Julio Poblete
Dr. Yoon
March 10, 2018
Connected Automobiles and Cybersecurity
Abstract:
The birth of smart connected cars has made driving easier for humans. However, connected
cars are still highly vulnerable to hackers. The ability to gain access to a vehicle begins
with the vulnerabilities that exist within the software and hardware of the car. As with
mobile devices, connected cars need to be updated periodically, but part of the automotive
industry fails to provide this solution. After doing some research, I have found that the main
issue with security in connected vehicles was patching/updating software. Also, the best
way to patch/update your vehicle's software is to implement a Wi-Fi receiver in the car that
can connect to your home Wi-Fi and do the updates that way. Many vehicle recalls can be
avoided by using over-the-air (OTA) updates. OTA will not only help to patch security holes
but will also help to patch automotive glitches in software that can cause cars to malfunction.
Table of Contents
Abstract
Introduction
Automotive Issues
Solution
Conclusion
References
Introduction
Technology has become a big part of the life of every person in the world. Without
technology, humans would still have to communicate through letters or talk directly to the person
they want to reach. Nowadays, to communicate with another person, one can simply
open an app and type a text message, and the message will be transmitted within seconds to the
person they are trying to reach. Technology gave humans a faster and easier way to do
everything in life. Technology has become a big part of everyone’s life and many depend on it.
One change technology brought, and that many humans now can’t live without, is transportation.
The birth of smart connected cars has made driving easier for humans. Cars are not like before:
now they are programmed to stop by themselves if they sense proximity to another car, tell you
if you are drifting out of your traffic lane, and/or give you directions. Most impressive are
the cars that can be driven without any human interaction. Yet, with the increasing advance of
technology in cars, original equipment manufacturers (OEMs) are facing some challenges when it
comes to cybersecurity. All electronic control units (ECUs) of a car are connected via the internal
network of the vehicle. Every new car can be equipped with at least 100 ECUs that control
windshield wipers, steering system, transmission, engine functions, etc. Even with this advanced
technology, connected cars are still highly vulnerable to hackers. The only thing hackers need is
access to the Bluetooth system of a car, and from there they will be able to take control of all the
critical ECUs, such as the transmission and steering systems. In order to prevent any hacks from
happening, car manufacturers would need to deploy patches for any type of vulnerability right
away. Unfortunately, car manufacturers have not found a way to safely patch vehicles.
Automotive Issues
One of the biggest problems that connected automobiles will face in the upcoming years
is vehicle cybersecurity. As vehicles become more connected and automated, they will become
easy targets for hackers. New cars have sensors installed all around them that can sense their
surroundings, and they were put into place to prevent accidents. For example, radar sensors
allow cars to be set in cruise control, which maintains the car at a safe distance from other
vehicles. Also, the vehicle-to-vehicle (V2V) sensors beam out basic data about their location to
other vehicles on the road, helping them prevent accidents. In my opinion, the biggest improvement
that technology brought to cars is the advanced driver assistance systems (ADAS). ADAS
include electronic and software components targeted towards assisting in, enhancing,
and eventually replacing the functions of the human driver. ADAS includes a variety of sensors,
camera, radar, and LIDAR devices to identify the surroundings, determine wheel speed and
angular momentum, etc. (Ray, Chen, Bhadra, & Al Faruque). Self-driving cars will go even
further in prevention and vehicle automation in order to be able to stop or prevent more
accidents. The downside to the usage of the sensors above is that hackers can hack ADAS in a
connected car and control the anti-lock system in an automobile. This type of attack was put to
the test by two white hat hackers, Charlie Miller and Chris Valasek, who created software to
remotely control a 2014 Jeep Cherokee. These two hackers were able to shut off the Jeep while it
was running on the highway. Since every new car comes with an entertainment system, they
were able to gain access to the Jeep through the entertainment system in the car. Greenberg
stated that even though he did not touch the dashboard, the vents in the Jeep Cherokee started
blasting cold air at the maximum setting, that the radio switched to the local hip-hop station and
began blaring Skee-lo at full volume, and that the windshield wipers turned on, and wiper fluid
blurred the glass. This hacking technique is what the security industry calls a zero-day exploit.
This exploit can target Jeep Cherokees and give the attacker wireless control, via the Internet, of
any of thousands of vehicles. Their code is an automaker's nightmare: software that lets hackers
send commands through the Jeep’s entertainment system to its dashboard functions, steering,
brakes, and transmission, all from a laptop that may be across the country (Greenberg). Other
researchers were able to hack into a Tesla Model S vehicle and wipe out the speedometer on the
car, control the doors and, just as with the Jeep, shut off the car. These vulnerabilities
were patched right away after this test was made public. But what happens if such a vulnerability
is exploited by a hacker with malicious intent? Then this kind of vulnerability in automobiles
can put a person’s life in danger. The main hackable points in a connected vehicle that need
patches and protection right away are:
● Steering and braking ECU
● Engine and transmission ECU
● Bluetooth
● OBD-II
● Wi-Fi and cellular network
The electronic control units (ECUs) of a vehicle are connected via an internal network.
If hackers could get access to any vulnerable ECU, for instance, the vehicle's Bluetooth system,
they would be able to access the main ECUs that control the braking system, transmission, and
engine. The ability to gain access to a vehicle begins with the vulnerabilities that exist within the
software and hardware of the car. Systems like Bluetooth and Wi-Fi that are built into the car
allow access to the code in the ECUs that run various important systems in a car. The main
entry point for these attackers is through the Controller Area Network (CAN). The CAN is one
of the main networks within a car and allows communication from one component to
another. Ray, Chen, Bhadra, & Al Faruque state that once an attacker gains access to the CAN,
he will have the ability (with the right skill set) to maneuver his way to other buses through the
gateways and other network entry points. Once this is achieved, the attacker will be in total control
of the car and can perform malicious tasks like changing the readings on different gauges in the
cluster, such as the speedometer and tachometer. Also, the brakes and steering wheel can be
tampered with in certain models of vehicles. With adequate knowledge and skills, the attacker can
control the entire car from his current location (Ray, Chen, Bhadra, & Al Faruque).
Solution
After doing some research, I have found that the main issue with security in connected
vehicles was patching/updating software. Usually with computers, if a vulnerability is found,
companies such as Dell and Microsoft start pushing updates right away and patching any
security holes that may be used as an entry point for a hacker. But in the automobile industry,
patching right away does not happen. The only time a vehicle gets patched is when the
automaker gets complaints of malfunctions from customers. Customers must have proof of
failure before any patch is made. Once proof is presented, manufacturers recall the vehicle to patch
and/or update the software. But the updating process is very tedious and takes a long time. First,
customers must make an appointment, then take the car to the dealership, and then wait days for
the car to be ready. In some cases, the entire update and patching process is left for the customer to
do himself. The customer either receives a CD with the latest software directly from the OEM or
must manually download the software onto a USB drive. This update method gives customers the
luxury of updating the radio/infotainment system at their own convenience. But the update
procedure is inconvenient for many because it requires an extensive amount of labor and an
excessive amount of time on the vehicle. Successfully updating the radio/infotainment system
takes the user from 30 minutes to several hours, beginning with the download procedure and
ending with the update confirmation. Not only is the procedure unintuitive, but there is also a
security risk in having the software in the hands of many customers, which increases the
possibility of reverse engineering and of a hacked version of the file being uploaded to the internet
(Dakroub & Cadena). In my opinion, this patching process is very primitive. We have smart cars
that have access to the Internet and we are still updating software in the car by taking it to the
dealership, which causes millions of dollars in losses for automakers. These types of recalls
increased from under 5% in 2011 to 15% by the end of 2015. J.D. Power and Associates, a
major global marketing information firm, listed 189 separate software recalls in the past 5
years affecting more than 13 million vehicles. Volvo recalled 59,000 cars due to a software issue
that caused the engine and the electric system to shut down while the car is in motion. Honda
recalled 350,000 vehicles due to a glitch in the parking brake software. GM recalled 4.3 million
cars due to a software issue that blocks the airbags from deploying during an accident. All these
recalls could have been avoided if over-the-air (OTA) software updates had been available. OTA not
only helps to patch security holes but also helps to patch automotive glitches in
software that can cause cars to malfunction.
What is an over-the-air update? OTA is the wireless delivery of new software or data to any
mobile device. Usually, wireless carriers use OTA to deploy software updates and patches
for vulnerabilities. How can OTA benefit the automotive industry? As with mobile devices,
connected cars need to be updated periodically, but the automotive industry fails to provide this
solution. Connected vehicles can now access the Internet by using your smartphone to sync with
the vehicle, 3G/4G services, and Wi-Fi hotspots. OTA technology would give automakers a
convenient way to deploy updates and patches to their vehicles. For example, in the case
presented above where a 2015 Jeep Cherokee was hacked, Jeep had to recall all these Jeeps and
patch their software to prevent hacking by unwanted individuals. On the other hand,
Tesla used over-the-air updates to patch their systems; there was no need for a recall, and
Tesla saved millions of dollars by using OTA. Now, Tesla is the only automaker using
OTA. Tesla vehicles regularly receive over-the-air updates that patch any security vulnerability
and add new features to the onboard software in the vehicle. For OTA to work in a vehicle, the
car must have access to the internet, but not every internet connection is secure or fast
enough. Syncing a smartphone to your vehicle will give you access to a non-secure network
connection. The connection process from your smartphone to your vehicle leaves some gaps that
hackers can take advantage of. Once hackers get hold of the connection, they can intercept it and
inject malicious code into the car while it is doing the update. As for a 3G/4G connection, you can
say that 3G/4G is a secure way of connecting to the internet because the service is being provided by
cellular companies. However, there have been a very small number of successful cases of people
hacking into the 3G/4G connection. The disadvantage of this type of connection is that it is very
slow and would take a long time to update. The best way to patch/update your vehicle's software is to
implement a Wi-Fi receiver in the car that can connect to your home Wi-Fi and do the updates
that way. Most cars do not have this capability as of now; Tesla is the only company that
allows their vehicles to connect to your home Wi-Fi. But before we start using our home Wi-Fi,
we must first secure our home network. The first step to secure your home connection is ditching
your ISP-provided router and buying a more secure router/firewall that can implement security on
a home network. If this is not possible and you want to keep the ISP router, my suggestion is to
add a firewall to your existing home network that can provide security. Securing home networks
is already being done, not because of connected automobiles, but mostly because people want
to be secure at home without any incident of getting hacked. The next step would be connecting
your vehicle to your Wi-Fi and starting the update process. Using your home Wi-Fi, there is no need
to worry about security or speed, as home networks now can go up to 200 Mbps. I work as an
IT consultant and I set up many firewalls or replace home routers with more secure routers for
homes. So, my point is that this type of security is already in place in home networks, so
why not use it to update/patch connected automobiles? The image below shows speed rates and
security issues with each type of network connection.
(Dakroub & Cadena)
This solution consists of two main parts. The first part would be having a full
inventory/database of all cars and their models. Next, the system would have to scan the vehicle
for all onboard ECUs and search the database for any updates. This process would not only help
with updates but would also scan the vehicle for any issues within the software. The second part
of this process would be pushing out the update/patch to the vehicles that need it. This process
would be carried out by a client device installed in the vehicle. This client device would have to be
connected to the internet to push the updates. Once an update is ready at the client device, a
warning would show up on the dashboard to tell the driver that the car needs to install critical
patches. People are already used to this kind of process; it happens all the time with all your
mobile devices. You do not need to be a software developer or a trained technician to do these
updates; the only thing a person would have to do is schedule a time to run the update in the
vehicle. Not all updates are equal: some will be critical updates that have to satisfy a
recall or patch a security hole in the car, whereas others are minor and less important
updates that can be postponed and ignored by the owner of the vehicle. This system gives car
manufacturers a way to deploy any security patches, which can be forced out to a whole fleet of
vehicles or can be downloaded and installed by owners at their own convenience. It goes without
saying that all vehicles getting OTA updates would have to be in standby position and not
moving. Being able to push out software updates that can fix bugs or exploits rapidly is a much
better option than the lengthy process of taking your car to the dealership. OTA implementation
will cost automakers millions of dollars, but not having OTA updates is already costing
double that amount in lawsuits and expensive recalls. In order to prevent monetary losses,
the entire system they are using now would have to change to make OTA happen. Therefore,
why not implement this system now?
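The two-part scheme described above (scan the onboard ECUs against an update database, then let an in-vehicle client install critical or optional patches only while the car is stationary) is shown here as an added example; it is not from the original essay or from any automaker's code. The ECU names, versions, firmware bytes and key are constructed, and an HMAC with a shared key stands in for the asymmetric signature a production OTA system would use. The integrity check is what keeps code injected on an untrusted link, such as the smartphone sync discussed earlier, from reaching an ECU.

```python
import hashlib
import hmac

# Constructed demo key: HMAC stands in for the OEM's signature on update metadata.
OEM_KEY = b"constructed-demo-key"

def _mac(entry, key):
    msg = "|".join([entry["ecu"], entry["version"],
                    str(int(entry["critical"])), entry["sha256"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_entry(ecu, version, critical, payload, key=OEM_KEY):
    """Backend side: bind ECU, version, severity and payload hash under one MAC."""
    entry = {"ecu": ecu, "version": version, "critical": critical,
             "sha256": hashlib.sha256(payload).hexdigest()}
    entry["mac"] = _mac(entry, key)
    return entry

def verify_entry(entry, payload, key=OEM_KEY):
    """Client side: reject edited metadata or a payload altered in transit."""
    if not hmac.compare_digest(_mac(entry, key), entry["mac"]):
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), entry["sha256"])

def version_tuple(v):
    return tuple(int(part) for part in v.split("."))

def plan_updates(installed, catalog, downloads, speed_kmh, postponed=()):
    """Return (install_now, deferred, rejected) ECU names for one vehicle scan."""
    install_now, deferred, rejected = [], [], []
    for entry in catalog:
        ecu = entry["ecu"]
        if ecu not in installed:
            continue                      # ECU not fitted to this vehicle
        if version_tuple(entry["version"]) <= version_tuple(installed[ecu]):
            continue                      # up to date; also refuses downgrades
        if not verify_entry(entry, downloads.get(ecu, b"")):
            rejected.append(ecu)          # never hand unverified firmware to an ECU
        elif speed_kmh > 0:
            deferred.append(ecu)          # vehicle must be stationary to flash
        elif not entry["critical"] and ecu in postponed:
            deferred.append(ecu)          # owner may postpone minor updates only
        else:
            install_now.append(ecu)
    return install_now, deferred, rejected

def demo(speed_kmh=0, postponed=()):
    """Constructed scan: ECU names, versions and firmware bytes are made up."""
    brake, radio, engine = b"brake-fw-2.1.0", b"radio-fw-5.0.2", b"engine-fw-1.4.0"
    catalog = [sign_entry("brake", "2.1.0", True, brake),
               sign_entry("infotainment", "5.0.2", False, radio),
               sign_entry("engine", "1.4.0", True, engine)]
    installed = {"brake": "2.0.3", "infotainment": "5.0.1", "engine": "1.4.0"}
    # The infotainment image was modified on the untrusted link during download.
    downloads = {"brake": brake, "infotainment": radio + b"<injected>", "engine": engine}
    return plan_updates(installed, catalog, downloads, speed_kmh, postponed)

if __name__ == "__main__":
    print(demo())
```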
Conclusion
Securing vehicles from cyber attacks can be very expensive for automakers but it’s a
necessity for people. Automobile networks are equipped with more and more technology but the
security of such technology is minimal in automobiles. Vulnerabilities within vehicular networks
need to be patched right away because when a hacker hacks into your computer and mobile device,
they may steal data, pictures, documents, contact lists, important files, etc., but if the hacker
attacks your car, then you can be put in a situation of life and death. It is clear that the effect of
cyber attacks on vehicles is an important issue that needs to be dealt with now. Patches and
updates are the first things that automakers must consider changing. They must leave aside the
old system of doing recalls for software updates and implement OTA updates. OTA technology
can eliminate system failures and reduce vehicle recalls by remotely addressing system
malfunctions and patching any security holes in the car. It is also a flexible way for automakers
to push out updates, since the only thing a car needs is a connection to the internet. The best way
to get an internet connection in your car is by connecting your vehicle to your home network. After
implementing firewalls, your home network is the most secure way to apply any updates and it is
also the fastest way. If you would rather use a 3G/4G network, just keep in mind that it may take
longer to update because of the slow speed it offers. Smart vehicles or autonomous vehicles are the
future of automobiles and by 2020 we will see a high number of vehicles on the roads.
References:
● Dakroub, H. and Cadena, R., "Analysis of Software Update in Connected Vehicles," SAE
Int. J. Passeng. Cars –Electron. Electr. Syst. 7(2):2014,
● Ray, S., Chen, W., Bhadra, J., & Faruque, M. A. (2017). Extensibility in Automotive
Security. Proceedings of the 54th Annual Design Automation Conference 2017 on - DAC
'17.
● Rizvi, Syed, Jonathan Willett, Donte Perino, Tyler Vasbinder, and Seth Marasco.
"Protecting an Automobile Network Using Distributed Firewall System." Proceedings of
the Second International Conference on Internet of Things and Cloud Computing - ICC
'17 (2017).
● Steinmetz, Katy. "Forget the Distant Future, Smarter Cars Are Already Here." Time, vol.
187, no. 8, 07 Mar. 2016, pp. 58-67. EBSCOhost,
search.ebscohost.com/login.aspx?direct=true&db=aph&AN=113323734&site=ehost-live.
● Taub, Eric A. "Your Car's New Software Is Ready. Update Now?" The New York Times.
The New York Times, 08 Sept. 2016. Web. 11 Mar. 2018.
● Greenberg, Andy. "Hackers Remotely Kill a Jeep on the Highway." Wired. Conde Nast,
03 June 2017. Web. 11 Mar. 2018.