A consumer advocacy group has warned that automakers are rolling out new vehicles increasingly vulnerable to hackers, which could result in thousands of deaths in the event of a mass cyberattack.
In a new report entitled Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off, Los Angeles-based Consumer Watchdog said cars connected to the Internet are quickly becoming the norm but constitute a national security threat.
The watchdog said industry executives are aware of the risks but still pushes ahead in deploying the technology in new vehicles, putting corporate profit ahead of safety. The report was based on a five-month study with the help of more than 20 whistleblowers from within the car industry.
You can control all sorts of aspects of your car from your smartphone, including starting the engine, starting the air conditioning, checking on its location," said one of the whistleblowers, who were not identified.
The report recommends all connected vehicles be equipped with an Internet kill switch and that all new designs should completely isolate safety-critical systems from Internet-connected infotainment systems or other networks. In the meantime, the US Department of Homeland Security issued a security alert on July 30 for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft.
An alert from the DHS critical infrastructure computer emergency response team recommends that plane owners ensure they restrict unauthorised physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government.
Most airports have security in place to restrict unauthorised access and there is no evidence that anyone has exploited the vulnerability. But a DHS official told The Associated Press that the agency independently confirmed the security flaw with outside partners and a national research laboratory, and decided it was necessary to issue the warning.
The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane's network, for example by attaching a small device to its wiring, that would affect aircraft systems.
Engine readings, compass data, altitude and other readings "could all be manipulated to provide false measurements to the pilot", according to the DHS alert.
The warning reflects the fact that aircraft systems are increasingly reliant on networked communications systems, much like modern cars. The auto industry has already taken steps to address similar concerns after researchers exposed vulnerabilities.
The US Federal Aviation Administration said in a statement that a scenario where someone has unrestricted physical access is unlikely, but the report is also "an important reminder to remain vigilant" about physical and cybersecurity aircraft procedures.
Aviation cybersecurity has been an issue of growing concern around the world.
The vulnerability disclosure report is the product of nearly two years of work by Rapid7. After their researchers assessed the flaw, the company alerted DHS. Tuesday's DHS alert recommends manufacturers review how they implement these open electronics systems known as "the CAN bus" to limit a hacker's ability to perform such an attack.
The CAN bus functions like a small plane's central nervous system. Targeting it could allow an attacker to stealthily hijack a pilot's instrument readings or even take control of the plane, according to the Rapid7 report.
Only a few years ago, most auto manufacturers used the open CAN bus system in their cars. But after researchers publicly demonstrated how they could be hacked, auto manufacturers added on layers of security, like putting critical functions on separate networks that are harder to access externally.
The disclosure highlights issues in the automotive and aviation industries about whether a software vulnerability should be treated like a safety defect – with its potential for costly manufacturer recalls and implied liability – and what responsibility manufacturers should have in ensuring their products are hardened against such attacks. The vulnerability also highlights the reality that it's becoming increasingly difficult to separate cybersecurity from security overall.
The CAN bus networking scheme was developed in the 1980s and is extremely popular for use in boats, drones, spacecraft, planes and cars – all areas where there's more noise interference and it's advantageous to have less wiring. It's actually increasingly used in airplanes today due to the ease and cost of implementation.
It's been four years since researcher Ruben Santamarta rocked the security world with his chilling discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities.
Santamarta has now proven out those findings and taken his research to the level of terrifying, by successfully hacking into in-flight airplane WiFi networks and satcom equipment from the ground. "As far as I know I will be the first researcher that will demonstrate that it's possible to hack into communications devices on an in-flight aircraft … from the ground," he says.
He accessed on-board WiFi networks including passengers' Internet activity, and also was able to reach the planes' satcom equipment, he says, all of which in his previous research he had concluded – but not proven - was possible. And there's more: "In this new research, we also managed to get access to important communications devices in the aircraft," Santamarta, principal security consultant with IO/Active, says.
In his 2014 research, Santamarta provided a report on several possible attack scenarios using the vulnerabilities he had discovered in the firmware of popular satellite ground terminal equipment.
In his latest research he studied other satcom systems and infrastructure and found the usual suspects of industrial Internet of Things flaws: backdoors, insecure protocols, and hard-coded credentials as well as buffer overflows, code injections, and exposed services.
These vulnerabilities "allowed us to take control of these devices and allow anyone to access the satellite services," he says. "We can leverage satcom devices to perform cyber-physical attacks."
But like with Santamarta's previous research, the affected vendors and providers unfortunately aren't all on board with fixes for the newly discovered security holes. "The critical things have been fixed mostly. But there are other significant vulnerabilities that are still there, and that’s a still a problem," he says.