Car hacking has become a universal problem, writes Mike Gillespie of Advent IM.
The FBI recently issued a warning about the threat of car hacking. The vulnerability of vehicles has grown as more systems in modern vehicles have been either web- or Bluetooth-enabled, so this increase in both vulnerability and the resulting exploits, isn’t really surprising to those of us who are used to trying to secure …. well … anything … from the virtual open sewer that is the internet. UK police forces have been warning people for some time about the rise in car theft that didn’t rely on the vehicle being physically forced open.
The warning from the FBI will have surprised a lot of people, though, as many do not see the connection between the device they are using (for a car, in this instance, is the device) and any kind of threat, either to their physical or virtual being. The realisation that their car could be hacked and that the manufacturer had not factored this threat in as part of the innovation is shocking, so people have the right to be surprised, though this level of naiveté surely needs to be addressed as a matter of urgency.
Looking at car hacking, we can loosely group this area into two segments, keyless entry exploit and system compromise. As the grouping suggests, the motivations for these two groups vary and if we are to understand this activity then we need to understand the motives. Keyless entry exploit is the most common crime and according to police statistics is in serious growth (*). The theft of luxury cars and commercial vehicles to order is nothing new. But the scale of theft has risen and organised gangs as well as lone opportunist thieves, operate in this area. Their motive is clearly financial – whether that means fencing the car or it’s parts, or using it for another crime, such as a robbery. However, terrorist cells have also been known to take cars for their operations and also to evade surveillance, so it shouldn’t be assumed the motive for this crime is always financial, it’s just more a common motive.
Compromise of a vehicle’s systems, be that engine management or otherwise, is a more serious and threatening form of attack. It is less common, thankfully and the motives will be different and ultimately more complex but the vulnerabilities that are being exploited are just as real and as such we need to make ourselves aware both as consumers/users but as responsible security professionals. The motives for this kind of attack may include financial of course, but are far more wide-ranging and could include espionage and assassination, distraction, terrorism and corruption. So perhaps looking at the kinds of vehicles implicated might cast more light on the kind of motive. Also never forget the ‘lulz’ – script kiddies will try and crack things for laughs or bragging rights. While it’s outside of most people’s understanding, the kudos that acts of sabotage or disruption bring status-seeking coders, is big and shouldn’t be ignored. The young people who allegedly hacked TalkTalk, did not really want the data they found access to, they just did it. Think climbers and Everest – climbing it because it is there.
Logistical and commercial, private, military, public and R&D test vehicles (not to mention Unmanned Aerial Vehicles, UAVs, aka drones) are all, to varying degrees, potentially exploitable. Probably the most diverse group of motives will be found in the private vehicle group. These car systems may be attacked for a variety of reasons and could include risk to life events. We saw the ‘white hat’ (security researcher) hacking of a Jeep last July, which was subsequently driven immobilised on a highway, with a terrified driver inside. Luckily the two researchers who were carrying out this remote experiment did not allow any harm to come to the ‘driver’ and after the Jeep slid unceremoniously into a ditch, he was completely fine, if not more than a little shaken.
The car had lost all its power and braking system. The researchers in question were engaged on working on steering control too at the time of this experiment. The ‘driver’ had been subjected to icy air conditioning, blurred view owing to the constant activation of screen wash, uncontrolled wipers and very loud music. The piece de resistance has to be the brake and engine though as both were controlled then totally disabled, leaving the vehicle helpless and the driver at massive risk. Conspiracy theorists will be dining out for years on the possibilities this kind of attack provides.
As we all know, there is a vast array of military vehicles and these are of a broad variety of ages and functions. We also know the technology will vary wildly. One thing we do know is that operating systems used that are outdated or no longer supported, can sometimes be a vulnerability in military equipment and some of the vehicles may share this vulnerability. So systems built on XP for instance, will no longer be security patched and so are offering potential entry points for hackers to exploit.
Public vehicles are not immune to hacking or the potential to be hacked and indeed the world has already seen what can happen. In Lodz, Poland four trams were derailed and two made to collide (although it’s unlikely that was his actual intent). Twelve people were injured after a teenager decided to play trains with trams using a modified TV remote control. It’s worth noting that the youth in question carried out physical reconnaissance of tram depots to gain the information he needed to make his remote control a success. In hacking the physical and cyber worlds have more touchpoints than you might think. We know that driverless vehicles are around the corner; we already have drones and the Docklands Light Railway, for instance. The possibility of harm cannot be ignored. If a private vehicle with a driver on board can still be effectively cast adrift in a useless vehicle on a busy highway then we need to be making sure manufacturers are working with researchers to ensure secure vehicles before we move on to wide scale driverless vehicles surely?
Sadly not all manufacturers take that view and the beleaguered VW brand took another blow after its emissions scandal when it was revealed that they had effectively gagged two university researchers who found security flaws in their vehicles, by threatening them with legal action. Not all manufacturers however have taken this approach and Tesla for instance, made an invitation to hack their vehicles and report back findings, for a bounty. This is commonplace in world of technology and it’s good to see it adopted in this way.
It’s hard to definitely say if car crime figures are being driven (forgive the pun) by cyber or keyless attacks, but what is clear is that the threat is real and set to increase unless there is clear dialogue across manufacturers, researchers, police and users.
Note
* Scotland Yard reported plus 8pc growth 2014 vs 2015 including keyless theft, with an average of 16 vehicles reported per day taken including via this method, in the capital.
Pictured, Buick parked on street, near Mount Pleasant sorting office, central London.
