Page 1: Connected Automobiles and Cybersecuritycysecure.org/470/18sp/indiProject/Jpoblete-Project/indiO...But in the automobile industry patching right away does not happen. The only time


Julio Poblete

Dr. Yoon

March 10, 2018

Connected Automobiles and Cybersecurity

Abstract:

The birth of smart connected cars has made driving easier for humans. However, connected cars are still highly vulnerable to hackers. The ease of gaining access to a vehicle begins with the vulnerabilities that exist within the software and hardware of the car. As with mobile devices, connected cars need to be updated periodically, but part of the automotive industry fails to provide this solution. After doing some research, I have found that the main issue with security in connected vehicles was patching/updating software. Also, the best way to patch/update your vehicle's software is to implement a Wi-Fi receiver in the car that can connect to your home Wi-Fi and do the updates that way. Many vehicle recalls can be avoided by using OTA. OTA will not only help to patch security holes but will also help to patch automotive glitches in software that can cause cars to malfunction.


Table of Contents

Abstract
Introduction
Automotive Issues
Solution
Conclusion
References


Introduction

Technology has become a big part of the life of every person in the world. Without technology, humans would still have to communicate through letters or talk directly to the person they want to reach. Nowadays, to communicate with someone, a person can simply open an app and type a text message, and the message will be transmitted within seconds to the person they are trying to reach. Technology gave humans a faster and easier way to do everything in life. Technology has become a big part of everyone's life and many depend on it. One change technology brought, and that many humans now can't live without, is transportation. The birth of smart connected cars has made driving easier for humans. Cars are not like before: now they are programmed to stop by themselves if they sense proximity to another car, tell you if you are drifting out of your traffic lane, and/or give you directions. What is most impressive is the cars that can be driven without any human interaction. Yet, with the increasing advance of technology in cars, original equipment manufacturers (OEMs) are facing some challenges when it comes to cybersecurity. All electronic control units (ECUs) of a car are connected via the internal network of the vehicle. Every new car can be equipped with at least 100 ECUs that control the windshield wipers, steering system, transmission, engine functions, etc. Even with this advanced technology, connected cars are still highly vulnerable to hackers. The only thing hackers need is access to the Bluetooth system of a car, and from there they will be able to take control of all the critical ECUs, such as the transmission and steering systems. In order to prevent any hacks from happening, car manufacturers would need to deploy patches for any type of vulnerability right away. Unfortunately, car manufacturers have not found a way to safely patch vehicles.


Automotive Issues

One of the biggest problems that connected automobiles will face in the upcoming years is vehicle cybersecurity. As vehicles become more connected and automated, they will become an easy target for hackers. New cars have sensors installed all around them that can sense their surroundings, and they were put into place to prevent accidents. For example, radar sensors allow cars to be set in cruise control, which maintains the car at a safe distance from other vehicles. Also, vehicle-to-vehicle (V2V) sensors beam out basic data about their location to other vehicles on the road, helping to prevent accidents. In my opinion, the biggest improvement that technology brought to cars is the advanced driver assistance systems (ADAS). ADAS systems include electronic and software components targeted towards assisting in, enhancing, and eventually replacing the functions of the human driver. ADAS includes a variety of sensors, camera, radar, and LIDAR devices to identify the surroundings, determine wheel speed and angular momentum, etc. (Ray, Chen, Bhadra, & Al Faruque). Self-driving cars will go even further in prevention and vehicle automation in order to be able to stop or prevent more accidents. The downside to the usage of the sensors above is that hackers can hack ADAS in a connected car and control the anti-lock system in an automobile. This type of attack was put to the test by two white hat hackers, Charlie Miller and Chris Valasek, who created software to remotely control a 2014 Jeep Cherokee. These two hackers were able to shut off the Jeep while it was running on the highway. Since every new car comes with an entertainment system, they were able to gain access to the Jeep through the entertainment system in the car. Greenberg stated that even though he did not touch the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, the radio switched to the local hip-hop station and began blaring Skee-Lo at full volume, and the windshield wipers turned on and wiper fluid blurred the glass. This hacking technique is what the security industry calls a zero-day exploit. This exploit can target Jeep Cherokees and give the attacker wireless control, via the Internet, of any of thousands of vehicles. Their code is an automaker's nightmare: software that lets hackers send commands through the Jeep's entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country (Greenberg). Other researchers were able to hack into a Tesla Model S vehicle and wipe out the speedometer on the car, control the doors and, just as with the Jeep, shut off the car. These vulnerabilities were patched right away after this test was made public. But what happens if this vulnerability is exploited by a hacker with malicious intent? Then this kind of vulnerability in automobiles can put a person's life in danger. The main hackable points in a connected vehicle that need patches and protection right away are:

● Steering and braking ECU
● Engine and transmission ECU
● Bluetooth
● OBD-II
● Wi-Fi and cellular network

The electronic control units (ECUs) of a vehicle are connected via an internal network. If hackers could get access to any vulnerable ECU, for instance the vehicle's Bluetooth system, they would be able to access the main ECUs that control the braking system, transmission, and engine. The ease of gaining access to a vehicle begins with the vulnerabilities that exist within the software and hardware of the car. Systems like Bluetooth and Wi-Fi that are built into the car allow access to the code in the ECUs that run various important systems in a car. The main entry point for these attackers is the Controller Area Network (CAN). The CAN is one of the main networks within a car that allows communication between one component and another. Ray, Chen, Bhadra, & Al Faruque state that once an attacker gains access to the CAN, he will have the ability (with the right skill set) to maneuver his way to other buses through the gateways and other network entry points. Once this is achieved, the attacker will be in total control of the car and can perform malicious tasks like changing the readings on different gauges in the cluster, such as the speedometer and tachometer. Also, the brakes and steering wheel can be tampered with in certain models of vehicles. With adequate knowledge and skills, the attacker can control the entire car from his current location (Ray, Chen, Bhadra, & Al Faruque).

Solution

After doing some research, I have found that the main issue with security in connected vehicles was patching/updating software. Usually with computers, if a vulnerability is found, companies such as Dell and Microsoft start pushing updates right away and patching any security holes that may be used as an entry point for a hacker. But in the automobile industry, patching right away does not happen. The only time a vehicle gets patched is when the automaker gets complaints of malfunctions from customers. Customers must have proof of failure to get any patches. Once proof is presented, manufacturers recall the vehicle to patch and/or update the software. But the updating process is very tedious and takes a long time. First, customers must make an appointment, then take the car to the dealership, and then wait days for the car to be ready. In some cases, the whole update and patching process is left for the customer to do himself. The customer either receives a CD with the latest software directly from the OEM or must manually download the software onto a USB drive. This update method gives customers the luxury of updating the radio/infotainment system at their own convenience. But the update procedure is inconvenient for many because it requires an extensive amount of labor and an excessive amount of time on the vehicle. To successfully update the radio/infotainment system, the user needs from 30 minutes to several hours, beginning with the download procedure and ending with the update confirmation. Not only is the procedure unintuitive, but there is also a security risk in having the software in the hands of many customers, which increases the possibility of reverse engineering and of a hacked version of the file being uploaded to the internet (Dakroub & Cadena). In my opinion, this patching process is very primitive. We have smart cars that have access to the Internet and we are still updating software in the car by taking it to the dealership, which causes millions of dollars in losses for automakers. These types of recalls increased from under 5% in 2011 to 15% by the end of 2015. J.D. Power and Associates, the major global marketing information firm, listed 189 separate software recalls in the past 5 years affecting more than 13 million vehicles. Volvo recalled 59,000 cars due to a software issue that caused the engine and the electric system to shut down while the car is in motion. Honda recalled 350,000 vehicles due to a glitch in the parking brake software. GM recalled 4.3 million cars due to a software issue that blocks the airbags from deploying during an accident. All these recalls could have been avoided if there were over-the-air (OTA) software updates. OTA not only helps to patch security holes but also helps to patch automotive glitches in software that can cause cars to malfunction.

What is an over-the-air update? OTA is the wireless delivery of new software or data to any mobile device. Usually, wireless carriers use OTA to deploy software updates and patches for vulnerabilities. How can OTA benefit the automotive industry? As with mobile devices, connected cars need to be updated periodically, but the automotive industry fails to provide this solution. Connected vehicles can now access the Internet by using your smartphone to sync with the vehicle, 3G/4G services, and Wi-Fi hotspots. OTA technology would give automakers a convenient way to deploy updates and patches to their vehicles. For example, in the case presented above where a 2015 Jeep Cherokee was hacked, Jeep had to recall all these Jeeps and patch their software to prevent any hacking by unwanted individuals. On the other hand, Tesla used the over-the-air update to patch their systems; there was no need for a recall and Tesla saved millions of dollars by using OTA. Now, Tesla is the only automaker company using OTA. Tesla vehicles regularly receive over-the-air updates that patch any security vulnerability and add new features to the onboard software in the vehicle.

For OTA to work in a vehicle, the car must have access to the internet, but not every internet connection is secure or fast enough. Syncing a smartphone to your vehicle will give you access to a non-secure network connection. The connection process from your smartphone to your vehicle leaves some gaps that hackers can take advantage of. Once hackers get hold of the connection, they can intercept it and inject malicious code into the car while it is doing the update. As for a 3G/4G connection, you can say that it is a secure way of connecting to the internet because the service is being provided by cellular companies. However, there have been a very small number of successful cases of people hacking into the 3G/4G connection. The disadvantage of this type of connection is that it is very slow and would take a long time to update.

The best way to patch/update your vehicle's software is to implement a Wi-Fi receiver in the car that can connect to your home Wi-Fi and do the updates that way. Most cars do not have this capability as of now; Tesla is the only company that allows their vehicles to connect to your home Wi-Fi. But before we start using our home Wi-Fi, we must first secure our home network. The first step to secure your home connection is ditching your ISP-provided router and buying a more secure router/firewall that can implement security on a home network. If this is not possible and you want to keep the ISP router, my suggestion is to add a firewall to your existing home network that can provide security. Securing home networks is already being done, not because of connected automobiles, but mostly because people want to be secure at home without any incident of getting hacked. The next step would be connecting your vehicle to your Wi-Fi and starting the update process. Using your home Wi-Fi, there is no need to worry about security or speed, as home networks now can go up to 200 Mbps. I work as an IT consultant and I set up many firewalls or replace home routers with more secure routers for homes. So, my point is that this type of security is already in place in home networks, so why not use it to update/patch connected automobiles? The image below shows speed rates and security issues with each type of network connection.

(Dakroub & Cadena)


This solution consists of two main parts. The first part would be having a full inventory/database of all cars and their models. Next, the system would have to scan the vehicle for all onboard ECUs and search the database for any updates. This process would not only help with updates but would also scan the vehicle for any issues within the software. The second part of this process would be pushing out the update/patch to the vehicles that need it. This process would be carried out by a client device installed in the vehicle. This client device would have to be connected to the internet to push the updates. Once an update is ready at the client device, a warning would show up on the dashboard to tell the driver that the car needs to install critical patches. People are already used to this kind of process; it happens all the time with all your mobile devices. You do not need to be a software developer or a trained technician to do these updates; the only thing a person would have to do is schedule a time to run the update in the vehicle. Not all updates are equal: some will be critical updates that would have to satisfy a recall or patch a security hole in the car, whereas others are minor and less important updates that can be postponed and ignored by the owner of the vehicle. This system gives car manufacturers a way to deploy any security patches, which can be forced out to a whole fleet of vehicles or can be downloaded and installed by owners at their own convenience. It goes without saying that all vehicles getting OTA updates would have to be in standby position and not moving. Being able to push out software updates that can fix bugs or exploits rapidly is a much better option than the lengthy process of taking your car to the dealership. OTA implementation will cost automakers millions of dollars, but not having OTA updates is already costing double that amount of money in lawsuits and expensive recalls. In order to prevent monetary losses, the entire system they are using now would have to change to make OTA happen. Therefore, why not implement this system now?
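The two-part process described above, sketched as an added example that is not code from this paper or from any automaker: part one matches a scanned ECU inventory against a database entry, and part two decides what the in-vehicle client does with a downloaded patch. The manifest layout, ECU names, versions and demo key are constructed assumptions, and the HMAC tag and SHA-256 digest checks (HMAC standing in for a real OEM signature) are an added safeguard against the altered or injected update files the paper warns about.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the asymmetric signature a
# production client would verify against an OEM public key.
DEMO_KEY = b"constructed-demo-key"


def manifest_tag(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical JSON form of an update manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def plan_updates(ecu_scan: dict, manifest: dict, tag: str, key: bytes) -> list:
    """Part one: compare scanned ECU versions with the database entry."""
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        raise ValueError("manifest failed authentication")
    needed = [
        u for u in manifest["updates"]
        if u["ecu"] in ecu_scan
        and version_tuple(ecu_scan[u["ecu"]]) < version_tuple(u["version"])
    ]
    # Stable sort: critical (recall or security) updates come first.
    return sorted(needed, key=lambda u: not u["critical"])


def install_decision(update: dict, payload: bytes, stationary: bool,
                     owner_approved: bool) -> str:
    """Part two: decide what the in-vehicle client does with one download."""
    if hashlib.sha256(payload).hexdigest() != update["sha256"]:
        return "reject"      # altered in transit or not the OEM's file
    if not stationary:
        return "defer"       # never flash an ECU while the car is moving
    if update["critical"] or owner_approved:
        return "install"
    return "postpone"        # minor update the owner has not scheduled


# Constructed sample data: firmware payloads, database entry, ECU scan.
BRAKE_FW = b"constructed brake firmware 2.1.0"
RADIO_FW = b"constructed infotainment firmware 5.0.0"
MANIFEST = {
    "model": "ExampleCar 2018",
    "updates": [
        {"ecu": "infotainment", "version": "5.0.0", "critical": False,
         "sha256": hashlib.sha256(RADIO_FW).hexdigest()},
        {"ecu": "brake", "version": "2.1.0", "critical": True,
         "sha256": hashlib.sha256(BRAKE_FW).hexdigest()},
        {"ecu": "engine", "version": "1.4.0", "critical": True,
         "sha256": hashlib.sha256(b"constructed engine firmware").hexdigest()},
    ],
}
TAG = manifest_tag(MANIFEST, DEMO_KEY)
ECU_SCAN = {"infotainment": "4.9.2", "brake": "2.0.7", "engine": "1.4.0"}

if __name__ == "__main__":
    for update in plan_updates(ECU_SCAN, MANIFEST, TAG, DEMO_KEY):
        fw = BRAKE_FW if update["ecu"] == "brake" else RADIO_FW
        print(update["ecu"], install_decision(update, fw, True, False))
```

The engine ECU is already at the listed version, so it is left out of the plan; a manifest altered after tagging raises `ValueError` before any version comparison is made.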


Conclusion

Securing vehicles from cyber attacks can be very expensive for automakers, but it's a necessity for people. Automobile networks are equipped with more and more technology, but the security of such technology is minimal in automobiles. Vulnerabilities within vehicular networks need to be patched right away because when a hacker hacks into your computer or mobile device, they may steal data, pictures, documents, contact lists, important files, etc., but if the hacker attacks your car, then you can be put in a situation of life and death. It is clear that the effect of cyber attacks on vehicles is an important issue that needs to be dealt with now. Patches and updates are the first things that automakers must consider changing. They must leave aside the old system of doing recalls for software updates and implement OTA updates. OTA technology can eliminate system failures and reduce vehicle recalls by remotely addressing system malfunctions and patching any security holes in the car. It is also a flexible way for automakers to push out updates, since the only thing a car needs is a connection to the internet. The best way to get an internet connection in your car is by connecting your vehicle to your home network. After implementing firewalls, your home network is the most secure way to apply any updates and it is also the fastest way. If you would rather use a 3G/4G network, just keep in mind that it may take longer to update because of the slow speed it offers. Smart vehicles or autonomous vehicles are the future of automobiles, and by 2020 we will see a high number of vehicles on the roads.


References:

● Dakroub, H. and Cadena, R., "Analysis of Software Update in Connected Vehicles," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 7(2):2014,

● Ray, S., Chen, W., Bhadra, J., & Faruque, M. A. (2017). Extensibility in Automotive Security. Proceedings of the 54th Annual Design Automation Conference 2017 on - DAC '17.

● Rizvi, Syed, Jonathan Willett, Donte Perino, Tyler Vasbinder, and Seth Marasco. "Protecting an Automobile Network Using Distributed Firewall System." Proceedings of the Second International Conference on Internet of Things and Cloud Computing - ICC '17 (2017).

● Steinmetz, Katy. "Forget the Distant Future, Smarter Cars Are Already Here." Time, vol. 187, no. 8, 07 Mar. 2016, pp. 58-67. EBSCOhost, search.ebscohost.com/login.aspx?direct=true&db=aph&AN=113323734&site=ehost-live.

● Taub, Eric A. "Your Car's New Software Is Ready. Update Now?" The New York Times. The New York Times, 08 Sept. 2016. Web. 11 Mar. 2018.

● Greenberg, Andy. "Hackers Remotely Kill a Jeep on the Highway." Wired. Conde Nast, 03 June 2017. Web. 11 Mar. 2018.