This fall, Sentryo invites you to take a look back at a series of emblematic cyberattacks: discover the first episode of the saga The Sentryo Files: Industries vs. Cyberattacks with the hijacking of a connected car.

Hijacking of a connected car

In 2015 in the United States, two security researchers successfully took control of a car, thus forcing the manufacturers to recall the vehicles (more than 1.4 million) as a result of the flaw. This cyberattack shed some light on the risks related to connected cars.

How did the attack play out?

It all started with a video published by Wired magazine: Andy Greenberg, a journalist who specialized in new technology, was driving a Jeep Cherokee on the highway when two people remotely took control of the IT systems.

The two hackers were actually IT security researchers (Charlie Miller and Chris Valasek) who, through this experiment, wanted to demonstrate the risks related to connected car technology.

The two researchers managed to turn the radio on, pump up the volume and activate the windshield wipers. They also managed to stop the motor and prevent the driver from restarting it. To top it all off, they even disconnected the Jeep’s brakes!

A security flaw

Some vehicles have an option that allows drivers to control the on-board console via Wi-Fi, while others are even connected to the GSM network. In this case, all the researchers had to do was use a GSM antenna to gain remote access to the on-board console. This console was connected to a CAN bus (the internal network connecting a vehicle's components) through another component, the V850.

By modifying the firmware of the V850, the researchers were able to send commands to the vehicle and take control. This security flaw is similar to those found in the IIoT.

What protections are there against this type of cyberattack?

The researchers estimate that 471,000 cars were affected by the flaw they discovered. The goal of this experiment was to warn automobile manufacturers because “perhaps the software bug is what is most likely to kill someone”, affirms Charlie Miller.

To ward off this type of malicious intrusion, vehicles, like industrial IS, must separate vital transport features from entertainment features. Access to a vehicle’s IT system must be protected:

  • The Wi-Fi password shouldn’t be predictable (i.e., based on the date the vehicle left the factory).
  • Access control mechanisms must protect vehicles from unauthorized actions.

The following measures could have provided protection from this type of cyberattack:

  • Use an algorithm to generate an unpredictable password.
  • Implement Security by Design in order to limit privileges of software components.
  • Set up a mechanism that prevents the firmware of a V850 controller from being updated without code signing.
  • Ensure the filtering of communications between the V850 controller and the CAN Bus (ACL, firewall, etc.).
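
The last measure in the list, filtering between the head-unit side and the CAN bus, can be sketched as a default-deny gateway ACL. This is an added example, not code from the original article, the researchers or any manufacturer; the struct layout, CAN IDs, payload lengths and rate limits are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic CAN frame as the gateway sees it (hypothetical layout). */
struct can_frame_in { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* One ACL entry: a frame the head-unit side may send to the vehicle bus. */
struct acl_rule {
    uint32_t id;          /* exact 11-bit arbitration ID allowed */
    uint8_t  dlc;         /* exact payload length required */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* time the last frame was forwarded */
    bool     seen;        /* false until the first frame is forwarded */
};

/* Constructed IDs and limits, for illustration only. */
static struct acl_rule acl[] = {
    { 0x3A0, 2, 100, 0, false },  /* infotainment status A */
    { 0x3B4, 1, 500, 0, false },  /* infotainment status B */
};
enum verdict { FWD, DROP_ID, DROP_LEN, DROP_RATE };

/* Default deny: forward only frames matching a rule in ID, length and rate. */
enum verdict gateway_filter(const struct can_frame_in *f, uint32_t now_ms)
{
    if (f->id > 0x7FF) return DROP_ID;   /* not a valid 11-bit ID */
    if (f->dlc > 8) return DROP_LEN;     /* classic CAN carries at most 8 bytes */
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++) {
        struct acl_rule *r = &acl[i];
        if (r->id != f->id) continue;
        if (r->dlc != f->dlc) return DROP_LEN;
        /* Unsigned subtraction stays correct across tick-counter wraparound. */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return FWD;
    }
    return DROP_ID;  /* anything not listed never reaches the bus */
}

int main(void)
{
    struct can_frame_in ok = { 0x3A0, 2, {0} }, other = { 0x1F0, 8, {0} };
    int a = gateway_filter(&ok, 1000), b = gateway_filter(&ok, 1050);
    printf("%d %d %d\n", a, b, gateway_filter(&other, 1100));
    return 0;
}
```

Because the rule table lists only what the entertainment side legitimately needs to send, a compromised head unit cannot inject frames for any other ID, length or rate through this gateway.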

This attack, aimed at raising awareness, forced the automobile industry to face up to its responsibilities. Two people, admittedly with excellent technical knowledge but equipped with only a GSM antenna bought on eBay, were able to take control of a vehicle, so car makers need to be aware of the risks that come with connected cars. This attack also sheds light on the threat of cyberattacks in the industrial sector, as demonstrated by these 4 most emblematic industrial cyberattacks.

Sources: reports drafted by the SCADA work group of the French Information Security Club (Clusif) in 2017.