New research paper from IOActive shows half of vehicle vulnerabilities could put hackers in the driving seat

IOActive, the worldwide leader in research-driven security services, will be releasing the findings of a three-year study into the vehicle cybersecurity space. The findings are detailed in a new research paper – Commonalities in Vehicle Vulnerabilities – which offers analysis of the general issues and potential solutions to the cybersecurity problems facing today’s connected vehicles.

The paper provides metadata analysis of real-world private vehicle security assessments, conducted by IOActive’s Vehicle Cybersecurity Division since 2013. It combines insights gleaned from 16,000 man hours of combined research and services, as well as other publicly available research. The detailed findings include stats on the impact, likelihood, overall risk and remediation of vulnerabilities, with recommendations from IOActive on how to create more secure vehicle systems in the future.

Key findings include:

  • The impact should a vulnerability be exploited: half of the vulnerabilities uncovered would be considered ‘Critical’ (i.e. would receive media attention and have a severe impact on the vehicle) or ‘High’ impact (i.e. would have a major impact on the vehicle and could be a regulatory violation), and would result in a compromise of components, communications, or data that causes complete or partial loss of control over the vehicle.
  • The likelihood that a vulnerability will be exploited: 71% of the vulnerabilities uncovered were categorised as ‘Medium’ or above in relation to the likelihood of exploitation – meaning, at best, ‘an attacker could exploit the vulnerability without much difficulty’ and, at worst, ‘the vulnerability is almost certain to be exploited and knowledge of the vulnerability and its exploitation are in the public domain’.
  • The overall risk when combining impact and likelihood: 22% of vulnerabilities sit in the ‘Critical’ camp, meaning they are both easy to discover and exploit and can have a major impact on the vehicle.
  • The impact on the vehicle of specific vulnerabilities: 27% of vulnerabilities can be used to gain CAN bus (Controller Area Network) access, and if a hacker can get onto the CAN bus they can control the vehicle; further vulnerabilities could provide ECU control (8%) or disable an ECU (1%), which would allow the hacker to control everything, including all normal functionality, as well as potentially allowing them to add functionality.
  • The most common attack vectors: 55% of vulnerabilities are related to the network (which includes all network traffic, such as Ethernet, Web and Mobile/Cellular), and attackers are most likely to focus their efforts on the points where data enters the vehicle, such as: Cellular Radio, Bluetooth, Vehicle to Vehicle (V2V) Radio, on-board diagnostics equipment (e.g. OBDII), Wi-Fi, Infotainment Media, Zigbee Radio, and Companion Apps.
  • The ability to remediate vulnerabilities: engineering problems are the root cause of three of the top eight vulnerabilities, and they are also the most difficult to remediate. In some cases vulnerabilities stemming from design-level issues are impossible to fix, as the system is ‘insecure by design’. Problems with deployment mechanisms, process and testing also cause a number of vulnerabilities, such as backdoors, information disclosure, hardcoded credentials and vulnerability dependency. Fortunately, some of these are easier to remediate, and the majority of critical-impact vulnerabilities can be remediated with simple fixes – for example, patching code to remove a buffer overflow is relatively easy.

Corey Thuen, Senior Security Consultant at IOActive, who authored the paper, commented: “The days when a rogue street urchin wielding a coat hanger was the main threat to vehicle security are long gone. As the report shows, we have uncovered a number of ‘hair-on-fire’ vulnerabilities that could easily be exploited at any moment – so manufacturers really need to wake up to the risks they face in the new connected world. The majority of cybersecurity vulnerabilities are not solvable using bolt-on solutions, instead relying on sound engineering, software development practices, and cybersecurity best practices. The most effective cybersecurity work occurs during the planning, design and early implementation phases of the products, with the difficulty and cost of remediation increasing in correlation with product age and complexity. Failing to address security at the early development stages could be very costly in the long-run, leading to loss of consumer confidence or even product recalls – a situation that some vehicle manufacturers would find hard to recover from.”

Information Security Buzz