Modern cars are computers on wheels, which means hostile hackers can breach your car’s software and do whatever they want far more easily than you might think.
Moshe Shlisel knows exactly how someone can hack your car. Fortunately, he is one of the good guys. His company specializes in cybersecurity. His team researches vulnerabilities in cars to identify risks and help guard against them.
In his experience, almost all modern cars on the road today are extremely vulnerable to hacking. And, it is happening in the real world, although it receives little attention and society is largely naïve about the number of car and other industrial hacks, Shlisel said.
In 2019, for example, the US Army’s Stryker armored vehicles were hacked, compromising some of their systems, according to reports published in The Drive and ArmyTimes.
In June of last year, Forbes reported that almost every automaker has been hacked and that there has been a general increase in attacks over the years. Forbes quoted Upstream’s latest Global Security report: “There was a 99% increase in cybersecurity incidents (150) in 2019 with a 94% increase year-over-year since 2016. Insurers are just beginning to realize the seriousness of the threat, and some question whether auto cybersecurity is a national defense issue.”
“The more sophisticated the system, the more connected your vehicle is, the more exposed you are,” said Shlisel, CEO and co-founder of GuardKnox Cyber Technologies Ltd. in Israel with subsidiaries in Detroit and Germany. “We took any model (car) you can think of and we hack them in various places. I can control your direction, I can stop and (start) your engine, control your brakes, doors, wipers, open and close your trunk.”
These are only a fraction of the safety risks of vehicles. Cybersecurity experts claim professional hackers can take over vehicle systems or access a driver’s personal data in most modern cars quite easily, even if they are sitting halfway around the world. All they need to do is find your car’s unique Internet Protocol (IP) address.
It presents automakers with an endless task of keeping up with changing technology to stay one step ahead of the bad guys. And action is being taken.
“It’s a cat and mouse game, you have to be on the ball all the time to stay ahead of the game, otherwise if you don’t move forward you get hacked,” said Michael Dick, CEO of C2A Security, which is based in Israel and works with automakers on cybersecurity solutions.
Over the past 15 years, automakers have increasingly added software to vehicles.
Today there are 100 million lines of code in a vehicle, more than in a jet, laptop or cell phone, Dick said.
Some of this software is written by automakers and some by vendors, which further complicates the process of protecting against malicious forces, he said.
“If you ask a manufacturer what kind of software is in a vehicle, they won’t be able to tell you. This is in part due to a complicated supply chain in the automotive industry,” said Dick.
C2A Security has found that there are constant attacks on automotive systems such as infotainment and connectivity, and possibly even on safety-critical systems, that go unpublished because they are typically carried out on a single car and stay between the hacker and the car manufacturer.
Dick expects that at some point there could be ransomware attacks on cars. This is where a driver will try to start the vehicle and get a message that says, “To start your vehicle you will need to pay 500 bitcoins. There is no way around it. You’ll have to get it towed and get brand new software to start it,” he said.
It has already become popular to steal a credit card or personal information, which is available in the vehicle’s infotainment system, Dick said.
“These are two low-end examples,” Dick said. “I know for sure it happened… in cybersecurity labs they might have hacked cars and then they release it and tell the automaker they’re doing it to show how good they are. It happened several times during the year.”
At the end of last year, ethical hackers installed software in a drone and flew over a Tesla and opened the doors of the car, Forbes reported.
“Theoretically, you could steal a car,” Dick said.
“When these hacks are published, it means they told Tesla and Tesla fixed it,” Dick said. “But they were able to do it.”
It has also been shown, he said, that a hacker could theoretically take control of one vehicle or multiple vehicles at once, posing a threat to lives and infrastructure.
“Imagine having that attack where you take the busy freeway at 9am and malware has been installed in thousands of vehicles and everyone is losing their brakes or turning left,” Dick said. “You would potentially have thousands of deaths and that would compromise the road network.”
