As more vehicles become connected, so the potential threats to their security increase. Gil Reiter, vice president of product management for security firm SafeRide, says the biggest ‘attack surface’ for connected cars is their internet connectivity - and the in-vehicle applications that use the internet connection.
“The most vulnerable connected electronic control units (ECU) in vehicles are the telematics and infotainment units - as once malware is able to penetrate the connected ECU it can penetrate other vehicle systems through the in-vehicle network.”
But he warns that the biggest threat is the unknown - as new vulnerabilities that were not thought of beforehand will be exploited by hackers, and original equipment manufacturers (OEMs) need to be ready for them.
“Traditional security mechanisms that are deployed to prevent malware installation and attack penetration to other systems can only handle threats that were detected when the vehicle was designed,” Reiter adds.
These threats pose a present danger as figures from the UK Office of National Statistics show an overall 19% increase in vehicle crime, along with a 29% increase related to vehicle interference since 2014.
Deep learning
SafeRide provides OEMs, fleet operators and automotive suppliers with early detection and prevention of cyberattacks, and is offering its vXRay solution as a line of defence.
Reiter explains that vXRay utilises machine learning and deep learning technology to help OEMs detect anomalies such as ‘zero-day’ vulnerabilities - ones which have never previously been detected - before an attack begins.
For example, hackers can use a software bug in a telematics box to install malware capable of sending malicious commands on the controller area network (CAN bus) – the comms network which connects components within a vehicle (see box).
“If the software bug was unknown, the deterministic protection was unable to prevent the malware penetration - but the AI [artificial intelligence] solution will detect the malicious commands on the CAN bus and will help prevent the damage that the malware seeks to inflict on the vehicle,” he says.
The vXRay product can also identify vehicle malfunctions before they happen, to avoid recalls – and can also detect operation outside the allowed range.
The importance of thinking maliciously
Last year, Stacy Janes, chief security expert – automotive at Irdeto, told ITS International that the industry needs to “think maliciously” to prevent hackers from taking advantage of increased connectivity in transportation.
Hacking experts Charlie Miller and Chris Valasek deliberately tried to illustrate the vulnerability of car systems by remotely hacking a Jeep Cherokee in 2015, apparently controlling the steering and braking, according to an article in Wired magazine. It worked. “When the Jeep hack happened, they knew there was a problem – it got everyone’s attention,” says Janes. Fiat Chrysler recalled 1.4 million vehicles as a precaution.
Detection capabilities
At the Consumer Electronics Show (CES) 2019 in Las Vegas, vXRay was tested by two partners; one is developing an autonomous shuttle while the other is building a connected security operation centre (SOC).
“At CES we demonstrated the detection capabilities by playing back an attack scenario that was collected and tested by one of our partners,” Reiter continues. “During the demonstration, visitors were able to see how alerts are generated and presented to security analysts at a SOC.”
The vXRay solution uses advanced, unsupervised machine learning paradigms to establish the normal behaviour of the vehicle without dependencies or previous knowledge of ECU properties and protocols.
“Once the behavioural baseline is established, the machine learning models can accurately detect, categorise and flag any abnormal behaviour and report it to the connected vehicles’ SOC for further analysis,” he explains.
The vXRay technology can be integrated into the OEM SOC, where security alerts are analysed and users can download a security policy update or update software over the air to correct a new vulnerability.
Installation is a two-fold process, as Reiter insists that most connected vehicles do not have enough computer power on-board to run advanced AI algorithms.
CAN bus
A Controller Area Network (CAN bus) allows microcontrollers and devices to communicate with each other without a central computer. The engine control unit is generally the biggest processor in a traditional automobile, with other units used for transmission, airbags, cruise control, electric power steering, power windows, doors or – for hybrid and electric cars – battery and recharging systems. “In these vehicles, the in-vehicle network data is collected and sent to the cloud through the telematics control unit. The AI system is installed in the cloud and it’s integrated in the OEM SOC.”
The data that comes out of the vehicle is analysed in the cloud, where anomalies are reported to the SOC. In this scenario, the vXRay can be used without needing to change vehicle hardware.
For autonomous vehicles (AVs) and some high-end cars, an on-board graphics processing unit (GPU) allows AI algorithms to run inside. The vXRay can be deployed in the vehicle and provide real-time alerts.
Reiter emphasises that OEMs can improve protection in vehicles by installing a multilayer security protection including firewall, authentication and integrity verification to minimise cyberattacks.
“At the same time, OEMs should assume that the security mechanisms will fail and therefore install an intrusion detection and prevention solution that can detect an intrusion after it has happened and allow for remediation,” he warns. “AI-based anomaly detection solutions are the ultimate line of protection that can detect intrusions that exploit unknown vulnerabilities.”
Zero-day
In the next five to ten years, Reiter predicts there will be more zero-day attacks and that more sophisticated software in connected vehicles will be met by more sophisticated attacks.
He believes that OEMs will be more concerned and serious about solutions as they are already starting to realise that consumers and regulators will be looking to them for security answers. Also, he thinks OEMs will transition from relying on component suppliers to asking cybersecurity experts to solve security concerns.
“Security companies working with OEMs are taking a variety of approaches, from monitoring the network to examining the ECU for anomalous activity,” he suggests. “OEMs who haven’t made this a priority yet will certainly do so in the coming years; they won’t really have a choice.”
Reiter estimates that OEMs will start deploying intrusion detection and prevention systems built into the vehicle, which examine activity and can send out alerts if security has been compromised.
In parallel with this change, he forecasts that SOCs will feature advanced intrusion capabilities that do not exist in most vehicles today due to technical and cost limitations.
“So to be fully effective, SOCs will start to deploy advanced anomaly detection technologies to analyse the data coming from vehicles over the network and effectively detect anomalies and intrusions,” Reiter concludes.
Admittedly, much needs to be done to offer better protection against cyberattacks and there is no clear-cut resolution. But if OEMs start taking steps now, they are likely to be better served in the years to come.
99% of drivers unaware of cyberattacks
In the UK, 99% of drivers are unaware of security flaws such as phone phishing, according to a survey. This is where hackers send emails containing malicious links to drivers. The malware can connect to a car’s Wi-Fi features and take control.
MoneySuperMarket says 16% of drivers - or someone they know - have experienced car hacking. Also, eight out of 10 drivers do not know if their insurance covers digital threats.
In addition to the lack of awareness, only half of drivers are concerned about vehicle theft via keyless entry - despite 110 car models being vulnerable to this threat.
The research says criminals often attack cars by using a relay system to amplify the vehicle’s key signal from inside a property - so that it reaches the car on the driveway.
Hackers can also exploit local remote control apps, which drivers use to start and control their car, as well as using sensors inside a tyre to display false pressure readings or track the vehicle. Other methods include keyless jamming as well as hacks on the car’s controller area network and on-board diagnostics.
