Car #hacking: a #real risk we’re #ignoring when in #fact, we #shouldn’t

Car hacking is here, and it’s a serious threat. Should we panic or instead embrace the level-headed approach, especially since every carmaker is jumping the driverless bandwagon these days?

In the 1994 blockbuster Speed, Annie – played by Sandra Bullock – tries to save her fellow passengers from certain death; the bus they’re travelling in was rigged with a bomb set to explode if the speed drops below 50 miles per hour.

We all know how the movie ends, but unwillingly, director Jan de Bont might have dramatized the first vehicle hacking in its most primitive shape. Remember, that was over two decades ago.

Today, hacking a car has taken a different turn thanks to the miracle of connectivity. Your computer or smartphone is not the only device fitted with Wi-Fi and Bluetooth antennas. In fact, if you own a car that’s been assembled sometime in the past five years, chances are you are using them right now.

And all a cyber attacker sees is a computer on four wheels, because unlike early 1980s ECUs (Engine Control Units), modern cars rely on computer systems that control the brakes, airbags, telematics, and door locks, among other features.

Car hacking is a multifaceted affair
To demystify the topic, I reached out to security experts and researchers Gabriel Cirlig and Stefan Tanase at Ixia.

With half an hour left before the meeting, I’m sitting in my Uber surrounded by a sea of cars. Nothing’s moving, and I’m wondering when will those autonomous, interconnected cars come to the rescue. I finally decide to end the journey and walk the remaining distance.

I call Gabriel, who kindly offers to pick me up from the reception desk – Romanian security guards are a special kind of overzealous individuals – and one minute later, I’m casually greeted by someone dressed like a rockstar.

He offers me a much-needed coffee and a panoramic view on the terrace where they use to smoke during breaks. I’m thinking this urban scenery is enough to make one start smoking.

Stefan joins us shortly with more smiles and a clear ethusiasm to get the interview started. These guys don’t just take their job very seriously. They also love it.

Recently, they hacked into the infotainment system of a Japanese model and presented their findings during DefCamp 8 in Bucharest. What they discovered is very thought-provoking.

For example, the system stored the car’s GPS history, and for every phone, the user connects via Bluetooth, it requested the call database, contacts, SMS and email info.

“It stored them in a file you could access with Notepad or any other text editor and see them one by one, in a list. And if you wanted to correlate information easily, there are tools for that as well, so you could also find out who sent a particular text message and so on,” explained Gabriel Cirlig.

Moreover, the car saved data on braking and acceleration. Some carmakers have come up with ways of protecting this kind of data, but others didn’t pay enough attention, and that’s how the Jeep hacking was made possible.

Also known as the Miller & Valasek remote hack, it proved that an untampered vehicle – a 2014 Jeep Cherokee – could be remotely operated sans physical access to the actual car.

While this wasn’t the hacker duo’s first such successful attempt, it made a bigger splash. Unlike their previous hackings of a Toyota Prius and Ford Escape, it simulated a real-world attack scenario.

“The car’s proximity sensors use the same information highway and since many new cars have assist features – those that brake the car when it detects a dangerous situation – you can ‘tell’ the car or lead it to think there’s an obstacle or a pedestrian ahead so its response will be to brake and stop until the attacker decides otherwise. It’s like ‘tricking’ the car,” further explained Cirlig.

But there’s more. For every model in the Japanese manufacturer’s lineup comes with the onboard GPS pre-activated and it can too be accessed from the car’s computer.

In the right hands, the car can scan, find and log in to every active Wi-Fi nearby.

Moreover, it pins every network on a map so it can track you. Even more worrying, once connected to an active Wi-Fi hotspot it can send the GPS coordinates history to the attacker’s server and can do the same with call history data, for example.

At the same time, this behavior takes place under the radar. “You can’t spot it unless you know what to look for.

But to orchestrate such an attack, one needs the same knowledge and skill as someone who’s familiar with chip tuning work,” added Cirlig. He also thinks the Japanese car company in question is “a hacker’s best friend.”

Just to top things off, hackers don’t seem to be getting enough sleep these days – do they ever?

Stefan Tanase told me he’s looking at a more recent Bluetooth vulnerability called Blueborne.

