The Information Security Analyst sat quietly in the audience. He had driven for hours to hear this presentation, and he could barely believe what he was hearing. The speaker, the head of a government organization, an organization responsible for protecting his country’s information systems, was downplaying the importance of automotive cyber security, comparing those worried about the situation to “Chicken Little,” running around and complaining that the sky was falling. “Wow,” he thought. “Does this guy just not understand the situation, or is he pretending that it isn’t a problem for some reason?” The analyst knew full well there was a problem, because he had read two important papers on the topic.
The first was titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces.” The second was titled “Experimental Security Analysis of a Modern Automobile.” These two papers, both written by a team of researchers from the University of California, San Diego and the University of Washington, painted a very different picture of automotive cyber security. Not only did the papers point out that there were vulnerabilities; the researchers also demonstrated exploits against those vulnerabilities. Three experiments were most notable. First, they demonstrated that it was possible to hack a vehicle through a music file, which would play fine on a computer or a stereo system, but would deliver software updates to onboard computers called Electronic Control Units (ECUs) when played on a vehicle stereo system. Next, they demonstrated that it was possible to hack a car while the car was in motion, disabling the brakes at 40 miles per hour. Finally, they demonstrated that multiple cars could be hacked and then commanded to respond to remotely issued commands in unison. This was done while the cars were geographically separated by a large distance.
The authors left it to the reader to speculate what sort of major cyber-attack might be possible should some gifted hacker, terrorist group or some nation state decide to get very nasty. The idea of millions of cars simultaneously losing their brakes while driving over 55 mph came to the analyst’s mind. “Guess that means I’m Chicken Little,” he thought. “Well, at least I’m not running around claiming the sky is falling.” Of course, he would do something about it. He was planning to get another car. This car would be cyber hardened because it would contain no ECUs. This car would be a 1966 Corvette.
Two important papers on automotive cyber security…
copyright 2013 NetChime Research LLC, All rights reserved.