Ransomware: The Next Big Automotive Cybersecurity Threat?
Dozens of researchers have now shown that it’s possible to hack into a car and commandeer its controls. But in the real world, such dire automotive cyberattacks have yet to materialize.
That shouldn’t lull anyone into a false sense of security. Both terrorists and hackers pose a serious threat to connected automobiles, and as many as three-quarters of new cars are expected to have internet connectivity on board by 2020, according to John Carlin, assistant attorney general for national security at the U.S. Department of Justice. Carlin said many vehicles, including self-driving cars, may soon be in danger of having their systems compromised. Also recognizing the problem, the National Highway Traffic Safety Administration (NHTSA) has just issued Cybersecurity Best Practices for Modern Vehicles, a guide for the auto industry.
“We’re on the cusp of a transformation, and the auto industry is at the front of that transformation,” Carlin said. “We can’t make the mistake again of not building in cybersecurity by design on the front end and preventing espionage or loss of life.” One of the most ominous cyber threats to cars could be the use of ransomware, a type of malware that literally locks users out of their systems (in this case, cars) until they pay a ransom to regain control.
That scourge has affected thousands of computer systems, ranging from individual PCs to networks in hospitals and other institutions. In a typical ransomware attack, the user is locked out and his or her data is encrypted or otherwise made inaccessible. Too often, the only recourse has been to pay.
“The current ransomware business model works well because the attackers ensure that the cost paid is well worth the data restored,” explained Tony Lee, technical director at security research firm FireEye. “Can home users put a cost on precious family photos or financial documents? Can organizations put a cost on critical information necessary to conduct business? If that answer is yes and the cost is low enough, the ransom will be paid.”
The same rationale can be extended to vehicles. Approximately 250 million connected cars are expected to be on roads worldwide by 2020, according to a 2015 analysis by technology consulting firm Gartner, making connected cars the next potential market for hackers. These attacks could range from simply locking motorists out of their vehicles to locking them inside; a more ominous scenario could allow hackers to freeze the ignition, essentially “bricking” the vehicle and making it completely unusable.
Stephen Cobb, senior security researcher at security provider ESET, recently coined the term “jackware” to identify this specific kind of automotive ransomware. He says that, although it hasn’t yet been encountered, there is little doubt it is already in development.
“The computer systems are designed, features are designed, products are brought to market, and people adopt them,” he said. “On the other side, hackers speculate, probe, develop a proof of concept, attack, and then finally monetize the threat.”
Fleets Might Be a Top Ransomware Target
Ransomware has long relied on social engineering to be successful, disguising itself in what might appear to be a helpful warning to fool unsuspecting users into exposing their operating systems. Think back to warnings you may have received that your computer was infected with a virus and you needed to pay to have it cleaned.
In vehicles, that could appear to be anything from warnings about vehicle warranties and services to notifications that a satellite-radio subscription will soon expire to threats of traffic violations. An unsuspecting motorist could react quickly to such a warning, and suddenly find the vehicle locked or worse.
“The bigger threat could be the possibility of disabling the vehicle in some way,” Lee said. “For example, locking the vehicle, disabling the ignition, or engaging the emergency brake. The variety of ransomware will only be limited by the attacker’s creativity.”
If there’s good news, it’s that the effectiveness of any type of this scareware will quickly decline once motorists become aware of the avenue of attack.
Consumer vehicles may not be the primary target for these directed attacks, however. Commercial businesses and government agencies could find themselves on the receiving end of targeted attacks that take out an entire fleet of vehicles.
“Fleets and infrastructure act as a multiplier,” Lee said. “For example, if the average individual could pay $20 to regain control of their vehicle, imagine what a car-rental organization could pay, especially when they consider the cost for their loss of business and reputation. For well-organized attackers, this may end up being a numbers game, which may be similar to credit card theft and sale.”
What Auto Execs Can Learn from Aviation
Nearly three-quarters of vehicles sold this year will have a telematics system, according to Colin Bird, senior analyst of automotive technology at IHS Markit, and the likelihood of attacks will increase as more vehicles become more connected. At the same time, vehicle defenses haven’t yet caught up to the potential problems.
“There is no firewall between the telematics and data buses,” Bird said. “Right now, we’ve seen how hackers can take control by accessing the software ports, but they can also use RFID connections and soon it will be through the unprotected telematic systems. Right now, only certain OEMs are being proactive and are starting to install firewalls, but again, most cars have no security in place.”
In catching up, the automotive industry may take a cue from other sectors in the transportation industry. Travel-technology provider SITA released its 2016 Airline Passenger IT Trends Survey, which found that 91 percent of airlines plan to invest in cybersecurity. That came after hackers infiltrated U.S. air-traffic-control systems last year, which grounded planes and put the detailed travel records of millions of people at risk.
In September, an FAA advisory committee recommended that cybersecurity measures be taken to ensure that airline systems, as well as aircraft, can’t be hacked. That included calls for future industry-wide standards that could affect everything from aircraft design to flight operations to maintenance practices.
The auto industry will have to follow a similar plan, especially since there are already so many aftermarket products that run on proprietary software. Those efforts are underway; the Automotive Information Sharing and Analysis Center (Auto-ISAC), a voluntary group of automakers and key suppliers focused on emerging cyber threats, started up in January.
But in the automotive world, the threats may be more complex. Today, a car can have upward of 30 million lines of code, meaning there are increasing opportunities for someone to do the wrong thing.
If there’s some solace, it’s that OEMs are using numerous operating systems, which limits the potential for hackers to target systems that are widely adopted. But that’s not as important as another factor, says Lee.
“Operating-system versions will most likely not limit attackers as much as a lack of reliable remote connectivity,” he said. “If exploitation of the vehicle requires physical access, the damage will be more limited than that of a remote exploit. But we do not believe the threat can be overstated.”
The DOJ’s Carlin, speaking at the inaugural Billington Global Cybersecurity Summit in July, was more blunt.
“Think of the terrible, tragic incident in Nice, where [attackers] used a heavy truck, and we know people are experimenting with autonomous heavy trucks, and it shouldn’t take too much imagination,” he said. “We know terrorists want to kill through experimental and splashy ways. They want to drive trucks into civilians, and it’s not too much to think they can hack a car and do the same thing.”