This scene sounds like it could come out of a Hollywood thriller: A police officer driving his car suddenly loses control. It’s been taken over by a hacker, who has control of the steering wheel, the brakes, the accelerator, the door locks. He’s gained access to the radio system. Most likely, the hacker has malicious intentions.
Is this scene actually possible? As research in the past few years demonstrates, yes, most definitely. As vehicles become more complex and connected, they become more vulnerable to vehicle cybersecurity attacks. And it’s not just physical vehicle control we’re talking about — at risk are also access to databases the vehicle is connected to, privacy of in-vehicle conversations and calls, and the location of every connected vehicle in an entire fleet.
But is hacking a true threat, and what can fleets do about it?
Hacking a Police Car
Researchers have been exploiting vehicle vulnerabilities to determine just how much of a threat it is, and to discover solutions. In 2015, two researchers hacked a Jeep Cherokee in a highly publicized project, leading to a recall of 1.4 million vehicles.
Also in 2015, a group of organizations working on cybersecurity hacked into Virginia State Police (VSP) vehicles — a 2012 Chevrolet Impala as well as a 2013 Ford Taurus, according to Dark Reading, a cybersecurity news site. Researchers physically tampered with the vehicles and were able to remotely control the gearshift, instrument panel, and engine, as well as opening the trunk and locking and unlocking doors. They also accessed the vehicle via Bluetooth and compromised key fobs.
In response to recommendations from the Virginia Cyber Security Commission, Governor Terry McAuliffe called for a public/private voluntary working group to explore issues surrounding cybersecurity as related to the VSP. A group consisting of representatives from various public and private organizations, including VSP, MITRE Corporation, and the University of Virginia, conducted the nine-month study.
The group publicly demonstrated more than 15 different attacks on a patrol car that could be done from outside the vehicle. The project’s goal was to determine how to know if an attack had happened and how to fix it, said Barry Horowitz, chair of the Systems and Information Engineering Department at UVA, who worked on the VSP project and also works with the U.S. Department of Defense on addressing cybersecurity for physical systems.
The main takeaway from the project, he said, is awareness.
“The VSP gained a much increased understanding of their cybersecurity issues. They would tell you — and it’s true — that they are not vulnerable to cyberattacks that might be initiated through their police radio systems. However, they did not have full knowledge of other ways that the car could potentially be accessed,” he explained.
He added that the police also became more aware of the role the vehicle’s OBD-II port plays with regard to cybersecurity attack risks.
“It could take a short time for a capable attacker to gain access to the OBD-II port in a car, assuming that they can gain physical access to the car,” Horowitz said.
The findings may sound scary, but Karen Jackson, the Commonwealth of Virginia’s Secretary of Technology, said fleet managers and the public shouldn’t panic. The demo was done by a group of researchers and engineers putting a lot of effort into the project and isn’t something somebody driving by a vehicle could easily do.
“Car hacks are not something that’s a commonplace occurrence,” she said. “And so the idea behind the group that’s been doing the work, the awareness that we continue to build, is really just meant to be a conversation starter, so that as we move to next-generation vehicles, we start to look at those sorts of evolutions in car capabilities,” she said.
As vehicles become more complex and connected, they become more vulnerable to vehicle cybersecurity attacks.
How to Get In
There are between 30 and 40 different wireless entry points on any current car, said Glenn Atkinson, vice president of product safety at Geotab, a telematics provider. In addition to physical access, hackers can get in the system via Bluetooth and a key fob, as Horowitz explained. Other entry points include Wi-Fi and cellular systems, the radio system, the tire pressure monitoring system, and even playing a corrupted CD.
There’s information available that will allow people to hack a vehicle, including a handbook on how to do just that.
“It depends on your background, but I definitely don’t think it’s hard,” said Craig Smith, author of “The Car Hacker’s Handbook” and CEO of consulting firm Theia Labs. Smith has a security background and has worked for the government as a defense contractor.
And although a hack may be difficult, once it’s done once, it becomes much easier, said Daniel Miessler, director of advisory services for IOActive, the company responsible for the Jeep Cherokee hack.
“What’s difficult three years ago often becomes extremely trivial within a year or two. The attacks build upon each other,” he explained. “The community of both black hat and white hat hackers improve and they teach each other.”
