car-sec
Security

Connected cars: The dangers posed by hackers

This is a contributed piece from Andy Rowland, Head of Customer Innovation, Energy, Resources and Automotive at BT

 

Cars, like many components that are now part of the Internet of Things, were never intended to be widely connected, consequently they are inherently insecure. Given that the lifecycle of an automobile is considerably longer now, even if hackers don’t currently have the upper hand in terms of understanding connected vulnerabilities, they will in the near future.

What this translates to is the need to recognize that connected cars, while great innovations in technology, must be well-understood. The most immediate threat in this scenario affects not only the fully-autonomous vehicles of tomorrow, but the connected cars we are buying today.

Taking control of the infotainment system

The starting point for a hacker is likely to be the infotainment system, for two reasons: a) in many cases it interfaces directly to the car’s internal networks that communicate with safety systems b) there is a lot of published information available on the operating systems, firmware updates, and the backup paths, all of which can be exploited by a determined individual. This information has to be published by OEMs to allow independent garages to work on their cars, often by law.

A well-informed hacker, with some persistence can do everything from taking over the infotainment system, increasing radio volume to maximum, changing the SATNAV destination, or more seriously, interfere with the cars electronic systems and cause it to drive erratically. Car networks send packets of instructions with IDs that tell the receiving system what to do. The system will always respond to the packet with the lowest ID, if you inject data packets set to zero, you could effect a DDOS type attack, what we call an Arbitration Hijack.

Hacking multiple vehicles

The worse-case scenario is that multiple vehicles could be infected from a single source, and the OEM is then held to ransom. The infection could start with a compromised app that drivers download, a batch of components that have embedded malware that is not detected when the vehicles are manufactured, or social engineering for example, dropping a few USB sticks outside a franchised workshop, so that malware gets onto diagnostic PCs, which then infects all of the vehicles brought in for servicing that week.   

Steps to securing the car

To secure a car you need to consider three stages. First, the attack surfaces, and there are many. Examples include the various internal/external interfaces to the vehicle, the dealership and the systems that communicate with the car over the air, just to name a few. Second, you then need to carry out both code reviews, and penetration testing to cover web applications, mobile and wireless interfaces, the vehicle itself and social engineering. Finally, you need a platform that can analyze vehicles CAN bus data quickly to spot for outliers indicative of an emerging threat. And you need some sort of secure gateway in the car to harden the CAN bus networks, and identify and pass potential exceptions to the platform for analysis.  

In terms of who is best placed to secure the connected car, you need somebody who is independent and has extensive experience in more mature security markets like financial services. Currently automotive OEMs are working largely in security silos, they don’t want to discuss what they are doing and certainly not with other OEMs. We feel this approach is intrinsically flawed. When dealing with hackers you need as much shared intelligence as possible, for example if BT sees something new, we will pick up the phone to talk with our counterparts at AT&T, Verizon, OBS, etc., and they do the same. This approach is key to keeping one step ahead, if you let commercial rivalries get in the way you’ve failed.

It’s important to remember that whether we’re talking about the connected cars of today or the autonomous vehicles of the future, the attack surfaces are similar. So while technology evolves, if we work to stay informed we can be prepared for any type of threat to our vehicles.

PREVIOUS ARTICLE

« What's the point of 5G?

NEXT ARTICLE

3 ways the cloud can help the UK university clearing process »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

How to (really) evaluate a developer's skillset

Adrian Bridgwater’s deconstruction & analysis of enterprise software

Unicorns are running free in the UK but Brexit poses a tough challenge

Trevor Clawson on the outlook for UK Tech startups

Cloudistics aims to trump Nutanix with 'superconvergence' play

Martin Veitch's inside track on today’s tech trends

Poll

Is your organization fully GDPR compliant?