Security Experts:

Feedback Friday: Industry Reactions to Remote Car Hacking

Researchers Charlie Miller and Chris Valasek have remotely hacked a Jeep by exploiting a vulnerability in the car’s in-vehicle connectivity system.

The experts have demonstrated that a remote attacker can use the vehicle’s 3G data connectivity to kill the engine, turn on the air conditioning, hijack the infotainment system, track the vehicle via GPS, disable the brakes, and take control of the steering.

According to Fiat Chrysler Automobiles (FCA), the vulnerability affects several models that use the Sprint-powered Uconnect feature and have 8.4-inch touchscreen systems. The list includes Ram, Cherokee, Grand Cherokee, Durango, Viper, Challenger and Chrysler models.

FCA released a software update to address the vulnerability just days before the researchers made their findings public. On Friday, the automaker decided to recall roughly 1.4 million affected vehicles to perform the software update.

Expert comments on Jeep hack

Just as Miller and Valasek’s research came to light, U.S. Senators Ed Markey and Richard Blumenthal introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect the privacy of drivers.

On the other hand, this experiment has once again raised questions about the legal implications of such research. The EFF said that legislation such as the Digital Millennium Copyright Act (DMCA) must “get out of the way of vehicle security research.”

Experts contacted by SecurityWeek have shared some thoughts on the latest car hacking research, including the impact of the DMCA and other legal aspects, the importance of building secure systems, and possible solutions for mitigating attacks.


And the feedback begins...


Parnian Najafi Borazjani, security researcher at iSIGHT Partners:

“So far, most vehicle hackers are car enthusiasts, researchers, and a few people with the motivation to break into cars or steal them. Currently, security experts seem to be ahead of black hat hackers but that may change soon.

[...]

[Car hacking] is not an easy problem to fix. It is hard to justify the higher price of a vehicle with security features that are not visible to the customer, especially when the actual threat of malicious activity seems uncertain. Car manufactures are in a constant race to provide new features and more connectivity for their customers. However, being first with new technology while properly testing for security flaws remains a challenge.

 

An even bigger challenge is the fact that the controller area network (CAN) protocol, the dominant network protocol in vehicles, was not designed with security in mind. CAN is a broadcast protocol that does not provide a way to authenticate and encrypt data. No matter how much manufacturers secure their software, the protocol is still unsecure. There are changes underway to make the CAN protocol more secure, but it will be a while until it is seen in production vehicles. For now, the key issues are the security of ECU (engine control unit) software as well as in the protocol implementations.”

John Prisco, President and CEO, Triumfant:

“We should not assume that hackers will simply get pleasure or enjoyment from having wireless control over a vehicle’s steering, brakes, transmission or entertainment system. While it’s a great way to demonstrate their tradecraft, there is little to be gained by simply turning a car off; rather, there is a business plan for entrepreneurial hackers at work here.

 

I can see a time where cars will be held at ransom a’la cryptolocker – a ransomware Trojan that requires users pay a fee before receiving the encryption key that will unlock their computers/data. A hacker could actually lock the steering wheel, or cut power from the transmission so that the vehicle could be out of commission. And then charge $500 to the unsuspecting owner if they want to get back on the road. Heck! AutoCrypt could develop an iPhone app that connects to PayPal so drivers can be on their way without much fuss. Who knows, this may be an opportunity for auto insurance companies to make a buck now as well insuring against ransomware.”

Steve Durbin, Managing Director of the Information Security Forum:

“At the ISF, we anticipate that in the next few years, disruption to digital systems will lead to verifiable human deaths. Some of the first deaths will be caused by accidents with smart and self-guided cars, as well as degradation to GPS causing fatal disruption to air, naval and ground transport systems. Hype around ‘cyber deaths’ will grow and incidents that we are seeing today including low-level hacking, data breaches, and even espionage, will seem insignificant by comparison.

