The article, "Your Money or Your Brakes" in today's EE Times newsletter focuses on the growing implications of so much software in cars; software that's so badly protected. How much software? FASTR presents this:
The very nature of a vehicle today has been altered by consumers who want a car to be like a smartphone, explained Davis.

So what sort of attack are we talking about?
They demand cars with more functions and features, just like smartphones, so they can run new applications. Fine, but most new features go into vehicles “without rigorous security assessment,” Davis explained.
Consider a smartphone app that can unlock a car. It’s a convenience feature. But every time such smartphone apps are integrated into vehicles, it’s an open invitation for ransomware. The attack surfaces in vehicles – available for hackers to play with – are many. Cellular, WiFi and Bluetooth network connectivity and their protocols can all be penetrated, said Davis.
Picture yourself in your car. You’ve turned on the engine, and a message pops up on the dashboard. The message says, “This car has been hacked. Pay up XXX dollars in the next Y days, or we won’t allow you to start the car.”

Imagine you get into your new high-end car to go to work and you get that message. Now what? Unlike Davis, I don't think people would just walk away from their car. I think they'd call the dealers in outrage. If a large percentage of the people with that model car were to call their dealer, it would backlog the dealers' ability to shut the systems down and replace them, assuming the dealers themselves aren't crippled by the same attacks. Yet the auto industry appears completely unprepared for something like this to happen.
This could be a very simple attack. It could be a bogus message. But you can’t help but wonder what will happen the next time you hit the ignition. Will it start? Will it blow up? Will it crash intentionally into someone else?
“Few drivers would take the chance,” said Davis. Most likely, they would get out of their car and simply walk away, because those ransomware messengers “are inducing fear.” Ransomware typifies an aspect of “social engineering” – in the hacking sense – designed for psychological manipulation.
There is a second scenario, said Davis, that “can be more lucrative but potentially riskier.” Hackers could go directly after car manufacturers for extortion. They’d play “a reputational angle,” he said. Of course, the bigger the car OEM they target, the greater law enforcement’s involvement, which could result in the hackers’ capture.
For years, traditional automotive engineers maintained that car hacking was far-fetched. They offered two reasons. First, they said, it’s “not possible” to pull it off without physical access. Second, there’s no way to make money from hacking a car. Granted, penetrating a car is no trivial task. It would take hours of work and expert knowledge.

The well-publicized 2015 Jeep attack (which led to a recall of 1.4 million vehicles) blew away the first shibboleth. With automotive ransomware emerging, the second article of engineering faith stands on shaky ground. What if, instead of demanding hundreds of dollars from car owners to get use of their cars, the ransomware authors said, "pay us $25 and we'll leave you alone"? With the choice of something small like $25 or $50 weighed against weeks or months waiting to get the car into the dealer, would most people pay that?
Given how big the threat is, how prepared are the carmakers? EE Times reports on a few surveys in the industry, and while about half of the respondents think hackers are "actively attacking" automobiles, less than half think their companies are taking the threat seriously.
When we asked Davis why car OEMs remain so casual about cybersecurity, he said that he doesn’t think that’s the case. Rather, the challenges among traditional OEMs are more cultural. The engineers working on components at a carmaker are not the same as those who work in IT.

Personally, I find the conclusion uncomfortable.
Blame, he added, falls on the internal communications and priorities set by car OEMs. Do car OEMs/executives expect automotive hardware engineers to be software developers or security experts? Probably not.
The bottom line is that “it takes a real world incident” for the whole industry to take automotive cybersecurity seriously. The world’s first ransomware aimed at vehicles might finally be the industry’s wake-up call, Davis concluded.

There's an unfortunate saying in the aviation business that the regulations are written in blood; nothing gets changed until a big "real world incident" with a large body count happens. Sounds just like that.
I drive an '09 Explorer, and while it has an early version of Sync in it, the only way to update its software is to go to the dealer and pay them. I don't think it's reachable from the outside. When Borepatch talks about car security, he always ends up suggesting we return to the old iron with no electronics whatsoever. The only car I had with no electronics was my '72 Pinto.