Old 3rd August 2019, 01:15   #1
BHPian
 
jailbird_fynix's Avatar
 
Join Date: Sep 2018
Location: (òÓ,)_\,,/
Posts: 466
Thanked: 3,085 Times
Are 'Connected Cars' vulnerable to cyberattacks?

A consumer advocacy group has warned that automakers are rolling out new vehicles increasingly vulnerable to hackers, which could result in thousands of deaths in the event of a mass cyberattack.



In a new report entitled "Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off", Los Angeles-based 'Consumer Watchdog' said cars connected to the internet are quickly becoming the norm but constitute a national security threat. The report was based on a 5 month study with the help of more than 20 whistleblowers from within the car industry.

Quote:
All the top 2020 cars have Internet connections to safety critical systems that leave them vulnerable to fleet wide hacks. Cars connected to the internet can be hacked, allowing for outside interference with the car's brakes, engine and other crucial systems.

The experts warn that a fleet wide hack at rush-hour could result in a 9-11 scale catastrophe with approximately 3,000 deaths.

The report recommends cars come with a cheap "kill switch" that can disconnect the safety critical systems from the Internet.



The report said the industry executives were aware of the risk but were nonetheless pushing ahead in deploying the technology in new vehicles, putting corporate profit ahead of safety. However, the issue is not an unfamiliar one to automakers, who for the past few years have collaborated to minimize cyber security risks.
Quote:
"Consumers should exercise good cyber hygiene in all they do, including properly pairing a phone to a car, deleting phone data from rental cars (if paired), and being active in doing the maintenance and updates as requested for phones and vehicles."

  • Most connected vehicles share the same vulnerability. The head unit is connected to the Internet through a cellular connection and also through the vehicle's CAN (Controller Area Network) buses. Car makers have many economic motivations to connect vehicles to the Internet - from saving money in recalls due to sloppy testing practices by updating vehicle software 'over-the-air' to collecting valuable data on how fast we drive or where we shop.




  • While car companies market flashy new features, such as remotely starting cars from smartphones, technologists report the companies are deceiving the public about the risks and by their inability to eliminate them after almost a decade of trying.



  • Sometimes, even auto makers don't know who writes their automotive software.

    Most car makers rely heavily on software written by third parties. This includes 'open source' or 'crowdsourced' software like Android, Linux and FreeRTOS. These often comprise contributions from hundreds of different authors from around the world, and there is usually little accountability for quality or support and lots of reliability issues as well.





  • Many more vulnerabilities have been reported to car maker "Bug Bounty programs". But the car industry's response has always been to patch up individual security holes and ignore the design problems that underlie them.




  • Viruses can spread from vehicle to vehicle. Malicious WiFi hotspots can infect any susceptible vehicle that passes within range. Cars can also be affected by 'sleeper' malware.




How plausible does this all sound? Looking forward to valuable inputs from our members. For further reading, PDF of the complete report (49 pages) has been attached to this post (below).
Attached Files
File Type: pdf KILL SWITCH 7-29-19_0.pdf (3.11 MB, 176 views)
jailbird_fynix is offline   (22) Thanks
Old 3rd August 2019, 07:54   #2
BHPian
 
Join Date: Jun 2015
Location: Hyderabad
Posts: 85
Thanked: 281 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Thank you so much for sharing this. Connected cars will be a gold pot for hackers. Finding zero day vulnerabilities and selling them to malicious hackers including governments will be the norm and who then wants to either track people or use the collected data for malicious purposes. Even now with so much of technology (AI and other stuff) we can't protect our websites and smart devices. The best anti-virus, firewall can be bypassed by viruses.
Autonomous car is also a risk when it comes to being hacked.

This reminds me of the scene from the Fast and Furious and Venom (autonomous car hack) movies.




Last edited by atulsian : 3rd August 2019 at 07:57.
atulsian is offline   (3) Thanks
Old 3rd August 2019, 09:56   #3
Newbie
 
SkyWraith's Avatar
 
Join Date: Mar 2019
Location: Kolkata
Posts: 20
Thanked: 99 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

This is a very serious issue, considering most of the cars now come with an infotainment system with Android Auto and Apple CarPlay. If not much more forms of connections onboard like we now have with Venue or Tesla or Hector.
If you look at the timeline report of the hacks, the auto industry is not even trying to do anything about this themselves. Let the hackers figure it out and THEN we will just patch that issue (if we can). If the auto industry wishes to move to more connected and more futuristic ways, where cars drive themselves and autopilot and such, they need to fortify their connections.
Otherwise the scenes from Fast and the Furious and Venom that atulsian posted will not be fiction anymore.
SkyWraith is offline   (2) Thanks
Old 5th August 2019, 00:23   #4
Newbie
 
Join Date: Jan 2019
Location: Thane
Posts: 23
Thanked: 34 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Thank you so much for sharing this issue, and that too in great depth.

It is indeed scary, that as cars progress from being purely mechanical, to electronic commodities. Just like our smartphones/PCs, a car or rather any connected device can be tampered with.

Attaching a link to the video of the aforementioned 2015 Jeep Cherokee hack:



However, there would be more stringent industry standards and safety protocols designed for securing the same, but vulnerabilities in systems will always be there.
It kind of scares me to realise that the automobiles we so cherish and love, could potentially be weaponised.
sourishganguly is online now   (2) Thanks
Old 5th August 2019, 03:13   #5
BHPian
 
adi.mariner's Avatar
 
Join Date: Mar 2019
Location: Pune
Posts: 521
Thanked: 1,275 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

This thread is really an eye opener in terms of the vulnerabilities of these "Connected Cars". Also how easy it is (for persons with the right knowledge and tools) to take remote control of the cars by hacking into the systems. Also the data collected by the car companies as regards to the locations, speeds, etc. can be misused if in the wrong hands. As it is said, "Data is the next Oil".
adi.mariner is offline   (1) Thanks
Old 5th August 2019, 21:15   #6
Team-BHP Support
 
Join Date: Sep 2010
Location: All over!
Posts: 7,591
Thanked: 18,197 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Where there's internet and programmable software, there's a vulnerability to hacking. While the concerns regarding safety will only get graver as cars get increasingly IoT-enabled, I don't think anyone, be it the manufacturers or regulatory bodies, has really been able to fathom the depth and width of this risk.

And it can start with something very simple: be it, the telematics devices that Insurance companies are offering or even the keycards/apps that rental companies ask you to use to unlock cars.

We might discuss just connected cars here but the concern gets more pronounced when you think about autonomous driving where how the car drives is determined by software with minimal human input.
libranof1987 is offline   (1) Thanks
Old 8th August 2019, 00:07   #7
Senior - BHPian
 
Join Date: Jun 2015
Location: Chicagoland
Posts: 2,983
Thanked: 6,851 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Honestly, I don't think people would attack single individuals unless the attacker is crazy or wants to play a prank on the victim.

However, picture this: in the year 2050 where all the cars & other vehicles are connected. When a country with a conflicting ideology just has to hack into the systems and disable them. Seems far fetched, but can be a form of terrorism to bring the country to a grinding halt. Reminds me of the TV series Black Mirror.
landcruiser123 is offline   (1) Thanks
Old 8th August 2019, 09:32   #8
BHPian
 
PearlJam's Avatar
 
Join Date: Sep 2009
Location: Bangalore
Posts: 631
Thanked: 1,653 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

My humble opinion about this is - this article borders on fear mongering and should be taken with a pinch (if not more) of salt.

First of all, there are enough critical systems already existing online today that, we use without blinking an eye. From your bank accounts, Mutual funds, CDSL/NSDL depositories, online land records, overseas investments, stock broker links, and so on. Not to mention your extremely private information like emails, and hospital records are also online. Theoretically, an online scam could financially wipe you off completely! But we assume that these systems are now stable enough, with enough checks and balances, and all security holes ironed out over a period of time.

Coming to connected cars - Yes, there would be genuine gaping security holes in the initial days. After all, no version 1 software is bug free. There might be a "flood" of exposes as people try to "hack" into these systems to compromise them. But my assumption is that these would be fixed and ironed out quickly. Over a period of time, these systems should then be as safe (or as dangerous) as other systems in use today.
PearlJam is online now   (3) Thanks
Old 8th August 2019, 11:21   #9
Team-BHP Support
 
Join Date: Feb 2004
Location: Bangalore
Posts: 14,840
Thanked: 27,790 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Am sure at this moment, someone will be trying to hack an MG Hector
ajmat is offline   (2) Thanks
Old 8th August 2019, 12:50   #10
BHPian
 
TheLizardKing's Avatar
 
Join Date: Jul 2013
Location: Mumbai
Posts: 428
Thanked: 1,319 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Quote:
Originally Posted by PearlJam View Post
My humble opinion about this is - this article borders on fear mongering and should be taken with a pinch (if not more) of salt.

First of all, there are enough critical systems already existing online today that, we use without blinking an eye. From your bank accounts, Mutual funds, CDSL/NSDL depositories, online land records, overseas investments, stock broker links, and so on. Not to mention your extremely private information like emails, and hospital records are also online. Theoretically, an online scam could financially wipe you off completely! But we assume that these systems are now stable enough, with enough checks and balances, and all security holes ironed out over a period of time.

Coming to connected cars - Yes, there would be genuine gaping security holes in the initial days. After all, no version 1 software is bug free. There might be a "flood" of exposes as people try to "hack" into these systems to compromise them. But my assumption is that these would be fixed and ironed out quickly. Over a period of time, these systems should then be as safe (or as dangerous) as other systems in use today.
It is definitely NOT fear mongering. And the analogy you use is not the right one, because all the systems you mentioned are properly secured and data (both stored and in transit) is also encrypted in most cases. Also, there are legal safeguards in place to protect you in case of online fraud. On the other hand, if your vehicle is hacked while you are doing 100 kmph on the highway, you will probably not live to tell the tale. A difference of orders of magnitude between the two, don't you agree?

Coming to connected cars, if you read the article, you will see that the timeline starts as early as 2010, so it is definitely not "initial days". When it comes to technology, 9 years is an era! Also, the main thrust of the research is to highlight the unwillingness of the automobile industry to address the issue at a fundamental level, while just sticking to issuing patches once bugs are discovered. This is not at all surprising given the safety track record of the automobile industry over the years, be it exploding airbags (Takata) or unintended acceleration (Toyota). That, in my opinion, is the REAL problem we need to worry about.
TheLizardKing is offline   (1) Thanks
Old 8th August 2019, 13:59   #11
BHPian
 
PearlJam's Avatar
 
Join Date: Sep 2009
Location: Bangalore
Posts: 631
Thanked: 1,653 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Quote:
Originally Posted by TheLizardKing View Post
And the analogy you use is not the right one, because all the systems you mentioned are properly secured and data (both stored and in transit) is also encrypted in most cases. Also, there are legal safeguards in place to protect you in case of online fraud. On the other hand, if your vehicle is hacked while you are doing 100 kmph on the highway, you will probably not live to tell the tale.
...
Coming to connected cars, if you read the article, you will see that the timeline starts as early as 2010, so it is definitely not "initial days". When it comes to technology, 9 years is an era!
In general, I agree with the concerns.

But let us put this in perspective. A very small percentage of cars today are electric. So there is not much seriousness from the manufacturers, nor a priority as of today to fix any of these. The owners are still a relatively small group that has no bargaining/pressurizing powers. But as the adoption increases, I have absolutely no doubt that all these concerns will be addressed, because there will be demand from more and more consumers for accountability and security (I'm not using safety - since that would mean other things like airbags and build quality). All the technology for IP security already exists today. It is just a matter of implementing them.

Regarding the analogy - Please note that we went through a very similar phase in the internet/online world. Initial deployments of production software were much more "loose" in terms of security. There was much more scope for frauds, since the software developers themselves were not used to writing secure code. But as more and more people moved to the online world, these were quickly tightened. We have much more use of cryptography, https, and other technologies today.

I would say that all these concerns, though valid, are just transitionary.
PearlJam is online now   (2) Thanks
Old 8th August 2019, 16:25   #12
BHPian
 
Join Date: Oct 2007
Location: Bangalore
Posts: 593
Thanked: 1,129 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Quote:
Originally Posted by PearlJam View Post
My humble opinion about this is - this article borders on fear mongering and should be taken with a pinch (if not more) of salt.

First of all, there are enough critical systems already existing online today that, we use without blinking an eye. From your bank accounts, Mutual funds, CDSL/NSDL depositories, online land records, overseas investments, stock broker links, and so on. Not to mention your extremely private information like emails, and hospital records are also online. Theoretically, an online scam could financially wipe you off completely! But we assume that these systems are now stable enough, with enough checks and balances, and all security holes ironed out over a period of time.

Coming to connected cars - Yes, there would be genuine gaping security holes in the initial days. After all, no version 1 software is bug free. There might be a "flood" of exposes as people try to "hack" into these systems to compromise them. But my assumption is that these would be fixed and ironed out quickly. Over a period of time, these systems should then be as safe (or as dangerous) as other systems in use today.
You are forgetting something important here. Your banks, Online land records and all other systems are continuously being targeted and a very minute percentage always gets through the security systems. As an end user, why you did not get affected is because these organizations were able to stop further attacks and were able to restore their services pretty quickly. A few seconds or a few minutes of a successful attack do not generally affect the end users much and we always have a backup to restore from.
Now consider a few seconds or a few mins of a successful attack against an internet connected car cruising on a highway. We could only pray that the attack does not target your braking or other vital functions of your car. And if it does and an accident happens, the technology can only restore the car, not the humans affected by the accident.

I work as a Digital Forensics consultant and I am yet to see an organization that was not affected. By the nature of my job, I will never get to see a 100% secure organization.
Holyghost is offline   (4) Thanks
Old 8th August 2019, 18:25   #13
BHPian
 
Prowler's Avatar
 
Join Date: Jul 2008
Location: Madras
Posts: 770
Thanked: 1,301 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Complacency is the forerunner of defeat. Unless you wake up and act now it might be too late. They say in our domain, the safest computer is the one with no outside connection.
At the moment, cars have separate CPUs for separate jobs connected by CAN Bus. The Engine management ECU may talk to its Brake management ECU as the situation needs.
Now the problem is as long as the communication is internal, there is no threat from the Net. But the moment you allow the outside world to connect to your Car, you open a Pandora's box.
Many OBD devices talk to a central server to pass on engine data which ostensibly was intended to warn the owner of possible issues. This is mostly one way as the central server can't change the engine parameters (hopefully) from afar.
Bottom line is I don't want my fridge to place an order for food by itself. I would be all the more paranoid, if my car starts communicating with the outside world. Then a Kill Switch may be the only solution.
Prowler is offline   (1) Thanks
Old 9th August 2019, 08:14   #14
BHPian
 
Join Date: Jan 2019
Location: UK,IND, AUS
Posts: 102
Thanked: 173 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Quote:
Originally Posted by Holyghost View Post
..A few seconds or a few minutes of a successful attack do not generally affect the end users much..
Yes, time factor is crucial here. It's another risk that needs to be part of equation (no/minimal recovery window available). A large truck, losing its controls only for a few seconds at a traffic light can create havoc!
Unless the communication is one way only (read only access), there will always be a risk.
You can increase the cost of a hack (i.e. make it unattractive for a hacker), however making an absolutely secure system is always work in progress (you discover the vulnerabilities and patch your systems).

Last edited by RaviK : 9th August 2019 at 08:20. Reason: Added more content
RaviK is online now  
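
Added example, not part of any post in this thread: a sketch of the "one way only (read only access)" idea from the posts above, written as a default-deny gateway between the vehicle CAN bus and the internet-connected head unit, with a kill switch that isolates the head unit completely. The CAN IDs, frame lengths and all names (`gateway_allow`, `telemetry_allow`) are constructed for illustration and do not come from any real vehicle or product.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Side of the gateway a frame arrived on. */
enum bus { BUS_VEHICLE, BUS_HEAD_UNIT };

/* Minimal classic CAN frame: 11-bit identifier, 0..8 data bytes. */
struct frame {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

/* Constructed allowlist of telemetry the head unit may read.
 * IDs and lengths are placeholders, not from any real vehicle. */
struct rule { uint32_t id; uint8_t dlc; };
static const struct rule telemetry_allow[] = {
    { 0x100, 2 },   /* hypothetical: vehicle speed */
    { 0x101, 2 },   /* hypothetical: engine RPM    */
    { 0x120, 1 },   /* hypothetical: fuel level    */
};

struct gateway {
    bool     kill_switch;   /* true: head unit fully isolated */
    unsigned forwarded;
    unsigned dropped;
};

/* Decide whether a frame may cross the gateway.
 * Default deny: only allowlisted telemetry flows vehicle -> head unit;
 * nothing ever flows head unit -> vehicle. */
bool gateway_allow(struct gateway *gw, enum bus from, const struct frame *f)
{
    bool ok = false;
    size_t n = sizeof telemetry_allow / sizeof telemetry_allow[0];

    if (!gw->kill_switch && from == BUS_VEHICLE) {
        for (size_t i = 0; i < n; i++) {
            if (telemetry_allow[i].id == f->id &&
                telemetry_allow[i].dlc == f->dlc) {
                ok = true;
                break;
            }
        }
    }
    if (ok) gw->forwarded++; else gw->dropped++;
    return ok;
}

int main(void)
{
    struct gateway gw = { false, 0, 0 };
    /* Constructed sample traffic. */
    struct frame speed   = { 0x100, 2, { 0x00, 0x50 } };
    struct frame unknown = { 0x300, 8, { 0 } };
    struct frame from_hu = { 0x100, 2, { 0xFF, 0xFF } };

    printf("speed to head unit:    %d\n", gateway_allow(&gw, BUS_VEHICLE, &speed));
    printf("unlisted to head unit: %d\n", gateway_allow(&gw, BUS_VEHICLE, &unknown));
    printf("head unit to vehicle:  %d\n", gateway_allow(&gw, BUS_HEAD_UNIT, &from_hu));
    gw.kill_switch = true;
    printf("speed, kill switch on: %d\n", gateway_allow(&gw, BUS_VEHICLE, &speed));
    printf("forwarded=%u dropped=%u\n", gw.forwarded, gw.dropped);
    return 0;
}
```

The dropped counter is the useful signal for monitoring: any frame arriving from the head unit side is, under this policy, unexpected by definition.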
Old 9th August 2019, 11:54   #15
BHPian
 
DudeWithaFiat's Avatar
 
Join Date: Jan 2012
Location: Trivandrm/Kochi
Posts: 473
Thanked: 855 Times
Re: Are 'Connected Cars' vulnerable to cyberattacks?

Quote:
Originally Posted by PearlJam View Post

All the technology for IP security already exists today. It is just a matter of implementing them.
That is the biggest myth of cyber-security. The "just a matter of implementing them" is the biggest and most probably the permanent hurdle. And there are people motivated enough out there whose only joy and job seem to be discovering zero-day vulnerabilities. Even nation-states are vulnerable. Iran's nuclear program was substantially affected by a worm called Stuxnet - and even now, 9 years after it happened, no one knows for sure who was behind it. So, there are people motivated enough.

Quote:
Originally Posted by PearlJam View Post
Regarding the analogy - Please note that we went through a very similar phase in the internet/online world. Initial deployments of production software were much more "loose" in terms of security. There was much more scope for frauds, since the software developers themselves were not used to writing secure code. But as more and more people moved to the online world, these were quickly tightened. We have much more use of cryptography, https, and other technologies today.

I would say that all these concerns, though valid, are just transitionary.
It is another subject of discussion that even after this initial phase, most software developers still write code that is lousy in terms of security.

I think what makes the situation grave is that the Cybersecurity of a car is maintained by an average Joe who drives or owns the car. There are no cyber-security professionals guarding this data-centre (your car). Your car which will be more of a computer in the next few years to come, and with insecure cyber practices, it would be as vulnerable as your laptop. (Yes, your laptop or desktop is actually more vulnerable than you think it is).


Quote:
Originally Posted by Holyghost View Post
Now consider a few seconds or a few mins of a successful attack against an internet connected car cruising on a highway. We could only pray that the attack does not target your braking or other vital functions of your car. And if it does and an accident happens, the technology can only restore the car, not the humans affected by the accident.

I work as a Digital Forensics consultant and I am yet to see an organization that was not affected. By the nature of my job, I will never get to see a 100% secure organization.
Agreed 100%.

Last edited by DudeWithaFiat : 9th August 2019 at 11:57.
DudeWithaFiat is offline  