{"id":6904,"date":"2016-03-14T10:12:54","date_gmt":"2016-03-14T14:12:54","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6904"},"modified":"2019-11-22T10:11:07","modified_gmt":"2019-11-22T10:11:07","slug":"car-hacking-rsac-2016","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/car-hacking-rsac-2016\/6904\/","title":{"rendered":"Hacking a car: a real threat or yet another shocker?"},"content":{"rendered":"<p>Since last year, there has been no doubt about the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/blackhat-jeep-cherokee-hack-explained\/6065\/\" target=\"_blank\" rel=\"noopener\">possibility\u00a0of taking control over a connected car remotely<\/a>. So, isn\u2019t it a little odd that we\u2019ve yet to see any hacked cars, racing around the streets? \u00a0Is it just a real threat or just a hypothetical possibility?<\/p>\n<p>Judging by the discussions going on at RSA 2016, the answer is complex. Right now the real threat is minimum however this will only increase over time. In several years, the situation will be far more complicated and dangerous than we currently see. What\u2019s worse, the car industry is organised in such a way that manufacturers would probably be solving these fundamental problems for decades. So if we don\u2019t want to lose the rush completely, it\u2019s high time to act. \u00a0Fortunately, many manufacturers are beginning to understand this as well.<\/p>\n<h3>No need for panic\u2026<\/h3>\n<p>\u2026But if you want to lift your adrenalin, watch the video taken by the Wired team and the duo of most famous automobile hackers, <a href=\"https:\/\/twitter.com\/0xcharlie\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Charlie Miller<\/a> and <a href=\"https:\/\/twitter.com\/nudehaberdasher\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Chris Valasek<\/a>.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/MK0SrxBC1xs?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>In the video, you\u2019ll find the Wired editor <a href=\"https:\/\/twitter.com\/a_greenberg\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Andy Greenberg<\/a>, driving a brand new Jeep. At the same time Miller and Valasek remotely hack Andy\u2019s car: they turn on the radio and the wipers, <a href=\"https:\/\/www.kaspersky.com\/blog\/remote-car-hack\/9395\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">slow or stop\u00a0the car<\/a> and do their best to show, that the steering, wheels, pedals and brakes are remotely controllable. \u00a0Because they\u2019re not directly connected (instead there\u2019s a lot of built-in computer systems on the way from one control element to another) they are vulnerable to hackers.<\/p>\n<p>Luckily,\u00a0only a few modern cars can be tricked in such a way. According to Kelley Blue Book experts, who reported this issue at RSA, the average car driven on US roads are 11 years old. That\u2019s why the majority of cars are not equipped with Internet or Bluetooth connection and various devices, which could let the hackers in. In a sense, old cars are like old phones: dumb.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BlackHat?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BlackHat<\/a> 2015: The full story of how that Jeep was hacked <a href=\"https:\/\/t.co\/y0d6k8UE4n\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/y0d6k8UE4n<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/bhUSA?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#bhUSA<\/a> <a href=\"http:\/\/t.co\/SWulPz4Et7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/SWulPz4Et7<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/629651596876644352?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 7, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>A criminal would have to study\u00a0<em>a lot<\/em> of technologies and devices to hack a connected car. It\u2019s a big and complicated task. That\u2019s not the all: they would also need to invest money into the work as well as some special equipment. For example, Miller and Valasek studied this topic for four years and in the end learned how to hack only a handful of\u00a0car models.<\/p>\n<p>PCs mostly have the same type of processor units (Intel) and only a few Operating Systems (like Windows, OSX, Linux). A cars computer system consists of dozens of different specialised computers that interconnect via <a href=\"https:\/\/en.wikipedia.org\/wiki\/CAN_bus\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CANbus<\/a>.<\/p>\n<p>From one point of view this is bad as such architecture makes it difficult to implement standard security measures, but it also protects it\u00a0from criminals, who\u2019ll need to spend a <em>great amount of time<\/em> to understand what is what.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Black Hat and DEF CON: Hacking a chemical plant \u2013 <a href=\"https:\/\/t.co\/KSnCTtLt5U\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/KSnCTtLt5U<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/634086251205926913?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 19, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>There is no room for complacency<\/h3>\n<p>Of course, this plateau period will not last forever. The number of connected cars is constantly increasing. According to Kelley Blue Book, for the last 5 years the amount of cars models connected <em>by default<\/em>, increased from 2 to 151.