Staying secure with connected cars

From entertainment systems to tyre sensors, modern cars are full of potential security vulnerabilities. Ben McCluskey looks at how Tesla’s aggressive approach could point the way for other car manufacturers. 

As a tech-first company from Silicon Valley, the concept of ‘Agile’ software development is baked into Tesla’s DNA, and optimising security is part and parcel of a concept that boils down to quick delivery of a product that meets the customers’ needs, followed by regular updates containing ‘nice-to-have’ features and bug fixes.

Tesla’s concept of the ever improving car helps it jump on security issues quickly

A good example of agile in practice is the Tesla version 8.0 software rolled out last autumn. This delivered over 200 new features, including temperature monitoring when the car is parked for long periods of time, a new media player and autopilot improvements. The car is no longer a product, it’s an ever-improving service.

Whilst Elon Musk’s brainchild may be evolving quickly it isn’t perfect. Back in September 2016, a research team at Chinese IT firmTencent hacked into the braking systems of a Tesla Model S using its WiFi connection. However, unlike the uncertainty Fiat Chrysler showed in the wake of 2015’s infamous Jeep hack, Tesla’s over-the-air fix was logical and came within weeks of Tencent cracking the Model S.

If a major breach results in significant financial loss, OEMs will quickly see the value in collaboration

So, how has car security been improved by this new breed of tech-led manufacturer? And in what areas does the entire industry still need to improve according to the specialists?

Third-party collaboration

“Tesla was the first company to realise the value of collaborating with third-party researchers,” said Josh Corman, a founder of I Am the Cavalry, a security non-profit that developed the 5 Star Safety Framework outlining critical capabilities the industry needs to move forward. “Collaboration is key because it increases the volume and variety of problems the manufacturer didn’t (and perhaps couldn’t) catch themselves. This informs and instructs better design principles.” Since the Palo Alto manufacturer launched its coordinated vulnerability disclosure programme, General Motors and Fiat Chrysler Automobiles have followed suit. It’s a big step in the right direction, but more manufacturers must follow suit.

Professor Carsten Maple from The University of Warwick believes the need for even broader, industry-wide disclosure will soon be impossible to ignore: “The financial services sector came together to share information and analyses because hacking events represented such critical and costly threats to the entire industry,” he explained. “If someone dies due to a car hack, or if a major breach results in significant financial loss, OEMs will quickly see the value in collaboration.” Maple also sits on the Cars and Roads SECurity (CaRSEC) Expert Group at the European Union Agency for Network and Information Security Agency (ENISA) which is calling for a European version of the Automotive Information Sharing and Analysis Center (Auto-ISAC).

Over-the-air updates

Security vulnerabilities are akin to virus outbreaks. If emergent security issues aren’t tackled quickly, the window of exposure is increased and the cost of recall and repair grows significantly. As speed and coverage are the main concerns, over-the-air updates seem to provide the clearest path to achieving this, but many of the OEMs are concerned seem reticent to invest in rolling out this functionality: “So far, only Tesla, BMW and Mercedes can do over-the-air updates securely; Ford has made a public commitment to do so in the near future,” said Corman. “Over-the-air updates are controversial because many companies think over-the-air represents a new attack vector. To some degree that’s true, but we know how to lock them down pretty well and the benefits far outweigh the risks.”

Divide and conquer

Any time a hacker/researcher demonstrates their ability to compromise a car’s physical operation, they are reiterating a major flaw in current architecture: the failure to properly segment and isolate the critical and non-critical systems. All cars have some degree of segmentation, but the degree of logic needs to improve and, ideally, also incorporate physical ‘air gaps’ between the systems.

Hackers remotely took control of Jeep Cherokee back in 2015, prompting the recall of 1.4 million vehicles

Once again, Tesla is in a strong position. As part of the version 8.0 upgrade, and in response to the Tesla S hack, the company rolled out a measure called code signing. This requires any firmware written for components on the CAN Bus – the internal system that controls critical systems – be signed with a cryptographic key only the manufacturer possesses. The result is very tight control over anyone attempting to reprogram critical components.

Evidence capture

Recording electronic systems operations provides visibility over root causes when problems arise, yet no manufacturer is publicly using privacy-respecting ‘black box’ evidence capture. These records can plainly show sources of error, be they malfunctions, design defects or deliberate attack. “Take Chris Valasek and Charlie Miller’s hack on the Jeep Cherokee in 2015”, said Corman. “They claimed in their public speaking that it took months to get it to work. Months. My argument is that if car companies had invested in even basic logging technology, the researchers’ failed attempts would have been noticed and rectified months before the successful hack attempt that led Fiat Chrysler to recall 1.4 million vehicles.”

On this point, Maple was keen to flag an added level of complexity: “If the main hack attempts are on the Sprint network, how does Fiat Chrysler gain access to that information? That’s not a trivial question.” These are questions all manufacturers need to answer. Another challenge is the gathering of intelligence “There are ways for hackers to isolate the information the car is relaying,” Maple explained. “I could put the car in a simulated Faraday cage whereby the car appears to be connected to a 3G network, but the information is in fact being diverted to a sink hole, rather than the manufacturer.” Nevertheless, Corman remains resolute that this added layer of protection is vital, though he’s under no illusions it will be easy: “This capability will require a lot of effort, but it is foundational for improving safety in the long-term so starting now will help us achieve this goal.” As manufacturers become increasingly data dependent, it’s hard to disagree.

Safety by design

Security systems are clearly better when they’re built-in rather than bolted on. That’s not an option for cars already on the road, but manufacturers should be working to earn the public’s trust in their designs for the future. Corman believes that even the better performing manufacturers like Tesla and GM can make significant improvements in building confidence in the industry: “No manufacturer has published attestation of their secure software development lifecycle, summarising their design, development, and adversarial resilience testing programmes for their products and supply chain.” When that becomes industry standard, we’ll know the industry has truly embraced an open and agile approach to public safety.