Answering our Twitter followers’ questions on Automotive Cybersecurity and More.
Today we sat down in Smart Cities Hall at CES with Assaf Harel, Karamba’s Chief Scientist and brought up a selection from the Twitter questions that our followers brought up.
Me: Hi Assaf, it is nice to have you here for this Twitter Q&A. Hope you are ready to answer our followers’ questions.
Assaf: Good morning! Thanks for having me and I look forward to answering their questions.
Me: It is a busy day here in the floor of CES so lets get started.
Me: Our first question comes from @nnachshon ‘Can a hacker implant malicious code while the car is under a software update in the official service center? #QAKarambaCES2019’
Assaf: Yes. A Hacker can implant the malware to the service center computers and from there move laterally into the vehicle. The protocol used to update cars is standard and most of it is known and mapped, so the task is relatively easy. Moreover, upgrade versions are readily available over the internet for hackers to research and reverse engineer, so updating the vehicle becomes even easier for the attacker.
Me: @nnachshon also asked ‘#QAKarambaCES2019 Can you hack an electric car through the charging port?’
Assaf: Yes. The charging port sits behind an Electric Control Unit (ECU), so it’s just as open to hackers as any other externally facing ECU (like infotainment and telematics units). Moreover, the charging unit is connected to an external charging stations that is a “sitting duck” for attacker to hack and then move laterally into the charged vehicle. There have been already several documented vulnerabilities in charging stations and in-vehicle charging units, and it’s logical that the hacking community interest in this attack vector is only going to increase.
Me: Very interesting.
Q: @Roikeman #qakarambaces2019 How easy is to hack a car?
Assaf: If the infotainment is externally connected (even through WiFi, Bluetooth or USB), it’s easy. The end result would be to control the infotainment (showing a ransomware, or mining for bit coins were the most common attacks of 2018). Going from one of the externally connected ECUs into controlling the rest of the car (speed & direction are the holy grail), requires these ECUs to be connected to the rest of the car. Starting from 2010, OEMs are connecting these ECUs, so the made this lateral movement possible. Starting 2016, OEMs added a security gateway to the architecture in order to control this attack vector (separating externally facing ECUS from safety critical ones), but this separation doesn’t work for 100% of the cases, so attackers still find ways to cross the gateway disguising as an allowed operation like cruise-control, self-parking, lane safe-guarding, or any other driving-assistance features provided or controlled by externally facing ECUs.
Q: @gilaedridekel #QAKarambaCES2019 If I get hacked (my car). Who is responsible?
Assaf: The OEM is in charge of the vehicle from beginning to end. The OEM is usually backed up with back-to-back agreements with the Tier-1 providers and protect themselves with recall insurance.
Me: So tell me Assaf, If I jail break my car to customize it. Who would be responsible if my car gets hacked?
Assaf: There’s a big legal debate about it, stating from the mobile device industry, where people used to jailbreak their devices, in order to enjoy more flexibility. The simple answer is that you are the owner of your car, so you’re responsible for that. In reality, though, the OEM will still maintain your car, but only if it can update it back to the supported version. Otherwise, you might have mis-used your car in a way that the OEM cannot guarantee your safety, or the proper behavior of your vehicle, as you might change its road behavior in a way that was neither planned nor tested before.
Q: @shainspan Is personal data vulnerable in an autonomous vehicle? #qaKarambaCES2019
Assaf: Yes. Several ECUs in the system log private information. The body-control unit holds your preferred in-vehicle configuration (seats, lights, AC, etc.). The telematics unit holds specific driving patterns that can easily be classified per driver. The infotainment system holds specific private information like GPS locations, call history, address book and favorite song list. As the infotainment of the future resembles the smartphone more and more, even more services will store user-specific information. All these become especially important, with respect to privacy, in an era, where car sharing becomes the norm, and new car-sharing and fleet-wide services spore like mushrooms after a rainy day.
Q: @03xcybertox How can I protect my Tesla from a cyberattack?
Assaf: Don’t connect through Wifi nor Bluetooth. Keep your keyfob in a metal box when not using it. Even at home. Don’t connect your smartphone to the car. Charge only at your own charging stations, or other charging stations that you can trust.
Me: What do you think is the next frontier for Automotive Cybersecurity?
Assaf: Attack prevention (and not just detection), Protecting safety critical ECUs (and not just the telematics / infotainment), Self-Driving cars specific scenarios, such as: Fleet wide attacks, Controlling vehicles remotely, Using the fleet as a botnet, Etc.
Me: We have seen hackers ask for ransom by taking over information, what is the interest of them in hacking vehicles?
Assaf: Ransom can still be obtained when your car doesn’t start in the morning, Bitcoin mining is a very lucrative business, exploiting the vehicle high-end systems, such as the Infotainment and the ADAS.
Me: Are autonomous vehicles going to become a commodity? If so, when? And what are the challenges?
Assaf: Seems like that, yes, as strong forces like Google, Uber, GM, BMW & Daimler are driving this revolution. The end-game is to make the self-driving car a service and not a commodity product, making it next generation public / private transportation, thus allowing a new ere of transportation as a service. Think of kids going to their after-school activities like that. Think of drunk teen agers, or blind elderly people driving like this, in order to realize the full potential. It’s uncertain when will this revolution start, but it’s obvious that when it will live its promise, adoption rate can be fantastic.
Me: How many automotive hacks have happened to date?
Assaf: The actual number is unknown, as OEMs keep most of this information to themselves. From information that has reported this way or the other we know that the number is in the hundreds. We know from ThreatHive reports that on monthly basis vehicle ECUs are being attacked by hackers over 300,000 times.
Me: Last question it was asked by many ‘Who is the weakest link in the automotive industry? (in relation to security and safety)’
Assaf: The weakest link is in the ability to upgrade the vehicle with a new software. Currently, in most of the vehicle the process is manual and is done annually at the service center. But even in the future, when over-the-air update are available, the upgrade is still slow, cumbersome, prone to hacks and failures, and is just not good enough to protect against a dedicated group of attackers.
Me: Thanks for the insight and I hope you have a wonderful day.
Assaf: Thanks for having me.
Hope you learned a lot and if you have any more questions Tweet us at @KarambaSecurity #QAKarambaCES2019