main

Attack Types & VectorsHacksSecurity

What Does the Volkswagen Hack mean for IoT Security?

October 1, 2015 — by Werner Thalmeier64

A remote hack-attack on Chrysler Jeeps dominated headlines this past summer when researchers used an exploit to wirelessly control parts of a car’s systems.  Initially, they took over the air conditioning, the windshield wipers and the radio.  Intrigue grew to concern, however, when those same researchers showed how they could also slow down the car on the highway without any chance for the driver to maintain control. Those revelations led to the first known product recall on a networked car:  The Jeep Manufacturer Fiat Chrysler had to update software in more than 1.4 million of its vehicles.

Are Car Hacks A Real Problem?

The Jeep hack was just one of several hacks during the summer.
Security experts from an IT security firm were also able demonstrate a hack when shut down a moving Tesla Model S at low speed.  A couple of weeks ago I had the pleasure to test drive a Tesla S car and for me this experience was amazing and scary at the same time.  Amazing from a driving experience point of view, because the Tesla S has a velocity of almost 0.8G and you feel like a rocket. But on the other hand, it was scary from an IT Security point of view.  The Tesla S is essentially a tablet computer on wheels. Its central command unit is remotely connected and it get updates all the time, with no real control from the car owner.

And now, more recently, Volkswagen had to admit that they had deliberately changed the behavior of their software during specific circumstances, in what is being considered a de-facto software hack.  How did this Volkswagen hack happen?  The fraud was possible because the company ran engine management software that could recognize laboratory situations and this could turn the engine into a kind of diet mode. Putting aside questions of ethics and responsibility, this is another example of how cars are not being designed with hacker protection in mind, regardless if the hacks are coming externally or internally.

A New Era Has Dawned

We are now in a time in when technology companies must provide “digital confidence.”  This is necessary and should be mandatory to keep customer trust.  From a technology and historical point of view, consider this the beginning of a digital Cambrian explosion.  In the Cambrian explosion 524 million years ago, conditions changed virtually overnight. Almost all known animal species emerged and before this, almost three billion years had passed with just a few algae and bacteria on earth.  Such a comparable explosion has begun now in the digital world.

Three reasons stand out from many others.

  • First, everything is connected with everything else via the Internet and cloud infrastructure. This is the baseline for all steps which are following.
  • Second to consider is the amount of data generated from all devices connected to this cloud. It is getting massive and clearly cars are now a connected “Thing” in this context.
  • And third, is the digital intelligence of data processing.  This does not mean artificial intelligence, but the variety of calculations that are possible using the amount of sensor data available today. Software can now recognize the most complex situations and customize the behavior of the machine, for good and for bad. In most cases this is for our advantage in our day to day life, but it can also be negative when such “bots” can become attackers.

Machine Learning Is the Next Level of the Evolution

In the Volkswagen case, the car had not become a learning machine (yet), but they did develop an intelligent application program that was able to adapt to specific situations and driving scenarios.

The fact is that digital automation is now a driving force behind many aspects of life, including the cyber-attack landscape. A modern upper class car carries million lines of code in its system, Tesla might be even more, and it is hardly feasible to have serious examinations and quality control over such large amounts of code.

Consequences for IoT Security

The Internet of Things (IoT) is here and it is real and cars are becoming a fundamental part of it. But the software-driven world of this new car technology and with it the related economy, is becoming a central problem for cyber security.  It involves pieces of work from different suppliers that use some proprietary software, some of which may be many years old.

For driving safety, there is a long tradition and also legal requirements like manufacturer crash tests. But the issue of safety is not bound to a security check in the software, which is used in the car nor to the network and connectivity layer of a car. Let’s face it, no Internet-connected car is without cyber-attack risk anymore and as a first step we have to have cyber security tests as part of the operation permit certification. This must be mandatory as legal requirement or regulation.

Everybody who is doubting this reality should consider that we’ve seen a more than 300% increase in organizations under constant cyber-attack, a sure indication that attacks now come from tireless machines. For those wondering how the security community should respond, the answer may well be a “if you can’t beat them, join them” approach where the same degree of automation is implemented into security management. We’ve reached a “my good bot against your bad bot” state in security.