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6906\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/03\/05194106\/carhacking-rsa-stats.png\" alt=\"carhacking-rsa-stats\" width=\"1024\" height=\"655\"><\/p>\n<p>Besides, there are a lot of devices with Internet access, which can be built into even old cars via CANbus. For example, insurance and logistics companies often install trackers that monitor how well\u00a0people drive, where and how often they stop over and other things such things. <a href=\"http:\/\/www.securityweek.com\/researchers-hack-car-insurance-dongle\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Such devices can be hacked<\/a> as well to gain the remote access to CANbus and critical car systems.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Progressive?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Progressive<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Snapshot?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Snapshot<\/a> Exposes Drivers to Car Hacking: <a href=\"https:\/\/t.co\/c8I8lc1zu0\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/c8I8lc1zu0<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/560112663741857794?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 27, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The positive dimension is that the number of experts who study this problem is increasing as well. For example, the <a href=\"http:\/\/opengarages.org\/index.php\/Main_Page\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Open Garages<\/a> project studies cheap or free hardware and software solutions, which let a user to analyse data from automobile network and interfere into its work. Besides, OpenGarages has contacts of garages, where you can find autos, tools and other infrastructure for testing new software and ideas.<\/p>\n<p>The simplest equipment for CANbus study are based on Raspberry Pi or Arduino. Together with accessories, they cost about $100. There are even open source apps for that of different functionality range; some of them are even free. This means, that the number of known vulnerabilities and decrypted sub-network control protocols will increase. Malicious application of this nature\u00a0is only a matter\u00a0of time.<\/p>\n<h3>Time to act<\/h3>\n<p>There are no simple solutions for this problem like <i>install an antivirus to the main computer system<\/i>. CANbus is a standard protocol, which originates from the 80s. It allows all the systems interconnect without authentication. If you want to improve it you\u2019d have to change almost all the systems in the car. This work is more than\u00a0likely to be done at some point however as CANbus will soon become a bottleneck for manufacturers.<\/p>\n<p>Another problem\u00a0for manufacturers is that, as Kelley Blue Book reports, the majority of surveyed people think that manufacturers should\u00a0provide the\u00a0security system, not the\u00a0auto dealer or a third party organisation.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Fiat Chrysler Recalls 1.4 million Cars After Software Bug is Revealed: <a href=\"https:\/\/t.co\/0G9HKy10DI\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/0G9HKy10DI<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/624616075607433216?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 24, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>At the same time the car industry has little to no experience in developing protective solutions for their autos. The situation is the same for manufacturers of car components, who also <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/explaining-how-volkswagen-dieselgate-happened\/6560\/\" target=\"_blank\" rel=\"noopener\">face the same problem<\/a>.<\/p>\n<p>Fortunately, security experts and companies are familiar with these problems, as they have already gone down that path during the last ten years. The IAmTheCavalry project recommends to accept a <a href=\"https:\/\/www.iamthecavalry.org\/domains\/automotive\/5star\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">five-star safety program<\/a>, which gives a star for every security measure, implemented properly. So we can say that there are five major problems to be solved:<\/p>\n<p><strong>1. Secure Software Development Lifecycle, or safety by design<\/strong><br>\nThis means that you develop a car following basic security principles: your projects are standard based to ensure more predictable, normalised and comprehensive practices. Your hardware and software supply chains are all well-governed and traceable to make it easier to remedy any defects. The attack surface and complexity of your code is systematically reduced. And finally, you regularly invite specialists for independent, adversarial resilience testing.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">So, how did <a href=\"https:\/\/twitter.com\/hashtag\/Dieselgate?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Dieselgate<\/a> actually happen? A look under the hood: <a href=\"https:\/\/t.co\/WEUi1cnIJT\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/WEUi1cnIJT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/autohacking?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#autohacking<\/a> <a href=\"https:\/\/t.co\/HTobFIrg9L\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/HTobFIrg9L<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/684741364798623744?