In keeping with our research into the Internet of Everything, I wanted to look more in depth at the question “what could possibly go wrong” with regard to a recent proposal by the United States Transportation Safety Board (NTSB) calling for vehicles to be able to wirelessly “talk” with one another to help prevent crashes.
The proposal is one of several to come out of the NTSB’s investigation into two fatal accidents between school busses and trucks. On the face of it the proposal is straightforward and makes sense. The NTSB is recommending that the National Highway Traffic Safety Administration (NHTSA) develop standards for wireless vehicle-to-vehicle communication that could be used for smarter collision avoidance technologies. Once those standards are in place, the NTSB says, the NHTSA should then require it be installed in all new vehicles.
Put simply, the NTSB is saying that in the future all cars and trucks should be able to “talk” directly so they can help drivers prevent collisions.
In itself, this isn’t a new idea. A system like this has been successfully used for years to help prevent airline collisions. That system, called Traffic Collision Avoidance System (TCAS), has been mandatory in the United States since 1986 and is credited with successfully preventing numerous mid-air collisions over the years.
What is new, though, is that cars in 2013 have more integrated systems and direct Internet connections that airplanes didn’t have in 1986. And this raises new potential threats and risks.
Trend Micro’s Forward Threat Research Team (FTR) has been doing research into the Internet of Everything, including cars. I was able to ask Martin Roesler, the head of FTR, about some of the possible threats and risks this proposal could face based on their research.
First of all, he explained that even without this, in-car technology has been converging to create a single integrated network for all the systems. As cars have developed more sophisticated electronics, two separate de facto networks have emerged in them: a CAN bus network for the drive systems (steering, navigation, etc.) and a network for the entertainment system (radio, CD, MP3). Over time, these two separate networks have been slowly converging into a single network.
Even without this proposal, these merged networks are already facing new threats and risks as manufacturers connect these now-unified in-car networks to the Internet for things like streaming music, web browsing and navigation systems.
And the consequence of compromise of these systems is already very real. He explained to me that researchers have been able to compromise the entertainment systems and use that to jump to the navigation system and successfully make a car’s brakes engage. It’s not a big leap to conclude that a successful compromise of the system to engage the brakes means it’s also possible to disengage them and possibly cause a true crash with injuries or even fatalities.
By also including an Internet connection to these systems, manufacturers make it possible for these attacks to be carried out from anywhere on the Internet. The old rule of “if you can hit it on the Internet, it can hit you back” applies here.
Against this backdrop of current threats cars are facing, the NTSB proposal to add peer-to-peer wireless connections to the mix only increases the risks even more. As Martin noted, proposals like this “start with the assumption of ideal roads. They don’t look at the possibility that vehicles will be malicious”. Here again is the root of “what could possibly go wrong” not being asked.
Adding peer-to-peer networking capabilities to these networks opens a new vector for remote attacks, one that can actually make it easier to locate specific targets. Locating a specific target vehicle by networked IP address on the Internet can be a challenge; finding that vehicle by having someone follow it is a lot easier. Low-tech tactics can still be the most effective and this is an area where that can be the case. An attacker that is able to identify and follow a target vehicle while in range of its mandatory anti-collision WiFi transmitter would be able to carry out similar proximity/location-based attacks to what we see against WiFi and Bluetooth today. Going back to the results of the research that FTR has already done, if an attacker is able to access the CAN bus system through the WiFi transmitter, they could manipulate the vehicle’s steering, navigation or other critical systems with full control.
What makes embedded systems like those in vehicles particularly worrisome is the fact that often little thought is given to updating these systems as attackable vulnerabilities are found. Martin noted that FTR’s research shows that around 90 percent of onboard systems run Linux. How are these systems being updated when vulnerabilities are found? Based on my own experience in the security response world, I can say that very few of them are. Not many people are giving thought to the question of how to “patch” a car. And that’s a problem.
This isn’t to say that the NTSB’s proposals shouldn’t be followed. But it is to say that security and privacy need to be key components of the discussion now. A vulnerability in a mandated technology poses broad, unique risks and is an attacker’s dream. Integrating proper security and privacy requirements that include active security countermeasures and updating capabilities is critical.
And the time to do this is now: some of the pieces of this possible attack scenario are already in place and others are quickly falling into place. Unless we start asking car makers what security and privacy protections they’re including now, we’ll once again be playing catch-up around risks and threats in a new technology connected to the Internet.