Join me next week at IP Expo in London (7-8 October, Excel London), for my seminar on cyber-attacks and geo-political events. I look forward to having you in the session and discussing with you latest trends in cyber security.

Werner Thalmeier

As a Solution Evangelist, Werner Thalmeier is responsible for driving Security Product Strategy for Radware in the EMEA region. Before joining our team, he headed the global product management team at M86 Security as VP of Product Management and was also previously VP of Product Management at Finjan. An active member of IT industry for over 20 years, Werner has gained extensive field experience working with vendors, customers, technology partners and resellers in various management and engineering positions.

64 comments

  • Richard Quigley

    October 7, 2015 at 5:29 pm

    This is something we all should be made aware of.

    Reply

    • Tim

      February 19, 2016 at 3:04 pm

      they got the day/date reversed. FYI.

      Reply

      • Mike

        March 5, 2016 at 8:44 pm

        They simply arranged it in collating sequence – minor to major.

        Reply

        • Gary Mootz

          March 9, 2016 at 9:56 pm

          Which is the way the US military and much of Europe does it. Samsung reverses every thing and does year, month, day.

          Reply

      • William Seet

        September 29, 2016 at 11:01 pm

        In many countries date convention is day month year.

        Reply

    • Fred VonColln

      December 6, 2016 at 2:38 pm

      Richard Quigley?

      Reply

  • Alexander Dean

    October 16, 2015 at 4:39 pm

    Even taking your car to the dealer for an oil change can be a cyber risk. Updates to the firmware present on most vehicles today are uploaded via the CD player and can easily be altered with malware installed by a rogue service technician or anyone else that gains access to the vehicle. Low tire pressure sensors are Bluetooth controlled and usually unprotected which can give access to anyone close enough to connect which could allow a hacker to change the programming low pressure tolerance setting and giving the driver a false low pressure reading. Scary stuff!

    Reply

    • BeeH

      December 20, 2015 at 3:37 pm

      False low pressure reading. So what?

      Reply

      • Brian F

        February 17, 2016 at 2:35 pm

        That’s VERY SERIOUS. If they get a low pressure reading they will have to break out their “low tech” tire pressure gauge and NOBODY KNOWS HOW TO USE LOW TECH ANYMORE. Or they are just too lazy.

        Reply

      • Maggie

        February 24, 2016 at 2:58 pm

        Kidnapping when they stop to check the tires comes to mind, but I may have watched too many Criminal Minds episodes.

        Reply

    • Bob Lupini

      April 29, 2017 at 11:44 am

      Ho Adriaen! Where is my model T parked? Has MicroSofty heard about this?

      Reply

  • Jon

    October 23, 2015 at 5:24 am

    “the Tesla S has a velocity of almost 0.8G”

    G’s are a unit of acceleration, not velocity. It’s like saying, “we drove a distance of 30mph.”

    Reply

    • Tom Johnston MD, FACS

      December 9, 2015 at 12:26 pm

      …and you feel acceleration, not velocity…

      Reply

    • Igor

      December 9, 2015 at 2:15 pm

      Velocity is also a Vector, it’s two parts; Magnitude and direction.

      Reply

      • Tim

        February 19, 2016 at 3:03 pm

        Like TJ said…

        Reply

      • Obsolete Professor

        May 5, 2016 at 11:25 pm

        In your world..

        Reply

    • Juan Salazar

      June 12, 2016 at 1:27 pm

      Ahahaha… Thank you. I thought Is losing MY mind.

      Reply

    • CarNut

      August 19, 2017 at 8:30 pm

      Also, just because a car is electric doesn’t mean it has more computing power than an internal combustion car… In fact it needs less because it doesnt have to monitor a bunch of fuel injectors, spark plugs, obd diagnostics, etc… A hybrid like the Volt has to do both gas and electric so that’s actually more sophisticated

      Reply

  • unsecured loans

    October 29, 2015 at 3:20 am

    Marvelous, what a blog it is! This web site gives valuable data to
    us, keep it up.

    Reply

  • eddie g

    December 4, 2015 at 8:03 pm

    smartypants

    Reply

  • Rick

    December 7, 2015 at 11:31 am

    Some things are better off left in human hands and this is one of them. At least place a safety protocal to do as such for the driver to overide the system in case of such an emergency.

