Thursday, 23 July 2015

Cyber-hijacking: Hackers may try to take the wheel from drivers remotely

As the number of connected devices explodes — from roughly 2 billion in 2010 to an estimated 25 billion by 2020 — security researchers have repeatedly shown that most online devices can be hacked.

Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online. It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives.

“If you’ve learned anything from the Internet, it’s clearly going to happen,” said Kathleen Fisher, a Tufts University computer-science professor and security researcher.

The inherent insecurity of the Internet — an ungoverned global network running on technology created several decades ago — makes it difficult to add effective safety measures now. Yesterday’s flaws, experts say, are being built directly into tomorrow’s connected world.

Among the most vivid examples came this week, when security researchers Charlie Miller and Chris Valasek demonstrated that they could hijack a vehicle over the Internet. By hacking into a 2014 Jeep Cherokee, the researchers were able to turn the steering wheel, briefly disable the brakes and shut down the engine.

They also found readily accessible Internet links to thousands of Jeeps, Dodges and Chryslers that feature a proprietary wireless entertainment and navigation system called Uconnect. Valasek and Miller said they could, by merely typing the right series of commands, hack into these vehicles almost anywhere they might be driving.

Government and industry officials are racing to add protections before techniques like this join the standard tool kits of cybercriminals. In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next.

“They haven’t been able to weaponize it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”

Yet Ellis and other experts fear the race to secure the so-called Internet of Things already is being lost, that connectivity and new features are being added more quickly than effective measures to thwart attacks.

Long development cycles add to the problem. If a hacker-proof car were designed today, it couldn’t reach dealerships until 2018, experts say, and it would remain hacker-proof only for as long as its automaker kept providing regular updates for the underlying software.

Computers on wheels

Cars sold today are computers on wheels. These vehicles can talk to the outside world through remote key systems, satellite radios, telematic control units, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Security experts call these systems “attack surfaces” — places where intrusions can start.

Once inside, most computer systems on modern vehicles are somehow connected. Researchers who have hacked their way into computers that control dashboard displays, lighting systems or air bags have found their way to ones running transmission systems, engine cylinders and steering controls. Nearly all of these systems speak a common digital language, a computer protocol created in the 1980s when only motorists and their mechanics had access to critical vehicle controls.

The overall security on these automotive systems is “15 years, maybe 20 years behind where [computer] operating-system security is today. It’s abysmal,” said researcher Peiter Zatko, a former hacker who once directed cybersecurity research for the Pentagon’s Defense Advanced Research Projects Agency.

Attackers don’t need to crash cars to cause trouble. A jealous hacker could use a vehicle’s navigation system to track his spouse’s movements while remotely activating the built-in microphone to secretly record conversations that happen in the car. Thieves already are using mysterious “black boxes” that, through the radio signals that control modern entry systems, unlock cars as the crooks walk by.

“Cars are a major part of the Internet of Things,” said Sen. Edward Markey, D-Mass., who filed a bill this week seeking federal cybersecurity standards for cars. “We’ve moved from an era of combustion engines to computerized engines, but we haven’t put into place the proper protections against hackers and data trackers.”

The Alliance of Automobile Manufacturers, a Washington-based group representing 12 major carmakers, said in a statement that the group created an Information Sharing and Analysis Center this month to study cybersecurity issues and share information about threats.

Although Dallas-area dealers know car computers can be hacked, none has reported any incidents with vehicles on their lots.

“No one has even mentioned it,” said Lee Chapman, president of the Dallas-Fort Worth Metropolitan New Car Dealers Association. “I assume at some point it could become an issue because there are some people out there with an evil streak.”

Even if it does, dealers won’t be able to do much about it, he said.

“The ones who will have to rectify this — if problems do crop up — are the manufacturers,” Chapman said. “They will have to devise the solutions. Also, you hope that legislators will enact penalties that are severe enough to really discourage it.”

Remote access

Scientists from the University of Washington and the University of California at San Diego reported in 2010 that, with physical access to a car, they could control almost any computerized system within it. When some critics questioned the realism of that scenario — if you were in the car, you could simply turn off the engine or hit the brakes yourself, they said — the researchers found a way to do many of the same things remotely.

That same year, a team of General Motors executives met with DARPA officials at the research agency’s headquarters in Virginia. The industry was ailing in the aftermath of the recession, and the executives expressed interest in federal research that might help improve their line of vehicles with new technology.

One of the participants was Zatko, who saw a focus on selling products, not protecting consumers from malicious hackers who might exploit those products.

“There’s no security in cars, and the systems are wide open,” Zatko told the GM executives. “This is an accident, a very bad accident, waiting to happen.”

DARPA, which has no regulatory authority, couldn’t force the auto industry to do anything, but it could nudge it along by supporting research demonstrating the problem. So Zatko arranged for a research contract for Miller and Valasek. They bought two cars — a Toyota Prius and a Ford Escape — and went to work.

Miller and Valasek started by hacking into the vehicles through an onboard diagnostic port. When NBC’s Today show ran startling footage in 2013 showing the hackers overriding the driver’s control — yanking the steering wheel to one side, disabling the brakes and shutting off the engine — the car companies issued pointed statements noting that Miller and Valasek were sitting in the vehicles, not controlling them remotely through the Internet.

So Miller and Valasek set out to prove that they could do the same things from thousands of miles away. This time, they bought a white Jeep Cherokee.

This latest round of research is no less chilling. In a demonstration, Miller had to start the car with his key. But once it was running, he found the vehicle’s Internet address and, while sitting in his office and typing on a laptop, hacked in through the Uconnect dashboard information and entertainment system.

As the Jeep drove in a parking lot nearby, Miller changed the radio station and turned up the volume. He locked and unlocked the doors, and shot wiper fluid onto the windshield.

Then Miller shut off the engine. He briefly disabled the brakes. And he caused the transmission to malfunction, which led the Jeep to lose speed even when the gas pedal was pressed repeatedly. While the car was moving slowly in reverse, Miller turned the steering wheel, causing the Jeep to carve a wide circle through the lot.

Afterward, he said the purpose of such demonstrations was to prompt urgency from automakers: “I don’t want to wait until there are cars crashing on the news every month.”

Miller and Valasek previewed their research for Fiat Chrysler Automobiles, the parent company of Jeep, allowing it time to prepare a software update preventing the techniques they discovered. Dealerships can install the new software, or customers can download it themselves.

Despite the heads-up from the researchers, Fiat Chrysler issued a sharply worded statement Tuesday: “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.”

Vulnerable car systems

But beyond the technical challenge of thwarting hackers, Fisher, the Tufts University professor, wonders whether the industry has the right business incentives to improve cybersecurity. Customers typically pay for features they desire, not to avoid theoretical future calamities. That means manufacturers rarely compete with one another to provide the best security, Fisher said.

While government and industry struggle to address cybersecurity, the number of potentially vulnerable systems in cars is growing. Miller and Valasek counted 23 computers in a 2006 Prius and 40 in one from 2014.

That trend is accelerating as the auto industry moves toward the introduction of driverless cars. Some of the most advanced vehicles already take control of the steering wheel, gas pedal and brakes in certain situations.

Ellis, the former Ford technologist, argues that outsiders underestimate how poorly suited the industry is to combat the cybersecurity threat.

Automakers don’t build cars so much as assemble them from parts sourced from other companies, whose priorities don’t necessarily include addressing threats that might manifest themselves long after a vehicle is sold.

“Am I scared of this near future? Sure,” Ellis said. “I’m scared because car manufacturers don’t get software. This isn’t a car problem. It’s a software and business-model problem.”

View the original content and more from this author here: http://ift.tt/1TSItEM


