Even today’s most sophisticated interconnected vehicles aren’t immune to cyber attacks. At the 2020 Black Hat Conference, a group of security researchers from the company Qihoo 360 demonstrated how they could hack a Mercedes-Benz E-Class car and remotely start its engine and open its doors.
How Did They Do It?
Using a testbench, the research team reverse engineered the vehicle to expose its software. This allowed them to spot weaknesses. They meddled with the file system of the car’s telematics control unit (TCU), the component that allows the vehicle and the internet to communicate. The TCU gave them a gateway to the car’s root shell, which provides administrative access to the vehicle’s private data, such as passwords and certificates. Due to a weak certificate password, they were able to access the vehicle’s internal network in China, which could give them control of other cars in the vehicle’s network in the region. The researchers also gained access to the vehicle’s back end (essentially the heart of its internal network) by attacking its embedded SIM card, which connects it to cell networks.
Their success foretells a potentially frightening future, considering most new cars today come with some form of internet connection, be it an entertainment system or navigation. In the coming years, vehicles will be even more connected, especially autonomous ones, making such potential attacks incredibly dangerous. In addition to privacy concerns, cyber security experts fear these types of vulnerabilities could allow bad actors to take control of autonomous vehicles and use them to wreak havoc on roads.
Protecting Connected Vehicles With “Security By Design”
From connected vehicles to electric scooters, the e-mobility industry is widespread yet also quite new. As a result, cyber security features are not currently evenly distributed throughout these systems.
In today’s connected vehicles, battery management and the main digital interface are where attacks are most likely to occur. Hackers could also gain control through malware on USBs, which could give them a gateway to other parts of the car and, ultimately, the entire network.
A potential solution could be “security by design,” in which security is embedded into all elements of a connected vehicle from the initial stages of its design, rather than waiting until the final stages. This would require a complete rethinking of how vehicles are made. “[E-mobility] is new technology and they’re working on iterating on current technology,” Mark Adams, a former principal security engineer at Lyft, told the Financial Times. “Security by design is still in its early stages—but you’ll see a lot of those in the autonomous vehicle industry are starting to grow out their security teams, and taking it seriously.”
Examples of a “security by design” approach include:
- Routinely analyzing and monitoring security threats within the supply chain, starting with the most basic components.
- Ensuring that third-party vendors are following practices in compliance with the security policies of your organization.
- Making cyber security the responsibility of every employee in the organization, rather than relying on a small group of individuals. For example, this could mean investing in cyber security training for your employees.
- Ensuring the security review process is objective by hiring outside experts, as well as going through industry-standard audits to identify vulnerabilities.
Experts Urge Lawmakers to Regulate Connected Vehicles
As autonomous vehicle technology begins to rev up across the world, experts are calling on governments to establish regulations. The United Nations Economic Commission is currently initiating regulations in 54 European nations. While the U.S. has not imposed specific regulations, the SELF DRIVE Act does require manufacturers to create a policy around how they would respond to cyber attacks for vehicles that are highly automated.
Although connected vehicles currently pose potential threats to public security and safety, many experts say they also have the potential to prevent accidents, reduce vehicular deaths, and make our roads safer and less congested. However, regulations and enhancements in vehicle-to-vehicle technology need to come first in order to maximize the benefits.
Automotive Cyber Security
As the automotive industry continues to work on intelligent and autonomous vehicles, there is a need to better comprehend the safety and security of this connected technology. The IEEE five-course program, Automotive Cyber Security: Protecting the Vehicular Network, aims to foster the discussion on automotive cyber security solutions and requirements for not only intelligent vehicles, but also the infrastructure of intelligent transportation systems.
Joffe, Rodney. (6 August 2020). Making the business case for security by design. Security Magazine.
Whittaker, Zack. (6 August 2020). Security bugs let these car hackers remotely control a Mercedes-Benz. TechCrunch.
Shah, Sooraj. (19 July 2020). Why e-mobility is the ‘Wild West’ of cyber security. Financial Times.