Taking the Threat Seriously
Cars, like many other everyday objects, are now more connected to wireless networks than ever before – and this has caused a corresponding rise in the potential for them to be targeted by hackers. The Cipher Brief spoke to Yoni Heilbronn of Argus Cybersecurity, a firm that specializes in cybersecurity for vehicles. His main take away: cars are only going to increase their connectivity, and so industry will need to continue engaging with the cybersecurity community in order to protect both cars and consumers.
The Cipher Brief: Why would a malicious actor target a vehicle for a cyber attack, and what types of vehicles are likely targets?
Yoni Heilbronn: Luckily, all known exploits until now have been whitehat in nature—exposed in order to raise awareness. However, there are a slew of reasons why a hacker would potentially want to target a vehicle: hacktivism, theft, pranks, ransom, assassination, and mass consequence events are all possible motivations for targeting a vehicle or a fleet of vehicles.
Motivating factor(s) may affect how a hacker attempts to send malware to a vehicle, but any vehicle with embedded or aftermarket connectivity is potentially at risk. Some of the components that make up a car’s “attack surface” are the bluetooth connection, telematics unit, tire pressure monitoring system (TPMS), dedicated short range communication (DSRC), and embedded cellular connectivity (3G, 4G, LTE, etc.). However, no matter the penetration vector, the effects of car hacking can be anything from manipulating the instrument panel and sound system to having your location tracked to losing control of the safety critical functions such as steering and braking.
What should really draw attention is the sheer number of connected vehicles that are entering the market. Some estimates see almost half a billion connected cars on the road by 2020.
TCB: How would you characterize the cyber threat for vehicles? How has this threat changed over the last few years?
YH: Connectivity enables original equipment manufacturers (OEMs) to offer useful functionality to consumers. However, whereas connectivity brings consumers useful and entertaining services, there are many instances in which security is overlooked. An example of this was about two years ago when Argus became the first company to expose a vulnerability in an aftermarket telematics dongle used to provide, for example, usage based insurance (UBI) pricing models. Argus made a responsible disclosure to the vendor and together, a joint statement and solution was announced.
So what has happened is that there is significant demand for the services connectivity can provide, and the industry is racing to offer those services. However, those services have not necessarily been vetted from a cyber security point of view. Recent events, such as the Jeep Cherokee hack, have provided stark reminders of the potential costs of inaction.
At the moment, we would say that the industry is taking the threat seriously and engaging with cybersecurity firms to properly address the issue.
TCB: In 2015, two cybersecurity researchers received a significant amount of news coverage for hacking a Jeep while it was being driven. How have incidents like this changed the threat landscape for automobiles? How has industry responded to growing awareness of cyber vulnerabilities in vehicles?
YH: OEMs, Tier 1s, and aftermarket connectivity providers have all had to invest in the remediation of exposed vulnerabilities. That being said, the Jeep Cherokee that was sent into a ditch from a laptop has become a sort of watershed moment in the industry. This event led to an estimated billion-dollar cyber-recall for parent company FCA.
The Jeep hack was a turning point—that moment when the industry realized cybersecurity was not just a theoretical threat. Removing the notion that remote cyber exploits were purely theoretical in nature, to the OEMs, the Jeep case was especially far-reaching because of the potential threat to consumer safety the event implied in addition to the onerous financial and reputational damages it caused.
Another sign the industry is making tangible steps to focus on cyber security in vehicles is the formation of the Auto Information Sharing and Analysis Center (ISAC). Like the Aviation ISAC formed a year before it, the Auto ISAC is already acting as a forum in which car makers and the automotive industry as a whole can share information and act quickly in response to emerging threats. Currently, the Auto ISAC represents 77 percent of car sales in the United States and in the near future, will open up membership for suppliers and other industry stakeholders, such as telecommunications and technology companies.
TCB: How do you see the cyber threat for vehicles changing over the next 10 years? What factors are driving these changes, and why?
YH: Argus sees the industry changing in profound ways. Connectivity is at the heart of that change and will be an enabler for a whole array of products and services. It will also facilitate the implementation of autonomous driving. However, just as the services offered get more sophisticated, so too will the attacks on vehicle networks.
Technologies, such as vehicle to vehicle (V2V) and vehicle to infrastructure (V2X) communication, will further enrich and complicate the auto-transport environment. The sophisticated data streams enabling these technologies will surely make our roads safer, but the more data we send to and from vehicles (and to and from the infrastructure that governs their movements) increases the potential for attack. Carmakers and the industry at large need to stay ahead of these threats.
More sophisticated media content, navigation data, telecommunications, and even personal banking information into and out of vehicles, makes our livelihoods and safety dependent on the proper implementation of cyber security in automobiles. Moreover, without cyber security for in-vehicle networks and on out-of-vehicle communications, autonomous driving simply cannot be implemented safely.
TCB: What can be done to better protect vehicles from cyber-attacks? Is there a role for the government in this area?
YH: The good news is that there is still much that can be done. Cyber security has played only a small role in the vehicle development process up until now. Important to this is the engagement between the industry and the cyber security community. At the end of the day, car manufactures are great at building vehicles and can benefit from the decades of experience gained through traditional cyber and network security practices. Implementing those cyber best practices in the vehicle design process is made possible through partnerships, such as those Argus has with many car makers and suppliers.
What’s important to note is that there is no silver bullet to cyber security—you’ll want multiple “bullets” in your “magazine.” A multi-layered approach is necessary to properly address all aspects of the complex environments in which cyber threats could originate.
So, although we are in the middle of a serious period of engagement with the industry, the automotive and cyber communities can be helped by the government. We’ve already seen the introduction of the SPY Car Act in the U.S. Congress, which aims to set generally accepted standards for cyber security in vehicles. This was a positive step. Other forums, such as the Auto ISAC and the Society of Automotive Engineers (SAE), can help in finding the proper methods to address the problem and in setting the bar for security on wheels for years to come.