A hacker's guide to fixing automotive cybersecurity
The security researcher known for hacking a 2014 Jeep Cherokee, leading to a 1.4 million-vehicle recall, outlines how automakers can keep connected cars safe from cyberattacks.
Illustration by Alicia Tatone
My first car was a 1965 Ford Mustang. It wasn’t a terribly reliable vehicle, but as one of the world's leading experts on automotive cybersecurity, I can attest that it was extremely resilient to cyberattack.
That was the past, now cars are different. Every year, more computers are added to vehicles and they are simultaneously becoming more connected to the outside world. While these new features are really useful and help to make vehicles safer and our trips more pleasant, they do open up the possibility of attack by hackers.
This threat was highlighted recently by me and my research partner Chris Valasek. While our willing accomplice, a reporter from Wired Magazine, drove down a highway near my house in my 2014 Jeep Cherokee, we remotely hacked into it and for a short time disabled the transmission, bringing him to a slow halt. Once we had that level of control, we could have affected the vehicle in even more insidious ways, such as controlling the radio, speedometer, turn signals, and to some extent, safety critical systems including the steering, brakes, and acceleration of the vehicle. There was nothing special about this Jeep and no modifications had been made to it. The same attack could have been performed on any of the 1.4 million Fiat Chrysler automobiles that were eventually recalled to fix this security vulnerability.
How did we get from my old Mustang to the cars of today that are constantly connected to the internet? The earliest automobiles didn’t have any real functionality beyond moving a passenger from place to place. As time went on more devices were added, such as turn signals, speedometer, windshield wipers, and airbags. Each of these required some connectivity between components. For example, for a turn signal to work, it requires a wire to be run from the turn signal lever in the steering column to the respective devices which control the flashing of the lights that indicate you want to turn. As more and more devices were added to the automobile, more and more wires were necessary to run throughout the vehicle to connect these devices. These additional wires required not only extra weight (which hurt fuel efficiency) but also extra cost. In a business where you are selling millions of vehicles, every little cost adds up. The solution to wires running everywhere was the introduction in 1986 of the Controller Area Network (CAN) bus. The first CAN chip was delivered a year later and by the year 2000 more than 100 million CAN devices were sold.
CAN is a specification utilized by almost all automobiles. It is a single two-wire connection between all the components of the car. Instead of running separate wires for everything, all the components can take turns sending messages on this shared bus to one another. Because of the way this specification is designed, the messages are broadcast to all components. There is no way to know which component sent which message or to verify it was really sent by that component.
This limitation was acceptable and didn’t add any security risk for many years. However, two additional events began to happen in the design of automobiles that significantly changed this threat level. Together, these two design changes enabled the end-to-end hacking that landed us in the security conundrum we find ourselves in today. Without both of these events, the most serious types of car hacking would not be possible.
The first such change was that additional safety and convenience features were added to automobiles. One of the more interesting was Automated Parking Assist that is a convenience feature that will help steer a vehicle into a parallel parking spot. This was first seen in the US in 2006 in some Lexus vehicles. In 2009 and 2010, it was introduced into Fords and BMWs, respectively. Beyond Automated Parking Assist, and around the same time, other technologies such as Lane Keep Assist, Collision Prevention, and Adaptive Cruise Control were introduced. Together, these form a diverse set of features that vary from helping you to stay in your lane or help you park your car to performing safety critical actions like applying the brakes if it thinks you will crash. Additionally, more features like these are being introduced all the time. Together, these high-tech features can save lives – they’ve bailed me out more than once – but they have one important thing in common. They all require that computers (like the parking assist module) have the ability to send commands to other computers (like the power steering control module) that physically control the actions of the car. This means that hackers may potentially be able to utilize this functionality to control these physical actions of the car.
The other significant change that allows for the possibility of car hacking is allowing outside data into the car. In the Jeep demonstration discussed above, this was through an internet connection the Jeep maintained at all times. The head unit (you know, the big computer with the navigation maps and radio in it) also had a cellular modem built into it. This allowed the Jeep to collect traffic information for navigation as well as find local restaurant recommendations. Unfortunately, this feature also allowed us to communicate with the head unit over this same Internet connection. We identified a vulnerability in the software that ran on this computer and were able to get it to run commands of our choosing. Had the Jeep not been reachable over the internet, we would not have been able to remotely take control of it. But it was, and so we did.
