Vehicles most vulnerable to hacking revealed
2014 Jeep Cherokee and Infiniti Q50 top list of vehicles most vulnerable to hacking, according IOActive security professionals presenting at 2014 DefCon. But, what could hackers actually do if they took control of your car? Read on to find out…
FOR ONE WEEKEND, every year, the world’s ‘best’ hackers meet in Las Vegas, US for DefCon. Indeed, more than 15,000 attendees showed up to hear presentations on everything from breaking passwords to evading government surveillance.
The one presentation that has the automotive world buzzing, however, was by Dr Charlie Miller and Chris Valasek who presented their paper detailing the vulnerabilities in some vehicle Electronic Control Units where they communicate with internal systems while also communicating with the outside world.
This presentation builds on the duo’s presentation at DefCon 2013 where they outlined the methods and codes used to take control of both a 2010 Ford Escape and 2010 Toyota Prius. That paper, Adventures in Automotive Networks and Control Units outlined step-by-step the methods and codes needed to breach security in the car’s software and then, pretty much, do whatever they wanted, from turning the vehicles on and off, to operating the brakes and steering and even changing both the odometer and speedo readings.
At the time, the researchers said: “The hope is that by releasing this information, everyone can have an opened and informed discussion about this topic,” the researchers wrote. “This will lead to safer and resilient vehicles in the future.”
“Automobiles have been designed with safety in mind,” Valasek and Miller wrote. “However, you cannot have safety without security.”
Indeed, in one example, the researchers outlined how it was possible to immobilise the brakes on the Ford Escape by accessing and transmitting code via the CAN that told the vehicle to “bleed the brakes”.
“During the bleeding, the brakes cannot be used. You cannot physically depress the brake pedal. Again, this can only work when the vehicle is moving rather slowly, say less than 5mph (8km/h). But, even at these low speeds, the brakes will not work and you cannot stop the vehicle … This really works and caused me to crash into the back of my garage once,” the researchers wrote.
Fast forward to now, though, and Miller and Valasek have released A Survey of Remote Automotive Attack Surfaces, saying: “Modern automobiles consist of a number of different computer components, called Electronic Control Units (ECUs). Each automobile contains from 20-100 of these devices, with each ECU being responsible for one or more particular features of the vehicle. For example, there is an ECU for seatbelt tightening, one for monitoring the steering wheel angle, one to measure if a passenger is in the car, one to control the ABS system, and so on. These ECUs need to pass data to one another so they can make decisions on how to act.
“Some ECUs also communicate with the outside world as well as the internal vehicle network. These ECUs pose the biggest risk to the manufacturer, passenger, and vehicle. The options available to attackers will be influenced by the different remote endpoints offered, the topology of the vehicular network, as well as safety features programmed into the various ECUs under consideration.
“This paper attempts to analyze numerous automobiles varying in production year to show how remote attack surfaces have evolved with time and to try to quantify the difficulty of a remote attack for a variety of different automobiles.”
While not an exhaustive list of vehicles, the researchers looked at a broad range of vehicles from the all-new 2014 Jeep Cherokee through to a 2014 BMW 3 Series and right the way through to a 2006 Toyota Prius.
While you no doubt want to head over and read the report, the nub of it was that the most hackable cars the researchers looked at were the 2014 Infinity Q50, 2014 Jeep Cherokee and the 2015 Cadillac Escalade. The least hackable cars were the 2014 Dodge Viper, the 2014 Audi A8 and the 2014 Honda Accord.
Results, the researchers said, were based on three factors: the size of a wireless “attack surface” in a car, like keyless entry systems, Wi-Fi and Bluetooth; the network architecture of a car and how much access is possible to get to critical systems; and the “cyberphysical” features of a car, like lane and parking assist and automated braking.
While the researchers didn’t actually hack into the cars they did look at their vulnerability to attack, saying “it does provide some objective measure of the security of a large number of vehicles that wouldn’t be possible to examine in detail without a massive effort”.
So, how’d the car makers respond? Well, slowly. Infiniti US spokesperson, Kyle Bazemore told WIRED that Miller and Valasek didn’t actually hack a Q50, but that “As the potential for ‘hacking’ into the electronic systems of all automobiles may grow, we will continue to integrate security features into our vehicles to help protect against cyber-attacks”.
A spokesperson for Chrysler on the subject of the 2014 Jeep Cherokee’s potential vulnerability said the company will “endeavor to verify these claims and, if warranted, we will remediate them … We support the responsible disclosure protocol for addressing cyber security threats. Accordingly, we invite security specialists to first share with us their findings so we might achieve a cooperative resolution. To do otherwise would benefit only those with malicious intent”.
Repeating their call for carmakers to do more to foil hackers, the duo even presented a prototype device that could be fitted to a car to monitor and block suspicious commands.
Let us know what you think, should we start include car vulnerability ratings in the same way we do with crash safety ratings? See you in the comments.