MOTOR Magazine

A MOTOR Magazine Newsletter
July 7, 2017

Contributed by Bob Chabot
Cracking Cars

Prevention, detection and timely responses are essential for effective cyber resilience

Before automobiles were so connected to the outside world, critical vehicle communication systems could be built on a Controller Area Network (CAN) bus with impunity and little concern for security. But times have changed.

In today’s world, brimming with telematics, connected cars, automated driving and increasingly intelligent transportation, components the CAN bus has traditionally deemed trustworthy — such as the OBD-II interface, plug-in dongles, infotainment stacks and even diagnostic tools — have become gateways to the hacking of critical systems.

Connectivity in current and emerging vehicle systems has increased the surface area and attack vectors for hackers. (Image — Argus Cyber Security)

Security Can’t Just be Affordable, it Must Also be Fast-Reacting
In particular, spiraling technological complexity requires security measures that are built in up front and fast-reacting anytime an attack occurs. As repeatedly demonstrated by several automakers, relying primarily on built-in — think offense here — security measures isn’t adequate.

They must also include “on-the-fly” measures for when a mission critical attack occurs — think defense here — especially when the vehicle is operating. For example, an attack that shuts down the engine while the vehicle is moving at 60 mph requires solutions that are virtually instantaneous. Lives and more are at stake.

Here’s the good news: The aftermarket has demonstrated, arguably more so than the automakers have, that it has offensive and defensive protocols in place that can prevent most attacks upfront, as well as immediately counteract the rare attacks that put vehicles and occupants at risk. Case in point: In the Spring of 2017, two aftermarket firms — Argus Cyber Security and Robert Bosch GmbH — were able to work together to do just that.

Connectivity has Increased Security Risk
“The world is becoming more and more connected as automobiles are simultaneously becoming smarter,” explained Ofer Ben-Noon, CEO and co-founder of Argus, a leading security firm founded in 2013 by former Israeli Defense Force officers. “But these technological advances have substantially increased the number of attack vectors and the risk of vehicles being hacked.”

“Connected cars are one of the automotive industry’s biggest drivers for enhanced passenger safety, better driving experience and additional revenue generation,” added Yoni Heilbronn, marketing vice president for Argus. “However, despite its tremendous benefits, connectivity presents many more gateways for hackers.

“As automakers and Tier 1 suppliers race to make vehicles cyber resilient, more and more aftermarket connectivity options continue to be presented to drivers of current and future vehicles. Unfortunately, most of those are provided with little or limited security, let alone defensive, protection for the vehicles they are placed in. It puts security in the position of trying to catch a runaway train.”

Automakers, Tier 1 suppliers, regulatory bodies, insurance companies, technology companies, telecommunications providers and other connected have recently begun to share the responsibility for strengthening the industry’s cybersecurity posture by collaborating in the newly formed Automotive Information Sharing and Analysis Center (Auto-ISAC). The organization recently published Automotive Cybersecurity Best Practices, a guideline for integrating cyber security into the vehicle’s entire lifecycle, from concept through production, servicing and decommission. (Image — Auto-ISAC)

Major Risks Include Interruption, Disruption and Corruption
Many of the original standards still followed in designing core communication and network systems in automobiles are unfit for risk-free use in modern and more highly connected vehicles. Manufacturers are now recognizing this and considering fundamental architectural changes to protect automobiles already on the road, as well as those entering the marketplace.

Companies in other industries are hacked all the time. Sometimes, the details of the successful attack, let alone a solution, don’t emerge until months or years after the fact. Numerous successful hacking attacks of automakers — wired and wireless — have demonstrated this. But with automobiles operating in increasingly connected transportation networks, that’s not good enough. Now when a vehicle(s) has been compromised, time is of the essence. Milliseconds matter.

“It’s important to put safe redundancy in place during the initial design stage — the right cybersecurity mechanisms, such as firewalls and connectivity protocols — that can instantly detect an attack and, where necessary, revert vehicles to a base level “safe” mode until the threat is addressed,” Ben-Noon cautioned. “For example, if and when a wide-ranging denial-of-service (DNS) hacking attack on one or more vehicles is successful, connectivity and functionality can be affected. The industry needs to ensure that in such an event, automobiles can still be operated safely, so that drivers, passengers and pedestrians are protected, while other corrections are addressed.”

Government agencies and regulators in the U.S. have taken note of the emerging public safety implications of vehicle connectivity and have begun considering new legislation and policy. For example, the Security and Privacy in Your Car [SPY] Study Act of 2017, introduced into Congress last January, if passed, will require federal and state administrative bodies, automakers and suppliers, academics and other experts to agree on a set of appropriate cybersecurity standards and defenses for new vehicles. (Image — U.S. Congress)

Can the Aftermarket Step Up?
Automakers have been slow to recognize and act on the need to address and build in security from the design stage on, let alone detect and respond if and when attacked. But they’ve seriously ramped up efforts in recent years. For instance, Bob Stewart, General Motors’ aftermarket representative, explained, “Three years ago, GM had 60 engineers working on cybersecurity. Today, GM has more than 160 engineers doing this.”

Major aftermarket technology companies, such as Microsoft, Apple, Google and other tech firms, typically track customer failures — known as ‘digital error logging’ — when their operating systems crash. Incorporating this practice, Ben-Noon advises, could help lead automotive engineers to a malfunction’s root cause(s), whether from design defects, human error or deliberate attacks.

For instance, had the error-logging practice been in place in earlier successful hacks into vehicle vulnerabilities, automakers would have been alerted sooner when they occurred, rather than well after the fact, once the attacks hit the news cycle. More importantly, they would also have been able to address them sooner, via over-the-air software updates or some other defensive fix, with less bad publicity.

Top Tier Cybersecurity Prevents, Detects and Responds Immediately
The time lag in taking cybersecurity seriously, let alone defending it immediately, gave opportunity for third-party aftermarket specialists, such as Argus, to fill the gaps. “Argus is the world’s largest, independent automotive cyber security company,” shared Monique Lance, Argus marketing director. “We are currently working with many automakers, Tier 1 suppliers, aftermarket connectivity providers, fleet managers and service providers to protect connected cars and commercial vehicles from hacking.

“For example, to reduce risk in current and emerging vehicle systems — where the surface area for hacks is large — Argus works with OEMs on their next generation vehicles to ensure logical security is embedded during design rather than “bolted on” afterwards,” she added. “As soon as an OEM has a concept for a vehicle, Argus escorts them through their architecture, code reviews, penetration testing, vulnerability analysis and risk assessment to ensure early detection and security defenses are embedded.”

“Security experts commonly accept the adage that security isn’t always ‘backwards composable,’ which means if two components are proven to be secure individually, their security when combined isn’t guaranteed,” noted Ben-Noon. “Automakers, whether they go it alone or work with a third party, use distinct characteristics that may or may not be made composable.”

Consider, for a moment, the differences between the cybersecurity in the aerospace and automobile industries. Aircraft system security, civilian and military, is far more extreme, robust and costly, given the inherent risks compared to ground transportation. Aircraft feature multiple levels of redundancy to combat hardware failures, software errors and hacks.

He cited Airbus as an example. Each Airbus plane has five built-in parallel computer systems onboard, each developed by different software authors. While automakers can’t afford five parallel levels, they could afford two, because costs could be affordably spread over more technologies and vehicles over time. In this scenario, one system could communicate with the external environment while the other communicated with the internal environment. Both systems would have to behave predictably for the vehicle to consider itself safe; if not, the vehicle would default to its “safe” mode of operation.

“All of the rhetoric around the benefits of vehicle-to-vehicle or vehicle-to-infrastructure communication will be undermined if consumers have reason and real world experiences to not have trust in their vehicle’s security,” Ben-Noon said. He made it clear that’s the driving force bringing OEMs, suppliers, the aftermarket, regulators and others together to address cyber resilience.

Argus Cyber Security CEO Ben-Noon says the security equation is very simple: “If it’s a computer and it connects to the outside world, then it is hackable. Cyber defenses cannot be static; they must be dynamic, that is, continually evolving.” As an example, he and Argus co-founder Yaron Galula described how aftermarket cooperation between Argus Cyber Security and Bosch successfully countered a recent multilayered compromise of Bosch's Drivelog Connector OBD-II underdash dongle and its related phone app. (Image — Robert Bosch GmbH)

The Aftermarket Counters a Multilayered Attack in Real Time
“At its core, Argus is dedicated to ensuring that vehicles are cyber-safe and our ongoing collaboration with global Tier 1 suppliers and car manufacturers enables us to provide the most advanced multilateral cyber security solutions for the automotive industry,” shared Yaron Galula, the other co-founder of Argus.

“We’ve learned that solutions based on cryptography, authentication and other communication protocols, even when designed by leaders in the industry, are not foolproof. Cybersecurity must go above and beyond those measures. Multi-layered defenses are required to effectively protect vehicles from cyber threats today and in the future.”

Galula described the recent example of Argus working with industry partner and Tier 1 supplier Robert Bosch GmbH. Reported in April 2017, penetration testing by Argus discovered security vulnerabilities in both Bosch’s Drivelog Connector OBD-II dongle (a hardware device that monitors vehicle health, service needs and more) and Bosch’s associated Drivelog Connect smartphone app (software that connects to the dongle via Bluetooth). Both products were available to consumers.

“Essentially, Argus’ Bluetooth attack brute-forced the PIN for the dongle. We used the dongle as the attack vector to inject malicious CAN protocol messages — which fit the constraints of both the dongle and the vehicle — into the vehicle CAN bus, to then manipulate other ECUs on the vehicle communication network. This allowed us, for example, to turn off the engine while the vehicle was moving within Bluetooth range.” [Editor’s note: For more details of the attack, click here.]

When Argus reported the successful attack to Bosch, the supplier’s Product Security Incident Response Team (PSIRT) took decisive action to address the vulnerabilities across its security and development divisions. “Bosch takes security very seriously,” said Thorsten Kuhles, head of Bosch’s PSIRT. “When Argus informed us about the security gaps, we took immediate action to verify the vulnerability, address it across our security and development divisions, and fix the issues.”

“First, we immediately activated a two-step verification for all users to be registered to a device. This measure was automatically implemented from our server, and required no other action by users. Next, to address security in the authentication process, we developed and released an application and dongle firmware update that limited the allowable commands the dongle is able to place directly onto the CAN bus. Finally, PSIRT is working on measures to further limit the possibility of sending undesirable CAN messages, which will be rolled out alongside further improvements later in 2017.”

The pairing process shown above is a high-level overview of what takes place during authentication, a key element in cybersecurity. Successful authentication — whether legitimate or a hack — involves a number of steps:

  • The phone application connects to the underdash dongle using Bluetooth and requests the dongle certificate (the dongle’s public key and a signed binary string), which the dongle then sends.
  • The server replies with a pairing certificate that is received by the dongle (via the app), which then verifies that the pairing certificate contains a matching PIN to the one stored in it electronically.
  • Upon successful verification, the dongle sends the dongle certificate and nonce to the phone app. Upon receipt of the dongle certificate, the phone app verifies that it contains a matching PIN to the one provided by the user, then signs the dongle’s nonce.
  • Then the phone app sends both the dongle’s nonce and the phone’s nonce to the dongle to which the dongle responds by signing the phone’s nonce and transmitting it back to the app.
  • Once both the dongle and the Android app verify the signature of each nonce respectively, an encrypted channel is set up and becomes operational.
In short, Argus was able to successfully attack and penetrate the Bosch dongle and phone app by brute-forcing the PIN (information leak in the authentication process) and then using the enabled communications channel to send malicious CAN bus messages that physically affected the vehicle’s operation. (Image — Argus Cyber Security)
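
Bosch's firmware fix described earlier, limiting which commands the dongle may place on the CAN bus, amounts to a default-deny filter on the dongle's transmit path. The C sketch below is an added example, not Bosch's firmware: the allowed OBD-II services, their length bounds and all names (obd_frame, dongle_tx_allowed, probe) are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed policy for illustration; NOT Bosch's firmware or its real rule set. */
struct obd_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
struct svc_rule  { uint8_t sid, min_len, max_len; };

/* Assumed allow-list: read-only OBD-II services a health-monitoring dongle needs.
   Lengths count the service byte plus parameters in an ISO-TP single frame. */
static const struct svc_rule ALLOWED[] = {
    { 0x01, 2, 7 },  /* show current data: service + 1..6 PIDs */
    { 0x03, 1, 1 },  /* read stored trouble codes              */
    { 0x09, 2, 2 },  /* vehicle information, e.g. VIN          */
};

/* 11-bit OBD-II request IDs: 0x7DF (functional) and 0x7E0-0x7E7 (physical). */
static bool is_obd_request_id(uint32_t id) {
    return id == 0x7DF || (id >= 0x7E0 && id <= 0x7E7);
}

/* Default-deny transmit filter: true only if the frame may go onto the bus. */
bool dongle_tx_allowed(const struct obd_frame *f) {
    if (f == NULL || f->dlc < 2 || f->dlc > 8) return false;
    if (!is_obd_request_id(f->id)) return false;      /* no arbitrary bus IDs */
    if ((f->data[0] & 0xF0) != 0x00) return false;    /* single frames only   */
    uint8_t len = f->data[0] & 0x0F;
    if (len == 0 || len > f->dlc - 1) return false;   /* length must fit DLC  */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (ALLOWED[i].sid == f->data[1])
            return len >= ALLOWED[i].min_len && len <= ALLOWED[i].max_len;
    return false;                                     /* unknown service      */
}

/* Helper for the samples below: build a zero-padded 8-byte frame and check it. */
bool probe(uint32_t id, uint8_t pci, uint8_t sid, uint8_t param) {
    struct obd_frame f = { id, 8, { pci, sid, param } };
    return dongle_tx_allowed(&f);
}

int main(void) {
    /* Constructed sample frames, not captured traffic. */
    printf("RPM read (0x7DF, svc 0x01, PID 0x0C): %d\n", probe(0x7DF, 0x02, 0x01, 0x0C));
    printf("clear codes (svc 0x04):               %d\n", probe(0x7DF, 0x01, 0x04, 0x00));
    printf("ECU reset (UDS svc 0x11):             %d\n", probe(0x7E0, 0x02, 0x11, 0x01));
    printf("non-diagnostic ID 0x0C9:              %d\n", probe(0x0C9, 0x02, 0x01, 0x0C));
    printf("multi-frame start (PCI 0x10):         %d\n", probe(0x7E0, 0x10, 0x01, 0x0C));
    return 0;
}
```

Only the first sample frame passes; everything the policy does not name is dropped before it reaches the bus, so a compromised pairing channel cannot be used to address arbitrary ECUs.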

State-of-the-Art Automotive Cybersecurity Requires Multilayered Solutions
“The security equation is very simple: If it’s a computer and it connects to the outside world, then it is hackable,” emphasized Heilbronn. “This includes electronic tools and equipment, plugin onboard diagnostics, insurance or other connected devices. These accessories are typically beyond the control and responsibility of automakers. Who knows whether or not these devices rely on secure wireless connections?”

“Currently, many OEMs are increasingly isolating the computers and modules that control the vehicle’s most sensitive systems, hoping they won’t be breached,” he continued. “That’s a primitive and ineffective defense, because hackers can do just that, by tapping into other technologies onboard vehicles, as we just did with the simultaneous penetration of the Bosch dongle and app.”

“Vehicle infotainment systems are also very vulnerable to attack because they’re so highly connected to the outside world via connections to cellular networks, Bluetooth, WiFi and others. It’s clear to us that automakers and suppliers have little idea what’s going on at all times, nor can they yet readily determine if and when these systems have been hacked or not.”

When it comes to cyber resiliency, challenges are continually evolving. In the early days, recognizing the need for, and then implementing, preventive security was the challenge. Today, automakers face a far more complex challenge: How to update security software, once it has been installed, continually over the lifetime of the vehicle. Automakers and their partners have to build cybersecurity protections into the vehicle before it ever hits the road, and continually update them as new threats emerge.

“While it is clear that cryptography will continue to play a large role in the future of automotive security, it cannot be relied upon to protect against all attacks,” advised Ben-Noon. “Certainly, preventive measures are required, but experience has shown us that attackers will eventually find a way to bypass them and once they do, detection solutions are paramount in order to be able to properly react to the threat and mitigate the attack immediately.”

Updating Security Software is the New Frontier
He suggested over-the-air (OTA) downloads — much as you would update the software on a smartphone or home computer — could play a significant role in detection and mitigation. The potential of OTA software upgrade technology, such as Delphi has developed, is clear. It provides a feasible means for automakers to deliver quicker solutions to safeguard vehicles and occupants.

“Once an attack is detected, automakers need to use detection and analytical tools to understand the attack and leverage the ability to send OTA security updates to affected vehicles in operation. In addition, automakers and suppliers should carry out regular penetration testing of their products and services, tests that should be performed by automotive security experts.”

Connectivity is no longer a pipe dream of futurists. It’s arrived and it’s here to stay. Automated driving is closer every day. And with the advent of Intelligent Transportation Systems, virtually all vehicles and devices will come with embedded, tethered or smartphone enabled connectivity by the 2020s.

The multitude of previous “white hat” hacks — both hard-wired and wireless — of both passenger cars and commercial vehicles have demonstrated the ever-present danger of being complacent or lagging behind the cybersecurity curve. The aftermarket, automakers and other stakeholders will need to work together with security experts to ensure motorists and the public are protected. They’ll also need to understand when to lead, follow and stay out of the way of those keeping cybersecurity resilient and effective.

MOTOR Information Systems • 1301 W. Long Lake Road, Suite 300 • Troy, MI 48098