Subscribe

Jeep hack reveals wide security failures

IOT will see many more attacks, recalls and embarrassment across industries.

Jon Tullett
By Jon Tullett, Editor: News analysis
Johannesburg, 29 Jul 2015
Expect more hacks until the industry improves its security: Charlie Miller (above) and Chris Valasek continue to demonstrate vehicle attacks.
Expect more hacks until the industry improves its security: Charlie Miller (above) and Chris Valasek continue to demonstrate vehicle attacks.

Fiat Chrysler has egg on its face, recalling 1.4 million Jeep vehicles after a remote attack was demonstrated which could put motorists' lives at risk. This is a big story, in both impact and scope, and the hapless Jeeps are just the start.

Many ITWeb readers will remember seeing the hackers, Charlie Miller and Chris Valasek, at the ITWeb Security Summit in 2014, talking about this very topic. When I spoke to Miller at the time, he predicted exactly this: "Chris and I aren't that special. We didn't do anything magical - other people are going to do the same thing we did. We're going to see more of this until the industry does something about it."

The tragedy of the Jeep story is not the incident itself, nor the costly and embarrassing recall of 1.4 million vehicles, but that vehicle manufacturers had nearly two years' warning this was coming, including numerous demonstrations, increasingly dangerous hacks, and active efforts by the security industry and hackers to build bridges and effect stronger security.

Despite that, we're now seeing the first mass vehicle recall, with the stark warning that motorists could be in danger. And this is likely to be only the tip of the iceberg. The vulnerable components (Uconnect - a module offering remote software access) are widespread, in many different vehicles, and it's likely we'll see many more recalls, affecting many millions of vehicles and owners, and tremendous cost to everyone concerned. And that's just one component - there will be others.

In fact, there are already others. This year has seen numerous researchers disclosing vehicle flaws. NCC Group in the UK demonstrated an attack on in-car electronics via spoofed digital radio broadcasts. Security firm Trend Micro recently published the results of its investigation into Skoda's SmartGate system, which exposes vehicle telemetry to remote access: Trend Micro discovered vulnerabilities in the SmartGate wireless implementation. A security flaw in BMW's Connected Drive software prompted an urgent patch to be distributed to more than two million vehicles.

Unfortunately, we'll also see malicious hacking. In fact, one of the first incidents in this saga was the vehicular equivalent of Web vandalism, with hackers remotely disabling cars and sounding horns via a third-party component called Webtech Plus. And that was in 2010.

It's also likely we'll see regulatory response. The abject failure of the automotive industry to take security seriously is exactly the sort of thing that spurs regulators into action. We may, for example, see a mandatory air-gap specified between in-car controls and anything with a network component. That's the sort of heavy-handed over-reaching requirement that could severely hinder development of next-generation vehicles like self-driving cars, but regulators will always err on the side of safety, not innovation. If stifling regulations are imposed, you can thank the manufacturer's arrogance for it.

Early warnings

The Webtech incident aside, the first demonstrated vehicle hack of this sort was in mid-2013, though the research began some time before that. Miller and Valasek demonstrated successful attacks against a Toyota Prius and Ford Explorer, tapping into the vehicles' onboard central nervous system to hijack the controls.

The industry, with characteristic hubris, waved away the warnings with vague statements intended to reassure customers and, primarily, shareholders. The attacks were impractical, we were told. They required physical access to vehicles, they said. And, of course, the usual boilerplate holding statement of: "We take security very seriously and are doing everything in our power to protect our customers." As any security professional will tell you, this is a euphemism for: "We're very worried and haven't a clue."

At the time, the attacks required on-board access to the CAN bus - the network that ties together vehicle sensors and controls. Miller and Valasek predicted they would eventually discover a vulnerable, remotely accessible, component that would bridge them remotely into a car.

By August of that year, Miller and Valasek had tested numerous cars, and published a list of the 20 most vulnerable ones. A Def Con talk explored their research into the attack surface within automobile electronics.

In the same timeframe, security researchers including Miller and Valasek had formed a group called "I am the Cavalry" (or The Cavalry for short), which extended an invitation to vehicle manufacturers and other industrial groups like medical equipment vendors and aviation firms, asking them to collaborate on security, offering to share research, with the single end-goal of making their products safer.

The response seemed positive - The Cavalry had numerous briefings with automakers, industry groups including the global Society of Automotive Engineers, and government bodies.

Here we are, recalling millions of vulnerable cars. The industry is still in denial.

And yet, here we are, recalling millions of vulnerable cars. The industry is still in denial. CNBC quoted Earl J Hesterberg, CEO of Group 1 Automotive, saying he felt confident automakers have been monitoring on-board software security for years. "I'm sure this is being looked at today by every auto manufacturer, and they're double-checking and triple-checking," Hesterberg said. "But I wouldn't freak out about this."

Internet of vulnerable things

Car hacking is just one facet of the bigger picture: growing interconnectedness means a greatly swollen attack surface. The Internet of everything is the umbrella term for this evolution, but in reality it's nothing of the sort. What we have today is more "networks of things" - numerous devices using Internet protocols to communicate, yes, but in closed communities. And they tend to be networks after the 1980s style: flat, shared and horribly insecure.

The CAN bus inside a vehicle is a perfect example of this. Designed by Bosch in 1983, security was the last thing on the engineers' minds. Thirty years later, we have Miller and Valasek taking advantage of the facts that communication on the bus is broadcast, unchecked and unauthenticated.

Many other industries are in similar situations. This year saw widespread concern over claims that airliner electronics might be vulnerable to similar attacks. We've seen attacks on critical infrastructure like water systems and power grids. Stuxnet was a case study in how industrial automation can be attacked, even with stringent security controls in place.

Manufacturers and users of Internet-connected automation, whether in a car, a factory, or anywhere else, need to address security and risk as their number-one priority. Not at the expense of functionality - this is one area where the security disciplines of CIA (not the spooks, the triad of confidentiality, integrity and availability) should be the key objectives. Security should follow as a result, rather than being tacked on as a panicked afterthought.

Or you could prepare your organisation for millions of product recalls. As Fight Club's narrator said, for too many organisations, that decision is purely economic: "Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

Share