Claudia Bacco, Managing Director – EMEA, has spent her entire career in telecom, IT and Security. Having experience at an operator, software and hardware vendors and as a well-known industry analyst, she has many opinions on the market. She’ll be sharing those opinions along with ongoing trend analysis for RCR Wireless through daily contributions going forward.
With Black Hat USA just concluding and DEF CON 22 hacking conference in process in Las Vegas, we couldn’t expect cars to not have a key presence with all of the connected and self-driving car activities at the moment.
Charlie Miller and Chris Valasek have been at it again this year researching the most/least hackable cars. They examined 24 different cars to determine how a remote attack on the systems in these cars might work.
First it’s helpful to understand how a cyber-attack on a vehicle might work. The good news is that is it more complicated than it might seem. Within cars there are devices called Electric Control Units (ECUs). There are between 20 and 100 of these in any given car. Just to keep it really simple, the ECUs communicate with each other in order to have the car react in a certain way depending on the situation it is in. This is important to know in order to understand how an attack might come to reality.
There are multiple levels to attacking the safety system in a car. And again, we’ll keep it really simple. You can read the entire 92-page report here. If a hacker is able to access the ECUs wirelessly, through Bluetooth for example, they could potentially be able to ‘listen in’ to the activities in the car. To impact the way the car handles there is a second level of intrusion required in order to impact the way the ECUs communicate with each other. This might involve making the car think it is about to have an impact and applying the brakes for example. As mentioned, I’ve kept this really high level as there are many moving parts in this discussion that the longer report does much better justice to if you are interested in all the details.
The report looked to judge the likelihood of specific car models being successfully targeted for a cyber-attack. One of the key findings was that in order to influence the cars behavior remotely — steering, braking, accelerating — it helped the hackers if the car had the more sophisticated features onboard such as park assist, adaptive cruise control, lane assist and collision prevention. Although the presence of these features makes attacks potentially more viable, some of the ECUs also have built-in features to identify when something is not working in the proper fashion related to turning, accelerating, etc. and respond accordingly.
So what were the findings?
There were some key trends across the industry that are worth noting:
- The number of networks, ECUs and attack surfaces are increasing year-over-year allowing for more points of entry for an attack
- Cars are using more common desktop interfaces and apps that are well known to the hacker community
- Cars manufactured in a similar geographic tend to have a similar network
- Newer cars have more opportunities for a cyber-attack as their networks require more computers and ECU interfaces, widening the opportunities for malicious access.
The cars that were tested covered a range of models and age. Cars were from Audi, BMW, Cadillac, Chrysler, Dodge, Ford, Honda, Infiniti, Jeep, Range Rover and Toyota. They ranged in age from 2006 models up through one 2015 model. There was a mix including hybrid and electric vehicles also included. The findings of the most/least likely to be susceptible to an attack were as follows:
Most likely:
- 2014 Jeep Cherokee
- 2015 Cadillac Escalade AWD
- 2014 Infiniti Q50
Least likely:
- 2014 Dodge Viper
- 2014 Audi A8
- 2014 Honda Accord LX
The smarter our cars get, the more appealing they are to malicious intent. I’m sure we’ll see an attack of the cyber-vehicles coming to a movie screen soon, but hopefully not coming to your personal car in the near future!