Vehicle Security: Making Sure K.I.T.T. Doesn’t Become K.A.R.R.
We ended 2022 with the announcement of a vulnerability within SiriusXM Connected Vehicle Services, which has a broad impact because of the ubiquity of these units. In 2023 the vehicle-related software vulnerabilities just keep on coming, this time within API endpoints used by vehicles’ telematics systems, an issue with a wide impact across 16 different vehicle manufacturers.
While hacking cars and vehicle components goes all the way back to 2002 through in-vehicle connections, in 2015 Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee and expanded what “breaking into a car” could mean. Since then, a year hasn’t gone by without more vehicles being compromised, whether through key fob hacks, software vulnerabilities, vulnerabilities in components, or even vulnerabilities with electric vehicles and charging stations. All of this leads to a threat that hasn’t been seen yet but is coming: a compromised vehicle doing damage to property or, even worse, people.
There have been IoT attacks that have released personal information (e.g., the Ring security breach), caused or potentially caused physical damage (e.g., Stuxnet or the attack on a German steel mill), or caused a distributed denial-of-service attack (e.g., Mirai botnet), but a rogue car is an entirely different scenario because vehicles are so close to us every day and used everywhere.
While the worst-case scenarios are gruesome, a simple shutdown of 100 cars on a busy highway could directly impact thousands of people and businesses. The issue starts with the fact that modern cars have dozens of computerized components in them, each with their own software, working together to make the whole package perform. One component can have a ripple effect across the whole system and literally bring the car to a screeching halt. Additionally, the components in a vehicle are often produced by different manufacturers and used by different vehicle producers, all coming together months or years before the vehicle moves into production. By the time the first car rolls off the assembly line, the software in one component could have an identified vulnerability and be open to attack.
There are regulations, such as United Nations Economic Commission for Europe’s (UNECE) WP.29, and standards, like ISO/SAE 21434, that are directing original equipment makers (OEMs) and Tier 1 and Tier 2 suppliers to ensure higher safety and appropriate cybersecurity approaches within vehicles, but the problem with regulations and standards is that they: 1) generally apply to future systems; 2) set a baseline, so it’s a race to the bottom to just demonstrate compliance until new regulations and standards are made; and 3) they do nothing for legacy systems in use, which in this case applies to hundreds of millions of vehicles globally.
Vendors that provide solutions for connected vehicle security are all working closely with manufacturers to uncover vulnerabilities in these systems and to secure the components and the connectivity between them, but in the meantime, the vehicle and component manufacturers might want to start applying minimum viable security practices to their software bill of materials (SBOM). If they don’t, the K.I.T.T. experience they’re looking to give their drivers could turn into K.A.R.R., an unpredictable threat.