Answering these questions requires us to think past the high-profile press coverage of vehicle hacking and look closely at the underlying vulnerability that enables these attacks.
All vehicles are potentially vulnerable
Most press coverage of automotive cyber security focuses on wireless connectivity and remote hacking, with the Jeep Cherokee being a prime example. Security researchers Charlie Miller and Chris Valasek used the integrated cellular connection of the vehicle to remotely access its interior network. With that access, they could interfere with audio and telematic controls and ultimately disable the vehicle, leaving it in a ditch on the side of the road.
However, wireless connectivity is not a requirement to access a vehicle. There are more mundane vulnerabilities that require only physical access, such as the on-board diagnostic (OBD-II) port. The OBD-II port has been standard in all vehicles since 1996, and is used by mechanics for routine maintenance checks. It’s also used for connecting third-party tools such as driver behaviour monitors issued by insurance companies.
Add to this the ever-expanding array of USB connections, either built in or as part of aftermarket components such as radio head units, and you find your vehicle could be at risk even if you have no direct connection to the internet.
What CAN we do about it?
At present, all vehicles are vulnerable to attacks because the in-car controller area network (CAN) bus is unsecured. The CAN bus is the central nervous system to which all the vehicle's core and peripheral components connect.
The key flaw in this network is that all components which connect to it (more formally known as electronic control units, or ECUs) can communicate with each other without any form of secure validation. This means that if one ECU is compromised, it provides unrestricted access to the rest of the network.
Protecting the CAN makes the most sense because whilst ECUs are the most obvious vulnerability, physical access to the CAN is still a risk. Of course, ECU protection is still an important part of any cyber security approach, but CAN hardening should be considered a foundation from which to build a multi-layered strategy that can help reduce or eliminate effective hacking scenarios.
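The flaw described above comes down to this: a CAN frame carries an arbitration ID and data, but nothing that authenticates its sender. The following Python example is added here for illustration and is not from the original article; it shows one common hardening approach, a truncated HMAC and freshness counter carried in the data field, so a receiving ECU can reject forged, tampered or replayed frames. The key, arbitration IDs, field sizes and function names are all assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4      # truncated tag bytes (assumed size)
MAX_PAYLOAD = 3  # 8-byte classic CAN data field = payload + counter byte + tag

def _tag(key, can_id, payload, counter):
    # Bind the tag to the arbitration ID and the full freshness counter.
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(key, can_id, payload, counter):
    # Sender side: payload || low counter byte || truncated HMAC.
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for a classic CAN frame")
    return payload + bytes([counter & 0xFF]) + _tag(key, can_id, payload, counter)

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last = {}  # arbitration ID -> last accepted full counter
    def accept(self, can_id, data):
        """Return the payload if the frame is authentic and fresh, else None."""
        if not 1 + MAC_LEN <= len(data) <= 8:
            return None
        payload, low, tag = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        counter = (last & ~0xFF) | low   # smallest counter > last with this low byte
        if counter <= last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, can_id, payload, counter)):
            return None                  # forged, tampered, replayed or unauthenticated
        self.last[can_id] = counter
        return payload

def demo():
    key = b"constructed-demo-key"        # constructed key for the demo only
    rx = Receiver(key)
    good = protect(key, 0x244, b"\x01\x10", counter=1)   # constructed ID and payload
    return [
        rx.accept(0x244, b"\x01\xff" + good[2:]),        # payload tampered in transit
        rx.accept(0x244, good),                          # authentic and fresh
        rx.accept(0x244, good),                          # replay of the same frame
        rx.accept(0x1A0, good),                          # reused under another ID
        rx.accept(0x244, bytes(8)),                      # plain frame, no valid tag
    ]

if __name__ == "__main__":
    print(demo())
```

Only the second frame is accepted; the other four return `None` because the tag does not verify for the ID, payload and counter the receiver expects.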
Attack scenarios are many and varied
Hackers can have many reasons for wanting to gain access to a vehicle. They could range from something as relatively benign as theft all the way up to something as extreme as terrorism. Imagine a kidnap scenario in which a hacker has remotely accessed the navigation system. The driver has entered destination details, which unbeknownst to them have been overridden, taking the driver to a location of strategic advantage to the hacker.
Another scenario of particular concern to automotive companies looking to move into the transport as a service (TaaS) sector is the possible infection of their fleet with ransomware. In a research paper presented at ESCAR 2017, two teams explored the potential ramifications of a WannaCry-style malware attack, which they referred to as WannaDrive.
If a malware programme such as WannaDrive was successfully installed on a compromised ECU with access to the in-vehicle network, it could lock out the driver until a financial payment was made. Worse, it could permanently lock out the user, ‘bricking’ the system and requiring a refit of infected components, or ultimately a complete replacement of the vehicle.
A multi-layered strategy is the ultimate approach
These hacks are not simple or quick. They require intricate knowledge of the networks, and it took Miller and Valasek extensive research and development before they were able to create the hack that they used to exploit the weaknesses of the Jeep Cherokee.
However, once the code is out there, others can build on it, which is why a multi-layered approach to security is so important. It secures the vehicle from known hacks, and can also remove the incentive to hack by making it too time- and resource-heavy for the hacker to consider.
There will always be vulnerabilities as no vehicle can ever be 100% secure, but a very high level can be reached. The key to achieving this is in careful analysis of threats to the vehicle, its vulnerabilities, and approaching each layer as part of a comprehensive whole.
There are four steps to protecting the vehicle
Ultimately each OEM’s requirements will be different, which is why careful analysis is required, but creating a comprehensive strategy can be divided loosely into four steps.
The first step is to protect the CAN bus, hardening it from attacks and stopping hackers from moving around freely within the network. This layer is probably the most important because in addition to reducing the risk from all other levels, it protects not just against wireless attacks, but also against physical intrusion methods targeted against the CAN bus.
The second step is to ramp up ECU security, making these attack vectors harder to infiltrate and ultimately less attractive to hackers.
The third step is to protect back-end connectivity, making sure that data transfer between the vehicle and the cloud is not subject to manipulation, snooping or interception.
The fourth and final step is to reinforce cloud and OEM server security, making sure that cloud servers are secure from remote hacking, and that manufacturers' in-house servers are protected from both internal and external intrusion so vital vehicle and driver data is kept secure. This will require both a comprehensive review of data handling processes and technical cyber security expertise.