    Reply

    • Ron

      December 12, 2015 at 1:34 pm

      Exactly! Notice that he didn’t even mention driver-less cars, in testing now. Not only could persons inside, be killed remotely by some hack, say a president diplomat, by nefarious rogue government agents, just as an off he wall example. But let’s say a terrorist group hacked cars, and drove them into large crowds possibly laden with explosives. They need an airplane any more, with millions of cars available. It wouldn’t even involve a suicide bomber! Fantasy? Sure, …for now.

      Reply

      • Ron

        December 12, 2015 at 1:38 pm

        Sorry, blasted typo’s, before my coffe, lol!
        sic (…president OR diplomat,…), sic (…They WOULDN’T need an airplane…)

        Reply

      • Fred Flinstone

        June 5, 2016 at 8:53 pm

        I can’t wait to get my self driving car and have it drive my robot up to a bank teller and then…….

        Reply

      • Tammy

        December 14, 2016 at 11:38 pm

        No, I live in Pittsburgh, we have had self driving taxi’s and Uber for over a year. There has been a steering wheel and driver in all those cars, but PA just past a law, beginning in 2017, a few weeks away. No steering wheel or driver needed. So it’s not so far off that a terrorist could take over this car and us it as a weapon.

        Reply

  • Tom

    December 8, 2015 at 7:40 pm

    I would not call the VW emissions scandal “a hack”. The VW engine management software was designed to cheat by the engineers and was installed at the factory.

    Reply

  • Steven

    December 10, 2015 at 12:08 pm

    Tom,
    The 2nd tier emissions program discovered in VW products is most definitely a hack. It was not universally known within the corporate structure, but only by a small group of engineers. It shows that a data breach can happen from any source, external and internal. Technically it can happen anytime the OBD2 port is accessed, during emissions testing, at the dealer, or any plug in.

    Reply

    • BeeH

      December 20, 2015 at 3:51 pm

      The corporate structure is not aware of 99% of what engineering does.

      The product was delivered by VW with that behavior.. Very simply enabling emission control for a set timeframe when “tester present” on the OBD port. Delivered that way means desired behavior. Not a hack.

      Reply

  • John Brooks

    December 13, 2015 at 10:59 am

    R. Buckminster Fuller said: “The future of humanity depends on the integrity of the actions of each and every human being.” Lacking ethics and integrity, we are doomed. I prefer to believe in the innate goodness of people. Nonetheless, Jesus said (in the book of Thomas): “Be ye as wise as serpents and as harmless as doves.”

    Reply

  • Kris

    December 15, 2015 at 3:02 pm

    Anyone have a bicycle they can sell me?

    Reply

    • Bicycle Bobs Prescott WI

      December 28, 2015 at 2:44 pm

      yup, but now many of the quality and elite bike come with electronic shifting

      Reply

    • styrgwillidar

      May 23, 2016 at 5:02 pm

      You don’t need a bike, just a car/truck without all the cr@p on it.

      Reply

  • keith

    December 17, 2015 at 2:23 pm

    so the TESLA being hacked was not over the air and your comments are very misleading… They had months to hack the car, and had to have physical access to it… TESLA fixed the vulnerability to all cars immediately.

    There is a valid concern though that the more we interconnect cars etc… the more we need to worry about security.

    Reply

    • Lisa

      December 11, 2016 at 4:26 pm

      Keith…An analogy re: taking time to hack… Not quite the same situation but speaks to the time it takes…Flying airplanes into the Twin Towers and the Pentagon took a long time to plan and the culprits had to have access to planes to train on, but once the training was done, physical access to prep each and every target was not needed. For our case, once the Jeep hackers researched and learned how to do it, they would not need physical access to each and every car. Just gotta have the same architecture, OS, ports, software, etc. They can do it in a larger scale to many more cars of the same type if there is no patch. Absent any action to prevent it, terrorists/hackers/whomever will find a way, no matter how long it takes. Preventive measures are important. Build in security and get rid of the vulnerabilities.

