Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/22/2015
09:30 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hacking Virginia State Trooper Cruisers

Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering.

A new public-private working group in the Commonwealth of Virginia is testing how state trooper cruisers could be sabotaged via cyberattacks. Virginia Governor Terry McAuliffe this week announced the new initiative, which is aimed at protecting the state's public safety agencies and citizens from hacks against vehicles.

The project team studying Virginia State Police vehicles includes the US Department of Homeland Security's Science and Technology division, the US Department of Transportation's Volpe Transportation Systems Center, the Virginia Department of Motor Vehicles, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Spectrum Comm, Kaprica Security, Digital Bond Labs, and OpenGarages.

Virginia of late has become a hotbed for car-hacking research, with the recently completed crash-test of prototype sensor-based technology initially created for protecting US military drones. The pilot simulated cyber attacks on cars to take control over the braking, acceleration, and collision avoidance features in the vehicles. Late last month, Virginia also became the first state to establish its own Information Sharing and Analysis Organization (ISAO) for cyberattack threat intelligence-sharing.

The state's car-hacking project, which will run for 90 days, also aims to come up with low-cost technology that can help law enforcement identify if a vehicle or other "mechanized equipment" has been hit by a cyberattack when an accident or other incident occurs, and to find ways for consumers and public safety officials to detect and prevent such threats to vehicles and consumer devices; as well as to identify economic development opportunities in this field for the state.

The project is studying two models of Virginia State Police vehicles -- the 2013 Ford Taurus and 2012 Chevrolet Impala. The research is mostly focused on hacks that would require physical access to the vehicles, much like the initial car-hacking research by Charlie Miller and Chris Valasek, but will also include some remote attacks.

The concern is that criminal or terrorist groups, for example, could physically tamper with state police vehicles to hamper investigations or assist in criminal acts by messing with the car's acceleration, or deploying airbags while the vehicle is driving at a high speed, for example, says David Drescher, president of MSi, a member of the project team. "What we're going to be doing is carrying out … these attacks on a car to show that yes, you can cut off the engine [via] the CAN bus," for example, Drescher says.

"The primary focus is on the attacks themselves, rather than how they are delivered. Our primary attack will be through the OBDII port," with various tethered tools or a device that connects to the OBDII port and transmits via Bluetooth or WiFi, he says.

The researchers may also simulate a remote RF-based attack test as well, he says. But since the State Trooper vehicles being tested are older models and not as networking-equipped, the remote testing may be limited to things like Bluetooth and tire pressure-monitoring system attacks that other researchers have already revealed.

[A researcher finds security holes in Flo the Progressive Girl's car plug-in Snapshot insurance policy product. Read Security MIA In Car Insurance Dongle.]

"The next phase is looking at protections, and then a cyber scorecard," a sort of Consumer Reports-style scoring system for how cybersecurity-ready a vehicle really is, he says. That will draw from and build on a similar project by Volvo and others, he says.

Drescher says other states and localities are taking an interest in Virginia's project. The project will conclude in July, with an assessment of the possible hacks of the vehicles and as well as a report on technologies for detecting a cyberattack on a vehicle. "Today we have no way to know if a car was" hacked, Drescher says. "We're going to see if there's a way to collect more data across the CAN bus" for forensics and detection purposes, he says.

The project also will build a database of car vulnerabilities that includes its findings as well as those from previous car-hacking research including that of the University of Washington, Miller and Valasek's work, as well as research from OpenGarages and Digital Bond, and others.

State officials were quick to note that the car-hacking project is a preventative measure, and not a reaction to any imminent threats. "This initiative is not meant to alarm anyone," said Virginia's secretary of Public Safety and Homeland Security Brian Moran. "The threat of 'car hacking' is rare, but recognizing that the technology already exists for such criminal and dangerous activities to occur is the first step towards protecting our Commonwealth and its citizens from future harm."

Drescher says the concern is that as such attacks become automated or "industrialized," tools will land in the market that simplify them such that a non-sophisticated attacker could execute them.

"High-tech systems now used in most automobiles are opening up potential new avenues for cyber attacks,” Gov. McAuliffe said. "Thanks to the continuing efforts of the Virginia Cyber Security Commission and Virginia Cyber Security Partnership, we have the opportunity to lead the nation in the establishment of safeguards protecting the vehicles of Virginia’s 5.8 million licensed drivers."

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/22/2015 | 10:38:41 PM
Direct vs. Remote a non-issue
Fundamentally, access is access.  Car security researchers have shown that direct access and remote access don't matter that much -- and that a great deal of havoc can be wreaked either way.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...