How to Cut the Cybersecurity Risk of Cars

A Short Guide to Preventing Cars from Being Hacked

The cybersecurity risk is growing as the IoT intersects with the automotive industry. But security tactics that have proven indispensable in the military and consumer electronics industry are also valid for the car industry, according to automotive connectivity pioneer Covisint.

Written by Brian Buntz
1st June 2016

The advantage of having a human behind the wheel of a car is that, if your wireless connection goes down, you don’t get so confused that you don’t know what to do. “You might take the wrong route and have to ask for directions, but you can still maintain control over the vehicle. But if a connected car loses connectivity and doesn’t know where it is, it stops. It is done. It is not going to figure it out on its own,” says Dave Miller, Chief Security Officer of Covisint (Detroit) in an interview ahead of TU-Automotive Detroit. The company has itself developed a cloud platform to help automotive companies securely connecting vehicles in the cloud.

The security risks are increasing as new cars begin to feature a growing number of autonomous features. While autonomous driving technology is still its infancy, computers have already taken over an increasing number of functions in cars. There is, for instance, adaptive cruise control that automatically adjusts a car’s speed to keep pace with vehicles in front. And a growing number of automakers are rolling out cars with “steer-by-wire” functionality, which replaces the mechanical linkages between the steering wheel and the wheels with electric signals.

Last year, Wired rocked the automotive industry with an article and accompanying video demonstrating how easy it was to hack a Jeep Cherokee. The vehicle’s engine, brakes, windshield wipers, and stereo system were all capable of being controlled remotely via a cellular connection. Even the Jeep’s steering could be controlled under certain circumstances. The story ultimately led to a recall of 1.4 million vehicles to address a vulnerability with the vehicles’ dashboard computers. A March 2016 alert from the FBI and National Highway Traffic Safety Administration about the growing risk of remote security exploits in cars also mentioned the incident.

The risk of cybersecurity exploits is growing as automakers rush to add new connectivity features to cars while powerful companies like Google, Uber, Mercedes-Benz, Nissan, Audi, and BMW are working to make autonomous driving technology mainstream.

Here are some of the chief factors driving cybersecurity risk in cars in the near term. Where appropriate, specific advice is provided on how carmakers can address them:

1. Don't Prioritizes New Features over Security

Consumer demand is increasing for cars with sleek infotainment systems and connectivity options while they are apparently not overly worried about the possibility of their car being hacked. To be fair, it remains more of a theoretical threat at this point. “That is often the way a capitalist system works: you generate excitement about this new thing, and then you figure out the areas of vulnerability and find ways to fix it,” Miller says.

But white hat hackers have already demonstrated the potential risks, and it is possible that attacks like ransomware could hit the automotive industry soon. “I think in the short term, ransomware could be the most likely attack that we have to deal with. Think about an email that says: ‘your car is inactive, and you can’t use it ever again unless you pay me x amount of money,’” Miller says. In a way, car owners would be especially vulnerable to attacks like ransomware. “It is not like with my phone or even my computer where I can backup all of my pictures and files. I don’t know how you backup a car from that standpoint,” he adds.

2. Watch Out for Weak Security Links

When the cybersecurity experts Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee for Wired, they did so after discovering a method to jump from the car’s infotainment bus directly to the command and control bus. Hackers use this general strategy all of the time on the Internet. (They explain how they did so in the video below.) “First, they attack the most vulnerable surface for the purpose of being able to attack more valuable things later. That is what happened with the RSA attack; it is what phishing attacks are,” Dave Miller says. “I convince you to do something that seems benign even though what I am getting is the next specific.”

For carmakers, this requires assuming that every access surface is can be attacked and thinking of ways to protect all of them. “You protect the low-level stuff to the same degree you protect the higher level stuff,” Miller says. “You never know what they are going to do and the methodology they are going to use if they are looking at a lower priority system to get to a higher priority system.”

3. Don't Be Lax with Permissions

Traditionally, carmakers have given people who connect to automobiles a level of access that is similar to root access on a computer. “If you log in to a vehicle’s data bus, you have traditionally had a kind of always-on access,” Miller says. “The car is essentially saying to the user: ‘if you can invoke me, then you must be OK.’”

