What Does the Volkswagen Hack mean for IoT Security?

64
161

A remote hack-attack on Chrysler Jeeps dominated headlines this past summer when researchers used an exploit to wirelessly control parts of a car’s systems.  Initially, they took over the air conditioning, the windshield wipers and the radio.  Intrigue grew to concern, however, when those same researchers showed how they could also slow down the car on the highway without any chance for the driver to maintain control. Those revelations led to the first known product recall on a networked car:  The Jeep Manufacturer Fiat Chrysler had to update software in more than 1.4 million of its vehicles.

Are Car Hacks A Real Problem?

The Jeep hack was just one of several hacks during the summer.
Security experts from an IT security firm were also able demonstrate a hack when shut down a moving Tesla Model S at low speed.  A couple of weeks ago I had the pleasure to test drive a Tesla S car and for me this experience was amazing and scary at the same time.  Amazing from a driving experience point of view, because the Tesla S has a velocity of almost 0.8G and you feel like a rocket. But on the other hand, it was scary from an IT Security point of view.  The Tesla S is essentially a tablet computer on wheels. Its central command unit is remotely connected and it get updates all the time, with no real control from the car owner.

And now, more recently, Volkswagen had to admit that they had deliberately changed the behavior of their software during specific circumstances, in what is being considered a de-facto software hack.  How did this Volkswagen hack happen?  The fraud was possible because the company ran engine management software that could recognize laboratory situations and this could turn the engine into a kind of diet mode. Putting aside questions of ethics and responsibility, this is another example of how cars are not being designed with hacker protection in mind, regardless if the hacks are coming externally or internally.

A New Era Has Dawned

We are now in a time in when technology companies must provide “digital confidence.”  This is necessary and should be mandatory to keep customer trust.  From a technology and historical point of view, consider this the beginning of a digital Cambrian explosion.  In the Cambrian explosion 524 million years ago, conditions changed virtually overnight. Almost all known animal species emerged and before this, almost three billion years had passed with just a few algae and bacteria on earth.  Such a comparable explosion has begun now in the digital world.

Three reasons stand out from many others.

  • First, everything is connected with everything else via the Internet and cloud infrastructure. This is the baseline for all steps which are following.
  • Second to consider is the amount of data generated from all devices connected to this cloud. It is getting massive and clearly cars are now a connected “Thing” in this context.
  • And third, is the digital intelligence of data processing.  This does not mean artificial intelligence, but the variety of calculations that are possible using the amount of sensor data available today. Software can now recognize the most complex situations and customize the behavior of the machine, for good and for bad. In most cases this is for our advantage in our day to day life, but it can also be negative when such “bots” can become attackers.

Machine Learning Is the Next Level of the Evolution

In the Volkswagen case, the car had not become a learning machine (yet), but they did develop an intelligent application program that was able to adapt to specific situations and driving scenarios.

The fact is that digital automation is now a driving force behind many aspects of life, including the cyber-attack landscape. A modern upper class car carries million lines of code in its system, Tesla might be even more, and it is hardly feasible to have serious examinations and quality control over such large amounts of code.

Consequences for IoT Security

The Internet of Things (IoT) is here and it is real and cars are becoming a fundamental part of it. But the software-driven world of this new car technology and with it the related economy, is becoming a central problem for cyber security.  It involves pieces of work from different suppliers that use some proprietary software, some of which may be many years old.

For driving safety, there is a long tradition and also legal requirements like manufacturer crash tests. But the issue of safety is not bound to a security check in the software, which is used in the car nor to the network and connectivity layer of a car. Let’s face it, no Internet-connected car is without cyber-attack risk anymore and as a first step we have to have cyber security tests as part of the operation permit certification. This must be mandatory as legal requirement or regulation.

Everybody who is doubting this reality should consider that we’ve seen a more than 300% increase in organizations under constant cyber-attack, a sure indication that attacks now come from tireless machines. For those wondering how the security community should respond, the answer may well be a “if you can’t beat them, join them” approach where the same degree of automation is implemented into security management. We’ve reached a “my good bot against your bad bot” state in security.

Join me next week at IP Expo in London (7-8 October, Excel London), for my seminar on cyber-attacks and geo-political events. I look forward to having you in the session and discussing with you latest trends in cyber security.

