{"id":4295,"date":"2015-07-29T16:34:25","date_gmt":"2015-07-29T16:34:25","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4295"},"modified":"2019-11-15T13:57:31","modified_gmt":"2019-11-15T11:57:31","slug":"hacking-my-car-remotely-this-time","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/hacking-my-car-remotely-this-time\/4295\/","title":{"rendered":"Hacking my car, remotely this time"},"content":{"rendered":"

Wired recently ran yet another groundbreaking article<\/a> (they are really good at it), that got the heads of \u00a0car drivers, technology enthusiasts, and cybersecurity experts turned in the already familiar direction of\u00a0car hacking. We have just gotten used to the fact that computers are hacked remotely. Now, so are cars.<\/p>\n

No direct contact <\/strong><\/p>\n

The main subjects\u00a0of the article are familiar: Charlie Miller and Chris Valasek. These extraordinary gentlemen have made names\u00a0for themselves\u00a0in car hacking research.<\/p>\n

For years, they studied cars\u2019 on-board systems, discovered the vulnerabilities therein, and demonstrated the possibility of malicious exploitation. They have previously shown how to \u201cpwn\u201d the car and kill its brakes using the direct access to the on-board system (i.e. having a laptop hooked up the dashboard). While dangerous, this was impractical \u2013 which carmakers were quick to point out. However,\u00a0this already hinted on the very real possibility of car hacking.<\/a><\/p>\n

Now they have shown how to \u201ckill a Jeep\u201d (strictly remotely), which is a big and dreary news.<\/p>\n

Hacking my car, remotely this time #criticalsecurity<\/p>Tweet<\/a><\/blockquote>\n

Wired\u2019s Andy Greenberg described the ordeal he willingly went through, quite illustriously:<\/p>\n

\u201c\u2026Though I hadn\u2019t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.<\/p>\n

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car\u2019s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits.<\/p>\n

He goes on to state that Mr. Miller and Mr. Valasek developed a zero-day exploit that can target Jeep Cherokees and \u201cgive the attackers wireless control, via the Internet, to any of thousands of vehicles\u201d. He also described the code as \u201can automaker\u2019s nightmare\u201d, since it allows hackers to send commands throught the Jeep\u2019s entertainment system \u201cto its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.\u201d<\/p>\n

Who let the dogs in<\/strong><\/p>\n

Wait-wait-wait, what? The dashboard functions are \u201cmarried\u201d to the entertainment system with no isolation between them? Kudos for the great security approach to the manufacturer.<\/p>\n

As for it being \u201can automaker\u2019s nightmare,\u201d it is more likely going to be the driver\u2019s nightmare, the kind Mr. Greenberg experienced as his transmission was remotely cut down on the highway. It wasn\u2019t a life-threatening experience, but definitely no fun at all.<\/p>\n

The burning question, again, is how it was possible that the \u201csecondary,\u201d non-critical infotainment system appeared to be so closely integrated with the \u201cprimary,\u201d absolutely life-critical dashboard functions. These systems aren\u2019t just isolated from each other \u2013 it is really possible to do anything to the car \u2013 and all it takes from the attackers, according to Wired\u2019s article, is to know the car\u2019s IP address.<\/p>\n

\u201cAll of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone,\u201d Mr. Greenberg wrote. And after what he has experienced this acrimony is understandable.<\/p>\n

Haven\u2019t we warned..?<\/strong><\/p>\n

Honestly, it was coming for a long while. Our boss, Eugene Kaspersky, who recently shared his thoughts on the matter (take a look<\/a>), said he was \u201cjoking\u201d about the possibility of a car hacking back in 2002. In 2015, it\u2019s a reality.<\/p>\n

\u201cSome auto manufacturers keep squeezing onto CAN [controller area network \u2013 the on-board communications system that interconnects and regulates the exchange of data among the various devices]<\/em> more and more controllers without considering basic rules of security. Onto one and the same bus \u2013 which has neither access control nor any other security features \u2013 they strap the entire computerized management system that controls absolutely everything. And it\u2019s connected to the Internet,\u201d Mr. Kaspersky wrote.<\/p>\n

CAN was\u00a0developed 30 years ago, and it has no security functions built-in. And yes, now it is connected to the Internet without any \u201cdivision of trust.\u201d<\/p>\n

