Connected Cars: Threat Intelligence Hits the Road

December 16, 2015 • Chris Poulin

As a species, humans have evolved our environment faster than our instincts to sense danger. In caveman days we had to be alert to the presence of predatory animals: saber-toothed tigers, swooping pterodactyls, the daggered maw of a T-rex.

The formation of agricultural societies brought new dangers, and millennia later, we were still pretty much close to nature, but with gunpowder and domesticated horses for transportation. We find ourselves barely a few centuries after that, living in houses that automatically adjust the temperature for us, carrying sophisticated computers that allow us to have food delivered and track the whereabouts of our loved ones at any time, and our transportation is effectively a combination of a house and a mobile phone.

There’s no way we’ve adapted our biological risk mechanisms to threats that are new since the technological revolution, much less those that have cropped up in the last thirty years.

In fact, when polled, most Americans are terrified of shark attacks but would have no compunction about walking up and petting a cow; and yet we’re 22 times more likely to be killed by a cow than a shark. In large part that irrational fear is due to exposure to popular fiction and movies like “Jaws” and “Sharknado,” whereas our primitive ancestors would most likely give cows a wide berth, but stand scratching their misshapen skulls at the sight of a shark.

The press has done it again, but this time instead of sharks it’s connected cars.

Connected Cars and Security — What Are the Risks?

Charlie Miller and Chris Valasek spent the last three or so years hacking various connected cars, from a Toyota Prius, to a Ford Escape, and most recently, a Jeep Grand Cherokee. The culmination of their research was sitting WIRED reporter Andy Greenberg behind the wheel of the Jeep and remotely controlling the vehicle, turning it into a haunted house on wheels.

First, Miller and Valasek jacked up the radio volume to disco while disabling the controls so Greenberg couldn’t turn it down. But that was just the appetizer; the entrée was disabling the brakes. Andy panicked and steered the car off the road in order to stop it, and that was the picture that appeared at the top of the ensuing article: a Jeep nose down in a ditch.

The takeaway for most drivers was that hackers can, and will, subvert control of their vehicle and cause mayhem, possibly leading to physical harm to them and their passengers.

[Figure: Connected Car Security Timeline]

But the reality is that threat actors have little motive to harm John and Jane Q Public as they roll merrily down the road. Threat actors break down into two broad categories: cyber criminals, who are motivated by money, and ideologues, the latter comprising hacktivists, terrorists, nation states, and sometimes insiders. I break down the threat actors, their general motives, and some possible attacks in an article on TechCrunch.

Finding the Vulnerabilities Before They Become a Problem

I believe car theft will continue to be a threat, although self-driving (a.k.a., autonomous) vehicles may allow thieves to control cars from thousands of miles away, sending them to chop shops without having to have a cohort behind the wheel. Ransomware will also likely find its way into a vehicle near you: the screen in your car may demand a few bitcoin in order to unbrick the engine. Nation states may listen in over the hands-free microphone in a high-powered diplomat’s limousine. Harm, however, only shows up in isolated cases of highly targeted individuals.

The good news is we most likely have a couple of years before threat actors start actively targeting connected vehicles; instead of burying our heads, the public and automakers should welcome the efforts of researchers. We need to find and mitigate the vulnerabilities in connected vehicles before they’re widely exploited by the dark side of the cyber security battle. And in fact, we should all become familiar with connected vehicle features and capabilities by embracing the technology: buy a connected car and actively engage with automakers through social media.

Hey, if you’re a geek, buy an OBD-II adapter and get some code off GitHub and start playing. The best disinfectant is sunlight.

Chris Poulin

Chris Poulin is a research strategist for IBM’s X-Force research and development team, responsible for researching and analyzing security trends in cybercrime with a special focus on Internet of Things and connected vehicle security.