Interesting that I read about automotive manufacturers being able to remote control your cars. There have been rumours about this for some time, just as there have been about commercial aircraft. It was back in 2015, when PTP was still an investor, that I discussed with Ken Munro the idea of driving a car on stand at InfoSec. At that time compromises were limited to standardised input control systems like stereos, and then poorly implemented in-car Wi-Fi. This was certainly the case in European builds, and we were not able to gain sound forensics / useable evidence either. However, manufacturers assured people these systems were not linked to driving functions. So, the hack demonstrated only access via Wi-Fi, and unlocking the car / disabling the alarm, which was disappointing.

With technology advancing, coupled with the advent of 5G access, we have seen a trend to add enhanced access, location beacons, the ability to respond to geofences, etc. This has been coupled with the reduction in mechanical interfaces to perform functions like acceleration, braking, steering and more. We also know that active technology is being used to provide driver assistance – lane warnings, active crash avoidance and even driverless solutions. These active technologies in cars are becoming more pervasive, and emergency systems need to have access to the communication equipment. Manufacturers are not putting in more than one communication solution for this, so these systems will use the same service. As such, these systems must be connected within the car.

So, what happens if they suffer from flaws and need to be updated? Is this all being done at service?  No. This requires connections to the mobile network, and based on what we have seen to date, most companies fail to keep their own devices up to date.  What about your car, is that important after they have the sale and your cash?  If they do update it, what happens if they release software that itself has security issues?

Anyone watch humans? If so, people always want to hack stuff to see what happens. This is human nature, you build it – someone will break it. The government has put tax money into driverless cars, which is a great thing for innovation. Let’s hope their coffee / Red Bull budget is not larger than their security budget, as is the case in lots of organisations!

What happens next?  It is interesting that the leak of the ‘Vault 7’ information from the CIA suggests weaponised hacks already exist.  It also states that the forensic evidence left behind is non-existent. This is likely to be the case as the ability to log commands and provide tamper resistant / evident protection is usually severely limited / compromised in most IoT.  It is also unlikely that any of these commands will be independently logged by a service provider in a meaningful way (although I am sure there is a great annuity revenue stream for a company here). So how do you prove your Wi-Fi kettle burnt down your house deliberately or someone else crashed your car?

Limitation in the forensics information available

Currently there is limited information on this that is generally available.  It is highly likely that there are going to be only two viable options:

1. The use of black box systems, akin to those of aircraft, that employ tamper resistant and tamper evident solutions;

2. Independent standards for the inclusion of active and passive security methods that can provide independent evidence in the case of tamper.

This may still not help the end user at the time though. If you can use weak crypto in a pacemaker to assassinate someone, you can certainly use a car. There needs to be some independent research and development of standards conducted. This would lead to assurance that there is a minimum level of security that is built in, who / what has access, and how, if it all goes wrong, an investigation can occur in a meaningful and legally sound manner.
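To make "tamper evident" concrete, here is a minimal sketch of a command log in which every record is chained to the one before it and the latest head value is lodged with an independent witness. It is an added example, not code from Risk-X or any manufacturer; the key, the record fields and the function names are assumptions made for illustration.

```python
import copy, hashlib, hmac, json

GENESIS = b"\x00" * 32  # chain start value (assumption)

def _tag(key, prev_tag, entry):
    # The MAC covers the previous record's tag, so each record commits to all history before it.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()

def append(log, key, entry):
    """Append an entry; return the new head tag (hex) to lodge with an independent witness."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"entry": entry, "tag": _tag(key, prev, entry).hex()})
    return log[-1]["tag"]

def verify(log, key, witnessed_head=None):
    """Return None if intact, else the index where the chain first fails.
    len(log) means the records agree with each other but stop short of the witnessed head."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _tag(key, prev, rec["entry"])
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return i
        prev = expected
    if witnessed_head is not None and prev != bytes.fromhex(witnessed_head):
        return len(log)
    return None

# Constructed sample data: the key and the command records are invented for illustration.
# In a real black box the key would live in tamper resistant hardware, not in the log file.
KEY = b"demo-key-held-in-tamper-resistant-hardware"
SAMPLE = [
    {"seq": 1, "src": "telematics", "cmd": "door_unlock"},
    {"seq": 2, "src": "telematics", "cmd": "alarm_disable"},
    {"seq": 3, "src": "key_fob", "cmd": "engine_start"},
]

def build_sample():
    log, head = [], None
    for entry in SAMPLE:
        head = append(log, KEY, entry)
    return log, head

if __name__ == "__main__":
    log, head = build_sample()
    print("intact:", verify(log, KEY, head))
    edited = copy.deepcopy(log); edited[1]["entry"]["src"] = "key_fob"
    print("edited record found at index:", verify(edited, KEY, head))
    print("truncated tail found at index:", verify(log[:2], KEY, head))
```

Without the witnessed head, a log with its last records cut off still verifies, which is why the independently held copy matters as much as the chaining.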

The Risk-X forensics team will be investigating this in more depth in the coming months.  So check back regularly for the latest update and findings in this area.


Written by:

Steve Marshall