Security and Connected Cars: Threat Not Limited to Autonomous Vehicles

PinIt
Autonomous Vehicles

When it comes to cybersecurity and connected vehicles, you may think of autonomous cars. But the threat is not restricted to self-driving vehicles.

When it comes to cybersecurity and the connected vehicle, people tend to think of the most extreme situations regarding insecure autonomous vehicles. They may think about a terrorist hacking an autonomous vehicle and directing it at a population center, or they think of a kidnapper, finding the car with the president in it and telling it to go somewhere else.

What people don’t realize, however, is that this threat is not restricted to autonomous vehicles. We already live in a world in which the police can ask General Motors’ (GM) OnStar service to force a stolen vehicle to slow down and it is already possible to be in a vehicle and lose control of it to a hacker.  If we want to advance the Internet of Cars, we need to secure our vehicles.

You should remember when tackling cybersecurity that hacks will happen. As long as a door can be opened, hackers will try to pry it open. Nothing is unhackable. A 2015 Duke University/CFO Magazine Global Business Outlook Survey declares that more than 80 percent of U.S. companies had been successfully hacked. The Survey defines a hack as theft of data, changing data and taking private data and making it public. The report claims that larger firms tended to be safer from cyberattacks, but even 60 percent of large firms declared they had been hit.

Your car driven by someone else, as represented by a toy RC car

Your car driven by someone else, as represented by a toy RC car. (Source: Pixalbay.)

Today’s vehicles can already be hacked

There is little reason to believe cars, trucks, or any other device will be safer. A hacker could access a vehicle’s global positioning system (GPS) information and track its travel path. A hacker could also remotely open or lock a vehicle. Already there have been cases in which a connected vehicle was remotely controlled. Two years ago a couple hackers found a vulnerability in Chrysler Jeeps that allowed the hacker to manipulate the air conditioner, change the radio station, control the windshield wipers and wiper fluid, turn off the brakes, and stop the accelerator from working.

[ Related: Why the U.S. Military Is Gung-Ho About Autonomous Boats ]

All this was done over cellular networks. Luckily, the hackers were white hats, or hackers who find computer vulnerabilities and report them before a “black hat” can use them.  Chrysler recalled the “hackable” vehicles. Unfortunately, the hackers went on to find other vulnerabilities a year later, such as the ability to force the vehicle to accelerate or turn the vehicle’s steering wheel. This hack is not as dangerous as the other one discussed above because it requires a device to be connected to the car’s OBD port.

Below is a video of the Chrysler white hats demonstrating their work to a Wired reporter:

Chrysler vehicles are not uniquely vulnerable. In 2010 researchers at the University of California at San Diego and the University of Washington demonstrated they could hack General Motors’ 2009 Chevrolet Impala over cellular networks.

This exploit allowed hackers to remotely control most of the vehicle, with the main exception being the steering wheel. The white hats revealed this exploit only to GM and the National Highway Traffic Safety Administration in the spring of 2010, but did not tell the public about this vulnerability. It took GM about five years to fully fix the vulnerability, and we are lucky no black hat (that we know of) took advantage of this vulnerability.

GM has since developed the capability to update its vehicles’ software “over-the-air,” or download software patches through cellular networks. The vulnerability was finally fixed in the first few months of 2015, when GM distributed its software update over its Verizon network. The researchers were surprised. They thought the cars would have to be recalled (once the 2015 hack was announced, Chrysler recalled 1.4 million of its vehicles). You should note that GM is not the only company that can do this.  Some Ford vehicles are also capable of over-the-air updates (albeit only when the vehicle is near a Ford dealer over Wi-Fi) and Tesla vehicles are capable of receiving over-the-air updates as well.

A Tesla car operating in Autopilot mode, where the car is driving itself- instead of being driven by the person inside or an unseen hacker. (Source: Marc van der Chijs.)

A Tesla car operating in autopilot mode, where the car is driving itself — instead of being driven by the person inside or controlled an unseen hacker. (Source: Marc van der Chijs.)

This is not only a Detroit problem. Last July, Keen Security Lab in Shanghai revealed they hacked a Tesla Model X for the second time. They were able to remotely turn on the brakes, open and close the doors and trunk, and blink the vehicle’s lights in time to the music streaming from the car itself. They performed this attack through the vehicle’s web browser using a number of vulnerabilities over both Wi-Fi and a cellular connection.

[ Related: IoT Technologies: Developers Prefer Java, Worry About Security ]

The Lab, which is owned by the leading Chinese Internet company Tencent, announced the hack only after it gave Tesla the chance to patch the vulnerabilities. There have been other hacks that don’t require attacking the vehicle itself. Jonathan Pelt, a security researcher at Security Innovation demonstrated that he could fool a car’s LiDAR (an expensive sensor that can cost more than $70,000 that is used by connected vehicles to better track its surroundings) using a laser pulse made with off-the-shelf parts that cost only $60. This pulse can trick the vehicle into thinking there are nonexistent objects at a distance of 100 meters (330 feet). Luckily, this was discovered before LiDARs became common or widespread.

When black hats attack autonomous cars

We have been lucky that most of the hacks were done by white hats, but black hats will become a greater threat once more cars are connected. This is also true of connected infrastructure. In a future article, I will explore how hackers can hack the vehicles’ surroundings — the road infrastructure — to cause further mischief.

We need to secure the connected vehicles that are currently being manufactured to make sure we are safe, and before we let autonomous vehicles become widespread. We tend to assume autonomous vehicles will be safe because they will remove human error from the equation. However, if we let cybersecurity take a backseat, few will trust their lives to autonomous vehicles.

People should adopt autonomous vehicles because they will be safer than their manual brethren, but if they are not secure from cyberattacks, the market will suffer and lives will be sacrificed because people will be too scared to ride an autonomous car. If we learn how to make the systems more secure and robust, then we can take that technology and transfer it to other products such as planes and make technology more secure as a whole.

Alexander Soley

About Alexander Soley

Alexander Soley is a consultant with expertise in connected vehicles and cyber security. He has consulted for Dell Technologies on connected vehicle regulation and strategy. He has also worked at JNK Securities, Delta Risk, the European Parliament and the International Diabetes Federation.

Leave a Reply