A straight-to-the-point picture:<\/p>\n

In fact, there is an answer to this \u201cwhy?\u201d Actually two: a simple one, and a complex one.<\/p>\n

A simple one is \u201cmarketing.\u201d The complex one is \u201ca consequence of a common business logic.\u201d<\/p>\n

This logic says: \u201cWell, we need to stay ahead of the competitors, so let\u2019s make\u00a0this one new fancy car model even more appealing. How? Let\u2019s stuff it with electronics and call it \u2018smart.'\u201d<\/p>\n

And then marketing: \u201cHey! Have we got a deal for you \u2013 the car that is so smart it obeys your commands via a smartphone.\u201d<\/p>\n

And the person who bought this \u201csmart\u201d car: \u201cWow! I have a car that\u2019s hooked up to the Internet; it\u2019s cool!\u201d<\/p>\n

It becomes way less cool as soon as remote hacking becomes possible \u2013 it is a dream gift for both car thieves and much more capital offenders. After all, the primary problem is the old one: the automotive on-board system lacks the \u201csecurity-by-design.\u201d<\/p>\n

\u201cThroughout the auto industry there\u2019s a tendency \u2013 still today! \u2013 to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to \u2018get their hands dirty\u2019 with it; therefore, the brains applied to it are chronically insufficient to make the tech secure\u201d, Kaspersky writes, adding that everywhere the hasty \u201cgrowth of functionality of all this new tech is hurtling ahead without taking security into account!\u201d<\/p>\n

Yes, this is the case with other critical infrastructure<\/a> \u2013 and cars can easily be called \u201ccritical infrastructure\u201d too: Lives depend on how safe they and their CANs are.<\/p>\n

And it is wrong to say that a modern car\u2019s on-board systems are reliable on their own, even without added internet connectivity. They are not.<\/p>\n

Recently, a fellow alumnus of this post\u2019s author, a well-known business journalist, barely survived a serious accident: An airbag did not deploy despite the fact that the driver was buckled up properly and the hit was frontal.<\/p>\n

The car manufacturer\u2019s support service said that the on-board system decides whether to open the airbag based on a number of various factors in order to minimize the possible harm (in some situations airbags may inflict extra injury\u00a0on the driver). And in this particular case, it decided that airbag should not be opened. That really looks like a malfunction, and\u2026 Well, \u201cthe system decided not to open the airbag\u201d sounds wicked, does it not?<\/p>\n

An exploit let the hackers to take over all of the car\u2019s systems remotely #criticalsecurity<\/p>Tweet<\/a><\/blockquote>\n

An acknowledged problem<\/strong><\/p>\n

Automakers acknowledge there is a problem, and apparently, so do legislators. Wired\u2019s Andy Greenberg wrote that Miller and Valasek managed to \u201cspook\u201d the industry and \u201cinspire\u201d legislation: A new bill that\u2019s designed to require cars to meet certain standards of protection against digital attacks and privacy is underway in the U.S., and hopefully other nations will follow suit.<\/p>\n

The entire automotive industry is on its toes. US Alliance of Automobile Manufacturers announced the creation of an Information Sharing and Analysis Center to deal with cyber threats and vulnerabilities in the on-board electronics and in-vehicle networks.<\/p>\n

It\u2019s up to the manufacturers to change the approach to designing modern hi-tech equipment. As we have written before, security should come first. It must be taken in account at the design level, not added later (if added at all). It is the only way to decrease the risk level \u2013 both for automotive systems and other civilian critical infrastructure \u2013 which is high enough without an unnecessary exposure to cyberthreats such as in the case of a remotely hacked Jeep.<\/p>\n","protected":false},"excerpt":{"rendered":"

It’s up to the manufacturers to change the approach to designing modern hi-tech equipment. As we have written before, security should come first. It must be taken in account at the design level, not added later.<\/p>\n","protected":false},"author":209,"featured_media":15433,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[542,2325,1171,2326,2327],"class_list":{"0":"post-4295","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-car-hacking","10":"tag-car-on-board-systems","11":"tag-exploits","12":"tag-miller","13":"tag-valasek"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-my-car-remotely-this-time\/4295\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-my-car-remotely-this-time\/4295\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-my-car-remotely-this-time\/4295\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/car-hacking\/","name":"car hacking"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=4295"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4295\/revisions"}],"predecessor-version":[{"id":24556,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4295\/revisions\/24556"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15433"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=4295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=4295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=4295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}