The history of automotive cyber attacks on vehicles can be traced back to the late 1990s, with the introduction of the OnBoard Diagnostics port (ODB) into vehicles which, for the first time, provided direct access to engine management systems.
Of course, in those days to attempt to hack a vehicle you needed expensive hardware, direct access to it in order to connect to the ODB port and proprietary software. Even then, it was far from simple, as you had to have an understanding of the Control Area Network bus (CANbus) control codes, which are typically unique to each vehicle model. Furthermore, as systems were predominantly isolated on different bus topologies, just having access to one bus would not allow you to easily access other electrical sub systems. Back in the early 2000s, what we know today as the In-Vehicle Infotainment (IVI) system was typically a proprietary piece of hardware running a Real Time Operating System (RTOS) and had very limited functionality in comparison to today’s advanced Android-based systems.
As vehicles became more sophisticated, so did the methods of attack. These ranged from “man in the middle” attacks extending the range of key fobs to broadcasting false traffic information over RDS systems to try and make cars re-route.
The Connected Car Age Changes Everything
As we move into the age of connected vehicles, the landscape for automotive cyber security is once again changing. Tens of millions of cars are already on the road with embedded connectivity capabilities. Juniper Research predicts that as many as 775 million connected cars will be on the road by 2023 (via telematics modules or via consumer apps). As a result, a whole new set of challenges will face the industry moving forwards.
However, this is not the only change that is taking place. We are seeing an evolution in the design of internal vehicle architectures. Consumers are demanding more capable experiences within the vehicle, with their expectations being driven by developments in the mobile and tablet arenas. OEMs are responding and are now implementing more advanced experiences These can include streaming content services (everything from traffic updates to Spotify or Netflix), support for digital assistants such as Google and Alexa as well as advanced software updating capabilities. These changes are taking place at the same time as the industry is moving to implement electrification of the power train, deployment of advanced driver assistance systems (ADAS) and moving to level 2 autonomous systems. All of these changes combined are driving the need for new internal vehicle architectures that can support 100’s of the microprocessors that are now standard inside modern vehicles. Ethernet (and specifically Ethernet-AVB) is now becoming a common solution within vehicles, to provide greater bandwidth and timing synchronisation together with support for gateways that allow different bus architectures to communicate with each other in ways that were not possible 10-15 years ago.
For hackers, the most significant change is the removal of the need to have physical access to the vehicle, as they can now target the embedded connectivity modules and, therefore, vehicles that are in motion. This was first highlighted back in 2015 with the infamous Jeep hack (Miller and Valasek).
Whilst that hack was performed under controlled conditions with the intent of providing valuable insights for OEMs (called a White Hat attack), they did demonstrate that, theoretically, they could have remotely achieved control of the vehicle. With today’s telematics units not only connected to the CANbus but also to IVI and other sub-systems, the potential for a remote hacker to cause driver distraction, or even to influence the vehicle itself, is a key concern. This has indeed been proven to be the case over the last few years, with 2019 marking a key milestone for the industry. Last year, there were more black hat attacks on vehicles than white hat attacks.
Technologies such as Wi-Fi and Bluetooth are also now commonplace in vehicles and these also facilitate the potential for remote attacks. For example, embedded Wi-Fi 33 modules are being used as private networks, replacing complex, expensive and heavy wiring harnesses between sub-systems in order to both reduce cost and also improve fuel efficiency. Vehicle users are often not even aware that these systems exist or maybe exposed to hackers.
Another source of attack is on the back-end cloud platforms that vehicles are connecting to in order to download content, software updates or to upload diagnostic logs etc. Whilst this does not directly enable a hacker to take control of a vehicle, it could, for example, allow them to track where a vehicle is or to retrieve user information and credentials. It could also enable them to embed malicious content into updates being sent to the vehicle, which could then force an IVI or telematics unit to reset, thereby causing distraction for the driver.
Another consideration is the widespread move towards Linux-based platforms such as Android or GenIVI. This presents two key challenges:
1. Common platforms = more developers
In the past, OEMs would normally use RTOS platforms such as QNX or iTron. These were highly specialised for the automotive industry and hence, if you did not work in the industry it was very unlikely that you would develop the expertise or have access to tools to carry out an attack against a vehicle. However, with the move towards repurposing server, desktop and mobile platforms for automotive, this is increasing the potential number of developers that have the expertise to work on these platforms. This is both positive and negative. While OEMs can harness more development talent to work on their projects, they are now also using platforms that are widely understood by hackers and are commonly targeted by them. While there are specific Linux releases, such as the SELinux Kernel enhancements, that focus on enhanced security, they do not cover all aspects of security and still require additional hardening of the operating system.
2. The Application Challenge
One of the attractions of moving to Linux-based platforms is the ability to support 3rd party applications and services that can be pre-installed or added by vehicle users. While this undoubtedly has many potential benefits for all parties concerned, it does open-up additional attack vectors. We have seen the impact of developers embedding malicious code into applications and downloadable in the desktop and mobile world and the devastating impact this can have, from rendering devices unusable to ransomware attacks. While OEMs will be able to limit what applications and services are made available to vehicles, using platforms that are widely understood by black hat hackers will focus their attention on this area. Already in 2019, according to Upstream Security Ltd, 13% of reported automotive cyber attacks were conducted via mobile applications.