Where PC security and Automotive security meet

Yesterday I visited the IAA in Frankfurt. IAA stands for International Automobile Exhibition and takes place every year in Frankfurt, Germany.

This is where the latest cars, and also the newest technologies around cars, are presented every year.

This year the focus was on mobility, interaction, autonomous parking and driving, and interconnectivity between cars and IoT.

I approached the car parts suppliers more than the car manufacturers. For us it was more interesting to get involved in the devices that are easily and directly attackable: entertainment systems, the car's connected devices, GPS devices, etc.


Challenges:

  • Nobody from the car manufacturers or car parts suppliers wants to openly speak about security.
  • Speaking about security is like bringing “bad luck” on them. Why speak about something that nobody wants to happen? 🙂
  • The most used argument by the car components suppliers was: “Why would anyone hack us/our device? They don’t have anything to gain.”

 

About security in the car

  • Here is the list of things that can happen if a device in the car, or a car, is hacked:
    • Accidents can be caused
      • if the car detects that the speed limit is 50 km/h, a hacker could change it to 100 km/h
      • a hacked navigation system can wrongly route the user to a dangerous path (or even in the wrong way)
      • the entertainment system can be altered to annoy or scare the user and cause an accident
    • Privacy issues
      • A hacked car or navigation system can send its location to hackers and this can be used in many ways
    • Information leakage
      • Once the hacker has access to the PAN (Personal Area Network) via Bluetooth, WiFi or USB, it is possible, depending on the architecture of the solution, to get access to the saved data in the car and in the connected devices:
        • Smartphones
        • Tablets
        • Entertainment system
    • Depending on the architecture of the solution, it can be possible:
      • To access the CAN-BUS to alter the behavior of the car’s systems
        • Alter the sensors
        • Change the engine’s functionality: acceleration, brakes, gears
        • Alter the way the signaling works
        • Control the lights
        • Control the doors (e.g. open them while driving)

 

 

How to implement security in a car?

I think that the car and its systems can be better protected against malicious actions in two ways:

  1. Filter suspicious files or data streams before they enter the car and its systems.

This makes it possible to check:

  • that what comes into the car in the form of files and data streams is not malicious: multimedia files, documents, or special content that might exploit a known vulnerability in some subsystem of the car.
  • that the updates of the various components are not malicious. Components like entertainment systems, navigation systems (map updates) and others all need to get updates from some servers (cloud service) via Bluetooth, 3G/LTE or WiFi. It is critical that these files are not swapped for something malicious on the way to the car.
  • that a targeted attack does not block systems of the car and put the passengers in trouble (think of a DoS).
  2. Block unknown threats by monitoring the behaviour of the car and its subsystems. A system that learns while the car is used in a certain way (and each driver uses it a bit differently) can monitor and detect strange behaviours of the subsystems, like:
  • attempts by some components to access places or other components which they usually don’t need access to
  • sending data to various locations in the Internet
  • receiving data from various locations in the Internet
  • out of ordinary behaviour of the systems, even if they have not been directly accessed

Such a system could alert the driver and advise them, for example, to stop the car and allow a purge of these systems: cleanup or restore and reboot.
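A minimal sketch of the second approach, added here as an illustration and not taken from any product or from the original post: the monitor learns which subsystem talks to which destination and how often, then flags new access paths, unknown Internet destinations and unusual message rates. The subsystem names, hosts, events and the rate factor are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (time window, source subsystem, destination).
# All subsystem and host names are hypothetical.
TRAINING = [
    (0, "navigation", "maps.example.com"), (0, "navigation", "display"),
    (0, "infotainment", "display"), (1, "navigation", "display"),
    (1, "infotainment", "display"), (1, "infotainment", "bluetooth"),
    (2, "navigation", "maps.example.com"), (2, "infotainment", "display"),
]
LIVE = [
    (10, "infotainment", "display"),
    (10, "infotainment", "brakes"),      # access path never seen while learning
    (10, "navigation", "203.0.113.7"),   # unknown Internet destination
] + [(11, "navigation", "display")] * 9  # burst far above the learned rate


class BehaviourMonitor:
    def __init__(self, rate_factor=3):
        self.allowed = set()              # learned (source, destination) pairs
        self.max_rate = defaultdict(int)  # learned peak messages per window
        self.rate_factor = rate_factor    # tolerated multiple of the peak

    def learn(self, events):
        per_window = Counter((t, src) for t, src, _ in events)
        for (_, src), n in per_window.items():
            self.max_rate[src] = max(self.max_rate[src], n)
        self.allowed.update((src, dst) for _, src, dst in events)

    def check(self, events):
        alerts = [("new-access", src, dst) for _, src, dst in events
                  if (src, dst) not in self.allowed]
        per_window = Counter((t, src) for t, src, _ in events)
        for (_, src), n in sorted(per_window.items()):
            if n > self.rate_factor * self.max_rate.get(src, 0):
                alerts.append(("rate", src, n))
        return alerts


def run_demo():
    monitor = BehaviourMonitor()
    monitor.learn(TRAINING)
    return monitor.check(LIVE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each alert is what such a system would surface to the driver before suggesting a cleanup or restore and reboot.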

 

What does PC security have to do with car security?

If you read the above, it is pretty clear that

1) closely resembles anti-malware software

2) closely resembles a HIPS (Host Intrusion Prevention System)

that hopefully run on your computer. On your PC they may even be a single piece of software, which you usually call “Antivirus” software.

In a car, due to its complexity and to the fact that various components come from independent producers, the situation is a bit different.

It can be that each subsystem needs to be protected in a different way.

 


Photos: I took these photos with my phone’s camera while walking. They show all the subsystems of a car, each of them with its own processor. They communicate with each other via the CAN bus.

 

IMPORTANT: all those lights are attack vectors.

 

Are there differences between PC Security and Car Security?

I think that there are some differences. On a PC, many threats can be avoided if the user is aware of the dangers and behaves accordingly: doesn’t click on strange links, doesn’t execute email attachments, etc.

In a car, it is not so easy to see all these things… Have a look above at the many components that have a certain purpose and can do only that. They are all interconnected and I don’t know what can happen if they stop working together or if something starts messing with them.

All those lights above are possible attack vectors. It is not clear whether all of them can be attacked, how, and what repercussions such an attack could have on the entire system.

In a PC you have just 3 attack vectors: mass storage (USB devices, CD/DVD), web and mail. It is simpler to protect them, even if there are so many challenges.

 

Conclusions

Right now the car manufacturers are worried after the hack of the Jeep. They are worried, but taking real action in the car industry is not something that can be done overnight.

In general, a technology reaches mass production after a few years.

Will implementing security in cars also take so long?

The future will show us how this evolves.


© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000 and worked for Avira between 2003 and 2014 as Product Manager for the well-known products used by over 100 million users worldwide. Today he is an independent IT Security Consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.
