'

How automakers are tackling connected vehicle vulnerability management

A new report suggests that front-end security in smart vehicles is improving but the back-end is a different story.

A car was once simply a way to go from A to B and whether or not you purchased a cheap runaround or a luxury model, they all simply had one purpose: travel.

However, our vehicles are now becoming smarter. Rear-view cameras, GPS-based map assistants, mobile apps, self-driving features, and always-on connectivity are becoming common, such as through Apple CarPlay and Google's Android Auto.

Vehicle connectivity provides a new channel for the collection of data, a valuable commodity for automakers and technology vendors. However, this conduit requires Internet access -- and this, in turn, has created a channel in which attacks can be performed.

It was back in 2015 that cyberattacks levied against our means of transport first hit the spotlight. IOActive researchers were able to compromise the Uconnect connected car system in order to remotely control a Jeep and send it off the road.

This was only the beginning. Another attack involving a Jeep permitted attackers to take control of the brakes; security flaws have been found in vehicles which enable unlocking; vulnerabilities in infotainment dashboards were uncovered to grant remote access, and an exploit was developed which could disable security features on most modern vehicles.

TechRepublic: PCI compliance slipping for first time in 6 years, but IT remains on top

Engineers and consultants from IOActive have been tracking the threat landscape relating to connected vehicles since 2012. According to a white paper documenting the research (.PDF), based on thousands of hours of work on vehicle hardware systems between 2016 and 2017, modern attack vectors can include exploits relating to Bluetooth, cellular connections, Wi-Fi, vendor interfaces, and external storage such as USB drives.

IOActive has compiled data during the 2016 - 2017 period to examine the commonalities of vulnerabilities relating to connected vehicles.

The researchers say that the majority of vulnerabilities present in connected vehicles are considered "medium impact," and may result in information disclosure and compromised network connections such as Man-in-The-Middle (MiTM) attacks or eavesdropping.

See also: Hackers hijack Jeeps once more, your brakes belong to them

However, these types of bugs are not of the most serious kind -- such as those which permit remote code execution (RCE) or persistence in a system.

According to the firm, this represents a "significant drop" in the number of critical-impact vulnerabilities from previous years, a reduction of roughly 15 percent.

"We've seen significant growth in the design of vehicle systems to incorporate security from the start," IOActive says. "This includes making sure that the processes that handle data are running with limited privileges, which helps lower the impact of the most likely attacks."

screen-shot-2018-09-27-at-11-22-11.png

When it comes to the likelihood of vulnerabilities being exploited, the research team says most vulnerabilities could either "only be exploited by advanced attackers or may require another compromise to be exploitable."

screen-shot-2018-09-27-at-11-29-56.png

The most common attack vectors described in the report were local and network-based.

Local attacks require credentials or another kind of foothold in the system, whereas network-based vectors are wider in scope and can include intrusion through third-party systems or software.

CNET: Trump OKs 'offensive cyber operations' as deterrent against US rivals

The team also noted a rise in serial attacks, which may include modifying a vehicle's firmware, eavesdropping on information exchanged between components, and abusing debugging systems.

However, physical access to a device is required to take advantage of this attack vector.

screen-shot-2018-09-27-at-11-37-05.png

"The large increase in local and serial attacks can be attributed to a shift in testing approaches," the researchers note. "As security has become a more prevalent concern, more companies are providing documentation and debugging access to help identify vulnerabilities inside their systems. The automotive industry is also taking more of an interest in lower-level security features, like secure boot, which is reflected in the areas we end up testing."

The most common vulnerabilities reported by IOActive were coding logic errors, which bypass program logic rather than exploit technical flaws in data handling. In addition, memory corruption security flaws, privilege escalation bugs, and information leaks were also frequent.

screen-shot-2018-09-27-at-11-43-53.png

The report has also explored how automakers tackle the remediation of security flaws. Low-level fixes, for example, may include patches or configuration changes; whereas critical vulnerabilities may demand complete system overhauls.

IOActive found that the majority of vulnerabilities were easy to fix, but as "low-hanging fruit" bugs could be resolved with quick changes, the effort required to resolve new vulnerabilities has gone up.

The automotive industry needs to pay more attention to industry best practices, IOActive says, as this could resolve many of the problems the industry faces when it comes to cybersecurity. By following guidelines issued by groups such as OWASP or Auto-ISAC, vendors can learn how to prevent security issues such as authentication and filtering problems which can be exploited by attackers.

Automakers are improving their cybersecurity practices, but back-end systems, in particular, need to catch up. As threat actors are continually developing new tools, exploits, and tactics, those responsible for the way we travel have a responsibility to mitigate such threats to our safety and privacy through the eradication of vulnerabilities, better patch management processes, and by following industry guidelines.

Previous and related coverage