Security researchers Charlie Miller and Chris Valasek recently highlighted a series of automotive vulnerabilities when they hacked a Chrysler jeep driven by Wired journalist Andy Greenberg. Indeed, the duo managed to (wirelessly) assume control over dashboard functions, steering, transmission and brakes.
Image Credit: Wired
Shortly after the widely publicized hack, Chrysler confirmed it would be issuing a software update (patch) on USB drives for jeep owners to install via their dashboard ports. The automotive manufacturer also said it was taking steps to block digital attacks with network-level security measures.
“If you hack into my car’s head unit and change the radio station, I don’t care. I can live with that,” Miller told ComputerWorld’s Lucas Mearian. “If you can hack into my head unit and make my brakes not work, then that’s a different story. “
According to Mearian, Miller and Valasek tapped into the Jeep’s head unit and subsequently accessed the vehicle’s control area network (CAN).
“The CAN bus is very simple and the messages on it are very predictable. When I start sending messages to cause attacks and physical issues, those messages stand out very plainly,” Miller explained. “It would be very easy for car companies to build a device or build something into existing software that can detect CAN messages we sent and not listen to them or take some sort of action.”
Joe Gullo, the senior director for Rambus Ecosystem strategy and development, expressed similar sentiments.
“Vehicles today are essentially a network of networks – equipped with a range of embedded communication methods and capabilities,” he said. “In addition to CAN, these include WiFi, USB, Bluetooth, OBD II (On-Board Diagnostic System), FlexRay and automotive Ethernet. Unfortunately, most automotive network communications remain unsecured despite very real risks such as ECU (electronic control unit) tampering.”
According to Gullo, adopting a hardware-first approach to security and implementing the necessary functionality on the SoC level is a key element of securing embedded automotive technology.
“The Chrysler jeep hack was definitely a popular topic at the recent 2015 Automated Vehicles Symposium. During multiple discussions with industry peers, I emphasized that a software-centric security approach for vehicles will inevitably require frequent patches due to unforeseen vulnerabilities,” he explained.
“Moreover, what happens 8 or 10 years from now when an automotive company chooses to discontinue critical software updates? To avoid potentially dangerous scenarios – as highlighted by the now infamous Chrysler hack – vehicle manufacturers should focus on designing strong hardware-based security and isolation mechanisms that offer uncompromising protection against various forms of attack.”