The US Attorney General’s Office has warned that rogue nation states could remotely hack vehicles for the purpose of killing their ideological or geopolitical enemies.
“There is no Internet-connected system where you can build a wall that’s high enough or deep enough to keep a dedicated nation-state adversary or a sophisticated criminal group out of the system,” US Assistant AG John Carlin said, speaking at a Society of Engineers event this week in Detroit. “This will be the next battlefront.”
He added, “If you were able to do something that could affect a large scale of an industry—like 100,000 cars—you could see that being in the arsenal of a nation-state’s tool kit is a new form of warfare. We’ve seen rogue nation states try to assassinate those that do not share their beliefs. If they were able to do it remotely through a car, I don’t see why they consider that a safe zone.”
Carlin’s comments follow the highly publicized Jeep hack last fall, in which two white-hat hackers were able to remotely access a Jeep’s internal system, including its brakes, steering and AV systems—access that could certainly be used to eliminate passengers. That incident prompted the recall of almost 1.5 million vehicles—the first auto recall prompted by cybersecurity concerns.
By 2020, there will be nearly 21 billion devices connected to the Internet, including up to 22% of passenger vehicles worldwide, according to IDC. And overall, there is a growing awareness of connected car security, which is driving more investment in the space—to the tune of $1.27 billion by 2020, says BI Intelligence, Business Insider’s premium research service. Traditional IT security practices like network monitoring and segmentation will also become even more critical.
“The automotive industry has been stepping up to the challenge of hardening cars against cyberattacks,” said David Barzilai, chairman and co-founder of Karamba Security, via email. Karamba’s goal is to partner with companies that build connected car systems and provide them with the Karamba auto-security endpoint product. “All major car companies and every major system provider have created cyber-teams that direct a more secure development of the cars and car controller. Karamba Security believes that the best method is to block hackers before they hack into the car. This mission is achieved by hardening cars’ externally connected controllers according to factory settings. All foreign codes are then blocked from penetrating the car’s safety-related systems and risking drivers’ lives.”
That said, research from Veracode recently revealed that automotive manufacturers on average have a security lag of up to three years before systems catch up with cyber-threats.
“What we’re seeing happen in the auto industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector—applications are not created with security in mind, creating a major area of risk,” said Chris Wysopal, CTO, Veracode. “Exposing a car to the internet makes it vulnerable to cyber-attack due to poorly written software, which could render the car unstable or dangerous. Building a secure application development program is a significant challenge for manufacturers, which is compounded by the need to do so under the microscope of government regulated safety standards and liability concerns.”
SOURCE: Tara Seals