The potential threats posed by Internet of Things (IoT) devices corrupted by hackers have been discussed ad nauseam for some time now but the vast majority of these threats are relatively benign in nature – data theft risks, backdoor entry points to a larger corporate network, takeover of devices by malicious actors, etc. – and don’t involve the potential for physical injuries to humans. However, that’s not the case in the brave new world of connected and autonomous automobiles, which if compromised, could result in the loss of human life.
Such a scenario has even been played out on the big screen in the film, “The Fate of the Furious,” in which a team of cyber terrorists hijacks a variety of connected vehicles and turns them into weapons. While the plot may have only been the creation of a writer’s imagination, the threat of internet-connected cars being compromised is real and has been demonstrated with frightening results.
In 2015, two white-hat hackers showed how they could leverage the Uconnect system in a Jeep Cherokee to take control of a variety of systems in the SUV, including its steering, brakes and transmission. As a result of the experiment, Fiat Chrysler issued a recall of 1.4 million vehicles to update their software to prevent a similar attack from being carried out in the future.
According to Bob Anderson, Principal at security consulting firm The Chertoff Group, any vehicle that has an open connection to the internet has the potential to be hacked and compromised in some way. This is particularly problematic when it comes to autonomous vehicles, which are expected to be in more widespread use in the coming years, especially in long-haul trucking and taxi/ride share operations.
“In the last few years we’ve seen terrorists, if they can’t get guns or bombs, they’ll take a car or truck and run it through a crowd of people, so there are definitely people – I don’t know if they have the technological capability to do it or not – who would look to weaponize autonomous cabs, tractor trailers or anything that doesn’t have somebody in it,” says Anderson, who served more than 20 years in the FBI.
The Nation-State Threat
Fortunately, Anderson says carrying out an attack in a lab environment, like many of the documented vehicle cyber intrusions that have been reported thus far, is much easier than executing one in the real world, however; they do demonstrate that it can be done. Perhaps the larger threat stems not from terrorists being able to take over a single vehicle or even a handful of connected vehicles, but rather a nation-state actor gaining access to a company that operates a fleet of autonomous cars and wreaking havoc on transportation across an entire city or region.
“I don’t think you’re necessarily going to see attacks specified to a vehicle, so I think the bigger threat is making sure the command centers for autonomous vehicles are not breached. Think of it this way, if you get in on the backside of the autonomous vehicle, whatever it is, you then have access to all of the fail-safe mechanisms that are built into it and the ability for you to then be able to pick a vehicle for an attack would be much more strategic,” Anderson adds. “When’s the last time you were at the airport and the monorail that’s taking you to the gate had somebody in it? These vehicles are out there, they’re out there in the oil industry, there definitely in the transportation industry and I think by the end of this year and into next year, you’ll see them come online for real.”
Collaborative Security Approach Needed
Unlike other industries in which cybersecurity only became a primary concern once it started to impact the bottom line, Anderson says automakers have been very proactive in looking for safety features to mitigate the cyber threats posed to vehicles.
“The auto industry, quite frankly, is probably one of the better industries in the United States when it comes to cybersecurity,” he says. “This is not an issue they’ve been thinking about for the past couple of weeks. Way before we started talking about autonomous vehicles or autonomous long-haul trucks around the country… they had artificial intelligence and different levels of prioritizing (cybersecurity) in vehicles for a while. As this integration of technology started to go into these vehicles five years ago, they started thinking way out in front of, “Ok, what If we get to the point that these cars are driving themselves?’”
Rather than just simply shoving regulations on industry from a distance, Anderson believes that the federal government needs to do a better job of working with the private sector in addressing national cybersecurity threats, like those posed by autonomous and connected vehicles, because the feds are no longer the technology leaders they used to be.
“In the old days, Big Brother was the government. The government had the technology and they had the ability to look at a lot of things. I will tell you, having spent a lot time in the government, Big Brother nowadays is the private sector tech giants and all of this technology that we’re utilizing just to live our everyday lives, including autonomous vehicles,” he says. “It would be in the interest of our country if the U.S. intelligence community, the Congress and everybody worked hard to partner in a meaningful way with private sector companies.”
In general, Anderson says that cybersecurity risks are not showing any signs of slowing down and that trying to stay ahead of the bad guys in mitigating attacks against connected vehicles and critical infrastructure networks is the new normal.
“Unfortunately, I did 30 years in law enforcement and I’ve been in the private sector for three years, none of this is getting better,” he says. “I wish I could say that it is but it’s not. These threats are not going away and the only way to defeat them is to try and be out in front of the possible bad things that can happen and work from there.”
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].
