- October 14, 2015
- Info notes
Connected cars are to cars what smartphones are to phones: they embed an ever-increasing number of popular technologies allowing devices inside the car to connect to other devices within or outside the car. Unsurprisingly, these technologies introduce security risks related to the integration of technologies often developed by third parties. More worryingly, the broadening of the attack surface with embedded Bluetooth-enabled and internet-connected devices makes them increasingly vulnerable to malicious actors.
As a result, while car security historically focussed mostly on theft prevention, this new paradigm brings security closer than ever to safety, as numerous headlines over the first half of 2015 highlighted.
An increase in reported issues related to car cybersecurity
Until recently, reported incidents related to car cybersecurity were sporadic and either marginal or negligible. As of 2015 though, ENISA has noted a sharp increase in the number of reported incidents, from simple bugs to daunting cyber attacks.
On theft issues first, the hack of the BMW key fobs made the news in 2012, yet manufacturers still face difficulties securing them, as demonstrated by the recall of 65 000 Range Rovers on 13 July 2015. A similar issue was also reported in April 2015, involving a $17 amplifier supposedly increasing the query range of cars' keyless systems, so that key fobs in one's house could open the "amplified" car parked in the garage.
While these attacks require physical access to the surroundings of the car, remote attacks are also appearing: on 31 July 2015, a vulnerability was revealed in the remote car application for General Motors (GM) and BMW vehicles, allowing vehicles to be unlocked over the internet.
This same vulnerability also had an impact on data protection, as attackers were able to track the car's movements. Even more disturbing, malfunctions of or attacks against the car's critical elements are no longer science fiction; the line between car security and safety is thinning.
On 2 July 2015, Ford recalled over 400,000 cars because of a software bug in the body control module which could prevent the engine from being turned off. At the opposite end, the vulnerability mentioned above in the GM remote car application allowed malicious actors to start the engine remotely. In February 2015, 2.2 million BMWs were recalled because their windows could be lowered, with the vehicle in motion, by sending malicious data to the car infotainment system's SIM card. Lastly, on 21 July 2015, Chrysler had to recall over 1.4 million cars after security researchers managed to take over, via the internet, practically all of a Jeep's systems: steering wheel, brakes, accelerator, engine ignition, windows, radio, and all this with the driver sitting in the car, at full speed on the highway.
So far the automotive industry has responded to these new risks in various ways, mostly reactively, notably by recalling cars or patching vulnerable applications. These solutions are visible and possibly quite costly, and definitely a nuisance to the customers.
In this light, manufacturers are trying to find alternatives, such as Chrysler which, faced with a massive recall campaign, decided to send owners of vulnerable vehicles a USB key to plug directly into the car. From a security point of view, the risks introduced by the impossibility of guaranteeing the origin of postal mail, and hence of the USB keys, led many to raise an eyebrow.
Such quick fixes end up creating more problems than they solve, as with the trackers put in place by insurance companies to deter thieves, which introduced new vulnerabilities used by the latter to unlock the cars even more easily, or even to activate the brakes remotely. Even more questionable, other manufacturers took legal action to silence researchers who found vulnerabilities, in the illusory attempt to achieve security by obscurity.
On the positive side, following the Jeep hack mentioned above and before deciding to send USB keys, Chrysler cooperated with the security researchers who broke the story to develop a patch. Improving the patching regime is definitely needed, and Tesla has actually implemented over-the-air updates so that its cars can now be updated via Wi-Fi when parked at home. Although few would question the practicality of such an update rollout method, the security of the architecture supporting it will require appropriate standards to limit the possibility of mass infection via a malicious firmware update.
Trivial but apparently still worth mentioning: investing in security by design in the production process will prove, just as in the software development industry, the most viable option in the long run. In this light, Tesla again proves to be pushing the market forward, as it has started recruiting cybersecurity experts to involve them early on in the development of its cars. It has even just launched a vulnerability disclosure bounty programme, similar to those of Google or Microsoft.
The shift required for the automotive industry to tackle cybersecurity risks should build upon recognised security by design methods used in the software development industry for years, such as defence in depth or network isolation, but also security mechanisms for the patching regime such as encrypted OTA updates.
The latest news on car cybersecurity indicates that at least parts of the automotive sector have dived into the connected world without the processes required to guarantee both the security and, by extension, the safety of their customers. Relying upon proven security principles in the design, management and patching phases is a necessary step before diving into the soon-to-be-a-reality world of autonomous cars.
In 2016, ENISA will release a study on the threats against smart cars, paving the way for a serious discussion on minimum security requirements in the automotive sector. Also in 2016, ENISA will analyse the current legislative challenges with regard to autonomous cars.
About “Info Notes” from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS-related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the “Info Notes” series (firstname.lastname@example.org).