Auto industry must adopt cyber security mindset, expert says
The automotive world was turned on its ear in July, 2015, when technology publication Wired released a story about a duo of hackers remotely accessing a vehicle that was being driven by a columnist.
This wasn’t the first display of just what can be done to a car remotely, as 60 Minutes ran a similar story last February that saw a hacker disable the brakes of another car on-camera.
The television story saw on-air personality Lesley Stahl driving through a line of pylons at the wheel of a Chevrolet Impala when control of the braking system was removed by the operator of a laptop on the other side of the lot.
In that instance, the car had been accessed through its OnStar system to allow a data packet to confuse the car’s computer and allow the installation of a bit of malicious code that allowed the takeover of the car’s systems.
In the Wired story, Charlie Miller and Chris Valasek sent writer Andy Greenberg out onto a St. Louis area freeway in a Jeep Cherokee.
Sixteen kilometres away, the hackers pecked away at a laptop, turning on windshield wipers and changing radio settings and blasting the air conditioning before disabling the transmission, while a truck was bearing down on the vehicle from behind.
At one point in the drive, they disabled the jeep’s brakes, sending Greenberg into a ditch.
The contact point in this case was the vehicle’s UConnect entertainment system, which — like the General Motors solution — relies on its connection to the cellular network.
As part of the opening of their new Toronto office, security company ESET invited me to sit down with Senior Security Researcher Stephen Cobb to talk about IT security in the automotive sector.
When IT security experts look at threats, there are essentially three types of perpetrators: the troublemaker, the criminal and the terrorist. The first one is more of a nuisance, but the potential is there for the second two to be very worrisome.
A current trend south of the border is the appearance of what experts call ransomware, where extortionists take control of a computer or network of computers after an email recipient clicks an infected link.
The effects of ransomware are very real, as in February 2016, an attack on Hollywood Presbyterian Hospital in Los Angeles shut down that facility’s entire computer network for more than a week, putting patients at risk.
The ransom demanded, and paid, to unlock the system was $17,000. The scenario has played out at medical facilities in Kentucky and the Washington D.C. area in recent weeks.
For the most part, law enforcement agencies in the U.S. are unprepared to deal with this type of crime, so most targeted businesses just pay the ransom.
Cobb sees this type of attack as the most likely exploitation of automotive computer hacking. In that case, there are two likely outcomes, one being where a vehicle’s systems are disabled temporarily until the ransom is paid.
If the demands are not met, it is likely that the car’s computer systems will be “bricked,” meaning that replacement of seriously expensive components is the only answer. Cobb says he “would stake my reputation on saying that ransomware used for cars is going to happen.”
So how does one gain access to a vehicle? Sadly, it is surprisingly easy, as easy as making a connection with the tiny chip in your car’s Tire Pressure Monitor Sensors and feeding a script to the car’s main computer to do whatever nefarious task is desired.
Third party dongles, as in the ones from your insurance company that monitor driving habits are particularly problematic as they are not very secure, nor are they easy to update if a potential threat is determined.
Why is it so easy? Cobb sees the problem as a fundamental flaw in the way that the auto industry looks at security versus safety.
Interestingly, Tesla, a company that is rarely accused of doing things in a traditional manner, is the only automaker that has a telematics system that immediately informs the company if a vehicle’s systems have been accessed and a protocol to follow up with the consumer.
As with any activity, once one person has learned how to do something, it then becomes easier for those who follow and automotive IT security is no different.
“There is a lot of concern about people hacking into infrastructure but there doesn’t seem to be a concern for cars,” says Cobb, adding: “What I sense in the automotive space is that we think it’s safe,” but the reality is that safe and secure are two very different things.
The auto industry, he says, needs to adopt a cyber security mindset to prevent existing vulnerabilities from escalating in future products.