Security researchers used Fiat Chrysler's telematics system to break into its command and control center and take over a vehicle while a human was driving it. They engineered a change in steering despite the driver's interventions, caused the vehicle to brake and switched off its engine.
The researchers did all of this to demonstrate weaknesses in the mechanics of internet-enabled vehicles. They made extensive use of wireless signals to showcase these vulnerabilities.
Following this demo, Fiat Chrysler will recall 1.4 million vehicles in the United States alone. It will patch the software used in the cars and harden them against attacks from malicious hackers, who could remotely steer the vehicle and take over its controls. According to federal officials, this is the first ever demonstration of its kind.
The National Highway Traffic Safety Administration (NHTSA) has informed the public that it will investigate whether Fiat Chrysler's upgrade and patching of its software is enough to protect consumers from hackers. In its recall announcement, Fiat Chrysler said that it was unaware of any injuries caused by the remote takeover of its cars by hackers.
A spokesperson from NHTSA said that this was the first ever recall of vehicles arising from cybersecurity concerns. Experts in the field responded that they hope it will act as an eye-opener, and that the shock wave of this incident will be felt not just by the auto industry but beyond it as well.
Risks from Wireless connectivity
With increased wireless connectivity to physical devices, the risks of connectivity extend far beyond cars, to chemical plants, hospitals and factories.
"It's a huge problem, and it's an architectural problem with this Internet-of-Things concept," said Nicholas Weaver, a security researcher from the International Computer Science Institute, Berkeley, California.
He went on to clarify that at present there are differences in how the architecture for inter-vehicular communication is designed. Products that are designed to be accessed by a range of means, including smartphones, tend to have a wider "attack surface" and are typically easier to penetrate. Products that have a single line of communication with an authenticated server, by contrast, allow the server's operator to mine a whole spectrum of information, raising privacy concerns.
Ed Skoudis, an expert in securing connected devices, opined that the fact that Fiat Chrysler recalled its vehicles as soon as the FCA raised the cybersecurity issue goes to show that this is in fact "a shot across the bow of other IoT manufacturers that this could cost them a lot of money." It is a wake-up call for companies that earlier refused to allocate funds to cybersecurity and its design process, if they are to avoid similar recalls, potential lawsuits and increased regulation.
Connected cars are a security concern
Up to now, car manufacturers have typically tended to avoid and play down threats from hackers controlling the wireless connections that control a connected vehicle. Security researchers and hackers had earlier demonstrated that they could tamper with a car's onboard computer system, albeit using a physical cable connected to its diagnostic system. Cybersecurity researchers have now gone on to develop working code that has remotely controlled a Cherokee Jeep. The idea was to raise concerns over privacy matters, and members of the U.S. Congress and the NHTSA have raised security concerns about Internet-connected vehicle control systems.
Two Democratic Senators introduced a bill on Tuesday that would direct the NHTSA to develop standards for isolating critical software and detecting hacking as it occurs.
Frank Pallone Jr. of New Jersey and Fred Upton, the Republican chairman of the House Energy and Commerce Committee, have said, "… cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride."
Car manufacturers such as BMW and Tesla Motors Inc. can already update the software that runs the car over the air (OTA).
The recalled vehicles include some of Fiat Chrysler's top-selling models, among them Cherokee SUVs (model 2014 and 2015), the Jeep Grand Cherokee and the 2015 Dodge Challenger sports coupes.
A spokesperson from Fiat Chrysler said that it would mail a memory stick to customers affected by these wireless security concerns. Plugging the stick into the car's computer will enable it to upgrade itself and add the necessary security features. The USB sticks would be mailed to customers "as soon as possible."
The spokesperson went on to add that the company had already deployed a fix with its telecommunications provider which will block remote access to the car's computer system of the kind shown by the security researchers.
FCA declined to comment beyond the statement it issued on the recall. The company did not respond to queries on whether the USB devices to be mailed to customers are on hand or have to be manufactured.
Steven Bellovin, a professor of computer science at Columbia University, commented on the security aspect, saying, "this is another example of a problem with an embedded system, some computer that is something that is not really a computer from a user perspective but is built to make something else work. I suspect we're going to need some kind of regulatory frameworks."
Source: Reuters