Deus ex Vehiculum: Security in the Age of Computerized Cars

As reported by the Economist: One ingenious conceit employed to great effect by science-fiction writers is the sentient machine bent on pursuing an inner mission of its own, from HAL in “2001: A Space Odyssey” to V.I.K.I. in the film version of "I Robot". Usually, humanity thwarts the rogue machine in question, but not always. In “Gridiron”, released in 1995, a computer system called Ismael—which controls the heating, lighting, lifts and everything else in a skyscraper in Los Angeles—runs amok and wreaks havoc on its occupants. The story's cataclysmic conclusion involves Ismael instructing the skyscraper’s computer-controlled hydraulic shock-absorbers (installed to damp the swaying caused by earthquakes) to shake the building, literally, to pieces. As it does so, Ismael’s cyber-spirit flees the crumbling tower by e-mailing a copy of its malevolent code to a diaspora of like-minded computers elsewhere in the world.

While vengeful cyber-spirits may not lurk inside today’s buildings or machines, malevolent humans frequently do. Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tire pressure, throttle setting, transmission and anti-collision systems. Today’s vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. Without adequate protection, the “connected car” can be every bit as vulnerable to attack and subversion as any computer network. 

Were that not worrisome enough, motorists can expect further cyber-mischief once vehicle-to-vehicle (V2V) communication becomes prevalent, and cars are endowed with their own IP addresses and internet connections. Meanwhile, car makers are beginning to offer over-the-air updates, using cellular connections, for patching flaws in their vehicles’ software. This makes it easier for attackers to infiltrate not just the odd vehicle, but thousands of them at a time. BMW recently beamed an over-the-air software update to 2.2 million of its customers’ cars. The potential for fleet-wide cyber-attacks ought to have car-makers seriously concerned.

Nor is it just vehicle theft motorists have to worry about. Car hacking can threaten people’s lives, both in the vehicle and outside it. The mind shudders at the thought of malicious code being inserted remotely into the logic of a self-driving car speeding autonomously down the highway.

This is not science fiction. Land Rover recently demonstrated a smartphone app that lets an owner take wireless control of his machine while up to ten meters (33 feet) away from it. The aim, says Land Rover, is to let off-road drivers maneuver their vehicles safely over dangerous stretches of terrain, or to assist urban motorists trying to back a vehicle out of a tight parking spot. Fine, except that such a level of remote control could also make it easier for thieves to steal parked cars, or terrorists to create chaos on the road. 

What is being done to protect vehicles from cyber-attack? Several recent events have stirred legislators into action. Last summer, for instance, during a meeting of automotive engineers and security experts, a 14-year-old schoolboy showed industry experts how to take control of a car remotely using circuitry he had lashed up overnight with $15 worth of parts bought from Radio Shack the day before. The youngster turned the windscreen wipers on and off, locked and unlocked the doors, engaged the engine-start mechanism, and had the headlamps flash to the beat of a tune on his iPhone. “It was mind-blowing,” recounted Andrew Brown, vice-president and chief technologist at Delphi Automotive, a manufacturer of auto parts.

More recently, Consumer Reports, a publication owned by a consumer advocacy and independent testing center in Yonkers, New York, got an eye-opener during a visit to a National Highway Traffic Safety Administration (NHTSA) laboratory. The publication’s editors were surprised when a technician turned off the engine of a test car they were driving using nothing more than a mobile phone. NHTSA has found ways of tampering remotely with door locks, seat-belt tensioning, instrument panels, brakes, steering mechanisms and engines—all while the test cars were being driven. Since its laboratory visit, Consumer Reports has been urging America's Congress to legislate for the highest possible security standards for car computer systems.

The message seems to be getting through. In recent weeks, the House Committee on Energy and Commerce has questioned all 17 motor manufacturers that sell vehicles in America, as well as NHTSA itself, about their plans to thwart car hackers. For its part, NHTSA has compiled a 40-page report on how best to deal with cyber-threats on the road. The safety agency has shared its findings with car-makers, but has been understandably reluctant to publicize the counter-measures in detail. 

The problem confronting car-makers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the “attack surface” of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system.

In a car, the remote attack surface includes such things as the vehicle’s on-board diagnostics, Bluetooth and WiFi ports, telematic devices like GPS navigation and cellular radios, plus radio-frequency chips in remote entry keys, tire pressure sensors and the like that communicate wirelessly with transponders connected to the vehicle’s Controller Area Network (CAN).

By functioning as a common communications bus, the CAN’s two-wire network for transmitting digital messages around a vehicle allows manufacturers to add features and accessories to a vehicle simply by plugging the additional components into the bus, instead of having to run fresh wires or install additional networks. That makes wiring the innards of cars easier and cheaper.

But by multiplexing signals from different devices on the CAN’s common communications channel, it is possible for vulnerabilities associated with an attack surface to talk to components that perform actual driving functions. For instance, it is not far-fetched to imagine an on-board cellular connection (such as GM’s OnStar network) being tricked into allowing hackers to inject malicious code into ECUs managing, say, the steering, braking or engine controls—courtesy of the shared CAN bus.

By far the best study to date of vehicle security is a survey carried out by Charlie Miller, formerly with the National Security Agency and now at Twitter, and Chris Valasek of IOActive, a security services company based in Seattle. The two researchers examined the remote attack surfaces of 20 popular models on American roads. In each case, they traced the network architecture along with all the computer-controlled features of the vehicles involved. In doing so, they were able to draw conclusions about how vulnerable, in principle, the various vehicles were to remote attack.

Of the half dozen attack surfaces Dr Miller and Mr Valasek analysed in detail for each vehicle, the most vulnerable in all instances turned out to be the on-board Bluetooth feature (“a very reliable entry point for attackers”), a car’s cellular radio service (“the holy grail of automotive attack”), and any browser-based internet connection available (“widely understood by attackers”).

The three most hackable vehicles—in terms of how their network architectures permitted attack surfaces to talk to components performing physical actions—were the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Infiniti Q50. This being litigious America, the automakers concerned quickly found themselves in the legal cross-hairs, as owners sought financial compensation for their vehicles’ perceived vulnerabilities.

One conclusion of the study is that, like computer networks, vehicles need layered defenses, so that penetrating to the heart of the system, though not impossible, becomes increasingly tedious and costly for an attacker. Another obvious suggestion is that automotive networks like the CAN bus, along with its local interconnections, should be designed in a way that isolates ECUs that talk to the outside world from those that control critical functions within the vehicle.

Ultimately, of course, cars are going to need some method of detecting cyber-attacks, and to have the means to neutralize them. In one important way, threat detection is easier in cars than in the networks used in offices. On a CAN bus, for instance, only ECUs are engaged in swapping messages with one another; no gullible humans are involved—as they are in offices—to open back doors unwittingly to phishing attacks from cyber-crooks masquerading as colleagues or customers.

That makes it easier to spot anomalies caused by an attacker’s injected code. To capture the attention of a targeted ECU, a bogus message has to be sent at a much higher rate—anything up to 100 times normal—in order to swamp legitimate messages being received by the processor. A simple device that plugs into a car’s diagnostic port can easily detect such exceptional traffic and instruct the CAN bus to ditch it.

That is a good start. But it does not mean cars can be made immune to cyber-attack. There is no such thing as absolute security. As Dr Miller and Mr Valasek note, even firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different. All the more so once they start communicating with one another, as well as with traffic signs and other roadside equipment.