How safe is your connected car from being cyber-attacked and what should be done to protect it?
I was thinking about Jeff Weiner's question to identify a single product or feature that you cannot do without. For me, it is easy to pay that accolade to Tesla's self-driving autopilot. Every time I am stuck in Bay Area traffic, I allow the car to drive itself while I engage in creative thinking or relax with an audiobook. This is the perfect example of what technology should do—take on the monotonous work and do it better than a human being can.
But, as a security researcher, this exact same scenario is also what keeps me up at night. If my car were hacked, it would be really easy for someone, even sitting across the ocean, to veer me off the road or into a truck. In fact, this risk does not only apply to self-driving cars—any connected vehicle can be taken over and the owners' lives held at ransom. In 2015, researchers Charlie Miller and Chris Vilaseck showed that a Jeep Chrysler could be taken over remotely and made to do their bidding. This led to a recall of 1.4 million vehicles, making it one of the most expensive IoT breaches to date.
Fast forward two years, and almost every new car on the road is connected—in two ways. First, they have an internet connection to enable streaming content to the cars. This means that anyone on the internet can reach (and quite possibly, breach) the car. Second, the critical components of the car are all connected together, often using protocols with no security layer at all. For example: the car radio volume automatically increases as the car accelerates on a freeway. While this useful feature is achieved by a message from the wheel rotation sensor to the audio subsystem, you can extrapolate the possibilities of this same communication channel being used in reverse.
Let's consider where this problem could be addressed:
So what can and should be done? I encourage all researchers and developers in this field to protect the connected-vehicle ecosystem. This includes car manufacturers who need to put air-gaps or security barriers between the critical systems (e.g. braking, steering) and the informational systems (radio, browser). This includes the network providers who can detect and identify attacks targeting cars. And this includes security engineers who can bring to the table their experience and expertise of protecting millions of connected devices, based upon sensing the environment. Finally, I strongly believe that machine learning, applied both on-device and on the network, can be a critical tool in protecting these connected mobile devices.
Small to medium sized businesses are an easy target for cybercriminals, and too few are performing the necessary security patches to protect themselves.
RSA attendees can learn about cryptomining, take part in the challenge, and even win a prize.