Security and Connected Cars
Modern cars are not just electromechanical vehicles anymore. With every generation, they adopt more and more sophisticated digital technologies in order to increase fuel efficiency, safety and comfort levels. Cars are becoming more and more like computers on wheels. At Kaspersky Lab, we see several potential security issues when it comes to connected cars and the infrastructure they generally communicate with (or will start communicating with in the near future). With that in mind, we believe it is important to share our expertise with car vendors and developers of infotainment devices (head units), vehicle-to-vehicle and vehicle-to-infrastructure solutions.
But first, here are some facts worth considering:
- The connected-car market is growing at a five-year compound annual growth rate of 45% — 10 times as fast as the overall car market;
- Gartner estimates that a quarter of a billion connected cars will be on the roads by 2020;
- Some 98 percent of cars will be connected to the Internet by 2020;
- Even low-cost car manufacturers already offer a number of connected services, not to mention premium car brands.
As you can see, the industry is moving at a rapid pace. But as with many other new technologies, connectivity solutions for cars are not always developed with security in mind. Until recently, the probability of a remote cyberattack against a car directly, via a web interface or mobile app, wasn’t even considered as something to include in the risk model for a connected service. But since 2010, several researchers around the world have repeatedly highlighted real security issues either in in-car systems or in the infrastructure a car is communicating with.
Threat Vectors
A connected car can be attacked remotely via a wireless protocol or through physical access to the car’s ports (OBD-II or USB). Another potential point of entry is via the infrastructure the car is communicating with, such as the web resources or different telecommunication services enabled in the car.
A successful attack against a connected car or infrastructure will typically manifest in the following four ways: damage to the car, damage to the manufacturer, harm to the car’s owner and/or misuse or theft of the owner’s data.
Examples of car security issues revealed by researchers:
2015: Hackers remotely kill a Jeep on the Highway
2016: Researchers hack Tesla Model S with remote attack
2017: Android Phone Hacks Could Unlock Millions of Cars
The security issues revealed by researchers highlight how wide the attack surface is for a connected car.
1. Physical safety
- Attacks against cyber-physical components leading to the malfunction of crucial car systems, including brakes, engine and autopilot systems.
Such attacks require a lot of preparation and technical expertise from the attacker’s side; however they may potentially bring the most devastating consequences. Nowadays, models produced even by the same manufacturer are technically different from one another, so a potential attacker would have to do all the work from scratch each time. However, the car industry is moving towards the unification of components and platforms that cars are built on. This may potentially lead to a situation where an exploit-set written for one model may become applicable to several other models.
2. Security of the physical property
- Attacks against car security systems leading to car-theft
Attacks can compromise car alarm systems, especially for those cars utilizing mobile apps, which allow attackers to arm and disarm car alarms via a smartphone. There are theoretical and real-life examples of such attacks.
For example, two real cases of computerized car theft are:
Case 1: https://www.voanews.com/a/us-car-thefts/3454284.html
Case 2: https://fortune.com/2016/07/06/heres-how-hackers-use-laptops-to-steal-cars/
- Attacks against embedded car security systems (like infotainment) leading to the malfunction of these systems
These attacks suggest hackers can compromise the software running on a car’s internal devices, such as its infotainment systems, through a rogue software update delivered over the air or through a removable device. Such attacks can result in financial losses for the car manufacturer and car owner. An example could be a ransomware attack against car infotainment.
At Kaspersky Lab we are aware of proof of concept projects around attacks like this against the head-unit of a car. In order to not give the attackers direction, we will not disclose the names of the brands affected by a ransomware vector until it is fixed.
This vector also suggests an even deeper and more sophisticated attack. The head-unit (infotainment system) is always connected to the telematics block, and some other important blocks (e.g. CAN-bus), serving as a communication node to critical car components. The vulnerable head-unit may therefore become an entry point for hackers targeting critical car systems.
3. Security of user data
- Attacks against client-side components of connected car infrastructure, e.g. remote control mobile apps or web-based client services, leading to the compromise of the car’s physical security and the privacy of its user.
Such attacks can give an attacker access to the account of the owner of a connected car and via a fake mobile app they will be able to unlock the doors, and/or track their geo location and other personal information.
Kaspersky Lab’s own research, conducted in 2017, has proven the workability of this type of attack. Moreover, while gathering intelligence on underground forums, Kaspersky Lab researchers have found advertisements from malicious users offering from 200 to 300 dollars per activated connected car account and selling these accounts.
- Attacks against non-critical car systems leading to the compromise of a user’s privacy (built-in car microphone and/or camera)
Such attacks may result in the owner or passenger of a car becoming the subject of unauthorized surveillance. This is a purely theoretical vector so far, but technically there is an opportunity to create a malicious implant that would spy on car owners and passengers via their microphone or cameras.
4. Security of vehicle-to-vehicle (v2v) and vehicle-to-infrastructure (v2i) communications
- Attacks against v2v systems leading to road-accidents
Multiple V2V solutions are in development now, suggesting that there will be an exchange of data between cars. If one of the nodes in this network is compromised and starts issuing incorrect data, other nodes may be misled and driven into collision. These security issues should be addressed properly in the development stage.
- Attacks against v2i systems leading to traffic collisions and collapses
V2I solutions suggest that lots of data about vehicles on the roads could be collected, via sensors embedded into infrastructure surrounding the car, and via wireless channels from the car. Compromising one or several of these components can lead to traffic collisions and collapses. In 2016 Kaspersky Lab specialists conducted research which proved the existence of several security issues in public road infrastructure:
https://securelist.com/blog/research/74454/how-to-trick-traffic-sensors/
https://securelist.com/analysis/publications/76060/fooling-the-smart-city/
- Attacks against v2i systems leading to fraud operations
This threat vector is mostly applicable to fleet management solutions. It allows hackers to manipulate data processed by these solutions for the purpose of fraud. Attackers can potentially abuse aftermarket car-tracking and management systems in order to steal the vehicle or the goods it transports.
How to secure connected cars
Even though existing potential threats to connected cars are serious, most of them are still more potential than real. For the security and car manufacturing industries this is good news, because we still have time to do things right and securely. Our approach to connected car security includes the following measures:
1. Organizational measures:
- Make cybersecurity a must-have component in the development of each new model;
- Vulnerability assessments should be a must-have component in the life-cycle of each model;
- A dedicated security team is a good-to-have resource for modern connected car manufacturers.
2. Technical measures:
- The critical hardware and software components of connected cars and the data exchange between them should be protected from external interference by design. The connected car era is when the cybersecurity of a car’s architecture should be considered from the very start. That’s because when it comes to connected cars, cybersecurity and physical safety are the same thing.
- The data exchange between the cars and their external infrastructure should be encrypted reliably – with a proven open source algorithm.
- End user applications – whether web-based, or mobile, should be protected as reliably as a bank account. The current state of connected car mobile applications is far from ideal, while all technologies capable of addressing the most severe security issues with mobile applications already exist. The best practice here is to consider the development of a connected car.
- Telematics B2B and B2C services should be the subject of serious and regular security assessment – both before the go-to-market stage, and then periodically afterwards, along with any major updates to the IT infrastructure of the service. Just like any other service that deals with web technologies, connected car services that manage corporate fleets, track valuable cargo, etc. may become a target for criminals seeking new ways of making illegal profit.
So what are we doing?
At Kaspersky Lab, we’re working closely with several car manufacturers and manufacturers of key connected car components in order to develop technologies that will address all existing cybersecurity issues without hurting the experience, performance and safety of driving – the most valuable things you can get from a car.
To meet the above-mentioned challenges, we partnered with AVL Software & Functions, the world’s largest independent company for the development, simulation and testing of powertrain technology for passenger cars. In doing so, we developed a reliable and flexible software platform that allows car manufacturers to develop and implement a Secure Communication Unit (SCU) into their cars, using hardware and additional software components that are aligned with their manufacturing plans. The platform uses KasperskyOS, which is designed for, and meets the requirements of, embedded devices used in car manufacturing – connected cars in particular.
One of the key objectives is to create a reliable and flexible software platform that will allow car manufacturers to develop and implement a Secure Communication Unit (SCU or Car Gateway) into their cars, using hardware and additional software components that are aligned with their manufacturing plans. Once developed, the proof-of-concept SCU solution will be tested via security-related verification and validation methods. This comprehensive development package will not only produce the technical deliverables needed in the industry, but will also develop new concepts for making car software secure by design.
The role of the Secure Communication Unit is to make connected cars secure by-design, regardless of the third-party software and systems on board. The SCU is a communication gateway control unit, connected to several subnets and/or gateway-controllers to these subnets within the car network, acting as a single secure gateway for incoming and outgoing communication flows. Based on security policy enforcement and strong separation to prevent unwanted contact between various car components, the software helps ensure proper interference-proof communications within the car network.
The trusted software platform of the SCU consists of security components that are trustworthy-by-design. Firstly, the microkernel proprietary operating system (KasperskyOS) is based on well-established principles of security-driven development and specifically designed for embedded systems with strict cybersecurity requirements. KasperskyOS removes the chance of undocumented functionality, and thus mitigates the risk of cyberattacks: even if unauthorized code is embedded, it will not be executed because, by default, this undocumented functionality is prohibited. Other components include a security policy engine (Kaspersky Security System), defining the particular scope and character of interaction between various components, and a trusted channel framework with a set of crypto algorithms, as well as low-level protection services based on hardware capabilities.
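The gateway role described above (policy enforcement between subnets, with anything not explicitly permitted being prohibited) can be illustrated with a default-deny forwarding check. This is an added example, not KasperskyOS or Kaspersky Security System code; the subnet names, frame IDs and rule table are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subnets of the in-car network (names are assumptions). */
typedef enum { NET_TELEMATICS, NET_INFOTAINMENT, NET_BODY, NET_POWERTRAIN, NET_COUNT } subnet_t;

/* One allow rule: frames with IDs in [id_lo, id_hi] may flow src -> dst. */
typedef struct {
    subnet_t src, dst;
    uint32_t id_lo, id_hi;
    size_t   max_len;      /* longest payload accepted for this flow */
} allow_rule_t;

/* Constructed policy: every flow not listed here is dropped. */
static const allow_rule_t POLICY[] = {
    { NET_POWERTRAIN,   NET_INFOTAINMENT, 0x100, 0x10F, 8 }, /* speed/RPM for display */
    { NET_INFOTAINMENT, NET_BODY,         0x300, 0x300, 2 }, /* cabin climate request */
    { NET_TELEMATICS,   NET_BODY,         0x320, 0x321, 1 }, /* remote lock/unlock    */
};
typedef struct { subnet_t src, dst; uint32_t id; size_t len; } frame_t;

/* Default-deny decision: forward only if an explicit rule matches. */
bool gateway_allows(const frame_t *f)
{
    if (f == NULL || f->src >= NET_COUNT || f->dst >= NET_COUNT || f->src == f->dst)
        return false;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const allow_rule_t *r = &POLICY[i];
        if (r->src == f->src && r->dst == f->dst &&
            f->id >= r->id_lo && f->id <= r->id_hi && f->len <= r->max_len)
            return true;
    }
    return false;   /* no rule matched: the flow is prohibited by default */
}

int main(void)
{
    const frame_t samples[] = {   /* constructed sample frames */
        { NET_POWERTRAIN,   NET_INFOTAINMENT, 0x101, 8 }, /* listed flow           */
        { NET_INFOTAINMENT, NET_POWERTRAIN,   0x101, 8 }, /* reverse direction     */
        { NET_INFOTAINMENT, NET_BODY,         0x300, 8 }, /* payload over the limit */
        { NET_TELEMATICS,   NET_POWERTRAIN,   0x200, 4 }, /* no rule for this pair */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("frame %zu: %s\n", i, gateway_allows(&samples[i]) ? "FORWARD" : "DROP");
    return 0;
}
```

Rules are directional, so permitting powertrain data to reach the display does not let a compromised head unit send frames back toward the powertrain subnet.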
The platform provides the solution framework for specific customized applications, allowing car manufacturers to develop and implement unique SCUs into their cars, based on particular hardware and additional software components in alignment with their manufacturing plans. The SCU is available for OEMs, ODMs, system integrators and software developers around the world.
Connected cars will become more and more a part of our daily lives, which is why it’s important to try to understand future issues and solve them before they become a reality. Wherever possible, the industry must maintain an open dialogue and a collaborative approach. Security and safety go hand in hand.
About the author:
Andrey Nikishin is Future Technologies Projects Director, Kaspersky Lab.