Automotive CybersecurityConnected Vehicle

Hacking of Internet Connected Cars a security threat: Consumer Watchdog

The nonprofit group Consumer Watchdog has issued a report, with the help of car industry technologists, that finds all the top 2020 cars have Internet connections to safety critical systems that leave them vulnerable to fleet wide hacks. The group and experts warn that a fleet wide hack at rush-hour could result in a 9-11 scale catastrophe with approximately 3,000 deaths.

Consumer Watchdog’s report recommends that, as soon as possible, every connected car come with an Internet kill-switch that physically disconnects the Internet from safety-critical systems. It concludes that future designs should completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks.

These are among the main findings of the group’s five month investigation with car industry technologists:

• Most connected vehicles share the same vulnerability. The head unit (sometimes called the infotainment system) is connected to the Internet through a cellular connection and also to the vehicle’s CAN (Controller Area Network) buses. This technology dating to the 1980s links the vehicle’s most critical systems, such as the engine and the brakes. Experts agree that connecting safety-critical components to the Internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the Internet.

• By 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks. Car makers have many economic motivations to connect vehicles to the Internet – from saving money on recalls by updating vehicle software over-the-air to collecting valuable data on how fast we drive to where we shop. While they market flashy new features, such as remotely starting cars from smartphones, technologists report the companies have not prepared for the grave security implications of a connected car fleet.

• Technologists explain that using smartphone technology in cars, technology that was never designed to protect safety-critical systems, is a recipe for disaster. Expert hackers report that time and money are the only things that stand between them and hacking a fleet of cars. Software design practices that result in frequent hacks of everything from consumer electronics to financial systems cannot be trusted in cars, which can endanger not only the lives of their occupants, but also pedestrians and everyone else on the road.

• Connected cars have suffered more than half a dozen high-profile hacks in recent years. All have been benign demonstrations, not intended to cause harm. Hundreds more vulnerabilities have been reported to carmaker “bug bounty” programs. Experts report a hack of American vehicles designed to cause damage is inevitable without better security.

• The car industry’s response when vulnerabilities are exposed is to patch individual security holes and ignore the design problems that underlie them. Technologists have described the practice as attempting to address structural security problems by “using chewing gum and duct tape”.

• Car hacking demonstrations to date have always focused on a single vehicle, but the networked nature of connected cars creates numerous avenues for a fleet-wide attack. Viruses can spread vehicle-to-vehicle. Malicious WIFI hotspots can infect any susceptible vehicle that passes within range. Cars can be infected with “sleeper” malware that wakes at a given date and time, or in response to an external signal, resulting in a massive coordinated attack.

• Security-critical components in cars are black boxes. Even the car makers themselves often do not know the origins of the software they use, nor their true risks. Vehicles from many major carmakers – including Tesla, Audi, Hyundai, and Mercedes — rely heavily on software written by third parties. This includes open source software, like Android, Linux, and FreeRTOS. This software often comprises contributions from hundreds or thousands of different authors around the world, and there is usually little accountability for flaws. For example, FreeRTOS, used in critical systems by Tesla, had major vulnerabilities discovered in October 2018, but Tesla never acknowledged using the software, the vulnerability, or whether it patched the problem.

• The veil of secrecy surrounding automotive software and the ability to update it “over the air” without touching the vehicle lets automakers cover up safety problems and sloppy testing practices. Consumers are driving cars whose systems run on unfinished and under-tested software.
The report recommends numerous steps to safeguard the public, but its simple answer to the problems is that, as soon as possible, carmakers should install 50 cent “kill switches” in every vehicle.

Full Report: https://www.consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf

Source: : Consumer Watchdog

Tags

Related Articles