Hackable software in the driver’s seat

SAN FRANCISCO—Cars and computers have an increasingly close yet complicated friendship. Specialized software now connects to everything from the brakes to the steering wheel to the door locks to the radio. And in newer models, it likely connects to the Internet too.

So what are the chances that your car is going to get hacked? What kind of havoc could a car hacker wreak? And what are automakers doing to make their cars, including those designed to drive autonomously, more resistant to hackers?

Car manufacturers are doing more than they used to, but still not enough, says Stefan Savage, a 2017 MacArthur Foundation “Genius” grant recipient and a professor at University of California at San Diego who specializes in car hacking. That could put drivers and pedestrians at risk of injury or even death, he says. And in the meantime, it impacts drivers’ privacy.

Today’s challenges include “bringing the automotive industry up to snuff with where normal desktop PC software was, and applying those lessons back into the automotive space,” he says. “It’s going to take a long time for us to feel confident that these things are safer.”

Part of the problem, says Deirdre Mulligan, co-director of the University of California at Berkeley Center for Law and Technology and professor at UC Berkeley School of Information, is that the software running in cars—especially self-driving vehicles—is easy to manipulate.

“There’s been a very spotty and uneven learning curve,” when it comes to securing car software, says Mulligan, who joined Savage and me at the second Enigma Interviews event here last Wednesday, organized by Usenix and co-sponsored by The Parallax, New Context, Javelin Research, and Avast (which also sponsors this site.)

Driving our conversation was the potential security of connected cars, which crashed through headlines in 2015, when two security researchers hacked a Jeep Cherokee and disabled its brakes as it zoomed down a public highway at 70 mph. The hack led Chrysler to recall 1.4 million cars.

“There’s a ton we could do to make cars more secure. The tech exists; it’s more a question of the will.”—Kathleen Fisher, former DARPA manager, computer science department head, Tufts University

Nearly at the same time, hackers from the University of Washington and UCSD, including Savage, revealed that General Motors spent five years recalling and fixing 4.5 million Chevy Impalas because of security vulnerabilities in its OnStar navigation system.

Last year, German hackers were able to remotely unlock and start 24 different car models, thanks to a key fob hack, and BMW exposed car owner data and a remote car entry hack through its Web portal. The Keen squad of the Chinese tech giant Tencent hacked into Tesla’s Model X in both 2016 and 2017, and hackers exposed car infotainment systems for leaking personal car owner data in November.

There have also been several publicly exposed instances of people maliciously fooling the sensors guiding self-driving cars, or of car owners crashing when switching between a semi-autonomous driving mode and a fully manually driving mode.

Savage says carmakers have been slow to acknowledge the importance of long-held computer security basics, such as over-the-air updates to patch vulnerabilities. And they’ve been slow to improve security because they don’t always own the software code that runs on their cars.

“There are like a hundred different companies that write the code that then all gets integrated, and the car company doesn’t have that code. It’s not their code; they have a bunch of boxes that they try to get to work together through testing, but they have 20 different microprocessors and 15 different operating systems, and year to year, it may change,” he says. “It is a little bit of a nightmare from an assessment standpoint.”



READ MORE ON THE INTERNET OF THINGS

For decade-old flaws in voting machines, no quick fix
Critical systems at heart of WannaCry’s impact
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Hackers call for federal funding, regulation of software security
Shut the front door: The state of the ‘smart’ lock
5 questions to ask before buying an IOT device
Living on the edge of heartbreak: Researcher hacks her own pacemaker


University of Washington security researcher Karl Koscher, who worked on the GM hack alongside Savage, says the software and hardware components that go into modern cars are so complex, not even manufacturers are aware of everything in them.

“When we told GM about the Impala vulnerabilities,” he says, the company said it “didn’t have the firmware for the components. The radio firmware maker was out of business…It’s eye-opening to realize that the OEMs don’t know what is in their vehicles. They’re relying on suppliers to get security right.”

Most automakers contacted for this story didn’t respond to requests for comment. Volkswagen’s U.S. division said in a statement that the company takes the security of its customers and vehicles “very seriously,” and that “electronic and mechanical security measures are continuously being monitored and improved.” It also said it’s supportive of “legitimate” computer security research on its car.

General Motors, which Savage cited as one of the more responsive car manufacturers, with respect to cybersecurity threats, told The Parallax that it has changed its security philosophy completely since Savage’s team first contacted it in 2010.

“Now our security is security by design,” says Joe Buck, the director of autonomous cybersecurity at GM. “Security is inclusive in a lot of the conversations, as development goes along.”

GM employs between 80 and 100 people on its cybersecurity team, and has an internal “red team” that tries to hack its computer systems, Buck says, with the support of the company’s CEO, Mary Barra, and its board of directors. “We could stop a vehicle launch, if we had to.”

GM also uses a bug bounty program, launched in 2016, to bring in independent researchers to find security flaws. And Buck says the company is looking to move beyond the car’s legacy electronic switchboard, known as the Controller Area Network, or CAN bus, which wasn’t designed with security protocols in mind and thus has been relatively easy to hack. It’s starting to explore installing Ethernet in its vehicles to enable encrypted communications between electronic components, he says.

“The problem is that money is what drives the automakers. If they can save a few cents, they will go with what’s cheap instead of what’s secure.”—Roderick Currie, security researcher

“It will be more robust than its predecessors,” Buck says.

While car-hacking experts applaud such moves, they say most major car manufacturers are still in the slow lane, when it comes to vehicle computer security.

Roderick Currie, whose 2015 SANS Research Institute paper on car hacking laid out the basics of computer security vulnerabilities in cars, says he doesn’t expect “real change” until something happens that “hits the pocketbooks of manufacturers.”

Carmakers “aren’t doing enough to take the risks seriously. We’re seeing on almost a monthly basis headlines where there’s some kind of a hack demonstrated, or the [car’s computer] protocols are insecure,” Currie says. He points to the continued use of the CAN bus as one of the top security risks in cars.

“There is no native way to secure the CAN bus. I understand that it’s not cheap to replace, and the problem is that money is what drives the automakers,” he says. “If they can save a few cents, they will go with what’s cheap instead of what’s secure.”

Securing code for cars is not impossible, says Kathleen Fisher, who oversees the computer science department at Tufts University. As a manager at the U.S. Defense Advanced Research Projects Agency, she had started and managed the HACMS and PPAML programs, which were instrumental in developing hacker-resistant computer code.

Fisher says car manufacturers should look to variations of the software she helped develop at DARPA, which demonstrably protected code powering a quadcopter against a red team, for inspiration on how to secure their vehicles.

“There’s a ton we could do to make cars more secure,” she says. “The tech exists; it’s more a question of the will.”

While improving software and adopting computer security best practices are major milestones for carmakers, they don’t address ethical dilemmas or potential vulnerabilities surrounding artificial intelligence and machine learning in autonomous vehicles, Mulligan says.

A hacker with few coding skills could trick the computer brain of a self-driving car into “thinking that a stop sign is actually a speed limit sign,” she said on stage. And if we don’t debate such issues now, publicly, “it’s going to be left up to individual software engineers or car manufacturers to make decisions about how cars behave.”