Study highlights the importance of manufacturers reviewing the design of the cyber systems that control future automobiles
 
Researchers and engineers have already found several ways to break into cars connected to the Internet. Recent proof-of-concept hacks (such as the famous Chrysler Jeep hack) reported vulnerabilities specific to particular car models or brands, which were quickly resolved once identified.
 
Trend Micro, a company specializing in defense against digital threats and security in the cloud era, sought to examine how the security industry responds when it finds a hack that is not only successful but can also drastically affect the performance and function of the automobile.
 
Currently, there is no technology capable of protecting the modern car. Resolving this completely would require broad and comprehensive changes in standards and in the way in-vehicle networks and devices are built. Realistically, it would take an entire generation of vehicles for this vulnerability to be addressed, not just an OTA (over-the-air) recovery or update.
 
Trend Micro's Future Threat Research (FTR) team, along with the collaborative research efforts of Politecnico di Milano and Linklayer Labs, raised a number of questions to see what changes could improve this scenario.
 
What are the characteristics of the recent tests of hacker attacks on connected cars?
 
These attacks disable a device (for example, the airbag, parking sensors or active security systems) connected to the car's device network, in a way that is unnoticeable to state-of-the-art security mechanisms.
 
What are the main conclusions of this research?
 
Gaining access to someone else's vehicle has become a common situation, with many legitimate use cases. It is time for standardization bodies, decision makers and car manufacturers to take this change into account and review the design of the cyber-physical systems that control future automobiles so that they can be protected.
 
Was the "Jeep hack" the most advanced attack so far?
 
The "Jeep hack" was indeed very advanced and effective. However, currently available in-car cyber security technology (for example, an aftermarket IDS/IPS) can detect this attack, because it requires frame-injection capability. In addition, car manufacturers could simply update the software running on a car device to fix the vulnerabilities exploited by this attack.
 
Remote vs. Local Access: The vulnerabilities of modern cars
 
Many car hack concepts and vulnerabilities are dismissed because they require local access to the car. First, an attack can be triggered through any remotely exploitable vulnerability that would allow an attacker to reprogram an ECU's firmware. Second, local attacks must also be taken seriously. Traditionally, the scenario in which an attacker can access a car in this way has been not only rare, but also very risky. Current transport trends, such as car sharing, hitchhiking and car rental, mean that many people can have local access to the same car. As such, a paradigm shift in vehicle cyber security must take place.
 
Mitigation
 
Mitigating this specific security issue will not be easy, as the vulnerability is in the design itself and cannot be fixed immediately. Any worthwhile solution would require a drastic change in regulation and policy, and it would take a whole generation of vehicles for it to be adopted.
 
In the technical dossier, entitled "Vulnerabilities in modern automotive standards and how to exploit them", Trend Micro details the findings regarding specific vulnerabilities. The mechanics of the attack and the recommendations for mitigating this vulnerability are also explained.
