Jeep breach: Scared? You should be, it could be you next

Why the hell connect cars to the net anyway?

Cyber carjacking

We put it to Valasek that various other kinds and years of cars might have the same software as in the Jeep hack and therefore might also be vulnerable.

“That's completely plausible,” Valasek told El Reg in response to our questions. “We only know about FCA [Fiat Chrysler Automotive] vehicles, but this [Uconnect] device could be in anything really.”

The Uconnect system allows motorists to start their engines, unlock doors or flash their headlamps via their computer or the Uconnect Access smartphone app from anywhere.

Miller and Valasek, whose research is partially being funded through the US military's DARPA research arm, are due to demonstrate their hack against an unaltered Jeep Cherokee at next month's Black Hat conference in Las Vegas.

“Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN [a car's Controller Area Network] bus to critical electronic control units,” the talk promises to explain. “We will conclude by showing several CAN messages that affect physical systems of the vehicle.”

The essential problem is that safety-critical systems are no longer air-gapped from the rest of the vehicle network.

The Jeep hack revealed what was possible but more may follow. The stunt demo has, at the very least, put other car manufacturers on notice. The Miller and Valasek hack is particularly impressive but not entirely unprecedented; other researchers demonstrated a remote attack against an unnamed vehicle back in 2001, as a post by John Zorabedian on Sophos’ Naked Security blog notes.

Cyber dashboard

Car security specialists Argus Cyber Security said both manufacturers and US legislators are alive to the threat. A Senate bill to improve car security standards and protect consumers from security and privacy threats to their motor vehicles was tabled this week.

“The bill, called the 'Security and Privacy in Your Car Act of 2015' or the 'SPY Car Act of 2015' would set standards and a 'Cyber Dashboard' rating system, mandating car manufacturers to detect and respond to hacking attacks in real-time,” explained Yoni Heilbronn, marketing veep at Argus Cyber Security.

The proposed law would introduce a binding framework to current voluntary industry activities.

Argus’s technology is “ready-to-embed and provide car manufacturers with a real-time Cyber Dashboard, providing them with real-time overview of their fleet's cyber health and with the ability to detect new threats and quickly respond to cyber attacks,” according to Heilbronn, who added that the technology has already been tested and approved by the US Department of Transportation.

Argus's technology is designed to promote car connectivity without compromising on security. Other car security startups are likely to use the now all-too-real risk of car hacking to market their technology.

Airgap

However, security guru Bruce Schneier expressed doubts about whether technology offers an answer to car connectivity security risks.

“Honestly, I'm not sure our security technology is enough to prevent this sort of thing if the car's controls are attached to the internet,” Schneier said in a blog post.

Marta Janus, a security researcher at Kaspersky Lab, also questioned the need to connect cars and other vehicles to the public net, arguing that the risks this creates outweigh the small benefits offered.

“Everything connected to the net is prone to attacks and is potentially hackable,” Janus commented. “When it comes to transportation, such as cars, trains and airplanes, the consequences of a successful breach can be infinitely more serious than a computer or mobile device hack, as people's lives are directly at stake.

“We should definitely reconsider the concept of the Internet-of-Things, and think carefully about which devices should be connected to one another. Obviously, computers, smartphones and tablets would be next to useless without an internet connection,” she added.

“But what is the real advantage of having a car with access to the net? For navigation and remote door opening, a centralised online system isn’t necessary. Even for the few convenience features that would be impossible without net connection, are they really worth the dire risk of being hacked?” Janus asked.

Transportation – together with industrial systems and other critical infrastructure – shouldn't make use of the public net at all, according to Janus. “Instead, they should build separate networks, featuring unique and custom-made secure protocols to reduce the risk of potentially fatal hacking,” she said.
