Reconsidering Vehicle Risk In The Era Of Militarized Cyberspace

More than five years ago, Andy Greenberg recounted how hackers had disabled his vehicle while he was driving 70mph in a Jeep Cherokee. The attackers, as a “friendly” demonstration, changed his radio station, turned on his wipers, blasted the AC and switched off the ignition.

Security researchers Charlie Miller and Chris Valasek had exploited vulnerabilities in the manufacturer’s Uconnect wi-fi system to gain a beachhead into the car’s electronic backbone. They then escalated access until they had control of the entire vehicle management system.

Describing the experience in Wired, Greenberg ended with a caution: as an exclamation point, the hackers disabled his brakes and let him roll to a stop in a ditch.

The two researchers changed the automotive cyber-security landscape that day.

The implications of the attack were profound, from a massive recall of vulnerable vehicles to cellular service providers blocking traffic for a specific IP port. That port, when open, could have been used to take over thousands of vehicles remotely using Sprint’s OEM cellular network.

In short, cars and trucks were revealed to be a major new front in cyber-security.

Recent Developments

In 2019, more than 100 Lexus and Toyota vehicles were stolen by hackers using a sophisticated key fob attack. Using an amplifier to “beam” key fob signals to a nearby car, thieves unlocked the vehicles and drove them off, many for overseas resale.

Driving.ca’s excellent illustration depicts two attackers, one near the vehicle and the other near the key fob. You can envision this situation at a dealership or repair shop. By beaming signals between the two systems, the attacker is able to unlock and start the target.

Recently Tripwire listed five concerns that complicate vehicle cybersecurity:

1. Increased attack surface at the vehicle level, including: 5G, IOT sensors, etc.
2. Increased attack surface at the network level, where entire fleets of vehicles may be vulnerable
3. Organizational or cultural resistance to the changing cybersecurity landscape, hampering risk assessments and defense innovation
4. Supply chain and cross-organizational complexities for managing risk
5. Failure to embrace “security by design” during all areas of the vehicle lifecycle

The authors assert that vehicle cybersecurity spending will grow at a CAGR of 21%.

Recognizing the concerns, one media outlet simply recommended that drivers “[d]o not connect devices through Bluetooth to your car” unless given assurances of security by the sellers.

OEMs are Concerned

A recent survey by the Automotive Parts Manufacturers’ Association (APMA) revealed some troubling metrics:

• 30: The percent of APMA members that had a cyber breach in the past year, according to a 2020 survey.
• 68: The percent of APMA members lacking an enterprisewide cyber strategy.
• 50: The percent of automakers described by the cybersecurity ratings provider Black Kite as being at “high risk” of ransomware attacks.
• 150: Number of electronic control units in the average modern vehicle.
• 150 million: The lines of code in the average vehicle today.
• 300 million: The projected lines of code in the average vehicle by 2030.
• $10 million: The estimated value of Toyota and Lexus vehicles stolen by hackers in Ottawa in 2020.

Are These Novel Attacks?

I have not researched these ideas extensively, so they may not be unique. But consider:

• Vehicle Ransomware: the attacker “bricks” (disables) the vehicle until a ransom is paid to unlock the vehicle
• Insurance Fraud Via Remote Control Crash: the attacker forces a vehicle behind it to accelerate, manufacturing a collision and possible damage and injury claims
• Denial of Service, Stop All Traffic or Police Vehicle(s) From Pursuit: attack open ports with network traffic intended to impede nearby (or targeted) vehicle operations
• Open Any Door Via Loss of Trust: change authentication of keyless entry fob and ignition to allow any device to pair

All of these seem feasible given current technologies and potential algorithmic vulnerabilities. Consider, for example, the evolution of cryptographic hashing from 1992’s MD5 to today’s SHA-3. Over that span, we saw mathematical anomalies open new doors for counterfeiting digital signatures.

Embracing a The Complete Spectrum of Vehicle Cyber-Risk

In my view, vehicle manufacturers and their suppliers must all consider a vertically integrated spectrum of risks across the product life cycle. This includes ideation of new products and product features, marketing, differentiating and commodity technologies, global sourcing strategies, manufacturing, service and disposal.

An integrated strategy for assessing risks and addressing gaps in controls will likely prove money well-invested, perhaps many times over.

If you’d like to read the latest Cybersecurity in Automotive report from Capgemini, please email me.