Connected cars present a new hacking risk.
It has been nearly three years since cybersecurity researchers rattled the auto industry and government officials by remotely commandeering control of a Jeep Cherokee and manipulating its steering, braking, and throttle inputs.
But, since that feat became public knowledge in July 2015, auto executives have only doubled down on their ambitions to embed modems in vehicles and connect them with the outside world. The latest report from Gartner, a global technology consulting firm, says there were 65 million connected vehicles on the road in 2017 and forecasts that the number will spike to 220 million worldwide by 2020. But as automakers gear up for this influx of connectivity, exactly how they plan to protect cars from hackers is unclear.
A new report issued this week by PwC underscored that threats are evolving, and while automakers understand them better than they once did, not all are ready to effectively counter them. “While automakers have stepped up their game to meet consumer demand for connected cars, some are inadequately addressing the cyber risks inherent in mobile connectivity,” according to the accounting firm’s report.
Dan Sahar, a vice president with Upstream, an Israel-based automotive cybersecurity startup, is more blunt, saying that automakers are locking in their production plans for 2020 with few or even no safeguards in place.
“The witching hour is here,” he said.
That was underscored late last month, when researchers at Keen Security Lab said they found 14 separate vulnerabilities in several BMW Group makes and models, six of which allowed remote access. Those security flaws could let hackers access BMW’s ConnectedDrive remote services, infotainment units, and the CAN bus, which controls essential communications between vehicle systems.
The exploit was another reminder of the variety of ways that vehicles are ripe for hacking. And it was timely—Keen Security announced its exploits only days after Upstream held an event called the Carmaggedon Challenge at its headquarters in Herzliya, Israel, at which white-hat researchers probed and discussed their latest findings. Among those in attendance was Charlie Miller (pictured at right above, along with Upstream co-founder and CTO Yonatan Appel), one of the two researchers responsible for those Jeep Cherokee findings three years ago.
Upstream has taken a novel approach to thwarting these attacks. Instead of protecting individual cars, the company is focusing on guarding the back-end servers of automakers where information on vehicle diagnostics, infotainment, and hundreds of other data points harvested from vehicles is stored. Where connectivity can be a pipeline between vehicles and the automakers’ back-end systems, most automakers and automotive cybersecurity companies are approaching security by putting a digital gate around individual cars; Upstream concentrates on the other end of the data stream.
“When we saw this space, we saw it as the next big compute platform, rather than just automotive,” Sahar said. “It’s transforming into a new beast that is a lot bigger than just a car. It has a service infrastructure and application layers built on top of it.”
By monitoring the back end, Upstream’s software can ingest data from an entire fleet, understand what the normal data flow between the cloud and cars looks like, create shadow representations of that data, and quickly identify anomalies. Upstream’s methods are a nod to its founders, who come not from an automotive background but from the IT realm and with experience in the Israel Defense Forces’ Intelligence Corps. The company received $9 million from a Series A round of funding that closed in December.
“Connected and semi-autonomous vehicles are already a reality, so it’s a matter of when, and not if, these self-driving technologies will be deployed at scale,” said Izhar Armony, general partner at Charles River Ventures (CRV), one of the venture-capital companies that contributed to the funding. “Upstream’s engineers were the first to solve how to protect connected cars and autonomous vehicles using the cloud, crucial for near-term and future deployment of automotive cybersecurity at the fleet level.”
Focusing on the car itself, in many respects, makes sense for other companies. But one drawback is that it’s hard for automakers back at their headquarters to know if a car has been compromised. A 2014 report commissioned by Sen. Ed Markey (D-Massachusetts), titled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, found that only two auto manufacturers could describe any capability either to detect or “meaningfully respond to” an infiltration in real time. Most said they rely on antiquated technologies that could not be used for the purposes of identifying a cyberattack.
It’s not known how those specific capabilities have evolved in the interim—generally, the industry has sought to decrease risks by forming a working group, the Auto Information Sharing and Analysis Center (Auto-ISAC), in which auto manufacturers and major suppliers share threat intelligence and evaluate known infiltrations. But the PwC report notes that automakers could use cloud-based services such as Upstream’s to aggregate data and track attack vectors.
“All the automakers and suppliers understand the risk is there,” said Ray Telang, a co-author of the PwC report and the company’s automotive lead on cybersecurity issues. “I think there’s a maturing that still needs to happen to increase focus on the connected-vehicle perspective and the operational perspective. It’s a never-ending battle.”
If it’s difficult for automakers to detect when one of their cars has been compromised, it’s just as difficult for a car to detect whether the back-end server it’s accustomed to connecting to has been breached. Should malicious actors infiltrate the back end, they could potentially infect an entire fleet rather than a single car.
In a worst-case scenario, a hacker could gain control of multiple vehicles and create a cascading series of crashes, a sequence that grows more plausible with the rise of self-driving vehicles operated in ride-sharing fleets. In more everyday breaches, a hacker could gain access to the payment records of a customer stored on back-end servers or, perhaps more troubling, launch a cyberattack that would send ransomware to thousands of automobiles and turn them into vehicular bricks until automakers or car owners pay for their release.
Ransomware attacks have already crippled hospitals around the United States, and more recently, the city of Atlanta spent $2.6 million on emergency efforts to respond to an attack that sought $50,000 in payment. With the potential for lucrative hacks, many fear that the automotive realm is the next logical target.
“And as a hacker, they’ll discover that they don’t want to use it on one car. Why apply it to one car? So ransomware will grow,” Sahar said. “So what we want to do is essentially extend the perimeter and have a bird’sA-eye view of an entire service. Not just the car, but how the connectivity and applications around it are all behaving. The solution is to go up and create a data platform that sits in the automotive cloud.”
It’s an unconventional approach that stands out at a time when any security is in short supply.
Author – Pete Bigelow
Courtesy of Car & Driver