Cybersecurity holes in connected cars leave doors unlocked for hackers

Consumers must demand security and protection standards for the Internet of Things

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The pho­to was jar­ring. A Jeep Chero­kee stalled in a ditch after hack­ers remote­ly dis­abled its brakes.

No one was hurt.

The exper­i­ment in St. Louis last year was a coor­di­nat­ed hack designed and car­ried out by Char­lie Miller and Chris Valasek, secu­ri­ty researchers at Uber’s Pitts­burgh-based Advanced Tech­nolo­gies Center.

Miller and Valasek sought to prove a point that the emerg­ing tech­nol­o­gy of connected—and pret­ty soon, autopilot—cars are full of holes when it comes to cyber­se­cu­ri­ty. They’ve been pre­sent­ing their find­ings at con­fer­ences and events ever since, includ­ing at IDT911’s Pri­va­cy XChange Forum 2016 in Scotts­dale, Ari­zona, in Octo­ber. (Full dis­clo­sure: IDT911 spon­sors

Relat­ed video: Risks rise as the Inter­net of Things expands

Con­nect­ed vehi­cles promise safer and more effi­cient dri­ving expe­ri­ence. But Miller and Valasek’s car-hack­ing exper­i­ments part­ly prompt­ed the Fed­er­al Bureau of Inves­ti­ga­tion, with the Nation­al High­way Traf­fic Safe­ty Admin­is­tra­tion, to go pub­lic in March with a con­sumer warn­ing about the pos­si­bil­i­ty of an attack­er remote­ly exploit­ing vulnerabilities.

And cyber­se­cu­ri­ty issues have come to the fore­front in dis­cus­sions about the pit­falls of the Inter­net of Things as the tech­nol­o­gy rapid­ly evolves. A cou­ple of well-chron­i­cled inci­dents, includ­ing the Jeep, have ratch­eted up con­sumers’ anx­i­ety over the pos­si­ble ero­sion of con­trol over their cars.

The fall­out from the Jeep hack, where­in the secu­ri­ty experts gained con­trol of the car through its enter­tain­ment sys­tem, Ucon­nect, was swift. Chrysler, who owns the Jeep brand, recalled 1.4 mil­lion cars to fix the soft­ware bug. And Sprint, whose net­work was used in Ucon­nect, blocked access to a spe­cif­ic port for the pri­vate IP address­es used to com­mu­ni­cate with the vehicles.

Mean­while, U.S. Sens. Edward Markey, D-Mass., and Richard Blu­men­thal, D-Conn., intro­duced a bill designed to require U.S. cars to meet cer­tain stan­dards of pro­tec­tion against dig­i­tal attacks and pri­va­cy. “In the rush to roll out the next big thing, automak­ers have left the doors unlocked to would-be cyber crim­i­nals,” Blu­men­thal said.

Art Dah­n­ert, man­ag­ing con­sul­tant at dig­i­tal secu­ri­ty firm Cig­i­tal, acknowl­edges the emerg­ing prob­lem but isn’t over­ly alarmed. Unless pro­fes­sion­al­ly coor­di­nat­ed, the cur­rent lev­el of vehi­cle hack­ing gen­er­al­ly requires close prox­im­i­ty to the car, he says. “A lot of it is hype,” he says. “Some of the issues may not affect a lot of consumers.”

Still, con­sumers who own con­nect­ed vehicles—and most new cars are—should be aware of rel­e­vant secu­ri­ty risks and devel­op­ments, he says. Here are some issues to consider.

• Own­er edu­ca­tion. Under­stand­ing how a vehi­cle and some com­po­nents are con­nect­ed to the inter­net is cru­cial. Cars con­tain numer­ous elec­tron­ic units that con­trol a wide range of func­tions, rang­ing from steer­ing and brak­ing to in-car Wi-Fi and diag­nos­tics. These com­put­ers are net­worked and expose pos­si­ble entry points for hackers.