Hackers alert Detroit’s 3
One of the most notorious vehicle hacks came in 2015 when ethical hackers Charlie Miller and Chris Valasek conducted a semi-controlled experiment and managed to remotely take control of a Jeep Cherokee, activating the windshield wipers, blasting the radio and turning off the engine in the middle of a freeway, ultimately landing it in a ditch, according to a Wired report.
Both caught the attention of General Motors. In 2017, Cruise, GM’s autonomous driving subsidiary in San Francisco, hired Miller and Valasek.
A year later, GM launched its Bug Bounty program. GM brought 10 hand-picked hackers (ethical hackers or security experts, in technical jargon) to Detroit. GM paid them a bounty, a cash payment, for each “bug” they discovered in any of GM’s vehicle computer systems.
GM ended its private Bug Bounty program in 2019, but has an active bug bounty program through its HackerOne vulnerability disclosure program. HackerOne is a forum for ethical cybersecurity researchers to report various security vulnerabilities to companies.
Fiat Chrysler, now called Stellantis, has been running a similar program since 2016. According to a Bugcrowd report provided to the Free Press by a spokesperson for Stellantis, the automaker has rewarded 542 benevolent hackers for finding vulnerabilities over the years. It pays them $150 to $7,500 for each vulnerability discovered. Over the past three months, the average payout per vulnerability was $422.98, Bugcrowd said.
Earlier this year, ethical hackers alerted Ford Motor Co. that its internal system, filled with confidential information, was not protected against hostile forces. Ford said it believed it had averted a security breach.
“We must remain vigilant”
In 2016, GM launched its vulnerability disclosure program on HackerOne.
Since then, researchers have reported to GM over 2,000 vulnerable areas, which GM has corrected, and, “over 500 hackers have been thanked for their support, so we appreciate this relationship,” said Al Adams, product manager of GM.
Adams leads a product cybersecurity team of approximately 90 engineers and in-house hackers around the world. GM has also hired eight to ten third-party cybersecurity companies to find weak spots in GM cars.
GM practices a “defense in depth” strategy, Adams said.
“It’s a security strategy where we design overlapping security controls,” Adams said. “So a vulnerability that exists that exposes a security check, it has a backup to protect against that. These are layers that overlap and protect each other.”
GM’s Vehicle Intelligence Platform (VIP), launched in 2019 on Cadillac CT5s, CT4 sedans and Corvette Stingray, is an example of GM’s cybersecurity evolution, he said.
The software in VIP is authenticated. This means that if a hacker tried to install some other software on the car’s system to, say, take control of the steering or lock the ignition, VIP would block the foreign software because the system would know it is not genuine or authorized. In addition, VIP has improved the live update capability to further protect the car software. Adams said by 2023 VIP will be on the majority of GM models.
“If you consider the security controls we currently have in place and the VIP enhancements, we are well positioned against the attack known today,” Adams said. “But we must remain vigilant and ensure that in the future we monitor the progress of the attack and have an evolution of our controls in parallel.”
Driving a car from the 60s
Dick said, “If you want to be safe you have to drive in a car from the 60s.”
It’s a bit extreme, but Adams and Shlisel offer other tips for car owners to protect themselves against cyber hacking beyond what automakers do with cybersecurity.
• Consumers should demand that regulators require automakers to pass the same type of cybersecurity exam as they do for safety assessments, Shlisel said.
• Don’t connect devices via Bluetooth to your car, unless device providers can make sure the device is protected, Shlisel said.
• Keep your mobile phone up to date with the latest security checks available, Adams said.
• Create and use strong passwords for your OnStar account or in-vehicle WiFi, Adams said.
• Do not insert untrusted devices into the USB port. If you find a USB drive on the floor, don’t plug it in to find out what’s in it, Adams said.
“There is a lot of talk about cybersecurity these days because we realize that the current situation is not good, it is a dangerous situation,” Dick said. “There is lidar, radar and cameras and the more systems the car has, the more vulnerable the car is and it is progressing in leaps and bounds.”