Presentations show the auto industry needs to shore up cars' security

Charlie Miller and Chris Valasek again hacked into a Jeep Cherokee and showed that they can take control of the car steering wheel and brakes, so how do manufacturers fix this glitch?


Chris Valasek (L) and Charlie Miller give a briefing during the Black Hat USA 2015 cybersecurity conference in Las Vegas, Nevada August 5, 2015. Valasek and Miller talked about how they remotely hacked into a Jeep Cherokee.

Credit: REUTERS/Steve Marcus

Once again, automotive cybersecurity researchers Charlie Miller and Chris Valasek hacked into a Jeep Cherokee and showed that they can take control of the car's steering wheel and brakes, but this time at high speeds, not low speeds (self-parking mode) as they did in July 2015. This year's Black Hat conference also offered a "Car Hacking--Hands on" training with Robert Leale, founder of CanBusHack.

For a few years, the auto industry has been under fire, motivating manufacturers to focus more on security. That's one reason why connected car vulnerabilities have been a notable event at major conferences. In its endeavors to build stronger security, the industry at large has invested extensive resources into researching and educating practitioners.

Black Hat was not the only conference at which hackers could learn about car hacking, though. Many were able to participate in competitions at DEF CON 24's Car Hacking Village.


We love our cars, so their vulnerabilities feel personal, which can have a devastating impact on the auto industry. That's a reason to bring security to the forefront for every auto manufacturer.

David Barzilai, Karamba Security co-founder, said the demonstrated attack by Miller and Valasek was “Well, wired—as in a physical intrusion, unlike last year’s remote wireless attack.”

“It’s the wireless attack through electronic control units (ECU) that represents the real threat,” said Barzilai. “The attack skipped the remote access phase altogether and physically connected to the [Controller Area Network] bus. The novelty of this attack is its ability to find more ingenious ways to exploit ECUs by exploiting capabilities available via the bus.”

More than anything else, this demonstrates that protecting at the bus level is too late. “Prevention must block the ability to gain access to the bus. What enabled this act was connecting the hackers directly to the bus,” said Barzilai.

The ability to connect to the bus is indeed what manufacturers want to eliminate. At their Black Hat presentation this year, Miller and Valasek outlined advanced CAN injection techniques, but they closed with suggested ways for making these systems more robust. 

Barzilai said there are certainly ways to stop these kinds of attacks with software that hardens the car controllers according to factory settings. "When Chris and Charlie, or any other cyber hacker, wish to attack the car remotely (and not by connecting their laptop physically to the car’s CAN bus), they must compromise one of the car’s externally connected controllers and run operations or files that are not part of factory settings."

In addition to Karamba Security's Carwall, Symantec also announced the release of its new Anomaly Detection for Automotives tool in June. It uses machine learning to provide passive in-vehicle security analytics that monitor all CAN bus traffic without disrupting vehicle operations.
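To make the idea of passive CAN bus monitoring concrete, here is an added example that is not from the article and is not Symantec's or Karamba's code: it uses a fixed timing threshold rather than machine learning, learning each message ID's usual interval from a known-good capture and flagging unfamiliar IDs or frames that arrive too quickly. The candump-style log format, the CAN IDs, the payloads and the `ratio` parameter are assumptions.

```python
import re
from statistics import median

# candump -L style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\w+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*")

def parse(log):
    """Yield (timestamp, can_id) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16)

def learn_baseline(log):
    """Map each CAN ID in a known-good capture to its median gap (None if seen once)."""
    last, gaps = {}, {}
    for ts, cid in parse(log):
        gaps.setdefault(cid, [])
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: (median(g) if g else None) for cid, g in gaps.items()}

def detect(log, baseline, ratio=0.5):
    """Flag IDs absent from the baseline and frames arriving faster than ratio * usual gap."""
    last, alerts = {}, []
    for ts, cid in parse(log):
        usual = baseline.get(cid)
        if cid not in baseline:
            alerts.append((ts, cid, "unknown-id"))
        elif usual is not None and cid in last and ts - last[cid] < ratio * usual:
            alerts.append((ts, cid, "rate"))
        last[cid] = ts
    return alerts

# Constructed sample captures (IDs, payloads and timings are made up).
CLEAN = """(100.000000) can0 0F1#0000
(100.000000) can0 2A0#11
(100.010000) can0 0F1#0000
(100.020000) can0 0F1#0000
(100.030000) can0 0F1#0000
(100.100000) can0 2A0#11"""
LIVE = """(200.000000) can0 0F1#0000
(200.000000) can0 2A0#11
(200.010000) can0 0F1#0000
(200.012000) can0 0F1#FFFF
(200.015000) can0 7DF#0201
(200.020000) can0 0F1#0000
(200.100000) can0 2A0#11"""

ALERTS = detect(LIVE, learn_baseline(CLEAN))
```

The monitor only reads traffic, so it never transmits on the bus; a production system would also need to handle event-driven messages that have no fixed period.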

This article is published as part of the IDG Contributor Network.