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 6, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>2. Third party collaboration<\/strong><br>\nThis means that all researchers who have found a vulnerability, should know what\u2019ll come after they report their findings. They must not be threatened by court. Instead, rewards and bounty programs are much welcomed. For example, <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/tesla-model-s-being-hacked-and-patched-blazing-fast\/6082\/\" target=\"_blank\" rel=\"noopener noreferrer\">Tesla already rewards<\/a> experts who find vulnerabilities in their cars but it\u2019s not yet a widespread practice in the car industry.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Tesla Model S being hacked and patched blazing-fast <a href=\"https:\/\/t.co\/ZuC0uzeKfn\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ZuC0uzeKfn<\/a> <a href=\"http:\/\/t.co\/al9naQnsbx\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/al9naQnsbx<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/630751291342483460?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 10, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>3. Evidence capture<\/strong><br>\nUntil a car has a \u201cblack box\u201d, it will be hard to investigate an incident and gather any proof of hacking. Such black boxes should keep the records of CANbus data exchange. At the same time, privacy concerns should also be taken into account: this data should not be transferred anywhere.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">What is a plane's \"black box\" really?  <a href=\"https:\/\/t.co\/cXLa0FE3ba\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/cXLa0FE3ba<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/airplanes?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#airplanes<\/a> <a href=\"https:\/\/t.co\/3iCiJ9m6sm\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/3iCiJ9m6sm<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/664869307369787392?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 12, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>4. Security updates<\/strong><br>\nIf your car is vulnerable to hackers, you can solve this problem, however you need to visit a car dealership in order to do this. Of course, this complicates the update process and as such, a number of people did not install the updates at all. That\u2019s why OpenGarages recommends that manufacturers create an \u201cover the air\u201d update system \u2014 just like the Apple\u2019s solution, implemented in their phones.<\/p>\n<p><strong>5. Segmentation and isolation<\/strong><br>\nCritical and non-critical systems should be independent, so that criminals could not break the whole car by hacking an entertainment\u00a0application, for example. It\u2019s also necessary to implement techniques that indicate when a system has been compromised.<\/p>\n<p>Fortunately, all these measures can be implemented in cars that will be developed in a the next few\u00a0years. \u00a0However, with more and more connected cars on the roads, manufacturing should be looking to secure cars now.<\/p>\n<p>We at Kaspersky Lab take part in the development process as well. We are open for cooperation with car parts manufacturers and auto-mobile makers to help them develop cars that are secured by design.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>2015 proved: it\u2019s possible to hack a connected car remotely. But is it as dangerous as it appears?<\/p>\n","protected":false},"author":32,"featured_media":6905,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[1363,629,842,78,525,1362,1344,97,993],"class_list":{"0":"post-6904","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-auto","10":"tag-cars","11":"tag-future","12":"tag-hackers","13":"tag-hacks","14":"tag-rsa-2016","15":"tag-rsac2016","16":"tag-security-2","17":"tag-technologies"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/car-hacking-rsac-2016\/6904\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/car-hacking-rsac-2016\/5359\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/car-hacking-rsac-2016\/6853\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/car-hacking-rsac-2016\/6834\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/car-hacking-rsac-2016\/7936\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/car-hacking-rsac-2016\/7708\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/car-hacking-rsac-2016\/11193\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/car-hacking-rsac-2016\/11551\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/car-hacking-rsac-2016\/6111\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/car-hacking-rsac-2016\/7228\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/car-hacking-rsac-2016\/10739\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/car-hacking-rsac-2016\/11193\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/car-hacking-rsac-2016\/11551\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/car-hacking-rsac-2016\/11551\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/auto\/","name":"auto"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=6904"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6904\/revisions"}],"predecessor-version":[{"id":17770,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6904\/revisions\/17770"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/6905"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=6904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=6904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=6904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}