Companies target the next car hack attack - Car Matrix

A clear-plastic miniature car makes laps, turning and stopping and starting, controlled by an operator with a joystick. For this demonstration, the little car is equipped with computer hardware typically found in a full-sized car. This toy car isn’t real, but the electronics are.

Using a tablet, a volunteer from the audience gains access to the central electronic control unit of the car and scans for open ports. One pops up on her screen, and she hacks into the car. She’s now able to accelerate, put the car into reverse, or stop—overriding the car’s driver.

Moments later, after a software fix from Karamba Security is enabled, the same attack fails and the car keeps performing its regularly scheduled laps around the miniature model city.

This demonstration, repeated multiple times over several days, was on display earlier this month at the Consumer Electronics Show in Las Vegas, where in recent years car tech increasingly has commanded a larger spot on the stage. That includes the latest innovations in the battle against car hacking, where software engineers must constantly compete with cybercriminals.

“The problem for us as a society is we as consumers are calling for more and more convenience,” David Barzilai, executive chairman and co-founder of Karamba, said at CES. “Convenience relies on more connectivity, so we can get services from the car. The more systems that are connected, the more we’re open to attacks.”

Karamba’s software, when it senses a potential threat, restarts a car’s computer. That delays and frustrates the hackers, who can’t gain access. All the while, consumers aren’t aware of what’s happening in their car’s circuitry because the vehicle still operates normally.

Carmakers trying to stave off cyberattacks must work with their own relatively old computer technology and the reality of long product cycles. To help them, software companies such as Karamba, Argus Cyber Security, and Inside Secure are working with automakers to protect their vehicles. These firms displayed their solutions at CES this year.

“In a lot of cars, the technology is from the 1980s,” Yoram Berholtz, business development director at Argus Cyber Security, said at the electronics show. He said that means it’s much less sophisticated or secure than smartphones.  

The auto industry has taken steps to increase security since highly publicized hacking incidents in 2015, says Gloria Bergquist, a spokeswoman for the Alliance of Automobile Manufacturers, a trade group based in Washington. The industry’s information-sharing and analysis center, known as the Auto ISAC, now has 49 active automakers and suppliers working together to identify threats and implement best practices, she says.

“Automakers know their customers care about security, and automakers are taking many protective actions, including designing vehicles from the start with security features and adding cybersecurity measures to new and redesigned models,” Bergquist says.

A Public Hacking

Hackers first publicly took over a car’s key systems in a staged demonstration in 2015. They took control of a Jeep’s steering, acceleration, braking, and climate controls using just a laptop and an internet connection.

Fiat Chrysler Automobiles—which owns Jeep—became the first automaker to recall cars to fix a cybersecurity glitch. In that case, it was a weakness in the vehicle infotainment system made by Harman. A federal court ruling earlier this month allowed a class-action case brought by consumers against both companies to proceed—sending a signal to automakers that cybersecurity weaknesses that are exploited could mean real liability for them down the road. (See “Protect Your Chrysler, Dodge, or Jeep From Hacking.”)

How can hackers access software in cars? Security experts say there are known trouble spots, starting with any place the car connects with the internet—such as built-in WiFi hotspots, data streams, or built-in infotainment apps. Vehicles tend to have multiple, separate computers that control different car functions, known as electronic control units (ECUs). They’re all vulnerable if they’re not secured. The network connecting the ECUs is another potential hacker target. Automakers are working to build firewalls—code that can sense and reject unauthorized attempts to access—around various vehicle processors and networks.

Security controls at General Motors continue to evolve every year to stay ahead of threats, says Tom Wilkinson, a GM spokesman. 

“We look at threats from end to end, from the back office to all aspects of the vehicle and its connected services,” he says. “All aspects of the ecosystem are considered, from the microchip level through the network layers, and to the mobile device and back-office environments.” 

Karen Hampton, a spokeswoman for Ford, says the company doesn’t provide details of its cyberprotections but stressed that the company is committed to protecting its customers.

“We will continue to evolve our processes and policies to ensure transparency, security, and privacy as we expand our offering of connected products and services,” Hampton says. 

The Big Target

Security experts say the most likely near-term threat will be if hackers crack the code to reach millions of vehicles of the same make and model. That could lead to locking owners out of their cars and demanding a multimillion-dollar cash payment from an automaker. This is known as ransomware.

As more parts of the car get digitized to provide services to consumers, there are new worries. Many of today’s cars use apps that can control functions in BMW, Cadillac, Mercedes-Benz, Tesla, and other brands. They give a consumer the power to lock, unlock, or even start the car remotely.

“All I need to do to attack the car is use a known vulnerability,” Asaf Ashkenazi, vice president of product strategy at Inside Secure, a software firm in San Jose, Calif., said at CES. “I don’t need to be an expert hacker. I attack the application here, and now I have access to your car. I can drive it, stop it. I can get in. It doesn’t require any knowledge of the car itself.”

That’s because a hacker can reverse engineer these apps and use them to gain access to a car, Ashkenazi said. The hacker could also take advantage of any known vulnerabilities of Android and Apple’s operating systems. It’s easier than trying to crack the codes that are specific to a particular make and model of car, he said. After gaining access to the app, the hacker would be able to do anything the owner could do.

The software his company makes prevents hackers from reverse engineering an app, and can detect attacks in real time and stop them, Ashkenazi said. 

Ultimately, it’s automakers, not consumers, who need to harden the targets, says Jerry Gamblin, principal security engineer at Kenna Security, a threat intelligence company based in San Francisco. Ordinary drivers don’t have the expertise to keep up with determined hackers, he says.

“As soon as automakers push this responsibility onto the consumer, we’re lost,” Gamblin says. “In the end, that will make us more vulnerable.”

What Consumers Can Do

Consumers can do some basic things to reduce their cybersecurity risks, according to the software company AVG Antivirus. One of the basics is to keep in touch with your manufacturer and keep your car’s software up to date. Turning off the vehicle’s Bluetooth and Wi-Fi when you’re not using them is another good practice. AVG also recommends scanning any external USB drives before plugging them into your car’s ports—just like you would do on your home computer before downloading software from the internet.

The most important thing consumers can do is maintain good, basic “cyberhygiene,” says GM’s Wilkinson. That includes using strong passwords for connected devices and not using the same password on multiple accounts. Consumers should update vehicle software as security patches are added, he says.

Another basic step that many consumers don’t consider: Storing your wireless car keys in a way that blocks their short-range radio signals, says Gamblin of Kenna Security. Some people store them in a refrigerator. Another means is a device known as a Faraday Bag.

Hackers have been able to intercept the radio signals from a wireless fob by using cheap computers built just for that purpose, Gamblin says. From a driveway, they can use the signal to essentially create a duplicate key on their computer.

“They clone your key, then they can walk up to the car and drive it away,” Gamblin says, because the car thinks the laptop is another certified key fob.

Ford’s Hampton doesn’t recommend storing your key fob in the refrigerator or freezer because it can shorten the device’s life span.

Hampton recommends resetting your in-vehicle entertainment system to its original factory settings if you rent or sell your car. Until it’s reset, it will maintain connections to your phone and personal information.

Correction: This version has been updated with the correct title for Asaf Ashkenazi. He is Inside Secure's vice president of product strategy.