That means even when a flaw is fixed, that knowledge of how the vehicle works is out there, which makes it easier to find additional flaws.
The Issue of Telematics
There is increasing use of telematics in fleet. The federal government mandated the deployment of telematics on new light-duty federal vehicles by the end of 2017. Telematics gives fleet managers more visibility and can allow them to make cost-saving decisions, but it also increases vulnerabilities.
In fact, a 2014 white paper from IOActive called telematics the “holy grail of automotive attacks” because of the broad range.
“Any time you add complexity to a system, you make it easier for attackers,” Miessler said. “You have a more complex car. Then, you add all this functionality to the car. You add an update system, and then you add a telematics system. You’re adding additional systems that we can use to attack.”
Agencies need to be extra careful if the telematics system is connected to a corporate or secure network on the back end, which could allow access to even more data.
“Our research is focused on being able to go from a car to a telematics system, attack the telematics system, and then pivot to other types of systems that it could be connected to,” Miessler said. An attacker could use telematics access to get into employee information or sensitive police data.
When it comes down to security of telematics devices, “You have to exercise discretion here because not all third-party devices that connect to cars are made with the same integrity and the same implementation,” said Atkinson of Geotab. “And so you want to make sure you’re using one from a trusted source.”
Smith said when choosing a telematics vendor, customers should ask how the company handles security issues. How does it fix bugs, push down updates, and respond to issues?
Atkinson suggested customers ask vendors, “Show me what systems you have in place, what your process is to ensure cybersecurity is current and at the best industry practices.”
"Our research is focused on being able to go from a car to a telematics system, attack the telematics system, and then pivot to other types of systems that it could be connected to," Miessler from IOActive said.
He noted that Geotab has both a formal security center and a public technical and organizational security measures statement. Its website includes a list of the company’s procedures and security precautions, as well as important cyber-related commentary. It employs third-party penetration testers and services to identify vulnerabilities ahead of time. The company can also discuss with clients the provisions it takes to maintain its secure environment.
Atkinson added that the provider is looking to better use data to determine patterns and recognize abnormal behavior, which Geotab could do with its 500,000 connected vehicles.
Patti Kreh, new business development manager for SAE International, a global association of engineers, agrees that telematics providers need to be responsible for security, but it’s not all up to them.
“We can’t assume that every single situation has been thought of by the telematics provider, and we have to have good habits. So we’ve got to make sure that if there are passwords that need to be changed, we’ve done that,” she said, adding that passwords should be assigned to each individual and not shared across the staff.
Looking for Solutions
We’re aware of the risks. Hackers are potentially out there right now, trying to re-route refuse trucks, disable patrol vehicles, steal data, and wreak havoc. What’s the industry doing about this, and what’s available to stop them?
In January, SAE released its Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (standard J3061) written by a committee of more than 130 organizations, including OEMs, suppliers, and government officials.
The standard looks at best practices and provides automakers with guidelines to “design [in security] from the beginning. You determine where potential vulnerabilities are, look at the risk association with each of those, and rate them, and then put your plans in place in order to minimize those risks,” Kreh said.
An SAE committee is also working on a hardware security standard (standard J3101) that will define requirements for security to be implemented in hardware for ground vehicles. Kreh said this would be the first of its kind for the auto industry.
Additionally, the automakers launched an Auto ISAC (Information Sharing and Analysis Center) in 2015 to share intelligence and analysis as well as threat information and potential vulnerabilities related to vehicle cybersecurity.
Meanwhile, Horowitz with the University of Virginia is continuing his research in partnership with various groups.
“We’ve been looking at methods for detecting and responding to successful cyberattacks — before they have achieved their desired consequences,” he said.
Horowitz explained it as such: With active cruise control, a sensor will tell the car’s automatic control system if you’re catching up to the car in front of you using the speed you set, and the car will automatically slow down if it is. In a cyberattack, the attacker could speed up the vehicle instead of letting it slow down. The goal is to stop this attack while it’s happening by detecting the illogical command, thereby enabling the driver to stop or slow the vehicle down.
