Car hacking: you ain’t seen nothing yet!
As cars become more connected and with processing power that makes them like computers on wheels, it should really be no surprise that they are now drawing the attention of the hacking community. Steve Rogerson talks to some of the hackers and security experts.
This was brought to light with the now infamous hack of a Jeep Cherokee in which two people took control of the vehicle wirelessly including safety critical functions such as the accelerator.
Any hopes that this may have been an isolated incident have now been well and truly put to rest as it was followed by hacks on the Tesla S and Mitsubishi Outlander. And hackers even discovered the Nissan Leaf electric vehicle could have its heating and air conditioning controlled from a web browser.
Thankfully, so far, these hacks have not been of a malicious intent but have been executed by so-called ‘ethical hackers’, who have carried them out to show the car industry how vulnerable they are - they were meant to be a wake-up call. The aim was to encourage the car industry to take security as seriously as it takes safety, given that these breaches now show the two are intrinsically linked.
The Mitsubishi Outlander hack was carried out by a company called Pen Test Partners. Its researchers discovered that the vehicle used WiFi as its way of connecting with its mobile app. However, as Pen Test researchers found, this had not been done securely.
“The manufacturers have been adding more functionality and for good reasons,” said Ken Munro, a consultant with Pen Test Partners. “But these are being built into vehicle networks that are not as secure as they should be. This could compromise safety systems in the vehicle. As these vehicles start coming onto the second-hand market it gives more people access to explore the security systems.”
He said the car industry needed to follow the lessons learned by the computer industry and start designing security into these from scratch.
“Look at Apple,” he said. “At first the company didn’t acknowledge they had flaws and took a long time to respond to security problems. Now they are great at getting them fixed and getting updates out.”
With the Outlander, the WiFi had been implemented in such a way that a man-in-the-middle attack could be initiated allowing the hackers to disable the alarm system and unlock the door.
“The Outlander connected over WiFi, which meant you could do things like disable alarms,” said Munro. “That is because nobody had considered the security consequences of their approach.”
The company behind the Jeep hack was consultancy IOActive. Daniel Miessler, its Director of Advisory Services, said: “The idea was to find out whether it was possible to affect a vehicle’s control systems over the internet.”
This, though, he said was just the start of “a serious problem”. He said it was “not just about isolated incidents. We are seeing more and more technology being integrated into vehicles. This is just the beginning. These small incidents are just indicators of what is to come.”
The main problem he said was the increase in complexity of modern vehicles. The more complex they are, the more likely there will be bugs that can be exploited. This is what he calls the “attack surface”.
“The car manufacturers need to be looking at this and, if they choose poorly, the attack surface is very large as they want these vehicles to connect to the internet,” he said. “Bringing all this together makes them a very ripe target for attack.”
While now this is just about hacking individual cars, if the world becomes more connected with autonomous vehicles linked in a smart city network, the potential for criminals doing a city-wide hack to create a diversion becomes a real possibility.
“In five to ten years time when everything is connected,” said Miessler, “someone could stop all the large trucks, for example, and cause serious disruption as a diversion while they do something else.”
As to the future, will IOActive be doing any more hacks as it did with the Jeep? Meissler was a little secretive. “We have multiple projects,” he said. “We can’t say which ones but we are still focused on automotive.”
Not surprisingly, given the high profile nature of some of these hacks, security companies have been quick to offer advice and services to the car manufacturers.
“We have a serious problem here,” said Richard Kirk, Senior Vice-President at security firm Alien Vault. “But the Mitsubishi one could have been predicted at the beginning because they used technology you would not use if you thought about security from the beginning.”
The problem now he said was that because of car lifecycles, the “beginning” was actually two to three years ago and there are cars out on the road that were designed before the security problems became an issue.
“That is going to play out,” he said. “I would not be surprised at all to see more because it takes multiple years for the development cycle in automotive.”
Above: the Jeep Cherokee found itself in deep water over security
And he criticised Mitsubishi’s reaction, which was just to tell people to stop using the WiFi connectivity. “That would be like Microsoft telling us to stop using Excel if they found a bug,” he said.
He said the car makers needed to recognise that their connected car systems were as vulnerable as their IT systems and they needed to follow secure design processes. He said they should follow the lead of the online banking industry, which uses groups of security experts. The alternative, he said, was for legislation to force them to do this in the same way it has with seat belts and airbags.
“I think it will be a bit of both of these,” he said. “But I hope the car makers will think about it before legislation because legislation takes time.”
Paul Fletcher, a cyber security evangelist at Alert Logic, said car makers were starting to do things better by adding encryption to some devices, which he described as “a good first step”. However, he said that encryption was resource intensive and that could affect performance and add cost.
“As we move towards self-driving cars, it is all based on application code,” he said. “The car makers are not in the business of developing code, but 90% of the vulnerability is around the code. A lot of the onboard computer systems are not made by the car makers but are subcontracted.”
The problem here he said was that some of these smaller organisations may not have the resources to do the necessary security work and it was up to the car makers to provide them with those resources.
And Lane Thames, Software Development Engineer at Tripwire, believes that too much is being addressed too late because people design systems without understanding the implications of connecting them to a network.
“Cars will be connected to multiple communications networks, and that is where the problems starts,” he said. “Systems that used to be isolated are now connected. People haven’t considered the implications of this. The problems have become much more severe.”
He called for more training and education for the engineers developing these systems. He said security fundamentals should be ingrained in the same way physics and computer skills were ingrained, even from a young age.
“Children are being taught how to programme even at kindergarten,” he said, “so maybe some of the security ideas could be taught at a young age too. Teach them about passwords and how to spot phishing emails at a young age.”
In automotive, he said the industry was moving fast, and in the right direction with several conferences dedicated to security issues.
Above: Mitsubishi discovered security to be a rocky road for the Outlander
“At least the awareness is taking hold in the automotive industry,” he said. “Car makers know safety is critical and that cyber security will impact safety.”
However, he said it was critical that the security was built-in from the beginning so that car makers were not constantly playing catch-up.
“They have to build security into their systems from scratch,” he said, but he warned that there was “no such thing as absolute security. You just have to make more secure systems and to do that you have to design from the ground up.”
He said that although car makers had had a rough start on security he hoped they were now going to jump on this very quickly.
“I have confidence that they will,” he said. “They have the motivation to make that happen, otherwise they could be looking at huge amounts of money in law suits.”
So far, the car industry has been lucky. The hacks that it has suffered have been of the friendly nature - people who just want to help. However, as other industries have discovered, hacking can be damaging and less ethical hackers are out there. The people behind the hacks and security experts alike believe this is only the beginning and that car hacking will become more prevalent. The car industry needs to respond to protect not only its own reputation but the safety of its customers.