Dozens of researchers have now shown that it’s possible to hack into a car and commandeer its controls. But in the real world, such dire automotive cyberattacks have yet to materialize. That shouldn’t lull anyone into a false sense of security. Both terrorists and hackers pose a serious threat to connected automobiles—and as many as three-quarters of new cars are expected to have internet connectivity on board by 2020, according to John Carlin, assistant attorney general for national security at the U.S. Department of Justice.
Carlin said many vehicles, including self-driving cars, may soon be in danger of having their systems compromised. Also recognizing the problem, the National Highway Traffic Safety Administration (NHTSA) has just issued Cybersecurity Best Practices for Modern Vehicles, a guide for the auto industry.
“We’re on the cusp of a transformation, and the auto industry is at the front of that transformation,” Carlin said. “We can’t make the mistake again of not building in cybersecurity by design on the front end and preventing espionage or loss of life.” One of the most ominous cyber threats to cars could be the use of ransomware, a type of malware that literally locks users out of their systems, in this case cars, until they pay a ransom to regain control.
This scourge has affected thousands of computer systems, ranging from individual PCs to networks in hospitals and other institutions. In a typical ransomware attack, the user is locked out and his or her data is encrypted or otherwise made inaccessible. Too often, the only recourse has been to pay.
“The current ransomware business model works well because the attackers ensure that the price paid is well worth the data restored,” explained Tony Lee, technical director at security research firm FireEye. “Can home users put a price on precious family photos or financial documents? Can organizations put a price on critical information necessary to conduct business? If that answer is yes and the price is low enough, the ransom will be paid.”
The same rationale can be extended to vehicles. Approximately 250 million connected cars are expected to be on roads worldwide by 2020, according to a 2015 analysis by technology consulting firm Gartner, making connected cars the next potential market for hackers. These attacks could range from simply locking motorists out of their vehicles to locking them inside; a more ominous scenario would allow hackers to freeze the ignition, essentially “bricking” the car and making it completely unusable.
Stephen Cobb, senior security researcher at security provider ESET, recently coined the term “jackware” to distinguish this specific kind of automotive ransomware. He says that, although it hasn’t yet been encountered, there is little doubt it is already in development.
“The computer systems are designed, features are designed, products are brought to market, and people adopt them,” he said. “On the other side, hackers speculate, probe, develop a proof of concept, attack, and then finally monetize the threat.”
Fleets Might Be a Top Ransomware Target
Ransomware has long relied on social engineering to be successful—disguising itself in what might appear to be a helpful warning to fool unsuspecting users into exposing their operating systems. Think back to warnings you may have received that your computer was infected with a virus and you needed to pay to have it cleaned.
In vehicles, this could appear to be anything from warnings about vehicle warranties and services to notifications that a satellite-radio subscription will soon expire to threats of traffic violations. An unsuspecting motorist could react quickly to such a warning, and suddenly find the car locked or worse.
“The bigger threat would be the possibility of disabling the vehicle in some way,” Lee said. “For example, locking the car, disabling the ignition, or engaging the emergency brake. The variety of ransomware will only be limited by the attacker’s creativity.”
If there’s good news, it’s that the effectiveness of any type of this scareware will quickly decline once motorists become aware of the avenue of attack.
Consumer vehicles may not be the primary target for these directed attacks, however. Commercial businesses and government agencies could find themselves on the receiving end of targeted attacks that take out an entire fleet of vehicles. “Fleets and infrastructure act as a multiplier,” Lee said. “For example, if the average individual would pay $20 to regain control of their vehicle, imagine what a car-rental organization would pay, especially when they consider the cost for their loss of business and reputation. For well-organized attackers, this may end up being a numbers game, which may be similar to credit card theft and sale.”
What Auto Execs Can Learn from Aviation
Nearly three-quarters of vehicles sold this year will have a telematics system, according to Colin Bird, senior analyst of automotive technology at IHS Markit, and the likelihood of attacks will increase as more vehicles become more connected. At the same time, vehicle defenses haven’t yet caught up to the potential problems.
“There is no firewall between the telematics and data buses,” Bird said. “Right now, we’ve seen how hackers can take control by accessing the software ports, but they can also use RFID connections and soon it will be through the unprotected telematic systems. Right now, only certain OEMs are being proactive and are starting to install firewalls, but again, most cars have no security in place.”
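To make concrete what a firewall between the telematics unit and the vehicle data buses looks like in practice, here is a small gateway filter added as an illustration; it is not code from the article, from Bird, or from any OEM. It applies a default-deny policy to frames arriving from the telematics side: only allowlisted CAN arbitration IDs are forwarded to the vehicle bus, each with a payload-length cap and a per-ID rate limit so a compromised telematics unit can neither reach powertrain or brake message IDs nor flood the bus. The IDs, length caps and rate limits are invented for the example; real assignments are OEM-specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GW_WINDOW_MS 100u   /* rate-limit window per allowlisted ID */

/* A classic CAN frame as the gateway sees it (11-bit ID, up to 8 bytes). */
typedef struct {
    uint32_t id;
    uint8_t  dlc;       /* data length code, 0..8 */
    uint8_t  data[8];
} can_frame_t;

/* One allowlist entry: which telematics-originated IDs may cross the gateway. */
typedef struct {
    uint32_t id;
    uint8_t  max_dlc;          /* payload length cap for that ID */
    uint8_t  max_per_window;   /* frames allowed per GW_WINDOW_MS */
} gw_rule_t;

/* Hypothetical rule table for illustration; the IDs are invented, not any OEM's. */
static const gw_rule_t RULES[] = {
    { 0x3A0, 2, 5  },   /* remote cabin pre-heat request */
    { 0x3A1, 1, 10 },   /* remote door lock/unlock request */
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

typedef enum { GW_FORWARD, GW_DROP_ID, GW_DROP_DLC, GW_DROP_RATE } gw_verdict_t;

/* Per-rule rate-limit state: start of current window and frames seen in it. */
static struct { uint32_t window_start; uint8_t count; } state[N_RULES];

void gw_reset(void) { memset(state, 0, sizeof state); }

/* Decide whether a frame from the telematics side may be forwarded to the
 * vehicle bus. Anything not explicitly allowlisted is dropped (default deny). */
gw_verdict_t gw_filter(const can_frame_t *f, uint32_t now_ms)
{
    for (size_t i = 0; i < N_RULES; i++) {
        if (RULES[i].id != f->id) continue;
        if (f->dlc > RULES[i].max_dlc) return GW_DROP_DLC;
        /* open a fresh window once the previous one has elapsed */
        if (now_ms - state[i].window_start >= GW_WINDOW_MS) {
            state[i].window_start = now_ms;
            state[i].count = 0;
        }
        if (state[i].count >= RULES[i].max_per_window) return GW_DROP_RATE;
        state[i].count++;
        return GW_FORWARD;
    }
    return GW_DROP_ID;
}

int main(void)
{
    static const char *names[] = { "forward", "drop:id", "drop:dlc", "drop:rate" };
    /* Constructed burst: a legitimate pre-heat request, an oversized payload on
     * the same ID, and an attempt to reach an (invented) brake-control ID. */
    can_frame_t burst[] = {
        { 0x3A0, 2, { 0x01, 0x00 } },
        { 0x3A0, 8, { 0 } },
        { 0x0C0, 8, { 0xFF, 0xFF } },
    };
    gw_reset();
    for (size_t i = 0; i < sizeof burst / sizeof burst[0]; i++)
        printf("id=0x%03X dlc=%u -> %s\n", burst[i].id, burst[i].dlc,
               names[gw_filter(&burst[i], 10)]);
    return 0;
}
```

The point of the rate limit is that even an allowlisted ID is not a free channel: a compromised telematics unit repeating a permitted lock request thousands of times per second would otherwise still be able to starve the bus. A production gateway would also validate the payload contents per ID and log drops for the vehicle's intrusion-detection function.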
In catching up, the automotive industry may take a cue from other sectors in the transportation industry. Travel-technology provider SITA released its 2016 Airline Passenger IT Trends Survey, which found that 91 percent of airlines plan to invest in cybersecurity. This came after hackers infiltrated U.S. air-traffic-control systems last year, which grounded planes and put the detailed travel records of millions of people at risk.
In September, an FAA advisory body recommended that cybersecurity measures be taken to ensure that airline systems, as well as aircraft, can’t be hacked. This included calls for future industry-wide standards that would affect everything from aircraft design to flight operations to maintenance practices.
The auto industry will have to follow a similar plan, especially since there are already so many aftermarket products that run on proprietary software. Those efforts are underway; the automotive Information Sharing and Analysis Center (Auto-ISAC), a voluntary group of automakers and key suppliers focused on emerging cyber threats, started up in January.
But in the automotive world, the threats may be more complex. Today, a car can have upward of 30 million lines of code, meaning there are increasing opportunities for someone to do the wrong thing. If there’s some solace, it’s that OEMs are using numerous operating systems, which limits the potential for hackers to target systems that are widely adopted. But that’s not as important as another factor, says Lee.
“Operating-system versions will most likely not limit attackers as much as a lack of reliable remote connectivity,” he said. “If exploitation of the vehicle requires physical access, the damage will be more limited than that of a remote exploit. But we do not believe the threat is overstated.”
The DOJ’s Carlin, speaking at the inaugural Billington Global Cybersecurity Summit in July, was more blunt. “Think of the terrible, tragic incident in Nice, where [attackers] used a heavy truck, and we know people are experimenting with autonomous heavy trucks, and it shouldn’t take too much imagination,” he said. “We know terrorists want to kill through experimental and splashy ways. They want to drive trucks into civilians, and it’s not too much to think they can hack a car and do the same thing.”