Even beyond directly connecting to the internet, vehicles have been slowly processing more and more data from the outside world. Some vehicles, like the Jeep, offer Wi-Fi hotspot internet access to their passengers. Less high-tech vehicles still collect data from the outside world. Most cars offer Bluetooth connections to their driver’s phones. This allows the driver to make hands-free phone calls or play music from their phone over the car’s speakers. It also means the car is processing data over Bluetooth from the outside world. In fact, in 2011, researchers from the University of Washington and University of California, San Diego, successfully attacked a car through the Bluetooth interface by exploiting a vulnerability in the code that parsed the Bluetooth communications.
At an even lower level, most cars have wireless sensors that monitor tire pressure and report if it is getting low. This is yet another opportunity for vulnerabilities in automotive software that handles that data. In the future, vehicles will process data from other vehicles or from infrastructure that reports road and traffic conditions. This represents yet another way that outside, possibly malicious data can enter the automobile that must be ready to process it safely. Regardless of the data source, any vehicle software that uses external data may contain vulnerabilities that external attackers can leverage.
All this leads to the inevitable conclusion that automobiles are vulnerable to cyber attacks and in the future are more likely, rather than less likely, to be vulnerable as even more high-tech, complex, and connected features are added to them. The state of computer security in general should not make us feel better about this. Large high-tech powerhouses such as Apple, Microsoft, and Google have been trying for years to produce secure software for us to use. Despite this effort, vulnerabilities are continually discovered and companies provide patches to fix those that are reported. This steady stream of patches is a constant reminder that at this time, nobody knows how to create software that is completely secure and resilient to attack. There is no reason to think that automotive companies have silently solved this problem. So, as vehicles process outside data, there will inevitably be security issues in the software running on our cars.
Faced with the demonstration of the Jeep vulnerability, as well as earlier work from the academic researchers mentioned earlier, car manufacturers are at least aware of this problem. While it is not realistic to think that they will make vehicles with fewer features or make them less connected, there are still a variety of solutions available to them to help make vehicles more secure. One solution is to add additional components to the CAN bus that can behave as firewalls and filter traffic between the various components. This would prevent, for example, an internet-connected component like the head unit from sending messages to a component that has physical control, like the power steering control module. Other solutions might include adding authentication or encryption layers on top of the CAN bus protocol. The drawback to these types of solutions is that many of these require completely redesigning the way vehicle components communicate with each other, either structurally or architecturally.
While these large changes may be necessary, especially considering the slow development time of automobiles – cars designed today won’t be on the road until 2020 or later – we need simpler solutions that can be implemented more quickly. One tool is to add some kind of intrusion detection and or prevention system (IDS/IPS). One of the big weaknesses we exposed when hacking the Jeep was that, despite performing the demonstration many times and sending many malformed or malicious messages on the vehicle’s CAN bus, neither the vehicle itself nor Fiat Chrysler had any inkling that these attacks were occurring. The other reason automotive network IDS/IPS is likely to work is because the CAN bus is a very controlled and predictable environment populated entirely by automated computers that communicate at well-established time intervals. As such, it is easy to detect anomalous or unexpected traffic. (In contrast, enterprise networks have humans surfing the web, rendering JavaScript and sharing Microsoft Word documents, etc., and so it is difficult to detect strange activity). This solution would enable the automobile to detect attacks, investigate further, and possibly take preventative actions. While automotive network IDS/IPS is not a silver bullet for automotive security, it represents a relatively simple and inexpensive layer of security that could be quickly added to existing automobiles.
