February 12, 2015
This week, Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) again took on auto manufacturers, pointing to the privacy and security issues associated with the sophisticated electronic systems that proliferate in today’s vehicles. The senators announced at a hearing on “The Connected World: Examining the Internet of Things,” that they plan to introduce a bill that will require the National Traffic Highway Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to create federal standards to ensure that automakers protect security and privacy. Sen. Markey said: “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe.”
In November, Markey sent questions to 19 manufacturers asking what they are doing to protect new technologies from hacking. Their response, released in a report this week, varied widely, but in short, the take-away was: Not much.
That’s not surprising when automakers still often refuse to acknowledge that electronics systems are any different than mechanical parts. Having the latest technologies leaves little time for thinking about complicated safety and security measures during development. And what incentive do manufacturers have when the regulators have equally ignored the issues? NHTSA, for its part has never adopted standards to ensure that the electronic systems – many of which offer significant safety benefits – have functional safety built in. The result is that defects emerge when vehicle electronic controls fail (which they will at some point) with varying results from simply no operation to driver’s experiencing complete loss of vehicle control or safety features that cause injuries. Look no further than the recent re-recall of more than two million airbags that inadvertently deploy because of a degrading electronic chip to understand this concept.
Now the cybersecurity threat is taking the spotlight. In the past, the potential for remote hacking was more of an abstract threat, but not anymore: Last month, BMW announced that 2.2 million vehicles had a security loophole that could allow hackers break into the vehicles using only a smartphone. The glitch was in the BMW Connected Drive system, which allows the vehicle to talk to the car manufacturer about roadside assistance or inspection due dates and has a smartphone app for things like remotely opening the door or activating the horn. This would only give the hacker access to the car, not the ability to operate it, but an enterprising hacker could combine it with a previous vulnerability in the 2010-2011 models’ wireless key fob to actually steal the car.
Central Nervous System
Almost all vehicles on the market today rely on in excess of 50 minicomputers, or Electronic Control Units (ECUs), that control one or more specific aspects of the vehicle’s operation, from dashboard lights to airbag sensors to steering and braking. The ECUs regularly share data with each other through the vehicle’s controller area network (CAN), like nerve signals sent out through the body. That’s why the seatbelt tightens when the brakes are applied suddenly and electronic stability control alters engine torque and wheel speed if more traction is needed. Wireless Bluetooth, smartphones, and infotainment systems also communicate with ECUs, opening up wireless entry points to the CAN. Although the communications ECUs do not control safety features, they are often bridged to other ECUs, especially when the vehicle allows drivers to unlock doors or even start the vehicle from their phones. And all vehicles have a federally mandated OnBoard Diagnostics (OBD-II) port under the dashboard, allowing easy access to anyone seeking to access the vehicle’s internal networks.
Just like a home computer, this network of sophisticated software makes vehicles incredibly vulnerable to hackers, either through physically embedded malware or through wireless access. In 2010, researchers at the University of Washington and the University of California San Diego connected a laptop to two late-model passenger cars’ OBD-II ports to run a CarShark program that manipulated the vehicles’ CANs. They later ran the same program through a car’s Bluetooth system. The researchers were able to prevent the driver in a moving car from braking and lock up the brakes unevenly. The researchers also manipulated the speedometer, turned off all of the cars’ lights, blared the horn, killed the engine and locked the doors to prevent the driver from exiting. They discovered that the gateway between the low-speed networks, which control the less critical functions, and the safety-critical high-speed networks was weak, so compromising any ECU can allow a determined hacker to compromise safety-critical ECUs.
“In starting this project, we expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability,” the researchers said. “However, we found exiting automotive systems – at least those we tested – to be tremendously fragile.”
In 2013, two cybersecurity experts, Chris Valasek and Charlie Miller, demonstrated how easy it is to control the steering, braking, acceleration and display in a 2010 Ford Escape and a 2010 Toyota Prius by manipulating their internal wiring. Last year, they surveyed the schematics of 21 vehicles to determine their susceptibility to a remote attack, which unrolls in three stages: the hacker accesses an ECU that “listens” to outside messages; that ECU interacts with a safety-critical ECU; and the hacker makes the safety-critical ECU behave in a way that compromises vehicle safety. Without the actual vehicles to test, they couldn’t determine how easy it would be to remotely attack them through vulnerabilities in the schematics. But Valasek and Miller did find that many vehicles use common desktop technology already familiar to hackers and that 42 percent of the vehicles had no separation between an openly accessible ECU, like remote keyless entry, and a safety-critical ECU. The 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Infinity Q50 appeared to be the most hackable vehicles, while the 2014 Dodge Viper, 2014 Audi A8 and 2014 Honda Accord were the least hackable.
