Connected Cars Are The New Attack Vector

Smart devices are connecting to just about everything that runs on electricity to the Internet. However often these devices are not very cyber secure. These smart devices are often dispatched with outdated and inadequate security measures. This creates all sorts of new avenues for cyber-attacks, and one of the most concerning is attacks on smart vehicles. 

While a hack of a home smart device might lead to nothing more than an invasion of privacy or a botnet attack, hacks of connected cars could be used for terrorism and assassinations.

Are Cyber-Attacks on Connected Cars an Inevitability?
A new report from Los Angeles-based group Consumer Watchdog helps to bring the threat to connected cars into focus.
The problem is tied into one that is endemic with smart devices – they tend to ship with inadequate security. Sometimes they are properly secured from the beginning. In other cases, there is no way to patch their firmware once a vulnerability develops.
One would think that something that could be weaponized in the way a vehicle can would have more of a security focus, but the new report makes clear that is not the case. 

The report, which bears the grim but appropriate name “Kill Switch”, consulted with engineers and technologists in the automotive industry for five months to assess how vulnerable the average vehicle is to hacking. Bear in mind that the study focuses on the tens of millions of standard vehicles currently operating on American highways, not self-driving cars.

The worrying central finding is that the majority of the 2020 line of vehicles from the top 10 auto manufacturers will be connected to the Internet and will also be vulnerable to cyber-attacks. Most of these vehicles are about to go on the market in the fall.

Current and Future Threats
At present, there are about 50 million vehicles in the United States that have Internet connectivity. That’s about 20% of all vehicles on the road. That percentage will sharply increase starting with the 2020 model year due to a commitment by all of the major manufacturers to add connectivity features to many new models going forward. 

Ford, GM and Toyota plan to have all of their vehicles connected to the Internet starting with this upcoming model year. That would mean about 17 million new “connected cars” on American roads each year.

The report has a particular focus on the potential mass cyber-attacks. When an exploit is discovered in one vehicle type, or perhaps even in one manufacturer’s software that is deployed through many of their models, it could be used to quickly gain control of millions of vehicles.

There is a potential threat to all aspects of the vehicle. Acceleration could be ramped up remotely, and brakes could be disabled or engaged suddenly. It is even possible for steering to be controlled remotely under the right circumstances. The window and door locks could also be engaged by an attacker.

The main vulnerability cited by the report is the “head” system of these vehicles, which is primarily used for infotainment systems, GPS navigation and various “creature comfort” features linked to smart phone control. 
Though they are screening these risks from the public, industry executives have acknowledged them as “high” and “difficult to detect” in mandatory disclosures to investors. 

Some expert hackers consulted for the report said that “time and money” were the only barriers to compromising connected cars. In addition to the vulnerable head units, there is concern about the software being used at the core of the various automotive systems. Manufacturers often contract this software from third parties, and some of it is based on open-source systems with little method of holding authors accountable and unknown security risks.

Cars can be Killing Machines
The report projects that if a “fleet-wide” attack were to occur, 3.75 million connected cars would be infected and over a quarter of a million drivers could be on the road at the time of the attack. This would lead to over 130,000 injuries and 3,000 deaths. The estimated death toll would be slightly greater than that of the September 11 attacks, making this a valid national security concern.

So what can be done about connected Car Hacks?
Consumer Watchdog suggested one immediate measure to guard against cyber-attacks on connected cars, the mandatory installation of a manual “kill switch”, estimated to cost about 50 cents per vehicle, that would entirely disconnect the car from the Internet and any local networks when engaged. 

In addition to disabling remote control of the car, this would allow for quicker national recovery in the wake of a fleet attack that leaves the safety status of a manufacturer’s connected cars in doubt for an extended period.
Additionally, the report recommends that CEOs should sign formal statements accepting legal liability for the cyber security status of their connected cars and that the industry should adopt an agreement to not connect vehicles to wide-area networks until their security is proven against cyber-attacks.

UK Government is offering £2m to boost Cyber Security for Driverless Vehicles 
Now the Government’s innovation agency Innovate UK and the Centre for Connected and Autonomous Vehicles, CCAV, are offering £2m for projects working on cyber security for driverless vehicles.The money will be available for up to five projects, which can involve public sector or academic bodies, in the development of a testing facility.

Innovate UK said any proposals for support should involve ways to measure resilience and maintain cyber security for roadside infrastructure, vehicles and supporting services.

Projects should also provide input specifications for one or more new cyber test facilities and explore opportunities to develop new services. Successful proposals will lead to funding up to £400,000 for project costs, with public authorities or academic institutions eligible to share up to 50%. The competition will be open for applications until 25 September.

CPO Magazine:        PlaceTech

You Might Also Read: 

BMW Cars Can He Hacked:

Cybersecurity In Self-Driving Cars:

US And France To Permit Fully Driverless Cars On Public Roads:

 

 


 

 

« Foreign Cyber Intrusions On The USA
Home Working Can Often Be A Security Threat »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ForeScout Technologies

ForeScout Technologies

ForeScout delivers pervasive network security by allowing organisations to continuously monitor & mitigate security exposures & cyberattacks.

Finjan Holdings

Finjan Holdings

Finjan solutions are aimed at keeping the web, networks, and endpoints safe from malicious code and security threats.

JLT Specialty

JLT Specialty

JLT Specialty is a leading specialist insurance broker. Services offered include Cyber Risks insurance.

RedSeal

RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events.

Perseus Cyber Security

Perseus Cyber Security

Perseus provides all-around digital protection for small and medium-sized businesses through state-of-the-art software solutions, flexible online training and emergency response.

SITA

SITA

SITA is a multinational information technology company providing IT and telecommunication services to the air transport industry including vulnerability assessments and managed security services.

DreamIt Ventures

DreamIt Ventures

DreamIt Ventures is an early stage venture fund that accelerates startups building transformative tech products in the fields of Healthtech, Securetech, and Urbantech.

Zeusmark

Zeusmark

Zeusmark are a digital brand security company. We enable companies to successfully defend their brands, revenue and consumers online.

CertiPath

CertiPath

CertiPath create products and services that ensure the highest levels of validation for digital identities that attempt to access customers’ networks.

Sabat Group

Sabat Group

Sabat Group provide relationship-driven information security & cyber security recruiting services.

Cytenna

Cytenna

Cytenna Signal is a suite of SaaS (Software-as-a-Service) products that use AI and machine learning to automatically aggregate the latest information about software vulnerabilities.

Center for Infrastructure Assurance and Security (CIAS)

Center for Infrastructure Assurance and Security (CIAS)

CIAS is developing the world's foremost center for multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

SEEDS conducts research and develops innovative cybersecurity technologies, tools, and methodologies that advance the energy sector’s ability to survive cyber incidents.

Probity

Probity

Probity Inc. is a certified software development and systems engineering company, providing support to federal government and national defense related clients.

Interactive

Interactive

Interactive are a leading Australian IT service provider with services in Cloud, Cyber Security, Data Centres, Business Continuity, Hardware Maintenance, Digital Workplace, and Networks.

SyberFort

SyberFort

SyberFort offers a suite of SAAS-based platforms designed to fortify your digital defenses including Threat Intelligence and Brand Protection.

Lightpoint Global

Lightpoint Global

Lightpoint Global is a bespoke software development company. We also provide a spectrum of services such as IT consulting, business analysis, QA and testing, and DevOps services.