 

Cyber deaths will result in reputational damage and change customer behavior by potentially discouraging them from buying smart cars or, say, using connected medical devices. Organizations will be forced to manage expectations from product users worried about safety and from shareholders concerned about financial implications of new liabilities. The impact will be felt across numerous sectors, including those that design, own or operate vulnerable cyber-physical systems.

 

As the extent of cyber-physical risk becomes more evident, the information security profession will fundamentally change. It will be forced to broaden its perspective beyond security to embrace the concept of safety. This will require security professionals to maintain their expertise in protecting against malicious hacking, while sharpening their skills to protect against accidents or safety hazards.” 

Bryan Glancey, CTO, Optio Labs:

“The rationale behind this is that DMCA is the most direct law that makes hacking or security research illegal. It protects against reverse engineering and many other things. Basically, what EFF is saying is correct (and very timely with Blackhat/DEFCON coming up) – you can’t find vulnerabilities if you don’t look for them and DMCA stands in the way of a lot of professionals from hacking.

 

This is extremely interesting in Mobile environments as well – everyone knows about ‘jailbreaking’ or rooting of mobile devices, but a lot of this behavior is protected by DMCA. Basically, DMCA acts as a technology legal shield. It’s illegal to test the security vulnerabilities in anything because people that don’t understand the technologies are afraid of those that do understand.

 

A great example of this is CSS, or the Content Scrambling System used for protecting information previously on DVD. To discuss the findings of researchers, or publish the flaws in the security led to legal prosecutions. Which, by the way, was the driver behind DMCA.”

Sergey Lozhkin, Senior Security Researcher at GReAT, Kaspersky Lab: 

“If the reports are correct, the attack proves that it is enough to know the external IP of a target, in order to rewrite the code in the car’s onboard computer and gain control of the vehicle.

 

Vulnerabilities could be found anywhere, where there is an operating system and installed applications. To protect a car, manufacturers should think of the security of cars in the same way that we would approach the security of corporate networks or computers.

 

At Kaspersky Lab, we believe that to avoid such incidents, manufacturers should build the smart architecture for cars with two basic principles in mind: isolation and controlled communications. Isolation means that two separate systems cannot influence one another (for example, the entertainment system shouldn’t influence the control system in the way that it did with the Jeep Cherokee). Controlled communications mean that cryptography and the authentication for transmitting and accepting information from/to the car should be fully implemented. According to the result of the experiment we witnessed, the authentication algorithms were weak/vulnerable, or the cryptography was not correctly implemented.”

Justin W. Clarke, Senior Security Researcher with Cylance:

“It’s exciting that research into automotive component security that is usually veiled by NDAs has been made public. Public disclosure has ignited the public’s interest in this obscure but pervasive topic. As the results of hacks like this could impact the safety of the general public, it’s of the utmost importance that vehicle manufacturers, vehicle component manufacturers, dealers, mechanics, rental agencies, fleet owners, and drivers all take note of vulnerabilities such as these and assess whether and how they should protect themselves from attacks.

 

I worry that sensationalized accounts of these demonstrations may lead to knee-jerk legislation which may have inadvertent consequences. We’ve previously seen this when well-intentioned legislation such as the DMCA effectively outlaw responsible security research even when performed in controlled environments. Additionally, legislation of security and privacy controls may serve to focus limited security resources toward documenting compliance, while ignoring overall security. We saw this and continue to see this with regard to NERC CIP regulations where Electric Utilities in the US are forced to comply with complex requirements which serve as a comprehensive baseline, but still do not ensure overall security. With legislation-upon-legislation forcing each industry's limited resources on compliance requirements, security is essentially being forgotten.

 

Finally, it’s very interesting to me to see a well-known wireless company’s name in the media accounts of this attack. To me it serves as a stark reminder that when we buy a car it’s not simply a Ford Escape or Honda Civic or Tata Maruti, rather it’s an integrated system of components and services which are manufactured and serviced by numerous organizations. It’s only a matter of time until a security vulnerability is identified in a vehicle, resulting in finger-pointing between the company whose emblem is on the chassis, and the company whose name is stamped on an electronic component inside. I have my popcorn ready.”