64 COMMENTS

  1. Even taking your car to the dealer for an oil change can be a cyber risk. Updates to the firmware present on most vehicles today are uploaded via the CD player and can easily be altered with malware installed by a rogue service technician or anyone else that gains access to the vehicle. Low tire pressure sensors are Bluetooth controlled and usually unprotected which can give access to anyone close enough to connect which could allow a hacker to change the programming low pressure tolerance setting and giving the driver a false low pressure reading. Scary stuff!

  2. “the Tesla S has a velocity of almost 0.8G”

    G’s are a unit of acceleration, not velocity. It’s like saying, “we drove a distance of 30mph.”

  3. Some things are better off left in human hands and this is one of them. At least place a safety protocal to do as such for the driver to overide the system in case of such an emergency.

    • Exactly! Notice that he didn’t even mention driver-less cars, in testing now. Not only could persons inside, be killed remotely by some hack, say a president diplomat, by nefarious rogue government agents, just as an off he wall example. But let’s say a terrorist group hacked cars, and drove them into large crowds possibly laden with explosives. They need an airplane any more, with millions of cars available. It wouldn’t even involve a suicide bomber! Fantasy? Sure, …for now.

      • No, I live in Pittsburgh, we have had self driving taxi’s and Uber for over a year. There has been a steering wheel and driver in all those cars, but PA just past a law, beginning in 2017, a few weeks away. No steering wheel or driver needed. So it’s not so far off that a terrorist could take over this car and us it as a weapon.

  4. I would not call the VW emissions scandal “a hack”. The VW engine management software was designed to cheat by the engineers and was installed at the factory.

  5. Tom,
    The 2nd tier emissions program discovered in VW products is most definitely a hack. It was not universally known within the corporate structure, but only by a small group of engineers. It shows that a data breach can happen from any source, external and internal. Technically it can happen anytime the OBD2 port is accessed, during emissions testing, at the dealer, or any plug in.

    • The corporate structure is not aware of 99% of what engineering does.

      The product was delivered by VW with that behavior.. Very simply enabling emission control for a set timeframe when “tester present” on the OBD port. Delivered that way means desired behavior. Not a hack.

  6. R. Buckminster Fuller said: “The future of humanity depends on the integrity of the actions of each and every human being.” Lacking ethics and integrity, we are doomed. I prefer to believe in the innate goodness of people. Nonetheless, Jesus said (in the book of Thomas): “Be ye as wise as serpents and as harmless as doves.”

  7. so the TESLA being hacked was not over the air and your comments are very misleading… They had months to hack the car, and had to have physical access to it… TESLA fixed the vulnerability to all cars immediately.

    There is a valid concern though that the more we interconnect cars etc… the more we need to worry about security.

    • Keith…An analogy re: taking time to hack… Not quite the same situation but speaks to the time it takes…Flying airplanes into the Twin Towers and the Pentagon took a long time to plan and the culprits had to have access to planes to train on, but once the training was done, physical access to prep each and every target was not needed. For our case, once the Jeep hackers researched and learned how to do it, they would not need physical access to each and every car. Just gotta have the same architecture, OS, ports, software, etc. They can do it in a larger scale to many more cars of the same type if there is no patch. Absent any action to prevent it, terrorists/hackers/whomever will find a way, no matter how long it takes. Preventive measures are important. Build in security and get rid of the vulnerabilities.

  8. At my age of 82 I recall the emergence of the digital age and I am afraid of what it has brought so far…and since the future is indefinitely uncertain that makes it even more scary…I do not have a smart phone and do not ever intend to get on as I see what it has done to young people and life in general…people cannot even walk their dogs without chatting on a cell phone…and forget banking online…all I have for money are numbers on a computer screen…I still prefer paper checks and deposit receipts thank you very much…so now we have smart cars and what comes next???…it must all be god’s will of course, or it would be different…generator, operator, destroyer…GOD..it controls everything from atoms to galaxies…ergo theofatalism…look it up…www.theofatalism.org

  9. I disagree with calling the Volkswagen scandal a hack. The engine computer manufacturer included a “testing mode” in their software that allows the car manufacturer to disable emission control. Volkswagen chose to use that mode to game the emissions testing. No “hacking” involved there. Actually a simple case of fraud.

  10. Remember the Y 2 K scare. Surely dare guards can be devised to prevent takeovers of vital functions.Nevertheless, my pencil may break or my pen may need a refill, but I am the intelligence behind them for check writing & starments. I insist on a paper trail!