“The approach that I have taken toward addressing cybersecurity for physical systems is that there are so many potential ways to attack these systems, so that the goal of our work has not been to stop attacks from occurring, but instead to develop a set of new solutions that recognize them when they occur, but before they have physical impact,” he explained.
He is also working with VSP and other state police departments around the country in supporting a consortium initiated by the National Institute of Standards and Technology (NIST) that will collect and share information related to vehicle cybersecurity. He anticipates this consortium will also address best practices regarding deployment of telematics, including how to reduce risk should police departments choose to purchase such systems.
Horowitz said a critical long-term step to improving vehicle cybersecurity is workforce education. The University of Virginia is engaging with the Business-Higher Education Forum to develop a project directed toward enhancing education focused on cybersecurity for physical systems.
The National Highway Traffic Safety Administration (NHTSA) is researching cybersecurity challenges and has partnered with various agencies and companies to do so. The U.S. Department of Transportation’s Volpe Center and the Department of Homeland Security’s Cyber Security Division are both specifically studying cybersecurity among government vehicles.
There are companies offering products that harden electronic control units (ECUs) against foreign code, which would come installed in the vehicle.
Smith said companies that make products that connect to the diagnostic port have stepped up their security game in the past year. They’re beginning to look at third-party audits and reviews to ensure security.
Despite these measures and more, security is never guaranteed, much like on the internet.
“That’s the name of the game with security, basically making it increasingly more difficult for people to do the wrong thing. You’re never actually going to get to complete security,” Miessler with IOActive said.
How to Protect Your Fleet
For a public agency worried about vehicle cybersecurity, there’s nothing you can buy and add to your vehicle to make it more secure. However, there are other preventive measures to take.
The FBI issued a public service announcement in March listing several ways vehicle owners can minimize their vehicle cybersecurity risks: ensuring vehicle software is up to date; being careful when modifying vehicle software; exercising discretion when connecting third-party devices to the OBD-II port; and being aware of who has physical access to the vehicle.
Smith warned fleet managers not to overlook physical attacks, especially as it relates to devices connected via the diagnostic port. Drivers can check the port to see if something unauthorized is connected.
Miessler said fleet managers should know and understand the technology in the cars and what type of data that technology has access to.
“The police fleet is a really good example. They often have multiple computer systems on board. Different computer systems might be able to talk to different locations. You might be able to call up federal data. You might be able to call up local data. This is sensitive law enforcement data that you pull up on citizens. What else is being connected to the car as well? What are the bridges between that system and the car’s systems?” he explained.
They should also be aware of the classification of data to restrict access only to those who need it. Passwords and PINs create another barrier for hackers, he added.
The Future of Vehicle Cybersecurity
Horowitz identified the Virginia State Police’s concern of how to determine whether a vehicle is being hacked, especially if an officer comes to the scene of a collision. Right now, that determination is hard to make.
“The only thing we record right now is event disaster recovery stuff, which is more around a wreck…but nothing from a software perspective,” Smith said. “Nothing to say, ‘Well, the reason they’re accelerating so fast is because something was sending an acceleration signal that wasn’t the physical gas pedal.’ ”
A technician wouldn’t be able to determine this, but Smith thinks in the future, diagnostic tools might be able to tell whether software has been tampered with. And that’s essential to determine fault if, say, an unexplained acceleration leads to a collision. Does fault lie with the driver, is it a vehicle malfunction, or is it an external cyberattack?
Some may fear that publicly available research will provide ammunition for malicious hackers, but those working on these projects say research is essential.
“The idea is you bring sunshine onto the issues so that over time, those issues can be remedied,” said Jackson of the Commonwealth of Virginia.
Smith agreed: “Being in security, I’ve learned over the years that if you come out and talk about security-related issues publicly, they get fixed. If you keep them to yourself, other people still know about them, but that’s where things get used more maliciously,” he said.
Researchers, ethical hackers, OEMs, and software providers are racing to find solutions, and Atkinson from Geotab believes these efforts will prevail.
“We’ve been at this now a few years. Within a few more years I think cybersecurity around vehicles will be at such a level — and the resiliency and recovery plans will be at such a level — that the risk will have been diminished considerably,” he said. “That’s the way I see them changing, but that doesn’t let you take the foot off the pedal right now in terms of the work that needs to be done to get the entire industry up to the same playing field.”