In the coming year, a high-profile auto manufacturer will be forced to recall vehicles due to a cybersecurity breach for the first time, experts have warned.
Our cars are no longer simply a way to travel from A to B. They are no longer just mechanics, oil and parts; but rather, they have become reliant on computer systems to function properly.
Everything from in-car infotainment dashboards which connect to the Web to vehicle maintenance systems which send alerts to owners when a car needs servicing is now becoming commonplace; and as such, a pathway has been created for attackers to exploit.
A typical, new car now contains over 100 million lines of code, and together with an Internet connection, vulnerabilities are likely to be found.
We’ve already seen researchers demonstrating ways in which vehicles can be remotely attacked or broken into – but according to security experts from Black Duck, these scenarios are going to take a more sinister turn in 2017.
Auto manufacturers are not traditionally software experts and so software solutions are often sourced outside of the company.
It is common for software and online services to contain components which are based on open-source, community-driven technology. While open-source software is crucial to countless applications, bugs can be missed — and over the past few years, we have seen high-profile open-source vulnerabilities including Heartbleed, Shellshock and Poodle come to light.
According to Black Duck‘s vice president of security strategy Mike Pittenger and Patrick Carey, director of product management, as so many cars now contain open-source software components, this potential weak link will result in an automotive recall which may impact you in the coming year.
The security experts told ZDNet:
“Open source is used liberally in all types of software today. With thousands of new vulnerabilities disclosed each year, there are many that could be candidates.
The attackers’ task is to gain a foothold through whatever means possible, then pivot to accomplish their goal. This could mean taking control of the vehicle, or disabling it.”
Hackers will focus on vulnerable targets for a variety of reasons, whether it be political, financial or otherwise. With the exception of perhaps using a software or locking vulnerability in order to steal a vehicle, however, it may not be immediately obvious why vehicles on a large scale could be targeted.
Transport is critical to city infrastructure, and so, the exploitation of an open-source vulnerability in components widely used in cars could be achieved for hacktivism purposes in order to disrupt select areas.
This could include groups which consider gas-guzzling cars a threat to the environment and so turn to sabotage to deter the sale of such vehicles, or operations could even go so far as to be state-sponsored.
For example, taking out a class of vehicle used by first response teams, law enforcement or government groups could be a way for attackers to take a political stand.
However, the lure of financial rewards may also cause attacks on vehicles to become problematic.
It may be that attackers will target automakers in the future in the quest for a “ransom” of sorts — similar to how ransomware is used against hospitals to force payouts. The mere threat of an attack can force companies to pay up rather than suffer disruption.
“Call it a bug bounty, if you choose, but the potential for a large payout to prevent a large-scale attack on a major car brand is pretty easy to envision,” Pittenger said.
Unfortunately, despite these looming threats, consumers have no control over these situations.
While some over-the-air (OTA) updating systems are used by manufacturers, you cannot pre-emptively patch your own cars, and if your vehicle needs to go back for system repairs there is little you can do but wait.
It will not, of course, just be consumers that will be affected by such attacks. Recalls cause ill-feeling due to the inconvenience and companies may also suffer negative impacts to brands and sales.
In addition, until such security problems are fixed, customers may be put at risk.
If vendors are going to protect themselves, their brands and their consumers from the consequences of such cyberattacks in the future, there needs to be increased visibility into what open-source software is in use throughout the entire supply chain. In addition, once vulnerabilities have been identified, it is up to companies to have an established patch system in place to make updating vehicle firmware and embedded software as painless as possible.
“The typical time it takes to address vehicle recalls (months) is out of step with the rate at which security vulnerabilities can be publicized and exploited,” the researchers said. “A major recall that is not easily remediated (e.g., the software requires months to fix due to its interaction with other software and hardware) could be catastrophic to a brand.”