Vehicle Cybersecurity: Where Rubber Meets Code

Article By : IEEE

Take a recent example of Fiat Chrysler's recall of 1.3 million pickups due to a software bug. Imagine if hackers found that code first and began exploiting it.

When it comes to vehicle cybersecurity, forget the old adage about safety in numbers. Just the opposite, for two reasons.

First, as the number of connected vehicles soars, so does their attractiveness to hackers, simply because it’s a bigger pool of potential victims. Second, the amount of telematics hardware and software in each vehicle also is growing, which means more potential vulnerabilities for hackers to exploit.

Today’s vehicles have an average of 100 million lines of code and 60 control units. That’s largely because automotive manufacturers are continually adding safety, entertainment, navigation and autonomous driving features. Another reason is the growing selection and usage of fleet telematics tools, which enable trucking companies, taxi services and other businesses to monitor their vehicles’ performance, driver behavior and cargo condition.

The amount of code in each vehicle will continue to grow exponentially as automakers and aftermarket providers develop even more applications. Every line is a potential opportunity for hackers to exploit. Even the creators of that code struggle to keep up with just debugging, let alone ferreting out weaknesses before hackers find them. One recent example is Fiat Chrysler’s recall of 1.3 million pickups due to a software bug that prevents side airbags from deploying and seat belts from tightening in an accident. At least one death and two injuries have been attributed to the bug.

Imagine if hackers found that code first and began exploiting it, such as by triggering airbags to deploy when the trucks hit highway speeds. Imagine if they did that to an entire fleet of vehicles, such as every van of a certain make and model owned by a major package delivery company. Or imagine if they used other code to enable a ransomware attack on the drivetrain, where the consumers and fleet owners with that model have to pay up to get their vehicles running again.

Many of these and similar scenarios aren’t hypothetical, either. For example, in a proof-of-concept attack involving a Ford Escape and Toyota Prius, hackers remotely disabled the brakes and commandeered the steering wheel. That was four years ago. Since then, vehicles have added even more telematics software and hardware, creating even more potential vulnerabilities.

Old challenges hit the road
Many vehicle cybersecurity challenges and attack vectors aren’t new. Instead, they’re retreads of ones that have plagued PCs, servers and other traditional IT systems.

Take the aforementioned ransomware example. This type of attack has been around for decades, so by now, enterprises and other organizations should be adept at thwarting it. But workplace ransomware attacks are actually rampant and rising, largely because IT departments are stretched thin.

On PCs, for example, they barely have time to patch and update base platforms such as Windows, let alone all of the other applications, such as browsers and PDF readers. Patches and updates that aren’t applied as soon as they’re issued create opportunities for ransomware and myriad other hacks. No wonder a Hewlett Packard Enterprise study found that the top 10 exploits were more than one year old, and 68 percent were at least three years old.

If that weren’t enough, IT departments also are increasingly responsible for supporting additional and emerging technologies. Two respective examples are audio-video (AV) systems such as digital signage and the Internet of Things (IoT) for applications for such as smart building management. AV and IoT devices need to be updated and patched just like PCs and servers to thwart hackers. A key difference is that IT departments have extensive experience with PCs and servers. They’re still learning AV and IoT, which includes understanding their unique vulnerabilities.

A fleet of vehicles is basically a rolling version of that environment. At fleet owners, some department—possibly IT—needs to be responsible for developing and enforcing vehicle cybersecurity policies. To do that, and do it well, they’ll first have to learn the attack vectors and then begin the never-ending task of applying patches and updates to thwart those hacks. That will take a lot of time, people and money, just as it does with AV and IoT.

Some aspects will be out of their control. A prime example is vendor support. For instance, many trucking companies traditionally sold or trade in their vehicles every three to five years because of warranty periods and the way that repair costs mount. But periodically—including today—there are big gluts of used trucks, forcing fleet owners to hang onto vehicles years longer than usual.

The older a vehicle gets, the less likely its telematics vendors will be interested in providing patches and updates for those elderly products. Some of those vendors also will go out of business or be acquired. Unless other companies step in to support their products, fleet owners will have to figure out how to keep those orphans secure on their own.

If any of this sounds familiar, that’s because it is: Just ask any CIO or IT manager who’s struggled to secure systems that are five or 10 years old because the vendors have gone away, been acquired or stopped supporting legacy products.