Southeast Michigan is the car capital of the planet.
Located in this area are three of the major automobile manufacturers-Ford,
General Motors, and FCA (fka Chrysler). Over the years, the time has changed
the design and functionality of the vehicle. The vehicle’s design has become
more aerodynamic, these have become larger, and the materials have been
changed. Over the last 80 years, the vehicle has also become exponentially
mass-produced (Koscher, Czeskis, Roesner, Patel, & Kohno, 2010). The generic
engineering model had been predominantly static. There has been the
gasoline-powered internal combustion engine, four wheels, steering wheel,
brakes, etc.
Time has certainly changed this. One notable item has
been the significant improvement with technology in general. Computers have
improved in processing power and architecture, allowing for these to shrink in
size. This is yet another example of Moore’s Law. Initially, the early
computers would take up entire building floors. These have decreased to a
machine that fits on your lap comfortably with much more processing power.
Vehicles have become constructively a computer on wheels
(Behrman & Rauwald, 2015). When the vehicles began to implement more
computers into the vehicle, these were built more safely (Pagliery, 2014).
These functioned on a basic level with monitoring and reporting. Presently
computers and their networks run the vehicle with electronic control units
(ECUs) (Koscher, Czeskis, Roesner, Patel, & Kohno, 2010). These have been
an increasing number of computers with vehicles. This controls many vehicle
functions (steering, braking, acceleration, lights, windshield wipers, etc.).
There are also other vehicle components that are of interest which are wireless
(keyless entry, ignition control, tire pressure monitoring, diagnostic,
navigation, and entertainment systems). Each connection provides a portal to
attack. The third party devices connected to the vehicle introduces
exponentially more vulnerabilities with their connectivity and communication
channels. One avenue of exposure and increasing attacks continues to be the
on-board diagnostics port (OBD-II) (Rash, 2016) and other devices. These
provide for direct and standard access to the internal automobile networks. As
an inclination towards this, it is estimated that by 2020, 75% of vehicles
shipped will have internet connectivity (Baldas, 2016) and each car would have
more than 200 sensors, and by extension this provides for more attack points.
This is related in that the vehicle engineers have
embraced this. The engineers have used the added equipment to connect the
vehicle more so. The vehicles not only have the computers and networks, but
also added Wi Fi, blue tooth, SMS (short message service), assisted calling,
text messages read to the driver, and the driver dictating text messages.
As the attack surface has increased so quickly with the
addition of technology in the vehicle, there has been a noticeable lack of
focus on the cybersecurity at the same rate. This has manifested itself with
the automakers showing a severe lack of appreciation of cybersecurity as
applied to vehicles (Perkins, 2015). The systems have been poorly protected
(Young, 2015). This malfeasance or relative inaction has allowed vehicle
hacking. Specifically, this was defined as someone with a computer seeking
unauthorized access to vehicle systems for the purpose of retrieving or
manipulating vehicle functionality (FBI, 2016).
There is the potential for someone to remotely control a
vehicle by having knowledge of the VIN or other germane data. By extension, as
this is possible with one vehicle, what could an attacker maliciously do with a
fleet? In theory, the attacker could write and execute a script to find 70% of
the active VINs. The attackers could rent the bots for a fleet of vehicle
attack. The attack could then be simply executed with the heat being turned on
during August on I-75 in metro Detroit, have the vehicles take a 90 degree turn
at 5:20pm on a Thursday, or other commands to drain the battery during the
workday.
On the surface, this may seem moderately mundane or due
to the “It won’t happen to me” theory. This can actually be a very serious
issue mechanically, legally, and financially with the potential for a recall of
hundreds of thousands of vehicles.
With the known and unknown, at this time,
vulnerabilities, the attackers may initially test the attack with a limited
scope. Later a full attack may be used to extend the attack to its full
potential. With a highly motivated attacker, the result could be far reaching
and extensive. On an individual basis, an attacker could target someone, track
them remotely, and break into the car or trigger it to shut down.
In the alternative, the attack could be with a co-worker
or neighborhood child playing a game with the target. This may start as the
aforementioned prank and go too far. As an example the family could be at a
Detroit Tiger’s dame and the object of the prank would be draining the battery.
References
Baldas,
T. (2016, April 13). Feds: Self-driving cars must be terrorist proof. Retrieved
from http://www.freep.com/story/news/2016/04/12/feds-lets-build-terrorists-proof-car-at-least-try/82937200/
Behrman,
E., & Rauwald, C. (2015, July 27). Hacked jeep in ditch sends warning to
german luxury-car trio. Retrieved from http://www.bloomberg.com/news/articles/2015-07-27/hacked-jeep-in-ditch-sends-warning-to-german-luxury-car-trio
FBI.
(2016, March 17). Motor vehicles increasingly vulnerable to remote exploits.
Retrieved from http://www.ic3.gov/media/2016/160317.aspx
Koscher,
K., Czeskis, A., Roesner, F., Patel, S., & Kohno, T. (2010). Experimental
security analysis of a modern automobile. 2010
IEEE Symposium on Security and Privacy. Retrieved from http://www.autosec.org/
Pagliery,
J. (2014, June 1). Your car is a giant computer-and it can be hacked. Retrieved
from http://money.cnn.com/2014/06/01/technology/security/car-hack/
Perkins,
C. (2015, July 31). Hacker discovers a major vulnerability in GM cars, hijacks
vehicle functions. Retrieved from http://mashable.com/2015/07/31/gm-onstar-hack/#TXV0RdSrSEqr
Rash,
W. (2016, March 20). It’s time to pay attention to connected car cyber-threats.
Retrieved from http://www.eweek.com/security/its-time-to-pay-attention-to-connected-car-cyber-threats.html
Young,
A. (2015, July 28). Car hacking: Securing experts caution automakers on greater
need for cybersecurity and anti-hacking measures. Retrieved from http://www.ibtimes.com/car-hacking-security-experts-caution-automakers-greater-need-cybersecurity-anti-2026472
No comments:
Post a Comment