Driving Toward Disaster
When purchasing a vehicle, numerous references are available for consumers on the physical safety of models on the market. Prospective buyers can speak to sales staff about specific safety features, visit the manufacturer’s website to check the number of airbags, reference the Insurance Institute for Highway Safety website, and even watch crash test videos on YouTube to see exactly how the vehicle reacts when crashed into a wall at 30 miles per hour.
But when it comes to learning about the computer systems inside the vehicle, it’s more difficult to find information. “Everyone can go grab a Consumer Reports and get crash test safety ratings,” says Chris Valasek, director of vehicle security research at IOActive—a global security consultancy. “Most people don’t know all the kinds of technology that’s in their cars. They think it’s just purely a mechanical machine, when in reality it’s a bunch of computers that help you drive.”
Over the past few decades, vehicles have become increasingly computerized as manufacturers add more technology to models, such as tire pressure monitoring systems, cruise control, Bluetooth, GPS, and even Wi-Fi hotspot capability. All of these systems depend on electronic control units (ECUs) connected through a controller area network (CAN), like the network in your office building but much more “primitive and simple,” Valasek explains.
Some vehicles contain up to 100 separate ECUs, which communicate with each other by constantly sending messages back and forth that contain small amounts of data, such as “the car lights are off” when driving during daylight hours.
And these messages are vulnerable to interception and manipulation. According to a recent report—Tracking & Hacking: Security and Privacy Gaps Put American Drivers at Risk—by Sen. Ed Markey’s (D-MA) staff, “nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”
These vulnerabilities include being able to access the Bluetooth or OnStar system in the car to eavesdrop on conversations inside the vehicle, to track a vehicle’s movements, and to take control of the basic functions of the vehicle, such as braking, steering, and acceleration.
Additionally, of the 16 auto manufacturers that responded to Markey’s request for information, only two were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and none were able to report on past hacking incidents.
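The real-time detection gap described above, as an added example (not from Markey's report or any manufacturer): a passive monitor that learns how often each CAN message ID normally appears and flags unknown IDs or frames that arrive much sooner than their usual period. The candump-style log format, the IDs, periods and payloads, and the 0.5 threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# candump-style log line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, arbitration_id, payload) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def learn_baseline(log):
    """Median inter-arrival time per arbitration ID, from known-good traffic."""
    seen = defaultdict(list)
    for ts, can_id, _ in parse(log):
        seen[can_id].append(ts)
    return {i: median(b - a for a, b in zip(t, t[1:]))
            for i, t in seen.items() if len(t) > 1}

def detect(log, baseline, ratio=0.5):
    """Flag frames whose ID was never seen, or that arrive far sooner than usual."""
    last, alerts = {}, []
    for ts, can_id, _ in parse(log):
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < ratio * baseline[can_id]:
            # An extra sender doubles up a periodic message; the early frame is flagged.
            alerts.append((ts, can_id, "rate"))
        last[can_id] = ts
    return alerts

def frames(can_id, times, data):
    """Build constructed log lines for one ID at the given timestamps."""
    return [f"({t:.6f}) can0 {can_id:03X}#{data}" for t in times]

# Constructed traffic: IDs, periods and payloads are made up for illustration.
GOOD = "\n".join(frames(0x1A0, [i * 0.010 for i in range(50)], "00")
                 + frames(0x2F0, [i * 0.100 for i in range(5)], "1122"))
OBSERVED = "\n".join(sorted(
    frames(0x1A0, [0.00, 0.01, 0.02, 0.03, 0.04], "00")   # normal periodic frames
    + frames(0x1A0, [0.022, 0.032], "01")                  # extra frames, same ID
    + frames(0x555, [0.015], "FF"),                        # ID absent from baseline
    key=lambda l: float(l[1:l.index(")")])))

if __name__ == "__main__":
    for ts, can_id, reason in detect(OBSERVED, learn_baseline(GOOD)):
        print(f"{ts:.3f}s id=0x{can_id:03X} {reason}")
```

A rate alert marks the frame that arrived early, which may be the extra frame or the legitimate one that followed it; the monitor shows that an ID has more traffic than its baseline, not which sender is responsible.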
This isn’t the first time these threats have been reported. Many were addressed in previous research, says Terry Berman, senior program manager at MicroStrategy.
“There’s been studies going back at least to 2010 where vulnerabilities in vehicles were identified, so the fact that these manufacturers really haven’t taken the time or energy to address these issues is really disappointing,” he tells Security Management.
One of those studies was conducted by Valasek and his research partner Charlie Miller, a security engineer at Twitter. They received a grant through the Defense Advanced Research Projects Agency (DARPA) in 2012 and used the funds to purchase a 2010 Toyota Prius and a 2010 Ford Escape.
Using a laptop connected to the vehicles, Valasek and Miller sent messages through the CAN to cause the cars to suddenly accelerate, turn, brake, activate the horn, change headlight settings, and modify the speedometer and gas gauge readings. They then shared their findings with Toyota and Ford in hopes of improving the manufacturers’ vehicle cybersecurity efforts, but they were rebuffed when the companies noted that the researchers had used a laptop to directly access the vehicles’ computer systems.
“What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicle’s CAN…through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo,” Markey’s report said.
Valasek and Miller followed up on their research in 2014 and examined the hackability of 21 different vehicle models. They presented their findings at the Black Hat USA conference last year and released their full report to the public in an effort to raise awareness about vehicle cybersecurity.
“We want not only consumers, but security researchers like ourselves, to start digging more into these vehicles,” Valasek explains. “Hopefully, by publishing this type of material, we can get larger automotive companies and tier-1 suppliers to think about security.”
General Motors (GM), one of the companies surveyed by Markey, declined to comment on the report’s findings. However, spokesperson Laura Toole says the company is taking a multifaceted approach to in-vehicle cybersecurity and is designing vehicle systems so they can be updated with enhanced security measures as potential threats evolve.
GM is leading this effort through the creation of its Vehicle and Vehicle Services Cybersecurity organization. “These experts work with outside specialists to minimize risks of unauthorized access to vehicles and customer data,” Toole explains. “This team also leads GM’s participation in industrywide efforts to develop and implement defensive measures and strategies to reduce cybersecurity risks.”
Ford and Toyota—who also answered questions for Markey’s report—did not respond to requests for comment.
Along with vehicle cybersecurity vulnerabilities, Markey’s report also found that vehicles are collecting information about drivers. This includes the physical location of the vehicle at regular intervals, the last location where the vehicle was parked, vehicle speeds, and distances and times traveled, among other things.
Markey’s report found that customers are not made “explicitly” aware that their data is being collected, and when they are, “they often cannot opt out without disabling valuable features, such as navigation.”
This data is stored in a variety of ways, including onboard vehicles where it cannot be wirelessly retrieved or in a central location where the data is wirelessly transferred. Nine of the 11 surveyed companies also said they contract with third-party companies to provide the data-collecting features that they offer, three of which in turn license third-party companies to transmit and store data associated with the features.
However, Markey’s report found that most manufacturers did not describe “effective means to secure the data” they collect. “In the case of onboard storage, no manufacturer described any security system to protect that data, and several of them noted that no security measure is needed since accessing data would require a hardwire connection.”
Of the manufacturers who wirelessly transmit vehicle data, only six companies responded: five provided vague responses naming encryption, passwords, or general IT security practices; and only one “specifically mentioned that they designed their systems to limit the transfer of personally identifiable information.”
In November, the Alliance of Automobile Manufacturers—which represents 12 of the companies surveyed for Markey’s report—announced new privacy principles, including increasing consumer awareness of privacy practices through owner manuals and company websites, protecting drivers’ sensitive information, and outlining the limited circumstances where driver data will be shared.
These steps show that manufacturers are committed to protecting consumer privacy, Markey’s report says, but the impact of the principles depends “in part on how the manufacturers interpret them.” This is because the transparency efforts are unclear and may go unnoticed by consumers, guidelines for consumer choice only address data sharing and not data collection, and “the guidelines for data use, security, and accountability largely leave these matters to the discretion of the manufacturers.”
These steps might also not be enough to prevent legal action. In March, Dallas attorney Marc Stanley filed a class action lawsuit in California against Toyota, Ford, and GM for failing to ensure that their vehicles function properly and safely, free from defects, when it comes to cybersecurity.
“Because defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others,” the lawsuit alleges.
Markey has also proposed taking action against auto manufacturers by introducing legislation cosponsored with Sen. Richard Blumenthal (D-CT). That legislation would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers’ privacy.
“We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century,” Markey explained in a statement.
His proposed standards include requirements that all wireless access points in cars be protected against hacking and evaluated through penetration testing, that all collected information be secured and encrypted to prevent unwarranted access, and that manufacturers or third-party firms be able to detect, report, and respond to real-time hacking events.
Markey also called for a cyber dashboard to inform consumers how the vehicle protects drivers beyond the minimum standards he’s proposed, similar to how fuel economy is labeled on new vehicles today.
In the meantime, Berman says individuals who are high-value targets, like executives and diplomats, should consider the cybersecurity of the vehicles they’re being transported in. Vehicles may need to be digitally hardened—just as they are physically hardened with bulletproof glass and armor.
“There are probably measures that can be taken to reduce the vulnerability of the vehicles, but it would require specific modifications to the vehicle to harden it in the same way that you would harden it physically,” he explains. “Take a look at the communications that the vehicle is capable of and look at the potential for eliminating those devices, or disabling them, for vehicles that are being used to transport high-value targets.”