From simple tools for transportation or racing, cars have turned into just another gadget. And it is exactly this transformation that now makes cars just as vulnerable to cyber-crimes as any other networked device.
But exactly how dangerous is it to own a technologically advanced car in today's day and age? How serious can attacks committed against one be for the owners and their possessions? And, ultimately, can a malicious force take complete control over a car, possibly endangering one's bodily integrity?
These are some of the questions we tried to find answers to by talking to Asaf Ashkenazi, Chief Strategy Officer at Inside Secure, a company that specializes in providing security solutions for mobile and connected devices.
autoevolution:
As the number of connected cars is on the rise, some have begun wondering how far a hacker could go, with today’s tech, when attacking a vehicle. We know a car can be unlocked, started and perhaps even driven remotely with the right tools, but what other risks are there?
Asaf Ashkenazi:
Many cars are equipped with GPS, which allows hackers to remotely track vehicles in real time. If the car has an anti-theft mechanism, hackers can disable the car remotely whenever they choose to. It’s important to point out that all of the above attacks, including unlocking and starting the car remotely, can be done without needing to hack the car itself and without any technical knowledge of the car hardware or software.
Many of today’s cars have a smartphone app that allows users to remotely access and control their vehicle. All that a hacker needs to hack is the car’s smartphone app. Unlike hacking a vehicle, which requires a deep understanding of the car’s systems and access to information specific to the make and model, hackers can attack a smartphone app using standard smartphone hacking tools that are widely available on the darknet.
In more extreme cases, hackers can attack vulnerabilities in the vehicle’s systems and take control over different functions, including acceleration, braking, and steering. However, these kinds of attacks are much more complicated and difficult to perform. There are only a handful of highly skilled hackers who can develop and execute them. Moreover, these attacks often require physical access to the car.
autoevolution:
From speed limitation devices to the self-driving features of the Tesla Autopilot, there are countless computer systems working together in cars. What is the most vulnerable onboard system of a modern-day car when it comes to hacking?
Asaf Ashkenazi:
It is not necessarily the system that determines the risk level, but it is how accessible the system is that makes it more vulnerable. A successful attack is not enough, it also needs to be scalable and easy to deploy. This usually means remote access to the car via a wireless interface. If this interface is also connecting to the internet, then even better. Anyone with internet access can attack the car from anywhere in the world. The more connected the car, the more vulnerable it becomes.
Modern cars are becoming more and more connected. Many cars have their own built-in cellular modem, which keeps cars always connected to the internet. Cars are also connected to the internet indirectly via our smartphone, and in the future, when vehicle-to-vehicle and vehicle-to-infrastructure communication will become widely used, cars will be exposed to numerous attack vectors.
This will require car makers to re-think their security strategy. Instead of focusing on protecting software interfaces, they will have to protect all software components from reverse engineering and modifications, establish better separation between different sub-components to contain exploits, and monitor and identify attacks in real time.
autoevolution:
Currently there’s virtually no new car that doesn’t have at least Android and Apple integration. Are systems such as these vulnerabilities for a car?
Asaf Ashkenazi:
In order to attack a car, a hacker needs a way into the car’s system. Fifteen years ago, this mostly meant access to the car’s physical interfaces, such as the OBD interface. Today, there are more remote entry points, including wireless interfaces, which dramatically increase the car’s attack surface. This attack surface also includes peripheral devices such as Android and Apple smartphones.
Car manufacturers cannot solely rely on the security of Apple and Android software components; they also need to implement firewalls within the car to make sure that a compromise in a peripheral component is limited and confined to the functionalities of the peripheral system. They need to make sure that Android and Apple components are not used to attack other vehicle subsystems, including critical subsystems. This is not trivial to do as all subsystems have some level of interaction.
autoevolution:
We already see car companies buying into technology startups as a means to create better and safer systems for the vehicles they make. Should they also develop specialized departments against cyber crimes?
Asaf Ashkenazi:
Many car manufacturers already have special product security teams. It is important that these teams not only look at the vehicle perimeter, but also the security needs of the car’s extensions, such as the smartphone apps and cloud services today’s cars rely on.
autoevolution:
Car-related cyber crimes are not yet events that make the headlines, but the number of such incidents is on the rise. What carmaker/car is currently the most targeted by attacks? What kind of attack is the most widespread?
Asaf Ashkenazi:
We do not comment on specific carmakers or car models; however, we can say that most carmakers recognize that cybersecurity should be taken seriously. Unfortunately, this does not always translate to direct actions or actions in the right direction. Carmakers are not always aware of all the risks and do not necessarily address security vulnerabilities based on the risk level.
autoevolution:
Aside from relying on the safety systems put in place by carmakers and their partners, what measures can we, the drivers, take to protect ourselves against an attack?
Asaf Ashkenazi:
As consumers, we should add cybersecurity concerns and questions to our car buying decision process. The same way we examine a car model’s safety rating, reliability and performance, we need to show concern about the cybersecurity of the car.
Unfortunately, there are not yet ratings for the cybersecurity level of the car model, and consumers do not have many tools to examine the security level of the car they buy. As more and more consumers ask about cybersecurity, more car manufacturers will pay attention to the risks. After all, it took about 40 years to begin standardizing car safety (it was only in 1966 that the United States Congress authorized the federal government to set safety standards for new cars), and another 30 years for seatbelts to be widely accepted (in the U.S. seat belts became widely accepted in the 1990s).
Hopefully we learned the lesson and it won’t take another 60 years to seriously address cybersecurity concerns.