Be it a household that has locked up for the night or a connected car sat in a parking lot, as soon as a gap in its security system is found it becomes a race against time to prevent harm from being caused.
Within the cyber security space, this issue is often referred to as the zero-day vulnerability – something that has been discovered by someone, but not necessarily by those who would want to mitigate it. In the case of the connected car, that would be the owner of the vehicle, the automaker or the software provider. The party that made that initial discovery could be a researcher with positive intentions, but it could also be a hacker that intends to keep it secret whilst plotting havoc.
“There are three guarantees in life: death, taxes and vulnerabilities,” said Stacy Janes, Chief Security Architect at Irdeto during a recent Automotive World webinar. “The zero-day vulnerability is something that you may not know about, but someone else does – and this is where problems start happening.”
How to defend against the unknown
Indeed, automakers must protect fleets of connected vehicles against vulnerabilities they may not even know about, and various brands have already been caught out in recent years. Luckily, automakers haven’t been kept in the dark.
In May 2018, researchers from Keen Lab, a unit of Chinese tech giant Tencent, released a report highlighting 14 individual vulnerabilities in various BMW models’ electronic control units (ECUs). The full report had previously been submitted to the automaker, with remedies applied prior to its publishing. Had these gaps in cyber security been exploited by a criminal attacker, it is unlikely that the automaker would have been gifted prior warning. As Janes pointed out, it is lucky that such work was carried out by ethical hackers. “They are good guys and disclosed this with the OEM, but if this wasn’t a friendly team and it was malicious, then those vulnerabilities would not be known by the OEM,” he warned.
In the real world, humans protect themselves from zero-day vulnerabilities on a daily basis, and Janes drew parallels between physical and cyber security techniques. “We’re always exposed to threats, and although we do not fully understand what that threat might be, we learn how to protect against what we believe could be a danger,” he said. “Typically, people assume that while some layers of security may not mitigate the problem, other layers will. Cyber security is conceptually the same as physical security, but the real difference is in the implementation; when we look at a physical fence, we understand whether we can circumvent it. Is it tall or short, can we knock it over, can we climb over it, or is there a subterranean tunnel to go under? But because we can’t ‘see’ cyber security in the same way, it is viewed as a dark art.”
By thinking of cyber security in a similar way to physical security, a number of relatively straightforward concerns can be addressed: how much security is necessary, in what format and location, and at what price? Homeowners, argued Janes, make the same considerations, but many are still caught out in ‘safe’ neighbourhoods because a burglary is statistically less likely. As such, security measures are either too weak, or simply non-existent.
The same issue occurs when industries begin using connected products and services. In 2013, US retailer Target was hacked via data from a heating, ventilation and air conditioning (HVAC) contractor. In 2017, a casino was hacked via a thermometer in a connected fish tank. “Attackers think about what is likely and unlikely to be secured,” explained Janes. “When new industries show up in connected markets, they often do not realise the threat they are under. The research community, or a malicious hacking community, gets involved and highlights that they have left some doors open that should not have been left open.”
But as any expert in this field will confess, there is no fail-safe approach to cyber security. If something can be hacked, someone will find a way to do it, but what does this mean for the automotive industry?
Find the breach, stop it, fix it
The analogy of home security paints a useful picture of the industry’s current approach to protecting connected vehicles from attacks. The behavioural analytics of external network traffic coming into a vehicle’s telematics can be compared to the front door and motion sensor lights on the outside of a property, suggested Janes. As he puts it, you want to know who is knocking on the front door. However, it is not always a casual knock, but a pounding fist.
“IT specialists see a lot of traffic that is pounding on the front door of these connected devices looking for known vulnerabilities. That traffic doesn’t care whether it is an ECU in a car, a smart television or the cloud – it is just trying to find a way into that connected ecosystem,” he explained. A firewall on the telematics is a necessary step to ensure that the ‘front door’ is not breached on any of these vehicles. “We’re monitoring all this traffic, but we want to make sure they don’t get in,” continued Janes. “We only want the things that are allowed to enter, to come in. You don’t want malicious connections to come through, so you put up a firewall.”
If a hacker somehow gets past that firewall, behavioural analytics on the ECU can detect certain types of ‘incorrect’ behaviour – something that is out of the norm. Janes compares this to a guard dog barking at an intruder. From there, simply detecting any tampering of the ECU does not cut it. Those activities need to be stopped in their tracks, and fast. Telemetry and cloud-based analytics can then gather data on the event. “They can look at what happened to a single vehicle, multiple vehicles, or even multiple automakers,” advised Janes. “You can build up a profile of what has happened, and maybe even track it back to the hacker’s identity.”
Just as a homeowner that has been burgled can reflect and gather information on what happened during a break in, the same approach can be taken with a connected car. In both cases, the problems are highlighted and fixes are put in place, resulting in an ultimately more secure foundation than before. This dynamic is likely to continue, and potentially worsen, as more elements of the vehicle become connected. The automotive industry must stay ahead of the curve, where possible, and continue working with so-called ‘white hat’ researchers to ensure that vulnerabilities are found by those with an interest in safety, not in harm. “It is a cat and mouse game,” concluded Janes, “and you always want to be the cat.”