Matt Clemens, Security Solutions Architect, Arxan Technologies:

“The independent security research debate centers on two issues – consumer safety and automaker privacy. While these two topics are positioned as competing forces, one point should not be overlooked. The real issue – and common ground -- in this debate is the need for greater security assurance and confidence that auto manufacturers are baking into their vehicles the most advanced security protections that mitigate real, demonstrable risks.

 

We have seen an increase in new risks at the application layer that can compromise critical vehicle systems, the integrity of valuable or private vehicle and user information, as well as premium content and payment processing channels. For example, infotainment systems; 3rd party applications & libraries and service / testing tools are key areas of the connected car where unprotected applications can be exploited by hackers if not properly protected.”

Paco Hope, Principal Consultant at Cigital:

"The value of a high-profile stunt like this is that it pierces our veil of disbelief. We don’t want to believe that cars can be hacked this way, and manufacturers are happy to support this belief. The other myth that’s told in the software industry is that securing software is hard. If we paraded participants in the BSIMM or similar industry leaders whose teams build secure software on a daily basis, we could dispel the mindset that making secure software is harder, or more expensive, or requires rare skill. Secure software is possible and the techniques for resisting these attacks are well known.

 

While the skills of the likes of Charlie Miller and Chris Valasek are noteworthy and remarkable, their high-profile stunts could be prevented by a healthy amount of pedestrian and well-understood secure software engineering. The software industry is 60 years old and we know how to build secure software. We’ve written it down, observed the activities in industry, and verified the impact of those activities. The challenge today is to make good software engineering commonplace. Cars today are merely self-powered computers with exotic peripherals like transmissions and brakes instead of laser printers and mice. What we do to secure software in the non-automotive world can be adapted to the automotive world with straightforward effort."

Mark Parker, Senior Product Manager at iSheriff:

“Any computing device is subject to being exploited, whether it be in a vehicle, or the climate control system for a building. The biggest threat with these closed proprietary systems is that there are very few experts that work with each specific device. In cases where a closed device has been exploited, consumers are at the whim of the manufacturer. If widespread attack against a single automobile type was in the wild, the implications on passenger safety and traffic will have a very real impact on commerce as roads, driveways and parking lots are blocked worldwide. Opening these systems up so that responsible security experts can provide solutions is an important step in the right direction.”

David Shearer, Chief Executive Officer, (ISC)2:

"The Fiat-Chrysler Jeep hack is an example of embedded systems with software and hardware infrastructure considerations that both require proactive security design, engineering and implementation throughout the vehicle’s life cycle. Consumers need to demand more from software vendors; however, in the world of the Internet of Things (IoT), consumers need to require more from all manufacturers that produce Internet-capable products and leverage hardware and software. In the case of the Jeep hack, an after-the-fact software patch is too late and only addresses a percentage of the problem.

 

From a hardware perspective, separate and distinct (i.e., air-gapped) physical networks in the vehicle is an example of a better design and engineering strategy."

Rob Sadowski, Director of Technology Solutions at RSA:

“The research results are disappointing but not unexpected. Too many products are designed with security as an afterthought or security requirements absent altogether. In this case, seemingly fundamental best practices, such as physical isolation of entertainment systems and core vehicle control networks, prohibiting remote, public network access to a vehicle, and prohibiting execution of unverified, potentially malicious code were not adhered to or implemented in such a way that they could be circumvented by an attacker.

 

This example is preview of things to come as consumers and businesses deploy more connected devices. Many of the billions of devices that are or are predicted to be deployed as part of the “Internet of Things” will have similar vulnerabilities, with limited protection from similar types of damaging attacks and limited ability to be quickly remediated if vulnerabilities are found.

 

Developers of connected devices need to take a wide view of potential attack vectors, expand their threat models, and take proactive steps to prohibit unauthorized access and control of these devices. Further, there needs to be a capability to rapidly patch vulnerabilities that are inevitable with any software-driven systems. Finally, there needs to be better visibility into these connected device environments in order to detect and respond to attempts to compromise them.” 

