Attack on Connected Cars Could Could Kill Thousands, Advocacy Group Claims
The cyber threat to connected cars (cars with a connection to the internet) is known and accepted. Now Los Angeles-based Consumer Watchdog (CW) has elevated that threat to one of national security in a new report titled, “Kill Switch: Why Connected Cars Can be Killing Machines and How to Turn Them Off.”
CW claims to have talked to an unnamed but concerned group “of car industry technologists and engineers” in compiling its report (PDF ).
The problem comes from the sheer and growing number of connected cars on American roads. About 20% of cars are already connected to the internet. By 2022, this number will have increased to more than 60%. “The connectivity,” says CW, “is marketed under various names, but a common feature is the ability to control your car from an unlimited distance away using a smartphone app. If you can control your car from any distance, so can a hacker.”
This is not news — but CW is considering the threat not to a single car, but to hundreds of cars simultaneously in a specific area. “A plausible scenario,” it warns, “involving a fleet-wide hack during rush hour in major U.S. metropolitan areas could result in approximately 3,000 fatalities, the same death toll as the 9/11- attack.” It then raises the temperature by mentioning Russia and saying, “we increasingly live in the era of cyber warfare. An attack targeting transportation infrastructure is a growing possibility.”
Meanwhile, the auto industry is doing little, or not enough, to protect a mass attack on the most critical mode of transport, the car, within a critical industry.
Gloria Bergquist, a spokeswoman for the Alliance of Automobile Manufacturers, claims this isn’t so, suggesting that the report is aimed at generating hype ahead of Black Hat next week. There is at least one relevant briefing scheduled at Black Hat: ‘0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars’, set for Thursday. The talk is being given jointly by KeenLab (who found the vulnerabilities ) and BMW (who has fixed them).
“Today, cybersecurity is a priority to every industry using computer systems, including automobiles,” continued Bergquist in a statement to AFP. “Automakers are taking many protective actions, including designing vehicles from the start with security features and adding cybersecurity measures to new and redesigned models.”
She added, “Consumers should exercise good cyber hygiene in all they do, including properly pairing a phone to a car, deleting phone data from rental cars (if paired), and being active in doing the maintenance and updates as requested for phones and vehicles.” Security experts often say this is the wrong way around: users should not be required to protect their devices (because many won’t), but should be protected by their devices.
CW suggests that rather than limiting connectivity to the internet for security reasons, the motor industry is continuing to increase it for commercial reasons. The suggestion is that new devices and features are being rushed to market with inadequate security by design. This is exacerbated by the common use of open source software for which the industry has little control.
The connected car is a mobile IoT device, similar but larger and potentially more dangerous than unmanned aerial vehicles (UAVs, or drones). In this latter case, Matt Rahman, COO at IOActive, recently told SecurityWeek, “where is the safety? For example, if you had a high-profile VIP, you could identify that person and crash the drone into his skull.” Similar but greater damage could be done by a, or multiple hacked connected cars.
CW makes multiple recommendations to increase both the security of connected cars, and the safety of people. First and foremost, it recommends that cars have a ‘kill switch’ so that drivers can instantly disconnect from the internet. While this could help in some scenarios, it is not clear in others. “Cars can be infected with ‘sleeper’ malware that wakes at a given date and time,” says the report… “resulting in a massive coordinated attack.” Simply disconnecting from the internet would not solve this.
Other recommendations include greater transparency around safety certifications and testing methodologies; CEOs to be held personally legally liable for the cyber security status of the cars; and “a general standard protocol that cars not be connected to wide-area networks until they can be proven immune to hackers.” That last will be difficult. History tells us that if something has software, it can be hacked; and if it has internet connectivity, it can be hacked remotely. The secret is in making it as difficult as possible.
The final recommendation will be equally difficult. “Future designs will completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks because connecting safetycritical systems to the Internet is inherently dangerous design.” This may simply be unacceptable to, or even impossible for, the industry. CW itself notes, “Car makers have many economic motivations to connect vehicles to the Internet — from saving money on recalls by updating vehicle software over-the-air to collecting valuable data on how fast we drive to where we shop.”
“This is an interesting report,” Dmitry Kurbatov, CTO at Positive Technologies, told SecurityWeek. “in that it contains a lot of criticisms of the industry but few relevant recommendations on how to improve security in connected cars. Yes, there are a few examples of these cars being hacked, but these cases are well organized lab tests rather than real life incidents. And this is the right approach — technologies should be tested and when there is a negative result, these flaws should be fixed. You can never guarantee something will be bulletproof and secured, but you should dedicate the appropriate amount of effort to make it suitable and safe to use.”
Unless all intelligence is removed from cars — and that’s not going to happen — internet connectivity is necessary to update, maintain, patch and secure that intelligence. The only alternative would be the frequent and uneconomic recall of potentially millions of cars, which would be an incentive for the industry to ignore problems — making the cars more dangerous rather than more safe.
“We strongly agree with Consumer Watchdog’s research that connected cars are exposed to attacks and that hacking any car model is a matter of time and resources,” David Barzilai, Chairman and Co-Founder of embedded security firm Karamba Security, told SecurityWeek. “However, we don’t agree with the conclusion that a Kill Switch will ultimately solve this problem cybersecurity issue. A Kill Switch can be hacked too, and deactivated to ensure the success of the cyberattack. Carmakers must raise the bar to hackers, by hardening the safety critical and the externally connected controllers according to factory settings.”
“Ironically, Europe is moving faster than the US to declare de-facto standards that help car manufacturers to protect their driver-assist (ADAS) controllers against cyberattacks,” Barzilai added. “FCA, Audi, BMW, Daimler, and VW recommended in a ‘Safety First’ publication (which was released on July 3rd 2019) to use Control Flow Integrity (CFI) to ensure that deviations from factory settings are automatically detected and prevented and hackers are shut out of the car, without relying on consumers’ reaction.”
Nevertheless, CW says, “If carmakers do not commit by December 31, 2019, legislators and regulators should mandate these protections.”