[00:00:17.470] – Jason Pufahl
And Matt [inaudible 00:00:17].
[00:00:18.190] – Matt
[00:00:19.630] – Jason Pufahl
Today, we’re talking about automotive hacking and should we be worried, or maybe alternatively, “Dude, where’s my car?” I feel like we’ve spent a lot of time on this topic, or at least maybe debating whether we wanted to do the topic or not.
[00:00:33.730] – Matt
That’d be fair, I’d say.
[00:00:34.750] – Jason Pufahl
Yeah, chatting a little bit about, call it the modern vehicle, right? The idea of autonomous vehicles, maybe all of the technology embedded within vehicles, what the risk is to consumers. To some degree, it’s sensationalized. We see things on YouTube about stopping cars while they’re driving on highways at 70 miles an hour, right? You get some of that. The “Hey, don’t buy an autonomous vehicle because you’re in for a world of hurt.” I think, in reality though, it’s probably a little less severe than that, right? Car hacking is not necessarily new.
[00:01:13.630] – Matt
So let’s touch on that a little bit. The popular press…Forbes ran an article last month about car hacking risks to people, you know, likelihood of impact and so on. There are very broad statements about the future involving ransomware and needing a tow in order to get home because everything is completely disabled. To your point, car hacking is not new. It’s just an extension of using a jimmy stick or a coat hanger to break into a car, or jumping a solenoid with a screwdriver to start an engine. It’s just the 21st-century equivalent.
[00:01:45.670] – Matt
Car hacking in particular isn’t new because, frankly, it’s been well researched over the last decade. The difference is that people are now buying the cars that are the subject of the attacks that, frankly, were first researched and first published at the time.
[00:02:01.750] – Jason Pufahl
There are fewer ’88 Hondas on the road these days, which is probably also a good thing, though.
[00:02:06.070] – Matt
[00:02:08.050] – Jason Pufahl
So it’s an interesting point you made, though. So, you’re right. A lot of the attacks that you see are for the purpose of gaining entry to a vehicle and maybe starting a vehicle, right? So it’s Bluetooth exploits for some of the key fobs. They’re not ‘life threatening, put the driver in danger’ type of attacks.
[00:02:26.230] – Matt
Right. They’re all centered around access to the vehicle connectivity, showing things on the entertainment system. You know, demonstrating the capability of an attacker to reach all components of a car. Here’s the truth of it: All cars that are modern today are drive-by-wire: literal wire with packets and networks. It’s not the cable attached to the emergency brake. Are there some vehicles that have that? Sure.
[00:02:57.070] – Matt
But these days, if you turn on your wipers or your radio, it’s because a packet was sent across the vehicle network to do that precise action. We’re in a different realm, and that means that the typical computer security considerations we talk about on a more regular basis apply to our vehicles.
[00:03:16.150] – Steve Maresca
Yeah, I think the attacks we are concerned about, the ones with life-threatening results, happen on a certain class of vehicles, too. You may be buying a new car this year that has a lot of features in it, but it may not be at the level of a Tesla, for example, right?
[00:03:35.230] – Steve Maresca
And those attacks are different anyway. Most of those are going towards things like the sensors that it’s using; the vision it uses to determine if there’s a stoplight. So that’s a little bit different than what your car is probably doing. Sure, those cars are available, but it’s just a different class of vehicle that I’d say most people don’t drive or can’t afford, quite honestly.
[00:03:58.930] – Jason Pufahl
So how much do we have to think about that, though? I’ll speak for myself. I can’t wait for the truly autonomous vehicle, right? I can just sit there and be driven to work. And I think there’s so much good to come out of that space. I think about older people who might not want to have a license, actually, then just move forward with an autonomous vehicle so they can actually get driven around. There are some real benefits to this stuff. I would argue that the risks far outweigh…I’m sorry, the benefits far outweigh the risks.
[00:04:30.730] – Jason Pufahl
But there are probably some legitimate risks. There are some things that we need to bear in mind when you’re maintaining essentially computer equipment, right?
