Southeast Michigan is the car capital of the planet. Located in this area are three of the major automobile manufacturers-Ford, General Motors, and FCA (fka Chrysler). Over the years, time has seen changes in the design and functionality of the vehicle. Over the last 80 years, the vehicle has also become exponentially mass-produced (Koscher, Czeskis, Roesner, Patel, & Kohno, 2010) while the generic engineering model had been predominantly static. There has been the gasoline-powered internal combustion engine, four wheels, steering wheel, brakes, etc.
Time has certainly changed this. One notable item has been the significant improvement with technology in general. Computers have improved in processing power and architecture, allowing for these to shrink in size. Vehicles have become constructively a computer on wheels (Behrman & Rauwald, 2015). When the vehicles began to implement more computers into the vehicle, these were built more safely (Pagliery, 2014). These functioned on a basic level with monitoring and reporting. Presently computers and their networks run the vehicle with electronic control units (ECUs) (Koscher, Czeskis, Roesner, Patel, & Kohno, 2010). There have been an increasing number of computers with vehicles. This controls many vehicle functions (steering, braking, acceleration, lights, windshield wipers, etc.).
There are also other vehicle components that are wireless (keyless entry, ignition control, tire pressure monitoring, diagnostic, navigation, and entertainment systems). Each connection provides a portal to attack. The third party devices connected to the vehicle introduces exponentially more vulnerabilities with their connectivity and communication channels. One avenue of exposure and increasing attacks continues to be the on-board diagnostics port (OBD-II) (Rash, 2016) and other devices. These provide for direct and standard access to the internal automobile networks. As an inclination towards this, it is estimated that by 2020, 75% of vehicles shipped will have internet connectivity (Baldas, 2016) and each car would have more than 200 sensors, and by extension this provides for more attack points.
This is related in that the vehicle engineers have embraced this. The engineers have used the added equipment to connect the vehicle even more so. The vehicles not only have the computers and networks, but also added Wi Fi, blue tooth, SMS (short message service), assisted calling, text messages read to the driver, and the driver dictating text messages.
As the attack surface has increased so quickly with the addition of technology in the vehicle, there has been a noticeable lack of focus on the cybersecurity at the same rate. This has manifested itself with the automakers showing a severe lack of appreciation of cybersecurity as applied to vehicles (Perkins, 2015). The systems have been poorly protected (Young, 2015). This malfeasance or relative inaction has allowed vehicle hacking. Specifically, this was defined as someone with a computer seeking unauthorized access to vehicle systems for the purpose of retrieving or manipulating vehicle functionality (FBI, 2016).
There is the potential for someone to remotely control a vehicle by having knowledge of the VIN or other germane data. By extension, as this is possible with one vehicle, what could an attacker maliciously do with a fleet? In theory, the attacker could write and execute a script to find 70% of the active VINs. The attackers could rent the bots for a fleet of vehicle attack. The attack could then be simply executed with the heat being turned on during August on I-75 in metro Detroit, have the vehicles take a 90 degree turn at 5:20pm on a Thursday, or other commands to drain the battery during the workday. On the surface, this may seem moderately mundane or due to the “It won’t happen to me” theory. This can actually be a very serious issue mechanically, legally, and financially with the potential for a recall of hundreds of thousands of vehicles.
With the known and unknown, at this time, vulnerabilities, the attackers may initially test the attack with a limited scope. Later a full attack may be used to extend the attack to its full potential. With a highly motivated attacker, the result could be far reaching and extensive. On an individual basis, an attacker could target someone, track them remotely, and break into the car or trigger it to shut down.
In the alternative, the attack could be with a co-worker or neighborhood child playing a game with the target. This may start as the aforementioned prank and go too far. As an example the family could be at a Detroit Tiger’s game and the object of the prank would be draining the battery.
Learn more about protecting yourself and your company at The National Cybersecurity Institute and be sure to read the next installment of this five part series on hacking vehicles tomorrow.
Charles Parker, II, has been coding since the mid-1980’s, and has been working in the finance, auto manufacturer, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.
Baldas, T. (2016, April 13). Feds: Self-driving cars must be terrorist proof. Retrieved from http://www.freep.com/story/news/2016/04/12/feds-lets-build-terrorists-proof-car-at-least-try/82937200/
Behrman, E., & Rauwald, C. (2015, July 27). Hacked jeep in ditch sends warning to german luxury-car trio. Retrieved from http://www.bloomberg.com/news/articles/2015-07-27/hacked-jeep-in-ditch-sends-warning-to-german-luxury-car-trio
FBI. (2016, March 17). Motor vehicles increasingly vulnerable to remote exploits. Retrieved from http://www.ic3.gov/media/2016/160317.aspx
Koscher, K., Czeskis, A., Roesner, F., Patel, S., & Kohno, T. (2010). Experimental security analysis of a modern automobile. 2010 IEEE Symposium on Security and Privacy. Retrieved from http://www.autosec.org/
Pagliery, J. (2014, June 1). Your car is a giant computer-and it can be hacked. Retrieved from http://money.cnn.com/2014/06/01/technology/security/car-hack/
Perkins, C. (2015, July 31). Hacker discovers a major vulnerability in GM cars, hijacks vehicle functions. Retrieved from http://mashable.com/2015/07/31/gm-onstar-hack/#TXV0RdSrSEqr
Rash, W. (2016, March 20). It’s time to pay attention to connected car cyber-threats. Retrieved from http://www.eweek.com/security/its-time-to-pay-attention-to-connected-car-cyber-threats.html
Young, A. (2015, July 28). Car hacking: Securing experts caution automakers on greater need for cybersecurity and anti-hacking measures. Retrieved from http://www.ibtimes.com/car-hacking-security-experts-caution-automakers-greater-need-cybersecurity-anti-2026472