There will be 250 million wirelessly connected cars on the road by 2020 according to Gartner (IT). The technical prognosticators believe that 60% – 75% of them will be capable of consuming, creating, and sharing Web-based data. In light of predictions like these and highly publicized car network attack demonstrations car need more security. Intel (INTC) has established the Automotive Security Review Board (ASRB) to help mitigate cyber-security risks associated with connected automobiles.
An Intel presser says ASRB researchers will do ongoing security tests and audits. They will codify best practices and design recommendations for advanced cyber-security solutions and products. Intel will publish automotive cyber-security best practices white papers, which the company will update based on ASRB findings. Chris Young, senior vice president, and general manager of Intel Security said in the presser.
We can, and must, raise the bar against cyberattacks in automobiles … Few things are more personal than our safety while on the road, making the ASRB the right idea at the right time.
Secure car networks
It is the right time to secure the networks in cars. A study released by Atlanta-based PT&C|LWG Forensic Consulting Services looked at what made cars vulnerable to attacks.
Robert Gragg, a forensic analyst with PT&C|LWG told CSO cars with the highest risk of cyber threat tended to have the most features networked together, especially where radio or Wi-Fi networks are connected to physical components of vehicles.
Today’s modern automobile uses between 20 and 70 computers, each with its own specialized use. The article explains that engine control units oversee a wide array of electronic sensors and actuators that regulate the engine and maintain optimal performance. Vehicle manufacturers use the generic term “electronic control units” (ECUs) to describe the myriad of computers that manage various vehicle functions.
For example, the author says ECUs control vehicle safety functions, such as antilock brakes and proximity alerts. The ECU which governs climate control systems receives temperature data from sensors inside the cabin and uses that to adjust airflow, heating, and cooling.
What is a controller area network
Typically, all of a vehicle’s computer systems can be accessed over a vehicle’s controller area network (CAN) via the radio head unit, a computerized system that runs a car’s or truck’s communications and entertainment system.
Many of today’s modern vehicles can be accessed via cellular, Bluetooth, or even WiFi connectivity. While no easy task, the CSO article says, once a hacker gains access to the vehicle’s head unit, its firmware can be used to compromise the vehicle’s CAN, which speaks to all the ECUs. Then it’s just a matter of discovering which CAN messages can control various vehicle functions.
Car attacks
These attacks can happen at a distance. PT&C|LWG study estimated minimum distances from which a vehicle could be hacked according to the wireless communication protocol it is using. For example, a passive anti-theft system could be access from 10 meters, a radio data system (or radio head unit) could be hacked from 100 meters, a Bluetooth system could be accessed from 10 meters, a smart key from five to 20 meters, and a vehicle equipped with Wi-Fi… well, it could be hacked from anywhere there’s Internet access (rb- I wrote about this vulnerability in 2011).
That may be a problem. Increasingly, carmakers are coming out with vehicles that include Wi-Fi routers for Internet connectivity. PT&C|LWG’s Gragg said.
In more advanced vehicles — the ones that have infotainment systems — wireless security and wireless access points are all connected into the navigation system. So those are more susceptible to hacking because there are just more wireless access points … Anything open to wireless capabilities is susceptible to the hacking.
rb-
In May, both General Motors (of ignition switch cover-up infamy) and the Auto Alliance, the car maker’s lobbyist, testified against a proposed exemption in copyright law that would allow third-party researchers to get access to vehicle software. A decision in that matter could come any day from the U.S. Copyright Office.
The Auto Alliance has also threatened to run to Congress should the Copyright Office rule in favor of the researchers to cover up threats to the consumer, like Volkswagen and GM. The lobbying group calls legitimate researchers attackers in a letter to a Congressional subcommittee investigating the auto industry’s ability to thwart cyber attackers; “Automakers are facing pressure from the organized efforts of technology pirates and anti-copyright groups to allow the circumvention of protected onboard networks, and to give hackers with the right to attack vehicles carte blanche under the auspices of research”.
This would set a dangerous precedent for devices connected to the Internet of Things (IoT) to be unregulated. If the automakers are successful in their DMCA claims, it would be deadly for everyone on the road too.
Who remembers “Unsafe At Any Speed“?
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.