      Reply

  • Lewis Tagliaferre

    December 20, 2015 at 3:04 pm

    At my age of 82 I recall the emergence of the digital age and I am afraid of what it has brought so far…and since the future is indefinitely uncertain that makes it even more scary…I do not have a smart phone and do not ever intend to get on as I see what it has done to young people and life in general…people cannot even walk their dogs without chatting on a cell phone…and forget banking online…all I have for money are numbers on a computer screen…I still prefer paper checks and deposit receipts thank you very much…so now we have smart cars and what comes next???…it must all be god’s will of course, or it would be different…generator, operator, destroyer…GOD..it controls everything from atoms to galaxies…ergo theofatalism…look it up…www.theofatalism.org

    Reply

  • BeeH

    December 20, 2015 at 3:41 pm

    I disagree with calling the Volkswagen scandal a hack. The engine computer manufacturer included a “testing mode” in their software that allows the car manufacturer to disable emission control. Volkswagen chose to use that mode to game the emissions testing. No “hacking” involved there. Actually a simple case of fraud.

    Reply

  • E William Meharra

    December 29, 2015 at 2:19 pm

    Remember the Y 2 K scare. Surely dare guards can be devised to prevent takeovers of vital functions.Nevertheless, my pencil may break or my pen may need a refill, but I am the intelligence behind them for check writing & starments. I insist on a paper trail!

    Reply

  • richard story

    February 12, 2016 at 10:01 pm

    How special it will be when all the google self driving cars get hacked at the same time. Methinks I’ll stick to driving myself. Or park my self driving car next to the gyrocopter Popular Mechanics said I would by flying to work.

    Reply

  • LURCH_1972

    February 15, 2016 at 2:54 pm

    Wow! Maybe my car will have a comments section one day. Instead of the “middle finger” we will just write a “strongly worded” comment that will fuel more comments seeking to best the previous comment. If machines start taking over just form them into committees and they’ll cease to make ANY progress. Their code will be flawed just like us…

    Reply

  • Nope

    February 17, 2016 at 12:59 pm

    Stopped reading when you called the VW thing a hack. This is not accurate at all and makes it obvious you are just grasping for 3 supporting facts.

    Reply

    • Jim

      February 21, 2016 at 2:19 pm

      Interesting info. I had not heard these details before. I read Sifi and one scenario had people using chips implanted in their brains for me memory aids and communication. In the story people could get hacked and taken over. The story is several years old. Impressive how the authors imagination was so accurate. Think I will pass on that one!

      Reply

    • Joyce

      April 6, 2016 at 5:51 pm

      It us a back if you did not know there was a problem with YOUR car and they, behind your back, went into your vehicles controls and fixed their problem without notifying you first. If they can do this what us to stop them from doing something worse is stopping your car in the middle if rush hour on the freeway. Just a thought. Look beyond the obvious.

      Reply

      • Joyce

        April 6, 2016 at 5:52 pm

        Darn spell check. It is a hack.

        Reply

  • Keith H.

    February 22, 2016 at 12:22 am

    Nikola Tesla was a fascinating man; He was a hundred years ahead of his time. From the motor to the wireless connectivity, his ideas are part of this intelligently designed car.

    I find it interesting that you compare a mindless event some claim to have occurred 524 million years ago to the technology explosion we are experiencing. Is not evolution mindless? Yet this technology explosion is expertly designed? Did you know your DNA is a highly complex code designed to build and sustain your body? Fascinating.

    The Volkswagen issue was not a hack. It was designed from the inside to thwart emissions testing. Pure deception on the part of the manufacturer and no hacking was involved.

    We definitely need to keep our software controlled “things” safe and secure, not just from hackers, but also from the very manufacturers that would insert deceptive programming. Like the 82 year old Lewis, I look forward to a day when I don’t need to be connected.

    http://www.creation.com

    Reply

    • Rcard

      February 24, 2016 at 2:37 pm

      Who cares about who hacked what FIX THE FUCKING PROBLEMS put an automatic back trace on any change in the auto while diving and make it so the memory card is a six ply replaced card that gets all updates at home on an exact copy during the day and put in the next day. With automatic backtracks on any deviation from sopf

      Reply

      • Rcard

        February 24, 2016 at 2:38 pm

        That’s supposed to be simply

        Reply

    • BobboMax Fankhauser

      April 3, 2016 at 3:00 pm

      A better way to describe the VW issue is to say their engineers hacked the entire testing system, using multipurpose software that was designed to run the engine AND exploit certain vulnerabilities in the emissions testing protocol.

