LAS VEGAS – The electronics in cars have become complex computing networks unto themselves, according to researchers at Black Hat Briefings and DEF CON security conferences in Las Vegas this past week (Aug. 3-7).
Monitoring systems, mapping and directions programs, roadside assistance apps, sensors and cameras are but a few of the independent apps and networks controlling today’s automobiles.
Consider that each of these apps uses its own signaling technology and protocols (WiFi, Bluetooth, GPS, cellular, dedicated networks, etc.) to communicate internally, or with other vehicles on the road, and to phone home for updates, and you begin to understand all the access points bad guys can take to control a moving vehicle to cause damage and loss of life.
“Today’s vehicles have more than 100 million lines of code,” says Craig Hurst, who, as director of Intel’s transportation division, was at DEF CON tirelessly pitching the new Automotive Security Review Board (see https://asrb.org), of which he is also executive director. “Think of today’s vehicles as systems of systems that get much more complex as vehicles get smarter.”
Since 2013, multiple reports have cited that there are more than 100 million lines of code in automotive systems, including in a 2015 NY Times article here: http://www.nytimes.com/2015/09/27/business/complex-car-software-becomes-the-weak-spot-under-the-hood.html?_r=0 .
But with autonomous driving vehicles being developed for tomorrow (think 2020 or a little beyond), the time is now for organizations like the ASRB to promote common standards and best practices across all chip makers, application makers and parts manufacturers that go into the ecosystem of autonomous driving cars.
But that’s a little tricky when the auto makers’ immediate interests conflict with the hackers’ discoveries, something Charlie Miller and Chris Valasek, who work in security at Uber ATC, lamented during their Black Hat press meeting on Thursday, August 4. Their published exploits against their own 2013 Jeep Cherokee showed, among other things, the ability to remotely drive the car into a ditch.
During the press conference at Black Hat, the researchers laughingly joked that they “paid for the tow truck” to get their car out of that ditch themselves, and added that their exploits have been expensive and time consuming but worth the effort. Then they grew serious and even obtuse when asked about their relationship with the automakers and their ability to effect change. The manufacturers, they said, normally don’t get back to them, so they don’t know if they’re effecting change or not.
Despite the friction between manufacturers and hacker researchers, such efforts are indeed driving change, especially when you consider that Miller and Valasek’s hacks on the 2013 Jeep Cherokee led to the recall of more than 1.4 million vehicles. See my 2015 Black Hat/DEF CON blog post here: http://derad.typepad.com/onlinecrimebytes/2015/08/internet-of-interconnected-technologies-or-iit-black-hat-and-def-con-2015.html, about how they brought the same Jeep into Bally’s and demonstrated some of their ‘safer’ remote hacks (locking and unlocking doors, etc.).
Recalls and updates bring about another serious risk with software-laden passenger vehicles: Along with requiring layers of security within these ‘moving’ vehicle networks, security controls must also consider how to safely update and patch these auto applications when new vulnerabilities are discovered.
Manual recalls are unbearably expensive and traditionally difficult on both makers and buyers. However, updating the software in a moving vehicle could be catastrophic if it requires a system reboot or shutdown, as most hardware updates call for today in our phones and handheld devices.
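The two requirements in the preceding paragraphs, that an over-the-air patch be authentic and that it never take effect while the vehicle is moving, are easy to state and easy to get wrong in the ordering. The sketch below is an added illustration, not code from any automaker, ASRB or the researchers named in this post. It models one ECU with an active image and a staging slot: a package is accepted only if its signature verifies and its version is newer than what is running (no rollback to a vulnerable build), and the staged image is switched to only when the vehicle reports a safe state. The component name, version numbers, payloads and the signing key are all constructed for the example; the HMAC is a stand-in for the asymmetric signature a real fleet would verify with a public key burned into the ECU.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed demo key. In a real vehicle the ECU holds only the OEM's public
# key and the package carries an asymmetric signature; HMAC is used here so the
# example runs with the standard library alone.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class UpdatePackage:
    component: str       # which ECU image this targets, e.g. "infotainment"
    version: int         # monotonically increasing build number
    payload: bytes       # the firmware image itself
    signature: bytes     # MAC over component | version | sha256(payload)


def _message(component: str, version: int, payload: bytes) -> bytes:
    # Bind component and version into the signed data so a valid signature for
    # one image cannot be replayed against another ECU or an older version.
    return (component.encode() + b"|" + str(version).encode() + b"|"
            + hashlib.sha256(payload).digest())


def sign_package(component: str, version: int, payload: bytes,
                 key: bytes = SIGNING_KEY) -> UpdatePackage:
    sig = hmac.new(key, _message(component, version, payload), hashlib.sha256).digest()
    return UpdatePackage(component, version, payload, sig)


def verify_package(pkg: UpdatePackage, key: bytes = SIGNING_KEY) -> bool:
    expected = hmac.new(key, _message(pkg.component, pkg.version, pkg.payload),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, pkg.signature)


@dataclass
class Ecu:
    component: str
    active_version: int
    active_image: bytes
    staged: Optional[UpdatePackage] = None   # downloaded but not yet running
    log: List[str] = field(default_factory=list)

    def stage(self, pkg: UpdatePackage) -> str:
        """Validate a downloaded package and park it in the inactive slot."""
        if pkg.component != self.component:
            return self._reject("wrong component")
        if not verify_package(pkg):
            return self._reject("signature check failed")
        if pkg.version <= self.active_version:
            return self._reject("rollback to version %d refused" % pkg.version)
        self.staged = pkg
        self.log.append("staged version %d" % pkg.version)
        return "staged"

    def activate(self, speed_kph: float, ignition_on: bool) -> str:
        """Switch to the staged image only when the vehicle is parked and off."""
        if self.staged is None:
            return "nothing staged"
        if speed_kph > 0 or ignition_on:
            self.log.append("activation deferred: vehicle not in safe state")
            return "deferred"
        self.active_version = self.staged.version
        self.active_image = self.staged.payload
        self.log.append("activated version %d" % self.active_version)
        self.staged = None
        return "activated"

    def _reject(self, reason: str) -> str:
        self.log.append("rejected: " + reason)
        return "rejected"


if __name__ == "__main__":
    ecu = Ecu("infotainment", active_version=7, active_image=b"build-7")
    good = sign_package("infotainment", 8, b"build-8")
    print(ecu.stage(good))                      # staged
    print(ecu.activate(speed_kph=65, ignition_on=True))   # deferred
    print(ecu.activate(speed_kph=0, ignition_on=False))   # activated
    print(ecu.active_version)                   # 8
```

The order of checks matters: signature before version, so an attacker cannot probe the version logic with unsigned data, and both before anything is written to the staging slot. Deferring activation to a parked, ignition-off state is what keeps a patch from becoming the very shutdown-on-the-highway event the paragraph above warns about.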
That’s why the National Highway Traffic Safety Administration (http://www.nhtsa.gov/Research/Crash+Avoidance/Automotive+Cybersecurity), the Automotive ISAC (http://www.autoalliance.org/auto-issues/cybersecurity) and other new groups like the ASRB are working now to protect cars of the future, because those cars are being developed today.
Let’s hope they get it right sooner rather than later: These new vehicles will have more code and a wider variety of apps (almost all chip-based) than some enterprise networks. The last thing we want holding up progress is conflicting standards and protocols that lead to the age-old interoperability vs. best-of-breed problems that have plagued enterprise security operations to this day.