The modern automobile has all the computer technology of your typical small business.
Cars typically have 70 to 100 electronic control units, or ECUs, and 10 million to 150 million lines of code running on their various systems. The entertainment consoles in the dashboard often allow USB and Bluetooth connectivity, which has provided researchers with an inviting path to these systems.
Little surprise, then, that automobiles are increasingly seen as computers on wheels.
Unfortunately, there is a downside to the technology. In 2010, a group of security researchers from the University of California, San Diego and the University of Washington did a comprehensive survey of vehicle systems and found significant vulnerabilities in the ECUs operating in a typical car.
Five years of car system analysis—from tire-pressure sensors to entertainment consoles—led up to the 2015 hack of the Jeep Cherokee, in which various systems were taken over and the transmission of a car on the highway was shut down, an event that forced Fiat Chrysler Automobiles to recall more than 1.4 million vehicles.
“Originally, a car was seen as an island. … You simply put new devices onto that island, and as long as they were inserted correctly, the system was secure,” said Rod Schultz, vice president of Rubicon Labs, a maker of secure internet of things (IoT) systems. “Now, we see that we are connecting devices, and every single ECU is potentially being connected to a network. So you can no longer assume that these devices will be secure.”
A year after the Jeep hack, automobile manufacturers are still trying to develop a solution to the complex problem of securing vehicle computer systems. The parade of vulnerabilities and issues has forced the auto industry to change, albeit slowly.
In 2015, just before news of the Jeep Cherokee hack hit the internet, a global coalition of automakers created the Automobile Industry Information Sharing and Analysis Center (Auto-ISAC). The group of 15 global automobile manufacturers represents 98 percent of the vehicles on the road in the United States.
On July 21, the Auto-ISAC published its best practices for the industry based on input from more than 50 automotive cyber-security experts. The document argues that manufacturers focus on seven security principles: risk assessment and management, threat detection and protection, incident response, collaboration with third parties, better governance, and security awareness and training.
“Automakers have many safeguards already in place to protect against cyber-threats, and the industry will continue to evolve to match emerging technology and the changing threat landscape,” Tom Stricker, vice president of product regulatory affairs for Toyota Motor North America and the chairman of the Auto-ISAC, said in an email interview. “Security will continue to be a top priority as automakers incorporate new technology into vehicles to meet consumer demands.”
Researchers, Auto Makers See No Quick Path to Secure Car Networks
The efforts have not always been positive. A proposed, and poorly worded, law in Michigan, for example, would make hacking a car a crime, no matter the purpose—whether for research or for malicious intent—and with a penalty that could be up to life in prison.
Yet, a variety of companies and researchers are focusing on ways to harden automotive systems against attacks. Typically, defenses fall into one of two approaches: either using cryptographic techniques to enforce behavior and trust between the systems or adding the ability to detect and mitigate an attack.
Rubicon Labs, for example, uses cryptography to enforce identity on the components of a vehicle’s controller area network (CAN) bus. The CAN bus connects ECUs and provides a path for communication between a vehicle’s components. A compromise of the controllers would be detected by other systems, as would any attempt to inject invalid packets into the system, the company’s Schultz said.
The problem for such approaches, however, is that, while security researchers have persuaded the automobile industry to focus on protecting its systems, the product development cycle for cars can last the better part of a decade. When Rubicon talks to automotive suppliers, they frequently discuss roadmaps for products extending to 2023 and beyond.
“Everybody wants to fix this problem, but it is very difficult when you have the massive fragmentation that you have in this industry to get any one sweeping change to happen,” he said.
Yet, other approaches exist.
At the USENIX Security Conference this year, two University of Michigan researchers will present a way to detect attacks using a simple intrusion detection system (IDS) based on knowing the timing of standard messages sent between components connected through the CAN bus.
The clock-based IDS, or CIDS, uses the fact that each ECU has its own timing and each is slightly different to create a fingerprint of the devices. If an attacker injects a message, a central monitoring system will detect that the message is invalid.
“My way was to do it [as] lightweight as possible without forcing manufacturers to change anything,” Kyong-Tak Cho, a co-author of the paper and a Ph.D. candidate in computer science at the University of Michigan, told eWEEK. “It runs independently on one node that can fingerprint others and then verify and authenticate the messages.”
Because the technique does not require changes to the ECUs or the CAN bus, Cho argues that it will be easily implemented and will not have to be incorporated into the typical product cycle, speeding manufacturers’ ability to deploy the technology.
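The timing-fingerprint idea described above can be illustrated with a short sketch. This is an added example, not code from the article or from the researchers, and it is a simplified least-squares estimate rather than the algorithm in their paper; the message period, alert threshold, skew values and timestamps are all constructed assumptions.

```python
import random

PERIOD_S = 0.010       # nominal period of the monitored CAN ID (assumed)
THRESHOLD_PPM = 30.0   # allowed deviation from the learned skew (assumed)

def simulate_arrivals(skew_ppm, n, rng, jitter_s=20e-6):
    """Constructed sample data: receive timestamps of n periodic frames from a
    sender whose clock runs skew_ppm off nominal, plus random bus jitter."""
    step = PERIOD_S * (1 + skew_ppm * 1e-6)
    return [i * step + rng.gauss(0, jitter_s) for i in range(n)]

def estimate_skew_ppm(arrivals):
    """Fingerprint = least-squares slope of accumulated clock offset
    (actual minus expected arrival time) against nominal elapsed time."""
    t0 = arrivals[0]
    xs = [i * PERIOD_S for i in range(len(arrivals))]
    ys = [(t - t0) - x for t, x in zip(arrivals, xs)]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den * 1e6

def check_window(arrivals, baseline_ppm):
    """Return (skew_ppm, alert) for one window of frames with the same CAN ID."""
    skew = estimate_skew_ppm(arrivals)
    return skew, abs(skew - baseline_ppm) > THRESHOLD_PPM

def demo():
    rng = random.Random(7)  # fixed seed so the constructed data is repeatable
    # Learning phase: fingerprint the ECU that normally sends this ID.
    baseline = estimate_skew_ppm(simulate_arrivals(120.0, 500, rng))
    # Monitoring phase: same ECU, then a different node using the same ID.
    same_ecu = check_window(simulate_arrivals(120.0, 500, rng), baseline)
    other_node = check_window(simulate_arrivals(-80.0, 500, rng), baseline)
    return baseline, same_ecu, other_node

if __name__ == "__main__":
    baseline, same_ecu, other_node = demo()
    print(f"learned skew: {baseline:.1f} ppm")
    print(f"same ECU:   skew {same_ecu[0]:.1f} ppm, alert={same_ecu[1]}")
    print(f"other node: skew {other_node[0]:.1f} ppm, alert={other_node[1]}")
```

The monitor only needs receive timestamps per CAN ID, which is why it can run on a single node without changes to the sending ECUs.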
In the end, car manufacturers will have to find better solutions for in-car network security. Changing existing technology to do that, however, will be a tall order, Cho said.
“Car manufacturers and suppliers don’t put anything in that is not absolutely needed, because it is so expensive,” he said. “CAN is a very cost-effective solution, so it is very difficult to get rid of it.”