5/22/2015
09:30 AM

Hacking Virginia State Trooper Cruisers

Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

A new public-private working group in the Commonwealth of Virginia is testing how state trooper cruisers could be sabotaged via cyberattacks. Virginia Governor Terry McAuliffe this week announced the new initiative, which is aimed at protecting the state's public safety agencies and citizens from hacks against vehicles.

The project team studying Virginia State Police vehicles includes the US Department of Homeland Security's Science and Technology division, the US Department of Transportation's Volpe Transportation Systems Center, the Virginia Department of Motor Vehicles, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Spectrum Comm, Kaprica Security, Digital Bond Labs, and OpenGarages.

Virginia of late has become a hotbed for car-hacking research, with the recently completed crash-test of prototype sensor-based technology initially created for protecting US military drones. The pilot simulated cyber attacks on cars to take control over the braking, acceleration, and collision avoidance features in the vehicles. Late last month, Virginia also became the first state to establish its own Information Sharing and Analysis Organization (ISAO) for cyberattack threat intelligence-sharing.

The state's car-hacking project, which will run for 90 days, also aims to come up with low-cost technology that can help law enforcement determine whether a vehicle or other "mechanized equipment" has been hit by a cyberattack when an accident or other incident occurs; to find ways for consumers and public safety officials to detect and prevent such threats to vehicles and consumer devices; and to identify economic development opportunities in this field for the state.

The project is studying two models of Virginia State Police vehicles -- the 2013 Ford Taurus and 2012 Chevrolet Impala. The research is mostly focused on hacks that would require physical access to the vehicles, much like the initial car-hacking research by Charlie Miller and Chris Valasek, but will also include some remote attacks.

The concern is that criminal or terrorist groups could physically tamper with state police vehicles to hamper investigations or assist in criminal acts, for example by messing with the car's acceleration or deploying airbags while the vehicle is driving at a high speed, says David Drescher, president of MSi, a member of the project team. "What we're going to be doing is carrying out … these attacks on a car to show that yes, you can cut off the engine [via] the CAN bus," Drescher says.

"The primary focus is on the attacks themselves, rather than how they are delivered. Our primary attack will be through the OBDII port," with various tethered tools or a device that connects to the OBDII port and transmits via Bluetooth or WiFi, he says.

The researchers may also simulate a remote RF-based attack test, he says. But since the State Trooper vehicles being tested are older models and not as networking-equipped, the remote testing may be limited to things like Bluetooth and tire pressure-monitoring system attacks that other researchers have already revealed.


"The next phase is looking at protections, and then a cyber scorecard," a sort of Consumer Reports-style scoring system for how cybersecurity-ready a vehicle really is, he says. That will draw from and build on a similar project by Volvo and others, he says.

Drescher says other states and localities are taking an interest in Virginia's project. The project will conclude in July, with an assessment of the possible hacks of the vehicles as well as a report on technologies for detecting a cyberattack on a vehicle. "Today we have no way to know if a car was" hacked, Drescher says. "We're going to see if there's a way to collect more data across the CAN bus" for forensics and detection purposes, he says.

The project also will build a database of car vulnerabilities that includes its own findings as well as those from previous car-hacking research, including work by the University of Washington, Miller and Valasek, OpenGarages, Digital Bond, and others.

State officials were quick to note that the car-hacking project is a preventative measure, and not a reaction to any imminent threats. "This initiative is not meant to alarm anyone," said Virginia's secretary of Public Safety and Homeland Security Brian Moran. "The threat of 'car hacking' is rare, but recognizing that the technology already exists for such criminal and dangerous activities to occur is the first step towards protecting our Commonwealth and its citizens from future harm."

Drescher says the concern is that as such attacks become automated or "industrialized," tools will land in the market that simplify them such that a non-sophisticated attacker could execute them.

"High-tech systems now used in most automobiles are opening up potential new avenues for cyber attacks," Gov. McAuliffe said. "Thanks to the continuing efforts of the Virginia Cyber Security Commission and Virginia Cyber Security Partnership, we have the opportunity to lead the nation in the establishment of safeguards protecting the vehicles of Virginia's 5.8 million licensed drivers."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
5/22/2015 | 10:38:41 PM
Direct vs. Remote a non-issue
Fundamentally, access is access.  Car security researchers have shown that direct access and remote access don't matter that much -- and that a great deal of havoc can be wreaked either way.