How the “Connected Car” introduces a broad spectrum of security, safety, privacy, and legal vulnerabilities
The first 3 Telematics Wire issues of 2021 covered AV, ADAS and CV. This issue focuses on the huge volume of data generated by these systems and on the many significant benefits to the industry and society that come from analyzing and applying this “Big Data”. As such, the authors of this article will not venture into those areas. Rather, we present some cautionary thoughts on the need for robust and holistic security postures to protect this data, and on the exponential growth in threat surface it introduces for a multitude of stakeholders. For the context of this article, the authors use Connected Car (CC) to refer to all of the CV, AV, ADAS, telematics, infotainment, cellular, Wi-Fi and other “connected features” of the modern vehicle.
A high-level overview of the impact to a typical transportation management system (TMS) is shown in figure 1. In the black box is a typical TMS without CC and within the red circles, the points of interaction where CC introduces a large, exponential expansion of the threat surface to the TMS and vice versa.
“The introduction of Connected Car and Big Data offer great benefit to the industry, safety, mobility, the environment, quality of life, and the economy; the flip side of the coin however, is an equally great expansion of risk and vulnerability”
Space will not permit the discussion of potential solutions for protection against these threats; therefore, we present an overview with a few examples and close with a suggested reading list and resources for specialized assistance. We offer examples impacting System Security, Safety, Privacy, and Liability.
System security. System security involves the efforts taken to prevent the discovery and exploitation of vulnerabilities to escalate privileges and expand access to the larger system and its external connection to other systems. With vehicles connecting to intersections and TMS connecting to Big Data entities to share the vehicle data, as depicted in Figure 1 above, the potential for newly opened threat vectors becomes apparent.
~Vehicle System Security: Vehicle systems used to be simple, consisting of body structure, propulsion, driver control, signaling, and comfort/cosmetic features.
Figure 2
The hacker of those days put sugar in your gas tank. But the modern vehicle can have more than 100 processors (ECUs) and millions of lines of code. See figure 2 for a comparison with other control systems. By now, everyone has heard of the attacks Charlie Miller and Chris Valasek carried out on a private vehicle on 3 occasions. The first were done with a physical connection inside the vehicle. But the lessons learned there, along with some online research, allowed them to conduct the next exploit from 10+ miles away over the cellular network, to, among other things, shut down the engine. My co-author will present the safety impact of that in the following section.
~Traffic Management System Security: Traffic signal security was for many years ruled by the “security by obscurity” principle: no one knew what was in the cabinet, and no one cared. So, we added a simple lock with an industry-standard key (the author once opened a traffic cabinet in Trinidad with his own key) and stuck our collective heads in the sand. Many cabinets still exist in this state, but agencies have gotten the message and are scurrying to provide a better mousetrap. Even with the best of locks, today’s environment is rife with opportunities for intrusion: one can simply idle nearby and attack the cabinet wirelessly, or use a connected car to gain access.
The City of Tampa, FL, a forward-thinking, innovation-embracing agency, provided a standard traffic signal cabinet configuration for vulnerability testing. A white-hat hacker with no previous knowledge of traffic control systems was quickly able to penetrate the system, determine its use and take full control of the intersection (in a lab setting), including changing the light cycles and shutting the signal down. As a result, Tampa quickly moved to become one of the most protected signal systems in the U.S. A research project sponsored by the Transportation Research Board in 2019 discovered a vulnerability in one vendor’s software that allowed a green/green conflict to be forced, which is a good segue to my colleague’s section on safety impacts.
Safety Impacts: As auto OEMs evolve connected vehicle services to enhance the traveler experience and improve safety, manufacturers face the challenge of prioritizing digital security in vehicle design so that those safety advantages are not undermined. A recent survey conducted by Synopsys and SAE International found that 84 percent of professionals responsible for assessing the security of automotive components report concerns that “cybersecurity practices are not keeping pace with evolving technologies”.1
Basic security design principles can be relatively simple to implement, yet costly to overlook in terms of lives lost and monetary damages. Consider the recall of 1.4 million vehicles that Fiat Chrysler Automobiles issued in 2015 after cybersecurity researchers Charlie Miller and Chris Valasek demonstrated how to hack a Jeep Cherokee remotely: cutting the transmission on the highway, disabling the brakes at low speed, and controlling the steering while the vehicle was in reverse. Again in 2016 they showed how connecting to the vehicle’s OBD-II port granted access to safety subsystems, allowing incredibly dangerous maneuvers to be carried out, such as engaging the parking brake and controlling the steering at high speed, disabling the brakes at low speed, and even causing the vehicle to accelerate and slam on the brakes.3
In 2018 BMW issued a silent over-the-air update to patch 14 vulnerabilities, reported by Tencent’s Keen Security Lab, affecting vehicles dating back to 2012. The flaws allowed attackers to gain local and remote control of the infotainment system, reach the CAN buses and send arbitrary, unauthorized diagnostic requests to ECUs.4 The same security research firm had earlier exposed flaws that granted remote access to Tesla vehicles, an OEM heavily investing in advancing autonomous vehicles.5
Although autonomous vehicles (AV) are expected to significantly reduce crashes, there are legitimate concerns surrounding the over-the-air updates required to maintain the vehicle’s software and features. If hackers can access a vehicle’s safety-critical systems today, consider the impact if an attacker gains access to a driverless vehicle operating in a dense metropolitan area or, worse, mounts a coordinated attack on a fleet of platooned AVs, each carrying multiple passengers. Consider the roughly 20,000 users of the ProTrack GPS app whose accounts were compromised in 2019, showing how an attacker could remotely shut down a vehicle’s engine through the app.7
Safety continues to be a significant concern in the auto manufacturing design process. Since wired connections can be challenging to route and add weight that hurts fuel economy, in-vehicle wireless subsystems continue to increase. These include sensors for pressure and temperature, chemical and gas, position and proximity, and many others that rely on Bluetooth or RFID for non-critical features.3
A study funded by the National Science Foundation and the Army Research Office proved that in under a week a vehicle tire pressure monitoring system (TPMS) could be reverse engineered. A 125 kHz activation signal could trigger the sensor to transmit, and its transmissions could be eavesdropped from 40 meters away. The transmissions were sniffed and decoded to create a forged message that was then broadcast to the vehicle. The attack was able to trigger the low-pressure warning light and the central warning light on a vehicle traveling at both 55 km/h and 110 km/h.2
Intentional security means considering the impact of plain-text, unauthenticated messages, factoring in their broadcast range, and making deliberate design choices to mitigate such risk. In this scenario, the door is closed by authenticating each message with a key shared at sensor pairing (a message authentication code, not a checksum, since a checksum only detects accidental corruption and is trivially recomputed by a forger), adding a counter or timestamp so that a captured genuine message cannot simply be replayed, and randomizing or rotating the sensor identifier so the vehicle cannot be tracked by its static IDs; encrypting the payload protects its contents but, on its own, neither authenticates the sender nor prevents replay. It may seem inconsequential, but an alert showing tires are critically low can cause a driver to pull over, and there are many reports showing the efforts highway robbers go through to get people to pull over.
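The following Python example, added here and not taken from the TPMS paper or any vendor’s firmware, illustrates the two designs side by side. It simulates a legacy receiver that accepts any CRC-correct frame carrying a paired sensor ID (so one sniffed frame is enough to forge a low-pressure alert), and a hardened receiver that requires a truncated HMAC under a per-sensor pairing key plus a strictly increasing counter (so forged frames and replays are rejected). The frame layouts, pressure threshold, sensor ID and key are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed frame layouts for illustration; real TPMS sensors use vendor-specific
# encodings, and neither layout below is taken from any product or from the paper.
LEGACY_FMT = ">IBbB"    # sensor_id | pressure kPa | temp C | flags, followed by CRC-8
AUTH_FMT = ">IIBbB"     # sensor_id | counter | pressure kPa | temp C | flags, then MAC
MAC_LEN = 8             # truncated HMAC-SHA256 tag, to keep the radio frame short
LOW_PRESSURE_KPA = 180  # threshold that lights the low-pressure warning (assumed)


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 over the frame body: catches corruption, authenticates nothing."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def legacy_encode(sensor_id, pressure_kpa, temp_c, flags=0):
    body = struct.pack(LEGACY_FMT, sensor_id, pressure_kpa, temp_c, flags)
    return body + bytes([crc8(body)])


def forge_from_sniffed(sniffed_frame, pressure_kpa):
    """Attacker: reuse the static sensor ID from one captured frame, change the payload."""
    sensor_id, _, temp_c, flags = struct.unpack(LEGACY_FMT, sniffed_frame[:-1])
    return legacy_encode(sensor_id, pressure_kpa, temp_c, flags)


class LegacyReceiver:
    """Accepts any well-formed frame whose sensor ID was paired with the vehicle."""
    def __init__(self, paired_ids):
        self.paired_ids = set(paired_ids)
        self.warning = False

    def receive(self, frame):
        body, crc = frame[:-1], frame[-1]
        if crc8(body) != crc:
            return "crc_error"
        sensor_id, pressure, _temp, _flags = struct.unpack(LEGACY_FMT, body)
        if sensor_id not in self.paired_ids:
            return "unknown_sensor"
        if pressure < LOW_PRESSURE_KPA:
            self.warning = True
        return "accepted"


def auth_encode(key, sensor_id, counter, pressure_kpa, temp_c, flags=0):
    body = struct.pack(AUTH_FMT, sensor_id, counter, pressure_kpa, temp_c, flags)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class AuthReceiver:
    """Requires a valid MAC under the per-sensor pairing key and a strictly increasing counter."""
    def __init__(self, sensor_keys):
        self.keys = dict(sensor_keys)
        self.last_counter = {sid: 0 for sid in self.keys}
        self.warning = False

    def receive(self, frame):
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if len(body) != struct.calcsize(AUTH_FMT):
            return "malformed"
        sensor_id, counter, pressure, _temp, _flags = struct.unpack(AUTH_FMT, body)
        key = self.keys.get(sensor_id)
        if key is None:
            return "unknown_sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, tag):
            return "bad_mac"          # forged or modified frame
        if counter <= self.last_counter[sensor_id]:
            return "replay"           # a genuine frame retransmitted later
        self.last_counter[sensor_id] = counter
        if pressure < LOW_PRESSURE_KPA:
            self.warning = True
        return "accepted"


def tpms_demo():
    sensor_id = 0x1A2B3C4D                      # constructed sensor ID
    pairing_key = bytes(range(16))              # constructed 128-bit pairing key

    # 1. Legacy design: one sniffed frame is enough to forge a low-pressure alert.
    legacy = LegacyReceiver([sensor_id])
    sniffed = legacy_encode(sensor_id, 230, 25)
    legacy.receive(sniffed)
    forged_result = legacy.receive(forge_from_sniffed(sniffed, 90))

    # 2. Authenticated design: no key means no valid MAC, and replays are rejected.
    auth = AuthReceiver({sensor_id: pairing_key})
    genuine = auth_encode(pairing_key, sensor_id, 1, 230, 25)
    genuine_result = auth.receive(genuine)
    forged_auth_result = auth.receive(auth_encode(b"attacker-guess", sensor_id, 2, 90, 25))
    replay_result = auth.receive(genuine)
    return (forged_result, legacy.warning,
            genuine_result, forged_auth_result, replay_result, auth.warning)
```

Calling tpms_demo() returns ("accepted", True, "accepted", "bad_mac", "replay", False): the legacy receiver lights the warning on the forged frame, while the authenticated receiver accepts only the genuine frame and rejects both the forgery and the replay. Note that the hardened frame still carries the sensor ID in the clear, so a roadside eavesdropper can track the car even though it cannot spoof it; hiding the identifier (for example, deriving a rotating pseudonym from the pairing key) is a separate privacy fix that this example deliberately leaves out.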
This is not just a safety risk. Consider the time and expense of unsuspecting owners who take the vehicle in for service or the cost of OEMs servicing vehicles under warranty. In addition, consider the loss of trust in the auto manufacturer and innovative technology.
Policy reform is needed that defines software as a safety-critical component of a vehicle, to be regulated alongside the existing material and mechanical regulations governing the design and production of automobiles, in order to ensure public safety.
In 2017 the SELF DRIVE Act, passed by the House, was the first U.S. bill to address vehicle cybersecurity, but it only required “a cyber plan” that explains how the auto OEM identifies, assesses, and mitigates potential vulnerabilities from cyber-attacks or unauthorized intrusions, to protect a vehicle from receiving and responding to malicious control commands or fake messages.6 The AV START Act of 2018 and the SPY CAR Act of 2019 are newer bills, but neither has been enacted.8,9
The National Highway Traffic Safety Administration (NHTSA) maintains a database that consumers can access to remain informed on vehicle safety ratings, defects, recalls and more: https://www.safercar.gov
Privacy Impacts: In the U.S., recent court cases have ruled that geolocation collected over time constitutes PII (personally identifying information). Privacy advocates around the globe have differing concepts of what constitutes privacy, and of the trade-off in relinquishing some amount of it in exchange for safety and efficiency. The author’s direct experience in one connected vehicle project was that a few visitors from Asia were shocked and surprised by the effort put into preserving privacy, while Canadian guests felt we had not gone far enough. But even the most stoic about it did recognize that the emerging technologies driving Big Data inherently include the risk of privacy loss.
The U.S. Department of Transportation (USDOT), in deploying 3 pilot CV programs, made privacy a key concern, requiring a series of deliverables supporting its preservation. Additionally, an Institutional Review Board was required for ethical oversight of the enrollment and treatment of private citizen participants; further, both the USDOT and SAE made vehicle anonymization a key requirement in the technical standards for connected vehicles (SAE J2735, J2945 and IEEE 1609.x).
Despite these best practices, additional protections had to be considered after a paper presented at the 2020 TRB annual meeting demonstrated how previously anonymized vehicles could be re-identified using data visualization tools. This, coupled with the concurrent use of metadata and the ever-evolving hacker community, means that privacy will remain a concern for the foreseeable future. That doesn’t even begin to consider the amount of data motorists are willing to hand over via insurance company data loggers in exchange for a policy discount.
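To make the re-identification risk concrete, the Python example below (added here; it is not the TRB paper’s method and not code from any CV pilot) shows one well-known way pseudonym rotation fails: if a vehicle keeps broadcasting position, speed and heading at 1 Hz while changing its pseudonym, the first message under the new pseudonym lands exactly where dead reckoning from the old track predicts, so the two pseudonyms can be linked. The records are synthetic, generated inside the example; the message layout, update rate and tolerances are assumptions.

```python
import math

# Constructed BSM-like records: (time_s, pseudonym, x_m, y_m, speed_mps, heading_deg).
# Two synthetic vehicles, each rotating its pseudonym every few messages; the data is
# generated here so the example runs offline, and nothing in it comes from a real deployment.


def make_track(pseudonyms, msgs_per_pseudonym, start_xy, heading_deg, speed_mps, dt=1.0):
    """Straight-line vehicle broadcasting at 1/dt Hz and switching pseudonym on a fixed schedule."""
    x, y = start_xy
    t = 0.0
    rad = math.radians(heading_deg)
    records = []
    for pseudonym in pseudonyms:
        for _ in range(msgs_per_pseudonym):
            records.append((t, pseudonym, round(x, 1), round(y, 1), speed_mps, heading_deg))
            x += speed_mps * dt * math.cos(rad)
            y += speed_mps * dt * math.sin(rad)
            t += dt
    return records


def dead_reckon(last, t):
    """Predict where a track's last known state puts the vehicle at time t."""
    last_t, last_x, last_y, speed, heading = last
    gap = t - last_t
    rad = math.radians(heading)
    return gap, last_x + speed * gap * math.cos(rad), last_y + speed * gap * math.sin(rad)


def link_pseudonyms(records, max_gap_s=3.0, max_error_m=5.0):
    """Greedy trajectory linking: the first record under an unseen pseudonym is attached
    to the track whose dead-reckoned position at that instant is closest, provided the
    time gap and the position error are within tolerance. Returns the linked pseudonym
    lists, one per reconstructed vehicle."""
    tracks = []   # each: {"last": (t, x, y, speed, heading), "pseudonyms": [...]}
    owner = {}    # pseudonym -> index into tracks
    for t, pseudonym, x, y, speed, heading in sorted(records):
        if pseudonym in owner:
            tracks[owner[pseudonym]]["last"] = (t, x, y, speed, heading)
            continue
        best, best_err = None, None
        for i, track in enumerate(tracks):
            gap, px, py = dead_reckon(track["last"], t)
            if gap <= 0 or gap > max_gap_s:
                continue
            err = math.hypot(px - x, py - y)
            if err <= max_error_m and (best_err is None or err < best_err):
                best, best_err = i, err
        if best is None:
            tracks.append({"last": (t, x, y, speed, heading), "pseudonyms": [pseudonym]})
            best = len(tracks) - 1
        else:
            tracks[best]["pseudonyms"].append(pseudonym)
            tracks[best]["last"] = (t, x, y, speed, heading)
        owner[pseudonym] = best
    return [track["pseudonyms"] for track in tracks]


def linking_demo():
    vehicle_a = make_track(["A1", "A2", "A3"], 5, (0.0, 0.0), 0.0, 15.0)     # eastbound
    vehicle_b = make_track(["B1", "B2", "B3"], 5, (0.0, 300.0), 90.0, 12.0)  # northbound
    # Six pseudonyms go in; two vehicles come out, each with its pseudonyms in order.
    return sorted(link_pseudonyms(vehicle_a + vehicle_b))
```

linking_demo() returns [["A1", "A2", "A3"], ["B1", "B2", "B3"]]: six pseudonyms collapse back into two vehicles, and once any one pseudonym is tied to a person (a home address at the start of a trip, a registration at a toll plaza), the whole chain is. The usual countermeasures attack the linking step rather than the pseudonym: a silent period around each change so the gap exceeds what dead reckoning can bridge, or changing pseudonyms only when several neighbouring vehicles change at once so that more than one track fits the new position.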
Legal Impacts: The Autonomous Vehicle Summit (San Diego, 2020) presented a mock trial involving the malicious hack of a fleet of autonomous semi-trucks that resulted in the concurrent loss of control of all active fleet vehicles on the road, triggered by a zero-day exploit. Author Johnson was called as an expert witness for the plaintiff and 2 others were called by the co-defendants. The plaintiffs argued that the OEM for the vehicles and control system was liable because it chose over-the-air (OTA) broadcast as the medium for firmware upgrades, and that the fleet owner was also liable because it did not properly protect the system which re-broadcast those updates to the trucks, nor did it have a way to override the remote lockout control system. The defendants both argued that the hacker (an unidentified co-defendant assumed to be a nation-state) had conducted such a sophisticated attack that no reasonable prevention was available or practical.
In the author’s view (perhaps biased), the pre-scripted arguments leaned heavily in favor of the defendants. Despite that, 2 of the 4 empaneled juries levied at least some portion of liability (10% and 15%) upon the OEM and fleet owner. This is a good indication that liability issues will continue to evolve as rapidly as the technology itself, and both legislators and courts will be hard pressed to keep up.
“2 of the 4 empaneled juries levied at least some portion of liability (10% and 15%) upon the OEM and fleet owner”
As the authors have presented only a small sample of the admittedly large potential for vulnerability, and no deep dive on potential solutions due to space limitations, we offer the list below of sources referenced and some starting points for further reading.
- Synopsys, Inc., SAE International. 2018. Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices.
- Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar. 2010. Security and privacy vulnerabilities of in-car wireless networks: a tire pressure monitoring system case study. Proceedings of the 19th USENIX conference on Security (USENIX Security’10). USENIX Association, USA, 21.
- Mordor Intelligence. 2020. Wireless Sensors Market – Growth, Trends, COVID-19 Impact, and Forecasts (2021 – 2026). Retrieved from: https://www.mordorintelligence.com/industry-reports/wireless-sensors-market
- Keen Security Labs. 2018. Experimental Security Assessment of BMW Cars. Retrieved from: https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdf
- Keen Security Labs. 2017. New Car Hacking Research Remote Attack Tesla. Retrieved from: https://keenlab.tencent.com/en/2017/07/27/New-Car-Hacking-Research-2017-Remote-Attack-Tesla-
- 115th Congress. 2017. H.R. 3388 SELF DRIVE Act. Retrieved from: https://www.congress.gov/bill/115th-congress/house-bill/3388/text#toc-H23AFE3D58CA64E6DA0C6189D566BF453
- IEEE. 2019. How Can Autonomous Vehicles be Protected Against Cyber Security Threats. Retrieved from: https://innovationatwork.ieee.org/how-can-autonomous-vehicles-be-protected-against-cyber-security-threats/
- ENISA GOOD PRACTICES FOR SECURITY OF SMART CARS, November 2019 www.enisa.europa.eu
- Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, SAE and Synopsys, 2018 www.ponemon.org
- Beyond Car Hacking: The Cyber Threat Landscape for Automotive Companies www.insights.com
- National Highway Traffic Safety Administration. (2016, October). Cybersecurity best practices for modern vehicles. (Report No. DOT HS 812 333). Washington, DC: Author. https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
Steve Johnson, CISSP, CVP
Connected Vehicle Program Manager and National Cybersecurity Practice Lead
A recognized international thought leader in connected vehicle technology and cybersecurity, Steve was the program manager for the USDOT CV Pilot deployment in Tampa, FL and currently provides cybersecurity consulting to State and Local Transportation Agencies.
Jess Baker, SEP
Emerging Technology and Mobility Solutions Practice Lead
Jess is a thought leader and technical lead of a practice providing national consulting to State Departments of Transportation and Toll Agencies on matters of connected and autonomous vehicles, mobility as a service and cyber-physical security.
Published in Telematics Wire