Automobile Cyber Security

11072914671?profile=RESIZE_400xWith hundreds of thousands of dollars on the line at the Pwn2Own Hacking Competition, a group of hackers from Synacktiv, an offensive security company, had quite the incentive to display the cybersecurity weaknesses of Tesla's Model 3.  Tesla, a company famous for its lacking public relations but also for its technology, actually volunteered the Model 3 for this hacking test, in an effort to explore just how vulnerable modern cars are.  And the short answer is that all cars, even Teslas, are generally vulnerable.

The team at Synacktiv was able to compromise the Model 3's infotainment through Bluetooth, ultimately gaining access to the top level of internal code.  Everything besides the Autopilot system was available for hackers to disrupt remotely.  This involuntary adjustment of lighting, maps, and music may seem diminutive for roadway safety, but it sets a dangerous precedent for the future of connected cars.[1]

11072914499?profile=RESIZE_584xTesla full self-driving option

TESLA - Tesla's participation should be cautiously praised for furthering automotive cybersecurity prowess, though the company isn't exactly known for keeping its customers' data safe.  A new privacy breach lawsuit against Tesla has illuminated a lack of virtual safety even from within, and consumers are starting to catch on to a new venue of cybersecurity considerations.  Of course, cars aren't just a frame, an engine, and wheels anymore but rather a system of electrical systems.

But if other OEMs are at a similar risk of penetration, should consumers spend their waking hours worrying about the cybersecurity of their vehicles?  Is their personal information safe?  And will a compromised navigation system drive them into nearby bodies of water?

Dustin Childs, head of Threat Awareness, Zero Day Initiative at Trend Micro, says consumers shouldn't panic about these issues, mostly because they can't do much about it alone.  However, Childs says cybersecurity is set to be a defining factor for the auto industry, as manufacturers develop new infotainment and tech features at a rapid pace.

11072915266?profile=RESIZE_584xNavigation device

"In the next five to 10 years, we will see something big in automotive security that happens and hopefully it's just a big recall.  It's more likely than not that something will happen very negatively when it comes to automotive technology," Childs tells Autoweek in an interview.

The systems at risk will vary by vehicle and the kind of threat, though a few key features are of particular interest to both sides of the cybersecurity spectrum.  As most modern vehicles feature advanced driver-assistance systems and even some semi-autonomous capabilities, experts' worst fear is that bad actors will maliciously disrupt the movement of a vehicle.

This problem may be exacerbated by the slow shift away from hydraulically connected vehicle controls, as computer-operated drive-by-wire style controls could be more susceptible to remote attacks.  The infiltration of navigation systems even poses a significant risk for stalking and targeted theft.  Of course, your personal data and information are always at risk, and a connected vehicle provides yet another entry point.

Alternatively, there are some gray-area reasons for hacking into the infotainment of your vehicle.  For example, Childs says subscription-based features like heated seats or certain screen functions could be easily jail-broken, allowing consumers to skirt monthly payments for already installed features.  This could also allow for the integration of custom functions or displays from the infotainment screens, like those who stream videos from their Tesla.

In either case, these virtual intrusions pose a challenge for automakers, who are now tasked with creating a mechanically and technologically sound product.  In order to build virtually secure vehicles, you need to understand how bad actors actually get in.  And Childs says that Bluetooth, WiFi, and other external connections like charging ports are often to blame, given these systems are designed to connect with other devices.  "Obviously, the systems need to talk to each other, but we need to make sure that it's the right systems giving the right messages, and there's not an opportunity for a threat actor to send the wrong messages and the wrong communications between the systems," Childs explains.  "In a way, it's a bit like the Titanic, in that it was designed so that water could come in and then be stopped."

11072915092?profile=RESIZE_584x2023 Cadillac Lyriq interior

Childs says these kinds of infiltrations are happening now, and it will likely only get worse as cars get more advanced.  The National Highway Traffic Safety Administration concurs as it has already recorded 1.4 million vehicles impacted by a 2015 cybersecurity recall.  Furthermore, the federal agency issued a 24-page memo on best practices for automotive cybersecurity, with a primary focus on the mitigation of safety-critical risks and containing intruders.

Even so, manufacturers continue to roll out new, personalized tech features, in order to stay competitive in a fierce market.  For example, Hyundai's Ioniq 6 will feature a Metaverse connection while the Polestar 3 and Volvo EX90 boast internal electronics from Nvidia, Luminar, and Qualcomm.  All of these features make up the selling points of these models, whether for safety reasons or modern social media connectivity, but they might also offer an entry point for hackers too.

In fairness to every automotive manufacturer, it's obvious that cybersecurity is massively important, with many automakers employing specific cybersecurity engineering teams. And it's not a problem with a clean, easy solution either, given the complexity and mystery factor of potential future attacks. Despite this, Childs says he doesn't want consumers to be driven away from technology by fear, because it's not a bustling dark market just yet.  "Really, more than anything else, it's profitability. Right now, there's no money in taking out these cars," Childs says. "If there comes a time where a threat actor can really figure out how to monetize their research, even in a negative light, then it's much more likely to pop out."

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.autoweek.com/news/technology/a43554143/cybersecurity-auto-industry-hacking/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Resources

 

CASE STUDIES