A report presented this week at the Black Hat USA conference in Las Vegas detail which vehicles are most vulnerable to hacker attacks via a car’s Bluetooth, telematics or on-board phone applications.
The most hackable vehicles include the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to an interview the researchers had with Dark Reading.
The World’s Most Hackable Cars
darkreading.com – If you drive a 2014 Jeep Cherokee, a 2014 Infiniti Q50, or a 2015 Escalade, your car not only has state-of-the-art network-connected functions and automated features, but it’s also the most likely to get hacked.
That’s what renowned researchers Charlie Miller and Chris Valasek concluded in their newest study of vulnerabilities in modern automobiles, which they will present Wednesday at Black Hat USA in Las Vegas. The researchers focused on the potential for remote attacks, where a nefarious hacker could access the car’s network from afar — breaking into its wireless-enabled radio, for instance, and issuing commands to the car’s steering or other automated driving feature.
The researchers studied in-depth the automated and networked functionality in modern vehicle models, analyzing how an attacker could potentially access a car’s Bluetooth, telematics, or on-board phone app, for example, and using that access to then control the car’s physical features, such as automated parking, steering, and braking. Some attacks would require the attacker to be within a few meters of the targeted car, but telematics-borne attacks could occur from much farther away, the researchers say.
Not surprisingly, the vehicles with fewer computerized and networked functions were less likely to get attacked by a hacker. “The most hackable cars had the most [computerized] features and were all on the same network and could all talk to each other,” says Miller, who is a security engineer at Twitter. “The least hackable ones had [fewer] features, and [the features] were segmented, so the radio couldn’t talk to the brakes,” for example.
The 2014 Infiniti Q50 would be the easiest of all to hack because its telematics, Bluetooth, and radio functions all run on the same network as the car’s engine and braking systems, for instance, making it easier for an attacker to gain control of the car’s computerized physical operations.
Different vehicles had different network configurations: Some had Bluetooth on a separate network than the steering and acceleration systems.
The researchers say the 2014 Dodge Viper, the 2014 Audi A8, and the 2014 Honda Accord are the least hackable vehicles. They ranked the Audi A8 as the least hackable overall because its network-accessible potential attack surfaces are separated from the car’s physical components such as steering, notes Miller. “Each feature of the car is separated on a different network and connected by a gateway,” he says. “The wirelessly connected computers are on a separate network than the steering, which makes us believe that this car is harder to hack to gain control over” its features.
By contrast, the 2014 Jeep Cherokee runs the “cyber physical” features and remote access functions on the same network, Valasek notes. “We can’t say for sure we can hack the Jeep and not the Audi, but… the radio can always talk to the brakes,” and in the Jeep Cherokee, those two are on the same network, he says.
Update: A Chrylser spokesperson told Dark Reading its vehicles come with security features already, and the company is working on new security features as well. “Chrysler Group takes seriously the issue of cyber security. Our vehicles are equipped with security systems to help minimize the risk from real-world threats and we have multiple engineering teams dedicated to developing new security features,” the spokesperson said in a statement.
“Chrysler Group will endeavor to verify these claims and, if warranted, we will remediate them. However, we support the responsible disclosure protocol for addressing cyber security threats. Accordingly, we invite security specialists to first share with us their findings so we might achieve a cooperative resolution. To do otherwise would benefit only those with malicious intent,” he said.
Worries over the cyber security of cars is gaining traction ever since Miller and Valasek’s 2013 DEF CON car-hacking research, where the pair demonstrated how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of a 2010 Toyota Prius and 2010 Ford Escape. That research focused on what a bad guy could do if he could get inside the car’s internal network, and the researchers physically test-drove the hacks they discovered.
While the pair didn’t get much response from Ford and Toyota after providing the carmakers with detailed documentation of their findings, the automobile industry meanwhile appears to be waking up to the potential cyber risks to cars: The Alliance of Automobile Manufacturers and the Association of Global Automakers last month announced plans to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features. The industry is now forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks — likely via an Auto-ISAC (Information Sharing and Analysis Center).
IPS “under the hood”
Meantime, there are ways to potentially lock down these advanced features in today’s modern vehicles. Miller and Valasek have built a prototype device that detects and stops a cyber attack. They describe it as a sort of intrusion prevention system (IPS) inside a car that would detect that an attacker that had broken into the car’s networked radio, and stop him from sending the braking system a message to lock up, for example.
“It’s a device you could plug into the car to stop any of the attacks we’ve done and that others have done,” says Valasek, who is director of security intelligence for IOActive.
The researchers in their Black Hat presentation will show video clips of the prototype and how it can stop an attacker. The device basically plugs into a vehicle’s diagnostic port.
“It’s mostly about an algorithm that detects attacks and prevents them,” Miller says. “You could put it under the hood.”
Miller and Valasek say their work studying security weaknesses in vehicles is an attempt to get ahead of the threat: The risk of your car getting hacked today is relatively low. And it doesn’t mean you shouldn’t buy a car loaded with technology, they say. “This is really an opportunistic attack,” Valasek says. “It takes a lot of time, effort, dedication, and money to figure out how to perform one of these attacks and to succeed doing it. Joe Consumer doesn’t have to worry, but if you’re a high-profile person with a lot of technology in your vehicle, it’s something to consider.”