Another weakness highlighted by the Jeep hack is that car manufacturers should consider implementing over the air updates. Thankfully, some companies already are doing this, but updates are an important part of securing systems, and all companies should implement these updates. The code shipped in your automobile is not perfect and will contain security vulnerabilities. Over the air updates allow vulnerabilities to be fixed as they are discovered. After the vulnerability in the Jeep head unit was reported, there was no easy way to fix all the exposed vehicles. Chrysler mailed out USB sticks to allow drivers to update it themselves or asked them to take their cars to the dealer. Neither of these solutions is ideal from a consumer’s perspective. Of course, there are downsides to over the air updates. One is it could possibly introduce even more security vulnerabilities. However, experience shows that this particular mechanism is rather small, simple, and can be done in a mostly secure fashion. Historically, there haven’t been a large number of vulnerabilities in software update mechanisms. Another downside is that sometimes the car may not be available to drive or at least may have some features unavailable during the updating processes. Despite these potential downsides, having the ability to fix critical software vulnerabilities is an important part of securing modern vehicles and should be implemented by all manufacturers.
Those two additions would improve automotive security. However, the biggest improvement would come from more transparency by the automotive industry. Ever since vehicle attacks were first publicly discussed in 2010, automotive manufacturers have responded that they take this issue seriously and are working on it. The response of the Jeep hack, five years later, was nearly identical. Car manufacturers tell consumers that their cars are safe and not to worry about these attacks. They reassure us that they have teams working on this issue. But how are consumers to know? It is common practice in the computer security field to publish details of how security systems are designed and implemented. Companies such as Microsoft, Apple, and Google publish papers describing exactly how their web browsers are secured, how memory is protected from attacks, etc. At first glance, one might think this gives an advantage to attackers. But in security, good systems should be hard to attack even if you know how they work. The way web browsers encrypt data is well known and documented, but we can still safely shop online. Sure, hackers occasionally steal credit card numbers. But this theft is due to corporate breaches and data dumps, not because the hacker has somehow broken web browser encryption and snatched the numbers during transit.
If the only thing keeping us safe from automotive cyberattacks is the secrets of how automotive systems are designed, we are in for a bad time. Releasing information about how their automobiles are designed to resist attack not only forces manufacturers to design robust systems, it allows them to learn from one another as well as give a way to differentiate the systems when making purchasing decisions and gives security researchers like myself a chance to make comments or suggestions without purchasing a car and spending a year figuring out how the system works. So far, the members of the automotive industry have chosen to make their security decisions proprietary and rely on an approach of security through obscurity.
One positive recent trend is that manufacturers are beginning to reach out to the security researcher community. General Motors offers a program where security researchers can report vulnerabilities they find. Tesla and Fiat Chrysler go a step further and promise to actually pay researchers for vulnerabilities they report. While these types of “bug bounty” programs are common in the software world, it is nice to see some manufacturers beginning to embrace them in an effort to get help from the outside research community.
Trying to secure automobiles from cyberattacks offer some interesting differences from traditional information security. The biggest difference is that if a hacker attacks your work computer, they may steal some data, some photos, or your contact list. If a hacker attacks your car, you may find yourself in a ditch needing medical attention. Clearly, the ability to affect this physical system makes cyberattacks on automobiles is an important issue that needs our attention.
The other big difference is that at home or at the enterprise, as a user, you can take actions to protect yourself. You can buy firewalls to protect your network, antivirus to protect your computer, choose which web browser to use, or utilize password managers. There are a large number of free and commercial solutions available to help you if you are feeling security conscious. On the other hand, when it comes to automobile security, you’re largely at the mercy of the manufacturer.
It is almost impossible, even for an expert, to determine if one manufacturer is doing a better job than another at protecting their vehicles. Consequently, as consumers our only options are to let car manufacturers and our government officials know that this is an issue with which we are concerned as well as encourage active and open research by the computer security community. We don’t want the automobile manufacturers to stop innovating. We want new features; we just want to make sure they are designed in a secure way.
Dr. Charlie Miller is "one of the most technically proficient hackers on Earth", according to Foreign Policy. After receiving his PhD in Mathematics from the University of Notre Dame, Dr. Miller was a computer hacker for the National Security Agency for five years. Since that time he has been a consultant and worked for the Twitter and Uber information security teams. Lately, he spends considerable time in the field of automotive security along with his research partner Chris Valasek. He is currently leader of Autonomous Vehicle Security at Didi Chuxing.