<< Back to article Print this page Loading page, please wait...

Are you afraid your car will be taken over?

A consortium was recently created to make sure that your car stays on the road and in your control.

Ryan Francis (CSO (US))
23 February, 2017 22:46

In 2013 Charlie Miller and Chris Valesek showed how easy it was to take over a connected car. It was a monumental moment that made the auto industry stand up and take notice of the vulnerability of the connected cars they manufactured.

Miller and Valesek were not maliciously running cars off the road, but they did give demonstrations so that the auto industry would begin to take security seriously. As seen in this video, the two researchers had the capability through their laptops to shut down the vehicle's engine on the highway or spew window washing fluid onto the windshield, which could startle an unsuspecting driver to perhaps jerk the wheel and hit another car. They identified more than seven major categories of remote attack surfaces, based on their study of 20 models (2014 to 2015) from different car manufacturers.

To help give the auto industry a bit of a hand, FASTR (Future of Automotive Security Technology Research) recently released a manifesto, Toward Tomorrow’s ‘Organically Secure’ Vehicle, declaring its organizational and industry intentions to help enable the future of automotive security innovation. Formerly “Automotive Security Review Board” (ASRB) and founded by Aeris, Intel Security and Uber in 2016, FASTR is facilitating industry-wide collaboration to drive cybersecurity across the entire automotive supply chain.

FASTR is a neutral, nonprofit consortium that seeks to enable innovation in automotive security with a vision of self-healing vehicles. It is working to deliver the actionable applied and theoretical R&D needed to drive systematic coordination of cybersecurity across the entire supply chain and ensure trust in the connected and autonomous vehicle.

The number of connected cars is set to explode. Gartner, for example, predicts there will be 250 million connected cars on roadways by 2020. But FASTR says mass adoption of autonomous vehicles won’t happen without trust that these cars are cyber-secure.

Craig Hurst, FASTR’s executive director, said the societal benefits of connected and autonomous cars promise to be profound. However, with connectivity comes certain inherent risks, he warns. “Nearly every wireless communications interface in vehicles today has vulnerabilities,” he said.

The nature of the exploding complexity of modern vehicle computing is creating a “system of systems” that introduces dependencies across systems — meaning, a laptop connected to the internet, connected to poorly secured TCU (telematics control unit), connected to the brakes, he said.

“Security needs to be considered from an expansive, diverse perspective from the onset of vehicle system architecture design,” Hurst noted. “We are moving from a current state of limited but expanding vehicle connectivity (telematics, infotainment, etc.) to a highly complex, fully connected environment including vehicle to vehicle (V2V), vehicle to infrastructure control (V2I), or, more generally, vehicle to everything (V2X).”

He added that the attack surfaces of today’s connected vehicle goes beyond its in-vehicle systems to also include the increasing range of external networks to which the vehicle connects, including Wi-Fi, cellular, GPS (global positioning system), digital broadcast radio, service garages, toll roads, drive-through windows and gas stations.

Some systems shown to be vulnerable also include remote keyless entry, unsecured Wi-Fi hotspots, OBD-II (on-board diagnostic system) and USB. Intel Security in 2015 released a white paper in which it listed many of the most hackable and exposed attack surfaces on a next-generation car. Once a hacker has access via one of these entry points, injection of controller area network (CAN) messages may be possible, to manipulate other systems in the vehicle — even safety-critical systems, Intel noted.

“In the years ahead, the connected vehicle will come to rely more and more on external systems and networks to support new services and interactions. Plus, telemetric data analytics are evolving from concentrating mostly on vehicle performance and location to focus on more sensitive consumer experience and personal data such as 3D facial recognition, passengers in attendance, contextual voice processing, payment history and details, and driving habits,” Hurst said.

He hopes that through FASTR’s efforts, contributors to the organically secure vehicle of the future can work together on architectures and greenfield approaches and drive the agile, iterative research.

The manifesto states that holistic security is going to have to be an intentional and proactive undertaking from the outset of the design phase, and an OEM’s entire supply chain must be guided to adopt security best practices and produce technology components that are trustworthy. Arriving at a secure vehicle will demand innovation in process and management, as well as creation of more secure embedded systems.

Automotive OEMs are experts at building cars through their supply chains, and, today, they basically fuse together automotive security across disparate components, Hurst said.

“In fact, the complexity of legacy automotive control and bus systems — they have historically been dedicated systems operating independent of one another — has been viewed as a significant deterrent to hacking,” he said. “But a different approach to automotive security clearly is required moving forward, because of the many, many concurrent and significant changes that are playing out as we move toward the connected and autonomous car in the future.”

Taking over more than just the vehicle

The automobile will have a significantly expanded cyber-attack surface. Focus on automotive security will continue intensifying rapidly among industry and government, FASTR believes. The adoption of technology into modern vehicles without rigorous Security Design Lifecycle methodologies applied in a “system-of-systems” approach will create risks.

They are not just talking about the risk of loss of life if someone else took control of a car, but the risk of identity theft, as thieves would have a window into a driver’s habits. The location of the car could provide unique information of when someone will be home or perhaps what bank they frequent.

Forecasts call for 250 million connected cars on roadways by 2020. Analysis points to the market for partially and fully autonomous vehicles to approach $77 billion in 2035, with perhaps 12 million fully autonomous units being sold annually around the world, according to the report "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” that was created by Massachusetts Sen. Ed Markey's staff.

