Toronto Star

Auto industry must adopt cyber security mindset, expert says

GARY GRANT SPECIAL TO THE STAR

- Freelance writer Gary Grant contributes to Toronto Star Wheels. To reach him, email wheels@thestar.ca and put his name in the subject line.

The automotive world was turned on its ear in July, 2015, when technology publication Wired released a story about a duo of hackers remotely accessing a vehicle that was being driven by a columnist.

This wasn’t the first display of just what can be done to a car remotely, as 60 Minutes ran a similar story last February that saw a hacker disable the brakes of another car on-camera.

The television story saw on-air personality Lesley Stahl driving through a line of pylons at the wheel of a Chevrolet Impala when control of the braking system was removed by the operator of a laptop on the other side of the lot.

In that instance, the car had been accessed through its OnStar system to allow a data packet to confuse the car’s computer and allow the installation of a bit of malicious code that allowed the takeover of the car’s systems.

In the Wired story, Charlie Miller and Chris Valasek sent writer Andy Greenberg out onto a St. Louis area freeway in a Jeep Cherokee.

Sixteen kilometres away, the hackers pecked away at a laptop, turning on windshield wipers, changing radio settings and blasting the air conditioning before disabling the transmission, while a truck was bearing down on the vehicle from behind.

At one point in the drive, they disabled the Jeep’s brakes, sending Greenberg into a ditch.

The contact point in this case was the vehicle’s UConnect entertainment system, which — like the General Motors solution — relies on its connection to the cellular network.

As part of the opening of their new Toronto office, security company ESET invited me to sit down with Senior Security Researcher Stephen Cobb to talk about IT security in the automotive sector.

When IT security experts look at threats, there are essentially three types of perpetrators: the troublemaker, the criminal and the terrorist. The first one is more of a nuisance, but the potential is there for the second two to be very worrisome.

A current trend south of the border is the appearance of what experts call ransomware, where extortionists take control of a computer or network of computers after an email recipient clicks an infected link.

The effects of ransomware are very real: in February 2016, an attack on Hollywood Presbyterian Hospital in Los Angeles shut down that facility’s entire computer network for more than a week, putting patients at risk.

The ransom demanded, and paid, to unlock the system was $17,000. The scenario has played out at medical facilities in Kentucky and the Washington D.C. area in recent weeks.

For the most part, law enforcement agencies in the U.S. are unprepared to deal with this type of crime, so most targeted businesses just pay the ransom.

Cobb sees this type of attack as the most likely exploitation of automotive computer hacking. In that case, there are two likely outcomes, one being where a vehicle’s systems are disabled temporarily until the ransom is paid.

If the demands are not met, it is likely that the car’s computer systems will be “bricked,” meaning that replacement of seriously expensive components is the only answer. Cobb says he “would stake my reputation on saying that ransomware used for cars is going to happen.”

So how does one gain access to a vehicle? Sadly, it is surprisingly easy, as easy as making a connection with the tiny chip in your car’s Tire Pressure Monitor Sensors and feeding a script to the car’s main computer to do whatever nefarious task is desired.

Third-party dongles, such as the ones from your insurance company that monitor driving habits, are particularly problematic, as they are not very secure, nor are they easy to update if a potential threat is determined.

Why is it so easy? Cobb sees the problem as a fundamental flaw in the way that the auto industry looks at security versus safety.

Interestingly, Tesla, a company that is rarely accused of doing things in a traditional manner, is the only automaker that has a telematics system that immediately informs the company if a vehicle’s systems have been accessed and a protocol to follow up with the consumer.

As with any activity, once one person has learned how to do something, it then becomes easier for those who follow, and automotive IT security is no different.

“There is a lot of concern about people hacking into infrastructure but there doesn’t seem to be a concern for cars,” says Cobb, adding: “What I sense in the automotive space is that we think it’s safe,” but the reality is that safe and secure are two very different things.

The auto industry, he says, needs to adopt a cyber security mindset to prevent existing vulnerabilities from escalating in future products.

GARY GRANT FOR THE TORONTO STAR The simple tire valve stem isn’t so simple anymore. With a tiny computer chip for the tire pressure monitoring system, this is now an access point for hackers to connect to your car’s computer system.
