CYBER SECURITY FOR VEHICLES A GROWING CONCERN

Posted by Extreme Tactical Dynamics on Jun 29th 2019

To be warned is to be forearmed. Technology experts today believe the automotive industry and telematic providers must deal head-on with the potential for all-out cyber security attacks on vehicles by exploring and testing-out electronic systems for vulnerabilities, recommending design modifications, alerting police departments, and educating the public of potential invasions before hackers get the upper hand. We have all watched enough movies to know that bank vaults, military and police security systems, ‘alien space craft,’ and nuclear power plants can be hacked with just a simple laptop, but few thought much about ‘cyber-attacking’ a vehicle using wireless electronic software until recently.

As vehicles are loaded with ever-increasing, high-tech systems, they become more vulnerable to expert exploitation due to 30 to 40 wireless entry portals on just about any current car. Add to these already existing entry points the additional sophisticated setups of Police Cruisers, and it becomes imperative to not only protect police systems from hacking, but to develop software that detects and warns of potential incoming threats on all vehicles.

4TH ANNUAL AUTOMOTIVE CYBER SECURITY SUMMIT

OCTOBER 24-26 SAN FRANCISCO
THE MARKER...501 GEARY ST (94102)
http://www.automotivecybersecurity.com/

Review current vulnerabilities from increased software use and with the Integration of Advanced Technologies…. Mapping Vehicles Attack Surface…. How Auto Industry will keep pace with Advancing Technologies…. Design of Internal vehicle Capabilities that respond to Attacks...and SO, SO MUCH MORE!

THE AUTOMOTIVE INDUSTRY SHOULD HAVE SEEN IT COMING---HACKING

car_theft In 1996, everything changed. OBD-II (ON-BOARD DIAGNOSTICS) specification was made mandatory for all cars manufactured in the United States to be sold in the United States. On-board computers had to be installed, though SAE had recommended the addition of standardized diagnostic connectors and set of diagnostic test signals for each vehicle in 1988. The first OBD was introduced in 1968 by VW on a few of its models, but it was not a common feature until 1980 that OBD’s ‘took off’ when California requirements and regulations had to be met.

In the 80’s the Age of Computers had arrived; it was just a matter of time, before ‘wise guys’ starting ‘messing around’ with their computers and wreaking havoc by breaking into as many secure systems as possible. The automotive industry, though a relative latecomer to the computer age is now a prime target...and laptops just made it even easier to hack an electronic system. Remote-control cars have taken on a whole new dimension with the advent of advanced, integrated technologies and have reached an entirely new level of telematic sophistication.

WHO’S DRIVING THE CAR?

As far back as 2011, a team from the Universities of Washington and California quietly conducted tests using hacker tactics on a sedan, and showed how the brakes and locks could be tampered with. These ‘well-behaved’ scientists didn’t go public, however; they discreetly contacted carmakers with their ‘research.’ Today that is NOT the case because authorities believe that weaknesses and flaws in an electronic system should be shared with the whole community, private and public. In fact, on March 14, 2015 Virginia became the first state to create an information sharing and analysis organization (ISAO) because this state had been a leader in car-hacking research. Governor McAuliffe said, “It is our logical next step.”

In May of 2015, the University of Virginia in cooperation with several federal agencies and numerous private companies made the headlines when it was announced that a team of experts had hacked into two police cruisers, a 2013 Ford Taurus and 2012 Chevrolet Impala showing how the vehicles could be commandeered. The vehicles were programmed to brake and to accelerate from an outside wireless signal; airbags were deployed at high speeds; collision avoidance systems were confused; tire pressure monitoring systems were activated, and engines were cut off in mid high-speed pursuit, or ‘ordered’ not to start up at all.

One goal of the Virginia project was to collect information and create a shared database of car vulnerabilities. The database would also contain information from Miller and Valasek's work conducted with the University of Washington, as well as research from other resources. Police Departments, cybersecurity companies, government agencies, etc. can all not only benefit from the varied information of the database, but can contribute valuable information to an ever-expanding catalog of cyber security breaches.

WHITE HAT/BLACK HAT HACKERS

175430385 In July of 2015, the well publicized video of a JEEP CHEROKEE being hacked by ‘white-hats’ went viral. Andrew Greenberg volunteered to be the test ‘dummy;’ he knew the Jeep was going to be hacked, but had no idea what would be done specifically by Miller and Valasek who were 10 miles away; they were connected by cellular phones. Greenberg cruised along at 70 mph, ready for anything. The experiment started slowly: the AC was turned on high, then the radio full blast; he couldn’t turn them down or off. The windshield wipers beat back and forth and foamy wiper fluid covered the glass. His two buddies appeared on the digital display screen; then they promptly reduced the speed and tampered with the brakes just as Greenberg entered an expressway. The ‘experimental’ software the hacking duo had designed silently rewrote the chips’ firmware to plant their own code.