Conversely, consider how the military delegates security clearances: “You are not going to have the person who is in charge of the USO decide where they the military is going to drop bombs,” Miller says. The level of access is limited or expanded based on the rank of the user.

“If you think about it, cars are similar. You have the infotainment system with one level of permissions, and then there is the command and control system that can do things like activating the brakes,” Miller says.

The automotive industry is starting to create a separation of duties for users that essentially says: ‘You can do these ten things, but you can’t do these other ten things.’

4. Scrutinize Aftermarket Modifications

One of the biggest cybersecurity risks for cars now is aftermarket modifications with some degree of connectivity or wireless functionality. We are familiar with the model where a car automatically pairs to your phone, where the level of control is limited to a Bluetooth connection. Google also has an automotive interface for Android. “Things like that are another thing to secure,” Miller says. “Even if you button down the vehicle and plug in a third-party item that is supposed to allow me to track my kids, that could have software that could be breached.”

Such third-party applications pose a challenge to big automakers because they have no control over them.

“We believe the solution for that is a model that, again, is permission based,” Miller says. A cloud-based security system could be used to verify requests from third-party applications and grant access to those that it verifies. An app could be programmed to provide a list with some things that it wants to do. “The cloud service could then monitor those and say: ‘I don’t understand why this service wants to activate the windshield wipers. It doesn’t make sense. I am not going to give it permission,’” Miller says. “A carmaker could also decide that there is a class or a specific third-party product is suspect. In a case like that, the cloud platform will just say: ‘nope, you don’t get permission to do anything. We think you are malware,’” he adds.

Covisint also recommends that carmakers consider giving some users—whether they be software-based or humans—connectivity only for a limited time period.

5. Consider Dynamic Software Updates

While over-the-air updates have made it easy for consumers to, say, update a smartphone, they are not practical for cars. “If you do it in a car, it becomes tough to decide what is good and bad,” Miller says. “That can be a very dangerous thing because you have opened the ability for the user to do anything.”

Again, the solution here could be to use a central cloud platform to verify pending software updates. “That enables you to do updates dynamically,” Miller says. “You can tell a user: ‘we have determined that this piece of hardware has the possibility of adversely affecting your vehicle experience. Are you really sure you want to install this?’”

Tesla is something of an outlier in the regard that they perform software updates to their vehicles. “This gave Tesla drivers the ability to have a downloaded update make their cars semi-autonomous. That is a pretty impressive upgrade to add to a car without any hardware updates,” Miller says.

But this functionality can also be used to patch security problems. “As vulnerabilities are found, they can say: ‘oh, we are going to increase security here,’” Miller says. “The challenge is that that is easier to do when you are selling $100,00 or $150,000 cars. How you turn that into something where you are selling half a million $30,000 cars is a different story. That becomes more difficult. We haven’t seen the new Tesla Model 3 specs yet but where did they skimp?”

6. Put Safety ahead of Cost

There are often rival camps within a carmaker. The first is charged with doing whatever it can to optimize performance and improve the safety of the company’s cars. The second group seeks to do whatever it can to cut costs to maximize profitability.

“I would argue that there are groups within OEMs that are unbelievably savvy about understanding exactly the issues and the possible architectures that could be set up to mitigate potential risks,” Miller says. “And then there is the group that is looking for the path of least cost.”

While the automotive industry has been steadily adding computing power to cars, it has largely done so with the smallest possible computing power to get the job done. “For quite a while, the automotive industry has been driven by a cost–benefit analysis that doesn’t thoroughly consider the long-term ramifications of the technology that is used,” Miller says. “We are seeing is a large change in that mentality, though. The conclusion is catching on that you have to secure all surfaces—even if it drives up costs.”

In the past, the U.S. government has stepped in when it sees security problems not being thoroughly investigated by auto makers. “They have come in and said in the past: ‘look, we are going to create regulations that say: ‘you need to do crash tests; and by this date, you have to have seatbelts; and by this date, you have to have airbags,’” Miller says.

In the future, the federal government could expand their oversight of automakers to include cybersecurity. “They might come up with a list of vehicles that they deem to be the safest after they attempted to break into them and these are the safest from an IT standpoint, and these are the least safe,” Miller says. “And they will come up with regulations that say that you have to do these standard things and prove that you have that ability.’”