[BreachExchange] Threat to the auto industry from hackers

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 17 20:44:29 EDT 2017


In the recent WannaCry ransomware attacks, one fact that never got
highlighted is the threat to the automotive industry. There exists a
genuine threat to the auto industry from hackers. They can get into your
companies and they can get into your cars. A news story we carried shows us
how a manufacturer was affected by the recent cyberattack. The
Renault-Nissan Alliance was not the only one to be threatened, I presume.
I’m sure, several other auto companies may have been hit but haven’t
disclosed what transpired.

Most automobile companies anyways don’t have a secure and strong IT
infrastructure that can protect themselves from cyberattacks. Renault and
Nissan clearly came out and addressed the issue with a security plan but
how many others did, we may never know. The fact, however, remains that the
auto industry is vulnerable to risks. In the future these risks will grow
as more digital technologies make their way into cars, posing stronger
cybersecurity issues.

There lies the other big challenge – most manufacturers are extremely
positive about introducing digital technologies into their cars, but very
few are aware of how to protect their cars from digital threats. ‘Can a car
be hacked?’ I don’t necessarily have the answer to that, but I could
presume that if a cell phone can be hacked today, then an automobile is
already a victim or will shortly be. How would you get into a car’s
systems? It could be through the internet services – manufacturers provide
in certain cars services that create a wireless hotspot for instance or
provide internet radio. How secure these connections are is anyone’s guess?
Then there is the Bluetooth connection or through a third-party device like
an on-board diagnostic equipment, hackers have enough routes to get into a

Even if a car is not directly hacked into, the potential exists to hack
into a system at a vendor level. Insert a malicious code and then wait for
it to come into action at a predetermined time. It sounds like science
fiction, but what Volkswagen did to escape emissions tests, using a hack
that worked intelligently to detect when it was being tested for emissions
and applied a different rule to lie its way through the test, wasn’t
science fiction.

There is also a genuine and serious potential for a remote car hacking
situation. Charlie Miller and Chris Valasek are two very famous security
researchers who managed to hack a Jeep in 2013. They made it stop, steer
and accelerate remotely. It sparked off a 1.4 million vehicles recall by
Chrysler to fix the issue. Several other researchers have likewise showed
instances of being able to control a car remotely. However, the automotive
industry lobby is still loathe to admit that cars can be hacked and have
shown an equal number of reasons as to why it can’t be done.

The point, however, is that we are quickly progressing towards an age that
is highly dependent on electronics to function. And electronics can be
manipulated. In its simplest form we, as consumers, hack our cars to
provide better efficiency or performance using on-board chips. These chips
alter the basic functions of the car’s ECUs and give it a completely new
set of instructions. With more systems coming under an electronic umbrella,
you have keyless entry and ignition, steer by wire, brake by wire, adaptive
cruise control, adaptive suspension, launch control, hill descent,
electronic stability control, traction control, pedestrian detection
systems, and so much more. We are building an ecosystem for autonomous
driving, but is that system secure?

Recently a bunch of Beijing-based security researchers demonstrated a hack
that made a car believe its key was within proximity and unlocked the car,
even though the owner was several feet away from the car. They created a
device that copied the signal from the key when it lay in the owners
pocket, amplified it, using a radio signal transmitted it several hundred
feet away allowing them entry into the car as well as access to its
ignition system. The device cost around Rs 1,500.

That is theft, but what happens if hackers can remotely gain access of your
car when you’re driving and plough it into unwary pedestrians. Amplify this
by a thousand times, use a multi-axle truck weighing several hundred more
kilos instead of a car, steer it into a larger gathering like the one in
Nice, France, and you now have a genuine terror threat!

Having said that, hacking cars is not as easy as it sounds or as I may make
it out to be. It requires a fair amount of effort to break into a car’s
systems at this point of time. Don’t dismiss the notion entirely, but
still, sleep easy!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170517/f39fad0d/attachment.html>

More information about the BreachExchange mailing list