Because these guys proved that any Chrysler vehicle with Uconnect from late 2013, all of 2014, up to the early 2015 models was vulnerable, on July 24, 2015 at 3:30 pm, Chrysler issued a recall of 1.4 million vehicles based on this report. Watch the video of Miller and Valasek ‘having fun’ at their computer…. and of Greenberg who wasn’t having much fun at all! https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

In July of this year, two car thieves were caught on camera as they used a laptop to disable a Jeep’s alarm system and start it up, then stole it from the owner’s driveway. Police reports noted that four other Jeeps and Wranglers in the greater Houston area had been ‘mysteriously’ stolen; none were recovered. Perhaps Senior Officer James Woods had not been aware of the white-hat hackers Miller/Valasek and of their trial software that had taken over the controls of a Chrysler vehicle just the year before. If this is the case, then this is a perfect example showing why agencies must stay informed, cooperate, and share information with each other if they are to stay ahead of the black-hat hackers.

The Houston Chronicle reported this month on August 6 that over 100 SUVs were stolen this summer and driven to Mexico by two guys who hacked into the electronic systems of the vehicles. Cameras show them using a laptop to override the manufacturer’s security system, and the Fortune Magazine article shows a photo of one of the hackers sitting on top of a Hummer with Texas plates that he had driven south of the border. For such clever guys….not so smart! Both have since been arrested.

Governmental Officials Meet the Automotive Industry to Discuss Security

On July 22, the first-ever Global Automotive Cybersecurity Summit was held in Detroit. U.S. Secretary of Transportation Anthony Foxx was a keynote speaker, as were other prominent representatives from several government agencies, GM, and cybersecurity experts. The event was sponsored by Billington CyberSecurity a leader in the field since 2010. All aspects of automotive vulnerabilities were discussed by the concerned experts. Recommended standards, best practices, and regulations were laid out in detail. Possible futuristic cyber threats were introduced, whether perceived or real, with the projected impact they would have on the automotive industry. Emphasis was placed on the ‘sharing’ of information among the many governmental and private groups, a practice all believed would strengthen alliances by the dissemination of vital information.

SO WHO OR WHAT CAN BE HACKED?

Police fleets could be particularly vulnerable because the vehicles are interconnected not only to each other and to a command center, but also to federal, state, and local databases. Sensitive personal information at all levels can be easily stolen by anyone who can crash the system because there is so much intensive interaction among groups.

In fact, any person behind the wheel could be bypassed and ‘overruled.’ Hackers with malicious intent can breach internal electronic systems and tamper with gears, lock the ignition, rev engines, give bogus GPS readings, and cut off the power steering all from a wireless source without anyone knowing it because detection software is still in its infancy. Without being able to prove what’s going on with your vehicle, all of these unexplained aberrations would be chalked up as manufacturer’s defects allowing hackers to do what they want without getting caught. High-tech detection equipment and foolproof software is needed now!

SAE SOLUTIONS

More than 130 organizations, agencies, volunteer scientists and engineers, and private companies have pooled their knowledge to provide a standard for dealing with automotive cyber security. It is SAE Standard J3061, the first of its kind, and comes in the form of a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. Patti Kreh, a member of the global association of engineers and business development manager for SAE International, explains the standard as a “design [in security]...from the beginning, you determine where potential vulnerabilities are, look at the risk association with each of those, and rate them, and then put your plans in place in order to minimize those risks.” SAE developed the standard in order to help automakers create and integrate electronic systems that are not easily hacked.

SUMMARY

Without being overly paranoid and borrowing from a cliche or two: "This is only the tip of the iceberg"….and “You ain’t seen nothin’ yet.” The race is on between the ‘good’ guys and the ‘bad’ ones; the stakes are high and getting this wrong could be potentially disastrous. Some authorities question the goals of cyber security systems in general, by asking: Should the automotive industry and cyber security experts even shoot for a tamperproof system? OR...Should white hats concentrate on developing software that detects then blocks or disables incoming malicious signals?... understanding full well that no system can ever be 100% secure.

As more and more technology is added to vehicles, there are more wireless portals and more ways to be invaded. This industry is moving fast; self-drive cars are already a reality. Add to that technology all the shenanigans of hackers whether good or bad, and it’s easy to wonder exactly who or what will be controlling your vehicle when you take the wheel.