Bad Cars: Anatomy of a Ransomware Attack
By Alan Grau, VP of IoT, Embedded Systems, Sectigo
TV and science fiction writers have let their imaginations run wild with theories about what could happen if your car was attacked by bad actors. There have been a few real-world cases where white-hat hackers and researchers have been able – in limited, controlled instances – to actually penetrate a car’s electronics and communications systems, take over the car’s steering and acceleration systems, and potentially do real damage.
However, there are other scenarios that might not be as obvious or as dramatic.
For example, what if your car’s computer was infected by a virus that greatly reduced the engine’s efficiency or capped the car’s maximum driving speed? What if the virus did something less dramatic, such as make the car unable to lock the controls for automatic window operation, or simply prevent the car from starting? No one would die, but the car owner would be very upset, posing a disaster for the automobile’s manufacturers.
Motor City Ransomware
Electric Vehicles require sophisticated control and safety technologies for their electrical power systems to safely manage the high voltages that store and distribute from their battery systems. If something goes wrong, the car cannot operate, people could get electrocuted, or the car could burst into flames or explode. These are real dangers that are managed by the car’s network of fuses, circuit breakers, and control systems.
What would happen if a cyber hacker got into these sensitive electronic systems and turned off the safety and control system?
Why would someone do this? Money, of course.
Suppose the bad guys successfully penetrated and infected these vehicles? Imagine now that they had the software or security keys that could fix these problems, but hold them as ransom, jeopardizing an automaker’s entire fleet of new cars.
How many millions (or tens of millions) of dollars would the automaker pay to get that solution? Holding a manufacturer hostage is a very real possibility, as evidenced by the results that today’s hackers are getting by attacking hospitals and cities and successfully extracting substantial ransoms to just return these institution’s data. In a recent WIRED article, The Biggest Cybersecurity Crisis of 2019 So Far, which discusses the risks to “things” and across supply chains, the FBI explained, "We are seeing an increase in targeted ransomware attacks. Cyber criminals are opportunistic. They will monetize any network to the fullest extent.”
Pre- and Post-Assembly Infections
It is possible that cars could be infected before they even hit the auto dealers’ lots. Bad actors have the capability to infect a small electronic part, essential to the auto manufacturing food chain, purchased from one of the hundreds of component suppliers.
How could auto manufacturers possibly test each electronic element? It is almost impossible - and requires that parts manufacturers themselves take more care in their software development process to ensure the software in these components are not infected during manufacturing process, or during the testing and shipping processes.
Of course, cyber infections could happen on the actual assembly line where the cars are put together. With many car manufacturing plants using IoT connected robots and machines, there is always a possibility of infection happening on the assembly line.
These components could even become infected after assembly, during the manufacturers’ testing and process. Infection, during installation, or with after-market parts and upgrades, could arise after the vehicles arrive at the dealers’ facilities.
Already aware of the possibility and the potential disastrous effects of infected cars reaching the market, manufacturers throughout the supply chain need to become more aware of how their devices could be attacked and infected even before they leave the warehouse. This means embedding IoT security from day one - from the smallest electronic components to final assembly of motors, transmissions and other large vehicle components.
Sectigo (formerly Comodo CA) provides award-winning, purpose-built and automated PKI management solutions to secure websites, connected devices, applications, and digital identities. As the largest commercial Certificate Authority, trusted by enterprises globally for more than 20 years, and more than 100 million SSL certificates issued in over 200 countries, Sectigo has the proven performance and experience to meet the growing needs of securing today’s digital landscape. For more information, visit www.sectigo.com.