Vehicle Dash, Vehicle Crash. Network Security on the move

By Steve Smith
on 28th July 2015
in Blog, Internet of Things, IoT, Mobile Networks, Network Security, Wi-Fi, Wireless

Home
Vehicle Dash, Vehicle Crash. N...

Vehicle Dash, Vehicle Crash. Network Security on the move

Does your vehicle really need Network Security?

I stumbled across a rather alarming report about vehicle hacking. So much so I did some further digging to see just how serious this was. The fact that the vehicle featured in the report was a Jeep Cherokee struck a particular chord with me as I drive a Grand Cherokee. On this occasion the hack was planned and delivered to demonstrate the results of years’ of research into what could be a huge potential problem.

What exactly is the problem?

I must admit, when I first saw the headline about a vehicle being hacked while doing 70mph on the highway I did wonder if it was a publicity stunt. At worst I thought maybe the hackers had planted a device on the vehicle that enabled them to gain access to one of the many on-board computer systems. Having recently attended a talk on this technology (see blog http://www.astro.co.uk/mobile-mobile-networks-part-1/) I was well aware of the potential number of computer systems on one vehicle. However, what I discovered was actually quite worrying.

The vulnerability of any vehicle in question starts with the attack surface. For vehicles this encompasses a surprising number of ‘features’, including: wireless tyre sensors, dashboard Bluetooth access, cellular access and in car Wi-Fi. The hackers conducting the test gained access to their target vehicle via a 3G cellular network and were able to wreak havoc on the driver from the comfort of their home ranging from forcing the environmental control system to blast out cold air to cutting the engine power while on the highway. While in less dangerous surroundings they even demonstrated disabling the braking system causing the Jeep to roll into a ditch.

Surprisingly, at the time the hackers conducted their test many of these access points enabled the hackers direct access to most or all of the vehicle computer systems including environment controls, locking systems, brakes and engine management. And if this could get any worse, the hackers could even gain access to automated processes such as parallel parking. Although the report said that the hackers could not actually get access to the steering unless the vehicle was in reverse gear.

I couldn’t help thinking about the James Bond film, Skyfall when our hero Mr Bond had to lure his enemy into an environment that could not be hacked including going back to the old Aston Martin featured in the old James Bond in the 60s. When I saw this it was thought provoking but I didn’t realise just how close this was to reality.

“…there are countless numbers of hackers in the world that could switch their focus to automotive or other IoT type targets.”

Those of us that have spent many years in the IT industry have a focus on building secure systems. It wasn’t always like that for us but the benefit we had was the hackers were learning at a similar rate to the experts on the right side of the law. The developers of these modern systems do not have that luxury as there are countless numbers of hackers in the world that could switch their focus to automotive or other IoT type targets.

We shouldn’t be too surprised about the lack of security surrounding the computer systems in our vehicles. This is a huge potential problem for the Internet of Things in general. Many of the developers and manufacturers developing the processors and sub systems to manage our vehicles more efficiently and to provide a better driver and passenger experience are focussed on making these improvements to out smart their competitors. Many of the developers of these systems are now playing catch up to secure their systems and devices. This will mean better segregation between systems – firewalls and warning systems to raise awareness of and possibly prevent an attack – Intrusion Detection and Intrusion Prevention Systems. In addition to this our vehicles will need automated updates for system firmware vulnerability patches that do not depend on a visit to the service centre or any driver intervention.

“…do we follow in the foot steps of James Bond and all go out and buy vintage cars to avoid being hacked?”

Some experts have stated that the risks are relatively low as there is no repetitive financial gain from hacking vehicles. Furthermore, at the time of the report it was very difficult to identify a specific vehicle to attack so an attack on a specific person would be unlikely. However, only two years ago manufacturers did not take vehicle hacking seriously because up until that time attacks required physical access to plant a device on the vehicle. Hacking the Jeep Cherokee mid-journey has proved that vehicles can be compromised via the internet.

So, do we follow in the footsteps of James Bond and all go out and buy vintage cars to avoid being hacked? I won’t be. As much as I like vintage cars I also like the refinements of driving a modern car. The hackers have done a great job of bringing these vulnerabilities to the attention of the vehicle manufacturers. The level of difficulty presented to potential hackers is irrelevant. Securing vehicle systems must be a priority before a cyber-attack on a vehicle – random or specific – results in someone losing their life.

Useful links…

Wired – Hackers remotely kill a Jeep on the highway – with me in it