
Smart Transport: New Information Security Challenges





The theme of the 46th World Economic Forum in Davos was the “Fourth Industrial Revolution”: a shift in the technological order that could dramatically change existing economic and social realities. The Internet of Everything (a broader vision of the Internet of Things, IoT), cyber-physical systems, machine-to-machine (M2M) interaction and smart cities are the key concepts and trends of the future digital-economy ecosystem.



One of the cornerstones of the coming changes, and the technology that most vividly demonstrates their depth, is smart transport. Self-driving cars joined in a single network, exchanging information about the traffic situation with a control center and with each other, will completely change both passenger transportation and logistics schemes.

This article discusses existing examples and potential vulnerabilities of smart transport, the dangers associated with remote control capabilities and telemetry interception, and other risks.



A modern car can already be called smart. Active cruise control and the tracking of road signs and lane markings are technologies that automakers use more and more widely, and not only on the flagship models that showcase these capabilities. Even a relatively inexpensive car today may offer intelligent parking functions. All of this has become possible partly because the vast majority of cars no longer have a physical connection between the controls and, roughly speaking, the wheels (or the gearbox, the brake system, and so on). The steering wheel and pedals are now an interface to the on-board computer, which directly controls the car. The result is gigabytes of code responsible for control logic and for analyzing telemetry from various sensors.



Until recently, the potential risk of intrusion into on-board equipment did not worry automakers or the public very much, since by no means all systems could be reached remotely.



However, the situation is changing. There are now many anti-theft and convenience systems that provide remote access to important functions of the car. Such systems have been compromised [1], which can mean serious material damage. A year ago, a vulnerability was discovered in the Land Rover keyless entry and start system that led to doors unlocking spontaneously [2]. And this is just the tip of the iceberg.



Also in 2015, security experts Charlie Miller and Chris Valasek demonstrated a remote hack of a Jeep Cherokee [3]. At first they gained access to the multimedia system by hacking its Wi-Fi, but they did not stop there. They used the cellular network to which the car's computer is connected, which they managed to reach using a femtocell. By scanning IP addresses and intercepting certain calls that they had learned about while hacking the Wi-Fi, the researchers found all the cars with this computer installed. A particular car was then identified using its GPS tracker. Although the multimedia system and the control units (ECUs) are formally not connected, in practice they managed to find a vulnerability that gave access to the CAN bus. After reflashing the computer, they were able to control the car's systems.







Hacked Jeep Cherokee



The hack the researchers demonstrated is interesting, but its root cause is easy to fix: it is enough to completely isolate the network-connected multimedia system from the vehicle control systems. The task does not seem impossible, even though a growing number of functions are accessed through a single interface shared with the entertainment system (one touchscreen on which you can both adjust the music volume and turn on the heated seats).
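One way to reconcile that isolation with comfort functions on the touchscreen is a default-deny gateway between the two sides. The sketch below is an added example, not code from the article or from any automaker; the CAN IDs, payload encodings and limits are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    length: int           # exact payload length expected
    allowed: dict         # byte index -> set of permitted values
    min_interval: float   # minimum seconds between forwarded frames

# Constructed policy (IDs and encodings are hypothetical): the only requests
# the touchscreen may send toward the vehicle network.
POLICY = {
    0x3A0: Rule(2, {0: {1, 2}, 1: {0, 1, 2, 3}}, 0.2),  # seat heating: seat, level
    0x3A1: Rule(1, {0: set(range(16, 31))}, 0.2),       # cabin temperature, 16-30 C
}

class Gateway:
    """Default-deny filter between the infotainment unit and the control bus."""

    def __init__(self, policy):
        self.policy = policy
        self.last_forwarded = {}

    def check(self, ts, can_id, data):
        """Return (forward, reason) for one frame from the infotainment side."""
        rule = self.policy.get(can_id)
        if rule is None:
            return False, "id not allowlisted"
        if len(data) != rule.length:
            return False, "unexpected length"
        if any(data[i] not in ok for i, ok in rule.allowed.items()):
            return False, "value not permitted"
        last = self.last_forwarded.get(can_id)
        if last is not None and ts - last < rule.min_interval:
            return False, "rate limit"
        self.last_forwarded[can_id] = ts
        return True, "ok"

# Constructed frames as (timestamp, CAN ID, payload).
FRAMES = [
    (0.00, 0x3A0, bytes([1, 3])),     # driver seat, level 3
    (0.05, 0x3A0, bytes([1, 3])),     # repeated too quickly
    (0.30, 0x3A0, bytes([1, 9])),     # level outside the defined range
    (0.40, 0x0C1, bytes([0, 0, 0])),  # ID that belongs to the control side
    (0.50, 0x3A1, bytes([22])),       # 22 C
    (0.60, 0x3A1, bytes([22, 0])),    # wrong length
]

def run_sample():
    gw = Gateway(POLICY)
    return [gw.check(ts, cid, data)[1] for ts, cid, data in FRAMES]
```

Only the two well-formed comfort requests are forwarded; everything else, including any frame with an ID outside the policy, is dropped at the gateway.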



But as autopilot and cars connected to a unified information network develop, the problem arises in full force. According to estimates by the authoritative Gartner, by 2020 the number of “connected” cars will exceed a quarter of a billion [4]. And this is not just about infotainment networks. Smart cars will transmit telemetry, location data and various service information to unified control centers and to automakers' service departments.



The growing amount of code and complexity of the logic will require a permanent network connection to receive updates. And where there is a connection, the system is obviously exposed. Positive Technologies specialists Kirill Yermakov and Dmitry Sklyarov spoke at the PHDays information security forum about hacking a car's control microcontroller (ECU) [5]. Another example was demonstrated by Hiroyuki Inoue, an associate professor at the University of Hiroshima [6]. By connecting a Wi-Fi device to the CAN bus, the researcher was able to hack the system using a smartphone running a program he had written himself. Once connected, he was able to change the instrument readings and “play” with the vehicle's systems. Even without delving into the control logic, he managed to immobilize the vehicle with a DDoS attack on the control systems: the computer simply could not process the data stream.
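From the defender's side, the flooding case described above shows up as a frame rate far beyond what the bus normally carries. The following added example (not from the article or the cited research) scans a candump-style log for such windows; the baseline, thresholds, IDs and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# candump -l style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*")

def parse(lines):
    """Yield (timestamp, can_id) for every well-formed log line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16)

def find_floods(lines, baseline, window=1.0, factor=5, bus_budget=200):
    """Return [(window_start, can_id or None, count)] for suspicious windows.

    can_id None means total traffic in the window exceeded bus_budget;
    otherwise that ID exceeded factor x its baseline rate (IDs missing from
    the baseline have an expected rate of 0, so any frame is reported).
    """
    frames = list(parse(lines))
    if not frames:
        return []
    t0 = frames[0][0]
    buckets = defaultdict(Counter)
    for ts, can_id in frames:
        buckets[int((ts - t0) // window)][can_id] += 1
    alerts = []
    for b in sorted(buckets):
        start = t0 + b * window
        total = sum(buckets[b].values())
        if total > bus_budget:
            alerts.append((start, None, total))
        for can_id, n in sorted(buckets[b].items()):
            if n > factor * baseline.get(can_id, 0):
                alerts.append((start, can_id, n))
    return alerts

# Constructed sample: ID 0x120 at its normal 10 frames/s for three seconds,
# plus a one-second burst of 400 frames on an ID the baseline has never seen.
SAMPLE = [f"({100 + i / 10:.6f}) can0 120#0011223344556677" for i in range(30)]
SAMPLE += [f"({102 + j / 400:.6f}) can0 2F0#FFFFFFFFFFFFFFFF" for j in range(400)]
BASELINE = {0x120: 10}  # expected frames per window, per ID

if __name__ == "__main__":
    for start, can_id, n in find_floods(SAMPLE, BASELINE):
        print(start, "bus" if can_id is None else hex(can_id), n)
```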



Research and development on fully unmanned vehicles is being carried out by many companies, both automakers themselves (for example, Audi and Ford) [7] and IT giants. Google is actively testing its unmanned cars [8]. Since 2009, they have traveled more than 2 million kilometers (California authorities legalized the use of autopilot vehicles on state roads in September 2012). And in February 2016, one of the “Google mobiles” caused an accident [9]. Samsung and Baidu are not far behind [10]. In our country, unmanned transport is receiving attention at the highest level: KamAZ, together with Cognitive Technologies, has begun developing an unmanned truck [11].



But despite the close (we hope) attention to security, such systems are too complex for the possibility of hacking them to be eliminated completely. Moreover, existing platforms and communication channels are used as the building blocks for development.



The main elements susceptible to hacking are the car's own embedded systems, the communication channels and the road infrastructure. Security work is already underway. For example, Kaspersky Lab is developing its own operating system for cars [12]. Intel has announced the creation of the Automotive Security Review Board (ASRB), a supervisory board for automotive security [13]. Security research is being conducted by McAfee and the IET [14]. For cars to “communicate” with each other and with infrastructure, the V2V (car to car) and V2I (car to roadside infrastructure) standards are being developed [15]. However, none of this can protect against threats completely. An autopilot vehicle is a multicomponent system that includes, in addition to the control computer, a number of orientation tools: radars, lidars (devices that obtain and process information about remote objects using active optical systems), satellite navigation systems (GPS), stereo cameras and terrain maps. Information from any of these elements may be compromised.



As an illustration of a promising infrastructure scheme for smart transport, it is interesting to look at concepts from the military field, since many fundamental technologies of the modern IT industry originate there.







GIG Global Information Network Diagram



GIG (Global Information Grid) is the global information network of the US Department of Defense [16]. The concept of a global network for commanding troops has been in development for more than a year and makes use of, among other things, existing civilian data networks. The main appeal of the scheme above is that every element of this concept is a network object (even a missile has an address). It is easy to imagine such a scheme becoming the basis of a unified civilian transport management system.



Transport, though, will be only one part of such a system. For example, the Russian company RoboCV [17] is deploying autopilot warehouse equipment that works together with warehouse software, is built on Ubuntu and Wi-Fi networks, and is potentially vulnerable to hacking. Apparently, it is these systems, coupled with the automation of freight transport, that will become the main point at which autopilot vehicles come into use. This is understandable: freight transport is essentially part of production and trade, and logistics and transport companies are the most interested in automating transportation and in the accompanying opportunities to optimize delivery schemes and calculations and to reduce costs (the US state of Nevada has already authorized a self-driving Daimler truck on its roads [18]). You can picture the resulting scheme as a whole: goods are “shipped” in the warehouse program, after which a forklift loads the truck by itself, and the truck in turn takes the cargo to the customer, where everything repeats in reverse order. People are completely excluded from the process: a brave new world! From an information security point of view, however, such a scheme cannot help but cause at least distrust. There are many entry points, from the enterprise's warehouse network to the freight management network and the systems of the vehicles themselves, plus the control centers that track the movement of goods. And with people completely excluded from the process, a break-in will not be noticed until the goods are due to enter circulation. The vehicle itself can also act as the attacker: once infected, it becomes an entry point into the network to which it is connected. A truck carrying goods can also carry a database out of the warehouse or serve as a source of infection for the corporate network.



These are just some of the potential consequences. Although the most obvious problems concern traffic safety (interference with the control of the vehicle), mass automation of transport also carries the risk of continuous monitoring of movement even without hacking the end user: the information will be available in centralized systems. Entirely new opportunities open up for smuggling. One can literally parasitize the infrastructure, using someone else's transport without the owners' knowledge. New patterns of attacks commissioned by competitors appear. Not to mention the possibility of cyberterrorism and mass attacks on control systems.



The ideas behind smart unmanned vehicles are not new, but their time has clearly come. Representative conferences are being held abroad and in our country [19]. Attention is also being paid to legislation: a draft act on automotive cybersecurity has been introduced in the United States [20]. Like any new large-scale technology, smart transport carries many risks and, fortunately, those risks are understood.



Sources



  1. Vulnerabilities of the cryptotransponder allow more than 100 car models to be started without a key.
  2. A bug in Land Rover's software leads to spontaneous unlocking of doors.
  3. Hackers Remotely Kill a Jeep on the Highway — With Me in It.
  4. Gartner Says By 2020, a Quarter Billion Connected Vehicles Will Enable New In-Vehicle Services and Automated Driving Capabilities.
  5. Presentation "How to 'set' the car 'brains'".
  6. Toyota Corolla Hybrid Car Hacked via Smartphone.
  7. Audi piloted driving. This is a really big deal.
  8. Google Self-Driving Car Project.
  9. Google says it bears 'some responsibility' after self-driving car hit bus.
  10. Samsung and Baidu are in a hurry to overtake Google cars.
  11. KamAZ began developing an unmanned truck.
  12. Kaspersky Lab is developing a secure OS for cars.
  13. Intel begins to fight for the information security of cars.
  14. McAfee Automotive Security Best Practices. IET. Automotive Cyber Security: An IET / KTN Thought Leadership Review.
  15. Vehicle-to-Vehicle / Vehicle-to-Infrastructure Control.
  16. Net-Centric, Service-Oriented DoD Enterprise.
  17. Intelligent autopilot for warehouse equipment.
  18. Self-driving semi licensed to drive in Nevada.
  19. Automotive Cybersecurity Summit, Connected Car Summit.
  20. Senators presented a draft act on automotive cybersecurity.

Source: https://habr.com/ru/post/302194/


