Editor’s Note: On April 23rd, 2020, Gilad will be giving a full presentation of this topic in a free webinar hosted by the Automotive Security Research Group. You can register for the webinar on the ASRG website.
In Information Technology (IT), and Industrial Control Systems/Supervisory Control And Data Acquisition (ICS/SCADA), zero-day cyber-security events have been the match that lit the fuse of action.
The automotive industry is yet to have its first truly defining event. There have been some shots across the bow (see initial automotive events below), and some clear examples of how bad an attack could be for vehicles (see decisive automotive events below) – but these have generally been attributed to white-hat or ethical hackers.
In other industries, it is not until something drastic occurs – and public or political pressure is applied – that there is any reaction to potential (or actual) threats of cyber-attack. However, it is clear that this is not acceptable for the automotive industry. Public relations, brand loyalty, and customer safety expectations are vital to an OEM's success – preventing critical cyber-security vulnerabilities is incredibly important.
In our first post in October, we walked through a brief introduction of the history of connectivity and networking in IT, and ICS/SCADA industries. This month’s post looks at initial and decisive historical and critical cyber-security events in these areas, and how we can use them to predict potential upcoming attacks on the automotive industry.
Initial Cyber-Security Events
Since early computers and networks were not conceived with security in mind – and no threats were known – it was easy for hackers to attack those networks. The history of cyber-security began with a research project. In the 1970s, an engineer called Bob Thomas (working for a company called BBN Technologies) realized that it was possible for a computer program to move across a network, leaving a small trail wherever it went. He named the program Creeper, and designed it to travel between Tenex terminals on the early ARPANET, printing the message "I'M THE CREEPER: CATCH ME IF YOU CAN".
A man named Ray Tomlinson (the same Ray Tomlinson who invented email) saw this idea and liked it. He tinkered with the program and made it self-replicating – the first computer worm. Then he wrote another program, Reaper. Reaper was the first antivirus software and was designed to chase Creeper and delete it.
As harmless and groundbreaking as programs of this sort may have seemed at the time, they have evolved into what amounts to a multi-billion-dollar global criminal industry. It is not just external actors that pose a threat. We are seeing a rise in insider cyber-crime. A high-profile example is Boeing. In 2009, Greg Chung – a Boeing engineer – was sentenced to 15 years in prison for hoarding over 30 years' worth of US aerospace and defence documents, as well as passing sensitive data to China.
ICS/SCADA devices are extremely reliable and built to last for many tens of years. They were, however, built with zero cyber-security protection. Most events in this theatre began to occur after 2010. There were no real reported events before this point, although vulnerabilities and exposed weaknesses were already known by that time. Some argue events did occur beforehand, but that they were either unattributed to cyber-attack or were covered up by government agencies.
Automotive cyber-security is a new area, so there are very few known real events. Certainly, nothing that can be pointed to as a clear, malicious, widespread and safety-critical attack on vehicles. The closest to date have been apparently isolated thefts that have involved the hacking of remote key fobs for new vehicles.
Three high profile incidents involving a Range Rover, a BMW, and a Tesla vehicle have made the news. And while still alarming, these events represent only the financial impact of cyber-crime. Action must be taken now to avoid a defining safety-related incident.
Decisive Cyber-Security Events
One cannot point at a specific event that defines the turning point that initiated the modern cyber-security protection effort and its associated industry. However, we can point to some key moments in recent history.
In 2013, former CIA employee and sub-contractor Edward Snowden released stolen information to the press, causing a geopolitical incident. In 2014 Yahoo! lost the information of over 3 billion user accounts, and in 2017, WannaCry and NotPetya ransomware crippled public and private systems all around the world. 2018 heralded further attacks, with Equifax failing to patch an Apache Struts vulnerability, allowing hackers to gain access to 209,000 customer credit cards.
Year on year, increasingly sophisticated attacks are launched on Ethernet and IP networks. We see both targeted attacks – custom made for specific targets, such as stealing credit cards – and widespread attacks such as phishing and ransomware.
In this field, we have witnessed a few major events that have created awareness and generated some notable traction. The first was Stuxnet, a virus launched against the Iranian nuclear enrichment centrifuges in 2009. Another influential case that cost human lives occurred in 2015 in Ukraine. This attack, where alleged Russian state actors attacked the electrical grids, caused major blackouts and widespread chaos. In 2018 the Triton virus was launched against a Saudi Arabian oil facility.
There are many known Common Vulnerabilities and Exposures (CVEs) documented on web databases such as those held by MITRE. They show potential attack vectors such as the Denial of Service (DoS) vulnerability on Schneider Electric’s Modicon M221 PLC, now already patched.
While these and other published attacks appear to be sparse events, it may also be possible that many events go unreported. This might be because of attempts to prevent additional collateral damage, such as damage to an organization's public image and reputation or to national pride, or for a variety of other reasons. Regardless, the potential severity of such attacks is very high, and they should be considered a serious threat.
To date, all known major safety-critical events in the automotive industry have been attributed to white hat hackers – ethical hackers demonstrating existing vulnerabilities and exposures in the automotive industry. One can clearly point to the 2015 attack on the Fiat Chrysler Automotive (FCA) Jeep Cherokee as the first high profile attack. Charlie Miller and Chris Valasek were able to take full control of the vehicle, ultimately driving it into a ditch.
Since then, many additional demonstrations have been made. Luckily, despite the extant code, no malicious attacks have yet been documented, nor have lives or property been damaged. This is, unfortunately, lulling the automotive industry into a false sense of security. There is not enough awareness in the industry, and cyber-security investment in these tight-margin markets is relatively small.
Heavy vehicles and buses are particularly at risk. Miller and Valasek's attack on the Jeep Cherokee utilized a vulnerability in the infotainment system to gain access to the CAN bus, allowing them control of critical systems. Fortunately, most light vehicles use model-specific proprietary implementations, which can make opportunistic cyber-attacks too costly in terms of time and resources. However, many heavy vehicles use a common protocol called SAE (Society of Automotive Engineers) J1939, which is based on the CAN bus protocol. Once a heavy vehicle exposure is found, it could be exploited in a large variety of vehicles that use this standard. It is hoped that it will not take a major event – such as a yellow bus plunging off a high bridge – to drastically change the attitudes of the industry. Hopefully, industry and regulators will take the right action, in due time, to prevent such a calamity.
In the third instalment of our IT, ICS SCADA series we will look at the impact of the events described above and each industry’s response.