from Hacking – an Overview
While there is no silver bullet that can protect against all possible cyber attacks, the industry should adopt a wide variety of processes and products in order to make the world a safer place.
If a physical device is connected to the internet, it can be targeted with a cyber attack. Thus, with tens of millions of connected cars on the road today – and hundreds of millions of them expected to be on the road by 2020 – threats to the safety and privacy of motorists, passengers, bystanders and private as well as corporate property already exist and are set to grow substantially.
While connectivity can be (and already is being) used to make us safer, more productive and entertained while in transit, it creates an attack surface through which to access the vehicle’s delicate controller area network (CAN) bus. Once inside, hackers may be able to send commands to the vehicle from a remote location in order to, inter alia, steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions – imagine losing the ability to steer or brake while speeding down a highway!
Looking forward, by 2020, virtually all manufactured vehicles will come with embedded, tethered or smartphone mirroring connectivity. Already in the first quarter of 2016, cars accounted for one-third of all new cellular devices. No longer a pipe dream of futurists, car connectivity has pervaded the automotive industry, and recent white-hat hacks of both private cars and commercial vehicles prove the ever-present danger.
Luckily, customer safety and satisfaction are the foremost concerns for automakers. As such, like a baby fresh out of the womb, connected cars will get constant oversight and protection too. Original Equipment Manufacturers (OEMs), Tier 1s, regulatory bodies, insurance companies, technology companies, telecommunications providers and organizations affected by the new attack landscape are all working to strengthen the industry’s cybersecurity posture.
Due to the dynamic and developing threat environment, the stakeholders are taking a multitude of approaches. For example, the aforementioned entities are collaborating, both in groups such as the newly formed Auto-ISAC, which recently published a best practices guideline for cyber security on wheels, and amongst themselves, to integrate cyber security into the entire vehicle lifecycle – from concept through production, servicing and decommissioning.
National governments have also taken note of the emerging public safety implications of vehicle connectivity. For example, bills such as the 2015 Spy Car Act, proposed by US Senators Markey and Blumenthal, as well as the Security and Privacy in Your Car Study Act of 2017 demonstrate past focus on vehicle cyber security by US regulators. Most recently in the US, the House of Representatives unanimously passed the SELF DRIVE Act while the US Senate Commerce, Science, and Transportation committee unanimously passed the AV START Act. Both proposed bills would make cyber security a necessary component of any automated driving system.
In the United Kingdom as well, lawmakers have published their Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles while a recent European Commission proposal would see the EU Cybersecurity Agency (ENISA) create EU-wide certificates, similar to labels that are currently used for food safety, for trusted energy, transport and other networks, as well as new consumer devices, like connected cars. Additionally in the EU, the 15 Europe-based car, van, truck and bus manufacturers of the European Automobile Manufacturers Association published their Principles of Automobile Cyber Security which provides an overview of the policies they’ve adopted.
Over the past few years, relevant government agencies have also produced reports and guidelines such as "Cyber Security and Resilience of Smart Cars" by ENISA, and the "Federal Guidance for Improving Motor Vehicle Cybersecurity", "NHTSA and Vehicle Cybersecurity" and "Automated Driving Systems (ADS): A Vision for Safety 2.0" by the US NHTSA.
In 2013, heavy-duty trucks and commercial vehicles transported over $11.5 trillion of goods in the US alone. A pillar of the American and world economies, the trucking industry is powered by connectivity technologies that improve fleet efficiencies, streamline deliveries, reduce downtime, fuel costs and more. These technologies also hold the promise of pushing profit margins through new innovative functions such as platooning, accident avoidance, preventative maintenance and lowering driver turnover rates.
Although critical to the competitiveness of trucking and commercial fleet operators, connectivity makes these vehicles and their operators lucrative targets for hackers naturally motivated by money. But money isn’t the only factor influencing the appeal of cyber attacks on trucks – the common communication standard, J1939, in widespread use amongst trucks and many other commercial vehicles, makes it possible for cyber criminals to craft “one size fits all” attacks that are instantly scalable. This puts fleets responsible for trillions of dollars of goods at risk, as the financial incentive is clear and developing attacks is actually easier than in consumer cars.
Moreover, in the same way consumers expect advanced services powered by connectivity without having to give up safety or privacy, fleet operators need functions such as routing and remote diagnostics just to stay competitive; fuel, driver wages and maintenance costs account for approximately 62% of all trucking expenses. Connected truck technologies promise to reduce all three.
The benefits of truck connectivity are driven by the transfer of vast amounts of telematics data over the Internet through a component known as the telematics gateway unit (TGU). However, as the TGU communicates with the outside world, it exposes truckers and fleet operators to would-be hackers. Researchers have even shown how to access and compromise personal and corporate information governing payroll, delivery schedules, the in-truck network and more.
As thousands of these truck TGUs can be found and accessed without any authentication on the public Internet, the industry should move swiftly to retrofit aging fleets devoid of any security apparatus and to bake cyber security into the entire development cycle and lifespan of future truck lines.