If car makers are as careless about security as other makers of smart electronics are, we’re in for some trouble. Charlie Miller, a security researcher at Twitter, Chris Valasek, a security researcher for IOActive, said as much in their talk at Black Hat. On top of that, a group of security experts at the Defcon conference called upon car makers to build cars that have real security measures in place.
The risk of hacking cars may seem remote, but as automobile manufacturers pack wireless networking and other computing systems into the newest models, the risk is tangible, as Miller and Valasek showed in their own evaluation of various models. They assessed the “attack surface” of 24 different vehicles. Cars that did not pass included the Infinity Q50 and the Jeep Cherokee. The pair are expected to publish cyber security ratings for cars soon.
“We found that when you add a lot of complexity to things, there tend to be errors,” Valasek said. “People need to do an architectural review and look at different cars. The more people looking at this, the better.”
At the end of their demo, Miller and Valasek showed how they successfully injected their own picture into the screen of a Jeep Cherokee, which Miller owned. They were clearly having too much fun, given their scary subject. Miller is a veteran of Black Hat. He gave talks in the past about hacking the Mac OS, Second Life, and the iPhone. His talks are always goofy, but his skill as a security researcher is highly respected.
Meanwhile, a group dubbed I am The Cavalry wrote a letter to car makers at Defcon. They want mandatory testing of digital tools within cars, a responsible disclosure program so that researchers can safely disclose vulnerabilities without legal risks, a black box in every model to record events, and secure software updates.
All of the researchers said a fatal mistake of older designs is that the car designers put different electronic systems on the same internal network. For instance, if someone hacked into a car’s Wi-Fi system, they shouldn’t be able to access the electronics that control the car’s steering wheel. That should be on a separate network that isn’t linked to another system like the car’s infotainment or navigation systems.
I Am The Cavalry’s letter said, “When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles. The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.”
Tesla has a lot of security in place, and it also has a vulnerability disclosure system. Most car makers seem unprepared for hackers because they’re not yet used to the idea of hackable electronic systems. The tire pressure monitoring system, for instance, is hackable. But the risks related to it are small. As car makers add more computing power and communications to their cars, they become bigger targets.
Miller and Valasek said they weren’t able to remotely hack any cars, but that they believe it is possible. (They didn’t have the budget to experiment on a lot of cars). And they showed off an intrusion detection system that could be plugged into vehicles to prevent outside interference. When a cyber attack happens, the car switches off the network features.
“We looked into systems in cars to see if we can control things like steering or brakes,” Miller said.
Valasek and Miller have received funding from the US government’s Defense Advanced Research Projects Agency (DARPA) for previous related research. DARPA also funds self-driving car research. In 2011, researchers from the University of Washington and the University of California San Diego figured out that they could hack a sedan through a disk inserted in its CD player, the diagnostic equipment used by mechanics, or a cellular connection.
Other researchers have noted that high-end cars have lots of computers to control brakes, acceleration, cruise control, and self-parking. Attackers have to find a way to exploit a system and then use that vulnerability to send a command to the electronic control unit. These flaws are a problem because it’s hard to patch a car.
Possible weaknesses include Bluetooth and cellular connections, Wi-Fi, in-car apps, and desktop-like features. These weaknesses make remote access to a vehicle possible. One solution might be to install gateways within networks that have security checks. That could help wall off various pieces of the network from each other.
“From our perspective, these are targets,” Valasek said. “Bluetooth is probably the biggest attack surface to go after [currently]. It is a viable attack surface.”
Adding cellular and Wi-Fi to a car, however, is more like the “Holy Grail of attack possibilities,” Valasek said. “It’s the most concerning.”
“It means that, in the future, cars will have Internet access and apps,” Miller said. “Once you add a web browser to a car, it’s over. I’ve written web browser exploits, and a lot of people know how to do this.”