Cyber threats against cars are here to stay, experts say
Losing control over your vehicle is a very frightening experience. The video of a driver helplessly cranking the wheel while his Jeep Cherokee drove into the ditch, remotely controlled by a hacker duo, scared the world. This orchestration, in the headlines as recently as past August, should have been the last wake-up call for automotive electronics designers: Car can get hacked, and they should move quickly to lock any hackers out. At the Cyber Secure Car industry meeting this week in Dresden, experts from the automotive value chain, the academic research community and the electronics and software industry discussed the current position of the car industry in terms of cyber security, hacker motivations and practices and potential measures to make cars more secure and – since in the car security is equivalent to safety – safer.
Carmakers and their suppliers urgently need to make themselves knowledgeable about the risk, this was the unanimous position of the presenters. Given the average age of the cars out on the streets of some ten years, currently only a small percentage of this “installed bas” already possesses a wireless interface to the outside world. But the number of connected cars will increase steeply over the next decade, and malicious attacks will increase in parallel, predicted Florent Frederix from the Online Trust and Cyber Security unit of the European Commission’s Directorate-General for Communications Networks, Content and Technology.
But there is no need to wait for the connected car, already all contemporaneous vehicles have some kind of wireless interface that can potentially used for an attack. “There are more than 50 attack points in the connected car ecosystem”, said Mike Parris who oversees the Secure Car Division at British telematics and automotive security consultancy SBD. “Any point of the ecosystem can be hacked”. Like Frederix, he highlighted the parallelism of the connected car with the Internet of Things. “After Stuxnet (the computer virus that infected and damaged the Iranian uranium centrifuges) it became aware to the criminal scene that such a sophisticated hack is possible”, he said. “The threat of real-world hacking is a ticking time-bomb”. Parris went so far to say that “there are only two types of cars: Those who have been hacked and those who will be hacked”, only slightly modifying a quote of FBI director Robert Mueller in 2012. “There is a perfect storm brewing”.
The presenters contributed a wide range of potential gateways and opportunities for hackers. Starting with WiFi and Bluetooth connections of today’s vehicles or compromised infotainment systems, they made clear that hackers would certainly be able to find many open doors to enter a vehicle’s electronic systems. A preferred primary target is the head unit of the vehicles from where hackers can work through to ADAS and safety-critical systems. Besides wireless interfaces, lidar sensors are prone to attacks: Trials have shown that it is relatively easy to generate “fake cars” in the lidar echoes, misleading the automatic steering systems. Since lidar systems are regarded as widely indispensible for automated driving scenarios, this property could emerge as a serious roadblock to automated driving. According to Parris, even intrusion attempts through the DAB radio receiver have been documented.
It is not only the wireless interfaces that can be used to enter a car and inject malicious software and unwanted functions. Stefan Nürnberger from the Center for Security, Privacy and Accountability (CISPA) in Saarbrücken (Germany) which performs penetration tests on cars, contributed an interesting hacker entry point: During tests on an existing luxury car, they found that the folding mirrors were directly connected to the vehicle’s CAN bus. For a malicious person it would have been easy to break off a mirror to gain access to the CAN bus.
Likewise, the OBD and OBD-II diagnostics interface is a major entry point for attacks due to its completely open and unprotected nature. While some might argue that it is necessary to have physical access to the vehicle to connect to the OBD interface, this is not really a strong protection: Malicious software can be contained in OBD dongles available on the market for connectivity and insurance applications. The list of vulnerabilities could be continued. The point is that with a car becoming a computer – or rather, a system of interconnected computers – they face much the same problem as the PC, with all its concomitants.
So the question is: How can the problem be solved, what does the automotive industry need to do to keep the hackers at bay? “The good news is: other industries have been to this point before” said Dominik Wee, partner at consultancy McKinsey. Another good news is that, according to Wee, 83 percent of the OEMs are aware of the threat. The less good news is that the majority has no clue yet what to do; only 41 percent of the respondents have cybersecurity teams up and running. Wee suggested that the auto industry should adopt the security approach from the IT industry, with a tiered approach. Paul Wooderson, Senior functional safety and cyber security engineer at engineering consultancy Horiba Mira, sketched the measures from the engineering perspective. He advised establishing a development process that takes into account the cyber threats. “You should treat the car as a part of the Internet of Things”, he said. Specific restraints and requirements of the automotive design, such as the long design cycle and the complex supply chain, must be taken into account like technical factors such as limited microcontroller resources, real-time capability and scalability. Basically, his suggestions amounted to adding the security as additional aspect into the known V model.
Several presenters unanimously regarded wireless upgrade capability of in-car software (OTA) as indispensable to counter the cyber threats. On top of that, there were suggestions for direct technical measures to solve the problem. Koji Nakao, Research Executive Director of Japan’s Network Security Research Center, suggested a multi-level security architecture that embraces messeg verification, trusted boot of ECUs, authentication of communications in and around the car, message filtering (to prevent DoS attacks) and Fault tolerance. This approach is currently discussed in the relevant working group SG-17 of the ITU-T standards organisation. In addition, Nakao suggested to adopt the lightweight cryptography described in ISO/IEC 29192 in cars: It would suit to apply data encryption on the CAN bus even for time-critical real-time safety applications, he said, and it would not overburden the micro controllers in the ECUs.
In any case, no single measure would be sufficient to attack the entire problem. In demand is a holistic approach, many experts agreed. Plus, the security issue will persist. “You can’t fix it once and for ever”, warned Frederix. “You will always see new challenges”.