Security researchers are applauding the FBI and the National Highway Traffic Safety Administration for warning the auto industry that cars and trucks are vulnerable to internet-based attacks. But, they argue, more needs to be done by the government and car makers to protect drivers.
Last week, in a joint public service announcement, the FBI and NHTSA warned of vulnerabilities tied to smart-car features and aftermarket devices that connect to a car’s electronic control units (ECUs). In some cases, the agencies wrote, the vulnerabilities present “an unreasonable risk to safety based on a number of critical factors.”
The PSA was referring to a demonstration by researchers Charlie Miller and Chris Valasek, who in August 2015 showed how a 2014 Jeep Cherokee could be remotely controlled over the internet.
“I’m surprised it has taken so long to hear this from the government. This is not a theoretical threat. It’s been over a year since researchers proved this can be done,” said Craig Williams, senior technical leader and security outreach manager for Cisco’s Talos Security Intelligence and Research Group.
As a result of the Jeep Cherokee hack, Fiat Chrysler recalled 1.4 million U.S. vehicles. There have also been a number of recent demonstrations of vehicle hacking since. Last month, researcher Troy Hunt was able to remotely hack a Nissan Leaf by exploiting insecure APIs inside a smartphone app that controlled the car. Earlier this month, IDC and the security firm Veracode released a report claiming that, when it comes to car hacking, it is going to take three years for automakers to catch up with the number of cyber threats targeting cars today.
The FBI and NHTSA warned of several potential vulnerabilities, including ones tied to a connected car’s cellular radio module, citing Miller and Valasek’s Jeep Cherokee hack. “An attacker making a cellular connection to the vehicle’s cellular carrier – from anywhere on the carrier’s nationwide network – could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address,” the agencies wrote.
The FBI and NHTSA also warned of a growing number of third-party gadgets that connect to a vehicle’s on-board computer system via its ECUs. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems. Third-party devices connected to the vehicle, for example through the diagnostics port, could also introduce vulnerabilities by providing connectivity where it did not exist previously.”
“We are at a pivotal moment within the car industry,” said Chris Wysopal, CTO and co-founder of Veracode. He said car makers and the government both need to take a deep breath and assess the real risk of physical harm to drivers when it comes to connected cars. “What’s going to happen when you are going down the highway and someone crashes your car’s operating system and your power brakes go out?” Wysopal said. “These are questions the industry and government need to start asking.”
Wysopal argues that the FBI’s announcement is a good first step, but he is hoping the government will create the equivalent of NHTSA crash-test standards for on-board car computer systems. “Connected-car systems need to be tested in the same way bumpers and airbags are tested to meet government standards,” he said.
Cisco’s Williams said automakers need to take the lead on safety first. “I don’t think this is something that the government can legislate a fix for. It’s something the auto industry is going to have to tackle from the very planning stages of the next generation of automobiles,” Williams said.
“I think the auto industry is running into this problem where they have these cars they need to sell at competitive prices and they haven’t factored into the car’s price that these vehicle computer systems are going to need to be maintained, audited and secured for years to come,” Williams said.
One particular area of weakness, Wysopal said, is the government’s and the industry’s attention to privacy issues. He said car makers have a responsibility to set privacy rules and act fast when it comes to designing in-car security to protect on-board data. In a world where your GPS logs are captured and how you drive, where you stop for gas and what you do in your car’s infotainment system are all recorded, Wysopal said, new concerns are raised about where that data will end up and how it will be used.