In-car Wi-Fi can be spoofed or accessed by hack­ers in near­by loca­tions. And GPS, Blue­tooth and smart­phones can serve as con­duits for hack­ers wish­ing to tap into the car’s con­trol sys­tem. “If an app that man­ages your sound sys­tem is com­pro­mised, your phone is com­pro­mised,” Dah­n­ert says.

• Updat­ing soft­ware. Soft­ware bugs are inevitable. And vehi­cle own­ers should be vig­i­lant in keep­ing up with updates, recalls and ser­vice bul­letins. Crim­i­nals also may exploit update notices by send­ing fraud­u­lent email that con­tains mali­cious soft­ware. Avoid down­load­ing soft­ware from third-par­ty web­sites or file-shar­ing platforms.

• Lim­it in-car use. Some dig­i­tal bells and whis­tles are bet­ter left turned off when­ev­er pos­si­ble. “I would rec­om­mend that dri­vers learn how to dis­able some of the less used fea­tures of the vehi­cle, espe­cial­ly those that involve remote com­mu­ni­ca­tions like Wi-Fi hotspots and remote start­ing,” Dah­n­ert says. “These steps reduce the footholds that attack­ers use to hack your car.”

• Beware of third-par­ty acces­sories. More third-par­ty devices, such as insur­ance don­gles, car mon­i­tor­ing tools and oth­er telem­at­ics, can be plugged into the vehicle’s diag­nos­tic port and become access points for hack­ers. Car own­ers should check with the secu­ri­ty and pri­va­cy poli­cies of device man­u­fac­tur­ers and look to avoid them if they are from obscure com­pa­nies or deemed untrustworthy.

Some acces­sories also may be prob­lem­at­ic. In August, researchers at the Uni­ver­si­ty of Birm­ing­ham in the U.K. used a piece of radio hard­ware to inter­cept sig­nals from a key fob used in Volk­swa­gens. The sig­nals can be repli­cat­ed to open the doors of mil­lions of Volk­swa­gens dat­ing back to 1995, the researchers claim. “Don’t for­get that it’s not just what’s under the sheet-met­al, but what is in your pock­et that could lead to a prob­lem,” Dah­n­ert says.

• Pit­falls of mod­i­fi­ca­tion. Avid car own­ers are noto­ri­ous for their love of mod­i­fi­ca­tion, using after-mar­ket parts. Those who mod­i­fy their elec­tron­ic con­trol units or wire­less con­nec­tions to enhance their cars’ per­for­mance could be invit­ing cyber­se­cu­ri­ty prob­lems. “Such mod­i­fi­ca­tions may also impact the way in which autho­rized soft­ware updates can be installed on the vehi­cle,” the FBI says.

• Sup­pli­er con­cerns. The advent of autopi­lot cars and dri­ver-assist sys­tems will mud­dle the already com­plex ecosys­tem of car man­u­fac­tur­ers and sup­pli­ers. Height­ened secu­ri­ty stan­dards and prac­tices with­in the con­nect­ed car sup­pli­er ecosys­tem would be need­ed as tech­nol­o­gy evolves, Dah­n­ert says.

Ulti­mate­ly, con­sumers have lit­tle direct con­trol over the man­u­fac­tur­ing and devel­op­ment of the Inter­net of Things in cars. But they can affect the indus­try with their check­books. “Con­sumers need to demand (secu­ri­ty fea­tures) are updat­ed. Don’t buy prod­ucts that are not secured,” Dah­n­ert says.

More sto­ries relat­ed to secu­ri­ty and the Inter­net of Things:
Data secu­ri­ty even more crit­i­cal as Inter­net of Things mul­ti­plies, morphs
Secu­ri­ty must be part of device design as Inter­net of Things evolves
Secur­ing the Inter­net of Things: ‘Side chan­nel attacks’ expose sen­si­tive data col­lect­ed by IoT devices

Posted in Cybersecurity, Data Breach, Featured Story