NASTF meeting examines automotive cyber threats for the ‘connected vehicle’
Las Vegas—The now-famous hack last year of a 2014 Jeep Cherokee through its wireless connection — just a demonstration by security researchers — was the first evidence of the vulnerability of an entire fleet of connected cars to potentially malicious attacks, warned Milan Patel, of IBM, a panelist at the Fall 2015 General Meeting of the National Automotive Service Task Force (NASTF).
Automotive-related cybersecurity threats were the focus of two panel discussions at the NASTF meeting, held at the Sands Expo Center in November during the Automotive Aftermarket Product Expo (AAPEX) show.
Donny Seyfer, who co-owns Seyfer Automotive in Wheat Ridge, Colo., moderated the first panel discussion, “How Will Vehicle Cybersecurity Impact Future Auto Repair?”, featuring Patel and Mohan Sethi, a service solutions expert for MAHLE, a diagnostic tool manufacturer.
“The world is becoming more intelligent and interconnected. You can put sensors in a river and measure rainfall now,” Patel said, adding that there are seven billion data points on the globe for measuring weather day by day. As common things like cars become smarter, data is generated and information can be tapped into.
The progression of vehicle connectivity has pushed the car closer to the IT world, he said, bringing with it a security burden for the entire automotive industry.
Surface attack opportunities
The connected car and connected shop both present opportunities for would-be attackers, the panelists agreed.
“Diagnostic tools are secure, but not secure enough,” Sethi said, and so they present surface attack opportunities. Hackers can also gain vehicle access through a telematics head unit, tire pressure monitoring systems (TPMS), instrument panels, keyless entry systems, entertainment systems, CAN systems, and more, he said.
“A malicious code can be put into a box (diagnostic tool) and plugged into every car the shop sees,” Patel said. Viruses or malicious code can also be spread to infotainment systems via contaminated CDs, he added.
Once malicious code is out, there are larger implications for car-to-car infection, Patel said, especially with connected infrastructure between cars on the road.
“There are a lot of terrorists out there trying to attack us,” he said. “They could do it during rush hour in a major metro area.”
As OBDII connectors are phased out of vehicles, Sethi said, there will be more vehicle gateways or access points, creating even greater vulnerability.
“The tools will have to get smarter themselves,” Patel added.
Shop network security
Seyfer posed the question: “How can a shop unwittingly get involved in an attack?”
Sethi recommended that shops lock down wireless infrastructures and manage them properly. “You’re 100 percent responsible,” he warned shop owners, stressing the importance of network passwords. He also recommended separate networks for the guest lounge and the technicians working on cars. “The guest lounge network has to be set up a certain way,” he said. “It can’t be ad hoc and taken lightly.”
Technicians setting up “hot spots” with their cell phones can also compromise network security, Sethi said.
“All devices in a shop really need to maintain integrity,” Patel said. Policies need to be in place and enforced, he added.
Technicians must be careful when borrowing scan tools and also when buying used tools over eBay, Sethi said.
Since many techs buy their own tools, Seyfer recommended that shop owners check out new employee devices and tools before they connect to the network.
Sethi also warned the audience that cheap, counterfeit OEM diagnostic software and hardware pose a threat.
“After you’ve done everything recommended, change your hat and think about it as if you will be hacked,” Patel said. “What could go wrong and what would you do?”
Impact of SAE J2534-1 v5.0
Greg Potter, executive manager of the Equipment & Tool Institute (ETI), moderated the second panel, “SAE J2534-1 V5.0 – Benefits for OEMs, Technicians, and Tool Makers.”
The panel included Kurt Immekus of Volkswagen, Jill Saunders of Toyota, and Bernie Carr of Bosch, who revealed their process for implementing the new SAE spec v5.0, which enhances vehicle programming speed and device validation and management.
“Getting a box (diagnostic tool) approved by OEMs is unrealistic,” Potter said. “They can’t spend the money to evaluate every device. And things have changed so much, there’s no backward compatibility.”
Saunders agreed, noting that simply validating reprogramming on the Toyota vehicle lineup for the 2014 model year requires 8,400 tests for one device.
Volkswagen’s Immekus added that for vehicles 10 to 12 years old, testing has to be done on the actual car. “Each module has to be considered when doing a validation test.”