization of data. Data privacy has two aspects: confidentiality of personal data and leaking of data outside the consumer’s control.
“Cybercriminals have been known to attack and steal data. This includes not only stored personal information, such as address books or credit cards, but also style of driving, current location, previous destinations, and other telemetry. For data leakage, there is a need for new methodologies to justify what data is stored, securely store data, destroy data upon consumption, and protect against unauthorized access,” Intel wrote.
“Since cars are left unattended most of the time – roughly 90 percent – it doesn’t make much sense to store data directly in the vehicle or to let the vehicle be the decision maker about external commands,” said David Miller, CSO for Covisint. “Instead, all vehicle data should be located outside of the vehicle and in the cloud, where it can be secured and where decisions can be made by owners at any time – and with autonomous vehicles coming fast, this is becoming even more important.”
The manifesto says that accelerating the realization of tomorrow’s organically secure vehicles demands tangible research deliverables today — reference architectures, proofs of concept and other theoretical and applied research — that would help automakers reduce risks and liabilities, foster trust in autonomous vehicles and accelerate the safety and quality-of-life benefits that these vehicles promise.
Communication channels must be protected among vehicles and devices, within the communications infrastructure and within the data center.
Cars are often lasting around 15 years, much longer than the life of most software and even computer hardware. As seen with Microsoft’s patches, the company will often end-of-life its support of the software, which in the case of vehicles could leave them left vulnerable to attacks.
Markey’s report stated that the proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent, the report stated.
“Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.”