A well-publicized hack of a 2014 Jeep Cherokee earlier this year by security experts working with Wired magazine resulted in the recall of 1.4 million vehicles by Fiat-Chrysler Automobiles, a hasty (and successful) network-level fix pushed out by Sprint to address the vulnerability, and the catapulting of security to a much more prominent place in industry discussions – and consumer awareness.
At the heart of the vulnerability was that both the vehicle infotainment system and its control systems were wirelessly connected via the cellular network, and the infotainment system allowed the control systems to be commandeered remotely. Although drive systems of connected cars are of paramount security concern because of the potential for human lives to be at risk, there are other vulnerabilities that can come from hacking the connected car: researchers recently were able to use Wi-Fi sniffers to track a vehicle’s location using 802.11p connectivity that can be used for vehicle-to-vehicle and vehicle-to-infrastructure communications. Wireless door locks can also be vulnerable – one hacker developed a proof-of-concept device that costs less than $35.
Martin Hunt is an automotive industry practice lead for BT Global Services, which provides security solutions as well as an ethical hacking service that assesses vulnerabilities, and penetration testing. He told RCR Wireless News that vulnerabilities in the connected car include:
- USB, SD, DVD (multimedia).
- The on-board diagnostic and OBD-II connector (first required in vehicles in 1996, this must be installed within three feet of the driver and not require any tools to be exposed) or other proprietary connectors.
- Wi-Fi, 3G/4G cellular connectivity and Bluetooth.
- Remote control (keyless entry).
- IrDA interfaces – infrared to support tire pressure.
- Tire pressure management system, which are often wirelessly readable.
- Plugin outlet (hybrid/electric cars only).
Arxan, which provides application protection in verticals including the connected car, recently outlined its view on vehicle vulnerabilities and said they include vehicle-to-vehicle communications, vehicle-to-Internet (802.11p) and vehicle-to-device, including both wired and wireless connectivity. The company judged the most hackable points to be mobile applications, infotainment systems and the OBD-II port, with wireless locks assessed as moderately vulnerable to hacking.
Alon Atsmon, VP of technology strategy at Harman, which works with many of the top automotive brands to implement infotainment systems, said entry points into the connected car are proliferating – but it isn’t enough to simply protect those points. The car’s system and networks must be protected as well. Harman has developed what it calls a “5 plus 1” strategy around security that encompasses secure hardware, including some silicon isolated from other parts of the system; a hypervisor, for which Harman acquired software management company Red Bend earlier this year; policy-driven operating system access control; application sandboxing and network-level protection. The “plus one,” Atsmon explained, is the ability to update cybersecurity for the connected car OTA, in the same way that smartphones are updated, so that vehicles do not have to be physically recalled in order for a newly identified security vulnerability to be addressed.
In the case of the Jeep hack, the hackers had been sharing information on their work with Fiat-Chrysler prior to the hack being publicized, according to Wired, and Fiat-Chrysler quietly began to offer a software update – but ultimately, its UConnect computer system had to be updated via USB. The update required owners to download a fix over the Web and transfer the data via USB drive, take the car to a dealer or wait for Fiat-Chrysler to mail them a USB with the update as part of the recall. The network-level fix means even cars that don’t get updated have some protection, but getting new software on 1.4 million vehicles with no over-the-air update capability is a massive task.
Atsmon said that consumers will develop expectations for security, which might involve either embedded or after-market offerings – and, he says, automotive companies are already making cybersecurity an integral part of their offerings and their expectations for vendors.
“I don’t see a program without it right now,” Atsmon said. “It’s going to be a must-have in any car, and the manufacturers have been fast to react to that and willing to invest. I see a very healthy response.”
