Three Approaches to IoT Security: Part Three

This article, the third in our three-part series, looks at how one connected-car accessory maker approaches data security, and at how carmakers can follow the lead of tech companies by learning from the hacker community.
Published: August 18, 2015

A late-year model Jeep Cherokee. A 2013 Corvette. A Tesla Model S. In recent weeks, all three of these automobiles have been the focus of well-publicized hacks by data security experts who are working to expose the vulnerability of Internet-connected cars. The three hacks were very different.

In the case of the Tesla, the researchers had to purchase a Model S and reverse engineer its electronics in order to override its control systems, sending a kill command, which shut off the motor. But that was only after being stymied a number of times by Tesla’s computer system and finding, as CNET’s Antuan Goodwin wrote, that “although the Model S isn’t unhackable, its information systems are remarkably well designed and secured, rendering their hacking methods largely impractical for for [sic] anyone who doesn’t already have constant physical access to the car.”

Researchers from the University of California Santa Barbara seemed to have an easier time taking control of the Corvette. To hack into that car’s control systems, they took advantage of a vulnerability in a device that the researchers plugged into the car’s onboard diagnostics (OBD) port. The type of OBD device used by the hackers contains a cellular modem used to transmit GPS coordinates, as well as speed, to the commissioning company—generally a fleet management firm or a usage-based insurance provider. San Francisco-based insurance company Metromile had issued the OBD dongle used for the Corvette hack, and according to Wired, the researchers shared their findings with Metromile before making them public, by which time Metromile had transmitted an over-the-air patch to correct the vulnerability they had exploited.

That type of exploit is one that Automatic—a San Francisco company that sells an OBD-based system for tracking driver behavior as part of an application intended to help drivers conserve fuel through changing their driving habits—designs its product to avoid.

“When I started Automatic over four years ago, my cofounders and I were excited to make driving better and safer for every car on the road. As we started developing the software, we looked at every available OBD adapter on the market,” Automatic co-founder and CEO Thejo Kote wrote in a blog post last week. “Our hardware engineers took them apart to learn their secrets, and we quickly discovered that they revealed their secrets far too easily. We saw glaring security holes that we couldn’t fix ourselves, so we made the hard choice to build our own hardware.”

In building its own OBD device, Automatic made a few key security design decisions, says Rob Ferguson, the company’s VP of engineering. “We use a unique encryption key per device,” he told IOT Journal. “This is a major differentiator for us.”

As each Automatic OBD dongle is manufactured, a unique 128-bit AES symmetric encryption key is generated and used to encrypt data encoded to that device. Automatic stores the keys on its servers, unconnected to the Internet.

Secondly, Automatic’s dongles will respond to only a select list of commands they receive. This approach is designed to prevent a third party from sending a command that would present a security threat, such as taking over the car’s braking or steering system. Plus, to make any changes to the firmware running on the Automatic devices, one needs a master key (a password).
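
The two design decisions described above, a key unique to each device and a fixed list of accepted commands, can be illustrated with a short example added here (it is not Automatic's code). It assumes HMAC-SHA256 as a stand-in for the AES-128 protection the article mentions, since Python's standard library has no AES, and the command names and device IDs are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 stands in for the AES-128 protection the article
# mentions, because Python's standard library has no AES.
ALLOWED_COMMANDS = {"READ_SPEED", "READ_RPM", "READ_FUEL_LEVEL"}  # hypothetical names


def provision(device_ids):
    """Factory step: generate an independent 128-bit key for every device."""
    return {dev: os.urandom(16) for dev in device_ids}


def seal(key, device_id, command):
    """Server side: bind a command to one device with that device's key."""
    msg = f"{device_id}|{command}".encode()
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def handle(device_id, device_key, msg, tag):
    """Device side: authenticate first, then apply the command allowlist."""
    expected = hmac.new(device_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "REJECT: bad tag"
    target, _, command = msg.decode().partition("|")
    if target != device_id:
        return "REJECT: wrong device"
    if command not in ALLOWED_COMMANDS:
        return "REJECT: command not on allowlist"
    return f"OK: {command}"


def demo():
    keys = provision(["dongle-A", "dongle-B"])  # constructed device IDs
    results = {}
    msg, tag = seal(keys["dongle-A"], "dongle-A", "READ_SPEED")
    results["valid"] = handle("dongle-A", keys["dongle-A"], msg, tag)
    # A key extracted from dongle-A does not authenticate to dongle-B.
    msg, tag = seal(keys["dongle-A"], "dongle-B", "READ_SPEED")
    results["cross_device"] = handle("dongle-B", keys["dongle-B"], msg, tag)
    # Even a correctly authenticated message cannot reach unlisted functions.
    msg, tag = seal(keys["dongle-B"], "dongle-B", "WRITE_CAN_FRAME")
    results["unlisted"] = handle("dongle-B", keys["dongle-B"], msg, tag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```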

By and large, Ferguson says, insurance companies have commissioned off-the-shelf OBD devices and have not deployed robust security tools to ensure their security, thereby providing a means for hackers to use the devices as an entrance point into the host car’s control systems.

“Automatic is a very good example of a company in the automotive after-market that designed its product with security in mind right from the start,” says Steve Hoffenberg, director of IoT and embedded technology at VDC Research. But he adds an important caveat: “If Automatic’s device is found to have a major security hole, the car owner can just unplug it. But if a car’s built-in electronics are found to have a major security hole, users usually can’t do anything about it other than wait for the carmaker to issue a recall or update.”

The Car’s Place in the IoT
What makes the auto market special—and vexing, from the point of view of securing IoT-connected cars—is that it sits “right at the nexus between consumer products and something that needs life-protecting levels of security,” says Hoffenberg. “There are 100 million vehicles sold each year. That is a very high number compared to airplanes or military equipment, or other things that must be built with really high [data] security.”

Automakers have been developing and building connectivity into automobiles for many years, and Hoffenberg notes that many car models being driven off sales lots today have built-in Internet connectivity. Some vehicles support firmware updates or vulnerability patches made over-the-air, but many cars on the road today contain cellular modems that do not support over-the-air updates. Owners of these vehicles must either bring them into a dealership for the updates, or they must download the update onto a USB stick and perform the update manually.

The latter options are the ones that Chrysler presented to Jeep owners last month, following the hacks that security researchers Charlie Miller and Chris Valasek were able to perform on the car once they were able to send remote commands, through the vehicle’s Internet-connected infotainment system, that could actually disable the vehicle while it is moving at highway speeds, or give them control of the vehicle’s steering. However, a few days after Wired magazine published a story about the Jeep hack, Sprint made updates to its cellular network that block the vulnerability which Miller and Valasek publicized in their research paper. This means that even for vehicles that are not updated via the software patch that Chrysler issued, other hackers are now blocked from exploiting the vulnerability Miller and Valasek discovered (the hacker can still try accessing the car’s Wi-Fi radio to perform the exploits, but to do that they would need to be close to the vehicle).

While instances of hacking into connected cars draw a great deal of media attention, they have thus far been instigated by security researchers who want to see carmakers take cyber security more seriously, and none of the hacks have been exactly easy, Hoffenberg notes.

“Most exploits published thus far required extensive research over long time periods by knowledgeable people who had direct access to the vehicles [that they hacked]. In some cases, they had to reverse engineer components. So while not impossible, they take a lot of time and investment,” he says.

Yet, while Miller and Valasek used a 2014 Jeep Cherokee to reverse-engineer the telematics system and discover the vulnerability, they say that once they found the vulnerability, they could have repeated the same attack on any Chrysler vehicle that comes with the Uconnect 8.4AN/RA4 radio manufactured by Harman Kardon (used for the car’s infotainment system) on which they conducted the exploit. Based on the number of cars to which Chrysler issued its software update, Miller and Valasek say that number is 1.4 million vehicles, including the Viper, Durango, the Chrysler 200 and others.

Still, while someone could remotely disrupt the operation of a car for malicious reasons—namely to hurt the driver or others—Hoffenberg says it is more likely that nefarious parties are looking for vulnerabilities in connected devices that could lead them to credit card data or other financial information. “The auto market does risk becoming a poster child for IoT’s failure [in the consumer realm] if there were to be massive breaches. But thus far that has not happened.”

The task automakers face is a daunting one, and will force them to hold their myriad suppliers to a high standard for data security, so that no single component can create a weak link. “Each supplier has to make sure their component is secure, but when you put a bunch of secure pieces together, you don’t necessarily get a secure whole,” says Hoffenberg, “because there [can be security] gaps between the components.”

Carmakers are essentially turning cars into rolling, connected, sensor-filled computers, so a good way for them to address the security of the data that these cars are trafficking might be to follow the lead of tech companies. Google and Mozilla incentivize users to seek out weaknesses in their respective products by offering “bug bounties.” Through its Bug Bounty Program, Mozilla has paid out $1.6 million to individuals who have brought security vulnerabilities to the organization’s attention. Google has also distributed millions through various bug bounty programs over the past five years. Tesla has followed suit. It is offering $25 to $10,000 per bug in its bug bounty program.

Ferguson says Automatic is launching a bug bounty, as well, and hires third-party security analysts to ensure its OBD device remains ahead of the latest security threats. Although the company has not been the victim of a security breach, he says there is never a time to let down the defenses. “Security is not a goal, it’s a process,” he says.