Vulnerabilities / Threats

5/22/2015
09:30 AM

Hacking Virginia State Trooper Cruisers

Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

A new public-private working group in the Commonwealth of Virginia is testing how state trooper cruisers could be sabotaged via cyberattacks. Virginia Governor Terry McAuliffe this week announced the new initiative, which is aimed at protecting the state's public safety agencies and citizens from hacks against vehicles.

The project team studying Virginia State Police vehicles includes the US Department of Homeland Security's Science and Technology division, the US Department of Transportation's Volpe Transportation Systems Center, the Virginia Department of Motor Vehicles, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Spectrum Comm, Kaprica Security, Digital Bond Labs, and OpenGarages.

Virginia of late has become a hotbed for car-hacking research, with the recently completed crash-test of prototype sensor-based technology initially created for protecting US military drones. The pilot simulated cyber attacks on cars to take control over the braking, acceleration, and collision avoidance features in the vehicles. Late last month, Virginia also became the first state to establish its own Information Sharing and Analysis Organization (ISAO) for cyberattack threat intelligence-sharing.

The state's car-hacking project, which will run for 90 days, also aims to come up with low-cost technology that can help law enforcement identify whether a vehicle or other "mechanized equipment" has been hit by a cyberattack when an accident or other incident occurs; to find ways for consumers and public safety officials to detect and prevent such threats to vehicles and consumer devices; and to identify economic development opportunities in this field for the state.

The project is studying two models of Virginia State Police vehicles -- the 2013 Ford Taurus and 2012 Chevrolet Impala. The research is mostly focused on hacks that would require physical access to the vehicles, much like the initial car-hacking research by Charlie Miller and Chris Valasek, but will also include some remote attacks.

The concern is that criminal or terrorist groups could physically tamper with state police vehicles to hamper investigations or assist in criminal acts, for example by messing with the car's acceleration or deploying airbags while the vehicle is driving at a high speed, says David Drescher, president of MSi, a member of the project team. "What we're going to be doing is carrying out … these attacks on a car to show that yes, you can cut off the engine [via] the CAN bus," for example, Drescher says.

"The primary focus is on the attacks themselves, rather than how they are delivered. Our primary attack will be through the OBDII port," with various tethered tools or a device that connects to the OBDII port and transmits via Bluetooth or WiFi, he says.

The researchers may also simulate a remote RF-based attack test, he says. But since the State Trooper vehicles being tested are older models and not as networking-equipped, the remote testing may be limited to things like Bluetooth and tire pressure-monitoring system attacks that other researchers have already revealed.

"The next phase is looking at protections, and then a cyber scorecard," a sort of Consumer Reports-style scoring system for how cybersecurity-ready a vehicle really is, he says. That will draw from and build on a similar project by Volvo and others, he says.

Drescher says other states and localities are taking an interest in Virginia's project. The project will conclude in July, with an assessment of the possible hacks of the vehicles as well as a report on technologies for detecting a cyberattack on a vehicle. "Today we have no way to know if a car was" hacked, Drescher says. "We're going to see if there's a way to collect more data across the CAN bus" for forensics and detection purposes, he says.

The project also will build a database of car vulnerabilities that includes its findings as well as those from previous car-hacking research, including that of the University of Washington, Miller and Valasek's work, research from OpenGarages and Digital Bond, and others.

State officials were quick to note that the car-hacking project is a preventative measure, and not a reaction to any imminent threats. "This initiative is not meant to alarm anyone," said Virginia's secretary of Public Safety and Homeland Security Brian Moran. "The threat of 'car hacking' is rare, but recognizing that the technology already exists for such criminal and dangerous activities to occur is the first step towards protecting our Commonwealth and its citizens from future harm."

Drescher says the concern is that as such attacks become automated or "industrialized," tools will land in the market that simplify them such that a non-sophisticated attacker could execute them.

"High-tech systems now used in most automobiles are opening up potential new avenues for cyber attacks," Gov. McAuliffe said. "Thanks to the continuing efforts of the Virginia Cyber Security Commission and Virginia Cyber Security Partnership, we have the opportunity to lead the nation in the establishment of safeguards protecting the vehicles of Virginia’s 5.8 million licensed drivers."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
5/22/2015 | 10:38:41 PM
Direct vs. Remote a non-issue
Fundamentally, access is access.  Car security researchers have shown that direct access and remote access don't matter that much -- and that a great deal of havoc can be wreaked either way.