Cybersecurity preparedness and quick response are a must in the event of an automotive ransomware attack.
Consumers upgrade their vehicles sans cyberthreat considerations. The very nature of a vehicle today has been altered by consumers who want a car to be like a smartphone, explained Davis. They demand cars with more functions and features so they can run new applications, albeit “without rigorous security assessment,” Davis explained. Every time a smartphone app is integrated into vehicles, it’s an open invitation for ransomware. The more apps in the vehicles, the more attack opportunities for hackers to play with. Cellular, Wi-Fi and Bluetooth network connectivity and their protocols can all be penetrated, said Davis.
Figure 1: Malware vs. ransomware.
Only a year ago, the FBI issued a public service announcement, together with the Department of Transportation and the National Highway Traffic and Safety Administration, warning drivers about the threat of over-the-internet attacks on cars and trucks.
It’s been almost two years since Charlie Miller and Chris Valasek successfully pulled off a remote attack on a Jeep Cherokee. The incident led to Chrysler’s recall of 1.4 million vehicles.
For years, traditional automotive engineers maintained that car hacking was far-fetched. They offered two reasons. First, they said, it’s “not possible” to pull it off without physical access. Second, there’s no way to make money from hacking a car. Granted, penetrating a car is no trivial task. It would take hours of work and expert knowledge.
Despite mounting evidence about security threats against cars, Ponemon Institute survey results showed that among 500 respondents directly involved in developing auto software, only 52% believe hackers are actively targeting automobiles.
Amidst high-profile automotive cybersecurity incidents in the last 12 months, reasonable people should be plotting revolutionary changes in the automotive industry’s attitude toward cybersecurity, said Gene Carter, director of product management and marketing at Security Innovation.
Instead, the survey found that automakers and suppliers still haven’t made cybersecurity a priority, with only 54% of respondents agreeing. “The automotive industry has a very long way to go before embracing [the need to be fully prepared for] cybersecurity,” Carter told EE Times. Further, less than half (42%) agree that their company’s development processes include rigorous security requirements, design, implementation and testing.
When we asked Davis why car OEMs remain so casual about cybersecurity, he said that he doesn’t think that’s the case. Rather, the challenges among traditional OEMs are more cultural. The engineers working on components at a carmaker are not the same as those who work in IT. Internal communications and priorities set by car OEMs are not yet in parallel to cyberthreats. Do car OEMs/executives expect automotive hardware engineers to be software developers or security experts? Probably not.
The problem for many car OEMs, however, is, “They don’t have a huge control over a lot of embedded computers used inside their vehicle, as they are provided by different Tier Ones,” said Davis.
How can OEMs be prepared for the arrival of ransomware?
Davis explained that securing a gateway type of device inside a vehicle is the obvious first step. Segregating connectivity among a variety of embedded computers is another. Detecting any compromise that might have occurred inside devices is crucial, so it can be stopped at the boundary.
But in the event of an automotive ransomware attack, the key is preparedness among a carmaker’s senior management. Quick response is critical, because it affects consumers, shareholders and ultimately the brand, Davis noted.
The bottom line is that “it takes a real world incident” for the whole industry to take automotive cybersecurity seriously. The world’s first ransomware aimed at vehicles might finally be the industry’s wake-up call, Davis concluded.
First published by EE Times.