Playing with Fire: The Security Implications of Connected Vehicle Technology
by Letters 4 the Damned
How would you feel if I told you a man by the name of Charlie Miller held in his hands the power to throw over one million vehicle transmissions into neutral? How would you feel if I also told you Miller acquired this capability using a connected vehicle technology that allowed millions of vehicles to communicate with one another? [i] Now, how would you feel if I told you the National Highway Traffic and Safety Administration proposed on December 13 to mandate connected vehicle technology in all new light vehicles? Are you concerned?
On December 13, 2016, NHTSA released the agency’s Notice of Proposed Rulemaking, which would require auto manufacturers to install Dedicated Short-Range Communications (DSRC) devices in all new light vehicles. [ii] These devices use the 5.9 GHz band to warn drivers of impending collisions, other vehicles, and hazardous road conditions. The purpose of this technology is to save lives, but done haphazardly, such technology can also cost lives.
Approximately six months prior to the release of NHTSA’s Notice of Proposed Rulemaking, Public Knowledge and the Open Technology Institute petitioned the FCC for “Rulemaking and Emergency Stay of Operation of…(“DSRC”) in the 5.9 GHz Band.” The petition explained “[t]he DSRC service lack[ed] rules…to protect DSRC units from malware or other forms of cybersecurity attacks.” [iii] The FCC took notice of this petition and opened the issue for public comment approximately two months later. [iv]
Senators Ed Markey and Richard Blumenthal wrote to the FCC on August 4, 2016, expressing their concerns over vehicle-to-vehicle communications and the lack of cybersecurity protections. “[H]ackers could remotely access one vehicle or one commercial application then use its DSRC system to spread malware. That could allow hackers to commandeer vehicles and intentionally cause crashes.” [v]
Presently, many auto manufacturers are voluntarily installing connected vehicle technology with little cybersecurity protection. A 2015 report by Senator Edward Markey on connected vehicle technologies found that “[s]ecurity measures to prevent remote access to vehicle electronics [wer]e inconsistent and haphazard across all auto manufacturers…[and] [o]nly two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most sa[id] they rel[ied] on technologies that cannot be used for th[at] purpose at all.” [vi]
In 2013, a Government Accountability Office report on vehicle-to-vehicle technology stated that “[o]f…21 experts…interviewed, 12 cited the technical development of a V2V communication security system as a great or very great challenge to the deployment of V2V technologies.” [vii] Two years later, in 2015, the MITRE Corporation, in its technical report to the Department of Transportation, found 21 “high level threats” to the connected vehicle communication system. [viii]
NHTSA’s V2V rulemaking proposes a digital certification management system to prevent unauthorized devices from communicating with the network. “As a networked system, V2V/V2I are intended to employ a secure and reliable communications network, allow only certified devices to access that network, and have a trusted entity (the Security Certificate Management System – “SCMS”) to issue, distribute, and, when necessary, revoke device certificates.” [ix]
Such a strategy would require any device communicating with the network to be registered and certified by a trusted third party. The devices also use predetermined message structures and must be able to detect and report anomalies in messaging. The required V2V devices must implement a message authentication proposal that enhances “confidence in the authenticity of V2V messages and secure the exchange of safety data,” and requires V2V devices to be able to check incoming safety messages to detect and avoid “misbehavior.” [x] However, there are two major flaws with these strategies.
First, anyone who could obtain access to the trusted third-party certificate authority could potentially add and certify a new device, allowing an adversary to communicate with the network. Second, malware that possesses metamorphic features could emulate the predetermined message structures. Even worse, if an adversary gains access to the private key, the entire network would be compromised. Furthermore, if commercial applications utilize the same band [xi], those applications could be exploited to gain access to the DSRC network.
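The receiver-side checks described above (certificate issued by the trusted authority, certificate not revoked, message signature valid) can be sketched as follows. This is an added example, not code from the NPRM or the SCMS; the `Cert`/`Msg` layout and function names are hypothetical, and Ed25519 stands in for whatever signature scheme a real deployment uses.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a simplified device certificate (illustrative layout, not IEEE 1609.2).
type Cert struct {
	ID  string
	Pub ed25519.PublicKey
	Sig []byte // CA signature over ID and Pub
}

type Msg struct { // signed safety message plus the sender's certificate
	Body, Sig []byte
	Cert      Cert
}

func tbs(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }
// Issue certifies a device key; the result is valid for any holder of caKey.
func Issue(caKey ed25519.PrivateKey, id string, pub ed25519.PublicKey) Cert {
	return Cert{id, pub, ed25519.Sign(caKey, tbs(id, pub))}
}

// Send signs body with the device key and attaches the certificate.
func Send(devKey ed25519.PrivateKey, c Cert, body string) Msg {
	return Msg{[]byte(body), ed25519.Sign(devKey, []byte(body)), c}
}

// Verify runs the receiver's checks: CA signature, revocation, message signature.
func Verify(root ed25519.PublicKey, revoked map[string]bool, m Msg) string {
	if len(m.Cert.Pub) != ed25519.PublicKeySize || !ed25519.Verify(root, tbs(m.Cert.ID, m.Cert.Pub), m.Cert.Sig) {
		return "reject: certificate not issued by trusted CA"
	}
	if revoked[m.Cert.ID] {
		return "reject: certificate revoked"
	}
	if !ed25519.Verify(m.Cert.Pub, m.Body, m.Sig) {
		return "reject: bad message signature"
	}
	return "accept"
}

func main() {
	root, caKey, _ := ed25519.GenerateKey(nil) // constructed CA key pair
	pub, dev, _ := ed25519.GenerateKey(nil)    // constructed device key pair
	m := Send(dev, Issue(caKey, "unit-1", pub), "hard braking ahead")
	fmt.Println(Verify(root, nil, m), "/", Verify(root, map[string]bool{"unit-1": true}, m))
}
```

Every check in `Verify` ultimately rests on the CA signature, so a certificate produced by any holder of the CA private key is indistinguishable to the receiver from a legitimately issued one; revocation is the only control left after that point.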
“Although the NPRM would require V2V technology to be installed in vehicles when manufactured, V2V systems could also be installed “aftermarket” or potentially could be brought into the vehicle by handheld devices.” [xii] However, leaving such systems open to aftermarket devices and handheld devices creates numerous other vulnerabilities and entryways into the network. Furthermore, the NPRM doesn’t take into account the insider threat posed by disgruntled or negligent employees installing these systems.
In summary, once access is gained, the extent of the damage caused depends solely on the skill of the adversary. The level of risk created by the mandate of connected vehicle technology demands careful consideration and collaboration across agencies. If done carefully, the technology may protect drivers on the nation’s highways. Yet if rushed, that same technology will endanger the very lives it seeks to protect.
- Christopher Kolezynski
[i] CYBERWAR: The Zero Day Market, (Vice Productions Inc. 2016). Miller was never paid for his work, although one year later Chrysler changed policy and began a company bounty program paying researchers who found vulnerabilities in their cars. They were the first major American car company to do so. Miller explains, “car companies are so new to this. Most car companies, you don’t even know who you would contact to tell them you found a vulnerability.”
[ii] Federal Motor Vehicle Safety Standards; V2V Communications, 49 CFR Part 571 (proposed Dec. 13 2016) (to be codified at 49 CFR pt. 571). NHTSA released their Advanced Notice of Proposed Rulemaking in August 2014.
[iii] Open Technology Institute & Public Knowledge, Petition for Rulemaking and Request for Emergency Stay of Operation of Dedicated Short-Range Communications Service in the 5.850-5.9925 GHZ Band (5.9 GHZ Band), i (June 28, 2016).
[iv] Beyoud L., FCC Studying Cybersecurity of Connected Vehicle Tech, (July 27, 2016) BNA http://www.bna.com/fcc-studying-cybersecurity-n73014445537/.
[v] Senators Ed Markey and Richard Blumenthal, Letter to FCC Chairman Wheeler, (Aug. 4, 2016) available at https://www.markey.senate.gov/imo/media/doc/2016-08-04-Markey-Blumenthal-Cybersecurity-cars-FCC.pdf.
[vi] Senator Ed Markey, Tracking & Hacking: Security and Privacy Risks Put American Drivers at Risk, 1 (Feb. 2015).
[vii] US Gov’t Accountability Off., Intelligent Transportation Systems: Vehicle to Vehicle Technologies Offer Safety Benefits but a Variety of Deployment Challenges Exist GAO-14-13, at 21 (2013).
[viii] MITRE Corporation, Final Requirements Report, Dept. of Transportation FHWA-JPO-15-235, ii (Sept. 11, 2015), https://www.regulations.gov/contentStreamer?documentId=NHTSA-2016-0126-0008&attachmentNumber=1&disposition=attachment&contentType=pdf.
[ix] Gossett D., NHTSA Issues Proposed V2V Crash Avoidance Technology Rule, Lexology (Dec. 19, 2016), http://www.lexology.com/library/detail.aspx?g=22cdefa8-99f2-4dd7-bcc2-caabd953346c.
[x] Higgins J., NHTSA proposes rule on ‘vehicle-to-vehicle’ communications requiring cybersecurity controls, Inside Cybersecurity (December 14, 2016), https://insidecybersecurity.com/daily-news/dot-proposes-rules-auto-cybersecurity-seeks-public-comment.
[xi] Federal Communications Commission, Public Notice: The Commission Seeks to Update and Refresh The Record in the “Unlicensed National Information Infrastructure Devices in the 5 GHz Band” Proceeding, 1-2 (June 1, 2016), https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-68A1.pdf.
[xii] Gossett D., NHTSA Issues Proposed V2V Crash Avoidance Technology Rule, Lexology (Dec. 19, 2016), http://www.lexology.com/library/detail.aspx?g=22cdefa8-99f2-4dd7-bcc2-caabd953346c.