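In 2015, there had not been a single ransomware attack against a hospital anywhere in the world; by 2016 there had been 10. These cyber criminals penetrate internal networks across sectors, take control of users' computer systems and extort ransom from the victims they illegally control; this is how hackers make money. Although we have not yet seen any ransomware attack against automobiles, the current situation is already enough to put automotive cybersecurity experts on alert.
Stacy Janes, chief automotive security architect at Netherlands-based Irdeto, explained: “A car has many ‘points’ that can be attacked, and people with bad intentions can use these ‘points’ to plant all kinds of malware in the vehicle, sometimes without even needing to get onto the vehicle's internal network.” Apart from the large number of apps, the most vulnerable ‘points’ on a vehicle are the gateways that face external networks, such as the vehicle telematics system, the OBDII port and the in-vehicle infotainment (IVI) system.
Electrical engineer Craig Smith, author of The Car Hacker’s Handbook, says the in-vehicle infotainment system is more exposed to remote attack than any other vehicle component. Once a hacker has the key to the infotainment system (that is, access to it), the door to the car is effectively open. At that point the whole vehicle system is laid out in front of the hacker: how the vehicle's CAN bus packets are routed; how the ECUs are updated; whether the vehicle sends data back to the original equipment manufacturer, which data it sends and how it sends it.
Janes said that a future ransomware attack on cars might well be carried out by penetrating the vehicle infotainment system. Picture this scenario: you get up in the morning and get ready to drive to work. You switch on the car's infotainment system, and then the screen starts flashing wildly, the audio volume keeps climbing and the heating goes to full power, and the point is that you cannot turn any of it off. There is nothing you can do except have the car towed to the dealer. The dealership, however, is already full of vehicles hit by the same attack.
By this time the dealer's service manager has contacted the manufacturer, which says that thousands of vehicles have been affected so far. But the attack has not stopped. Later that day, the carmaker finally receives an anonymous email: “By the end of tomorrow, pay us bitcoin worth a million dollars, or the whole world will know about all of this. It will destroy your brand, and you know that very well. Have a nice day.”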
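A matter of public safety
Seven years ago, researchers at Rutgers University and the University of South Carolina successfully penetrated a non-encrypted tire-pressure monitoring system (TPMS). They were able to “spoof” the instrument cluster into showing false tire-pressure readings and to track the vehicle's movements. They certainly did not foresee today's situation at the time. In 2011, security intelligence experts Dr. Charlie Miller and Chris Valasek successfully “hacked into” a Toyota Prius and a Ford Escape, disabling the vehicles' power steering, taking control of the horns and making a mess of the instrument clusters. It is worth noting that the two are not “hackers” in the true sense but automotive security experts who had received research funding from the US Defense Advanced Research Projects Agency (DARPA) to probe vehicles for cybersecurity weaknesses.
In 2015, Miller and Valasek went on to remotely take control of a Jeep Grand Cherokee, which ultimately led Chrysler to recall 1.4 million vehicles and send owners USB drives with software updates. After that, researchers at the University of California demonstrated how, through the insurance-company “dongle” plugged into a vehicle's OBD port, they could disable a Corvette's brakes and switch on its windshield wipers. By then the whole automotive industry had been jolted awake.
Janes, who leads the GENIVI Alliance cybersecurity team, said: “From a security perspective, compared with hacking activity in other sectors, the attack methods used against cars are still at an elementary level.” Janes calls the present “the research phase.”
“Right now, attackers are studying cars and the car industry is studying hackers. As long as the car people can keep a slight lead, the industry need not worry much about attacks,” Janes said. “As long as the automotive industry holds a small advantage, hackers would have to invest more money to mount a flawless attack, and that cost is too high for them.”
Conversely, if carmakers fall even slightly behind, the bad guys will grow bolder. “Attacks like this exist in other industries: finance, mobile communications, media and even healthcare systems,” Janes said. “These cyberattacks are a business. Sometimes an attack may cost them $1 million to launch but earn them $10 million. On those numbers the ‘return on investment’ is pretty good. Given this, the automotive industry must stay ahead of the hackers at all times, so as to raise the cost of attacking cars and force them to move on to other sectors.”
Some of the experts interviewed by Automotive Engineering believe that vehicle cyberattack threats will keep escalating as the market share of connected and autonomous vehicles grows. More than half of the new cars now sold in the US are connected, and against that background the number of potential vulnerabilities open to attack keeps accumulating. By 2020, more than 250 million connected cars are expected to be in use worldwide.
In 2015, to face the growing threat together, OEMs and suppliers jointly founded the Automotive Information Sharing and Analysis Center (Auto-ISAC) to address automotive cybersecurity risks collectively. Auto-ISAC currently has about 30 members, who continuously share cyber threats, vulnerabilities and incident developments related to connected vehicles, along with a large volume of tracking and analysis data.
SAE International is an important part of the Auto-ISAC community and has so far published seven related standards, including J3061, the world's first recommended practice for automotive cybersecurity. Patti Kreh, SAE's New Program Development Manager, said: “SAE hopes to be a strategic partner to the automotive industry. As we see it, cooperation can create many synergies, and the whole industry will benefit.”
In her keynote at the 2016 Cybersecurity Summit in Detroit, General Motors CEO Mary Barra said: “Every automaker has to face cybersecurity incidents. This is a matter of public safety.”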
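Separation and ‘layered defense’
At present, the best end-to-end defense in automotive cybersecurity is “a multi-layer defense system that covers the entire connected-vehicle ecosystem,” said Dvir Reznik, Senior Marketing Director at Harman International. “There is no such thing as a panacea in cybersecurity.”
The experts agree that the components of “security in depth” defensive software should fit together as tightly as Lego bricks. They include code in subsystem electronic control units, code that monitors all internal network communications, and code that raises an alert when abnormal behavior occurs. The main function of this code is to stop a cyberattack from escalating. Modules that face external networks, such as the vehicle infotainment system, are also an important object of protection for cyber-defense software.
SRI International is an independent non-profit research and development center that carries out national-level cybersecurity research and analysis. Its program director, Ulf Lindqvist, said that automotive protection measures apply broadly and should be set up relatively simply. “The key to security is separation,” Lindqvist said. “A vehicle system may be authorized to interact with the CAN bus, but that does not mean we recommend doing so.” The problem, he continued, is that “people always seem to like connecting vehicle systems to one another at will, for all sorts of purposes.”
Some cloud security products and services are now starting to enter the market. They are purpose-designed to detect and deal with vehicle cyber threats in advance, and they also support over-the-air (OTA) updates and real-time delivery of information. Many manufacturers need end-to-end solutions of this kind, which is one of the reasons companies such as Harman and IBM Security have begun offering expanded “security suites.”
Argus Cyber Security is a pioneer in automotive cybersecurity solutions. The company's original “gateway box” created a separate firewall for the vehicle network, continuously scanning CAN bus messages and shutting the network down promptly when it found an anomaly. Argus's current solution installs the monitoring component in one or more of the vehicle's electronic control units. Other leading companies, including Karamba, Harman and Nokia, can provide similar solutions.
Meg Novacek, Argus's executive director of business development for North America, said an ideal automotive cybersecurity architecture should have four components: a secure communications gateway; an intrusion detection and prevention system (IDPS) that can immediately identify and block a cyberattack; OTA update capability for vehicle software; and some kind of principal hardware security module with integrated remote-attestation capability.
The binary vehicle code written by Karamba's software engineers also includes the company's own “digital fingerprint” code used for monitoring. Once installed in the vehicle, this code monitors continuously, and if anything tries to change the “digital fingerprint” or overwrite any content, the system immediately disconnects the network.
Sam Abuelsamid, an analyst at Navigant Research, said the advantage of this measure is that “the vehicle system architecture determined by the carmaker is fixed, and any outside operation that tries to change it will cause the whole system to shut down.”
Some engineers and cybersecurity experts say machine learning and artificial intelligence (AI) are also likely to become solutions for anomaly detection. Advocates of such technology, including the Battelle Memorial Institute, say these systems are platform-agnostic, can be applied to any onboard electronic control unit and do not require regular updating of signature databases and detection-engine components. In such a system, once any abnormality is detected, the system takes measures of different levels according to the severity of the threat, including sounding an audible alert, vehicle intervention (such as “self-protection” mode) or directly notifying emergency responders.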
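An endless battle
Some companies are currently developing “self-healing” software code that can restore the vehicle to its previous state once a threat has been removed, and the widely known blockchain technology is in development as well. Specifically, blockchain sends information over a network of independent computers, that is, a distributed ledger system, to protect data and property and in turn secure transactions and ownership. The Toyota Research Institute is researching blockchain together with the MIT Media Lab and other partners. Many experts believe the technology can advance the development of cyber-secure autonomous driving.
It is worth noting that all cybersecurity experts agree on one thing: hacking will never stop.
“Nobody can make any guarantees in this field,” said SRI International's Lindqvist. “What we can do is minimize the chance of a hack occurring and limit the impact it can have.”
“This is a great battle between spies,” said Irdeto's Janes. Janes and others said some OEMs and Tier 1 suppliers have begun bringing cybersecurity engineers into the design of vehicle electrical architectures and subsystems. At this stage they are carrying out detailed threat analyses and starting to write security requirements into supplier requests for quotation (RFQs), a practice that passes cybersecurity requirements down through the supplier tiers.
“We can say the autonomous-vehicle industry is very fragile. It would take only a few cyberattacks on autonomous cars that cause casualties, and the whole industry would be finished,” Janes said. “Engineers need to look at problems from the hacker's point of view, understand how they think, and follow their line of thinking to adopt more effective countermeasures.”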
In 2015 there was no such thing as a ransomware attack against a hospital. In 2016 there were 10 such attacks. The cyber criminals who penetrate and disable computer networks until users pay ransom profit from vulnerable and easy targets. And while there have not yet been any ransomware attacks against automobiles, they’re the threat cybersecurity experts fear the most.
“There are multiple ‘attack surfaces’ in vehicles through which nefarious players can plant bad software; you don’t need to be on the internal networks,” explained Stacy Janes, Chief Security Architect – Automotive, at Netherlands-based Irdeto. Along with various apps, the most vulnerable points of entry are those on the outward-facing gateways: vehicle telematics, the OBDII port and the IVI (in-vehicle infotainment) stack—all of which connect the vehicle to outside communications.
The IVI system offers more remote attack surfaces than any other vehicle component, notes electrical engineer Craig Smith, author of The Car Hacker’s Handbook. Gaining access to the IVI “opens a door to additional info” about how the vehicle works, such as how it routes CAN bus packets and updates the ECU. Understanding the IVI system can also provide insight into whether the system ‘phones home’ to the OEM; if it does, hackers can use access to the IVI to see what data is being collected and potentially transmitted back to the manufacturer.
Penetrating the IVI system is how a real-world ransomware attack on the mobility industry might play out, said Janes. He offers a scenario: You get in the car, turn it on and the IVI screen starts strobing wildly. The audio system volume cranks up, the heat comes on full blast and you can’t shut it off. There’s nothing you can do, so you get the car towed to a dealership—which is jammed with vehicles victimized by the same attack.
The dealer’s service manager already has contacted the OEM, which says thousands of vehicles are afflicted. And the attacks continue. Later in the day, the OEM receives an anonymous email: “Tomorrow, your company pays us millions in bitcoin or we’ll release a statement on what we did. We’ll destroy your brand. Have a nice day.”
A matter of public safety
Such a cybersecurity scenario was not envisioned seven years ago, when researchers at Rutgers University and the University of South Carolina successfully penetrated a non-encrypted tire-pressure monitoring system (TPMS) and were able to display false tire-pressure reading “spoofs” on the cluster—and track the car’s movements. In 2011, security intelligence experts Dr. Charlie Miller and Chris Valasek, working on a DARPA grant to probe vehicle cyber-weaknesses, hacked a Toyota Prius and a Ford Escape, disabling the power steering, taking control of horns and playing havoc with cluster displays.
Miller and Valasek then executed their seminal 2015 remote hijacking of a Jeep Grand Cherokee, prompting Chrysler to recall 1.4 million vehicles and dispatch USB drives with software updates to owners. The mobility sector was awakened, but not before University of California researchers demonstrated they could disable a Corvette’s brakes and activate its windshield wipers by hacking the insurance-company dongle plugged into the car’s OBD port.
“From a security perspective those were all very basic attacks, compared to what we see in other markets,” observed Janes, who is also the cyber team lead for the GENIVI alliance. He calls the current era “the researcher phase.”
“Right now, you have attackers learning about cars and car people learning about security. As long as the car people stay a bit ahead, the attackers won’t bother with autos,” he said, “because they’ll have to invest too much money in order to mount a sophisticated attack.”
But if the OEMs fall behind, the bad guys will get bolder. “We saw this with attacks in other industries—financial, mobile, media companies, healthcare,” Janes said. “The attackers are a business. Some attacks can cost $1 million to execute, but they make $10 million—not a bad ROI, right? Automotive needs to get ahead of it and stay ahead, so it gets too costly for the attackers and they move on to another sector.”
The experts Automotive Engineering interviewed for this article believe the cyberattack threat will only increase as connected and autonomous vehicles gain market share. Already, over half of the vehicles sold in the U.S. are connected, with an expanding number of potential vulnerabilities. More than 250 million connected cars are expected to be in use by 2020.
Unifying to face the growing threat, OEMs and suppliers in 2015 founded the Auto-ISAC (information sharing and analysis center), a global community to address vehicle cybersecurity risks. With around 30 members, Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.
SAE International is part of the Auto-ISAC community, having published seven related Standards, including J3061, the world’s first automotive recommended practices on the topic. “SAE hopes to be a strategic partner—we see many synergies to benefit the entire industry,” said Patti Kreh, SAE’s New Program Development Manager.
A cyber incident “is a problem for every automaker in the world,” asserted General Motors CEO Mary Barra in her keynote at the 2016 Cybersecurity Summit in Detroit. “It is a matter of public safety.”
Separation and ‘layered defense’
The best end-to-end defense in automotive cybersecurity is “a multi-layer approach involving the complete ecosystem of connected vehicles,” said Dvir Reznik, Senior Marketing Director at Harman International. “There is no ‘silver bullet’ in this space.”
Known as “security in depth,” the building-blocks of defensive software should fit together like a Lego structure, the experts agree. They include code installed in subsystem ECUs and those which monitor all internal network communications, alerting the system to any changes in normal network behavior. Their job is to halt attacks from advancing within the network. The outward-facing modules such as IVI head units “on the vehicle perimeter” also are the focus of cyber-defense software products.
Ulf Lindqvist, program director at SRI International, an independent non-profit research center involved with national-security level cybersecurity research and analysis, said a broad automotive protection approach should be relatively simple. “Security really is all about separation,” he noted. “Just because [a system] is authorized to talk to the CAN bus doesn’t mean you should do so.” The problem, he continued, is “there always seems to be some reason or another to connect” quasi-related vehicle systems.
And cloud security products and services are entering the market. These are designed to detect and address threats before they reach the vehicle. They also can transmit over-the-air (OTA) updates and intelligence in real time. OEMs are demanding such end-to-end solutions, one of the drivers behind companies such as Harman and IBM Security joining forces earlier this year to offer expanded “security suites.”
A pioneer in automotive cybersecurity solutions is Argus Cyber Security. The company's original “gateway box” was added to the vehicle network to create a discrete firewall that searched CAN messages and shut down the network if an anomaly was detected. Argus’s current technology builds the monitoring component into one or more ECUs on the vehicle. Other leading cybersecurity firms, including Karamba, Harman and Nokia, offer similar approaches.
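The gateway-style check described above, as an added example that is not from the article or from any vendor: frames are compared with a per-ID baseline, anomalous frames are held back, and the segment is isolated once enough anomalies are seen. The baseline table, the IDs and periods, the `min_ratio` and `limit` thresholds and the sample capture are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: float      # receive time in seconds
    can_id: int    # 11-bit arbitration ID
    data: bytes

# Assumed baseline for a hypothetical vehicle: ID -> (nominal period s, payload length)
BASELINE = {0x0C4: (0.010, 8), 0x1A0: (0.020, 8), 0x3E9: (0.100, 4)}

def inspect(frames, baseline=BASELINE, min_ratio=0.5):
    """Return (alerts, forwarded); a frame is forwarded only if every check passes."""
    last_seen, alerts, forwarded = {}, [], []
    for f in frames:
        spec = baseline.get(f.can_id)
        if spec is None:                       # ID this network never carries
            alerts.append((f.ts, f.can_id, "unknown-id"))
            continue
        period, length = spec
        if len(f.data) != length:              # payload does not match the baseline
            alerts.append((f.ts, f.can_id, "bad-length"))
            continue
        prev, last_seen[f.can_id] = last_seen.get(f.can_id), f.ts
        if prev is not None and f.ts - prev < period * min_ratio:
            alerts.append((f.ts, f.can_id, "too-fast"))  # extra sender on a periodic ID
            continue
        forwarded.append(f)
    return alerts, forwarded

def verdict(alerts, limit=3):
    """Gateway policy: isolate the segment once `limit` anomalies have been seen."""
    return "isolate" if len(alerts) >= limit else "forward"

# Constructed capture: normal traffic plus three anomalous frames.
SAMPLE = [
    Frame(0.000, 0x0C4, bytes(8)), Frame(0.001, 0x1A0, bytes(8)),
    Frame(0.002, 0x3E9, bytes(4)), Frame(0.010, 0x0C4, bytes(8)),
    Frame(0.012, 0x0C4, b"\xff" * 8),   # early duplicate of a periodic ID
    Frame(0.015, 0x7DF, bytes(8)),      # ID absent from the baseline
    Frame(0.020, 0x0C4, bytes(8)), Frame(0.021, 0x1A0, bytes(8)),
    Frame(0.102, 0x3E9, bytes(8)),      # wrong payload length
]

if __name__ == "__main__":
    alerts, forwarded = inspect(SAMPLE)
    for a in alerts:
        print("%.3f 0x%03X %s" % a)
    print(verdict(alerts))
```

A timing check of this kind cannot tell which of two closely spaced frames is the legitimate one, which is one reason to isolate the segment rather than rely on per-frame filtering alone.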
Meg Novacek, Argus executive director for North America business development, said the company’s vision of the ideal automotive cybersecurity architecture comprises four elements: a secure communications gateway; the company’s Intrusion Detection and Prevention System (IDPS), which can immediately identify a cyber-attack and block it; OTA updates for vehicle software; and some type of principal hardware security module that incorporates remote-attestation capabilities.
When Karamba’s software engineers build the binary code that goes into the vehicle, it includes some of Karamba’s own code that basically takes a ‘digital fingerprint’ of the binary. Once installed in the vehicle, it monitors constantly. And if anything tries to change that ‘fingerprint’ or overwrite anything, it shuts the network down.
The advantage of this approach is that “you know from the factory what is supposed to be in there. If anything alien tries to alter that, the whole thing gets shut down,” observes analyst Sam Abuelsamid of Navigant Research.
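An added sketch of the ‘digital fingerprint’ idea described above, not the vendor's code and not from the article: per-region SHA-256 digests are recorded at build time and rechecked at run time, and any mismatch maps to the network shut-off the text describes. The page size, the HMAC-protected manifest, the key (a stand-in for material held in a hardware security module) and all names are assumptions.

```python
import hashlib
import hmac

PAGE = 4096  # assumed granularity: one digest per 4 KiB region of the image

def _digests(image: bytes) -> list:
    return [hashlib.sha256(image[i:i + PAGE]).digest()
            for i in range(0, len(image), PAGE)]

def _tag(key: bytes, size: int, pages: list) -> bytes:
    # Authenticate both the image size and the ordered digest list.
    return hmac.new(key, size.to_bytes(8, "big") + b"".join(pages),
                    hashlib.sha256).digest()

def fingerprint(image: bytes, key: bytes) -> dict:
    """Build time: record per-page digests and authenticate them with a key."""
    pages = _digests(image)
    return {"size": len(image), "pages": pages,
            "tag": _tag(key, len(image), pages)}

def verify(image: bytes, manifest: dict, key: bytes) -> list:
    """Run time: return findings; an empty list means the factory state is intact."""
    expected = _tag(key, manifest["size"], manifest["pages"])
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest-tampered"]          # the fingerprint itself was altered
    if len(image) != manifest["size"]:
        return ["size-changed"]
    return ["page-%d-modified" % n
            for n, (got, want) in enumerate(zip(_digests(image), manifest["pages"]))
            if not hmac.compare_digest(got, want)]

def policy(findings: list) -> str:
    """Mirror the behaviour described in the text: any mismatch cuts the network."""
    return "isolate-network" if findings else "run"

# Constructed 12 KiB "firmware" and a placeholder key, for demonstration only.
KEY = b"constructed-demo-key"
FACTORY = bytes(range(256)) * 48
MANIFEST = fingerprint(FACTORY, KEY)

def patched(image: bytes, offset: int, blob: bytes) -> bytes:
    """Simulate an overwrite of image bytes, as a test input for verify()."""
    return image[:offset] + blob + image[offset + len(blob):]

if __name__ == "__main__":
    for img in (FACTORY, patched(FACTORY, 5000, b"\xde\xad\xbe\xef")):
        found = verify(img, MANIFEST, KEY)
        print(found, policy(found))
```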
Some engineers and cyber-security experts say machine learning and artificial intelligence (AI) are potential solutions for anomaly detection. Advocates including the Battelle Memorial Institute say they are also platform-agnostic, can be applied to any onboard ECU and don’t require constant updating of signature databases and detection-engine components. In such systems, abnormalities detected can generate audible alerts, vehicle intervention (such as limp-home mode) or directly notify first responders, depending on the severity of the threat.
An endless battle
“Self-healing” software code that can be changed back to its original form after it’s compromised is in development at some companies, as is blockchain technology. Blockchain sends information over a network of independent computers, known as a distributed ledger, intended to ensure that the transaction is secure and ownership rights over the data or property are protected. The Toyota Research Institute (TRI) is exploring blockchain in collaboration with the MIT Media Lab and other partners. Many experts believe it could accelerate development of cyber-secure autonomous driving technology.
One point on which all cyber-security experts agree is that hacking will never end.
“It’s really hard to make guarantees in this space,” said SRI’s Lindqvist. “We have to get to the place where successful hacks are rare—and they have to have limited consequences.”
“This is a Spy vs. Spy kind of game,” noted Irdeto’s Janes. He and others said some OEMs and Tier 1s have begun incorporating network-security engineers into their electrical architecture and subsystem design processes. They’re conducting detailed threat analyses and baking security into RFQs, pushing cyber requirements down through the tiers.
“If you want to kill the autonomous-vehicle industry, let an autonomous car get maliciously hacked with injuries or lives lost,” he said. “Engineers need to adopt a hacker’s view of the world to understand and defeat the threat.”
Author: Lindsay Brooke and Bill Visnic
Source: SAE Automotive Engineering Magazine