A new public-private working group in the Commonwealth of Virginia is testing how state trooper cruisers could be sabotaged via cyberattacks. Virginia Governor Terry McAuliffe this week announced the new initiative, which is aimed at protecting the state's public safety agencies and citizens from hacks against vehicles.
The project team studying Virginia State Police vehicles includes the US Department of Homeland Security's Science and Technology division, the US Department of Transportation's Volpe Transportation Systems Center, the Virginia Department of Motor Vehicles, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Spectrum Comm, Kaprica Security, Digital Bond Labs, and OpenGarages.
Virginia of late has become a hotbed for car-hacking research, with the recently completed crash-test of prototype sensor-based technology initially created for protecting US military drones. The pilot simulated cyber attacks on cars to take control over the braking, acceleration, and collision avoidance features in the vehicles. Late last month, Virginia also became the first state to establish its own Information Sharing and Analysis Organization (ISAO) for cyberattack threat intelligence-sharing.
The state's car-hacking project, which will run for 90 days, also aims to come up with low-cost technology that can help law enforcement identify if a vehicle or other "mechanized equipment" has been hit by a cyberattack when an accident or other incident occurs, and to find ways for consumers and public safety officials to detect and prevent such threats to vehicles and consumer devices; as well as to identify economic development opportunities in this field for the state.
The project is studying two models of Virginia State Police vehicles -- the 2013 Ford Taurus and 2012 Chevrolet Impala. The research is mostly focused on hacks that would require physical access to the vehicles, much like the initial car-hacking research by Charlie Miller and Chris Valasek, but will also include some remote attacks.
The concern is that criminal or terrorist groups, for example, could physically tamper with state police vehicles to hamper investigations or assist in criminal acts by messing with the car's acceleration, or deploying airbags while the vehicle is driving at a high speed, for example, says David Drescher, president of MSi, a member of the project team. "What we're going to be doing is carrying out … these attacks on a car to show that yes, you can cut off the engine [via] the CAN bus," for example, Drescher says.
"The primary focus is on the attacks themselves, rather than how they are delivered. Our primary attack will be through the OBDII port," with various tethered tools or a device that connects to the OBDII port and transmits via Bluetooth or WiFi, he says.
The researchers may also simulate a remote RF-based attack test as well, he says. But since the State Trooper vehicles being tested are older models and not as networking-equipped, the remote testing may be limited to things like Bluetooth and tire pressure-monitoring system attacks that other researchers have already revealed.
[A researcher finds security holes in Flo the Progressive Girl's car plug-in Snapshot insurance policy product. Read Security MIA In Car Insurance Dongle.]
"The next phase is looking at protections, and then a cyber scorecard," a sort of Consumer Reports-style scoring system for how cybersecurity-ready a vehicle really is, he says. That will draw from and build on a similar project by Volvo and others, he says.
Drescher says other states and localities are taking an interest in Virginia's project. The project will conclude in July, with an assessment of the possible hacks of the vehicles and as well as a report on technologies for detecting a cyberattack on a vehicle. "Today we have no way to know if a car was" hacked, Drescher says. "We're going to see if there's a way to collect more data across the CAN bus" for forensics and detection purposes, he says.
The project also will build a database of car vulnerabilities that includes its findings as well as those from previous car-hacking research including that of the University of Washington, Miller and Valasek's work, as well as research from OpenGarages and Digital Bond, and others.
State officials were quick to note that the car-hacking project is a preventative measure, and not a reaction to any imminent threats. "This initiative is not meant to alarm anyone," said Virginia's secretary of Public Safety and Homeland Security Brian Moran. "The threat of 'car hacking' is rare, but recognizing that the technology already exists for such criminal and dangerous activities to occur is the first step towards protecting our Commonwealth and its citizens from future harm."
Drescher says the concern is that as such attacks become automated or "industrialized," tools will land in the market that simplify them such that a non-sophisticated attacker could execute them.
"High-tech systems now used in most automobiles are opening up potential new avenues for cyber attacks,” Gov. McAuliffe said. "Thanks to the continuing efforts of the Virginia Cyber Security Commission and Virginia Cyber Security Partnership, we have the opportunity to lead the nation in the establishment of safeguards protecting the vehicles of Virginia’s 5.8 million licensed drivers."