Advances in automobile technology are enabling attacks, but that industry is not ready for security and updates.
Speaking in a well-publicised presentation at the Black Hat conference in Las Vegas, Charlie Miller and Chris Valasek claimed that they were able to present at the conference this time after completing a broader study of automotive technology and identifying common flaws. Last year’s proposed talk was rejected and was presented at the Def Con conference instead.
Miller, a security analyst at Twitter, claimed that of the 15 cars they looked at, most were examined visually and were from 2014. He said: “Each car is hardened in its own way. You can send messages to the Electronic Control Unit (ECU) and get the ECU to do something.”
The cars they looked at were: Audi A8; Honda Accord LX; Infiniti Q37 and G35; Jeep Cherokee; Dodge Ram 3500; Chrysler 300; Dodge Viper; Cadillac Escalade (2015); Ford Fusion; BMW 3-Series and i12; Range Rover Evoque and Sport; and the Toyota Prius.
Valasek, director of vehicle security research at IOActive, said that all cars do not have computers, and their research was not the first, as the University of Washington had done a similar compromise of the ECU to send diagnostic messages to lock the brakes.
Miller said that last year the research focused only on “plugging into a car”, but this year it looked at wider features. He said: “We were looking at steps and before we looked at the car, we used public information to determine how hard it was to hack a car. We saw how big the attack surface was – Bluetooth communications, app stores and cellular communications. With a bigger attack surface it is easier.”
Valasek said: “Cars are the same as software; we don’t see people writing exploits for them and they may be something of a soft target. Bluetooth has a viable attack surface, but no one is writing perfect Bluetooth stacks any time soon.”
He also described cellular telematics as the “holy grail”, while an expansion of “infotainment” modules and app stores will open cars up to attacks, as they are using simple web browsers and applications.
Valasek said: “There are great features which make you safer, as the Q50 feature can brake, accelerate and keep you in your lane. But why can we as a security industry not promote change within organisations? Security considerations are hard to do.”
Miller said: “Some cars have remote things on the same network and some do not. Car hacking is hard, but with more ECUs, there is more complexity in the network.”
Valasek added that with more technology, there are more problems. “In-car apps need to get on as people know how to exploit these things, don’t know if it is engineering but the biggest takeaway is patching problems but for cars it is really hard and manufacturers usually just send a letter in the mail,” he said.
“If release an exploit for in-car Bluetooth, it is costly to send letters in and tell the owner to bring the car to the dealership for an update. If an exploit comes out it will be hard to get it fixed, and next will be to do over-the-air updates.”
Miller said that to protect cars, they need to be treated as a “secure remote endpoint”, and that manufacturers need to think about making it hard for an attacker. “Software for automobiles should be safe and if you pop the ECU, you have got the keys so it is a losing battle.”