18 May, 2016
Well before a highly publicized Jeep hack last year raised C-suite and board-level concern over the cybersecurity of connected cars, my firm was contracted by a prominent automaker to perform a confidential “ethical hacking” exercise. We staged a nation-state style attack of the enterprise, and after many weeks of work with a large team, achieved complete control such that we would have been able to interfere with corporate and manufacturing networks and interactions with the vehicles.
Welcome to the cyber criminal’s new territory: the expanding and dynamically changing “attack surface” of the connected car, that is, the totality of the potential points of unauthorized entry. The good news is that hacking in this space requires very advanced skills and significant funding, so your average “script kiddie” won’t be taking over connected cars any time soon. The bad news is that well-funded and skilled adversaries are seen to be turning their attention to car companies and cars, having already hit most other industries.
Now, even as the auto industry works to better understand cyber threats against connected cars, it can take three immediate steps to mitigate its risks (and customers’ physical danger): understand the attack surface, continually assess the threat actors, and take a holistic approach to cyber governance.
CONNECTIVITY COMPOUNDS RISK
Automobiles are rapidly integrating new digital technology to improve the driving experience and the connected lives of occupants on board. However, the downside of increasing connectivity and functionality is that doing so expands the automotive attack surface. This creates a potentially dangerous situation, given the opportunity for criminals to make a lot of money through exploits directed at connected cars, their manufacturers, and their networks.
To date, it has been mostly security researchers who have hacked connected cars. For instance, researchers fashioned a hack against the OnStar mobile application, exploiting a security flaw to unlock cars and start engines remotely.[1] Other researchers used publicly available GPS simulators to overwhelm faint GPS signals from space with a higher-strength, fake signal that could have misdirected a vehicle or sent false information to vehicle trackers, such as fleet operators.[2] In the Jeep hack mentioned above, two ethical hackers hired by Wired magazine spent four months fashioning a “zero day”[3] attack against the vehicle. First, they infiltrated its cellular connectivity. Then, they moved laterally to compromise the backbone of the car’s electronics, called the controller area network bus (CANBus). Then they tapped the systems connected to the CANBus that control starting, stopping, accelerating, and steering. This enabled the hackers to completely control the car while a Wired editor drove (or attempted to drive) the vehicle.[4]
Even though security researchers do not have malicious intent, public revelation of the vulnerabilities they find can result in enormous costs to connected car companies. For example, the Jeep hack resulted in a recall of approximately 11 million vehicles, and Chrysler’s stock dropped 6.4% the day after the recall, before rebounding.
In the future, connected cars will undoubtedly be targeted by financially-motivated criminals, hacktivists, and people meaning to cause physical harm to drivers. Some of this has already begun to happen. For example, hackers have cracked the code on a keyless entry system used by multiple manufacturers.[5] Police say the hack was used to steal approximately 6,000 cars in London in 2014.[6]
STEP 1: UNDERSTAND THE ATTACK SURFACE
Managing the cyber risk of connected cars begins with an understanding that the connected car’s attack surface is broad and continuously changing. The attack surface includes the connected car company’s corporate and manufacturing networks, mobile applications, dealerships and third parties with trusted connections back to those networks, the vehicle itself, and aftermarket applications such as insurance and performance dongles that plug into the connected car’s systems.
This provides vast opportunity for attackers and requires that car companies take on an integrated approach to managing cyber risk across all of these environments rather than in silos.
- Corporate networks: With their multiple public-facing components – including Internet connectivity, websites, remote e-mail access, and corporate wireless access points – carmakers’ corporate networks may well represent the easiest way in for attackers. On these networks are assets attackers may covet: personally-identifying information about customers, gateways to the manufacturing network, potential connectivity to safety systems and other industrial controls, sensitive corporate e-mail, manufacturing know-how, or material non-public information, to name a few. Trusted third party connections extend the attack surface to a company’s partners and vendors, and hackers have been seen exploiting such third-party connections in other industries.
- Manufacturing networks: Car manufacturing networks may not have direct connectivity to the Internet, but attackers will look to access manufacturing systems by gaining a beachhead on the corporate network and then pivoting to the manufacturing network. Once on the manufacturing network, attackers may seek out manufacturing specs or other valuable intellectual property, attempt to disrupt operations or destroy equipment, or seek to corrupt software in order to introduce backdoors they can use to remotely control the cars.
- Cars: Connected cars have connectivity through cellular, wireless, Bluetooth, and infrared (key fob) technologies. Attackers will attempt to connect to the car through one of those technologies and then pivot along the car’s network to reach the components that help them execute their plan, whether that be to control some aspect of the car, corrupt the information flowing to the car (like GPS information), or simply find and publicize a set of vulnerabilities.
- Aftermarket networks: The numerous applications hosted within connected vehicles present potential vulnerabilities through which hackers can access and take control of connected cars. Aftermarket devices and utilities significantly expand the attack surface and increase its dynamic nature. Consumer-installed or connected mobile apps and aftermarket add-on devices often have their own Internet connectivity and their own vulnerabilities, completely out of the manufacturer’s control. Not only might these add-ons be hacked, but their regular use ups the possibility that hackers could manipulate car owners online – for example, “socially engineering” them to insert already-hacked devices into their cars.
