Ransomware, which blocks personal or company computers until a fee is paid, may now target automotive vehicles.
WikiLeaks’ revelation of classified CIA documents listed “potential mission areas” for the CIA’s Embedded Devices Branch that included “Vehicle Systems” and “QNX.”
Among a host of alleged CIA documents released to the public this week, WikiLeaks disclosed, “As of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”
The thought of hackers–or terrorists–remotely hacking into your car, taking over control and crashing it with you inside seems like a scene out of a spy novel. It’s terrifying. But this isn’t the scenario that scares the automotive industry. Ransomware does.
Security experts in recent months have publicly predicted that 2017 will be the year hackers will first target vehicles with ransomware. Andy Davis is one expert who thinks it will happen.
Davis is research director at NCC Group (Manchester, the U.K.), an information assurance firm covering software escrow and verification, and cyber security consulting. He belongs to a technical steering committee of Fastr (Future of Automotive Security Technology Research), an industry group founded to foster cross-industry collaboration on automotive security technology.
Figure 1: Andy Davis, cybersecurity expert, believes hackers will now target vehicles as well.
"Ransomware," so called because it blocks a person or company's computer until a fee is paid to unlock it, is fast rising throughout the world.
According to the SonicWall security team GRID Threat Network, ransomware attacks grew to 638 million last year, an explosive rise from 3.8 million attacks in 2015. Thus far, none of those attacks were aimed at vehicles.
We caught up with Davis and asked him what automotive ransomware entails, the eventual ramifications for automakers and why he believes the vehicle is the next target.
Threat of auto ransomware
Picture yourself in your car. You’ve turned on the engine and a message pops up on the dashboard. The message says, “This car has been hacked. Pay up XXX dollars in the next Y days or we won’t allow you to start the car.”
This could be a very simple attack. It could be a bogus message. But you can’t help but wonder what will happen the next time you hit the ignition. Will it start? Will it blow up? Will it crash intentionally into someone else?
“Few drivers would take the chance,” said Davis. Most likely, they would get out of their car and simply walk away, because those ransomware messengers “are inducing fear.” Ransomware typifies an aspect of “social engineering”–in the hacking sense–designed for psychological manipulation.
There is a second scenario, said Davis, that “can be more lucrative but potentially riskier.” Hackers could go directly after car manufacturers for extortion. They’d play “a reputational angle,” he said. Of course, the bigger the car OEM they target, the greater law enforcement’s involvement, which could result in the hackers’ capture.
In principle, ransomware is no different from computer malware. When a computer or smartphone user opens an attachment, he could accidentally be installing ransomware, rather than a virus, on his device. Where ransomware differs from other malware is that it is sent in bulk to an unspecified mass of recipients. Advanced malware often hides itself for as long as possible, whereas ransomware exposes itself immediately after encrypting important files and demands a ransom by a set time.
Smartphones have been attacked by ransomware. But smartphone OS vendors like Apple and Google understand such threat models. They have installed what are called “exploit mitigations” in their operating systems that can limit the impact of a ransom attack.
In contrast, embedded systems within a vehicle have never been designed with the mindset of computer software experts or IT managers. Therein lies the allure for hackers to target cars and trucks.
While Davis refrained from commenting on the WikiLeaks disclosure of the CIA’s vehicle hacking plots, he pointed out that there are no government agencies, industry organisations or security experts in the world today [who are] not aware of the cybersecurity vulnerability of vehicles.