Cyber Security and the Automobile Industry


In the wake of several other cyber security blunders in the automobile industry as of late, namely Tesla and Chrysler, Volkswagen is now making waves, and not necessarily for the same reasons. The events, however, are connected. It was revealed via a study at West Virginia University (Reuters, 2015) that Volkswagen had made modifications to the software, nearly 100,000,000 lines of code, in its TDI (diesel) cars built between 2008 and 2015 to allow the vehicle to ‘defeat’ emissions tests (CNBC, 2015). This led to heavy scrutiny worldwide, but especially in the United States.

NOTE: New high-end cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code. Compare that with about 60 million lines of code in all of Facebook or 50 million in the Large Hadron Collider. (New York Times, 2015)

Background of Actual Attacks

Non-Specific to Any Make or Model

“Carmakers and consumers are also at risk. Dr. Patel has worked with security researchers who have shown it is possible to disable a car’s brakes with an infected MP3 file inserted into a car’s CD player. A hacking demonstration by security researchers exposed how vulnerable new Jeep Cherokees can be. A series of software-related recalls has raised safety concerns and cost automakers millions of dollars” (New York Times, 2015).

Tesla

At DEF CON 23, an annual “hacker convention” held in Las Vegas alongside Black Hat, it was demonstrated that a Tesla Model S could be hacked. NOTE: The vulnerability was already patched Over The Air (OTA) by Tesla prior to the presentation, as the researchers ethically informed Tesla in advance. Here is a recap from Forbes (2015) of their method and activities:

Rogers and Mahaffey had to rip the Tesla apart, quite literally, until they found an ethernet port that let them connect directly to the Model S’ CAN bus, the controller area network across which car data is sent and received. In total, they needed to chain four separate vulnerabilities to first gain access to the infotainment systems and the touchscreen used to control certain functions of the vehicle.

From there, they were able to do all kinds of diabolical things, including forcing the speedometer to disappear, altering the suspension, unlocking doors and the trunk, making windows go up and down, as well as killing the car.

Chrysler

Also includes Jeep, Dodge, Fiat, and Ram

In July 2015, ahead of the Black Hat security conference, Wired (2015) released the story of how a pair of hackers, Charlie Miller and Chris Valasek, in St. Louis, Missouri were able to hack a Jeep wirelessly, from over 10 miles away. This is a unique feat in contrast to Tesla: the Tesla ‘attackers’ had physical access to the car; this pair did not. The thought of driving a car at 70+ mph and having it hacked while still going over 70 mph is disturbing. It seems like something from a spy movie or horror film.

The pair was able to take over the radio, windshield wipers, air conditioning, steering (in reverse only; for now), acceleration, braking, and gear shifting. The flaw was a zero day that was accessible through the entertainment system. “Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country” (Wired, 2015).
Note: Chrysler recalled 1.4 million vehicles after ignoring the issue for 9 months, according to Computer World. The vulnerability used above could only be fixed using a USB “thumb drive” or by taking the vehicle to a dealer.

Volkswagen’s Conundrum

What Others Are Saying

As stated above, there are certainly ethical issues with regard to the software. This may not be the end of it. CNBC (2015) reports the following:

The automaker could face U.S. fines of $37,500 per vehicle, the EPA told reporters last week. With around 482,000 of its diesel vehicles sold in the U.S. since 2008, this could mean a penalty of up to $18 billion.

Class-action lawsuits from customers are still on the table, too, but VW could face more than civil penalties. Reports suggest the U.S. Department of Justice has launched a criminal probe into whether the company deliberately cheated emissions tests.
The EPA has not yet forced Volkswagen to issue a total recall but expects to do so in the near future. Volkswagen would foot the bill for any repairs, although the EPA claims affected diesel cars are still safe to drive.

Network World (2015) revealed the following:

After Volkswagen used software that manipulated exhaust values and defeated emissions tests, it has affected 11 million VW diesel cars built since 2008. A 2007 letter from VW parts supplier Bosch warned Volkswagen not to use the software for regular operations; in 2011, a Volkswagen technician raised concerns about the illegal practices in connection with the emissions levels.

Our Analysis

“‘We should be allowed to know how the things we buy work,’ Eben Moglen, a Columbia University law professor and technologist, told the New York Times.” There have also been issues with OnStar and similar services passing credentials in an attack known as “OwnStar,” according to Ars Technica. We believe this to be the tip of the iceberg.

While the automobile industry has been in the spotlight for all the wrong reasons in past years, none of those occasions (barring July 2015 and beyond) has been related to cybersecurity. Manufacturers have used the “closed source” protections of the Digital Millennium Copyright Act (DMCA) of 1998 to their maximum advantage. Nothing had happened until recently that would compel their governing bodies to enforce some sort of cyber security awareness and compliance in their production standards. As stated above, cars are becoming increasingly technologically advanced. This creates a larger attack surface. As more people drive “connected” cars, there are more opportunities for malicious hackers to hijack the cars and devices for their own gain (see below).

Possible Changes in Industry

Based on the connections in vehicles, there are multiple points of entry:

  • Bluetooth
  • Wireless
  • TPMS (Tire Pressure Monitoring System)
  • Wired (Ethernet; see Tesla)
  • USB
  • OnStar
  • Forged Keys
  • Smart Phones
  • Applications
  • Navigation Systems

While these are more functionality oriented and used as selling points, almost any of these could kill a driver and any passengers if the ‘magic’ level of permissions is attained. I wouldn’t be surprised to see malware pushed to cellular phones that will lie in wait, then springboard to a vehicle when connected via Bluetooth. Furthermore, this would be a major source of revenue for malicious hackers if they were able to plant ransomware in a car. Most people can survive without their home computer; significantly fewer can do so without their car.

While the U.S. Federal Government is trying to work up some legislation for this, we are in the “Wild West” of policing ourselves, so to speak. It is up to consumers to make our points known to manufacturers and to lobby for some sort of automobile cyber security reform.

I will say that it seems like Tesla is doing it right. The company is more technology oriented than most, since it is a sister company to SpaceX. Tesla cars run a specially adapted version of Ubuntu, which is Open Source and receives contributions from security researchers around the world. Perhaps more manufacturers will implement this approach and start to either use Open Source Software or use “bug bounty” programs for people to review the code they release for such vulnerabilities.

I don’t expect GM, BMW, Ford, and Nissan-Infiniti to be expert coders and elite hackers; I expect them to make exceptional cars. When cars are being designed and sold with the amount of technology they carry today, I expect manufacturers to see their gap in Knowledge, Skills, and Abilities and react to and correct the problem accordingly. Thus far, it doesn’t appear that this is happening.

“This summer, the National Highway Traffic Safety Administration (NHTSA) said privacy and cybersecurity should be high priorities for NHTSA as well as for the automobile industry” (Network World, 2015). This is certainly a true statement. Hopefully, the NHTSA will gain enough traction and momentum to enforce this across all vehicles sold in the United States, and then the trend will replicate worldwide.

Photo credit: Clipart.co

References

CNBC
Network World
Reuters
New York Times
DEF CON 23 Speeches about Car Hacking
Forbes
Hacking a Tesla
Miller and Valasek’s Black Hat Briefing
Computer World
Wired
Ars Technica

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.


About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security.

Joe is in pursuit of his PhD in Information Technology (with focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College.

Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.