Nissan, General Motors, Tesla – and many other automakers are racing to develop vehicles capable of autonomous driving. While many near-term solutions rely on line-of-sight technology (radar, LIDAR, cameras, etc.), the future, as recently proposed by NHTSA, is V2X. V2X is the term used to describe the collective network of vehicles in motion – vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I).
To address the OMG-hackers-will-crash-us anxiety NHTSA announced an effort on automotive cybersecurity to help establish and share “best practices” for and to the automotive industry. Last week the agency released three more studies to support their effort, known as the Automotive Cybersecurity Research Program.
- Characterization of Potential Security Threats in Modern Automobiles
- National Institute of Standards and Technology (NIST) Cybersecurity Risk Management Framework Applied to Modern Vehicles
- A Summary of Cybersecurity Best Practices
Characterization of Potential Security Threats in Modern Automobiles
This report focused on using current industry practices to establish a framework threat model to identify specific cyber vulnerabilities in the automobile and examine their impact. Here is an example of the proposed matrix:
The report also lists 11 ways in which your vehicle could be attacked. If you suffer from any form of anxiety issue I recommend skipping this part.
A person with physical access to the vehicle attaches a custom device to the OBD-II port. The device has the capability to run a program which can monitor vehicle parameters over the CAN bus and execute the CAN device control service, which can send a data packet normally used when building and testing the vehicle to the EBCM. This could diminish or prevent the use of brakes when a programmed set of conditions takes place, if there is linkage to the EBCM through the OBD-II data bus.
A person with physical access to the vehicle installs a wireless interface to the USB port which can remotely send commands to the vehicle data bus such as to activate the vehicle’s horn [6, 7]. This could happen via short range proximity wireless or long range wireless pathways.
Engine Halt Air Bag
An owner installs an after-market radio purchased from a third party, which may come with on-board malware that can access a vehicle data bus (assuming there is a pathway) and could potentially mimic the air bag deployed message from the inflatable restraint sensing and diagnostic module to the ECM. The ECM reads the forged packet and shuts down the engine at highway speeds.
Portable Device Injection
The owner downloads music from an untrusted source and creates a CD. The downloaded file could contain specific malware that when played sets the dominant state node for the infotainment unit for that vehicle and then uses the infotainment unit to launch a denial-of-service type of attack against the BCM. As the attack takes place, the instrument cluster may freeze in its current state, and when the vehicle is turned off, it may not allow the vehicle to be restarted without communication to the BCM being reestablished first.
The LAN at the service department gets compromised. When an automobile is connected to the dealership’s network via the OBD-II port during the process of providing service, the attacker could install malware that could be exploited later on, using the service department’s computers as a pass-through.
An attacker calls the car’s embedded cell number and launches malicious code that defeats the analog-to-digital modem’s software security challenge via a buffer overflow attack. Once the software modem is compromised, the attacker could gain access to the telematics unit. The malicious code then could cause the telematics unit to connect to an IP address. Once a connection to the IP address is established, the attacker could use the telematics unit as an entry point to download and run further malicious code, which could execute subsequent attacks that feed automotive systems false sensor data, resulting in erroneous action.
Key Fob Cloning
An attacker exploits vulnerabilities in the theft alarm system to make a clone of a key fob, which provides full access to the car.
Long Distance Keyless Entry Repeater Version
When the vehicle is parked, a team of attackers uses loop antennas and wireless repeaters to relay the polling request from the driver’s key fob to the vehicle to get access. The same method could also be used to start the vehicle.
Call Center Fleet Attack
A hacker group gains control of servers at a telematics call center. The hackers then could issue engine disable commands to all cars under their control from the compromised call center.
Car Rental or Lease
A person with access to a large number of vehicles that are typically operated by others, such as a rental car employee, could potentially install malware via physical access to the vehicle. The malware could take the form of any of the attack types described in this section.
An end-of-line programming station gets compromised with malware. The malware is downloaded into ECUs during the manufacturing process. The malware could be designed to execute under specific conditions and time periods. The malware could take the form of any of the attack types described in this section.
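Several of the scenarios above (the infotainment denial-of-service against the BCM, the forged “air bag deployed” packet to the ECM) show up on the bus as traffic that departs from what the vehicle normally sends. As an added illustration, not part of the NHTSA reports, here is a minimal CAN monitor that learns per-ID message rates from known-good traffic and then flags floods and never-before-seen IDs; the arbitration IDs and the sample frames are constructed for the example and do not come from any real vehicle.

```python
from collections import defaultdict

# Hypothetical arbitration IDs (constructed for this example, not a real vehicle's).
ID_SPEED = 0x1A0      # periodic vehicle-speed broadcast
ID_AIRBAG = 0x2B1     # "air bag deployed" status from the restraint module
ID_INFOTAIN = 0x3C0   # infotainment unit messages on the shared bus


def window_counts(frames, window=1.0):
    """Count frames per (time-window index, arbitration ID)."""
    counts = defaultdict(int)
    for ts, can_id, _data in frames:
        counts[(int(ts // window), can_id)] += 1
    return counts


def learn_baseline(frames, window=1.0):
    """Per-ID maximum frames-per-window observed in known-good traffic."""
    baseline = defaultdict(int)
    for (_w, can_id), n in window_counts(frames, window).items():
        baseline[can_id] = max(baseline[can_id], n)
    return dict(baseline)


def detect(frames, baseline, window=1.0, factor=3.0):
    """Return (window, id, reason) for unknown IDs and for IDs that exceed
    factor x their baseline rate, i.e. a bus flood / denial of service."""
    alerts = []
    for (w, can_id), n in sorted(window_counts(frames, window).items()):
        if can_id not in baseline:
            alerts.append((w, can_id, "unknown-id"))
        elif n > factor * baseline[can_id]:
            alerts.append((w, can_id, "flood"))
    return alerts


def _frames(can_id, hz, start, end):
    """Generate periodic frames (constructed sample traffic)."""
    n = int((end - start) * hz)
    return [(start + i / hz, can_id, b"\x00") for i in range(n)]


# Two seconds of normal driving: speed at 10 Hz, infotainment at 2 Hz.
GOOD = sorted(_frames(ID_SPEED, 10, 0, 2) + _frames(ID_INFOTAIN, 2, 0, 2))
# Same traffic plus an infotainment flood in second 2 and one forged airbag frame.
ATTACK = sorted(GOOD + _frames(ID_INFOTAIN, 200, 1.0, 2.0) + [(1.5, ID_AIRBAG, b"\x01")])

if __name__ == "__main__":
    for alert in detect(ATTACK, learn_baseline(GOOD)):
        print(alert)
```

A rate baseline is the simplest useful check; a production monitor would also validate that a status message such as “air bag deployed” is consistent with the crash sensors before any ECU acts on it.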
Many of these examples you’ve probably heard before, but a few were new to me. I hadn’t considered malware being preloaded into vehicle components at the supplier level or uploaded on the production line. Because we are so focused, at least in the media, on how a person can gain access to a vehicle remotely, I hadn’t considered the various times and places where “bad guys” can get into a car with ease.
NIST Cybersecurity Risk Management Framework Applied to Modern Vehicles
Think of NIST as America’s college of standards – a group of engineers and scientists focused on identifying risks and then developing standards to minimize the exploitation of those identified risks.
The authors had only one recommendation:
Automakers need to establish a “Security Control Catalog” to ensure safeguards and countermeasures are in place to “protect the confidentiality, integrity, and availability of the system and its information.”
A Summary of Cybersecurity Best Practices
To summarize the summary of this summary’s summary – researchers from Volpe National Transportation Systems Center looked at government and non-government systems to find “best practices” regarding safeguards associated with safety-critical electronic control systems. The result was the color-coded graph below that highlights the “life-cycle process” of safeguarding automotive components. Yes, I agree. I have no idea what this says either.
The bread and butter of this report, the part you need to know, is under “Challenges and Issues,” on page 28.
- The transportation mission is currently safety focused, not security focused.
- There is a perception that there is “No Return on Investment for security.”
- IT security best practices are being applied to operational systems (the normal approach to cybersecurity – add security measures after fielding).
- Skillsets for cybersecurity tend to lie in the IT core competency and are not with developers.
While self-driving vehicles and V2V technology have caused a renewed interest in vehicle hacking, these reports remind us that cars today are jam-packed with ways in which bad guys could gain access and do very bad things.
Going forward we will likely see new industry standards and efforts by automakers to ensure they have supplier assurances specific to intrusion and, like Toyota, many will start or further deploy robust on-board countermeasures for system intrusion and misinformation.
Damned if you do, damned if you don’t
The one part missing from this post is a topic I’ve seen surface again and again in documents from automakers on the subject of connected vehicles – liability.
NHTSA acknowledged a simple fact on V2V – the only way it works is if all cars are connected. The only way to ensure all cars are connected is to make technology mandatory. Now that NHTSA has said V2V will likely be mandatory, automakers have a foundation for liability reform.
Automakers have expressed a need for liability reform before they can comply with a connectivity mandate. They’ve gone as far as comparing V2V to nuclear power, saying that precedent exists for liability reform. In a nutshell, automakers and their suppliers don’t want to be held liable if or when a connected component is compromised. As you’d expect, statements on liability reform are absent from automakers’ pronouncements on self-driving.
Getting back to cybersecurity: if a system is hacked and liability occurs, is the automaker at fault if there are no standards for automotive cybersecurity? Will there be a new cybersecurity Federal Motor Vehicle Safety Standard? Will NHTSA oversee compliance? There will likely be many more questions that come up as we move towards a more-connected vehicle.
Expect to see a push from automakers on liability reform as we move closer to a V2V mandate. Automakers and suppliers will likely lobby Congress for legislation to provide the industry some form of immunity or additional court relief from liability should these systems fail or not work as intended.