      Reply

  • Anthony D.

    February 29, 2016 at 5:31 am

    A remote hack attack on Chrysler Jeeps dominated headlines this past summer when researchers used an exploit to control parts of car system without using wires. IOT security will hack the problem raised from this issue.

    Reply

  • John Browning

    March 2, 2016 at 1:51 pm

    It’s sad when a tech writer doesn’t know the difference between acceleration and velocity. The car’s “velocity” is not 0.8G, its acceleration is 0.8G. Perhaps the author should enroll in a Physics 1 course at a local community college.

    Reply

    • Randall

      June 28, 2016 at 9:05 pm

      most “tech writers” are nothing more than bloggers, twitters, and snapchatters who know some big name people.

      Reply

  • John Browning

    March 2, 2016 at 1:56 pm

    In rereading what I just wrote, it does come off a bit mean-spirited. I’m sorry about that! Perhaps it was just a typo of the mind, confusing velocity with acceleration.

    Reply

    • BobboMax Fankhauser

      April 3, 2016 at 3:20 pm

      Agreed about the “typo”. I expect better in tech columns. However that doesn’t invalidate his larger point, which is that we’re headed for a LOT of unintended consequences. Brooks’ Buckminster Fuller comment about personal integrity is relevant. The global climate change issue is an even more significant example of unintended consequences that are being ignored or denied by far too many people who should know better.

      Reply

  • Clarence

    March 5, 2016 at 7:39 pm

    There are 2 types of businesses: those that know that they have been hacked and those that have yet to discover the hack. The electronic cars should have an emergency backup file, offline. the OS can only be activated manually by the driver. the speed of the vehicle may however make this too little too late.

    Reply

    • victor

      March 6, 2016 at 5:57 pm

      There is alwayd going to be defects in innovatoions till it gets refined technology fast pace business market grabs

      Reply

    • Randall

      June 28, 2016 at 9:09 pm

      It isn’t a “hack” if it is just poorly written code.
      It isn’t a “hack” if someone guessed someone’s password, then inserted “bad code”
      It isn’t a “hack” if someone left the door open enough for someone to change the code without permission.

      Reply

  • Siegfried

    March 18, 2016 at 4:11 pm

    If the “designers” would simply keep ALL critical systems off the cloud and require all updates to be authorized by a human (the owner of the car) at home or wherever, it would be a huge step in minimizing this problem of “live access”.

    Reply

  • john gary

    April 2, 2016 at 6:11 pm

    I wonder how many Gs the Tesla pulls smashing into a wall at eighty mph

    Reply

  • Dan Birch

    April 3, 2016 at 4:10 pm

    It’s way harder to hack a key.

    Reply

    • Nuanda

      April 13, 2016 at 4:15 pm

      Use a screwdriver. Or is that a pick vs a hack?

      Reply

  • JEAN

    April 28, 2016 at 2:04 am

    Why do all the cars have to have all this crap on them. I want to be able to drive myself and not have a car dive me. I think it’s the way the governments can control us. We should have a chose. Some model with all this technology and some without. It shouldn’t be shoved down our throat.

    Reply

  • Windbourne

    May 7, 2016 at 12:22 am

    What the author purposely left out, was that Tesla was the only car that could not be remotely cracked. It required being given the keys to the car try to open it up and have physical access to the computer.
    Apparently, even the professional car thieves were unable to break into the car as well.

    Reply

  • C. Paul Gallagher

    June 3, 2016 at 6:05 pm

    “Journalist” doesn’t know the difference between velocity and acceleration.

    Reply

  • Tom G

    December 10, 2016 at 2:01 pm

    Wow !!!!! We have a lot of “gyro-gearloses” in our world today; I am impressed.

    Reply

  • HondaLaura

    July 15, 2017 at 2:16 pm

    That is why I take Robert Deniro’s advise “Get A HONDA !”

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *