Automobile Cybersecurity: Growing Risk
Increasing Vehicle Connectivity Could Lead to Hacker Exploitation
A hacker accessing an automobile remotely and taking over control might have seemed like science fiction a few years ago. But as cars become part of the "Internet of Things," the industry is ramping up its efforts to address ever-evolving, and realistic, data security issues.
Cars' wireless connections to the Internet via Bluetooth and wireless hot spots, and in-car applications that are accessible via customers' smart phones, raise the possibility that hackers could, for example, trigger the brakes or obtain personal information about the car or its driver.
In light of new potential risks, General Motors has hired its first chief product cybersecurity officer. Plus, the automobile industry is in the nascent stages of setting up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.
As automobiles become increasingly connected to the Internet, the potential for hackers to gain control of the vehicle or certain systems is much greater, says Chris Valasek, director of vehicle security research at IOActive, a computer security services firm. Valasek, along with another researcher, explored cyber vulnerabilities in automobiles with funding from the Cyber Fast Track initiative of the Defense Advanced Research Projects Agency, or DARPA.
By gaining access to a vehicle's systems, hackers could potentially take private information from the vehicle, such as GPS coordinates or the driver's username and password used for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that control certain features, such as cruise control, Valasek says.
"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage brakes or steer the steering wheel."
Hackers also could potentially wage a ransomware attack, says JD Sherry, vice president of technology and solutions at Trend Micro. "For example, you can't start your car unless you pay a ransom," he says.
Because of emerging cyberthreats, Sherry says, "it's important for car manufacturers to get in front of this now and design security at the front."
Tyler Shields, a security analyst at Forrester Research, notes: "It's one thing to hack someone's laptop and steal their credit card number. It's something totally different to hack someone's car and take out their brakes when doing 80 mph."
One step the automobile industry is taking to address cyberthreats is the formation of an automobile industry ISAC.
The Alliance of Automobile Manufacturers and the Association of Global Automakers are spearheading the formation of an ISAC to help share information about cyberthreats. ISACs already spearhead information sharing in other sectors, including financial services.
"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats," the two organizations said in a recent letter to the National Highway Traffic Safety Administration explaining the initiative.
While the ISAC formation is still in its early stages, both organizations are working toward establishing a mechanism for sharing vehicle cybersecurity information, threats, warnings and incidents among industry stakeholders.
"We're in the early stages of seeking out some of the best [security] experts to develop some kind of structure for the organization, such as the scope, governance and policies," says Wade Newton, a spokesperson for the Alliance of Automobile Manufacturers.
Improving Vehicle Security
In addition to the auto-ISAC, more automobile manufacturers likely will hire security professionals, following GM's lead, says Alan Brill, senior managing director at Kroll Advisory Solutions.
"It's important for companies to act now to designate a senior official to take responsibility for Internet of Things-related issues," he says. "For some organizations, it may be appropriate to select or hire someone with significant experience in dealing with these problems." Others may supplement internal resources with external specialist advice, he says.
GM recently promoted Jeffrey Massimilla to the newly created position of chief product cybersecurity officer. He previously was an engineering group manager at the company.
Massimilla will head a newly formed corporate unit called Vehicle and Vehicle Service Cybersecurity, says Jennie Ecclestone, a GM spokesperson. "The team will utilize our internal experts and work with outside specialists to develop and implement protocols and strategies to reduce the risks associated with cybersecurity threats."
In terms of security best practices, manufacturers should focus on an outside-in attack approach, says Trend Micro's Sherry. "Do penetration testing against the vehicles in the design process and determine where failure modes are," he advises. "Run the tests against your design process and determine how effective the design of the vehicle is, what the holes are, and what types of controls you can put in place if you missed something in the design process."
The security industry's role should be to help manufacturers identify and repair security vulnerabilities, says Forrester's Shields.
"The security industry should focus on looking for ways that they can contribute their considerable security expertise to proactively helping the vehicle manufacturers to create processes and procedures that introduce security from the design phase all the way through production of the software and hardware that make up the cars," Shields says.
The security of vehicles boils down to organizational awareness, says IOActive's Valasek. "Software companies didn't think about security before and realized how hard it was to bolt on afterwards," he says.