A Message from the Common Table
I hope all of you had a great month. I think Spring is finally here. It has been rather cool today and the rain helped knock down all the pollen in the air.
I have big news for our club. We are back to being able to meet at Pritchard at South End. I have secured a meeting room for us that is right across the hall from the big meeting space we used for years. This was an old classroom when we were there previously, and it is now a conference room and it is perfect for our use. We can have our food here also. We will have our April 12, 2018 meeting there and going forward. I hope some of our members will return to join us at this central Charlotte location. I would like to thank Maryanne Dailey and the Better Business Bureau for hosting us for the last year or so at their office. Maryanne will be out for our next meeting. Maryanne, we wish you safe travel to the West coast for your conference.
One of our members, Alex Albl, is graduating from East Carolina University this May. Many of you will remember Alex coming to our meetings with his dad, Ludwig. He was in middle school when he joined us and had a real passion for computing and technology. He has written a theme paper for his school work and we are presenting it in this newsletter. We can all learn a thing or two about our vehicles and technology.
I hope to see all of you at the meeting.
How Hackable are Modern Cars
East Carolina University
Cybersecurity is becoming increasingly important as devices of all types are becoming connected to the Internet. Modern cars have complex networks of computerized controllers, and there have been no concerns about the cybersecurity of them until relatively recently. Cybersecurity researchers have demonstrated a wide variety of exploits on cars. As the complexity and number of onboard computers increases, hackers gain a greater attack surface and more vulnerabilities to exploit. A discussion of the history and development of electronic control units (ECUs), controller area networks (CAN), the exploits, and how automakers are responding towards the news of such exploits will be covered.
How Hackable are Modern Cars
In the 1980s, electronic control units (ECU) started to become common on cars. At that time they managed basic engine functions, increasing fuel efficiency and lowering emissions (Currie, 2015). They were implemented on cars to comply with emissions requirements created by the National Highway Traffic Safety Administration in the 1970s (Wojdyla, 2012). Before ECUs were invented all the functions of a car were controlled mechanically. ECUs receive input from sensors and send commands to controllers for common automotive components such as fuel injectors, ignition, and the throttle (Eyal, 2007). In the early 1980s only key engine components were computerized, as technology advanced more and more components of cars were managed by ECUs. Nearly every component on a modern car is computerized, this includes the radio, doors, and even seats (Wojdyla, 2012). Nearly all automotive innovations since the mid-1980s were possible because of the inclusion of ECUs.
One of the first cars to include an ECU was the 1978 General Motors Cadillac Seville. A feature made possible by ECUs included a display of speed, fuel, miles travelled, and engine information. By 1981, GM was using computerized engine controls running around 50,000 lines of code across its entire line of passenger cars (Charette, 2009). Other manufacturers quickly caught up. Today the onboard electronics account for over half of a new car’s cost (Goodman, 2015). The average modern car has around 100 million lines of code running on around 100 ECUs (Charette, 2009). More line of code, means that more vulnerabilities exist for hackers to exploit. A study done by Carnegie Mellon University in 2014, revealed that commercial software on average has around 30 bugs for every one thousand lines of code (Goodman, 2015). This means that hackers have around 3 million lines of code to potentially exploit in a modern car. In contrast Windows 7 has around 50 million line of code (Goodman, 2015). An F-35 fighter plane has around 8 million lines of code. The number of lines of code, illustrate just how complicated and computerized modern cars really are.
Controller Area Networks (CAN) using a bus topology, are how the ECUs communicate with each other. (Currie, 2015). CANs are similar to Ethernet networks in that they include functions such as message prioritization, error checking, and reception acknowledgements (Currie, 2015). Unlike Ethernet networks, the CAN bus in cars is not segmented and was not designed with any cybersecurity in mind, as all components can communicate with each other. As an example, the engine controllers can communicate with the entertainment system and airbags, when there is no reason to do so (Currie, 2015). Before the development of the CAN bus technology in the mid-1980s, ECUs were connected via point-to-point connections to a single ECU. This design was more costly, as more wiring was required (A Brief, 2015). The advent of the CANBus, lead to the development of the On-Board Diagnostics protocol (ODB). This allows anyone to plug a scanner into a port and receive error codes for specific problems with the car. There are software packages such as CANdo which allows for anyone to send messages to ECUs (CANdo, 2015). Mechanics use similar software to diagnose issues quickly and hot-rodders use them to increase an engine’s horsepower (Wojdyla, 2012).
