Author: Jeff Davis
Date: Jun 10, 2018
Any connected device can be compromised. When we think of vulnerable devices, we immediately think of our phones, laptops, IoT devices, and even enterprise databases. We are moving into a world where our transportation system – cars, trucks, traffic lights, and trains – are becoming vulnerable as well. Before we go much further with this discussion, let’s make it clear that this is a good thing. Connected and autonomous cars can save lives, money, and energy. Advancements in automotive technology will allow us to enjoy our commutes and make our drives safer. Make no mistake, we want this technology to become a reality and the norm for all. However, despite all the potential benefits, advancements in automotive technology and connectivity carry the same risks that we currently associate with our laptops and phones, all of which are a cause of significant concern for car manufacturers. The threats to privacy, safety, and theft are real and at the center of concern for the transportation industry writ large. So how can we, as an industry, utilize our collective resources better to meet this threat?
According to Motherboard, a GrayHat Hacker going by the name L&M recently broke into thousands of accounts belonging to the users of two GPS tracker apps iTrack and ProTrack. They were able to monitor the location of tens of thousands of vehicles in countries like South Africa, Morocco, India, and the Philippines. The hacker even had the ability to turn off some car engines while they were in motion.
How exactly was L&M able to accomplish this? It turns out that all the iTrack and ProTrack customers had been given a default password of “123456” when they signed up. L&M was able to use brute-force, an attack method that enabled him to test a large number of common usernames through each app’s API. By writing a script to autofill multiple usernames and the default password, they were able to automatically break into thousands of accounts and extract sensitive data. Some of this data included the name and model of the GPS tracking devices used, the devices’ ID numbers, usernames, real names, phone numbers, email addresses, and physical addresses. L&M stated that they wanted to bring this security risk to these companies’ attention so they can better protect their customers – a common GrayHat tactic.
Cybercriminals are quick to exploit new technologies, and as more valuable personal data and financial transactions take place on a vehicle the more valuable the target becomes. With value comes innovation, and criminals can be very innovative. They will exploit every weakness in the system, including the most insecure: the humans operating the system. This specific incident involving GPS tracking apps serves as a reminder of the potential consumer challenges that come with sophisticated technology. However, what we see is that the consumer cannot be expected to take steps for security, especially when it does not directly affect them. This is not the first time we have seen this. The 2016 DDOS attack, using bots created through a series of IoT devices, effectively paralyzed the internet. This too was done using default passwords and the attack itself did not affect the overall function of the devices. This is important because it shows the true flexibility of IoT cyberattacks.
Another example of criminal innovation is exploiting personalized technology. Keyless ignitions are on the rise and now come standard in more than half of the 17 million vehicles sold annually. However, a recent report found that 230 of 237 keyless models tested could be opened using a relay attack, which utilizes a device that wirelessly transmits signals from one location to another, like from near the front door of your home (where many car keys may be) to the vehicle. This tricks the vehicle into unlocking its doors and allowing the cybercriminal to take off in the car.
A survey of auto manufacturers from Synopsys and SAE International found that 62% of respondents think it is likely that malicious attacks on their software, automotive components, and/or technology will happen within the next 12 months. Even though connected cars are becoming more common, there still isn't enough data to understand the automotive industry's ability to address the software security risks of connected vehicles. And as we move toward autonomous vehicles powered by artificial intelligence, machine learning, and connectivity, the importance of automotive cybersecurity is even greater in order to prevent new entry points for malicious actors.
Today’s vehicles are equipped with hundreds of processors that control everything from a car’s safety systems to steering, acceleration, and more. This means vulnerabilities in the software of a car can put the physical safety of the vehicle’s occupants and others at risk. And a majority of the industry is reacting to this. The creation of the Automotive Information Sharing and Analysis Center (Auto-ISAC), development of key cybersecurity roles within manufacturers and suppliers, and the widespread adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and consensus on ‘best practices’ to follow are all positive steps from an industry determined to protect its customers.
The question is how do we do this better? It begins with a culture of understanding cybersecurity from design to production, much the same way that the industry understands safety. This requires a great deal more work than most really understand. It requires agreements that do not penalize anyone in the supply chain for identifying vulnerabilities. It means that everyone in the value chain from suppliers to assembly plants understand the risks, how to identify them, protect against them, detect problems, respond to incidents, and most importantly, how best to recover. It means creating an understanding that a secure system – a train, a city’s infrastructure, or a car – starts with secure parts and consistent security practices. That security should be a part of every buying decision, and that each decision either mitigates risk or increases it.
Those reading this article that truly understand cybersecurity can identify from the paragraph above the five elements of the NIST Framework, but how many within your value chain can? Do your product managers realize that the operating systems they purchase create a base level of security? Or that the supply chain practices of their chip provider have the potential to either reduce or increase the risk and liability of their organization?
Making security into a primary part of our practice creates efficiency. It must be a part of every level of the supply chain, the back-office practices, and the actions of every employee of an organization, and across the entire transportation network. As we discussed earlier, there is only so much that can be expected from the consumer; therefore, the products, software, and people that make up the actual ‘system’ need to ensure that it is prepared and can react to human error. Over the coming months, BlackBerry will be producing a series of articles, webcasts, and podcasts to examine seven areas to reduce risk across the transportation ecosystem: securing the supply chain; evaluating trusted components and trusted relationships; isolating functions; continued monitoring and health checks; rapid response and incident management; life cycle management; and maintaining a security culture.
In the race for self-driving cars, building consumer trust is just as important as building the technology. And for the general public to accept and ultimately adopt autonomous vehicles en masse, there needs to be trust in the technologies, trust in their advantages and of course, trust that the companies building them (and profiting off of them) will act responsibly. We encourage executives, CISOs, and product managers from across the public and private sector to join in the discussion in the coming months as we put forth a multifaceted approach on how we as an industry get there together.