Car hacking has been back in the news in the last week, that’s right, BACK in the news, when Wired Magazine published a story about hackers taking remote control of a car.
Many consumers and even some journalists think that car hacking is something a bit far-fetched. They view it as something still in the realms of science-fiction, spy thrillers or a hangover from 1980s TV series Knight Rider. The reality is very different. Hacking cars at different levels has been going on for decades.
Almost as soon as manufacturers introduced microprocessors into cars, people began hacking them. The Ford RS Cosworth got much of the early attention where people swapped out the onboard chip for a modified chip to improve performance. Since then this has become a fairly common process in some motoring circles.
Journalists reporting on car hacks for over five years
While these qualify as hacks they are not what most people see as a hack. In 2010, UK journalist Peter Bright covered two incidents that should have sent alarm bells clanging around motor manufacturers.
His 14 May article “Car hacks could turn commutes into a scene from Speed” highlighted the risk from the On-Board Diagnostics (OBD-II) port. In that article, researchers were able to access the Controller Area Network (CAN) bus that connects all the Electronic Control Units (ECUs) inside a vehicle. They demonstrated a range of actions including the ability to take control of the brakes.
This same vulnerability was highlighted again in July 2013 when Andy Greenberg, a Forbes staff writer, was taken for a ride in a Ford Escape by security researchers Charlie Miller and Chris Valasek. What makes this second article frightening is that the researchers had been working on their hack after Valasek’s company, IOActive, received an $80,000-plus grant from the Defence Advanced Research Projects Agency (DARPA), part of the US military.
Does physical access mean hacking risk limited?
Many would argue that if you need access to the physical vehicle then the risk of hacking is small. They would be wrong on two counts. The first is that the rise of the Raspberry Pi means that it is simple to develop a computer that can be placed under the dashboard and connected to the OBD-II port without the owner’s knowledge. Post accident it would be found but by then it would be too late.
The second reason is that hackers and security researchers are predisposed to keep pushing until they get a solution. With the door already part open, it wasn’t long before attacks from outside the vehicle were announced. This was exactly what Bright announced in August 2010 in “Cars hacked through wireless tire sensors”, when he reported that researchers were able to access the tyre pressure monitors on a range of vehicles using a wireless hack.
While the damage from this attack by researchers from Rutgers University and the University of South Carolina was contained, it was possible to crash the ECU. This hack raised the question: if you could attack one system over wireless, could you attack others?
Once again Greenberg took up the story when in June 2014 he again spent time with Miller and Valasek. He reported on their paper, Survey of Remote Attack Surfaces, that they presented at Defcon 22, which showed they were able to wirelessly hack into a Cadillac Escalade, Jeep Cherokee and an Infiniti Q50 among other vehicles.
A quote from the Greenberg article states: “For 24 different cars, we examined how a remote attack might work,” says Valasek, director of vehicle security research at the security consultancy IOActive. “It really depends on the architecture: If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?”
The difference between this and their early attack was the fact that they admit they did this as a proof of concept without actually attempting to hack the vehicles. As the document was released at the Black Hat security conference in Las Vegas, it was never going to take long before someone did do the practical work.
Unfortunately it wasn’t the car manufacturers but Miller and Valasek who decided to do the work. Once again they turned to Greenberg to break the story, not in Forbes this time but in Wired. The article details how Miller took control of the vehicle from his laptop despite being 10 miles away in his house. Along with the air conditioning and other systems, Miller took control of the brakes and the accelerator. This attack demonstrates the ability to kill someone in their car and leave no evidence.
Car hacking dismissed by manufacturers
In all of the cases prior to last week, car manufacturers had taken the view that automobiles were secure and the attacks were unlikely to cause any problem. In effect, they appeared to put their heads in the sand. When asked at conferences about the risk of access to the CAN bus, spokespersons for the manufacturers all took what appeared to be an agreed line that the CAN bus was secure and hackers could not do anything dangerous.
Even after the attack, Chrysler refused to accept that there was a widespread problem that they had been given plenty of notice about. Their response as quoted by the BBC was that exploiting the flaw “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.” Chrysler also said that manipulating its software “constitutes criminal action”.
Time to learn from the IT industry
This attitude from Chrysler is reminiscent of the response from software companies in the early 1990s as hackers began to exploit bugs in software. While the software industry isn’t exactly a gold standard given it consistently gets hacked, it has at least developed processes to work with security researchers.
It pays out bounties to researchers who file information on exploits allowing the software vendor time to patch the vulnerability before it becomes public. There is also a grace period in which researchers allow the vendor time to act before making the exploit public. Sometimes this works and sometimes it doesn’t. What we do know is that there are a lot of companies who have released patches to their products before attacks started and the time between notification and patch is getting smaller.
