Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?
That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world.
This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.
While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land.
Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.
And all this has played out as the auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run.
The industry’s insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. In some cases, car companies have even sued researchers to shut them up.
In contrast, Tesla has embraced a coordinated disclosure policy. The company recently announced a vehicle security bug bounty program that offers $10,000 for reproducible security vulnerabilities. Tesla even formally presented vulnerabilities discovered in the Tesla S’s systems at DEF CON. The company’s chief technology officer JB Straubel appeared on stage with the researchers who performed the penetration test of the Tesla S—Marc Rogers of Cloudflare and Lookout Security CTO and co-founder Kevin Mahaffey—in order to present them with Tesla “challenge coins” for their work.
But no one from Fiat Chrysler was anywhere near the stage when Charlie Miller and Chris Valasek presented their findings on Uconnect. And it might be a while before any other carmaker makes a move to embrace the security community in the wake of the Chrysler recall.
It’s not like Miller and Valasek caught Fiat Chrysler by surprise. Miller told Ars that he worked with Fiat-Chrysler throughout his many months of research, advising them of what he and Valasek found. The company had already issued a patch to fix the problems, but it was only a voluntary update to be performed using USB. Sprint moved to block remote access to the network connection on Chrysler vehicles that Miller’s and Valasek’s attack exploited just before the pair revealed their research at Black Hat.
It used to be that car hacking basically meant voiding the factory warranty. As anyone who’s watched enough Top Gear knows, car enthusiasts and “tuners” have used electronic hacks such as “launch control” devices to bypass environmentally friendly settings in engine control systems for some time. Making these kinds of changes can, if you don’t know what you’re doing, “brick” your engine (or worse). But that’s not the sort of thing the general driving public has had to worry about.
The “attack surfaces” of cars that get the most attention are the ones designed to keep people from driving away with cars they don’t own—electronic keyless entry systems or locks, and vehicle immobilizers that use low-power radio to detect the presence of a valid car key before allowing a car to start for example. Both of those types of systems, which use cryptographic keys transmitted by radio from a key or key fob, have been targeted by researchers. Engine immobilizers for a number of luxury brands were successfully attacked as part of a study by researchers at Radboud University (that was suppressed by Volkswagen’s lawyers for two years). Remote keyless entry systems have also been targeted in a number of ways, including signal amplification attacks and brute-force crypto breaking (as detailed in research by Qualys’ Silvio Cesare).