The state of auto cybersecurity: current vulnerabilities in connected vehicles
As the automotive industry adds more software and connections into vehicles, it simultaneously increases the probability of cyberattacks due to vulnerabilities. Right now, the average car has about 100 million lines of software code and 100 electronic control unit (ECUs), both of which provide hackers with a vast attack surface. And those two numbers are expected to expand over the next several years, eventually promoting auto cybersecurity to the forefront of manufacturer and consumer concerns.
The following five paragraphs are excerpted from my chapter in SAE’s Cybersecurity for Commercial Vehicles, titled “Law, Politics, Cyber Security and Data Privacy Issues.” The entire book, edited by Gloria D’Anna is available here.
A Quick Glance in the Rearview Mirror
In 2015, the first widely-viewed public demonstration of remote vehicle exploitation (via the infotainment system) was made by cybersecurity researchers Chris Valasek and Charlie Miller. The two men astonished onlookers by taking control of a Jeep’s dashboard functions, steering, transmission, and brakes from 10-miles away, as the Jeep continued to drive down the highway. Needless to say – this event led to front page coverage around the world.
The potential for that exploit to be repeated on any of the 1.4 million Fiat Chrysler Automobile (FCA) vehicles on the road led to the world’s first cybersecurity safety recall. A year later, the research duo followed up with a local vehicle exploit (via the USB and CAN Bus) showing non-connected vehicles to have vulnerabilities at highway speeds. This revelation answered many naysayers that had sought to downplay the breadth of attack surfaces in legacy vehicles (and narrow industry focus only to the protection of future model years).
The researchers described the work as “extremely difficult, time-consuming, and expensive,” but they had achieved their breakthroughs alone and mostly with self-funding, likely inferring that skilled and full-time adversaries could pull off similar attacks with ease.
Hackers Discover Vulnerabilities in Many Vehicle Makes and Models
Since that first public vehicle hacking demonstration, numerous new vulnerabilities in different manufacturers have been found. For example, Tesla and General Motors (GM); in commercial vehicles, by car thieves using laptops; and most recently in smartphone apps used for keyless entry…hackers do not need to build up their own expertise or experience, instead they rely on tools created by a much smaller group of experts, to download exploits or run them as software as a service (SaaS) from the dark web.
Risks to commercial fleets have also become apparent in recent years. That’s because commercial fleets aggregate large groups of similar vehicle models, making them relatively homogenous targets. The asymmetry of hacking economics means that defenders must defend all attack vectors, but an attacker needs to find just one vulnerability and can use it directly or share with others.
Are Connected Cars Worth the Security Risks?
So here we are in 2018, facing more and more autonomous vehicles in test mode and connected cars in use. With such features as enhanced GPS, location and maintenance live recording, reminders, driving assistance, and Wi-Fi, Mordor Intelligence estimates that 75 percent of the 92 million cars shipped globally in 2020 will be connected.
By definition, a connected car has more control units, computing power, lines of code and wireless connections than a “non-connected” car – all of which make it more susceptible to attacks. By exploiting a weakness, a hacker could take control of the brake or steering systems, show incorrect information on the dashboard dials, or grab driver data.
Frost & Sullivan estimates that cars will require 200-300 million lines of code in the near future. It’s difficult to create bug-free software in the best of circumstances, let alone when dealing with the amount of code required to power autonomous vehicles. More code means more opportunity for bugs and mistakes, such as buffer overflows, which can be exploited. It’s also worth noting that there is no single controlling entity that has cognisance over the source code for all components. Code is written by different developers, tested by a number of entities, and installed by different suppliers. Malware can be included in any step on this supply chain.
Additionally, the increased use of smartphone apps to run certain functions by interfacing with connected cars introduces vulnerabilities, and researchers have already demonstrated a number of weaknesses that can enable scaling of attacks. Then there’s the need for constant updates to the software that runs the various components and systems. Such updates can be overlooked, leaving known glitches unpatched. But even when all software is up to date, hackers are skilled enough to can also infect routine updates.
Go Beyond Traditional Intrusion Detection Auto Cybersecurity
Yes, connected vehicles can enable safety, mobility, and environmental efficiencies – along with entertainment options never once thought possible in a car. But this growing trend of adding components and the software that enables them introduces vulnerabilities that even manufacturers do not understand the breadth of intrusion detection solutions.
We use a patented transformation process to cyberharden vehicle components, reducing opportunities for attackers to inject malware into software modules that control ECUs, CAN BUS, telematics, infotainment, and other systems. It stops attacks that bypass traditional encryption, network, and endpoint solutions – without requiring access to source code or adding software, services, or hardware.
Request our white paper here to learn how we transform embedded software and devices.
This article is written by Simon Hartley, VP of Business Development at RunSafe Security, the pioneer of a patented cyberhardening transformation process designed to disrupt attackers and protect vulnerable systems and devices. Simon is an expert in cybersecurity, mobility and IoT with over 20 years of experience in enterprise software sales, marketing, and product management.