They say they are conducting this research now ahead of the game and before it gets easier for attackers to exploit these car network and automation features — a window that they think could close in the next five years.
The researchers — who at Black Hat will provide more details of their findings and release their paper on them — have provided carmakers the report. They’re hoping the car companies will take the threat seriously and offer ways to lock down weaknesses and vulnerabilities as well as technology to detect and deflect an attack.
Automobile Industry Accelerates Into Security
Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected — and vulnerable — vehicles.
Another day, another ISAC — and this time it’s the automobile industry.
darkreading.com – The Alliance of Automobile Manufacturers and the Association of Global Automakers today officially announced plans to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features that could put cars at risk for nefarious hacking. The industry is in the process of forming a voluntary mechanism for sharing intelligence on security threats and vulnerabilities in car electronics and in-vehicle data networks — likely via an Auto-ISAC (Information Sharing and Analysis Center), the officials say.
The auto industry’s move toward an ISAC comes on the heels of that of the retail and oil and natural gas industries, which recently formed ISACs for their respective industries. While retail and oil & natural gas have faced a wave of real-world threats and attacks on their systems, carmakers for the most part so far have been mostly faced with research demonstrating possible attacks. The heat is on, however, because by 2017, more than 60% of new vehicles will be connected to the Internet, auto industry officials say.
Researchers Charlie Miller and Chris Valasek last year at the DEF CON hacker conference elicited some nervous laughter among attendees as they showed witty but sobering evidence on video of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of the 2010 Toyota Prius and the 2010 Ford Escape. Their research follows that of 2011 work by the University of Washington and the University of California-San Diego, where academic researchers found ways to hack car features via Bluetooth and rogue CDs, among other tricks.
Miller and Valasek’s work was about looking at what could be done if a bad guy hacker could get inside the car’s internal network, and they also released their tools during the conference to help promote further study of vehicle vulnerabilities.
The researchers didn’t get much response from Ford and Toyota, despite providing the carmakers with their white paper on their research and reaching out to the companies.
[The Retail Industry Leaders Association (RILA) rolls out a retail ISAC following the National Retail Federation’s (NRF) announcement of an intel-sharing platform. Read Dual Retail Cyber threat Intelligence-Sharing Efforts Emerge.]But today’s announcement — which was made at a press briefing at this week’s Cyber Auto Challenge security event, where students work with automakers and government agencies on secure system design and programming as well as hands-on application — appears to be a big step forward for the auto industry when it comes to factoring in the cyber security implications of new car features and functions. Ford and Toyota are both members of the Alliance for Automobile Manufacturers, and Toyota is also a member of the Association of Global Automakers.
Rob Strassburger, vice president of vehicle safety and harmonization at the Alliance of Automobile Manufacturers, says the goal of the first phase, a cyber security policy working group, is to provide an interim forum for security researchers to share their findings. “Longer-term, we’ll be doing the work of governance and scope that would lead to an ISAC to look at vulnerabilities, assess them, and issue alerts,” Strassburger says. “All actionable information our members then act upon.”
Even so, Miller says he and Valasek were not part of the discussions that apparently led up to the plans for intelligence- and threat-sharing in the auto industry. “Anything that helps shed light on the security issues in the auto industry is nice although I think, as a researcher, the problem isn’t in sharing our research but rather in getting manufacturers to make changes based on it,” Miller said in an email exchange. “We have had no problem getting our research out in the media, etc., but I don’t necessarily think the industry has been particularly responsive to the changes we’ve suggested they take, or if they have been, they haven’t included us in the discussion. I tend to think the industry thinks they know what they are doing and don’t necessarily need outside help from folks like us.”
The working group will look at a formalized Auto-ISAC or other type of program for sharing intel, says Mike Cammisa, director of safety at the Association of Global Automakers. “We will exchange vehicle-related cyber security information” among automakers, their suppliers, and government agencies as well, he said. “The goal is to continue to enhance the driving experience while maintaining the integrity of these systems.”
Andrew Brown, vice president and chief technologist at Delphi Automotive PLC, a components supplier to automotive systems, says cyber security threats are bound to increase over time, as more automation and connectivity is added to vehicles. “As such, that represents an increased opportunity for those who may want to do harm to vehicles and the systems we provide,” he said. “As a tier 1 supplier, we recognize we alone can’t develop solutions and approaches to mitigate threats… It’s important to have an industry-wide approach to cyber security issues, and it has to be initiated with the OEMs.”
Valasek says car manufacturers and their suppliers tend to be a fairly closed group. “While getting a consortium started is good, the real battle is what to do upon a breach. Pretending like they can develop a perfect system without flaws isn’t the answer,” he said in an email exchange. There’s no such thing as a bug-free system, he says.
More Reading:
Car Hackers Release Tools
Researchers who hacked Toyota Prius and Ford Escape hope to foster future ‘car-in-a-box’ model for tinkering with vehicle security issues – darkreading.com
Dark Reading
Cyber security’s comprehensive news site is now an online community for security professionals, outlining cyber threats and the technologies for defending against them
Black Hat
Is the most technical and relevant global information security event series in the world. For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment.