As military vehicles become increasingly dependent on electronics and computers, much as commercial cars and trucks are, program managers must take cybersecurity needs into account. A recent experience documented in Wired makes the potential risks chillingly clear.
Vehicle electronics, or vetronics, are a vital aspect of today’s military transport. In 2010, the Army initiated the Vehicle Integration for C4ISR/EW Interoperability (VICTORY) standard in an attempt to increase vetronics interoperability. Contractors responded with open standards architecture, data bus-centric designs and comprehensive kits for new vehicles and retrofits.
Andy Greenberg, a senior writer for Wired, allowed hackers — security engineer Charlie Miller of Twitter and Chris Valasek, director of vehicle safety research at IOActive — to take over his Jeep Cherokee just to show what they could do.
At first, the attackers took over systems that allowed them to annoy him without causing real danger. They blasted cold air from the vents, tuned the radio to a hip-hop station at high volume and turned on the windshield wipers.
And then, the attackers killed the Jeep’s transmission.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape,” Greenberg recalled, in Wired. “At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.”
Despite the moment of real danger in that last event, this cyberattack was benign, a demonstration of the vulnerabilities that the “Internet of Things” makes possible. The hackers briefed Greenberg beforehand on what they planned to do. Greenberg simply called Miller and Valasek and they gave him his transmission back.
The dramatic test had a quick effect. On July 24, Fiat Chrysler Automobiles, which makes the Jeep Cherokee, announced that it will recall 1.4 million cars and trucks to protect them from cyber security attacks.
While Greenberg’s experience was voluntary, he did nothing to make his Jeep more vulnerable to the attacks; more malicious hackers could use the same exploits for much darker purposes. Miller and Valasek, in an effort to push the auto industry to accelerate efforts to improve security, plan to release the code that they used against Greenberg’s Jeep at the Black Hat security conference starting August 1 in Las Vegas, Fortune reports.
Whether or not military vehicles are at equal risk depends on the vehicle, said cybersecurity expert and C4ISR & Networks blogger Kevin Coleman.
Some military vehicles are based on, or use, systems from common vehicles, and are as vulnerable, he said. “However, the fact that many military vehicles are limited production runs compared to commercial vehicles (means) there is far less chance of some of the intricate details getting out” to be used by attackers. “That is, of course, unless our military leaves them behind, they are captured or they are sold off to the public.”