IoT
8/15/2018
05:14 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Miller & Valasek: Security Stakes Higher for Autonomous Vehicles

Car hacking specialists shift gears and work on car defense in their latest gigs - at GM subsidiary Cruise Automation.

No '80s-era Adidas tracksuits. No video of a hacked Jeep Cherokee slowing to a crawl from 70 mph on a highway after losing its acceleration power. No steering-wheel hijacked Jeep stuck in a muddy ditch. This time, famed car hackers Charlie Miller and Chris Valasek came purely as defenders - rather than hackers - of automobile security.

Valasek and Miller, now both principal security architects for autonomous-vehicle manufacturer Cruise Automation, at Black Hat USA last week mapped out the key issues surrounding securing this new generation of driverless cars, based on their past three years working in the self-driving vehicle industry collectively for Uber, Didi Chuxing, and now Cruise, of which General Motors is a majority owner.

"We have a unique perspective ... we've done a bunch of car hacking," Miller said in an interview in Las Vegas prior to his and Valasek's presentation. "In the last three years, it's all been all about protecting" cars from attack, he says.

His and Valasek's 2016 hack of the Jeep Grand Cherokee steering at speed was at least physically defendable, he says: Such a remote attack on an autonomous vehicle would not be. "The moment we turned the steering wheel, we [the driver] had a shot at resisting the attack. But in the future, there's not going to be steering wheels and brakes, so you're completely reliant on the car to drive itself," Miller says of autonomous cars. "So the stakes are even higher."

The goal of their driverless car security work, they say, is not about sniffing out the most or least hackable self-driving cars, but to make hacking them too much work for an attacker to bother doing. "[It's] how to make the ROI [return on investment] so low for an attacker that it's not worth doing," Valasek explains.

Among the devices they're helping secure are the tablets that serve as the human interface to the autonomous vehicles. Reducing the potential attack surface found in many of today's modern driver-run cars is a goal: if Bluetooth is unnecessary, it shouldn't be included, for example.

"There's always going to be vulnerabilities in code. So if you don't need something, take it out," Miller says. If the vehicle needs Bluetooth, for instance, it should have as few ways as possible to take data from the outside world to the car, he says.

Ethernet is the communications network infrastructure of choice for autonomous vehicles, the researchers say. And the key is isolating connected components from components that control the vehicle. "For example, the communications module should not have a direct connection to the CAN bus and should not be the same as the main compute module. Likewise, the tablets should be isolated as much as possible from more trusted components of the vehicle," Miller and Valasek wrote in a white paper they published last week.

Autonomous vehicles do come with some inherent advantages security-wise: since they're owned and deployed by a service in many cases, that provider also handles monitoring and maintenance of its fleet. The cars return to a garage each day where they get checked or fixed, and their software can be updated, while traditional cars rarely get software updates.

If a problem is detected in a self-driving car, it can be remotely powered down, or returned to the garage. In addition, the vehicles come with custom communications modules rather than a standard Web interface.

Threats

Among the possible remote threats to an autonomous vehicle, they say, are attacks on: the listening service in its communications module; remote assistance features; and on the infotainment system, for example. An attacker also could target the vehicle's fleet management service, or its software update service.

On the local side, Wi-Fi, Bluetooth, and tire pressure-monitoring systems could be targeted, as well as sensors in the vehicle. But Miller and Valasek say the biggest concern is a remote attack that could result in an attacker physically controlling the vehicle.

"We know what to do. We know what's on the line," Valasek says of their security work.

"It doesn't matter if it's Cruise, Waymo, or Uber - the hack of a driverless vehicle is bad for everybody," he says. "We want to share our thought process here. We don't want anyone to have incidents."

The new security advancements being forged in autonomous cars likely will trickle down to traditional driver cars, too. "Once [security] is in the firmware, it will be easy to do in regular cars," Valasek says.

Meanwhile, Cruise has not yet rolled out its autonomous vehicle models nor has it provided a timeframe for the release.

"We're the pre-flight [security] check," Valasek says.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/16/2018 | 10:34:45 AM
The horror of it all
Let's look a few years down the road (no pun) and we start to have self-flying commercial aircraft.  It's out there and can happen, we already have auto-pilots.  Now put terrorist into this mix and you have something awful.  Disclaimer - been there on September 11 - 101st floor of the south tower. 
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.