Tuesday, July 14, 2015

Cybersecurity & Civic Hacking # 6: How Cybersecure Is Your Car?

Yesterday’s post was about transportation-focused civic hacks, and Tuesdays are my 'cybersecurity & civic hacking' post days. So it just made sense to do today’s post about cybersecurity in vehicles.

I’ve been emphasizing real-world risks in this series of posts about cybersecurity and civic hacking, and trying to avoid scary hype. I just want people to understand that the need for improved cybersecurity in NE Wisconsin is real, that they should do something about that situation, and that they CAN do something about it.

Most of the people reading this post won’t have their car’s digital controls attacked in the next year or two, but because vehicles are becoming increasingly connected and automated, vehicle cybersecurity is bound to become a major problem in the not-too-distant future.

When personal computers were first developed, people didn’t worry about installing security programs on them to keep them safe from viruses or cybercriminals. When computer viruses and computer attacks finally did become a problem, entrepreneurs and computer geeks formed companies to create security software to keep your personal computer safe. You probably wouldn’t dare use a PC hooked to the Internet in 2015 without security software.

Well, the same thing that happened to PCs is now happening to vehicles. Argus Cyber Security is an Israeli startup company formed to make products and services for protecting cars from digital attacks. The article “Start-up protects connected cars from hack attacks” says that:
“...higher-end autos from companies like GM, Mercedes-Benz, Toyota, and others [are] equipped with Wi-fi using 3G and 4G data connections...“Companies will use the data connections to ensure that drivers don’t get lost or don’t take excessive risks, and monitor the condition of vehicles to ensure that they don’t break down on the road. But hackers will be able to take control of vehicles by hacking into those connections as well,” he warned...Like with most other innovations, it’s unlikely that manufacturers will turn back the clock on connected cars just because of some cyber-dangers – so it’s a good thing that companies...are...developing a cyber-security system specifically for cars…”
Argus isn’t the first vehicle cybersecurity company, and it definitely won’t be the last. TowerSec is an automotive cyber security company formed in 2012, and it is backed by a venture capital fund led by Tom LaSorda, former CEO of Chrysler. General Motors is also working on this issue, having recently announced the creation of a ‘cybersecurity chief’ position. I’m betting a lot more ‘connected-car’ digital security companies will be formed by entrepreneurs and computer geeks in the next ten years. Along with the oil change, your local auto repair shop will offer you several packages for cybersecurity and malware removal.

The article "Ford, GM and Toyota sued for 'dangerous defects' in hackable cars" highlights another indicator that digital attacks on cars are becoming more of a real-world problem. Car companies are now being sued because cars have been clearly shown to be 'hackable.'
"...DARPA's Dan Kaufman freaked out viewers on 60 Minutes when he remotely triggered a car's windshield wipers, then blasted the horn, and then disabled the brakes...Although car hacking isn't new, it's finally grabbed the attention of people like Senator Ed Markey. Markey released a "scathing report revealing that nearly all new cars can be hacked, but that only two out of 16 carmakers can 'diagnose or respond to an infiltration in real time'." In "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" (pdf), Markey "discusses the responses to this letter from 16 major automobile manufacturers...Markey highlighted security and privacy issues ranging from driving data collected and shared with third parties to "inconsistent and haphazard" security measures to prevent remote access to vehicles...Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions...Among other claims leveled at the automakers, the lawsuit filed against GM, Ford and Toyota adds: Defendants failed consumers in all of these areas when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because Defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others..."
At the start of this post, I said something needs to be done to improve cybersecurity in NE Wisconsin, and I said you can help make that happen. The way you can help is by supporting, and by telling other people about, this NE Wisconsin cybersecurity initiative:

Cybersecurity Proposal:  One or several NE Wisconsin colleges should launch a collaborative regional cybersecurity pilot initiative. Civic hackers known as the Northeast Wisconsin Cyber Defense Force (NEW CDF), in collaboration with the new college cybersecurity program, help area residents and businesses maintain the best possible computer security and personal privacy. NEW CDF is a cadre of ethical and knowledgeable technologists working together to improve and practice their cybersecurity knowledge and skills. CDF provides practical training for business and personal computer security at the CDF Cybersecurity Training Center or onsite at northeast Wisconsin businesses and organizations. This community of cybersecurity civic hackers also helps catalyze and spin off cybersecurity startups and other high tech businesses.

After the Cyber Defense Force is launched and trained, you'll have someone local you can trust to explain what you need to do to keep your car safe from digital attacks.

The above articles highlight real-world dangers of our increasingly-connected and digitally-controlled cars. Don’t make the mistake of assuming that the US government and the huge car companies will develop a foolproof automotive cybersecurity system. The history of the computer industry tells us that won’t happen. If you’re interested in reading more about the topic, click on the links below.

