When considering the risks of cutting-edge automotive technology, the first thing that usually comes to mind is autonomous vehicles. But focusing too much on self-driving technology risks ignoring a critical reality: Today’s cars and trucks are already connected to the internet, and like any other internet-connected device, they can be hacked.
In 2015, preeminent hackers Charlie Miller and Chris Valasek dominated headlines with their landmark hack of a Jeep Cherokee. The duo, who now work at Uber’s Advanced Technologies Center, were able to hack into and remotely seize control of an unaltered vehicle and do everything from mess with the radio and windshield wipers to cut the transmission. From a basement couch 10 miles away and with Wired reporter Andy Greenberg behind the wheel, they exploited the car’s Uconnect system, an internet-connected computer feature that controlled the entertainment and navigation systems, enabled phone calls and, with a subscription purchase, offered a Wi-Fi hotspot. From the audio/visual system, they accessed the car’s diagnostic messaging system to gain control, ultimately incapacitating the driver and steering the Jeep off the road.
As white-hat hackers, Miller and Valasek reported the infotainment system vulnerability to Jeep manufacturer Fiat Chrysler. The team did not even realize the scope of their find: The technology was so ubiquitous that the manufacturer ultimately had to recall 1.4 million cars and trucks open to similar attack.
The pair’s 2015 hack and a subsequent 2016 hack of the same Jeep at full speed are far from the only successful exploitations of the many attack surfaces in connected cars. In 2015, German security specialist Dieter Spaar discovered vulnerabilities in BMW’s ConnectedDrive that allowed a hacker to remotely unlock the vehicle, track the car’s location and speed, and read emails sent and received via a feature called BMW Online.
In February 2016, computer security researchers Troy Hunt and Scott Helme discovered that the app for the Nissan Leaf could be used to remotely hack any Leaf’s in-car systems. The app interface used only the Vehicle Identification Number to control car features remotely without passwords, and features like battery life, travel times and distances, and climate control could be hacked into as well. While the flaw was not life-threatening, the vulnerability could still be exploited to run down a car’s battery or monitor users’ movement.
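The flaw described above comes down to treating an identifier as a credential. The following sketch is an added illustration, not code from Nissan or from the researchers; the VINs, account names and function names are constructed placeholders. It contrasts a handler that trusts the VIN alone with one that authenticates the caller and checks ownership.

```python
import hashlib
import secrets

# Constructed sample data: placeholder VINs and account names, not real ones.
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SESSIONS = {}  # sha256(token) -> account name


def login(user):
    """Issue a random session token; the server keeps only its digest."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user
    return token


def climate_request_weak(vin):
    """Flawed pattern: the VIN both selects the car and authorizes the caller."""
    return 200 if vin in OWNERS else 404


def climate_request(vin, token):
    """Hardened: authenticate the caller, then check that they own this VIN."""
    digest = hashlib.sha256((token or "").encode()).hexdigest()
    user = SESSIONS.get(digest)
    if user is None:
        return 401  # no valid session
    if OWNERS.get(vin) != user:
        return 403  # authenticated, but not this car's owner (or unknown VIN)
    return 200


if __name__ == "__main__":
    alice = login("alice")
    print(climate_request_weak("TESTVIN0000000002"))    # no credential needed
    print(climate_request("TESTVIN0000000002", alice))  # someone else's car
    print(climate_request("TESTVIN0000000001", alice))  # caller's own car
```

Returning 403 for both an unknown VIN and another owner's VIN keeps the hardened handler from confirming which VINs are enrolled.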
While the majority of such hacks so far have been carried out by security researchers, some small-scale exploitation of vehicle software has already begun out in the wild. In August, the Associated Press reported that two men in Houston were arrested for allegedly using pirated software to steal more than 100 Jeep and Dodge vehicles, exploiting an electronic vulnerability in software common among auto technicians and dealers to “advance auto theft into high-tech crime.” While a representative for manufacturer Fiat Chrysler was unaware of similar thefts elsewhere, he confirmed that the code database exploited in these crimes includes cars across the country.
“As you get more and more computers installed in vehicles—if somebody has that knowledge and that ability, they can turn around and figure out a way to manipulate the system,” said Houston police officer Jim Woods.
With cars today made up of almost as many software components as mechanical components, the vulnerability in this case is only the tip of the iceberg of crimes involving connected cars.
Proof-of-concept hacks have illustrated such vulnerabilities, but questions of scale and monetization present the biggest challenges for hackers going forward. Many exploits require tremendous amounts of time, expertise, and money, and targeting specific vehicles is difficult. “It’s much easier to hack all the Jeeps than a certain one,” Miller and Valasek said in their 2015 presentation.
Ransomware Hits the Road
With potential payouts arguably the biggest incentive to push exploitation into practice, experts expect to see criminals find an application for one of the fastest-growing and most profitable forms of attack: ransomware. After the more than 300% year-over-year increase in ransomware reported to the Department of Justice in 2016, these crippling attacks pose one of the highest-profile cyberrisks going into 2017. Corporate networks and private cell phones are not the only vulnerable targets, however, particularly as hackers hone their skills on the attack surfaces built into modern cars. Many in the information security community expect to see ransomware that specifically targets connected cars, with hackers “bricking” (or rendering inoperable) vehicles and demanding payment for users to regain control.
While it did not impact cars, the recent attack in which the computer system behind San Francisco’s MUNI transportation system was incapacitated for ransom illustrates the potential impact of these attacks on the sector. “Ransomware is a likely exploitation scenario as that can provide a direct financial benefit to attackers,” said Jesse Michael, senior security researcher on the Advanced Threat Research team at Intel Security, which also leads the Automotive Security Review Board. “Although the recent San Francisco MTA ransomware attack didn’t directly involve hacking of the vehicles themselves, it highlighted the vulnerability of transportation systems to these types of attacks and brought new attention to these types of targets.”
This poses a significant escalation as attacks translate into the physical world of connected devices. “The threat is greater than simply losing your data—the growing fleet of connected devices, including the connected car, is turning into the Wild West of the internet where anything goes,” said Tim Helming, director of product management at DomainTools. “Hapless car owners who simply wanted a way to listen to music and talk hands-free will discover that they are connected to more than just Spotify when their cars won’t start and the infotainment screen announces that the car has been crypto-locked and is completely disabled until the ransom is paid.”
But determining how to target a specific car and find the owner to issue a ransom demand or how to target cars in a nearby region for theft currently requires tremendous skill and effort.
“As we jam-pack more technology into vehicles and we make mistakes, it’s going to be a question of how to monetize,” said Art Dahnert, managing consultant at application security firm Cigital, a part of Synopsys. “Theft is easy, but being able to do it on hundreds of cars or being able to figure out where hundreds of cars are located in a certain municipality or to do it remotely—those are some of the areas that the attackers are working on now. The question of how to get that in one easy-to-use exploit mechanism, I think, is going to delay some of the threat by three to five years at the most.”
The scope of potential realized damage also hinges on the automaker and information security communities. While questions remain as to whether this risk will fully materialize in practical application, the hacks to date have played a key role in raising awareness of the risk and even reducing it.
“The risk of seeing vulnerabilities exploited in the wild depends in part on whether they are discovered first by researchers, or by bad guys,” Helming said. “It’s possible that ransom-locking is the kind of thing we would see as a presentation at Black Hat or some other conference, which might reduce or even eliminate its spreading to the wild.”
How Companies Can Take the Wheel
In September, a group of Chinese hackers was able to remotely hack a Tesla Model S. The researchers from Tencent’s Keen Security Lab posted a video online showing themselves controlling the vehicle’s brakes, manipulating its side mirrors, running the windshield wipers and popping the trunk while the car was in motion. When the vehicle was parked, they were also able to manipulate some other features, including opening the sunroof, controlling some of the vehicle’s lights and unlocking its doors. The team responsibly reported the hack to Tesla, which deployed an over-the-air software update to fix the bug within 10 days. The vulnerability required the car to be connected to a malicious Wi-Fi hotspot, so the company estimated the real risk to customers was fairly low, but certainly not negligible. The rapid response and the approach of pushing through a wireless update have been lauded as not only an excellent response from the automaker, but also a critical capability to make connected cars a safe and sustainable product.
Tesla was the first car company to introduce a bug bounty program, offering hackers, like those at Keen Security Lab, cash for finding and reporting software vulnerabilities, a move several automakers have since followed. As more and more technology is integrated into vehicles, security researchers become an ever more critical component of mass risk mitigation for companies and the public alike. Essentially crowd-sourcing the information security talent needed to better kick the tires on company technology has proven a cost-effective and powerful option for blending the tech and auto industries.
This approach cannot suffice entirely, however, and security needs to be involved far earlier and more consistently in the development process. In addition to the recall and the mailing to drivers of a USB with updates, one of the immediate impacts of the first Jeep hack was that Chrysler made changes in how Wi-Fi hotspot packages could be purchased and cut off all TCP/IP traffic to vehicles. “This actually made the vulnerability go away,” Valasek said. But as Miller pointed out, this also meant there was no reason the vehicles needed that access in the first place.
Hackers’ lessons are valuable, and are trickling down through the auto industry at large. As in most modern products, security by design is increasingly critical in mitigating as much risk as possible before cars hit the showroom floor. Many automakers have taken note of Miller and Valasek’s hacks, for example, and addressed the vulnerability presented by the exploitation of diagnostic messages sent to microcomputers within the car. According to the duo, with any car made in the past five years, you cannot send diagnostic messages while the car is traveling more than a few miles an hour. This made their 2016 Black Hat hack particularly notable as they hacked their Jeep while going up to 60 mph. As it required physical access, the likely threat posed is low, but they and other information security researchers continue to present what some may consider “stunt” hacks to hammer the point that there are always vulnerabilities, and they require the early and continued integration of experts throughout the design and lifecycle of every car.
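One way a speed interlock on diagnostic messages could be enforced at a gateway, as an added sketch that is not from the article or from any automaker's code. The CAN IDs are the standard 11-bit OBD-II/UDS request IDs; the 5 mph limit, the freshness window and the trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions of this sketch: standard 11-bit OBD-II/UDS request IDs,
# a 5 mph cut-off and a 0.5 s freshness window for the speed signal.
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
SPEED_LIMIT_MPH = 5.0
SPEED_MAX_AGE_S = 0.5

@dataclass
class Frame:
    ts: float      # receive time in seconds
    can_id: int
    data: bytes

class DiagGate:
    def __init__(self):
        self.speed_mph = self.speed_ts = None
        self.dropped = []          # kept for logging and alerting

    def update_speed(self, ts, mph):
        self.speed_mph, self.speed_ts = mph, ts

    def allow(self, frame):
        if frame.can_id not in DIAG_REQUEST_IDS:
            return True            # normal traffic is not this gate's concern
        # Fail closed: an unknown or stale speed reading counts as "moving".
        fresh = (self.speed_ts is not None
                 and 0 <= frame.ts - self.speed_ts <= SPEED_MAX_AGE_S)
        if fresh and self.speed_mph <= SPEED_LIMIT_MPH:
            return True
        self.dropped.append(frame)
        return False

def run_trace(events):
    """events: ("speed", ts, mph) or ("frame", Frame); returns frame verdicts."""
    gate, verdicts = DiagGate(), []
    for ev in events:
        if ev[0] == "speed":
            gate.update_speed(ev[1], ev[2])
        else:
            verdicts.append(gate.allow(ev[1]))
    return verdicts, gate.dropped

# Constructed trace: session-control request at rest, at speed, and on stale speed.
REQ = bytes([0x02, 0x10, 0x03])
TRACE = [("frame", Frame(0.0, 0x7E0, REQ)), ("speed", 1.0, 0.0),
         ("frame", Frame(1.1, 0x7E0, REQ)), ("speed", 2.0, 60.0),
         ("frame", Frame(2.1, 0x7DF, REQ)), ("frame", Frame(2.1, 0x123, b"\x00")),
         ("speed", 3.0, 0.0), ("frame", Frame(4.0, 0x7E0, REQ))]
```

The gate is only as trustworthy as its speed input, which is why a missing or stale reading is treated as "moving" and every dropped request is retained for review.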
This pressure from the information security community is also pushing forward better solutions.
“Isolation of critical control systems from connected ‘infotainment’ systems is a mitigation strategy being used in many vehicles, however the efficacy of this strategy varies from implementation to implementation,” Michael said. “Hardware-enforced secure boot and cryptographically secure communications and firmware update processes are effective mitigation strategies for many types of attacks and are starting to be deployed within the industry, but are not in widespread use yet.”
At the end of their 2016 Black Hat session, Miller and Valasek announced their retirement from car-hacking, but did so with a call to arms: no one has “solved” the problems of connected cars, and no one will, so the hacker community must get involved and others must take on the challenges of finding, documenting and reporting vulnerabilities to improve safety and security.
The supply chain further complicates this effort. As with many other components sourced in the auto supply chain, much of the technology many manufacturers put into their connected cars is produced by third parties, including a substantial amount of code. Unlike with faulty airbags, however, pointing the finger at suppliers gets far more difficult with consumers who may not understand the layers of responsibility for cybersecurity measures in consumer products. And they may be right. Given the nature of cyberrisk, manufacturers could be on the hook with customers and regulators to a degree that differs a bit from other faulty components, particularly when it comes to reputation.
To aid in ensuring better safety and reputation for the industry as a whole, manufacturers and other key players focused on autonomous and connected cars have formed industry groups to promote responsible development through shared resources and standards. When it comes to security at the supplier level, there are also some industry standards to guide manufacturers and their suppliers, such as the guidelines from MISRA, the Motor Industry Software Reliability Association, a collaboration between vehicle manufacturers, component suppliers and consultancies. “The automotive industry has a much tighter cohesive little garden, so to speak, allowing manufacturers a bit more control to ensure suppliers are adhering to the right processes, meeting strict guidelines and driving standards further,” Dahnert said. “That happens somewhat already, there are some standards like MISRA and a couple of other guidelines that some manufacturers require of suppliers, but that needs to happen a lot more universally and at a much stricter level.”
Operator Error and Correcting Course
Users also pose a significant threat, whether to the security of cars on the road or to the automaker’s brand itself. When it comes to traditional cyberrisk vectors, it is hard enough to get users to comply with best security practices, and unfortunately, in the realm of connected cars, that can be both harder and more critical. Any IT manager will attest that it is impossible to get the majority of users to update vulnerable, outdated Adobe software—getting universal compliance on updating software in a car, where many may not even realize there is software, is a delusion.
Instead, manufacturers must figure out how to force updates safely. Locking a user out until they update would present myriad safety and user satisfaction problems. Requiring a visit to a dealer is similarly flawed. Even in the case of life-threatening physical defects, auto recall success rates hover around 70%, according to the National Highway Safety Administration, and Carfax estimates that one out of every seven cars on the road in the United States has an applicable open recall that has not been repaired.
“In-vehicle computer systems have a long development process and expected life span, and unpatched vulnerabilities can persist in this environment for a long time even after identical vulnerabilities in common components have been identified and mitigated in other industries,” Michael said.
Purely by virtue of volume and potential business interruption, these persistent risks could pose significant danger in corporate fleets, for example. Alternatively, given the increased collation of telemetrics data, Dahnert believes cyberrisk vulnerability may ultimately be possible in the reverse form, with attackers penetrating the networks with which connected cars communicate.
According to Dahnert, the vulnerability identification and update process that manufacturers and consumers have evolved in other electronics must be developed for connected cars as well. “Learning the lessons that occur in the computer space or the smartphone space will go a long way to mitigate this risk, but I don’t think we’re going to be able to do it until we actually feel some of the pain,” he said.
In presenting the Jeep hack at Black Hat, Miller and Valasek acknowledged that the value added by much of the technology that introduces vulnerabilities may ultimately make it worthwhile. But utility without accountability and without constant, rigorous security improvement is not roadworthy. To that end, one of their aims was to increase consumer awareness and provoke greater scrutiny of technology the public is being told is safe.
“If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.”
Experts across the board agree there is a critical need for public pressure to increase security in connected cars, as public concern about these risks has not reached a tipping point to hold the right parties accountable.
“I don’t think manufacturers are too concerned yet,” Dahnert said. “They may not feel the heat until the media starts to educate consumers about incidents and then they start to demand better security in their products.”