“If an advanced connected or autonomous vehicle was compromised, one risk category would be personally identifiable data, such as home address, navigation and route history, communications logs, current location and route, etc. In addition, sensors may provide an interesting attack target to remotely access cameras outside and inside the vehicle, as well as microphones (both integrated in the vehicle and connected within the vehicle, such as in the case of a smartphone),” Hurst said.

Poorly secured connections either between vehicles or between vehicles and the data center will create threat surfaces with significantly larger risks, including fleets and broad system data and analytics. “Payment and transaction data is of particular sensitivity, obviously, and security measures should be directly proportional to the risks,” he said.

Here are some of the significant obstacles that the automotive ecosystem is facing, with a direct focus on trust in security:

Trust in data confidentiality — Vehicle and operator data must not be divulged without the permission of the operator.
Trust in data and system integrity — Vehicle and operator data must not be compromised or altered.
Trust in data and system availability — Vehicle and operator data must be available to the systems and services that rely on them.

To safeguard privacy, Intel noted that hardware must use encryption and cryptography, along with reducing code vulnerabilities by embedding pointer-checking functionality into hardware. Other items that must be addressed are message authentication, enforcement of predictably holistic behavior of all systems, and firewalls to block unapproved and inappropriate messages, and alert security systems about any invalid attempts.

Intel’s report also said that data privacy and anonymity of personally identifiable information (PII) is now leaving the confines of the vehicle, requiring appropriate privacy controls and anonymization of data. Data privacy has two aspects: confidentiality of personal data and leaking of data outside the consumer’s control.

“Cybercriminals have been known to attack and steal data. This includes not only stored personal information, such as address books or credit cards, but also style of driving, current location, previous destinations, and other telemetry. For data leakage, there is a need for new methodologies to justify what data is stored, securely store data, destroy data upon consumption, and protect against unauthorized access,” Intel wrote.

“Since cars are left unattended most of the time – roughly 90 percent – it doesn’t make much sense to store data directly in the vehicle or to let the vehicle be the decision maker about external commands,” said David Miller, CSO for Covisint. “Instead, all vehicle data should be located outside of the vehicle and in the cloud, where it can be secured and where decisions can be made by owners at any time – and with autonomous vehicles coming fast, this is becoming even more important.”

FASTR’s manifesto

The manifesto says that accelerating the realization of tomorrow’s organically secure vehicles demands tangible research deliverables today — reference architectures, proofs of concept and other theoretical and applied research — that would help automakers reduce risks and liabilities, foster trust in autonomous vehicles and accelerate the safety and quality-of-life benefits that these vehicles promise.

Communication channels must be protected among vehicles and devices, within the communications infrastructure and within the data center.

What can be done

Defense in depth — Threat modeling, vulnerability assessment, security architecture, trusted supply chains and cybersecurity assurance are needed throughout all layers of automotive security.
In-vehicle systems — Platform boot integrity and Chain of Trust, secure storage for keys and data, secure communication, secure debug, tamper detection and protection from side channel attacks, etc.
Connectivity and the cloud — Fast cryptographic performance, device identification, isolated execution, message authentication, etc.
End-to-end use cases — Over-the-air updates, intrusion detection and prevention systems, anomaly detection, network enforcement, certificate-management services, anti-malware and remote monitoring, biometrics, etc.
Hardware security features — Multi-layered defense in depth demands security features in the silicon. Hardware-hardened, trusted execution environments, secure boot, secure key storage, crypto accelerators, hardware virtualization, etc. are critical to the overall security integrity of the vehicle architecture.
Vehicle Security Design Lifecycle — Implement formal and predictable processes to ensure compliance with security policies. An intentional and proactive approach to consolidation and interconnection of vehicle systems must be present from the outset of design, and it must continue right through to the production and operation stages. Best practices for production processes must contribute to design components being correctly implemented. Code reviews, component-level and system-level penetration tests, continuous validation of security assumptions, inbound and outbound materials processes, maintenance and upgrade plans and feedback loops for continuous learning and improvement are key for clearly linking implementation back to secure design properties.
Threat intelligence — Threat analysis and risk assessment must continue throughout the life of the organically secure vehicle. Techniques such as over-the-air software or firmware patches and upgrades can help quickly close vulnerabilities (and reduce recall costs). Threat intelligence can help prioritize cybersecurity threats by associated risk and illuminate appropriate incident response.

Cars are often lasting around 15 years, much longer than the life of most software and even computer hardware. As seen with Microsoft’s patches, the company will often end-of-life its support of the software, which in the case of vehicles could leave them left vulnerable to attacks.

Markey’s report stated that the proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent, the report stated.

“Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.”

Intel says that cars have also increased connectivity, adding many functions common to smartphones, such as cellular data and voice functionality, web browsers, online games, and entertainment.

Some examples of the connected car includes:

Advanced driver assistant systems (ADAS): Smart lighting control, adaptive cruise control, lane departure warning, and parking assist.
Advanced fleet management: Real-time telematics, driver fatigue detection, and package tracking.
Smart transportation: Vehicle-to-infrastructure communications, such as smart intersection, traffic light control, collision avoidance, and traffic management. This type of usage often involves frequent interactions between vehicles and transportation infrastructure.
Autonomous driving: The ultimate goal of the next generation of vehicles is that driverless cars become a reality to achieve zero fatalities and/or collisions.

Intel wrote that while the safety designer is adding in crumple zones, airbags, proximity detection and automatic braking systems, the security designer is also building in layers of protection, seeking to isolate a threat before it can affect vehicle operations. The vehicle security architect has a collection of security tools to choose from, ranging from encryption of critical or private data to isolation of software components by function.