Vulnerabilities / Threats

5/22/2015
09:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hacking Virginia State Trooper Cruisers

Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

A new public-private working group in the Commonwealth of Virginia is testing how state trooper cruisers could be sabotaged via cyberattacks. Virginia Governor Terry McAuliffe this week announced the new initiative, which is aimed at protecting the state's public safety agencies and citizens from hacks against vehicles.

The project team studying Virginia State Police vehicles includes the US Department of Homeland Security's Science and Technology division, the US Department of Transportation's Volpe Transportation Systems Center, the Virginia Department of Motor Vehicles, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Spectrum Comm, Kaprica Security, Digital Bond Labs, and OpenGarages.

Virginia of late has become a hotbed for car-hacking research, with the recently completed crash-test of prototype sensor-based technology initially created for protecting US military drones. The pilot simulated cyber attacks on cars to take control over the braking, acceleration, and collision avoidance features in the vehicles. Late last month, Virginia also became the first state to establish its own Information Sharing and Analysis Organization (ISAO) for cyberattack threat intelligence-sharing.

The state's car-hacking project, which will run for 90 days, also aims to come up with low-cost technology that can help law enforcement identify if a vehicle or other "mechanized equipment" has been hit by a cyberattack when an accident or other incident occurs, and to find ways for consumers and public safety officials to detect and prevent such threats to vehicles and consumer devices; as well as to identify economic development opportunities in this field for the state.

The project is studying two models of Virginia State Police vehicles -- the 2013 Ford Taurus and 2012 Chevrolet Impala. The research is mostly focused on hacks that would require physical access to the vehicles, much like the initial car-hacking research by Charlie Miller and Chris Valasek, but will also include some remote attacks.

The concern is that criminal or terrorist groups, for example, could physically tamper with state police vehicles to hamper investigations or assist in criminal acts by messing with the car's acceleration, or deploying airbags while the vehicle is driving at a high speed, for example, says David Drescher, president of MSi, a member of the project team. "What we're going to be doing is carrying out … these attacks on a car to show that yes, you can cut off the engine [via] the CAN bus," for example, Drescher says.

"The primary focus is on the attacks themselves, rather than how they are delivered. Our primary attack will be through the OBDII port," with various tethered tools or a device that connects to the OBDII port and transmits via Bluetooth or WiFi, he says.

The researchers may also simulate a remote RF-based attack test as well, he says. But since the State Trooper vehicles being tested are older models and not as networking-equipped, the remote testing may be limited to things like Bluetooth and tire pressure-monitoring system attacks that other researchers have already revealed.

[A researcher finds security holes in Flo the Progressive Girl's car plug-in Snapshot insurance policy product. Read Security MIA In Car Insurance Dongle.]

"The next phase is looking at protections, and then a cyber scorecard," a sort of Consumer Reports-style scoring system for how cybersecurity-ready a vehicle really is, he says. That will draw from and build on a similar project by Volvo and others, he says.

Drescher says other states and localities are taking an interest in Virginia's project. The project will conclude in July, with an assessment of the possible hacks of the vehicles and as well as a report on technologies for detecting a cyberattack on a vehicle. "Today we have no way to know if a car was" hacked, Drescher says. "We're going to see if there's a way to collect more data across the CAN bus" for forensics and detection purposes, he says.

The project also will build a database of car vulnerabilities that includes its findings as well as those from previous car-hacking research including that of the University of Washington, Miller and Valasek's work, as well as research from OpenGarages and Digital Bond, and others.

State officials were quick to note that the car-hacking project is a preventative measure, and not a reaction to any imminent threats. "This initiative is not meant to alarm anyone," said Virginia's secretary of Public Safety and Homeland Security Brian Moran. "The threat of 'car hacking' is rare, but recognizing that the technology already exists for such criminal and dangerous activities to occur is the first step towards protecting our Commonwealth and its citizens from future harm."

Drescher says the concern is that as such attacks become automated or "industrialized," tools will land in the market that simplify them such that a non-sophisticated attacker could execute them.

"High-tech systems now used in most automobiles are opening up potential new avenues for cyber attacks,” Gov. McAuliffe said. "Thanks to the continuing efforts of the Virginia Cyber Security Commission and Virginia Cyber Security Partnership, we have the opportunity to lead the nation in the establishment of safeguards protecting the vehicles of Virginia’s 5.8 million licensed drivers."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/22/2015 | 10:38:41 PM
Direct vs. Remote a non-issue
Fundamentally, access is access.  Car security researchers have shown that direct access and remote access don't matter that much -- and that a great deal of havoc can be wreaked either way.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...