#UNITEDsummit: Car Security Must Be Balanced with Innovation

Automotive cybersecurity has undoubtedly become a “must-do”—as evidenced by the prototype hacks on connected Jeeps and others that could give remote actors control over the vehicle. These have made headlines and prompted recalls and Congressional reviews, but the issue of how, exactly, to best approach car security is still an open question.

In its most extreme form—implementing total encryption and the use of TPM modules—security can have adverse effects on everyone from mom-and-pop mechanics to the home garage tinkerer to the “pimp my ride” aftermarket shops. The potential for a chilling effect on innovation is a very real possibility, says Rapid7 research director for transportation security Craig Smith, who joined the company over the summer and hacked his first car in 2008.

Speaking to audiences at the UNITED 2017 company summit, he explained that there’s a disconnect between what the security industry thinks is best practice, and how the automotive industry actually functions.

“Once the auto industry acknowledged that there might be a problem, security companies saddled up to come to the rescue,” he said. “The recommendation has been to try to lock down everything using PKIs. But that doesn’t translate well to cars, or a lot of consumer items for that matter.”

Security and the Issue of Ownership

In the auto industry, ownership is a thorny issue. Consumers spend tens of thousands of dollars to purchase a car, but the vehicle runs software under an implicit license that the automakers control. Theoretically, then, the automakers have ownership over the part of the car that actually lets it function.

Security companies want to exploit that fact, so that every software module is signed and encrypted, and only the car-maker owns the keys. But the ripple effects from that approach would put everything from satellite radio distributors to remote start and seat-warmer purveyors out of business—while severely limiting the options for consumers.

“If every module is encrypted and everything requires a key to sign for, this affects a lot of consumers,” Smith said. “It affects performance tuners, who do aftermarket and custom upgrades; it affects tinkerers and hobbyists that might want to replace or upgrade the radio or in some way customize their cars. You can’t do any of that in a signed environment.”

It also affects third-party mechanics that operate outside the auspices of the dealership. They sell aftermarket replacement parts and offer a cost-effective alternative to service at the dealership. But as automakers take more and more control over fixes and what people outside of their organizations can do, 56% believe they’ll be out of business within five years, Smith said.

Home car engineers that are pioneering self-driving approaches and other innovations would also be cut off at the knees.

“We’re looking at a world where we say, only these three companies can make self-driving cars because they have money and no one else can compete,” Smith said.

A New Approach

“Over the past five years, we’ve seen increased recognition for security research as a valuable part of the transportation development process,” Smith said. “Manufacturers are working to better understand how software vulnerabilities impact the safety of their products.”

Noting Buckminster Fuller’s famous quote that “To change something, you must build a new model that makes the existing model obsolete,” Smith said that there are models that can preserve owner autonomy while addressing security. His main proposal is for a warranty-voiding switch.

If you don’t change your process, you will lose this war.

“This ties into the root certificate, so that you can manually press a button that overrides the encryption,” he explained, comparing the process to rooting or jailbreaking a mobile device. “When you override it, you put it into safe mode and tell it to ignore all signed keys for the moment. So this will allow someone to modify their car. Once that switch is flipped, the car is marked as tainted [out of warranty]—you can’t take it back if things go wrong with your modifications and say, ‘it broke.’”

The switch approach also helps with the resale process, as buyers can know if someone modified the vehicle.

“This eliminates the possibility of a middleman attack,” he said. “This is hardware-based verification. People can use their device—in this case, a car—and can feel secure using it, without being stuck in a prison where no changes can be made.”

Rapid7’s IoT Division Launches

Cars are a part of Rapid7’s new internet of things (IoT) practice. The unit will help organizations think strategically about building security practices into product development lifecycles, provide thorough assessment and testing of potential weaknesses for both hardware and software, and offer forensic analysis for devices that have been compromised.

The division includes a transportation specialty, led by Smith, aimed at solving manufacturers’ specific needs and concerns. Rapid7 works with original equipment manufacturers (OEMs) and tier suppliers to fit into development workflows.

“Rapid7 understands the transportation industry, the needs of its engineers, what methods work, and which ones do not—we’ve seen what happens when security isn’t implemented correctly or is considered too late in the process,” said Smith. “We’re focused on identifying real risks to create custom solutions that integrate into what’s most important to the business, without compromising design.”

IoT Threat Grows

Cars are of course far from the only issue in IoT. According to Gartner’s Internet of Things Primer for 2016, by 2020, over 20 billion connected things will be in use across a range of industries. While driving significant productivity gains for businesses and consumers, this exploding growth also creates new attack vectors and presents increased risk. In addition to securing IoT devices themselves, IT and security professionals are charged with defending their networks against this new threat vector.

IoT devices not only create new opportunities for attackers to invade networks to steal information, they can also be hacked to gain access to physical spaces and assets, or even cause harm to users. As users become more dependent on the functionality of connected devices, the risk represented by loss of use or corrupted use becomes even greater.

Compromised IoT devices can also be used to launch and amplify crippling distributed denial of service (DDoS) attacks against others, as demonstrated by the recent Mirai botnet attacks.

“The risk posed by IoT devices has moved from theoretical to real-world,” said Deral Heiland, IoT research lead at Rapid7. “When we consider IoT, we’re no longer talking about a single or highly unlikely, targeted instance of a vulnerable device that leads to one compromised system or consumer. We’re now seeing large-scale attacks that leverage huge numbers of devices against extremely popular organizations. As a result, device developers and manufacturers are coming under increased scrutiny and heightened expectations. Their products are assumed secure, though many of these product developers are still learning the fundamentals of secure design principles.”
