Wednesday, 23 September 2015

The cyber-mechanics who protect your car from hackers

A hacking incident led to the recall of 1.4 million Dodge, Jeep, Ram and Chrysler vehicles (Image: Joe Raedle/Getty)

A FEW weeks ago, a small team of security researchers gathered near a car outside one of their company’s buildings. Then they hacked it. The team did not need to physically connect to the vehicle or even enter it – they simply jacked in over Wi-Fi. When they did, they soon found an unexpected vulnerability.

“There was a route through to the vehicle network where the more sensitive, safety critical systems are,” explains Andy Davis of NCC Group, an information security specialist based in Manchester, UK. He says his team could have used this breach to fiddle with the car’s automatic braking.

It is the kind of penetration test that NCC Group and their partner SBD, an automotive security specialist based in Milton Keynes, UK, do for car companies all the time. 

Their work will no doubt increase with the news last month that security researchers remotely killed the engine of a Jeep while it was on the road. It resulted in the recall of 1.4 million vehicles by Fiat Chrysler, which owns Jeep.

Car companies are busy tackling the security issues associated with increasingly high-tech, connected cars. Those in the industry point out that corporations remain highly secretive about this work for fear of inspiring criminals or competitors.

“Most manufacturers know there is a problem and they’re working on solutions, but no one will go public with it,” explains Martin Hunt, who works in automotive penetration testing for BT. Hunt points out that hackers are often able to gain control of crucial functions in a car – such as braking, steering or switching the engine on and off – through surprising means. A common example is via the in-car “infotainment” system.

“Quite often these systems are interconnected via a central control unit. If you can get into one you can get into another,” says Hunt, pointing out that practically every function in a car is nowadays connected. This has led to a broadening of what is known as the car’s “attack surface” – the number of ways it could be hacked.

Although there are no reported cases of criminals using such techniques to maliciously send cars off the road, Davis thinks that exploits that could be quickly monetised – such as unlocking and stealing parked cars – may soon appear.

US-based security researcher Josh Corman has set up an initiative, I Am The Cavalry, to improve the public safety of various technologies. He and others have developed a framework to help vehicle manufacturers better adjust to the threats of hacking.

One suggestion is “black boxes” that can record the details of any successful vehicle hacks, allowing for diagnostics and patches to be developed more quickly afterwards. 

But the rapid pace of change in the car sector means that security solutions can lag way behind the vulnerabilities introduced by the latest innovations. “They’re adding attack surfaces at a rate of one a year but telling me it’ll take five years to secure them,” says Corman. “We have a lot of catching up to do.” - newscientist.com