Ironically, Valasek and Miller said new technologies designed for safety might actually leave vehicles more susceptible to security breaches. Manipulating normal braking systems is difficult because the hacker has to find the vulnerabilities and convince the system to apply the brakes, but newer collision prevention systems are already programmed to stop when the CAN receives certain messages – all the hacker has to do is get a message in to the internal network.
At least one real-world hacking incident has been recorded: in 2010, a man fired from a Texas dealership hacked into the dealer’s remote vehicle immobilization system – which lets the dealer disable a vehicle when a payment is missed – and shut off about 100 cars or kept their horns blaring.
With the government’s plans to implement vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) technologies allowing vehicles to “talk” to each other and receive signals from road signs, the hacking threat will only become more imminent, and without proper functional safety designed in, errant signals from one vehicle can potentially affect others around it.
Message Unreceived
Automakers have typically ignored these warnings. As the Markey report points out, Valasek and Miller approached Ford and Toyota before releasing their 2013 study to the public, giving them a chance to correct the vulnerabilities. But the manufacturers instead claimed it didn’t matter because Valasek and Miller accessed the vehicles through their computer systems and the real danger is remote hacking through a wireless device. The automakers ignored the earlier proof that a remote attack using a wireless Bluetooth stack is just as easy.
The Markey report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” based in part on responses to a detailed questionnaire by the Senator, found that “many manufacturers did not seem to understand the questions posed” and often gave incomplete or vague answers, or declined to answer altogether. (16 automakers responded to the questionnaire – Aston Martin, Lamborghini, and Tesla declined.) Among the findings:
Markey also asked about data collected on driver history – a median of 35 percent of vehicles have technologies that can gather enormous amounts of information, such as locations entered into navigation systems, current location, last location parked, steering angle and belt use, tire pressure, engine status and distances and times traveled. Some manufacturers keep the data stored in the vehicle, but others transfer it to a central location, and a large majority contract with outside companies to collect the data. Only one automaker specifically designs the data-storing systems with security protections.
Last year, the automakers tried to head off scrutiny of their lack of mechanisms to protect driver information by creating a set of consumer privacy principles, submitted to the Federal Trade Commission (FTC) by the Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers. The principles are categorized as: transparency, choice, respect for context, data minimalization, de-identification and retention, data security, integrity and access, and accountability. But Markey noted the vaguely worded principles leave a lot of wiggle room for manufacturer interpretation and discretion.
The report concluded: “The alarmingly inconsistent and incomplete state of industry security and privacy practices, along with the voluntary principles put forward by industry, raises a need for [NHTSA], in consultation with the [FTC] on privacy issues, to promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.” The standards should:
The Safety Record has repeatedly pointed out the gaping holes that have allowed for vehicle electronics to proliferate without first advancing an effective functional safety standard for these systems (see “NHTSA Seeks Input on Electronics Rule”). The lack of adequate security for these electronics increase the safety hazards associated with these systems.
Right now, the only functional safety standard is the voluntary International Organization for Standardization (ISO) standard ISO 26262, created in November 2011, which outlines rules for performing functional-safety assessments, identifies risks during the design phase, and includes guidelines throughout the lifecycle of the product from development to production to operation to reuse and decommission.
In December 2014, NHTSA finished collecting comments on its long-overdue electronics rule, seeking information to determine “whether there are emerging gaps in the functional safety assurance processes of motor vehicles.” But manufacturers are fighting it. The Association of Global Automakers said in its comments that, “there are already a number of process standards and best practices that have either been published or are in the process of being developed” and that “NHTSA’s participation can most effectively be pursued through collaborative efforts with industry and voluntary standards organizations.” On the issue of cybersecurity, the trade association said adopting standards would exacerbate the problem: “If all manufacturers were required to employ either identical or overly prescribed designs for their electronic systems and cyber-attack countermeasures, such attacks could be more likely, or more widespread, if vulnerabilities were to be identified in the agency’s required approach.”