Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Firewalls can't protect today's connected cars

Lucas Mearian | July 27, 2015
Much of the auto industry's efforts to date have been about building a more secure internal bus

According to Nate Cardozo, an attorney with the Electronic Frontier Foundation, "Consumers don't know with whom that data is being shared. Take the Ford Sync, for example. In its terms of service, it says it's collecting location data and call data if you use Sync to dictate emails."

Sync is Ford's current Microsoft Windows-based telematics or head unit system. The company is changing over to a QNX-software based system this year.

Miller and fellow hacker Chris Valasek shared their year-long efforts with Chrysler, which issued a software patch to fix the security hole in the head unit. Vehicle owners must download the patch onto a USB drive and then update the vehicle's software with that.

But Miller warned that while Chrysler may have fixed this specific remote flaw, "there are probably others."

"I don't think there's a way to you can make a really secure way for computers to communicate," Miller said. Hacking a network firewall simply takes time and perseverance.

The CAN bus is very simple and the messages on it are very predictable, Miller said. "When I start sending messages to cause attacks and physical issues, those messages stand out very plainly. It would be very easy for car companies to build a device or build something into existing software that can detect CAN messages we sent and not listen to them or take some sort of action."

Juliussen agreed.

Once past a firewall, hackers can make computers imitate any other computer on a network, and that means they can control the systems through electronic messaging. That's basically what Miller and Valasek did: They had the head unit pretend to be the electronic control unit (ECU) for the brakes, the transmission and other systems.

Behond the security curve
Carmakers are far behind the security curve, not only because vehicles have an average six-year development cycle, but also because they haven't taken the potential security problem seriously.

"The automobile industry has been slow to do anything. I did my first presentation [at an auto industry conference] five years ago and they said this very interesting, but we don't need it yet," Juliussen said.

For example, in response the hack on Chrysler's UConnect head unit, Ford issued a statement claiming its communications and entertainment systems feature a different architecture than what was hacked. "Our vehicles have a hardware based built-in firewall that separates the vehicle control network from the communications and entertainment network," Ford stated.

Ford declined further comment and didn't say whether its Sync head unit and coming QNX-based unit can detect errant messages that could indicate a cyber security breach has occurred -- and then shut it down.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.