The auto industry now needs to establish its own bounty scheme in order to head off a problem that can only get bigger. Automobiles are becoming increasingly complex distributed computer systems, with hundreds of vendors now supplying computer-controlled systems to auto manufacturers.
With the increase in software components inside cars, the manufacturers need to take a leaf out of Microsoft’s book and create their own patching process. This has to address all the components inside the car, and that means that any aftermarket, third-party electronics need to be registered to get updates through the auto manufacturers’ patch system. Car owners also need to start treating their cars in the same way that they treat their other electronic devices and regularly patch them.
Liability costs already mounting for auto manufacturers
Along with a bounty programme, auto manufacturers need to step up their own internal security testing divisions. Unlike software vendors, there are laws covering liability when something goes wrong with a vehicle. Over the last few years, the number of lawsuits hitting car manufacturers has surged.
In 2013, Toyota had to pay $3m when a driver was killed due to unexpected acceleration in a vehicle. In February this year it was ordered to pay $11.44m when it was found to be 60 percent liable for a crash in Minneapolis. In January 2015, Honda received what was then a record fine of $70m from the US National Highway Traffic Safety Administration (NHTSA). None of these yet relate to the issue of hacking although that is now firmly on the NHTSA radar.
In March 2015 Network World revealed that General Motors, Ford and Toyota were being sued for not protecting their vehicles from being hacked. The impact of this lawsuit, if it is upheld and there is every reason to think it will be, is that auto manufacturers face a multi-billion dollar bill for recalling cars and retrofitting secure components.
It was announced today that Fiat Chrysler has been fined a record $105m and will also buy back 1.5m vehicles as part of a settlement due to previous recall failures. In a statement contained in the BBC News story covering this fine, NHTSA administrator Mark Rosekind said Fiat Chrysler has admitted to: “effective and timely recall remedies, notification to vehicle owners and dealers and notifications to NHTSA.” He also went on to say “Fiat Chrysler’s pattern of poor performance put millions of its customers, and the driving public, at risk.”
The risk from governments and ethical hacking
One of the other big stories from recent weeks has been the data dump from Italian ethical hacking (or not so ethical, as we now know) company Hacking Team. It has become clear that not only were they uncovering vulnerabilities but they were not reporting them to vendors. Instead, they were selling the exploits to customers along with the necessary information to weaponise those attacks.
Among the countries and companies they sold to were a number of intelligence agencies. It is not a big jump from what we now know from Miller and Valasek to believe that these same agencies would use an attack against a vehicle to kill someone. It would, for example, be far cheaper than using a drone to find and kill a target. Get the registration, trace the VIN number, search for the vehicle around the world and just turn off the brakes while pressing the accelerator.
Before anyone thinks this is far-fetched, we are engaged in a complex cyber warfare campaign against nation states around the world. The opportunity to take out a major target with such impunity will be overwhelmingly attractive to spy agencies.
If this is attractive to spy agencies it is even more so for cyber terrorists. It would only take a couple of incidents to have people worried about using their cars. If the hack can then be shown to be equally effective against public transport, and we’ve already seen proof of concept attacks against aircraft, terrorists would be able to quickly create fear around the world.
A US only problem?
At present the hacking attack against Chrysler Jeep in the US appears to be confined to the US only. A statement issued by Chrysler UK on behalf of its UK and European network states:
“It is important that we are 100% clear about this – the ‘hack’ published in Wired Magazine was conducted through an embedded cellular modem, a feature that is not available in vehicles sold outside of the US, since international markets are currently not offering the same connectivity feature as the US Market vehicles.
Based on these findings, Jeep vehicles sold in the UK (and also across Europe) are NOT in any way exposed to the type of attack the magazine has reported.”
While this attack is, it appears, confined to the US, there are several other attacks against Chrysler and other manufacturers that do not rely on the same embedded modem. It will be interesting to see if countries not yet affected by this problem invest in local cybersecurity support.
While Chrysler is the first manufacturer to recall its vehicles it won’t be the last. It is also highly likely that this won’t be the last recall for Chrysler. The auto manufacturers appear to have been caught napping here with their heads in the sand.
Towards the end of last week US Senators Markey and Blumenthal introduced the Security and Privacy in Your Car Act of 2015 or, as it is already being called, the SPY Car Act of 2015. It seeks to introduce a date by which car manufacturers will have to meet strict cybersecurity standards. It will be interesting to see if they are successful in making this law given the lobbying power of the auto manufacturers.
But the big question that everyone is currently ignoring is: will this affect consumer confidence? For now, no. But it will only take one proven attack by terrorists and all bets are off.