-------------------------------------

Update July 27, 2015:  Wired stirred up a hornets' nest with its article "Hackers Remotely Kill a Jeep on the Highway—With Me in It" about a successful remote digital attack on a Jeep. Fiat Chrysler initially just offered owners patches for the security vulnerability highlighted in the Wired article, but then decided to recall 1.4 million vehicles to apply the fix at Chrysler facilities, as explained in the article "Fiat Chrysler recalls 1.4M vehicles to prevent hacking." Charlie Miller, who demonstrated the digital attack, said he didn't think Chrysler was pointing at his demonstration when they said "manipulating vehicles without authorization" was a "crime." But as Cory Doctorow and EFF point out, it's entirely conceivable that courts could rule Miller's actions were criminal under the DMCA. If you want some cynical but practical advice on this issue, the article "What To Do if Your Car Tries to Kill You" from Rob Enderle advises using the emergency brake and regular brakes if your car controls appear to be hijacked.

Update August 04, 2015:  If you think the Jeep hack was just a random laboratory-type incident and that you don't need to worry about your electronically-controlled vehicle, read the article "From Car-Jacking To Car-Hacking: How Vehicles Became Targets For Cybercriminals" that talks about hacking cars with electronic fobs for keyless entry. "The morning after Laura Capehorn parked her Saab 9-3 estate, all she could find of it was a car-shaped hole in the snow...Police immediately asked to see the car's key, and weren't surprised to find out it was an electronic fob..."It's shocking how easy it is to steal a car in this way," Capehorn says. "Especially given that nearly all new cars use these sorts of keys."...Some 6,000 cars and vans were stolen using this keyless entry hack last year in London alone - that's 42% of all vehicle thefts, according to the city's Metropolitan Police..."

Update, August 05, 2015:  How long will it be until many people pay a monthly fee for a cybersecurity program (which isn't 100% effective) on their car? After all, Microsoft and the Windows personal computer manufacturers didn't build 'safe' computers, so how can we expect car manufacturers to provide safe connected cars as part of the purchase price for the car? At least that's one conclusion you could draw from the article "Most consumers are worried their cars could be hacked; many would pay for automotive anti-virus." "...pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face. Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable. Consumers seem to implicitly understand this. Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 per month being the preferred cost. I smell a marketing opportunity for antivirus makers! I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?..."

Update, August 15, 2015:  Car cybersecurity is beginning to have a huge financial impact on car manufacturers. Volkswagen appears to be the latest, per the article "VW Has Spent Two Years Trying to Hide a Big Security Flaw." Security researchers told the chip manufacturer about the security flaw in Feb 2012, and the VW response was a lawsuit to block publication of the security flaw information. Following negotiations with VW, the information was recently published with part of the specific digital attack information deleted. The next step is likely that VW will spend millions replacing the insecure parts. This will be a common pattern in connected cars of the future. Apply, rinse, repeat.

Update September 28, 2015:  "Complex Car Software Becomes the Weak Spot Under the Hood" is an NYT overview of software in cars of 2015. "...New high-end cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code. Compare that with about 60 million lines of code in all of Facebook or 50 million in the Large Hadron Collider. “Cars these days are reaching biological levels of complexity,” said Chris Gerdes, a professor of mechanical engineering at Stanford University...with new technology comes new risks — and new opportunities for malevolence. The unfolding scandal at Volkswagen — in which 11 million vehicles were outfitted with software that gave false emissions results — showed how a carmaker could take advantage of complex systems to flout regulations..."

Update March 22, 2016:  "Radio Attack Lets Hackers Steal 24 Different Car Models" -- "For years, car owners with keyless entry systems have reported thieves approaching their vehicles with mysterious devices and effortlessly opening them in seconds. After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times’ former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car’s keyless entry system into thinking the key was in the thieves’ hand. He eventually resorted to keeping his keys in the freezer. Now a group of German vehicle security researchers has released new findings about the extent of that wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops...The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away..."
-------------------------------------

If you're interested in learning more about digital (in)security on vehicles, click on the links below:
Automakers Tackle the Massive Security Challenges of Connected Vehicles
Hackers can grab car data, even take control of vehicle
“Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” report from US Senator Ed Markey
Car Hacked On 60 Minutes
Researchers Plan to Demonstrate a Wireless Car Hack This Summer
Hackin' At The Car Wash, Yeah
People With Bad Credit Can Buy Cars, But They Are Tracked And Have Remote-Kill Switches
The time a hacker remotely bricked cars in Texas
Teen hacks car with $15 worth of parts
Deus ex vehiculum
Car Hacking Enters Remote Exploitation Phase
Inside the Government Lab Hacking Into Cars
Car Hacker's Handbook
“Car Hacker's Manual” on Amazon
"Attacks On 'Insecure' Progressive Insurance Dongle In 2 Million US Cars"

---------------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: "Cybersecurity & Civic Hacking # 2: Public Wi-Fi"
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: "Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!"
C&CH # 06: This post, published July 14, 2015
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"