STEP 2: CONDUCT A COMPREHENSIVE THREAT ASSESSMENT
Understanding hackers’ motives helps car manufacturers know their risks. As one of the Jeep hackers said – perhaps disingenuously – during an August 2015 conference presentation of the exploit: “I’m not going to brag. But we made the stock go down.”[7] If the Jeep hack had been pursued for the purpose of stock fraud, it would not be the first time. Our firm recently investigated an incident in which an organized crime group hacked into servers on which a company staged press releases containing material non-public information. The hackers lurked in the corporate network, maintaining access over time to trade on the flow of information before it became public. Conceivably, substantial profits could be yielded by taking a short position on a car manufacturer’s stock before driving that stock price down by finding and publishing major connected car vulnerabilities.
Likewise, it’s no stretch to imagine “hacktivists” – hackers who are ideologically motivated – pursuing cyber-attacks for anti-globalization, climate change, or other political reasons. Bad actors might also use hacked vehicles as instruments to inflict harm on a targeted basis (in an individual vendetta) or widespread basis (in a terrorist attack). Finally, there is the motivation to gain “bragging rights,” which may seem frivolous, but still happens.
STEP 3: ADOPT A HOLISTIC AND DYNAMIC APPROACH TO CYBER GOVERNANCE
Cyber “governance” includes not only the organizational structures that underlie the effort to mitigate risk, but the processes the company has to identify what risks the company faces. By adopting a holistic and dynamic approach to cyber governance, car manufacturers can stay farther ahead of hackers. Despite a vast and changing attack surface, and while attacker motivations are myriad, with proper cyber governance the challenge they pose can be mitigated.
Executive commitment combined with the right investments can help put the organization on the path to resilience. Below are some immediate steps to consider:
- Proactively go on the hunt: With the range of potential hacker motives clearly discernible, car manufacturers should subscribe to threat intelligence feeds and share threat information within their sector that would align with these threats.
- Eliminate cyber governance silos: The automotive ecosystem is highly interconnected. Any connected component’s or department’s vulnerability can affect all others. That is because the attackers will pivot from one to the next. The Jeep security researchers breached a carrier’s cellular connectivity and then advanced across the car’s systems. In its ethical hacking exercise, Stroz Friedberg also pivoted from environment to environment, illustrating why auto executives must insist on a systematic approach to the security of the interconnected corporate, manufacturing, vehicle management, supply chain, and aftermarket networks that stand behind every connected car. All involved groups should work together to anticipate how attacks might occur. A centralized function, such as the chief information security officer, should be responsible for risk across all of the components and departments. Tabletop exercises that simulate advanced attacks for executive management can raise awareness and reduce siloed behaviors. Cross-component and cross-department security simply cannot be woven into a resilient state without leadership from above the silos.
- Challenge your defenses: Instill a culture of security that values routinely exposing vulnerabilities. For example, running ethical hacking exercises – in which teams think up novel ways to try to hack the cars, corporate and manufacturing networks, and mobile apps – leads to the identification and remediation of vulnerabilities, and thus hardens defenses. Independent third parties can play a key role in creatively challenging cyber defenses. “Red teams” fielded from third-party cybersecurity experts can ethically hack a company because we study criminals’ behavior, know exactly how they exploit technology and human weaknesses to achieve their goals, and have no intra-corporate political constraints on what code or processes they are willing to break or challenge.
- Anticipate future vulnerabilities: Car manufacturers must create a continuous cycle of improvement: identifying, breaking, remediating, and anticipating the next wave of vulnerabilities – only, then, to break in all over again. Just because a connected car is safe today, does not mean it will still be safe three months from now. The scenarios are many. It could be something as quotidian as an insurer or aftermarket company coming out with a new add-on. Or, say that a manufacturer deploys a software update by physically mailing USB drives to its customer list, which hackers preempt by mailing out their own infected drives, packaged to look just like the real thing. Effective cybersecurity requires ongoing threat modeling that allows you to anticipate future “ways in” to connected cars.
RESILIENT CYBER GOVERNANCE: KEEPING PACE THROUGH CHANGE
The opportunities and challenges that come with increased automobile connectivity are substantial. Customers clearly want the advantages that onboard connectivity offers, but criminals stand to benefit and are highly motivated. The way to stay ahead of hackers is by adopting a resilience-building cyber governance model that unifies all the players in your ecosystem and continuously considers new cutting-edge exploits as the technology in your connected cars evolves. This kind of governance requires clear commitment from the very top of the organization.
1. “Researcher says can hack GM’s OnStar app, open vehicle, start engine,” Reuters.com, 30 July 2015, © 2015 Thomson Reuters.
2. “The security fallacy: Seven myths about physical security,” Argonne National Laboratory, 26 October 2010.
3. A zero day attack is one that has never been seen before.
4. “Jeep Hacking 101,” IEEE Spectrum, 6 August 2015, © Copyright 2015 IEEE Spectrum.
5. “Hack to steal cars with keyless ignition: Volkswagen spent 2 years hiding flaw,” Computerworld, 17 August 2015, © 2015 Computerworld, Inc.
6. “Hackers Force Carmakers to Boost Security for Driverless Era,” Bloomberg Business, 4 August 2015, © Bloomberg L.P.
7. Ibid.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com
Bill Sims, Managing Director, Stroz Friedberg
bsims@strozfriedberg.com