Being able to send messages to the ECU allows someone to take over the system, as is possible with any other computerized system that accepts input data. Hackers have demonstrated loading malware into an ECU, using an infected audio file on a CD, flashdrive, or a malicious smartphone, app connected via Bluetooth. A disgruntled mechanic or user that is unaware that media they are using contains malware, could easily infect their car (Greimel, 2016).
More components in cars are being connected to the Internet, such as the onboard GPS, in vehicle Wi-Fi, and entertainment systems (Greimel, 2016). Connecting cars to the Internet allowed for many innovative services such as GM’s OnStar, which automatically calls an ambulance when the airbag inflates and remotely reporting automotive issues to dealers before they result in major damages. Insurance companies use this technology to keep track of drivers’ habits and to charge them accordingly (Goodman, 2015).
Rogue employees are a large cybersecurity threat to car industry, as is the case with all other technology-dependent entities. In 2010, a former employee at a Texas Auto Center caused the horns of more than 100 cars to honk uncontrollably and made them temporarily inoperable. This attack was carried using WebTecKPlus, an application that manages the black boxes built into vehicles. The rouge employee used another employee’s account to carry out the attack, this attack required minimal skill. Fortunately, the rouge employee’s IP address was traced and he was later arrested. Disconnecting a cable in each vehicle was required to stop the horns from honking (Goodman, 2015). This was one of the largest attacks on cars that did not require technical skills to carry out.
In 2015, a group of cybersecurity researchers remotely took control of a Jeep Cherokee travelling at about 70mph on a highway. Andy Greenburg, a senior writer for WIRED magazine, was driving the jeep at that time. When he pushed the brake pedal, there was no response. Other things done by cybersecurity researchers included activating the windshield wipers, air-conditioner, and the radio. All of these attacks were possible, because of a weakness in the onboard entertainment system. This attack was only done as a demonstration and the terrified driver called the researchers, begging them to stop. Thankfully the researchers stopped tampering with the Jeep and nobody was injured (Greenburg, 2015). These attacks illustrate the need for auto manufacturers to take cybersecurity as seriously as other industries have done so for many years.
The way that auto manufactures have been responding to incidents of cars being hacked are very mixed. Lawmakers from the House Committee on Energy and Commerce, have written letters to several major auto manufacturers and the National Highway Traffic Safety Administration (NSHTA) about the attacks and asked what the manufacturers are doing to prevent similar attacks (United States House of Representatives, Committee on Energy and Commerce, 2015). As early as 2010, Autostar a company based in Germany has been working on creating open cybersecurity standards on cars. In 2015, the Automotive Information Sharing and Analysis Center was formed as a response to the hacks (Greimel, 2016). The NSHTA and most auto manufacturers with the exception of Tesla and BMW have taken few actions to address these issues. BMW, provided cybersecurity updates wirelessly to 2.2 million cars that were determined to have cybersecurity vulnerabilities. Tesla hired a cybersecurity professional from Apple to implement secure code in its cars (Goodman, 2015). More automakers are following in suit.
Unfortunately not all automakers are placing a high priority on cybersecurity. Many still prefer to keep cybersecurity obscure, which has not proven successful in other industries. While they do usually implement proprietary messaging systems on the CAN Buses in their cars, they do not implement encryption, as is the case with most IoT devices (Currie, 2015). Fortunately, Trillium, a Japanese company, creates SecureCAN. This encryption software which generates new encryption keys when the ignition is turned on and changes the cipher text at random intervals (Yoshida, 2015). Authorization is more difficult to implement as it requires additional hardware; automakers will be hesitant to implement the additional hardware due to increased weight and costs (Currie, 2015).
