Connectivity Complicates Vehicle Cybersecurity
Print Issue: November 2020
Vehicles today are more like computers on wheels. Each new car and truck on the road comes equipped with numerous electronic control units that provide drivers with enhanced safety features and sensors—including tire pressure monitoring, lane departure notifications, and braking alerts.
Additionally, vehicle manufacturers are offering mobile applications that allow drivers to check diagnostics, lock the doors, and locate their vehicle should they not remember where they parked, all from a smartphone.
But these advancements also create opportunities for malicious actors to compromise the controls in a vehicle. In 2018, vehicle security research group Sky-Go Team, from 360 Group, discovered a vulnerability in the Mercedes-Benz E-Class car that allowed them to unlock the door of a vehicle and start the engine. More concerning, however, was that the vulnerability potentially impacted all Mercedes-Benz connected cars in China—approximately 2 million vehicles.
At Black Hat USA 2020, researchers Minrui Yan and Jiahao Li shared how they were able to infiltrate the Mercedes-Benz system of the vehicle they had access to. Once they had accessed the computer system of the individual vehicle, Mercedes’ back-end server did not request further authentication—allowing the researchers to gain additional access and potential partial control of other vehicles in China, they explained.
Yan and Li documented their work and then submitted it to Mercedes through the vulnerability disclosure program on the company’s website. This set the wheels in motion at Mercedes to mobilize an internal investigation team, communicate with the researchers, and analyze and prioritize fixing the vulnerabilities, said Guy Harpak, head of product security at Mercedes-Benz R&D.
The goal was to have a plan that “within 48 hours we can fix all the vulnerabilities,” Harpak added in the Black Hat presentation. Mercedes was able to do this by setting up selective blocking on its internal servers, which ensured that no one could take advantage of the vulnerabilities while Mercedes fixed them with minimal impact on customers.
Mercedes forensic teams also “looked at recorded data to ensure there was no evidence of other attackers that were able to exploit the vulnerabilities in the past,” Harpak said.
Mercedes ultimately presented the Sky-Go Team researchers with an excellence award for notifying the company of the vulnerabilities and working with its security team to address them.
“At Mercedes-Benz, we value the expertise of the security community,” said Adi Ofek, CEO of Mercedes-Benz R&D in Tel Aviv, Israel, and holder of the mandate for car IT security at Mercedes-Benz, in a press release. “Therefore, we highly appreciate the knowledge of the Sky-Go Team…. Their efforts and passion are a significant contribution to help further secure our vehicles.”
Security researchers have been at the forefront of highlighting vulnerabilities in vehicles. In one of the most public demonstrations, security researchers took control of a Jeep Grand Cherokee operated on a freeway by WIRED reporter Andy Greenberg in 2015. Their research helped spur U.S. Senator Ed Markey (D-MA) to introduce legislation to create standards for vehicle cybersecurity—a process that remains stalled in Congress, as of Security Management’s press time.
Before that vulnerability was made public, however, the FBI’s Emerging Technology Team was looking at the ways malicious actors could compromise vehicles, says Robert Lawton, cyber intelligence analyst for the Bureau and a member of the team.
“Once the WIRED article came out—and the possibility for hacking vehicles came to the public’s attention—we began looking at what is the actual potential use for an adversary to do it against a targeted vehicle or against a fleet of vehicles,” Lawton explains.
The FBI’s team does not have access to its own fleet of vehicles for hacking. But it does work to identify threats by reviewing research and sharing information with stakeholders. Those findings are then pushed through to interagency partners—like the U.S. Department of Transportation and the Cybersecurity and Infrastructure Security Agency—and private sector partners—like vehicle manufacturers—to address.
“In the event we come up with a threat, we have mechanisms to share that rapidly,” Lawton says. “A lot of this is identifying the potential of the threat and leveraging our partners and our stakeholders to exchange information.”
This ability to share information was demonstrated in summer 2020 when the FBI issued a Private Industry Notification (PIN) that informed stakeholders in the trucking industry that cyber criminals could exploit vulnerabilities in electronic logging devices (ELDs).
Nearly all drivers and carriers (truck fleet operators) are required to install ELDs in their vehicles. The devices electronically send inspection reports to the Federal Motor Carrier Safety Administration (FMCSA) and are connected to the vehicle’s electronic control module to track date, time, location information, engine hours, vehicle miles, user identification data, vehicle identification data, and motor carrier identification data.
