Your car will be recalled in 2017 thanks to poor open-source security
In the coming year, a high-profile auto manufacturer will be forced to recall vehicles due to a cybersecurity breach for the first time, experts have warned.
Security
Our cars are no longer simply a way to travel from A to B. They are no longer just mechanics, oil, and parts; but rather, they have become reliant on computer systems to function properly.
Everything from in-car infotainment dashboards which connect to the web to vehicle maintenance systems which send alerts to owners when a car needs servicing are now becoming commonplace; and as such, a pathway has been created for attackers to exploit.
A typical new car now contains over 100 million lines of code, and together with an internet connection, vulnerabilities are likely to be found.
We've already seen researchers demonstrating ways in which vehicles can be remotely attacked or broken into -- but according to security experts from Black Duck, these scenarios are going to take a more sinister turn in 2017.
See also: Hackers hijack Jeeps once more, your brakes belong to them
Auto manufacturers are not traditionally software experts and so software solutions are often sourced outside of the company.
It is common for software and online services to contain components which are based on open-source, community-driven technology. While open-source software is crucial to countless applications, bugs can be missed -- and over the past few years, we have seen high-profile open-source vulnerabilities including Heartbleed, Shellshock, and Poodle come to light.
According to Black Duck's vice president of security strategy Mike Pittenger, and director of product marketing Patrick Carey, as so many cars now contain open-source software components, this potential weak link will result in an automotive recall which may impact you in the coming year.
The security experts told ZDNet:
"Open source is used liberally in all types of software today. With thousands of new vulnerabilities disclosed each year, there are many that could be candidates.
The attackers' task is to gain a foothold through whatever means possible, then pivot to accomplish their goal. This could mean taking control of the vehicle, or disabling it."
Hackers focus on vulnerable targets for a variety of reasons, whether it be political, financial, or otherwise. With the exception of perhaps using a software or locking vulnerability in order to steal a vehicle, however, it may not be immediately obvious why vehicles on a large scale could be targeted.
Transport is critical to city infrastructure, and so, the exploitation of an open-source vulnerability in components widely used in cars could be achieved for hacktivism purposes in order to disrupt select areas.
This could include groups which consider gas-guzzling cars a threat to the environment and so turn to sabotage to deter the sale of such vehicles, or operations could even go so far as to be state-sponsored.
For example, taking out a class of vehicle used by first response teams, law enforcement, or government groups could be a way for attackers to take a political stand.
However, the lure of financial rewards may also cause attacks on vehicles to become problematic.
It may be that attackers will target automakers in the future in the quest for a "ransom" of sorts -- similar to how ransomware is used against hospitals to force payouts. The mere threat of an attack can force companies to pay up rather than suffer disruption.
"Call it a bug bounty, if you choose, but the potential for a large payout to prevent a large-scale attack on a major car brand is pretty easy to envision," Pittenger said.
Unfortunately, despite these looming threats, consumers have no control over these situations.
While some over-the-air (OTA) updating systems are used by manufacturers, you cannot pre-emptively patch your own cars, and if your vehicle needs to go back for system repairs there is little you can do but wait.
It will not, of course, just be consumers that will be affected by such attacks. Recalls cause ill-feeling due to the inconvenience and companies may also suffer negative impacts to brands and sales.
In addition, until such security problems are fixed, customers may be put at risk.
If vendors are going to protect themselves, their brands, and their consumers from the consequences of such cyberattacks in the future, there needs to be increased visibility into what open-source software is in use throughout the entire supply chain. Additionally, once vulnerabilities have been identified, it is up to companies to have an established patch system in place to make updating vehicle firmware and embedded software as painless as possible.
"The typical time it takes to address vehicle recalls (months) is out of step with the rate at which security vulnerabilities can be publicized and exploited," the researchers said. "A major recall that is not easily remediated (e.g., the software requires months to fix due to its interaction with other software and hardware) could be catastrophic to a brand."