Thanks to security researchers Charlie Miller and Chris Valasek, we already know that late-model cars are vulnerable to cyberattacks that can range from the annoying – say, an uncontrollably blasting horn – to the potentially lethal: slamming on a Prius’s brakes at high speeds, killing power steering with commands sent from a laptop, spoofing GPS, and tinkering with speedometer and odometer displays.
Now, we know that US state police troopers’ cars are also vulnerable to cyberattack.
Virginia State Police (VSP) have been waging cyberwar against 2012 Chevrolet Impalas and 2013 Ford Tauruses and have found that even non-networked cars are susceptible to attacks.
As Dark Reading reports, the project didn’t involve sending a moving car into a ditch or rolling onto highway exit ramps after losing control of the gas pedal, a la Miller and Valasek’s handiwork.
The hacking was done by a public-private working group that focused on stationary police cars.
Virginia Governor Terry McAuliffe kicked off the project in May 2015.
Its focus is to explore the safeguards needed to protect against cyberattacks targeting automobiles.
Participating organizations included Mitre Corp., the Virginia Department of Motor Vehicles, the University of Virginia, and others, in cooperation with the Department of Homeland Security (DHS).
In a series of attacks on a VSP Impala and and one on its 2013 Ford Taurus, the researchers found they could make it impossible to shift gears from park to drive, cause a spike in engine RPMs, cause the engine to accelerate without applying a foot to the pedal, and cut off the engine completely.
Besides the groups’ success in wrecking havoc with the gearshift, the instrument panel and the engine, researchers from Mitre also wrote attack code that opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers, and squirted wiper fluid.
This isn’t an attack that’s easy to pull off or one that’s happened outside of a security research setting.
Like Miller and Valasek’s earlier work in this field – such as the 2013 hijacking of a Ford Escape to make it plow into some weeds in an abandoned parking lot – the hijacking of the state police cruisers’ computer systems required physically jacking in to the cars.
Mitre’s first attacks on the cars involved a mobile phone app connected via Bluetooth to a device planted in the vehicle, according to Brian Barrios, portfolio director of Mitre’s National Cybersecurity Federally Funded Research and Development Center (FFRDC).
The Impala lacked Bluetooth or cellular connectivity, so the Mitre device provided it.
Creating custom software for such an attack, as Mitre did, would require knowledge of the car model’s electronics, he said.
Between the need for physical access to a police cruiser like one of these, plus an intimate knowledge of its electronics, it’s hard to imagine an average person being able to pull off such an attack.
That doesn’t make it impossible, though, and that’s the point, Barrios said: we need to know what attacks are feasible so we can prepare for them.
According to Dark Reading, Kaprica Security built a proof-of-concept, real-time device to thwart attacks like the one Mitre came up with. The device also collects forensic data from an attack.
The device is a dongle that can be plugged into the car’s so-called On Board Diagnostics (OBD) and which can detect and block abnormal commands.
Other attacks, on the Ford Taurus, were cooked up by Msi. One such attack performed a denial-of-service (DoS) that blocks the car from starting, while yet another attack emanated from a mobile device and succeeded in remotely starting the car.
They also managed to lock and unlock the car so as to trap the driver inside – at least, until he or she rolled down the window and manually opened the door.
The researchers also came up with yet another dongle-like device that monitors the ODB II port and detects any hacking tools plugged into the car’s port, as well as any attacks over the CAN bus, and which, like Kaprica’s tool, blocks attacks and collects attack forensic data.
While neither Ford nor GM worked directly on the project, both carmakers knew of it and provided statements about vehicle cybersecurity.
The University of Virginia study is helpful to remind industry, regulators, law enforcement and consumers that cybersecurity is an issue that requires focused attention. The staged cyber-attack on a Ford vehicle required unrestricted physical access to the interior to install a device that provided remote access to the electronic control module.
This study does not simulate any immediate real-world risk. It highlights the need to be vigilant about vehicle security and to avoid plugging in devices or technologies that do not have proper security safeguards. And, it serves as a reminder that all connected computing systems should have appropriate safeguards in place to mitigate the threat of cyber-attacks.
And from GM:
GM takes matters such as potential cyber threats, which affect our customers’ safety and security very seriously. We are taking a layered approach to in-vehicle cybersecurity and are designing many vehicle systems so that they can be updated with enhanced security measures as potential threats evolve.
We recently created an integrated organization, Vehicle and Vehicle Services Cybersecurity, which consists of internal experts who work with outside specialists, and is actively working to minimize risks of unauthorized access to vehicles and customer data.
Well, thank heavens they’re taking it seriously.
Not that they have much choice, mind you: calls for securing vehicles have been getting ever louder since we first heard of a remote attack against an unnamed vehicle back in 2011.
Concerns have become more amplified still in the wake of Miller and Valasek remotely taking over a Jeep (no physical jacking-in required) from 10 miles away a few months ago.
US Senator Edward Markey issued a report in February 2015 that criticizes what had been, up to that point, the auto industry’s weak response to addressing security vulnerabilities, as well as the lack of privacy protections for the data collected from vehicles by the manufacturers.
Markey also introduced legislation in July seeking to establish mandatory security standards for all cars and trucks.