Technology Overdrive: Understanding the Security Impact that the Advanced Machinery has throughout Infrastructure of the Car
Dr. Barbara L. Ciaramitaro, CISSP, CSSLP, PMP
Director, Center for Cybersecurity Leadership, Walsh College
Brief History of Automobile Technology http://www.theverge.com/sponsored/9104175/onstar-the-evolution-of-automobile-technology-infographic
Brief History of Automobile Technology
1946 – First Car Phone at 80 pounds
1958 – Cruise Control
1973 – Air Bag
1996 – Standardized On-Board Diagnostics
1996 – OnStar
Brief History of Automobile Technology
2000 – In-Car GPS
2001 – Bluetooth Connectivity
2003 – Crash Avoidance Systems
2008 – On-Board WiFi
2015 - The Connected Car
Customers want Connected Cars “A recent global survey of over 14,000 consumers across five continents indicates that car owners are now looking for new models with these technologies integrated as standard. Almost 40% of those questioned said that in-car technology is their first and foremost consideration when purchasing a new car, above the driving performance of the vehicle.” http://click-accenture.com/connected-cars-growing-importance-in-car-technologies/ But they also want safety, privacy and security.
Privacy and Security Concerns http://www.mckinsey.com/industries/automotive-and-assembly/our-insights/whats-driving-the-connected-car
Safety First http://click-accenture.com/connected-cars-growing-importance-in-car-technologies/
Complexity The more complex a computer and software system is, the more vulnerabilities it will have. Today’s car has the computing power of 20 personal computers, features about 100 million lines of programming code, and processes up to 25 gigabytes of data an hour. The average “bug” rate in software development is 1 error in 4,000 lines of code. That translates to 25,000 errors. As we have learned from recent breaches, it only takes one vulnerability in a line of code to open it to malicious attackers. http://www.mckinsey.com/industries/automotive-and-assembly/our-insights/whats-driving-the-connected-car
Complexity Automobiles contain 20 to 100 Electronic Control Units (ECUs). Individual ECUs are responsible for one or more features but must also pass data from one ECU to another through the CAN bus. ECUs communicate both internally and with the outside world. The ECUs most at risk from malicious attacks are those that communicate with the outside world. http://www.mckinsey.com/industries/automotive-and-assembly/our-insights/whats-driving-the-connected-car
Connected Car Cybersecurity Concerns “The connectivity necessary for providing the features offered by Connected Cars may pose privacy and security dangers and vulnerabilities. Connected Cars can contain more than 50 separate electronic control units (ECUs) connected through a controller area network (CAN) or other network. Those ECUs communicate with each other and the CAN through use of digital messages called CAN packets. If CAN packets are not authenticated or encrypted, they may be susceptible to remote hacking through the vehicles’ wireless and phone components. This wireless technology may also enable unauthorized access to other systems and data collected by the vehicle, such as location data and potentially payment card data used for dashboard shopping.” http://www.dataprivacymonitor.com/online-privacy/legal-developments-in-connected-car-arena-provide-glimpse-of-privacy-and-data-security-regulation-in-internet-of-things/
Connected Car Cybersecurity Concerns “For decades, cars didn’t have issues with hackers because they weren’t connected to the internet and provided no way to access their internal operating system. “As a result, the auto industry never worried about cyber security and someone taking control of the vehicle from outside,” …” Now, with connected cars wired for everything from voice recognition, Bluetooth, and GPS to eye-gaze tracking and driver monitoring, there are many more ways in and potential for terrifying outcomes.” http://qz.com/461576/here-are-all-the-ways-a-hacker-can-take-control-of-your-car/
Connected Car Threat Vectors http://qz.com/461576/here-are-all-the-ways-a-hacker-can-take-control-of-your-car/
Give Credit to Experts in Vehicle Cybersecurity
A Survey of Remote Automotive Attack Surfaces by Charlie Miller and Chris Valasek
Car Hacker’s Handbook by Craig Smith (Available through Amazon or other publishers)
Credit goes to these and other researchers who have paved, and continue to pave, the way for us.
Is a Car really Hackable? According to Miller & Valasek there are 3 steps to malicious attacks against automobiles:
1. Remotely gain access to an internal automotive network through available vulnerabilities, commonly in the wireless, cellular or Bluetooth connected ECUs.
2. Bridge the malware message from the one or more compromised ECUs to the internal target ECU.
3. Attack the target ECU to cause it to behave in an unsafe manner.
Is a Car really Hackable? One question, according to researchers, is the ability of an external attacker to cross into the internal vehicle network. Vehicles have multiple CAN networks that house their own ECUs. There are specific ECUs that bridge communications between various CAN networks. The real threat may come from aftermarket devices, particularly in the area of telematics.
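Because the bridging ECUs are the choke point between CAN networks, they are where a defender can enforce policy. The following is an added example, not from the original slides: a gateway that forwards only allow-listed IDs between segments, rate-limits them, and records every drop for alerting. Segment names, CAN IDs, periods and traffic are all constructed for illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "t_ms src can_id data")

# Constructed policy: (source segment, destination segment) ->
# {allowed CAN ID: minimum spacing in ms between forwarded frames}.
POLICY = {
    ("powertrain", "telematics"): {0x1F0: 10},   # e.g. speed for navigation
    ("telematics", "body"): {0x3A0: 100},        # e.g. remote door lock
    # no ("telematics", "powertrain") entry: nothing crosses that way
}


class Gateway:
    def __init__(self, policy):
        self.policy = policy
        self.last_sent = {}     # (src, dst, can_id) -> time last forwarded
        self.dropped = []       # (frame, reason) records for detection/alerting

    def forward(self, frame, dst):
        allowed = self.policy.get((frame.src, dst), {})
        if frame.can_id not in allowed:
            return self._drop(frame, "id-not-allowed")
        key = (frame.src, dst, frame.can_id)
        last = self.last_sent.get(key)
        if last is not None and frame.t_ms - last < allowed[frame.can_id]:
            return self._drop(frame, "rate-exceeded")
        self.last_sent[key] = frame.t_ms
        return "forward"

    def _drop(self, frame, reason):
        self.dropped.append((frame, reason))
        return reason


def replay(gateway, traffic):
    """Run (frame, destination) pairs through the gateway; return decisions."""
    return [gateway.forward(f, dst) for f, dst in traffic]


# Constructed traffic, not captured from a vehicle.
SAMPLE = [
    (Frame(0, "powertrain", 0x1F0, b"\x00\x3c"), "telematics"),
    (Frame(5, "telematics", 0x0C1, b"\x01"), "powertrain"),
    (Frame(20, "telematics", 0x3A0, b"\x01"), "body"),
    (Frame(40, "telematics", 0x3A0, b"\x01"), "body"),
    (Frame(130, "telematics", 0x3A0, b"\x00"), "body"),
]
```

A drop with reason `id-not-allowed` on a path out of the telematics segment is a high-value detection signal, since a healthy telematics unit never attempts it.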
Is a Car really Hackable? Credit to Craig Smith and the Car Hacker’s Handbook
The Connected Car – Remote Attack Vectors Diagnostic OBD2 Port Diagnostic tools are often connected to internal wireless networks. When breached, the diagnostic tool can be used for transmission of malicious code.
The Connected Car – Remote Attack Vectors Bluetooth Bluetooth is considered to be one of the most viable attack surfaces due to its complexity and wide use.
The Connected Car – Remote Attack Vectors Telematics, Cellular and WiFi “This is the holy grail of automotive attacks…” http://blog.rogerscorp.com/2014/12/
The Connected Car – Remote Attack Vectors Internet / Apps Access to the Internet now opens the automobile to a number of well-known attacks through the web browser and malicious applications. Miller & Valasek, A survey of remote automotive attack surfaces
The Connected Car – Remote Attack Vectors Cyber – Physical Features (Park Assist, Adaptive Cruise Control, Collision Prevention, Lane Keep Assistance) These features connect physical vehicle response to external stimuli gathered through a variety of sensors and communication channels. These access points can be reached to cause cyber-physical malfunction. Miller & Valasek, A survey of remote automotive attack surfaces
How hackable is your car? Legend: ++ = more hackable; - = less hackable. Miller and Valasek’s findings represented in a single chart. A plus sign represents “more hackable,” a minus sign “less hackable.” Credit: Charlie Miller and Chris Valasek
More Concerns - Terrorism “Driverless cars are vulnerable to hackers who could bring cities to a standstill, steal cars remotely or even commit deadly terror attacks, experts have warned.” http://www.telegraph.co.uk/news/science/11243376/Driverless-cars-could-be-hacked-by-terrorists-warn-transport-experts.html
More Concerns - Ransomware “…The worst-case scenario is that multiple vehicles could be infected from a single source, and the manufacturer is then held to ransom. The infection could start in multiple ways: with a compromised app that drivers download, or through a batch of components that have embedded malware that is not detected when the vehicles are manufactured, or even with social engineering…” http://www.networkworld.com/article/2972234/microsoft-subnet/drive-a-dumb-car-but-buy-tesla-stocks.html
More Concerns - Litigation “Class actions alleging claims based on privacy and security issues related to Connected Cars have already been filed. … The plaintiffs alleged that the CAN system is susceptible to being hacked, which could allow for the collection of data stored on the CAN system and for the control of certain vehicle functions such as steering, braking, and acceleration. The plaintiffs asserted claims for express and implied breach of warranty, fraud, false advertising, and violations of consumer protection laws.” http://www.dataprivacymonitor.com/online-privacy/legal-developments-in-connected-car-arena-provide-glimpse-of-privacy-and-data-security-regulation-in-internet-of-things/
The Future “The market for Connected Cars is projected to reach $54 billion in the next two years. It is estimated that by 2020 there will be 250 million Connected Cars on the road, and about 90 percent of new vehicles in Western Europe will be connected to the Internet.” http://www.dataprivacymonitor.com/online-privacy/legal-developments-in-connected-car-arena-provide-glimpse-of-privacy-and-data-security-regulation-in-internet-of-things/
Questions? Please feel free to contact me at bciara2@walshcollege.edu Good resources to begin your education journey: A Survey of Remote Automotive Attack Surfaces by Charlie Miller and Chris Valasek Car Hacker’s Handbook by Craig Smith (Available through Amazon or other publishers)