
09/28/2020

As Vehicles Become More Connected, New Methods to Hack Them Emerge

Source: Fleet Management Weekly

Scientists tell us that COVID-19 will be with us forever. Similarly, hacking — benign or malign — is likely to be with us forever. Despite herculean efforts by all the good guys to root out the flaws in parts and systems controlled by software, the results could be, like the virus, catastrophic. Warns Noam Kehati, director of intelligence at SIXGILL, a cybersecurity company, “As cars get more intricate and interconnected, new methods to penetrate and damage them are emerging and are being explored and discussed in dark and deep web forums.”

Autonomous vehicles (and, no doubt, those with ADAS, advanced driver assistance systems, as well) employ millions of lines of code, in addition to an assortment of unified systems and instruments, all of which are exposed to potentially being exploited and compromised.

Moreover, vehicles are being connected to the internet at an increasingly rapid pace. Already, more than 20 percent of vehicles in service are connected to the internet. In addition, there are connections via dedicated communications links between other vehicles, the roadway, and the transportation system itself.

Earlier this year, FMW’s Executive Editor Mark Boada interviewed Dan Sahar, vice president of product at Upstream Security, a leading automotive cybersecurity firm. Sahar foresees the possibility of a frightening scenario where, through a single hack, every driver of a particular manufacturer’s vehicle model or of any targeted fleet vehicle could be unable to unlock it or start the engine. It would be a major catastrophe, he noted, especially for a sales or a delivery fleet.

“Think of a FedEx or UPS or Amazon on Christmas Eve, not being able to make deliveries. It would be extremely damaging to them as well as to the entire country. It’s not a wild dream. It’s totally within the realm of possibility if that fleet is connected.”

Indeed. In a Forbes article that FMW linked to in May, “Is Automotive CyberSecurity A National Defense Issue?” asked author Rahal Razan. He wrote, “With modern over-the-air updates one can turn a fleet of cars into an army of adversarial robots. If you believe this cannot happen, the story ‘Hackers Remotely Kill a Jeep on the Highway—With Me in It,’ by Andy Greenberg may be eye-opening.”

Sahar noted that fleet managers are unaware of the danger and lack a sense of urgency because the industry hasn’t yet had its “Equifax moment,” the theft of the personal data of 147.7 million consumers from the credit rating company’s computers. “Many fleets are aware of the danger, but they think it’s still theoretical.”

This all may have the ring of Dr. Fauci’s warning about the dangers of the virus, but unsettling accounts of the vulnerabilities of vehicles to hacking continue to appear with disturbing frequency. Most recently, TechCrunch reported that at this year’s (virtual) Black Hat Security Conference, “security researchers at the Sky-Go Team, the car hacking unit of security company Qihoo 360, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.” Mercedes says that it fixed the vulnerabilities before the cars reached the market, but Qihoo 360 says that as many as 2 million E-Class cars could have been affected.

A recent outstanding article in Physics World magazine reprised the history of automotive hacking and looked at the vulnerabilities of the autonomous cars that are edging closer to reality. Many of the features of so-called Level 5 (self-driving) are also available in Levels 3 or 4, but require the driver to be in charge, or take charge in critical instances.

Self-driving cars have been an auto industry dream since the 1920s, when a remotely controlled car was piloted through New York City and other cities. They were controlled by radio signals from a non-driverless car following closely behind. GM’s Futurama exhibit at the 1939 World’s Fair featured self-driving cars that were directed by a wire buried in the roadway.

These efforts continued over the years and ultimately used cameras and sensors. At the same time, in the 1970s, computer code began to be introduced to car systems. Vehicles began using electronic control units, or ECUs, according to the Physics World account, “to control increasingly complicated electronic systems. Since then, the number of ECUs has soared, with cars sold today including anywhere from 70 to 150 such devices. They monitor the crankshafts and camshafts; they deploy airbags; they receive and relay signals from flat tires and emptying gas tanks. Importantly – especially to hackers – they talk to each other via the Controlled Area Network, or CAN bus, which essentially functions like a nervous system for the car.”

That opened the door wider to hackers, and soon, with nearly all vehicles connected to the internet, access may be virtually unlimited.

In the past ten years, Fleet Management Weekly has featured 66 articles on cybersecurity, and now, with the push for autonomous, or near-autonomous vehicles, we will keep an ever closer watch on this critical area.