“ELDs must also permit wireless connectivity,” according to the PIN. “As a result, ELDs create a bridge between critical vehicle components and wireless data transmission, such that the vehicle components themselves can be accessed remotely through Wi-Fi or Bluetooth.”
This connectivity poses cyber risks to the vehicles that could have physical ramifications. Researchers found that many ELD manufacturers did not follow cybersecurity best practices when creating their products and that they were vulnerable to compromise, the PIN said.
“Researchers demonstrated the potential for malicious activity to remotely compromise the ELDs and send instructions to vehicle components to cause the vehicle to behave in unexpected and unwanted ways,” the Bureau explained. “Although the ELDs are only intended to allow the logging of data from the engine, in practice some self-certified ELDs allow commands to be sent to the truck engine via their connection to the [electronic control module].”
These commands, for example, could be used to affect the accuracy of information displayed on the vehicle’s console display or the vehicle’s functions. And ELDs with more advanced functions and connections could allow cyber actors to gain access to corporate networks to obtain personal information, business records, and vehicle tracking information.
“With that access, financially motivated cyber criminals would also be positioned to install malware such as ransomware, preventing the ELD, the vehicle, or connected telematics services such as dispatching or shipment tracking from operating until the ransom is paid,” according to the PIN.
Prior to 16 December 2019, ELDs were not mandatory in vehicles. That was changed as a measure to make the trucking industry safer, but ELDs were not required to meet any cybersecurity or quality assurance requirements before being installed.
“As a result, no third-party validation or testing is required before vendors can self-certify their ELDs,” the Bureau explained. “Businesses choosing an ELD to use on their networks must therefore conduct due diligence themselves to mitigate their cyber risk and potential costs in the event of a cyber incident.”
The likelihood that a truck’s ELD will be compromised is low, but it is possible; and if malicious actors chose a high-priority truck—such as one carrying a load of hazardous chemicals—the ramifications could be extremely serious, says Doug Morris, director of security operations for the Owner-Operator Independent Drivers Association (OOIDA).
OOIDA represents more than 160,000 members in the United States and Canada who own or operate more than 240,000 heavy-duty trucks and small truck fleets. When the ELD requirement was being debated by Congress, Morris says OOIDA stressed to lawmakers the need to address the systems’ cybersecurity vulnerabilities—and their potential effect on supply chains.
“One big thing we’ve learned from history is if you want to cripple a country, you can do it by crippling the supply chain,” Morris says.
Since owners and operators have installed ELDs, Morris says OOIDA has received complaints that drivers are experiencing gauge malfunctions, engine revs, and other issues that they traced back to the ELDs.
And when OOIDA has questioned ELD manufacturers about addressing these risks, Morris says they have not been forthcoming.
“There’s nothing to hold the ELD manufacturers to tell the truth,” he adds. “But they’re a manufacturer trying to sell a piece of merchandise and they’re going to tell you whatever they want you to hear.”
OOIDA requested that FMCSA introduce cybersecurity requirements and best practices for ELD manufacturers to follow, but the agency has not taken those steps and has no plans to. This is concerning, Morris says, both for truck operators now and for the future as Tesla and other manufacturers seek to create fully autonomous trucks.
Instead, the FMCSA has focused its efforts on providing ELD security fact sheets, briefing papers, and reminders to drivers and carriers about the need to be vigilant about cybersecurity.
“FMCSA takes matters of cybersecurity very seriously,” an agency spokesperson says. “Since the implementation of the ELD rule in December 2017, the agency has not encountered a cybersecurity breach of ELDs. The agency has issued technical specifications based on best practices industry standards from the National Institute of Standards and Technology.”
In the meantime, the FBI PIN included a list of questions that truck owners and operators should ask their ELD manufacturers, including whether the communication between the engine and the ELD is enforced, whether technical standards or best practices were followed in the device’s development, whether the component has had penetration tests, and whether the device has secure boot.
“Insecure devices, even if not specifically targeted by cyber criminals, can experience issues in stability or performance resulting from interference or opportunistic infection,” according to the PIN. “An active approach to vetting ELD options before implementation is a small up-front investment of time that mitigates the risk of costly or disruptive cyber incidents in the long run.”