4/6/2015
04:00 PM

Car-Hacking Prototype Passes Crash Test

Sensor-based technology--with military drone roots--created to detect and automatically stop cyberattacks on cars.

Technology initially created for protecting US military unmanned aerial vehicles--aka drones--from cyberattacks soon will be available to help protect cars from hacking as well.

Researchers from the University of Virginia and Perrone Robotics recently completed a pilot track-test of cyberattacks on vehicles using prototype sensor technology from startup Mission Secure Inc. (MSi). They simulated cyberattacks on cars that attempted to take over the braking, acceleration, and collision avoidance features of the vehicles. Perrone provided the autonomous ground vehicles for the track tests, which implemented MSi's sensors in the vehicles to detect and stop the cyber-sabotage of the cars.

The technology basically monitors for anomalous behavior by a car's automated functions, and automatically corrects, for example, any malicious acceleration activity. It's based on research and technology by UVA and the Department of Defense for protecting UAVs, which MSi in turn is developing into a commercial product for the auto industry called Secure Sentinal.

As part of the test pilot, the researchers programmed a wireless key fob to trigger the cyberattacks on the unmanned cars, which were tested both with and without MSi's prototype sensors. The sensors were able to detect the attacks on those functions and automatically take back control of the vehicle function under attack.

The potential for car hacking, or hackers wresting control of or manipulating networked and automated features in newer-model cars, was demonstrated two years ago by security researchers Charlie Miller and Chris Valasek, who pioneered some of the most eye-popping car-hacking research to date. The pair purchased a 2010 Toyota Prius and a 2010 Ford Escape and tore apart the dashboards of the vehicles to learn how the various automated features were networked and run, and ultimately wrote code to control the electronics that run the steering wheel, brakes, and other functions. Last year, they published a report that evaluated which vehicles are most hackable by a hacker with no physical access to the cars.

Since then, members of the security industry have been working to school the automobile industry on cyber security vulnerabilities in cars, and worries over possible car attacks have even hit home on Capitol Hill, as Sen. Edward Markey recently published a report on how cars could be vulnerable to hackers.

MSi plans to roll out a commercial version of the so-called Secure Sentinal product sometime next year, says David Drescher, CEO of the Charlottesville, Va.-based startup. "Like seat belts and airbags, this would be a standard security feature" in future cars, he says. Secure Sentinal sensors are 3-inch by 3-inch, self-contained processors that ultimately will communicate via the car's CANbus network and also have the option to communicate wirelessly to a Secure Sentinal management console.

MSi has been meeting with automotive OEMs, Drescher says, and two of the largest tier-1 suppliers to the automakers have been inquiring about the anti-hacking sensors. He says he and his team believe automakers will adopt a core technology such as MSi's that would also be adaptable to new attack threats and techniques.

[Not all car security flaws can be patched simply -- or at all. Read BMW's Software Security Patch A Sign Of Things To Come.]

Chris Valasek, who heads up the vehicle security research practice at IOActive, says MSi's sensor concept is interesting and would likely work. The challenge, though, is selling the carmakers, he says.

"Getting them to put anything that's not theirs, or their suppliers', into their vehicles is a tough sell," says Valasek, who notes that there are other ways to detect bad behavior without sensors, such as an intrusion detection system sitting on the car's CANbus network.

There's also the issue of different car models employing features like adaptive collision control differently, he says.

"The concept is great … But adding more things that could potentially go wrong in a car" will be a tough sell to carmakers, he says.

Making the technology affordable and flexible enough to adjust to new forms of attack is key, MSi's Drescher concurs. "$15 per car for each solution is a target one former CEO of a big three automaker indicated would be feasible" for an affordable anti-hacking solution in a car, he says. "At some point, these features will become standard and either passed on to the consumer, or be absorbed like the cost of a seat belt and air bags."

He says his firm also has been investigating how to apply the technology to different vehicle models, and it appears to be "feasible" to work across different makes and models and should be "replicable and scalable."

The car-hacking sensors also gather forensics information about an attack.

Barry Horowitz, chair of UVA's Systems and Information Engineering Department, led the initial DoD-sponsored research on embedded security that led to the sensor technology effort. He says securing physical systems is a bit more straightforward than securing logical systems: "Cyberattacks on physical systems are much more bounded than they are on information systems," Horowitz says. "There are only so many things you can make them do, and they are bound by the laws of physics ... If you go fast, your position changes a lot," for example, he notes.

Detecting malicious activity requires establishing the baseline parameters, for instance. "I don't park a car at 80 miles per hour," he says. "There are things you can do that are anticipatory" to prevent attacks, says Horowitz, former CEO of Mitre Corp. and developer of the collision avoidance system prototype that later became the FAA's TCAS system.
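The physics-bounded plausibility checks Horowitz describes can be illustrated with a short monitor, added here as an example; it is not MSi's or UVA's code. The thresholds, field names and telemetry trace are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; real values would be calibrated per vehicle model.
MAX_ACCEL_MPS2 = 12.0        # more than brakes or engine can physically produce
MAX_PARKING_SPEED_MPS = 3.0  # parking assist should never be active above this
POSITION_TOLERANCE_M = 2.0   # allowed gap between reported speed and measured travel

@dataclass
class Sample:
    t: float         # seconds
    speed: float     # m/s, as reported on the vehicle bus
    position: float  # metres along the track, from an independent sensor
    mode: str        # "drive" or "park_assist"

def check(prev: Sample, cur: Sample) -> list[str]:
    """Return the plausibility rules violated between two consecutive samples."""
    dt = cur.t - prev.t
    if dt <= 0:
        return ["non-monotonic timestamp"]
    alerts = []
    # Rule 1: speed cannot change faster than the vehicle can accelerate or brake.
    if abs((cur.speed - prev.speed) / dt) > MAX_ACCEL_MPS2:
        alerts.append("implausible acceleration")
    # Rule 2: "if you go fast, your position changes a lot" (trapezoidal estimate).
    expected = prev.position + 0.5 * (prev.speed + cur.speed) * dt
    if abs(cur.position - expected) > POSITION_TOLERANCE_M:
        alerts.append("speed/position mismatch")
    # Rule 3: baseline behaviour, nobody parks at 80 mph (about 35.8 m/s).
    if cur.mode == "park_assist" and cur.speed > MAX_PARKING_SPEED_MPS:
        alerts.append("park assist at speed")
    return alerts

def monitor(samples: list[Sample]) -> list[tuple[float, str]]:
    """Run every rule over a trace and return (timestamp, alert) pairs."""
    return [(cur.t, a) for prev, cur in zip(samples, samples[1:])
            for a in check(prev, cur)]

# Constructed telemetry: the third sample carries a spoofed speed and mode.
TRACE = [
    Sample(0.0, 10.0, 0.0, "drive"),
    Sample(1.0, 10.5, 10.25, "drive"),
    Sample(2.0, 35.8, 20.9, "park_assist"),
    Sample(3.0, 11.0, 31.7, "drive"),
]

if __name__ == "__main__":
    for t, alert in monitor(TRACE):
        print(f"t={t:.1f}s  {alert}")
```

Each alert is also a forensic record: the timestamp and the rule that fired show which reported value contradicted the independent measurement.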

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas
User Rank: Strategist
4/9/2015 | 8:34:39 AM
Re: This is great but...
That would be one (non) killer app if it did!
Kelly Jackson Higgins
User Rank: Strategist
4/9/2015 | 8:34:14 AM
Re: This is great but...
LOL, @Jason! I think that's a whole other hack. 
JasonPolancich
User Rank: Author
4/9/2015 | 5:45:47 AM
This is great but...
Does it also work for my teenagers? :)
Marilyn Cohodas
User Rank: Strategist
4/8/2015 | 9:32:37 AM
Re: Good to hear that the auto industry is paying attention to security researchers
I think consumers will have a big role in this, especially as more connected cars roll off the assembly lines. We're all intrigued with the bright shiny new technology the auto industry is building into cars. But for most drivers, the paramount issue is safety. And it's a no-brainer that the increased connectivity adds a lot of risk.
Kelly Jackson Higgins
User Rank: Strategist
4/8/2015 | 9:17:59 AM
Re: Good to hear that the auto industry is paying attention to security researchers
@GonzSTL, you're absolutely right about the segmentation issue with car features, which also applies to the IT world. It's hard enough to get app developers to build with security in mind, but maybe the public safety issue here will drive carmakers to think differently about security.
GonzSTL
User Rank: Ninja
4/8/2015 | 9:13:23 AM
Re: Good to hear that the auto industry is paying attention to security researchers
I'm glad they are paying attention, but as the article stated, automobile manufacturers tend to resist putting something in their cars that they or their supply chain did not produce. I do believe that they will relent though, if the technology proves itself viable in a larger test. The thing that still bothers me is that in many cars, the computer systems all share a common bus. Manufacturers really need to look at segmenting the various computer systems to provide some sort of isolation with hierarchical security. Automobile informatics is no different than any other IT infrastructure, so it stands to reason that automobile manufacturers should also follow established practices that lead to increased security. There is no magic amulet that protects all IT systems. Those systems should be designed from the start with security in mind.
Kelly Jackson Higgins
User Rank: Strategist
4/7/2015 | 5:13:14 PM
Re: Good to hear that the auto industry is paying attention to security researchers
I think it will be the automaker suppliers who drive this--they already have led some initial security research efforts and initiated efforts for a threat-intelligence sharing platform for their industry: http://www.darkreading.com/analytics/threat-intelligence/automobile-industry-accelerates-into-security/d/d-id/1297313

 
Marilyn Cohodas
User Rank: Strategist
4/7/2015 | 5:05:17 PM
Good to hear that the auto industry is paying attention to security researchers
A step in the right direction but lots of speed bumps on the way (Sorry about the mixed metaphor!)