Vehicle Cybersecurity: Industry Responds to Vulnerabilities

By: Krista V. | Cyber Threat Intelligence Analyst, NJCCIC

A series of media reports throughout the summer drew attention to various vulnerabilities in many of today’s Internet-connected vehicles. While the identified security gaps present serious risks to public safety and certainly warrant an industry-wide response, it is important to note that there have since been no reports of malicious hijacking of a vehicle’s vital functions by a cyber threat actor. Nonetheless, these disclosures underscore an overall lack of cybersecurity considerations as more of our lives are connected to the ‘Internet of Things’. As with the tech industry, auto manufacturers are striving to innovate and be the first to market with the next best thing; however, the abundance of integrated computers and Internet-connected add-ons are sacrificing the security of their users (or in the case of cars, their passengers). Thus, security experts are advocating for greater vehicle security by keeping entertainment systems, telematics, and critical functions separated by firewalls and encrypting communication between these components.

The Summer of Cyber

The headlines began in July, when two ‘white hat’ hackers were able to remotely control a Jeep’s steering, brakes, and dashboard functions while it was in use, by commands sent through the car’s entertainment system. The hack was made possible by the insecure telematics computer system used for navigation and diagnostics. The Jeep manufacturer, Fiat Chrysler, subsequently recalled 1.4 million vehicles to fix the security flaw, the first recall of its kind to address a cybersecurity vulnerability. While the hack provided the researchers with a concerning level of access to the vehicle’s critical controls, it was not an easy operation and would not be possible for any novice hacker (it reportedly took the two professional hackers over a year to develop the tactics necessary to access and manipulate the Jeep’s systems). Additionally, in early September 2015, Chrysler ordered a second recall of its vehicles to address unauthorized access. The recall will update software in about 7,810 of its new Jeep Renegade cars. These new vulnerabilities would be costly to exploit and require extensive technical abilities to execute.  Luckily, about half of the affected vehicles are still with dealerships.

America’s youngest and only all-electric automaker, Tesla Motors, also experienced similar issues when it was revealed at the Def Con hacker conference in August that Tesla’s Model S had six critical vulnerabilities. The Model S lacked protection around individual components, allowing security researchers to infiltrate its entertainment software and subsequently gain control the vehicle’s vital functions. In this case, physical access was needed to carry out the hack and it took security researchers two years to discover the vulnerabilities. Tesla has since issued patches for the flaws using an over-the-air system to update its vehicles’ software, avoiding Fiat Chrysler’s headache of recalling vehicles and sending out USB drives in order to patch their vehicles’ vulnerabilities. Within weeks of the media coverage regarding Tesla’s vulnerabilities, the company announced plans to hire up to 30 full-time hackers responsible for finding and mitigating vulnerabilities.

Grand Cyber-Theft Auto

Also in August, researchers revealed a vulnerability in keyless vehicles that affects the Radio-Frequency Identification (RFID) transponder chips in immobilizers, allowing a hacker to wirelessly start a vehicle. Immobilizers are electronic security devices that prevent a car’s engine from running unless the correct key fob, containing the RFID chip, is within a specified distance to the car. The researchers were able to start a car in less than 30 minutes through a hack made possible by a weak cipher code used by the transponder. The vulnerable Megamos transponder is one of the most common immobilizer transponders, used by Volkswagen owned Audi, Porsche, Bentley and Lamborghini, as well as Fiat, Honda, Volvo, and Maserati. This vulnerability was actually discovered in 2012, but the researchers were sued by the carmakers to prevent them from publishing these findings at the time. Close-range wireless attacks could take place in real-life situations such as at valet parking and car rental lots.

In order to mitigate this vulnerability, car manufacturers are adding additional layers of security to make it more difficult to copy the immobilizers. There is also a tightening of controls on the handling of key credentials and information between the factory and consumer. However, these measures will likely only apply to future vehicles and immobilizers, not those currently on the road. One physical counter-measure for current keyless vehicle drivers is the installation of a mechanical steering wheel lock.

The Road Ahead

GPS Spoofing is also an increasing concern as more companies are developing driverless vehicles, and accurate GPS signals are essential to functionality and safety while traveling. These signals can be spoofed and an attacker can deliver altered maps to a car’s navigation systems, potentially sending a driver in the wrong direction. Security researchers from the University of Texas managed to modify the course of an $80 million yacht and shift it to a potentially dangerous path, while the captain remained oblivious to the changes.

The roof-mounted LIDAR laser system, which enables autonomous vehicles to safely navigate and avoid other cars, pedestrians, or hazardous objects, has also been identified as potential attack vector. A researcher in the UK discovered a vulnerability that simply involves shining an off-the-shelf laser at the LIDAR, which tricks the system into detecting a potential hazard and causes the car to slow down or come to a complete stop.

With the number of ‘connected’ cars on the road increasing every day, and the trend toward driverless vehicles, it is vital to ensure our cars are secure from malicious manipulation. Shortly after the Jeep proof-of-concept hack in July, auto manufacturers took a step in the right direction.  Led by the Alliance of Automobile Manufacturers and the Association of Global Automakers, the auto industry confirmed plans to establish an Information Sharing and Analysis Center (ISAC) to work together on improving cybersecurity for vehicles and their networks. The auto industry ISAC is expected to be up and running by the end of 2015. Furthermore, on Monday, Intel Corporation announced the formation of the Automotive Security Review Board (ASRB) to research and mitigate cyber risks associated with connected automobiles.