As reported by Dark Reading: If you drive a 2014 Jeep Cherokee, a
2014 Infiniti Q50, or a 2015 Escalade, your car not only has
state-of-the-art network-connected functions and automated features, but
it's also the most likely to get hacked.
That's what renowned researchers Charlie Miller and Chris
Valasek concluded in their newest study of vulnerabilities in modern
automobiles, which they will present Wednesday at Black Hat USA in Las Vegas.
The researchers focused on the potential for remote attacks, where a
nefarious hacker could access the car's network from afar -- breaking
into its wireless-enabled radio, for instance, and issuing commands to
the car's steering or other automated driving feature.
The researchers studied in-depth the automated and networked
functionality in modern vehicle models, analyzing how an attacker could
potentially access a car's Bluetooth, telematics, or on-board phone
app, for example, and using that access to then control the car's
physical features, such as automated parking, steering, and braking.
Some attacks would require the attacker to be within a few meters of the
targeted car, but telematics-borne attacks could occur from much
farther away, the researchers say.
Not surprisingly, the vehicles with fewer computerized and
networked functions were less likely to get attacked by a hacker. "The
most hackable cars had the most [computerized] features and were all on
the same network and could all talk to each other," says Miller, who is a
security engineer at Twitter. "The least hackable ones had [fewer]
features, and [the features] were segmented, so the radio couldn't talk
to the brakes," for example.
The 2014 Infiniti Q50 would be the easiest of all to hack
because its telematics, Bluetooth, and radio functions all run on the
same network as the car's engine and braking systems, for instance,
making it easier for an attacker to gain control of the car's
computerized physical operations.
Different vehicles had different network configurations:
Some had Bluetooth on a separate network than the steering and
acceleration systems.
The researchers say the 2014 Dodge Viper, the 2014 Audi A8,
and the 2014 Honda Accord are the least hackable vehicles. They ranked
the Audi A8 as the least hackable overall because its network-accessible
potential attack surfaces are separated from the car's physical
components such as steering, notes Miller. "Each feature of the car is
separated on a different network and connected by a gateway," he says.
"The wirelessly connected computers are on a separate network than the
steering, which makes us believe that this car is harder to hack to gain
control over" its features.
By contrast, the 2014 Jeep Cherokee runs the "cyber
physical" features and remote access functions on the same network,
Valasek notes. "We can't say for sure we can hack the Jeep and not the
Audi, but… the radio can always talk to the brakes," and in the Jeep
Cherokee, those two are on the same network, he says.
Worries over the cyber security of cars is gaining traction
ever since Miller and Valasek's 2013 DEF CON car-hacking research, where
the pair demonstrated how they were able to hack and take control of
the electronic smart steering, braking, acceleration, engine, and other
functions of a 2010 Toyota Prius and 2010 Ford Escape. That research
focused on what a bad guy could do if he could get inside the car's
internal network, and the researchers physically test-drove the hacks
they discovered.
While the pair didn't get much response from Ford and Toyota
after providing the carmakers with detailed documentation of their
findings, the automobile industry meanwhile appears to be waking up to
the potential cyber risks to cars: The Alliance of Automobile
Manufacturers and the Association of Global Automakers last month announced plans
to address growing concerns over security weaknesses and
vulnerabilities in new and evolving vehicle automation and networking
features. The industry is now forming a voluntary mechanism for sharing
intelligence on security threats and vulnerabilities in car electronics
and in-vehicle data networks -- likely via an Auto-ISAC (Information
Sharing and Analysis Center).
IPS "under the hood"
Meantime, there are
ways to potentially lock down these advanced features in today's modern
vehicles. Miller and Valasek have built a prototype device that detects
and stops a cyber attack. They describe it as a sort of intrusion
prevention system (IPS) inside a car that would detect that an attacker
that had broken into the car's networked radio, and stop him from
sending the braking system a message to lock up, for example."It's a device you could plug into the car to stop any of the attacks we've done and that others have done," says Valasek, who is director of security intelligence for IOActive.
The researchers in their Black Hat presentation will show
video clips of the prototype and how it can stop an attacker. The device
basically plugs into a vehicle's diagnostic port.
"It's mostly about an algorithm that detects attacks and prevents them," Miller says. "You could put it under the hood."
Miller and Valasek say their work studying security
weaknesses in vehicles is an attempt to get ahead of the threat: The
risk of your car getting hacked today is relatively low. And it doesn't
mean you shouldn't buy a car loaded with technology, they say. "This is
really an opportunistic attack," Valasek says. "It takes a lot of time,
effort, dedication, and money to figure out how to perform one of these
attacks and to succeed doing it. Joe Consumer doesn't have to worry, but
if you're a high-profile person with a lot of technology in your
vehicle, it's something to consider."
They say they are conducting this research now ahead of the
game and before it gets easier for attackers to exploit these car
network and automation features -- a window that they think could close
in the next five years.
The researchers -- who at Black Hat will provide more
details of their findings and release their paper on them -- have
provided carmakers the report. They're hoping the car companies will
take the threat seriously and offer ways to lock down weaknesses and
vulnerabilities as well as technology to detect and deflect an attack.
No comments:
Post a Comment