Monday, March 13, 2017

Will 2017 Be the Year Ransomware Attacks Cars?

That's what Andy Davis, transport assurance practice director at NCC Group (Manchester, the U.K.) thinks.  The NCC Group is an information assurance firm that specializes in software escrow and verification, along with cyber security.  Davis belongs to a technical steering committee of FASTR (Future of Automotive Security Technology Research), an industry group founded to foster cross-industry collaboration on automotive security technology.

The article, "Your Money or Your Brakes" in today's EE Times newsletter focuses on the growing implications of so much software in cars, software that's so badly protected.  How much software?  FASTR presents this:
100 MILLION LOC and almost 100 ECUs in a luxury vehicle?  That definitely needs more software assurance than the industry seems to be doing, but most importantly, that software needs to be inaccessible except to the service centers that work on the cars.  The problem is car buyers are so acclimated to their smartphones and internet-connected computers that they expect software upgrades to "just happen".  It's inconvenient to schedule time to bring your car to a dealer so that some system can be upgraded, and users prefer the so-called "over the air" software patches.  The problem is that systems that are open to the outside world are an invitation to disaster.
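The caveat a practitioner would add to the paragraph above is that "over the air" is not the same as "open to the outside world": an update channel is only dangerous when the vehicle will install whatever arrives on it. The check below is an added illustration, not code from the blog, from EE Times, or from NCC Group or FASTR. It shows the minimum an ECU should do before accepting an update package: authenticate the manifest, confirm the package is for this ECU, refuse anything that is not newer than what is installed (so an attacker cannot push an old, vulnerable image back onto the car), and bind the image bytes to the manifest by hash. The key, ECU name, version numbers and image bytes are constructed for the example; the HMAC stands in for the asymmetric signature a real OEM would use, where the vehicle holds only the public verification key.

```python
import hashlib
import hmac
import json

# Constructed example key. A production ECU would verify an OEM signature with
# a public key instead of sharing an HMAC secret with the back end.
OEM_KEY = b"example-oem-signing-key-not-real"


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Authenticate the manifest over a canonical JSON encoding."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def build_package(ecu_id: str, version: int, image: bytes, key: bytes) -> dict:
    """What the OEM back end would ship: manifest, authentication tag, image."""
    manifest = {
        "ecu": ecu_id,
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "tag": sign_manifest(manifest, key).hex(), "image": image}


def verify_update(package: dict, key: bytes, expected_ecu: str, installed_version: int):
    """Return (accepted, reason). Nothing is written to flash unless accepted is True."""
    manifest = package.get("manifest")
    if not isinstance(manifest, dict):
        return False, "missing manifest"
    try:
        tag = bytes.fromhex(package.get("tag", ""))
    except ValueError:
        return False, "malformed tag"
    # Authenticate first; nothing in an unauthenticated manifest can be trusted.
    if not hmac.compare_digest(tag, sign_manifest(manifest, key)):
        return False, "manifest authentication failed"
    if manifest.get("ecu") != expected_ecu:
        return False, "update is for a different ECU"
    # Anti-rollback: a validly signed but older image must still be refused.
    if not isinstance(manifest.get("version"), int) or manifest["version"] <= installed_version:
        return False, "version is not newer than installed (rollback rejected)"
    # Bind the delivered bytes to the authenticated manifest.
    if hashlib.sha256(package.get("image", b"")).hexdigest() != manifest.get("sha256"):
        return False, "image hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    image = b"\x00" * 16  # constructed stand-in for an ECU firmware image
    good = build_package("BCM", 7, image, OEM_KEY)
    print("genuine  :", verify_update(good, OEM_KEY, "BCM", 6))
    print("tampered :", verify_update(dict(good, image=b"\x01" * 16), OEM_KEY, "BCM", 6))
    print("rollback :", verify_update(good, OEM_KEY, "BCM", 7))
    print("wrong key:", verify_update(good, b"not-the-oem-key", "BCM", 6))
```

The order of the checks matters: the tag is verified before any field of the manifest is read, so a forged manifest cannot steer the ECU into a different code path, and the version comparison happens even for correctly signed packages, which is what closes the downgrade route.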
The very nature of a vehicle today has been altered by consumers who want a car to be like a smartphone, explained Davis.

They demand cars with more functions and features, just like smartphones, so they can run new applications. Fine, but most new features go into vehicles “without rigorous security assessment,” Davis explained.

Consider a smartphone app that can unlock a car. It’s a convenience feature. But every time such smartphone apps are integrated into vehicles, it’s an open invitation for ransomware. The attack surfaces in vehicles – available for hackers to play with – are many. Cellular, WiFi and Bluetooth network connectivity and their protocols can be all penetrated, said Davis.
So what sort of attack are we talking about?
Picture yourself in your car. You’ve turned on the engine, and a message pops up on the dashboard. The message says, “This car has been hacked. Pay up XXX dollars in the next Y days, or we won’t allow you to start the car.”

This could be a very simple attack. It could be a bogus message. But you can’t help but wonder what will happen the next time you hit the ignition. Will it start? Will it blow up? Will it crash intentionally into someone else?

“Few drivers would take the chance,” said Davis. Most likely, they would get out of their car and simply walk away, because those ransomware messengers “are inducing fear.” Ransomware typifies an aspect of “social engineering,” in the hacking sense, designed for psychological manipulation.

There is a second scenario, said Davis, that “can be more lucrative but potentially riskier.” Hackers could go directly after car manufacturers for extortion. They’d play “a reputational angle,” he said. Of course, the bigger the car OEM they target, the greater law enforcement’s involvement, which could result in the hackers’ capture.
Imagine you get into your new high-end car to go to work and you get that message.  Now what?  Unlike Davis, I don't think people would just walk away from their car.  I think they'd call the dealers in outrage.  If a large percentage of the people with that model car were to call their dealer, it would backlog the dealers' ability to shut the systems down and replace them, assuming the dealers themselves aren't crippled by the same attacks.  Yet the auto industry appears completely unprepared for something like this to happen.
For years, traditional automotive engineers maintained that car hacking was far-fetched. They offered two reasons. First, they said, it’s “not possible” to pull it off without physical access. Second, there’s no way to make money from hacking a car. Granted, penetrating a car is no trivial task. It would take hours of work and expert knowledge.
The well-publicized 2015 Jeep attack (which led to a recall of 1.4 million vehicles) blew away the first shibboleth.  With automotive ransomware emerging, the second article of engineering faith stands on shaky ground. What if instead of demanding hundreds of dollars from car owners to get use of their cars, the ransomware authors said, "pay us $25 and we'll leave you alone"?  With the choice of something small like $25 or $50 weighed against weeks or months waiting to get the car into the dealer, would most people pay that?

Given how big the threat is, how prepared are the carmakers?  EE Times reports on a few surveys in the industry, and while about half of the respondents think hackers are "actively attacking" automobiles, fewer than half think their companies are taking the threat seriously.
When we asked Davis why car OEMs remain so casual about cybersecurity, he said that he doesn’t think that’s the case. Rather, the challenges among traditional OEMs are more cultural. The engineers working on components at a carmaker are not the same as those who work in IT.

Blame, he added, falls on the internal communications and priorities set by car OEMs. Do car OEMs/ executives expect automotive hardware engineers to be software developers or security experts? Probably not.
Personally, I find the conclusion uncomfortable:
The bottom line is that “it takes a real world incident” for the whole industry to take automotive cybersecurity seriously. The world’s first ransomware aimed at vehicles might finally be the industry’s wake-up call, Davis concluded.
There's an unfortunate saying in the aviation business that the regulations are written in blood; nothing gets changed until a big "real world incident" with a large body count happens.  This sounds just like that.

I drive an '09 Explorer, and while it has an early version of Sync in it, the only way to update its software is to go to the dealer and pay them.  I don't think it's reachable from the outside.  When Borepatch talks about car security, he always ends up suggesting we return to the old iron with no electronics whatsoever.  The only car I had with no electronics was my '72 Pinto.     


  1. A few years back I bought a new Jeep and I had chosen options unavailable from stock so they had to build it for me. I begged them to not build it with a smart key. But that was not an option. I also asked for no air conditioner which they assured me they could do but it was built and delivered with AC. My feeling is that it isn't the customer demanding all the electronics but rather the auto companies doing it to meet all the various governments' mandates.

    1. I have no problem driving pre-electronics cars. They are even fun to work on, especially when they give you an excuse to use your mill to make a part that can no longer be found in a junkyard (not a problem if you pick a popular make).

      Half my fleet might be susceptible to EMP, half is not, and none are network-capable. I like it that way.

  2. It may be time to buy a fleet of tow trucks and start looking for that beachfront villa in the south of France.....

  3. Only if you really like Muslims, Nosmo King.

    And do you remember that the crowd which hacked the Jeep said it would have been almost as easy to hack the Cadillac Escalade? Do you understand that said Escalade is just a GMC Yukon XL with different trim? And that the Yukon XL is just a GMC Yukon with different trim and a Chevy Suburban with different trim and a Chevy Tahoe with different trim? And a GMC Sierra with different trim? And oh, by the way that goes for the 1500 and the 2500 and the 3500? And don't forget it's also the Chevy Silverado with different trim? In all three versions - 1500, 2500, and 3500 - as well?

    Do you understand that combination is the single largest selling "vehicle" in the US market? The Ford F150 wins on straight brand name sales, but Ford simply does not have the cross-branding of GM. If they had chosen to hit GM instead of Jeep, they could have put them out of business. But then again since GM was recently Government Motors, "Law Enforcement" across this country would have made their lives hell. That is what you get when the government weaponizes its enforcement entities.