[00:04:37.690] – Matt
Right. And manufacturers are thinking about that, too. Tesla, in 2015, did the first mass over-the-air update to its vehicles in response to an actual security risk. They’re thinking about it. They’re trying to protect consumers and maintain their reputations as much as anything else. I think the more likely impacts for the future include attacks on fleets of vehicles, extraction of data about the whereabouts of vehicles, the metadata of driving and behavior, less about disabling a vehicle remotely.
[00:05:14.110] – Jason Pufahl
So, an attack on a fleet of vehicles…
[00:05:15.550] – Matt
Yeah, we’re talking about rental vehicles or…
[00:05:18.670] – Steve Maresca
The trucking systems…
[00:05:19.750] – Matt
Yeah, the motor panels that might be out there. Rental cars, rental scooters, they’re all tracked. They’re all controllable remotely. The same sorts of thoughts apply to them.
[00:05:29.770] – Matt
Yeah, disrupting truck routes can mean millions of dollars for a company. It could be very akin to ransomware, where things may not be locked up, but you might have redirected all their trucks. That’s a big problem for any logistics company, right?
[00:05:43.270] – Steve Maresca
Yeah. That’s an interesting point. So, again, not intended to be life threatening, which I think a lot of people go down that path. As soon as they start talking about vehicles, it’s, “Well, how does the driver get impacted?” And in reality, I think you’re right. It’s more, “Is there an opportunity here to make money,” right? The criminal [inaudible 00:06:01].
[00:06:01.810] – Matt
We saw recently with the pipeline attacks and the meat plant impacts that ransomware operators are deliberately staying away from ‘life, health, safety’ types of attacks when they’re canvassing their victims. The same, in my opinion, will apply to this type of thing. Cars are connected. They are accessible remotely. They are just as robust as any computer system we have on our desks, realistically. But the actual cost-benefit profit motive of an attack is really the driving consideration. And mass disruption is rarely an actual goal.
[00:06:39.430] – Matt
Yeah, they’re computer systems. Anything you can dream of under the sun is possible, but the actual relative risk is low, in my opinion.
[00:06:48.250] – Jason Pufahl
Right. And going back to what Steve was saying, as far as the manufacturer working to protect the consumer…In a different life, Steven and I actually had a glimpse into how some of that process works, with the OSs that run your entertainment systems and the control systems. They take years and years of development. It’s a very political process, unfortunately, and it’s not like these things get developed and then pushed out a week later. It’s not like the software you’d be using, Microsoft Word, for example. It doesn’t happen that fast.
[00:07:23.890] – Matt
I think that’s actually a benefit in this regard. So, for example, as a result of some of the government-funded research, DARPA-funded in the 2012-2014 timeframe, the National Highway Traffic Safety Administration and the National Transportation Safety Board have published guidelines for automotive manufacturers, their standards [crosstalk 00:07:41].
[00:07:41.470] – Jason Pufahl
They align with NIST.
[00:07:42.490] – Matt
Right. They align with NIST. They align with secure development practices and testing procedures. In our world today, these systems are fairly rigorously tested. That doesn’t mean bugs aren’t present. Attackers will find them. But, realistically, attention is being paid and that scrutiny will only increase going forward.
[00:08:05.050] – Jason Pufahl
[00:08:06.130] – Matt
So shifting a little bit, I think I want to talk about what we can do as individuals, because everything we’re talking about sounds a lot like unattainable, untouchable components of the vehicle.
[00:08:17.890] – Jason Pufahl
Yeah, it doesn’t feel like there’s much we can do.
[00:08:20.710] – Steve Maresca
Right. Yeah. You’re going to get that stuff in your car when you buy a new one.
[00:08:23.350] – Jason Pufahl
And more and more and more, right? You’re talking about, these are high-priced vehicles. The reality is they’re getting more consumer-based all the time, right?