The increasing prevalence of self-driving cars presents even more opportunities for criminal hackers. Self-driving cars are only more difficult to secure, the increased number of sensors, cameras, and controllers on them provides hackers an even greater attack surface compared to cars, without self-driving features. Most auto-manufactures are expected to have autonomous vehicles by the 2020s, when there will be a larger number of autonomous vehicles on the road. This would require upgrading the transportation network as extensive vehicle-to-road, vehicle-to-vehicle, and vehicle-to-satellite communications (Rosenfield, 2017). Securing a transportation network would be a massive effort. In addition, non-autonomous cars will still have a presence for many years later. In September 2017, the House of Representatives passed the SELF DRIVE Act. This is a bipartisan bill which gives the NSHTA power to set basic standards for self-driving vehicles (Clerkin, 2017). As technology progresses, legislation needs to be passed that will ensure that it is implemented in ethical ways.
Fortunately, the legal and technical aspects of automotive cybersecurity are being addressed, though just as with computer network cybersecurity, securing cars will require cooperation between auto manufacturers, engineers, governmental agencies, and information cybersecurity professionals. Even with the cybersecurity standards in place, there will still be vulnerabilities and auto manufacturers may find ways to building their products adhering to cybersecurity standards. Updates will need to be automatically applied to cars, as software has done for many years. Automotive cybersecurity must be taken with as much if not more seriously than network cybersecurity, after all many of the same issues are present, except lives are at stake.
A Brief Explanation of CAN Bus. (2015). Retrieved February 17, 2018, from https://sewelldirect.com/learning-center/canbus-technology
CANdo. (2015). CANdo CAN Bus Analyser. Retrieved February 17, 2018, from http://www.cananalyser.co.uk/index.html
Clerkin, B. (2017, September 21). How Will We Ensure Cybersecurity in a Self-Driving World? Retrieved April 03, 2018, from https://www.dmv.org/articles/cybercybersecurity-and-self-driving-cars
*Charette, R. (2009, February 01). This Car Runs on Code. Retrieved February 02, 2018, from https://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
*Currie, Roderick. “Developments in Car Hacking.” Edited by Manuel Santander, SANS Institute InfoSec Reading Room, SANS Institute, 5 Dec. 2015, www.sans.org/reading-room/whitepapers/ICS/developments-car-hacking-36607
Eyal, N. (2007). Vehicle Lab – Engine Control Unit. Retrieved Aril 2, 2018, from http://www.vehicle-lab.net/ecu.html
Greimel, H. (2016). PLAYING CATCH-UP. Automotive News, 90(6748), 24. Retrieved from http://search.proquest.com.jproxy.lib.ecu.edu/docview/1832903801?accountid=10639
Greenburg, A. (2015, July 21). HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT. Retrieved February 23, 2018, from https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Rosenfield, H. (2017, June 27). Self Driving Vehicles The Threat To Consumers. Retrieved March 31, 2018, from http://docs.house.gov/meetings/IF/IF17/20170627/106182/HHRG-115-IF17-20170627-SD020.pdf
United States House of Representatives, Committee on Energy and Commerce. (2015, May 28). Committee Leaders Seek Information on Auto Cybersecurity [Press release]. Retrieved April 2, 2018, from https://energycommerce.house.gov/news/press-release/committee-leaders-seek-information-auto-cybersecurity/
Wojdyla, B. (2012, February 21). How it Works: The Computer Inside Your Car. Retrieved February 17, 2018, from https://www.popularmechanics.com/cars/how-to/a7386/how-it-works-the-computer-inside-your-car/
Yoshida, J. (2015). CAN Bus Can Be Encrypted, Says Trillium. Retrieved April 2, 2018, from http://www.eetimes.com/document.asp?doc_id=1328081
Pritchard Memorial Baptist Church at 1117 South Blvd.
Maps and directions are below.
Join us with your bag supper at 5:30 or the meeting at 6:30.
The PCCC meets the second Thursday of most months at Pritchard in Dilworth. The location is 1117 South Blvd., Charlotte.
Room and Parking information:
We are meeting in a different room in the same building as the big hall. Come in the atrium and look for us in the first room on the ground floor down the hall to your left. If the parking lot closest to the building is full, park in the deck directly across the street. Do not park in the upper lot!
If you are lost, locked out, or wish an escort from the parking deck, call 704-607-6461.
Click on map for Google directions (https://firstname.lastname@example.org,-80.8507889,18z) .
Find it at What3Words (https://map.what3words.com/chef.pens.with)