OTA: Good for Drivers, Better for Hackers?
The auto industry is on a fast track to autonomous vehicles, in which nearly all vehicle operations will be under the control of a central computer, leaving the passengers to sit back and relax on the road. Where to turn, when to brake, how fast to go and almost every other aspect of the driving (actually, riding) experience will be machine-driven.
Cars are well on their way to becoming internet of things (IoT) devices, with updates—both operational and security—delivered over the air (OTA). And, as autonomous vehicles take center stage, OTA will become even more prominent. For car manufacturers, repair shops and drivers, OTA makes sense: Why spend half a day at the garage getting a software update when it can just be downloaded over the connected vehicle network?
But just as OTA makes sense for the above-mentioned parties, it makes sense for hackers as well. As with any other communication channel, we can expect to see hackers piggyback onto OTA software updates for vehicles to install malicious code that will compromise the vehicle and gain control over some aspect of it, if not the entire thing.
While a corrupt OTA update can cause substantial damage even to a vehicle in which a driver has control of the steering wheel and the brakes, the sky’s the limit for hacker activity on self-driving vehicles, in which the systems run the show. Hack your way into those systems and the vehicle is yours.
Unlike other “devices” that utilize OTA, self-driving vehicles need to be super-secure. A connected washing machine that gets a corrupt update might not get your clothes completely clean, but a car that gets a corrupt OTA update can kill you. Thus, security for OTA in vehicles must be completely airtight, with no room at all for errors.
Unfortunately, that kind of airtight security still eludes us. There have been numerous incidents in which hackers took direct control of IoT devices, including toys. These weren’t just random incidents; there were enough of them to prompt the FBI to issue a warning. And, according to many experts, a vehicle’s CAN bus is eminently hackable.
The security model used for other devices—security teams developing responses to threats as they appear—is inappropriate for connected vehicles. That model does nothing to solve zero-day attacks. To cause injuries and death, all it takes is one rogue vehicle. Because OTA updates are delivered over the internet, they are vulnerable to the same security risks as any other data sent over an internet connection.
If hackers can corrupt messages over a 4G network, why wouldn’t they be able to hack into a vehicle OTA update? How can manufacturers, OEMs and dealers prevent this kind of risk? Obviously, a different approach to security is needed. If self-driving and connected vehicles are to be made secure, the updates to their operations—delivered OTA—must be guaranteed safe.
Protecting the OTA communication channel and checking the authenticity of the new software are longstanding and vital security measures for any IoT device. But for a car, where update security is crucial, these measures are not enough. OEMs must assume that the OTA update can be (or is already) hacked, and deploy security measures that can detect and cope with a security breach.
One way to do that is to examine not just the OTA update for expected threats or malware signatures but also the behavior of the vehicle. An autonomous vehicle will have dozens of systems that are supposed to operate within specific parameters. Sensors, for example, will send data to the autonomous driving computer about speed, traffic and distance from the vehicle in front to determine how much pressure needs to be applied to the brakes.
If the communication packets act in an anomalous manner, it could be a sign that the system has been compromised. In that case, the security system could signal the security operations center that there is a potential breach that has to be analyzed. In critical scenarios, the vehicle might be directed to slow down and move to the side of the road. The same approach could be used in any of the other systems in a vehicle.
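The behavior-based check described above, as an added example that is not from the original post: each signal gets an assumed operating envelope (value range, maximum change per frame, nominal transmit period), and frames that leave it are flagged for the security operations center or, for critical signals, a safe stop. The signal names, limits, action labels and sample frames are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    lo: float         # minimum plausible value
    hi: float         # maximum plausible value
    max_step: float   # largest plausible change between consecutive frames
    period_ms: float  # nominal transmit period of the signal
    critical: bool    # a violation on this signal warrants a safe stop

# Hypothetical envelopes; real limits come from the vehicle's engineering spec.
ENVELOPES = {
    "speed_kph":     Envelope(0, 250, 5, 20, False),
    "brake_cmd_pct": Envelope(0, 100, 30, 10, True),
}

def monitor(frames, envelopes=ENVELOPES, jitter=0.5):
    """Return (timestamp_ms, signal, reason, action) for each anomaly found."""
    last = {}      # signal -> (timestamp_ms, value) of the previous frame
    findings = []
    for ts, signal, value in frames:
        env = envelopes.get(signal)
        if env is None:  # traffic the baseline has never seen
            findings.append((ts, signal, "unknown signal", "ALERT_SOC"))
            continue
        reasons = []
        if not env.lo <= value <= env.hi:
            reasons.append("out of range")
        if signal in last:
            prev_ts, prev_val = last[signal]
            if abs(value - prev_val) > env.max_step:
                reasons.append("implausible jump")
            # Frames arriving well off the nominal period suggest an extra sender.
            if abs((ts - prev_ts) - env.period_ms) > env.period_ms * jitter:
                reasons.append("timing deviation")
        last[signal] = (ts, value)
        action = "SAFE_STOP" if env.critical else "ALERT_SOC"
        findings.extend((ts, signal, r, action) for r in reasons)
    return findings

# Constructed sample traffic: (timestamp_ms, signal, value)
SAMPLE = [
    (0, "speed_kph", 80.0), (0, "brake_cmd_pct", 0.0),
    (10, "brake_cmd_pct", 0.0),
    (13, "brake_cmd_pct", 95.0),   # off-schedule frame with a large jump
    (20, "speed_kph", 80.5), (20, "brake_cmd_pct", 0.0),
    (40, "speed_kph", 300.0),      # value outside the envelope
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE):
        print(finding)
```

The monitor needs no signature of the update that caused the behavior; it only compares traffic against the baseline, which is the property the article relies on.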
The advantage of this is that security teams don’t have to develop solutions for threats they don’t even know about yet, which, of course, they couldn’t do even if they wanted to. By concentrating on anomalous behavior, teams can deal with or prevent any threat. Thus, if an OTA update is infected, the malicious behavior it causes will be detected, and the previously unknown vulnerability that let the infected update through can be dealt with.
Autonomous vehicles are here to stay; an entire IoT infrastructure is being built around the connected vehicle. With anomaly detection, all aspects of autonomous vehicle operations, including OTA updates, can be made safe.
This post was also published on Security Boulevard.