Cybersecurity Snapshots #5 - Automobile Cybersecurity is a Big Issue

Cybersecurity Snapshots #5 -

Automobile Cybersecurity is a Big Issue

Cars are becoming more connected than ever, and should, therefore, meet the highest level of security, safety, and performance. However, that is not always the case. As cars have become more connected and have more autonomous features, they are extremely susceptible to malicious cyberattacks and could potentially be weaponized by adversaries. Cars today have up to 100 Electrical Control Units (ECUs) and more than 100 million lines of code, which is a large attack surface. Auto manufacturers also source ECUs from many different suppliers, which means that no one player is in control of or even familiar with all of a vehicles source code. In the future, cybersecurity needs to be embedded in the first stages of the car's design before they are manufactured.

For a number of years, researchers have been able to find vulnerabilities in cars that would make them susceptible to adversarial attacks. Researchers have been able to gain remote access to vehicles by exploiting software vulnerabilities in General Motors’ On-star and Bluetooth systems. The researchers were able to take physical control over the vehicles, such as controlling the display on the speedometer, controlling the brakes, and shutting off the engine. Jeep Cherokees, for example, were found to be vulnerable through exploitation of the Wi-Fi password. The car's Wi-Fi password was generated automatically based upon the time that the head unit was turned on for the first time. This is a relatively secure way to generate a password because it is based upon the date and time down to the second, which would give the password many potential combinations. Researchers found that if an adversary knew the year and month of manufacture, then the number of possible combinations was reduced to 15 million. Adversaries would then most likely assume that the head unit was turned on during the day, which would reduce the number to 7 million combinations. Once the researchers were able to crack the car's Wi-Fi password, they were then able to change the radio system, the volume, and track the car via its GPS navigation system. The head unit is not connected to the CAN Bus (the internal network), but the researchers were able to communicate with it via a connected component, the V850 controller. They were able to reprogram the V850 controller with a firmware update over the car's Wi-Fi connection. Once this was completed, they were able to send commands to the CAN Bus and were able to control the car remotely. Researchers could control everything including the engine, transmission, steering wheel, and brakes. The researchers reported this issue to Fiat Chrysler, which led to a recall of 1.4 million cars.

In another example, researchers were able to take control of a Tesla Model X brakes remotely, open the trunk and the doors, and control the radio. They were able to hack the vehicle through Wi-Fi and cellular connections using malware, which was sent to the car’s web browser in a series of circuitous computer exploits. The researchers notified Tesla, and Tesla fixed the vulnerabilities within two weeks. In 2020 researchers discovered a flaw in Tesla Model 3's web interface. The interface had a denial of service (DoS) vulnerability. In order for the adversary to exploit the systems’ vulnerability, a user would have to go to a malicious webpage. If they went to a webpage that had been compromised, using the central display, it could allow the attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications along with other miscellaneous functions from the main screen. The user would still be able to drive the car. Tesla was notified, and has since patched the flaw.

The National Highway Traffic Safety Administration (NHTSA) suggests that automotive companies take a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired. The NHTSA also suggests that all automotive companies have a risk-based prioritized identification and protection process for self-critical vehicle control systems. The automotive companies should also be able to timely detect and rapidly respond to potential vehicle cybersecurity incidents on America’s roads. Architectures, methods, and measures need to be designed with cyber resiliency in mind and must be able to facilitate rapid recovery from incidents. NHTSA also suggests that information be shared across the automobile industry to facilitate the quick adoption of industry-wide lessons learned.

In an encouraging sign, the automobile industry is starting to take cybersecurity more seriously. NHSTA encouraged the formation of Auto-ISAC, which is an industry group that emphasizes cybersecurity awareness and collaboration across the automotive industry. Recently the Auto-ISAC released a comprehensive set of best practices for automotive cybersecurity. Automakers are planning for these guidelines to serve as the foundation for industry-wide cybersecurity standards. Several OEMs from Tesla, GM, and Fiat Chrysler, have also established a new “bug bounty” program, which rewards individuals that find and report security flaws in their cars’ software, to fortify their systems against vulnerabilities. The bug program has been helping automobile companies with finding a multitude of flaws. In 2019, Tesla rewarded researchers $10,000 through their bug bounty program called Bugcrowd. The researchers discovered a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain vehicle information. The automotive industry will continue to take cybersecurity more seriously in the future and will need to be able to adapt to the ever-changing forms of cyberattacks that could affect their automobiles. They will also need to be expedient when patching flaws found, because the longer the flaws go un-fixed, the more likely a successful cyberattack will be executed, which could cause injuries or deaths.