At the close of 2014, Gartner forecast that 4.9 billion connected things will be in use this year, up 30 percent from last year, and will reach 25 billion by 2020. The Internet of Things (IoT) has become an over-used buzz term, but it’s also an undeniable reality, and as such, is making a disruptive impact across all industries, especially when it comes to cybersecurity.
The growing IoT attack surface was well spotlighted at Black Hat 2015 this month in Las Vegas, where hacks of both a connected Jeep Cherokee and a Tesla Model S illustrated connected car woes—and sparked a conversation about how IoT security flaws should be handled. When things that were previously never connected suddenly become connected, tried-and-true industry approaches that were never developed to accommodate the digital age suddenly can’t keep up.
“Like many other manufacturing sectors, the automotive industry appears to have fulfilled the predictions of many security experts and underestimated the challenges of deploying secure systems in today’s challenging operating environment,” said Stephen Cobb, senior security researcher with ESET, in an emailed comment to media.
Case in point: the connected Jeep hack. Security researchers Chris Valasek, director of vehicle security research at IOActive, and Charlie Miller, the well-known Twitter researcher, recently asked an unsuspecting journalist from WIRED to take a car for a spin on the freeway—and then commenced messing around with him.
They cranked the radio to 10, pushed the AC full-blast, turned on the windshield wipers, and, best of all, uploaded a pic of their smiling faces to the in-dash “infotainment” screen. At their Black Hat talk on the development of the compromise, they also showed videos of the remote control of the vehicle’s brakes and steering, as well as the ability to lock and unlock the doors—all remotely. Worse, because they were able to take over the Controller Area Network (CAN) using the car’s internal 4G connection, they demonstrated that the hack could be effected on millions of targets at once, from thousands of miles away—just by running a search online for vulnerable vehicles.
The hack took months and months to perfect, and requires specialized know-how and equipment, but should still discomfort anyone looking into buying a connected car—particularly considering that the initial compromise was done using very simple scripts.
"We took over the infotainment system and from there reprogrammed certain pieces of the vehicle so we could send control commands," Valasek said. "It takes a lot of time skill and money. That isn't to say that there aren't large organizations interested in it."
Vulnerable vehicles include the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs. So, U.S. auto giant Chrysler has mounted a fix, using that well-worn groove of the auto industry: a vehicle recall. In fact, Chrysler is recalling 1.4 million cars in all, and is in the process of mailing all affected drivers a USB stick to patch the problem entirely. Meanwhile it has also pushed an over-the-air update to some vehicles to block unauthorized remote access.
The Chrysler news follows a Ford recall for a software bug affecting 433,000 2015 Focus, C-MAX and Escape vehicles. The flaw means that drivers may not be able to turn off the engine, even if they remove the ignition key. And earlier in the year, BMW was forced to roll out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles after a security researcher showed how he was able to intercept network traffic from certain BMW, Mini and Rolls Royce models and send commands telling the cars to lower their windows or open their doors. That too was done via recall.
Cameron Camp, security researcher at ESET, pointed out that recalls are very rarely effective.
“I have a Jeep Grand Cherokee with a faulty fuel tank, for which there’s a recall, and I've ignored it for years,” he explained. “Even if Fiat Chrysler issues a recall, that’s much less effective than a patch that gets pushed. Think if you had to bring your computer in to have Microsoft install a patch. Sure, they’d pay for it, but the patch rate will be abysmal. The problem is that many automobiles aren’t set up to have an effective patch cycle, so they’ll have some catching up to do, and that’s just on newly sold automobiles.”
And what happens if a car is sold to another owner?
“People keep computers for a few years, but cars for decades,” Camp said. “So when would an automobile company declare ‘end of life’ for supporting legacy cars that are found to have hackable defects, for which we’ve seen proof-of-concepts that would have millions of potential targets for things like opening the doors and starting them up and driving off?”
There are signs that automakers may be coming to terms with the realities at play in all of this. Also at Black Hat, the Tesla Model S was shown to be hackable. Elon Musk’s high-end electric vehicle was done in by Kevin Mahaffey, co-founder of the security firm Lookout, and Marc Rogers, principal security researcher at CloudFlare, who were able to upload a Trojan back-door via a physical Ethernet connection. Once installed, they could ping it remotely and perform a number of actions, including turning the car on and off remotely, braking if the car is moving under 5 MPH, and shifting into neutral at higher speeds.
In stark contrast to mainstream automakers, Tesla has already begun pushing an over-the-air patch that will automatically fix the issues. It also, earlier in the year, kicked off a bug bounty program.
“Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating and updating our safeguards,” Tesla said in an official statement.
Of course, cars aren’t alone in the world of connected things. Black Hat showcased other areas of IoT that we should be worried about. A trio of researchers gave a talk about the vulnerabilities of Internet-connected switches used in industrial environments, including how to damage a steel mill blast furnace or shut down a nuclear reactor—remotely. Attacks against devices that monitor the pumping systems in gas stations, a way to control a self-aiming, computer-aided rifle, and a virtual attack on a chemical plant were all showcased as well.
But with connected cars becoming such a mainstream reality for many consumers, perhaps it’s here that IoT security will first start in earnest.
“Modern vehicles are computers on wheels, and are increasingly connected and controlled by software and embedded devices,” said consumer group I Am the Cavalry, in an open letter to car manufacturers. “These new technologies enable innovations designed to increase vehicle safety and bring other positive features. Vehicle-to-vehicle communication, driverless cars, automated traffic flow, and remote control functions are just a few of the evolutions under active development.”
It added, “New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cybersecurity have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.”