Connected Cars: A History of Security Vulnerabilities

Chris Poulin, IBM, on Tech Crunch:

A Short History Of Car Vulnerability Research

In 2010, researchers from the University of Washington and University of California, San Diego published a seminal paper proving that once an attacker has physical access to a vehicle, they can compromise every component, from the entertainment system to the electronic control units (ECUs) that operate the engine, brakes and even the steering wheel in modern cars that self-park and sport lane-departure correction.

This research showed that an attacker could use connection points between vehicle systems as an entry point to inject arbitrary commands on the controller area network (CAN) bus to perform activities such as disabling all the engine’s cylinders, locking up one brake pad and disabling all brakes — even when the car was traveling at 40 miles per hour. The researchers even created a CAN bus analysis and packet injection tool, dubbed CarShark.

But the automakers weren’t phased by the research; their view was that an attacker would have to be jacked into your car in order to execute an attack.

In response, these same researchers undertook another study in 2011 to further prove their point, this time centered on how to remotely gain access to the vehicle. The paper enumerated the attack surfaces, including channels that provide remote access: Bluetooth, in-vehicle Wi-Fi, telematics, remote keyless entry and RFID immobilizers, dedicated short-range communications (DSRC) used to communicate between vehicles and the road infrastructure, global positioning (GPS), satellite radio and even tire pressure monitor sensors.

The researchers took the play from the punt to the end zone by remotely compromising a vehicle, then using the techniques they created in their first paper to gain complete control of the car. They even claimed they could compromise the telematics unit by simply playing an audio file over the mobile carrier’s network.

Using another vector, the researchers wrote a mobile phone Trojan that gave them remote access to a driver’s or passenger’s mobile phone, and when paired with a vehicle’s telematics unit, exploited a vulnerability in the Bluetooth firmware. They effectively used the mobile phone as a springboard to pwn the vehicle.

The researchers also compromised a typical diagnostics computer used by many service shops so that when it was connected to the diagnostics port on a vehicle, the computer would infect the vehicle with malware allowing the attackers to control it. In a zombie apocalypse scenario, the researchers even wrote software that could turn cars into a rolling “bot” army that reports back to a command and control (C&C) channel through which a criminal could issue commands.

It would seem that these researchers had proven conclusively that connected vehicle security required retooling, and that the consequences could have a major impact on customer confidence and safety. However, without details on the specific vehicles involved in the research, nor publicly disclosed proof of concept instructions, the automotive industry made little public noise about the research.

In fairness, the auto industry may have rallied war rooms and devised plans to amp up security in their automotive products; however, the automotive industry is tight-knit and guards new designs and technology closely. Further, modern automobiles are complex marvels of engineering, and the process of retooling the mechanics and software has to be undertaken slowly, carefully and over a period of many years. Bear in mind that from inception, a new automobile typically takes 5-7 years before it hits the mass market.

And yet, to the general public — and especially to researchers — the silence implied apathy on the part of the automakers. Some in the industry may not fully recognize the broader implications of these results. For example, I spoke to the design manager on the topic of the tire pressure monitoring system (TPMS) vulnerability and he responded with: “So what? All you could do is light up an amber LED on the dashboard.”

Which would be true if all TPMS receivers only had a wire loop that went to the LED in question; however, it’s likely that most of the automakers connect the TPMS receiver to other parts of the in-vehicle network, if for no other reason than to send that data as telemetry back to the predictive maintenance analytics running in the cloud. But let’s not get hung up on the TPMS system: The vehicle threat surface is as broad as the African savanna is to a big game poacher.

Enter Charlie Miller and Chris Valasek, whose 2013 Today Show vehicle hack elicited a collective gasp from the public. Automakers pointed out that such a hack would be unfeasible in real life, as the dashboard is dismantled and there’s a guy sitting in your back seat with a laptop. As is the way with such stories, other shiny objects and celebrity reality television soon overwrote that chunk of the public’s short-term memory, and drivers slid behind the wheel with nary a thought of cars gone wild.

In 2015, Miller and Valasek were back. The widely publicized video of these researchers remotely hacking into a vehicle on the road and ultimately sending it into a ditch struck a chord with the general public that research to date had yet to reach.

To put this in perspective, Recorded Future, which collects intelligence from more than 600,000 sources, including social media and underground forums, queried their data warehouse for mentions of connected vehicle security. As displayed [above], there was a fair amount of chatter when the CarShark exploit was announced, then it exploded around the two Valasek and Miller exploits. The red “bubbles” show the amount of references by date and the milestones are called out. Additionally, references to announced or publicly speculated future events are plotted at the bottom of the chart.