4/6/2015
04:00 PM

Car-Hacking Prototype Passes Crash Test

Sensor-based technology--with military drone roots--created to detect and automatically stop cyberattacks on cars.

Technology initially created for protecting US military unmanned aerial vehicles--aka drones--from cyberattacks soon will be available to help protect cars from hacking as well.

Researchers from the University of Virginia and Perrone Robotics recently completed a pilot track-test of cyberattacks on vehicles using prototype sensor technology from startup Mission Secure Inc. (MSi). They simulated cyberattacks on cars that attempted to take over the braking, acceleration, and collision avoidance features of the vehicles. Perrone provided the autonomous ground vehicles for the track tests, which implemented MSi's sensors in the vehicles to detect and stop the cyber-sabotage of the cars.

The technology basically monitors for anomalous behavior by a car's automated functions, and automatically corrects, for example, any malicious acceleration activity. It's based on research and technology by UVA and the Department of Defense for protecting UAVs, which MSi in turn is developing into a commercial product for the auto industry called Secure Sentinal.

As part of the pilot test, the researchers programmed a wireless key fob to trigger the cyberattacks on the unmanned cars, which were tested both with and without MSi's prototype sensors. The sensors were able to detect the attacks on those functions and automatically take back control of the vehicle function under attack.

The potential for car hacking, in which hackers wrest control of or manipulate networked and automated features in newer-model cars, was demonstrated two years ago by security researchers Charlie Miller and Chris Valasek, who pioneered some of the most eye-popping car-hacking research to date. The pair purchased a 2010 Toyota Prius and a 2010 Ford Escape and tore apart the dashboards of the vehicles to learn how the various automated features were networked and run, and ultimately wrote code to control the electronics that run the steering wheel, brakes, and other functions. Last year, they published a report that evaluated which vehicles are most hackable by an attacker with no physical access to the cars.

Since then, members of the security industry have been working to school the automobile industry on cyber security vulnerabilities in cars, and worries over possible car attacks have even hit home on Capitol Hill, as Sen. Edward Markey recently published a report on how cars could be vulnerable to hackers.

MSi plans to roll out a commercial version of the so-called Secure Sentinal product sometime next year, says David Drescher, CEO of the Charlottesville, Va.-based startup. "Like seat belts and airbags, this would be a standard security feature" in future cars, he says. Secure Sentinal sensors are 3-inch by 3-inch, self-contained processors that ultimately will communicate via the car's CANbus network and also have the option to communicate wirelessly to a Secure Sentinal management console.

MSi has been meeting with automotive OEMs, Drescher says, and two of the largest tier-1 suppliers to the automakers have been inquiring about the anti-hacking sensors. He says he and his team believe automakers will adopt a core technology such as MSi's that would also be adaptable to new attack threats and techniques.

Chris Valasek, who heads up the vehicle security research practice at IOActive, says MSi's sensor concept is interesting and would likely work. The challenge, though, is selling the carmakers, he says.

"Getting them to put anything that's not theirs, or their suppliers', into their vehicles is a tough sell," says Valasek, who notes that there are other ways to detect bad behavior without sensors, such as an intrusion detection system sitting on the car's CANbus network.

There's also the issue of different car models employing features like adaptive collision control differently, he says.

"The concept is great … But adding more things that could potentially go wrong in a car" will be tough to convince carmakers, he says.

Making the technology affordable and flexible enough to adjust to new forms of attack is key, MSi's Drescher concurs. "$15 per car for each solution is a target one former CEO of a big three automaker indicated would be feasible" for an affordable anti-hacking solution in a car, he says. "At some point, these features will become standard and either passed on to the consumer, or be absorbed like the cost of a seat belt and air bags."

He says his firm also has been investigating how to apply the technology to different vehicle models, and it appears to be "feasible" to work across different makes and models and should be "replicable and scalable."

The car-hacking sensors also gather forensics information about an attack.

Barry Horowitz, chair of UVA's Systems and Information Engineering Department, led the initial DoD-sponsored research on embedded security that led to the sensor technology effort. He says securing physical systems is a bit more straightforward than securing logical systems: "Cyberattacks on physical systems are much more bounded than they are on information systems," Horowitz says. "There are only so many things you can make them do, and they are bound by the laws of physics ... If you go fast, your position changes a lot," for example, he notes.

Detecting malicious activity requires establishing the baseline parameters, for instance. "I don't park a car at 80 miles per hour," he says. "There are things you can do that are anticipatory" to prevent attacks, says Horowitz, former CEO of Mitre Corp. and developer of the collision avoidance system prototype that later became the FAA's TCAS system.
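The physics-bounded baseline Horowitz describes can be sketched as a small consistency monitor. This is an added example, not code from MSi, UVA or the article; the thresholds, field names and telemetry samples are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; a real monitor would be calibrated per vehicle model.
MAX_ACCEL_MPS2 = 12.0       # speed change per second beyond this is not physically plausible
MAX_PARK_SPEED_MPS = 3.0    # parking manoeuvres happen at walking pace
POSITION_TOLERANCE_M = 2.0  # allowed gap between measured travel and speed * dt

@dataclass
class Sample:
    t: float         # seconds
    speed: float     # m/s, as reported on the vehicle bus
    position: float  # metres along the track, from an independent source
    mode: str        # "drive" or "park"

def check(prev, cur):
    """Return the physical-consistency rules violated between two samples."""
    dt = cur.t - prev.t
    if dt <= 0:
        return ["non-monotonic timestamp"]
    alerts = []
    if abs(cur.speed - prev.speed) / dt > MAX_ACCEL_MPS2:
        alerts.append("implausible acceleration")
    # "If you go fast, your position changes a lot": compare travel with mean speed * dt.
    expected = 0.5 * (prev.speed + cur.speed) * dt
    if abs((cur.position - prev.position) - expected) > POSITION_TOLERANCE_M:
        alerts.append("speed/position mismatch")
    # "I don't park a car at 80 miles per hour": a mode-dependent baseline.
    if cur.mode == "park" and cur.speed > MAX_PARK_SPEED_MPS:
        alerts.append("park mode at speed")
    return alerts

def monitor(samples):
    """Return (timestamp, alerts) for every sample that breaks the baseline."""
    findings = []
    for prev, cur in zip(samples, samples[1:]):
        alerts = check(prev, cur)
        if alerts:
            findings.append((cur.t, alerts))
    return findings

# Constructed telemetry: one normal step, one spoofed speed jump, one park-at-speed state.
SAMPLES = [
    Sample(0.0, 10.0, 0.0, "drive"),
    Sample(1.0, 11.0, 10.5, "drive"),
    Sample(2.0, 35.8, 22.0, "drive"),  # reported speed jumps, position does not follow
    Sample(3.0, 35.8, 57.8, "park"),   # 35.8 m/s is roughly 80 mph
]

if __name__ == "__main__":
    for t, alerts in monitor(SAMPLES):
        print(f"t={t:.1f}s: {', '.join(alerts)}")
```
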

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
4/9/2015 | 8:34:39 AM
Re: This is great but...
That would be one (non) killer app if it did!
Kelly Jackson Higgins,
User Rank: Strategist
4/9/2015 | 8:34:14 AM
Re: This is great but...
LOL, @Jason! I think that's a whole other hack. 
JasonPolancich,
User Rank: Author
4/9/2015 | 5:45:47 AM
This is great but...
Does it also work for my teenagers? :)
Marilyn Cohodas,
User Rank: Strategist
4/8/2015 | 9:32:37 AM
Re: Good to hear that the auto industry is paying attention to security researchers
I think consumers will have a big role in this, especially as more connected cars roll off the assembly lines. We're all intrigued with the bright shiny new technology the auto industry is building into cars. But for most drivers, the paramount issue is safety. And it's a no-brainer that the increased connectivity adds a lot of risk.
Kelly Jackson Higgins,
User Rank: Strategist
4/8/2015 | 9:17:59 AM
Re: Good to hear that the auto industry is paying attention to security researchers
@GonzSTL, you're absolutely right about the segmentation issue with car features, which also applies to the IT world. It's hard enough to get app developers to build with security in mind, but maybe the public safety issue here will drive carmakers to think differently about security.
GonzSTL,
User Rank: Ninja
4/8/2015 | 9:13:23 AM
Re: Good to hear that the auto industry is paying attention to security researchers
I'm glad they are paying attention, but as the article stated, automobile manufacturers tend to resist putting something in their cars that they or their supply chain did not produce. I do believe that they will relent though, if the technology proves itself viable in a larger test. The thing that still bothers me is that in many cars, the computer systems all share a common bus. Manufacturers really need to look at segmenting the various computer systems to provide some sort of isolation with hierarchical security. Automobile informatics is no different than any other IT infrastructure, so it stands to reason that automobile manufacturers should also follow established practices that lead to increased security. There is no magic amulet that protects all IT systems. Those systems should be designed from the start with security in mind.
Kelly Jackson Higgins,
User Rank: Strategist
4/7/2015 | 5:13:14 PM
Re: Good to hear that the auto industry is paying attention to security researchers
I think it will be the automaker suppliers who drive this--they already have led some initial security research efforts and initiated efforts for a threat-intelligence sharing platform for their industry: http://www.darkreading.com/analytics/threat-intelligence/automobile-industry-accelerates-into-security/d/d-id/1297313
Marilyn Cohodas,
User Rank: Strategist
4/7/2015 | 5:05:17 PM
Good to hear that the auto industry is paying attention to security researchers
A step in the right direction but lots of speed bumps on the way (Sorry about the mixed metaphor!)