Lawrence Munro, Director at Trustwave:

"The recently discovered exploits have popularized several serious vulnerabilities within the production of cars, the likes of which have only been seen previously in other fields of computerization. This should come as no surprise to the security community at large (although most will be impressed with the actual implementation) as it’s the latest in a series of automotive security exposés. Given that the protocols used in many ‘auto-hacking’ cases are reasonably standard and well documented, it’s almost an inevitability that a security flaw would be found, or already exist that could lead to a serious compromise. In addition to this, Internet enabling a vehicle and maintaining physical access between the systems that use the web, and critical systems such as braking and steering is inherently a bad idea.

 

The creators of such systems (and IoT devices in general) should make educated assertions as to whether the benefits outweigh the risks of Internet enabling a car. Should they deem that the features this gives consumers outweighs the potential impact of abuse, they should segregate critical systems (such as steering, braking and transmission) from those that are Internet enabled. Manufacturers as well as the end user auto companies should also incorporate security testing during the development, production and active phases of the IoT product and ecosystem surrounding it to continuously identify and remediate security vulnerabilities that could lead to a breach.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

"As society marches inexorably toward the Internet of Things (IoT), this week's timely demonstration of remote automobile hacking highlights the risks of depending on manufacturers to think of every possible security risk, and the need to look beyond traditional access or patch management controls to address the inevitable vulnerabilities and safety issues. Just like enterprise networks, it’s not enough to try to keep the bad guys out by building higher walls and moats. Instead, we need to assume that our devices will be hacked, plan for the worst and learn to manage the risk.


Corporate networks today are moving quickly to implement Breach Detection Systems (BDS) on the inside of their networks to complement security controls at the perimeter. We need a similar BDS for the Internet of Things that examines the pattern and sequence of behaviors. Such automated real-time software will need to examine every vehicle system, application and network behavior to determine if legitimate reasons exist for events occurring without driver intervention. Through such real-time pattern recognition and behavioral analysis, we can work toward a safety system that notifies the driver, warns law enforcement and potentially even brings the vehicle to a controlled stop at a safe location."

Adam Harder, Director of Mobile Engineering at Endgame:

"Automobile computer systems that connect through the phone network have avoided deep scrutiny from the security community for three reasons: Test equipment and test devices are really expensive, the protocols and architectures are proprietary and obscure, and the devices don’t allow run time introspection.

 

That dynamic is now changing. Open source radio test equipment like GNURadio is leveling the playing field, and the research community has caught up quickly, developing greater knowledge of cellular infrastructure and implementations. The community is now tackling the hard work of reverse engineering target devices and exploiting vulnerabilities.The designers of the system in the Jeep didn’t think the remote-control system could be compromised. This assumption is now demonstrably false."

Andrew Braunberg, Research Director at NSS Labs:

"This hack really highlights how unprepared most manufacturers are to secure these types of products that are becoming components of the Internet of things. Hacking automobiles provides a vivid example of the dangers, but cars are only one of many products that are now Internet enabled and therefore increasingly vulnerable. This research is important and could well provide the spark to get momentum behind better security practices among the automobile manufacturers. I do believe it could have been done without the drama of stalling a vehicle on an active highway, however." 

Norm Laudermilch, Chief Operating Officer at Invincea:

"The announcement of the Jeep hack highlights what we should have already intuitively known: IOT is not a future technology; it’s here today with little or no security, and that presents a real threat to our physical safety.


And the problem is not limited to cars either. Our home security systems, thermostats, and smoke/fire detectors are also likely vulnerable to similar attacks, highlighting that failures in security aren’t just about the loss of personal data anymore. Traffic light control systems, the management of our mass transit infrastructure – same thing. Security has to be an intrinsic part of every electronic system we build today, or people will die. The sooner manufacturers realize this, the safer we’ll all be."

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.