Hackers target information as well as vehicles

Recently, a fleet of autonomous trucks crossed Europe to highlight the benefits of autonomous trucking – namely cost savings for freight companies in terms of labor and fuel. However, the issue of cyber security remains a potential red flag to autonomous vehicle roll-out. Kaspersky Lab, one of the world’s fastest-growing cybersecurity companies, has long warned of the threat of vehicles being hacked. In 2014 Kaspersky Lab and IAB, Spain’s leading marketing and digital media company, released the First Annual Connected Cars Study which identified a number of security concerns in connected cars.

Software updates and mobile apps in connected cars create openings through which cybercriminals can launch attacks. “Connected cars open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Today’s motorists need to be aware of new risks that simply never existed before,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.

Customers have taken note: In March 2016 a joint IDC/Veracode study that polled 1,000 drivers across the UK and Germany revealed that 50% of drivers surveyed are concerned about the security of driver-aid applications such as adaptive cruise control, self-parking, and collision avoidance systems, reflecting an equal level of concern with the safety of the entire vehicle. At stake is an Internet of Things market estimated to be worth $140.3bn in 2016. Apps which help drivers to navigate, park, communicate, conserve fuel and other functions are changing the nature of driving. But at the same time exposing a car to the Internet makes it vulnerable to cyberattack which could render the car unstable or dangerous, says an excerpt from the study.

A Financial Times article quoted Eugene Kaspersky, founder of Kaspersky Lab as saying that today’s vehicles were “more safe but less secure” because of the array of gadgets they carry, from safety sensors and GPS trackers to music-streaming capabilities and high-speed internet links. The article goes on to quote Kaspersky as saying that cars that connect to the internet will be vulnerable to hackers for a decade. The US$ 619 million Kaspersky Lab, has around 3,300 highly qualified specialists and have around 400 million users that are protected by Kaspersky Lab’s technologies. The company says it has around 270,000 corporate clients.

Automotive Industries (AI) asked Alex Moiseev, European Managing Director, Kaspersky Lab, what are the security concerns with self-driving trucks.

Moiseev: Firstly, they can be hacked into and stolen, but it’s worth noting it’s not always the vehicle criminals are after. In fact, many cybercriminals find that targeting vehicles for access to private data, address books and credentials is far more profitable, as this can be sold on to third parties. There are also various software components in vehicles which can be monetized. Imagine a scenario where a hacker can disable an ignition/navigation system and hold the driver to ransom before unlocking it.

The current state of vehicle design doesn’t take into account security in such cases. The mechanisms for real-time tracking, detection, analysis and resolution of cyber-threats for computers and mobile devices are not enough. If driverless vehicles aren’t designed with security in mind, we could see them being disabled, destroyed or hijacked, with disastrous consequences. Rather than waiting for the first attack to take place, we have to assess and protect these vulnerabilities now before the technology is integrated extensively into trucks or consumer vehicles.

AI: How do companies like yours stay ahead of hackers?

Moiseev: There is an ongoing battle between cybersecurity companies and cybercriminals as new layers of threats and the security to guard against them emerge. Kaspersky Lab works tirelessly every day to ensure cybersecurity is the best it can be.

AI: A 2013 attempt to hack a Ford Escape showed that it isn’t all that easy to do – should car manufacturers still be worried?

Moiseev: It’s unbelievable how sophisticated the technology has become since 2013. What is disconcerting is how easily these attacks are becoming to execute at the click of a button on a keyboard. With the sophistication of these threats increasing, along with the ability to carry them out, manufacturers should be striving to keep their cybersecurity systems as robust as possible.

We’ve seen previous examples of hackers remotely gaining access to vehicles through Wi-Fi. Last year during an experiment, two hackers were able to gain access to a Jeep Cherokee driving along the motorway. Not only were they able to toy with the air conditioning settings, the radio and the windscreen wipers, but they were also able to completely cut the transmission – all through their laptops and a Wi-Fi connection.

AI asked David Emm, principal security researcher, Kaspersky Lab, what research and development conducts in the fields of cyber threats to automobiles and other vehicles.

Emm: A typical car contains dozens of computers that control brakes, wheels, lights and climate controls. Of course, automotive vendors have followed the digital evolution enabling the usage of various online services in new cars, making them “connected”. For example, you can remotely adjust the air conditioning in your car by using your smartphone.

Research conducted by a Spanish brand of Interactive Advertising Bureau (IAB) has demonstrated that there is already a widespread use of such devices. The analysis of “connected” features exists in cars from 15 leading automotive brands, including Audi, BMW, Ford, Lexus, Opel, Renault, Volvo and others, indicating that every vendor has some kind of connectivity solution. BMW leads the pack with 20 smartphone apps and 14 in-car apps, which provide every single feature from Spotify music control to remote car diagnostics. Kaspersky Lab was asked to assess the security risks of using a “connected car” based on BMW implementation.

AI: According to your research, how big a problem could this be?

Emm: Several areas of risk have already been identified. For example, by obtaining a vehicle owner’s identity credentials, thieves could remotely unlock, and take possession of, a vehicle. By intercepting and tampering with mobile communications and over-the-air software updates, cybercriminals could transmit malicious code or, in a worst case scenario, send new and dangerous instructions to the vehicle’s software systems. And as with other areas of online life, something as a simple as poor password protection could also, quite literally, leave the door open to criminals.

AI: How real is the danger of vehicles being used by cyber terrorists to inflict damage?

Emm: The threat is more real than ever. We’ve seen numerous examples of cybercriminals managing to gain access to a variety of different vehicles and inflict damage. For example, pirates were able to hack into a shipping company, allowing them to determine the location of valuable cargo before intercepting and hijacking vessels the targeted attacks. This is a clear example of the potential dangers of increased connectivity.

Everyone involved in the creation of a connected vehicle needs to work together to ensure these points of weakness are dealt with before the vehicles make it onto our drives and onto our roads. One thing’s for sure – however fast we go, hackers will be just a few steps behind. AI: How does your company work with the automotive sector to address these problems?

Emm: Since 2010, for example, Kaspersky Lab has worked alongside Ferrari, helping them to protect their sensitive intellectual property and improve performance. With global volumes of malware and targeted attacks increasing exponentially, Ferrari was looking for an IT security partner that could not only keep pace with the latest threats, but have the expertise to stay ahead of them. Kaspersky Lab’s core team of expert developers and engineers worked to overcome performance and latency challenges, while coming up with a solution that would integrate seamlessly with Ferrari’s highly complex infrastructure.