[00:08:30.190] – Steve Maresca
Exactly. Give it five years and you’ll be able to afford one just like you can afford a [crosstalk 00:08:34].
[00:08:35.230] – Matt
Frankly, I think that’s reasonable to assume. And the high likelihood is that you own a vehicle that has some degree of potential risk. But these attacks center around connectivity. Be judicious about what WiFi you use, what Bluetooth connectivity you have. Don’t enable it if you don’t need it. Don’t pair with unknown devices. These are simple things to keep in mind. Don’t plug unknown things into your computer. Don’t plug unknown devices into your car. It’s the same sort of mentality. Patch them if you have the opportunity.
[00:09:11.530] – Matt
If your dealership says you need a software update that they can’t perform remotely, they probably want you to come in for a good reason. Do so. Ultimately, think about what you’re doing, how you interact with the systems in your car, and pay attention.
[00:09:29.530] – Steve Maresca
It’s a privacy issue, too. Where, let’s say you’re selling your car, you’re trading it in for something, make sure you’re actually doing some diligence or asking the dealership to wipe your entertainment systems. The amount of data that some of those things take off of your phone and store is not nice.
[00:09:50.710] – Jason Pufahl
How many times have you gotten into a rental vehicle only to find the previous renter’s contacts, text messages…You’d be surprised at some of the things that actually get stored on those.
[00:09:59.410] – Matt
Related subject: The little plug-in devices that insurers will now distribute to lower your rates? They are information goldmines, and interestingly, they were one of the very first early routes into breaking into cars. Your privacy is at risk when you use those items. And so, potentially, is the security of your vehicle. So if you don’t have to use them, perhaps think twice about it.
[00:10:24.610] – Jason Pufahl
Yeah, you bring up a really interesting point, though, right? So it’s not just a matter of whether there are security vulnerabilities, but you’re in that data-privacy realm in a lot of ways, where you’ve got contacts, you were probably using GPS for the vehicle, right? So who knows…
[00:10:39.060] – Steve Maresca
[crosstalk 00:10:39] …you have a remote start on your phone?
[00:10:42.310] – Jason Pufahl
All kinds of things that you have to be mindful of. And going back to Steve: What you said a little bit around what steps you can take as an individual to protect yourself a little bit–those are really easy ones, right? So, updating your vehicle is maybe a little bit more challenging, potentially, right. There might be a bit more of a complicated approach there. Deleting the information from your entertainment system or your GPS or some of these other things probably isn’t so difficult, right? It’s definitely reasonable.
[00:11:12.430] – Jason Pufahl
One other thing, and I want to be careful with this a little bit because I don’t know if anybody has answers, but we’ve seen credit card skimmers at traditional gasoline pumps, right? One of the things that you said before around, “Well, don’t plug unknown things into your vehicles.” The whole model behind an electric vehicle is drive up to some station somewhere and stick a charging…nozzle (I guess you call it a “nozzle”) into your vehicle, right? I can envision that being a perfect area of compromise, potentially.
[00:11:46.910] – Matt
I can actually say with actual confidence that that is unlikely to be true. Those protocols are actually fairly dumb, like, they use resistors. They’re less about packets and network connectivity devices. Thank God, ultimately.
[00:12:03.230] – Jason Pufahl
So there’s one place you can trust?
[00:12:04.370] – Steve Maresca
Yeah, most manufacturers do…do try to separate those types of control planes, if you will. I’ll call it ‘the more intelligent side,’ where you’re getting a bunch of information or interacting with your car is usually separated from those basic functionality things for that particular reason.
[00:12:26.330] – Jason Pufahl
There’s a little peace of mind there. [crosstalk 00:12:27].
[00:12:27.350] – Steve Maresca
…But, that doesn’t mean that it won’t eventually happen, though, that those things get connected to the same systems. And again, it’s something you can’t really control, right?
[00:12:36.410] – Jason Pufahl
No, I mean, you have to keep driving. So you’ve got to charge where you are, I suppose, unless you only do it at home, which is impractical for most people.