  11. How special it will be when all the google self driving cars get hacked at the same time. Methinks I’ll stick to driving myself. Or park my self driving car next to the gyrocopter Popular Mechanics said I would by flying to work.

  12. Wow! Maybe my car will have a comments section one day. Instead of the “middle finger” we will just write a “strongly worded” comment that will fuel more comments seeking to best the previous comment. If machines start taking over just form them into committees and they’ll cease to make ANY progress. Their code will be flawed just like us…

  13. Stopped reading when you called the VW thing a hack. This is not accurate at all and makes it obvious you are just grasping for 3 supporting facts.

    • Interesting info. I had not heard these details before. I read Sifi and one scenario had people using chips implanted in their brains for me memory aids and communication. In the story people could get hacked and taken over. The story is several years old. Impressive how the authors imagination was so accurate. Think I will pass on that one!

    • It us a back if you did not know there was a problem with YOUR car and they, behind your back, went into your vehicles controls and fixed their problem without notifying you first. If they can do this what us to stop them from doing something worse is stopping your car in the middle if rush hour on the freeway. Just a thought. Look beyond the obvious.

  14. Nikola Tesla was a fascinating man; He was a hundred years ahead of his time. From the motor to the wireless connectivity, his ideas are part of this intelligently designed car.

    I find it interesting that you compare a mindless event some claim to have occurred 524 million years ago to the technology explosion we are experiencing. Is not evolution mindless? Yet this technology explosion is expertly designed? Did you know your DNA is a highly complex code designed to build and sustain your body? Fascinating.

    The Volkswagen issue was not a hack. It was designed from the inside to thwart emissions testing. Pure deception on the part of the manufacturer and no hacking was involved.

    We definitely need to keep our software controlled “things” safe and secure, not just from hackers, but also from the very manufacturers that would insert deceptive programming. Like the 82 year old Lewis, I look forward to a day when I don’t need to be connected.

    http://www.creation.com

    • Who cares about who hacked what FIX THE FUCKING PROBLEMS put an automatic back trace on any change in the auto while diving and make it so the memory card is a six ply replaced card that gets all updates at home on an exact copy during the day and put in the next day. With automatic backtracks on any deviation from sopf

    • A better way to describe the VW issue is to say their engineers hacked the entire testing system, using multipurpose software that was designed to run the engine AND exploit certain vulnerabilities in the emissions testing protocol.

  15. A remote hack attack on Chrysler Jeeps dominated headlines this past summer when researchers used an exploit to control parts of car system without using wires. IOT security will hack the problem raised from this issue.

  16. It’s sad when a tech writer doesn’t know the difference between acceleration and velocity. The car’s “velocity” is not 0.8G, its acceleration is 0.8G. Perhaps the author should enroll in a Physics 1 course at a local community college.

  17. In rereading what I just wrote, it does come off a bit mean-spirited. I’m sorry about that! Perhaps it was just a typo of the mind, confusing velocity with acceleration.

    • Agreed about the “typo”. I expect better in tech columns. However that doesn’t invalidate his larger point, which is that we’re headed for a LOT of unintended consequences. Brooks’ Buckminster Fuller comment about personal integrity is relevant. The global climate change issue is an even more significant example of unintended consequences that are being ignored or denied by far too many people who should know better.

  18. There are 2 types of businesses: those that know that they have been hacked and those that have yet to discover the hack. The electronic cars should have an emergency backup file, offline. the OS can only be activated manually by the driver. the speed of the vehicle may however make this too little too late.

    • There is alwayd going to be defects in innovatoions till it gets refined technology fast pace business market grabs

    • It isn’t a “hack” if it is just poorly written code.
      It isn’t a “hack” if someone guessed someone’s password, then inserted “bad code”
      It isn’t a “hack” if someone left the door open enough for someone to change the code without permission.

  19. If the “designers” would simply keep ALL critical systems off the cloud and require all updates to be authorized by a human (the owner of the car) at home or wherever, it would be a huge step in minimizing this problem of “live access”.

  20. Why do all the cars have to have all this crap on them. I want to be able to drive myself and not have a car dive me. I think it’s the way the governments can control us. We should have a chose. Some model with all this technology and some without. It shouldn’t be shoved down our throat.

  21. What the author purposely left out, was that Tesla was the only car that could not be remotely cracked. It required being given the keys to the car try to open it up and have physical access to the computer.
    Apparently, even the professional car thieves were unable to break into the car as well.

LEAVE A REPLY

Please enter your comment!
Please enter your name here