Paul McLellan
One Thing Could Shut Down this Party—Automotive Cybersecurity

26 Jul 2017 • 4 minute read

Ofer Ben Noon, CEO and co-founder of Argus Cybersecurity, had the job of raining on the parade at the Automotiv Elektronik Kongress in Ludwigsburg recently. On the day he was speaking, Europe was under attack, Ukraine was largely shut down, and big-name shipping companies were shut down. Closer to home, the Wannacry ransomware had shut down Honda's Sayama plant in Japan, Nissan's plant in Sunderland (UK) and Renault's plants in France.

As Ben put it, in response to the optimism about when we were going to get our self-driving car:

One thing could shut down this party: cybersecurity

Ever since a couple of researchers took control of a Wired journalist's Jeep and drove it off the road, with him in it, automotive security has been in the news. You can read my post Automotive Security: A Hacker's Eye View for more details on this particular event, from when Charlie Miller, one of the researchers, gave a keynote at last year's ARM Techcon. It is one thing if some virus slows our PC down, another thing completely if one speeds our car up. Ofer warned us that there are plenty of events that have not become fully public, and that security researchers are the main people who know about them. The panel below is just a few relevant ones that are public.

Sicherheit

One thing I didn't know is that the German word Sicherheit means both safety and security. Ofer likes to define safety as functional safety plus cybersecurity. But absolute security is a myth. As Mike Rogers, the head of the NSA, put it to a group of businessmen:

Despite your best efforts, you must assume you will be penetrated. It's not about if you will be hacked, but when. The key question is what is the right vision for the way forward.

He had some sober datapoints on how much various intrusions had cost, including the jobs of some of the senior people involved. At the time he was speaking Wannacry was up to $4B and was still ongoing. It spread to 230,000 computers in 150 countries in just a single day.

He had a video that was what he called Wannacry for cars. A car wouldn't start and required the owner to send a ransom. The scary thing is that it was done three years ago, not last week.

Ofer said that the experience in the datacenter area has meant that people are no longer ignorant about the issues, and no longer hold the idea that cars will not be attacked. There are lots of motivations, from minor crime, to car theft, to identity theft and invasion of privacy.

One thing he emphasized, and that I have learned from my peripheral involvement in security, is that it is not a one-time event. It affects a vehicle throughout its lifecycle, just like safety. So you need to have a philosophy of:

  • Prevent
  • Understand
  • Respond

In particular, you cannot rely on perimeter exclusion. One reason that the big Target theft of credit card data a couple of years ago was so significant was that once the hackers were in they were there for weeks without being detected. That's like locking your front door but leaving the safe open. Security is not something you check once a year, more like once an hour. It is the same way that functional safety requires built-in self-test to be run regularly, so that failures get detected before they have a chance to have an effect.

Argus is obviously in the business of automotive security, and they showed a dashboard from their operations center where they handle security for vehicle fleets. They can respond with over-the-air updates on a global scale. They have professional "red teams" who are very skilled and will try to break into your systems. They are fluent in automotive architectures, protocols, standards, and use cases. Argus is the biggest independent automotive cybersecurity company in the world, with over three decades in automotive.

It is not just the vehicle. He had an example where they penetrated an enterprise server through the car head unit, the infotainment system. They had been hired to review it, in what is called black box testing, where they are given no information about what is inside. After two months with four researchers, they got in through the WiFi connection and took control of the vehicle. From there they went to the servers in the back end. They took control of the databases. But they didn't stop there. They moved on into IT and could shut down the company. As he said, the "OEM was less excited than we were," but it was an important wakeup call.

Washington

I had very little idea that any of this is on Washington's radar, but it is. There is a "Spy Car Act" of 2017, actually something originally introduced in 2015, requiring NHTSA and FTC to issue regulations. There was a public hearing just a couple of weeks earlier. Congress could introduce a bill by the end of July (Ofer's opinion is that it wouldn't happen that fast; it will take a couple of years).

In the Q&A, Ofer said that the whole environment is changing and companies are not ready. Often, he said, the first time IT security and vehicle security met in the same room was in a meeting with Argus. Industry needs to change as a whole.