[00:12:44.870] – Steve Maresca
Yeah. I’d say the biggest things that people have to worry about these days are sensors. Honestly, just a quick anecdote here: driving to work today, I had an issue where my car decided that the car in front of me was too close, even though it was quite a few car lengths away, and put the brakes on for me. Not something I asked it to do, but I can see how…I’d say that sensor attacks are probably the thing you’ll see before much else, because that can actually have a kinetic effect, if you will.
[00:13:15.530] – Steve Maresca
…On what’s going on.
[00:13:17.390] – Jason Pufahl
It brings me back to the idea, and we talked about this in some other podcasts: ignoring information that you’re given, right? So we see security devices overwhelming you with information. My car regularly beeps at me when there’s just nothing in the road, right? I don’t know what it’s seen or what it’s detected, but I find now regularly I’ll hear it, and I’m pretty slow to react because I think it over-alerts me.
[00:13:40.550] – Matt
Yes, sensor fatigue is a real issue. It’s very far afield of our topic today, but it’s certainly related to modern enhancements in vehicles. Here’s the thing: We love technology. We are technology evangelists. You hear us occasionally getting a bit paranoid and hopefully, healthily paranoid. Use technology judiciously and you can stay safe. That’s the message, ultimately. And though you may hear about frightening things in the press, it’s not likely to affect [crosstalk 00:14:12].
[00:14:12.590] – Jason Pufahl
Yeah, that’s where the education is, largely, right? But it is interesting because we’re going to see more and more vehicles with more technology come out as the years progress, and certainly there’s a push toward the idea of an autonomous vehicle. There’s no doubt. There’s a whole variety of legal things to chat about in that space, I think. But, in general, we’re seeing it, right? We’re seeing cars that maintain their speed and their distance in traffic today. We’re seeing some that will steer on their own. I mean, they’re not going to bring you from point A to point B unattended, but yeah, 10 years away maybe.
[00:14:47.510] – Jason Pufahl
Maybe that feels optimistic a little bit, but we’re headed that way. So it’s worth starting to think about it.
[00:14:53.450] – Steve Maresca
It’s here to stay. It will just get more prominent.
[00:14:54.950] – Matt
Right. I think I’d like to close with just some things to go take a look at if you’re curious in other areas. Matt and I participated in the DARPA Cyber Fast Track program, now many years ago, and two of our peer researchers in that program were Charlie Miller and Chris Valasek. They did some research in the 2014-2015 timeframe that I think is worth referencing even today. Wired, Scientific American, and Forbes have their material–their videos on YouTube. Go take a peek. It shows you some of what’s possible.
[00:15:29.190] – Jason Pufahl
So I think in closing, I’ll say this: We did debate whether we wanted to do this topic, and for me personally, actually, I found this one to be kind of one of the more fun ones.
[00:15:38.550] – Jason Pufahl
I felt it was a little bit, maybe, all over the place, tangential, a tiny bit. But it’s an interesting space to cover because we all have to drive. Maybe that’s not so true, but a lot of people have to drive. We’re seeing a real push toward smarter vehicles or more capable vehicles all the time. And I think it is worth spending a little bit of time on the security risks. Maybe a little bit the safety risks? The privacy risks for sure. They aren’t the vehicle they used to be. They’re not my 1989 Jeep, right, where it’s a real basic system, I can practically stand inside the hood in that, right? They’re wholly different nowadays.
[00:16:16.330] – Jason Pufahl
As always, if anybody wants to explore this topic a little bit more, feel free to reach out to us on LinkedIn at Vancord or Twitter @VancordSecurity. Steve, Matt, this is fine. Actually, I’m enthusiastically now thinking about the podcasts ahead with the three of us doing it. So I think this is great, and I appreciate you guys joining.
[00:16:33.010] – Matt
Yeah, it’s good as always.
[00:16:33.670] – Jason Pufahl
[00:16:36.190] – Speaker 1
Stay vigilant. Stay resilient. This has been Cybersound.