Hacking The Connect Car – Fact vs. Myth

I’ve been thinking a lot about security and the connected vehicle. It
started quite some time ago when I worked at Toyota. I was involved in
helping investigate and secure embedded telematics systems and I know
first hand how very, very seriously automotive OEMs take the
responsibility. But I also know there is a tremendous amount of fear
mongering and sensationalism around the topic.

I was fortunate to be an advisor to the LA Auto Show’s Connected Car
Expo and our most heated discussions were around what constitutes a real
threat to connected cars. We made sure we brought in real experts to
deliver real solutions to real threats. It is actually harder than you
think. (here is a video clip from the cyber security session if you’re
interested.)

Late last week, I moderated a panel at the Auto Tech Council on cyber
security. The panel description included the statement:

“…very real risks of a runaway vehicle must be reduced…”
I take umbrage with that statement. Serious umbrage.

I despise that kind of marketing because it is part of the sensational,
FOX NEWS style hype, scare mongering, bullshit that is way too prevalent
in our society. I yearn for civilized, rational debates with informed
citizens and learned experts. I want open minds, empathy, intelligence,
objective information, and baby unicorns. I personally aim to create
space where people can be rational and differing opinions actually
heard.

I asked my two experts, Thorsten Held from whiteCryption and Lucas Crowe
from Telecommunications Systems to define HACKING. Keep in mind, I am
talking about a type of specific hacking and cyber security associated
with when you put wireless communications technology into a vehicle.

The definition of hacking the experts gave was excellent. Lucas said,
“Hacking is doing anything the device/system is not supposed to do.”

Fairly broad, but immediately understandable. I tend to think of
hacking as doing something malicious. And I think most people thinking
about hacking in the negative. To get down to brass tacks, I asked each
expert to rank each of the following treats from 1 to 10 for their
possibility today:
• Wirelessly opening a car door and/or trunk
• Wirelessly moving a vehicle
• Monitoring a vehicle’s location, wirelessly
• Stealing data wirelessly from a vehicle about a vehicle
• Stealing data wirelessly from a vehicle about a driver
• Injecting malicious code wirelessly
• Wirelessly triggering an airbag

It was agreed that all of these types of threats are not immediately
worrisome or even possible, especially the wireless physical
manipulation of the vehicle. It was agreed that data breaches were far
more likely. For that reason, I am defining the hacking of a connected
car into two types:
1. Stealing data wirelessly, a data breach
2. Wirelessly controlling the vehicle

While we did not talk about it in this panel, I recognize that the
cellular modem in connected vehicles could be breached for using the
wireless capabilities, ie. free calling. I know that mobile network
operators are concerned about wireless cars being hacked for access to
their networks, but I’m putting that fear to the side, for now.

Which gets me on to the real worry about the hacking of wireless cars –
FEAR. And I agree the fear is real. McKinsey conducted a consumer
survey [insert link here] of 2,000 new car buyers in Germany, US,
Brazil, and China. A full 54% of responders are afraid that people can
hack into their cars and manipulate it. The manipulation example given:
braking system!

I personally do not believe the fear is well founded. Hollywood aside,
I believe and the security experts confirmed, to wirelessly hack a
vehicle’s engine controls – braking, steering, acceleration, etc – is
incredibly hard and simply not feasible at this time.

We did discuss several types of hacks and I found this topic
fascinating. There is denial of service attack, hacking in-app
purchases, ransom attacks, and fame messaging. Fame messaging is more
of a prank than a malicious attack. It involves someone (presumed very
juvenile) seeking fame and recognition, inserts a message on the screen
of connected vehicles, writ large. It could be something as simple as
“You’ve been punk’d!”

Initially, I blew off this type of “hack” as absurd. But the more I
reflected on a fame message attack, the more I realized how incredibly
effective at generating wide spread panic and concern an innocuous hack
of this nature would be. It would effectively mean that someone was
able to obtain critical keys from inside an OEM to write to a head unit.

I asked the experts how likely it is that a hack comes from inside the
OEM, from a pissed off employee or lack controls. They both agreed
whole-heartedly that is could be a very likely scenario. My husband
pointed out to me that the best way to hack a bank account is to asker
the owner for the password. I am sure the OEMs have some kind of
universal keys to write to head units remotely. I am assuming that
these universal keys are locked down, encrypted, and protected like Fort
Knox.

But I could be wrong.

As frequent readers will know, I am a huge fan of over-the-air updates
and think it offers the greatest value for owners and automotive OEMs.
And I am well aware that the ability to read and write to the vehicle
systems opens legitimate security concerns. When asking Thorsten and
Lucas if there were different concerns based on the type of
connectivity, they said yes…and the biggest concern was not for
embedded units engaged in OTA, but rather from the smartphone being
tethered to the head unit. That did not surprise me at all…except of
course, I think any malware that you bring into your vehicle will not be
able to propagate into the vehicle systems. Engineers sandbox
smartphone connectivity and I think that will be true for Apple’s
CarPlay and Google’s Android Auto.

I really tried to get the experts to get very specific about the real
risks and the real solutions. A few concerns I threw out included lack
of sufficient CAN BUS protection, weak authentication, poor protocols,
etc. The farthest either went was to elaborate on concerns regards
vehicle to infrastructure types of hacks. The story goes, the
government uses Wifi to broadcast to vehicles traffic and emergency
information. These systems are hacked and cars are told to stop or get
off the road causing snarls and general mayhem. Yawn.

What we all did agree upon was bug bounties are likely not to be the
only or best solution. There was real agreement from the security
experts and the audience that a collaborative automotive group should be
formed to share vulnerabilities, threats, incidents, problems,
solutions, etc. And I know there is an effort underway through the
global automotive alliance to form an ISAC, which stands for information
sharing and analysis center.

There was not wide spread agreement that the federal government should
be involved from a reporting or transparency perspective! Surprise!
The experts thought it was a great idea, but the faces of the folks who
work for automotive OEMs was priceless. It was moments like that, that
make me really love moderating panels!