It lets an attacker remotely access the infotainment system through the Bluetooth stack on the car’s operating system. Worst part: it can happen while the car is moving, with passengers still inside, if the Bluetooth connection is active.

“Even cooler,” he detailed, “on some models, you can make the car duplicate the attack against other vehicles it shares the road with, spreading like a worm whenever an ‘infected’ car meets another in traffic.”

Now think of how intensely is the automotive industry trumpeting a future of transportation based on vehicles that are permanently connected to one another, exchanging information and “talking” to each other, and how someone with the right knowledge could raise an army of cars and wreak havoc.

Naturally, this is just a hypothetical, least-desired but yet not entirely impossible scenario. As Tanase puts it, “the near future is very interesting for this area, with IOC – Internet Of Cars – coming up. We might not realize it now, but this is big, and things can change very swiftly in a few years.”

Therefore, we must ask: can these vulnerabilities be avoided? The two white hat hackers believe that since future software engineers are not taught to write code with security in mind – something which they’ve only started teaching in university over the past few years – on many occasions the written code isn’t necessarily security-focused.

Simply put, people did not perceive such attacks as possible until now because they didn’t exist. It’s the same with PCs and web apps. For example, programmers could see vulnerabilities only when their creations went live and started being attacked.

“Another significant issue is that carmakers employ contractors who are based in other countries. They just get the infotainment system wrapped as a project, so they don’t see the big picture and have no clue on how will the system be integrated with the car’s other functions – Bluetooth, music, radio – so, breaches show up.”

Hold on, is it all bad news?
No, not really, but we shouldn’t deny the fact that people’s lives are at stake here. And while there might not be too much hype around the topic of in-car cyber security, these issues must meet a solution.

“The automotive world has an advantage over the PC or smartphone industry: it abides by a set of regulations, like airbags, ABS and other safety-related aspects. But I’m expecting a rise in interest for cybersecurity,” Tanase added.

Perhaps in a few years’ time we’ll see assessment programs that don’t limit evaluation to just how a car handles itself during a handful of impacts, but also its ability to fend off (or not) hacking attempts – like the equivalent of Euro NCAP’s crash tests.

“I think we can’t afford to repeat with cars the same mistakes we made with PC or smartphones. And this is a problem that must be solved by the carmaker and not the end user,” added Tanase.

“I think the topic of cybersecurity will be a long, standalone chapter in a large set of regulations when it comes to driverless cars.”

Solution-wise, an ounce of prevention is worth a pound of cure. That is, software design created with security in mind. Which means requirements should extend beyond the usual suspects: features, graphics and behavior.

Moreover, companies should focus less on cutting costs and invest more and allocate more funds to this area to improve software, algorithms and computing power.

Gabriel Cirlig says that “in security, you need the broadest vision you can get on the field, because taken separately, everything looks secure.

Think of your apartment’s heating system – the problem isn’t the central unit itself, but the valves, junctions, piping and so on. Not the main unit, not the radiators, but what connects them.”

What people can do for starters is realize their car works a lot like their smartphone.

But many tend to dismiss the update notifications they get on laptops and phones, and this is partially the developer’s fault for not implementing efficient update mechanisms that don’t require user interaction – see Tesla’s OTA system, for example.

Owners should also make a habit out of requesting updates and patches from the carmaker. Or, a set of laws could force them to take their cars to a periodical test – think of UK’s MOT, but focused on infotainment vulnerabilities.

On the one hand, Stefan Tanase considers that “even more important, updates should be cost-free, although most of them [carmakers] will charge the user. As I see it, this should be a right bought by the customer, but an obligation on the carmaker’s behalf.”

On the other hand, Gabriel Cirlig is more pessimistic and believes that as long their device works, people don’t care if it can host malware or it can provide a platform for cyber attacks.

“Things won’t speed up until the first hack-related physical crime occurs, when someone’s car catches a worm or ransomware, the car then stops on the highway and another car crashes into it, causing victims.”

As it turns out, commitment is required from both camps. Manufacturers should pay more attention to security, provide updates more often because what they do is, in fact, patching up their initial mistakes.

On the flipside, the public should take a logical, dismay-free approach. Owners must ask themselves some questions, then figure out that although unlikely, a deftly executed cyber attack could, potentially, cost their lives.