This post results from the project “Carsec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). The project Carsec focusses on Cybersecurity topics for connected / self driving cars.
Within the past month, cybersecurity has made numerous headlines as attackers’ started taking advantage of the shift to virtual work. From the Colonial Pipeline hack that shut down much of the east coast’s gas supply, to the JBS attack that wiped out a portion of the United State’s meat supply. The need for security is finally becoming a consideration for many companies as they attempt to navigate an increasingly connected and vulnerable world. It’s becoming clear that blackhat hackers will continuously attack every part of the available infrastructure. With this being said, it’s clear that organizations need to strengthen their defenses. Included in those organizations are the world’s automobile manufacturers. This wasn’t always inherently obvious, as older cars were all mechanical, but as we move closer and closer to autonomous cars the need for security grows.
Fortunately, most new cars are being designed with security in mind. The trouble comes from the cars that are a little older, think five to ten years old, who have some technology (such as Bluetooth) but aren’t currently on the radar of auto manufacturers. These are the cars that can be the most vulnerable, as they weren’t designed with security in mind, and no new patches or updates are being delivered (or are even able to be delivered). Similar to how phones get security updates, cars can also receive patches, but doing so usually requires trips to the dealership (and potentially money), which most people do not do. All of this comes together to mean that there could be thousands upon thousands of vulnerable vehicles on the road today.
This fact became overwhelmingly clear in 2015 when two researchers (Charlie Miller and Chris Valasek), exploited vulnerabilities within a car remotely. Utilizing insecure wireless and mobile telecommunication stack within modern cars, they were able to remotely control the car from almost anywhere. This includes braking, steering, acceleration, even seemingly less important features such as the radio. After disclosing their findings to Chrysler, and seeing no changes, they disclosed their findings to Wired Magazine who made the information known to the public (video can be found here). Unbeknownst to them at the time of discovery, their vulnerability applied to 1.5 million cars.
Governments soon realized that they needed to lay out guidelines for auto manufacturers, as many weren’t concerned about cybersecurity even after seeing the effects that an exploit could have. This is where the main chunk of my research came from. The main guideline, named ISO-21434, is still being developed. This leads me to one of my biggest issues; the fact that this is being developed behind closed doors, making finding information about this standard fairly difficult. However, there are numerous second-hand accounts of the regulation that I was able to get information from. This standard serves to provide the first set of rules and regulations related to cybersecurity for manufacturers. It includes risk assessment methods, including asset identification, threat analysis, impact assessment, and vulnerability analysis. As well as the methods to manage, monitor, and respond to any incidents during every phase of the automobile’s life cycle. There were a few other regulations that I focussed on, but ISO-21434 will certainly be the most important in my research.
For the course of the summer, I’ve been tasked with researching automobile security as part of my internship with the Munich Cyber Security Program. This being a topic that was fairly foreign to me, I had to gain a little bit of background knowledge. Figure out exactly what I would be looking into, and why it was relevant. The information laid out in this first post is the baseline research that I looked into during my first week. The second piece of my internship will be completing weekly blog entries that will serve as documentation of my work. Each week, I’ll be posting to my LinkedIn profile. From here, my research could branch out in many ways, so be sure to keep an eye out for my next update.
Follow us for more updates on this project!
For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de
Written By: William Alber '22 // Computer & Digital Forensics