Newer car tech opens doors to CIA attacks
Security

Newer car tech opens doors to CIA attacks

The revelation through Wikileaks that the CIA has explored hacking vehicle computer control systems should concern consumers, particularly as more and more cars and trucks roll off assembly lines with autonomous features.

"I think it's a legitimate concern considering all of the computers being added to cars," said Kit Walsh, a staff attorney with the privacy group Electronic Frontier Foundation (EFF). "There's no reason the CIA or other intelligence agencies or bad actors couldn't use those vulnerabilities to hurt people.

"The risk is greater is you're trusting a self-driving vehicle," Walsh said.

Connected cars Creative Commons Lic.

WikiLeaks this week released more than 8,700 documents it claimed came from the CIA's Center for Cyber Intelligence; some of the leaks indicated the intelligence agency had looked at exploiting security vulnerabilities in smartphones, smart TVs and vehicle computer systems.

"As of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks," the Wikileaks post stated. "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."

WikiLeaks also linked to meeting notes from 2014 listing "potential mission areas" for the CIA's Embedded Devices Branch. The notes included references to "Vehicle Systems" and "QNX," which is Blackberry's automotive software platform for telematics and in-vehicle infotainment (IVI) systems.

Increasingly, automakers have been adopting QNX. In 2016, for example, Ford announced it was dropping Microsoft as the platform for its SYNC infotainment system and adopting QNX instead. Ford's new SYNC 3, using QNX, was rolled out in new  vehicles last summer.

Automakers have also been enabling over-the-air software updates for vehicles that could allow malicious code to be uploaded to on-board computer systems.

The government's role is to protect Americans

The role of the U.S. government is to explore security vulnerabilities in order to make product manufacturers aware of potential hazards, not exploit them, Walsh said.

In 2014, the Obama Administration assured Americans that a policy called the Vulnerability Equities Process (VEP) would prevent federal agencies from withholding "major" security vulnerabilities from the companies affected by them -- particularly ones that could cause consumers harm. Any security holes that were exploited by security agencies are only supposed to be used in national defense.

bmw i3 autonomous Intel

The BMW i3 autonomous car co-developed by BMW, Intel and Mobileye.

"The agencies are supposed to reveal vulnerabilities so companies can fix them and keep Americans safe. This is an example of a huge agency not following those rules and leaving people exposed to vulnerabilities so they can exploit them," Walsh said. "We've seen this before from the U.S. government."

Last year, a group calling itself the Shadow Brokers released what appeared to be a portion of the National Security Agency's hacking toolset designed to penetrate network firewalls; it included information about several previously unknown security holes, known as zero-day or 0day vulnerabilities.

According to a Reuters report, the NSA toolset was designed to exploit vulnerabilities in widely used networking products produced by Cisco and Fortinet.

Right now, the decision about whether to retain or disclose a vulnerability is theoretically governed by the VEP, but because the policy isn’t binding on the government, it’s toothless, the EFF said in a blog.

Cryptographer and computer security specialist Bruce Schneier said what's needed is government regulation.

"This is a huge problem," he said. "It’s things that affect the world in a direct physical manner and will cause harm to property and life."

Schneier said he has no doubt the CIA explored zero-day vulnerabilities in order to find ways to spy on citizens and assassinate enemies.

connected car autonomous vehicle NHTSA

"I think the worst thing about this is it demonstrates -- just like the Shadow Brokers did -- that the Obama Administration's assurances that the Vulnerabilities Equities Process prioritizes defense was a lie," Schneier said.

According to The Washington Post, the purpose of the CIA's hacking efforts exposed by the Wikileaks posting could not independently verified and the intelligence agency has declined to confirm the activity.

Vehicle cybersecurity has come to the forefront of automakers and legislators after several instances of white-hat hacking showed that vehicles could be remotely hacked and controlled.

A modern car has dozens of computers with as much as 100 million lines of code -- and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers, according to Navigant Research.

As more vehicle models come equipped with cellular, Wi-Fi and Bluetooth connectivity, experts say they have become more vulnerable to hackers who can remotely gain access, either via wireless sniffing devices or over the internet.

By 2020, there will be 250 million wireless "connected" cars on the road, according to Gartner.

For example, in 2015, security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into and control the entertainment system and other more vital functions of a Jeep Cherokee.

Both hackers are experienced IT security researchers. Miller is a former NSA hacker and security researcher for Twitter; Valasek is the director of security research at IOActive, a consultancy.

The hacking demonstration resulted in Fiat Chrysler Automobiles (FCA), the world's seventh-largest automaker, issuing a recall notice for 1.4 million vehicles in order fix a software hole that gave hackers access control over vital functions.

"The flag was two or three years ago when a couple of hackers took over the acceleration and brakes of a car," Scheier said. "If you weren’t woken up then, how is this going to make a difference?"

Based on past behavior, malicious hackers don't typically break into computer systems to harm people; the purpose is to exploit the systems for financial gain, Walsh said. So if the CIA were exploring ways to hack into vehicle computer systems, it wouldn't be for any typical purposes.

"Am I surprised? No," Walsh said. "The idea that you could use hacking into a car to kill someone is something that's been floated around -- but as far as I know we didn't have any conformation that someone who would do it was looking into how to do it."

Schneider isn't surprised, either.

"What do you think the viability is that 20 years ago they looked into ways to manually severe the brake lines of cars and kill people,” Schneier said. "It’s the CIA. It’s their job, so yes, I’m sure they were. I’d be stunned if they weren’t."

IDG Insider

PREVIOUS ARTICLE

«Hackers exploit Apache Struts vulnerability to compromise corporate web servers

NEXT ARTICLE

4K gaming tested: AMD Ryzen and GeForce GTX 1080 Ti for less than Intel's cheapest 8-core chip»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should companies have Bitcoins on hand in preparation for a Ransomware attack?