“It's very much like shooting fish in a barrel at the moment,” said Professor Tim Watson, director of the University of Warwick's Cyber Security Centre, referring to the much discussed problem of automotive security at this year's Security and Counter Terror Expo.
If you buy a new car, it may well come wi-fi enabled as part of its infotainment system, and that wi-fi may well come with static credentials. Electronic control units (ECUs) that can simply be reset, a lack of network segregation within vehicles, and the emergence of new functionality, like the ability to control your car with a phone app, all point towards a foreboding picture.
Indeed, we have seen examples of just that. In 2015, researchers ably spoofed an autonomous vehicle's LIDAR system, the mechanism that allows self-driving cars to image the world around them.
Researcher Samy Kamkar showed the world how he could easily exploit vehicle-connected apps to then exploit those connected vehicles. Perhaps the most famous example of ‘car hacking’ is Charlie Miller and Chris Valasek's demonstration on the Jeep Cherokee. The two researchers used mobile phone signals to get into the car's infotainment system, before taking over its brakes and steering.
“These are soft targets,” said Watson. “It is relatively straightforward with resources and skills to exploit vehicles.” Moreover, he added, the kinds of people looking to exploit vehicles are not hacktivists and script kiddies, but those with the resources and patience to do so: terrorist groups, organised crime gangs and nation states.
“The only thing at the moment that is protecting our vehicles is the fact that they are not remotely connected to the internet,” warned Watson, “but that is changing”.
When that does change, it's entirely possible that, for example, ransomware operators might look to vehicles as a lucrative stream of income.
It's bad, but it's not that bad, added Watson. The automotive industry is starting to take the threat more seriously, investing in research and putting out bug bounties on its products.
“Cars are built by safety engineers, they're not built by cyber-security specialists, so what we see is a wonderful safety culture,” Watson told SC, but “what they're not thinking about is the malicious actors who can choreograph your bad luck”.
But the problems presented by hackable cars are not limited to cars. The same questions confront a whole array of smart technologies.
Smart technologies present bold new opportunities for security, but they also present new weaknesses and, for attackers, a bright bullseye to target.
Here a certain mindset needs to be reevaluated. Defenders need to start thinking like their creatively devious enemies, and start practicing similar creative deviance, a form of “digital judo”, which responds to adaptation.
If you're attacking a car, your first question will probably be: what can you make it do? Too often, defenders ask where the software is and go straight “for the ones and zeros”, focusing on data and taking an information assurance approach: “they're missing the point, they're not focusing on the right thing.”
Furthermore, concluded Watson, we don't need more isolated specialists: “We need people who understand different disciplines, because, as an attacker, I'm going to combine physical access with social engineering with technical attacks.”