Bad Cars: Protecting Against IoT-Based Cyberattacks

By Alan Grau, VP of IoT, Embedded Systems, Sectigo.

Many IoT industry pundits and technology “experts” have let their imaginations run wild with theories about what could happen if your car was attacked by bad actors.

Yes, there have been a few real-world cases where white-hat hackers and researchers have been able – in limited, controlled instances – to actually penetrate a car’s electronics and communications systems, to take over the car’s steering and acceleration systems, and potentially to do real damage. And as our cars become ever more connected via infotainment systems, downloadable software updates, and by communications between autonomous cars and between the cars and the cloud, there will be even more opportunities for bad things to happen.

However, there are other scenarios that might not be as obvious.

For example, what if your car’s computer was infected by a virus that greatly reduced the engine’s efficiency or capped the car’s maximum driving speed? What if the virus did something less dramatic, such as make the car unable to lock the controls for automatic window operation, or simply prevent the car from starting? No one would die, but the car owner would be very upset, posing a disaster for the automobile’s manufacturers.

Ransomware for Next Generation Cars – Holding the Manufacturers Hostage

Modern day vehicles, with millions of lines of code, are susceptible to cyberattack – on the road, in the repair shop, and even on the assembly line.

Electric and autonomous vehicles require a complex network of sophisticated control and safety technologies for their electrical power systems to safely manage the high voltages that store and distribute energy from their battery systems. If something goes wrong, the car cannot operate, people could get electrocuted, or the car could even burst into flames or explode. These are real dangers that are managed by the car’s network of fuses, circuit breakers, and electronic control systems.

What would happen if a cyber hacker got into these sensitive electronic systems and turned off the safety and control system? It would not be good…

Why would someone do this? Money is one answer. Politics could be another, as rogue nation states seek to undermine the industrial and manufacturing sectors of their enemies.

Suppose the bad guys successfully penetrated and infected these vehicles? Imagine now that they had the software or security keys that could fix these problems, but instead, hold them as ransom, jeopardizing an automaker’s entire fleet of new cars.

How many millions (or tens of millions) of dollars would the automaker pay to get that solution? Holding a manufacturer hostage is a very real possibility, as evidenced by the fees paid to today’s hackers by hospitals, cities and other large businesses that are victims of ransomware attacks. Six-figure payments just to return these institutions’ data have been reported.

Cyberattacks – Targeting Factories and Components

It is possible for cars to be infected before they even hit the auto dealers’ lots. Bad actors have the capability to infect a small electronic part, essential to the auto manufacturing food chain, purchased from one of the hundreds of a vehicle’s component suppliers.

How could auto manufacturers possibly test each electronic element? It is almost impossible, and it requires that parts manufacturers themselves take more care in their software development process to ensure that the software in these components is not infected during the manufacturing process, or during the testing and shipping processes.

Of course, cyber infections could happen on the actual assembly line where the cars are put together. With many car manufacturing plants using Internet of Things (IoT) connected robots and machines, there is always a possibility of infection happening on the assembly line. The robots and machine systems assembling the vehicle could be maliciously instructed to insert malware during assembly, making it very difficult for a manufacturer to diagnose and repair.

These components could even become infected after assembly, during the manufacturers’ testing and process. Infection during installation, or through after-market parts and upgrades, could arise after the vehicles arrive at the dealers’ facilities. New car software updates can be delivered from the manufacturer via the web to the dealers’ repair shops and then downloaded into vehicles before and after they are sold. Inserting corrupted and infected updates is yet another delivery vector for an IoT-based attack.

Automobile software is extremely complex, with millions upon millions of lines of code required to manage, control, and operate a vehicle’s numerous subsystems and components. Once the software is hacked, discovering the bad code – especially if it is cleverly written and inserted – could be almost impossible.

Already aware of the possibility and the potential disastrous effects of infected cars reaching the market, manufacturers throughout the supply chain need to safeguard their devices from attacks and infections even before they leave the warehouse.

This means embedding IoT security from day one, from the smallest ECUs to the most complex systems. It means implementing secure tracking records to ensure that both the car’s hardware and software are protected from outside bad actors throughout the entire manufacturing and distribution process, and to guarantee that these parts and components remain immune from malicious cyber infections.

Author Bio – Alan Grau, VP of IoT, Embedded Solutions, Sectigo
Alan has 25 years of experience in telecommunications and the embedded software marketplace. He is VP of IoT, Embedded Solutions at Sectigo. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. Prior to founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola. He has an MS in computer science from Northwestern University.
About Sectigo
Sectigo (formerly Comodo CA) provides award-winning, purpose-built and automated PKI management solutions to secure websites, connected devices, applications, and digital identities. As the largest commercial Certificate Authority, trusted by enterprises globally for more than 20 years, and more than 100 million SSL certificates issued in over 200 countries, Sectigo has the proven performance and experience to meet the growing needs of securing today’s digital landscape.
