In 2015 there was no such thing as a ransomware attack against a hospital. In 2016 there were 10 such attacks. The cyber criminals who penetrate and disable computer networks until users pay ransom profit from vulnerable and easy targets. And while there have not yet been any ransomware attacks against automobiles, they’re the threat cybersecurity experts fear the most.
“There are multiple ‘attack surfaces’ in vehicles through which nefarious players can plant bad software; you don’t need to be on the internal networks,” explained Stacy Janes, Chief Security Architect – Automotive, at Netherlands-based Irdeto. Along with various apps, the most vulnerable points of entry are those on the outward-facing gateways: vehicle telematics, the OBDII port and the IVI (in-vehicle infotainment) stack—all of which connect the vehicle to outside communications.
The IVI system offers more remote attack surfaces than any other vehicle component, notes electrical engineer Craig Smith, author of The Car Hacker’s Handbook. Gaining access to the IVI “opens a door to additional info” about how the vehicle works, such as how it routes CAN bus packets and updates the ECU. Understanding the IVI system can also provide insight into whether the system ‘phones home’ to the OEM; if it does, hackers can use access to the IVI to see what data is being collected and potentially transmitted back to the manufacturer.
Penetrating the IVI system is how a real-world ransomware attack on the mobility industry might play out, said Janes. He offers a scenario: You get in the car, turn it on and the IVI screen starts strobing wildly. The audio system volume cranks up, the heat comes on full blast and you can’t shut it off. There’s nothing you can do, so you get the car towed to a dealership—which is jammed with vehicles victimized by the same attack.
The dealer’s service manager already has contacted the OEM, which says thousands of vehicles are afflicted. And the attacks continue. Later in the day, the OEM receives an anonymous email: “Tomorrow, your company pays us millions in bitcoin or we’ll release a statement on what we did. We’ll destroy your brand. Have a nice day.”
A matter of public safety
Such a cybersecurity scenario was not envisioned seven years ago, when researchers at Rutgers University and the University of South Carolina successfully penetrated a non-encrypted tire-pressure monitoring system (TPMS) and were able to display false tire-pressure reading “spoofs” on the cluster—and track the car’s movements. In 2011, security intelligence experts Dr. Charlie Miller and Chris Valasek, working on a DARPA grant to probe vehicle cyber-weaknesses, hacked a Toyota Prius and a Ford Escape, disabling the power steering, taking control of horns and playing havoc with cluster displays.
Miller and Valasek then executed their seminal 2015 remote hijacking of a Jeep Grand Cherokee, prompting Chrysler to recall 1.4 million vehicles and dispatch USB drives with software updates to owners. The mobility sector was awakened, but not before University of California researchers demonstrated they could disable a Corvette’s brakes and activate its windshield wipers by hacking the insurance-company dongle plugged into the car’s OBD port.
“From a security perspective those were all very basic attacks, compared to what we see in other markets,” observed Janes, who is also the cyber team lead for the GENIVI alliance. He calls the current era “the researcher phase.”
“Right now, you have attackers learning about cars and car people learning about security. As long as the car people stay a bit ahead, the attackers won’t bother with autos,” he said, “because they’ll have to invest too much money in order to mount a sophisticated attack.”
But if the OEMs fall behind, the bad guys will get bolder. “We saw this with attacks in other industries—financial, mobile, media companies, healthcare,” Janes said. “The attackers are a business. Some attacks can cost $1 million to execute, but they make $10 million—not a bad ROI, right? Automotive needs to get ahead of it and stay ahead, so it gets too costly for the attackers and they move on to another sector.”
The experts Automotive Engineering interviewed for this article believe the cyberattack threat will only increase as connected and autonomous vehicles gain market share. Already, over half of the vehicles sold in the U.S. are connected, with an expanding number of potential vulnerabilities. More than 250 million connected cars are expected to be in use by 2020.
Unifying to face the growing threat, OEMs and suppliers in 2015 founded the Auto-ISAC (information sharing and analysis center), a global community to address vehicle cybersecurity risks. With around 30 members, Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.
SAE International is part of the Auto-ISAC community, having published seven related Standards, including J3061, the world’s first automotive recommended practices on the topic. “SAE hopes to be a strategic partner—we see many synergies to benefit the entire industry,” said Patti Kreh, SAE’s New Program Development Manager.
A cyber incident “is a problem for every automaker in the world,” asserted General Motors CEO Mary Barra in her keynote at the 2016 Cybersecurity Summit in Detroit. “It is a matter of public safety.”
Separation and ‘layered defense’
The best end-to-end defense in automotive cybersecurity is “a multi-layer approach involving the complete ecosystem of connected vehicles,” said Dvir Reznik, Senior Marketing Director at Harman International. “There is no ‘silver bullet’ in this space.”
Known as “security in depth,” the building blocks of defensive software should fit together like a Lego structure, the experts agree. They include code installed in subsystem ECUs and those that monitor all internal network communications, alerting the system to any changes in normal network behavior. Their job is to halt attacks from advancing within the network. The outward-facing modules such as IVI head units “on the vehicle perimeter” also are the focus of cyber-defense software products.
Ulf Lindqvist, program director at SRI International, an independent non-profit research center involved with national-security level cybersecurity research and analysis, said a broad automotive protection approach should be relatively simple. “Security really is all about separation,” he noted. “Just because [a system] is authorized to talk to the CAN bus doesn’t mean you should do so.” The problem, he continued, is “there always seems to be some reason or another to connect” quasi-related vehicle systems.
And cloud security products and services are entering the market. These are designed to detect and address threats before they reach the vehicle. They also can transmit over-the-air (OTA) updates and intelligence in real time. OEMs are demanding such end-to-end solutions, one of the drivers behind companies such as Harman and IBM Security joining forces earlier this year to offer expanded “security suites.”
A pioneer in automotive cybersecurity solutions is Argus Cyber Security. The company’s original “gateway box” was added to the vehicle network to create a discrete firewall that searched CAN messages and shut down the network if an anomaly was detected. Argus’s current technology builds the monitoring component into one or more ECUs on the vehicle. Other leading cybersecurity firms, including Caramba, Harman and Nokia, offer similar approaches.
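The kind of check such a monitor can run on CAN traffic, as an added example that is not from the article or from any vendor named in it: learn a baseline from known-good frames, then flag unknown IDs, wrong payload lengths and periodic messages that arrive too quickly. The frame layout, the 0.5 tolerance and all sample traffic are assumptions constructed for illustration; what to do on an alert (log, block, shut down) is left to policy.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Frame:
    ts: float       # receive time in seconds
    can_id: int     # arbitration ID
    data: bytes     # payload

def learn_baseline(frames):
    """Profile known-good traffic: per ID, the payload length and median gap between frames."""
    by_id = {}
    for f in frames:
        by_id.setdefault(f.can_id, []).append(f)
    profile = {}
    for can_id, fs in by_id.items():
        gaps = sorted(b.ts - a.ts for a, b in zip(fs, fs[1:]))
        profile[can_id] = (len(fs[0].data), gaps[len(gaps) // 2] if gaps else None)
    return profile

def inspect(frames, profile, tolerance=0.5):
    """Return (timestamp, can_id, reason) for every frame that departs from the baseline."""
    alerts, last_seen = [], {}
    for f in frames:
        if f.can_id not in profile:
            alerts.append((f.ts, f.can_id, "unknown-id"))
            continue
        length, period = profile[f.can_id]
        if len(f.data) != length:
            alerts.append((f.ts, f.can_id, "bad-length"))
        prev = last_seen.get(f.can_id)
        # Periodic messages arriving much faster than normal suggest a second sender.
        if prev is not None and period and f.ts - prev < period * tolerance:
            alerts.append((f.ts, f.can_id, "too-fast"))
        last_seen[f.can_id] = f.ts
    return alerts

# Constructed sample traffic: the IDs, payloads and timings are invented for illustration.
GOOD = ([Frame(i * 0.010, 0x120, bytes(8)) for i in range(10)]
        + [Frame(i * 0.100, 0x3A0, bytes(4)) for i in range(5)])
LIVE = [
    Frame(1.000, 0x120, bytes(8)),
    Frame(1.010, 0x120, bytes(8)),
    Frame(1.012, 0x120, bytes(8)),  # extra frame between two periodic ones
    Frame(1.020, 0x120, bytes(8)),
    Frame(1.030, 0x555, bytes(8)),  # ID absent from the baseline
    Frame(1.100, 0x3A0, bytes(2)),  # known ID, wrong payload length
]

if __name__ == "__main__":
    print(inspect(LIVE, learn_baseline(GOOD)))
```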
Meg Novacek, Argus executive director for North America business development, said the company’s vision of the ideal automotive cybersecurity architecture comprises four elements: a secure communications gateway; the company’s Intrusion Detection and Prevention System (IDPS), which can immediately identify a cyber-attack and block it; OTA updates for vehicle software; and some type of principal hardware security module that incorporates remote-attestation capabilities.
When Caramba’s software engineers build the binary code that goes into the vehicle, the build includes some of Caramba’s own code that basically takes a ‘digital fingerprint’ of the binary. Once installed in the vehicle, that code monitors constantly. And if anything tries to change that ‘fingerprint’ or overwrite anything, it shuts the network down.
The advantage of this approach is that “you know from the factory what is supposed to be in there. If anything alien tries to alter that, the whole thing gets shut down,” observes analyst Sam Abuelsamid of Navigant Research.
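The factory-fingerprint idea in general form, as an added example that is not the vendor's implementation: hash every image at build time, authenticate the manifest with a key, and at run time report anything modified, added or missing. The image names, contents and key are constructed placeholders, and the key is assumed to live in a hardware security module on a real vehicle.

```python
import hashlib
import hmac

def _manifest_tag(manifest, key):
    """MAC over the sorted manifest so the reference hashes cannot be edited unnoticed."""
    body = "\n".join(f"{n}:{h}" for n, h in sorted(manifest.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def fingerprint(images, key):
    """Build time: record a SHA-256 digest per image and authenticate the whole manifest."""
    manifest = {name: hashlib.sha256(blob).hexdigest() for name, blob in images.items()}
    return manifest, _manifest_tag(manifest, key)

def verify(images, manifest, tag, key):
    """Run time: return a list of violations; an empty list means factory state."""
    if not hmac.compare_digest(_manifest_tag(manifest, key), tag):
        return ["manifest-tampered"]  # fail closed: the reference itself is untrusted
    problems = []
    for name, blob in images.items():
        expected = manifest.get(name)
        if expected is None:
            problems.append(f"unexpected-image:{name}")
        elif not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected):
            problems.append(f"modified:{name}")
    problems += [f"missing:{n}" for n in manifest if n not in images]
    return problems

# Constructed sample data: names, contents and key are placeholders for illustration.
KEY = b"constructed-demo-key"
FACTORY = {"bootloader": b"\x7fboot-v1", "ivi_app": b"\x7fivi-v1"}
MANIFEST, TAG = fingerprint(FACTORY, KEY)
ALTERED = {"bootloader": b"\x7fboot-v1", "ivi_app": b"\x7fivi-v1-patched",
           "extra_module": b"\x7fnot-from-factory"}

if __name__ == "__main__":
    print(verify(FACTORY, MANIFEST, TAG, KEY))
    print(verify(ALTERED, MANIFEST, TAG, KEY))
```

A response such as the network shutdown described above would be triggered by any non-empty result.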
Some engineers and cyber-security experts say machine learning and artificial intelligence (AI) are potential solutions for anomaly detection. Advocates including the Battelle Memorial Institute say they are also platform-agnostic, can be applied to any onboard ECU and don’t require constant updating of signature databases and detection-engine components. In such systems, abnormalities detected can generate audible alerts, vehicle intervention (such as limp-home mode) or directly notify first responders, depending on the severity of the threat.
An endless battle
“Self-healing” software code that can be changed back to its original form after it’s compromised is in development at some companies, as is blockchain technology. Blockchain sends information over a network of independent computers, known as a distributed ledger, intended to ensure that the transaction is secure and ownership rights over the data or property are protected. The Toyota Research Institute (TRI) is exploring blockchain in collaboration with the MIT Media Lab and other partners. Many experts believe it could accelerate development of cyber-secure autonomous driving technology.
One point on which all cyber-security experts agree is that hacking will never end.
“It’s really hard to make guarantees in this space,” said SRI’s Lindqvist. “We have to get to the place where successful hacks are rare—and they have to have limited consequences.”
“This is a Spy vs. Spy kind of game,” noted Irdeto’s Janes. He and others said some OEMs and Tier 1s have begun incorporating network-security engineers into their electrical architecture and subsystem design processes. They’re conducting detailed threat analyses and baking security into RFQs, pushing cyber requirements down through the tiers.
“If you want to kill the autonomous-vehicle industry, let an autonomous car get maliciously hacked with injuries or lives lost,” he said. “Engineers need to adopt a hacker’s view of the world to understand and defeat the threat.”