Cars face cyber threats too

Below: The chief of DHS speaks in Asia, former military officials like a former NSA director did lucrative work for foreign governments and the FTC looks into Mastercard and Visa’s security token practices. First:
Europol smashes an alleged car-hacking operation, but that’s not the only cyberthreat to vehicles
Europol busted up a keyless car hacking ring, the European law enforcement agency announced Monday, arresting 31 suspects and seizing more than a million dollars in criminal assets.
“The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away,” Europol announced. “A fraudulent tool … marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.”
Theft of keyless cars is easier than traditional theft, which requires either physical access to a key and hotwire know-how or both, experts say. And while theft might be the most common threat hackers pose to automobiles, it isn’t the only one, as security researchers demonstrated when they remotely shut down a Jeep while it was driving along a highway in 2015.
In an increasingly internet-connected industry with electric cars and autonomous vehicles also poised to carve out a bigger share of the marketplace, and with few government requirements on the books, those risks aren’t likely to subside soon. (By one estimate, there were 84 million connected cars on the streets of the United States last year.)
“As cars become computers with wheels in a lot of senses, the threat from attackers gets bigger,” Rafal Los, head of services at cybersecurity firm ExtraHop, told me.
That doesn’t mean nobody has taken action to counter those threats. Cyber experts say the industry took steps to improve the cybersecurity of vehicles after the landmark Jeep hack. And the National Highway Traffic Safety Administration in September updated guidance it issued in 2016 on vehicle cybersecurity. It’s just that it’s not been enough, those experts say.
Nationwide crime statistics aren’t as reliable as they once were, owing to decreased local law enforcement submissions of data to the FBI, but signs point to an increase in auto theft in recent years.
“Keyless entry systems which allow users to enter a vehicle and start its engine without inserting and turning a key likely helped reduce vehicle thefts since the 1990s, but the dramatic 30-year decline has suddenly gone into reverse,” Sen. Edward J. Markey (D-Mass.) wrote in a letter to auto manufacturers in July. “Although the exact cause of this turnaround is unclear, a growing body of evidence suggests that keyless entry systems may play a role.”
But an industry group, the Alliance for Automotive Innovation, said in response to Markey that keyless systems enhance security. It also touted other security measures for keyless entry, such as features allowing owners to manually deactivate fobs.
“Theft mitigation is an evolving issue and prescriptive requirements are often an impediment to innovation,” wrote Garrick Francis, vice president of federal affairs. “It is important that manufacturers maintain flexibility in the design, evaluation, and implementation of security features for keyless entry systems so that the automotive industry can continue to quickly respond to emerging issues that could affect vehicle owners.”
Still, researchers frequently demonstrate their capabilities for hacking their way into cars and starting their engines, including with vehicles from Tesla and Honda in recent months.
“There are certain car companies where the security is laughable,” Robert Leale, the president of CanBusHack and founder of the Def Con security confrence’s Car Hacking Village, told me. “If you know how to [hack into] one car, you probably can figure out how to do it on every car in the manufacturer’s lineup.”
The shutdown threat has more dangerous consequences, even if they’re far less common — or in some cases, speculative:
- A disgruntled former employee of a Texas auto center allegedly used repossession software to remotely disable cars for more than 100 drivers in 2010.
- The 2015 hack featured researchers cutting a Jeep’s transmission and brakes, blaring the radio and turning on windshield wipers. It led Chrysler to recall 1.4 million vehicles in the first and only cyber-related recall. The same researchers hacked vehicles before and after to further demonstrate vulnerabilities.
- Former White House cyber official Richard Clarke said the 2013 death of journalist Michael Hastings was “consistent with a car cyberattack,” although the coroner’s report and Hasting family members ruled out foul play.
While the United Nations and Europe have pushed cybersecurity rules for vehicles, the United States hasn’t gone as far. Last year’s bipartisan infrastructure law did include a provision directing the Federal Highway Administration to establish a cybersecurity coordinator. And the White House this month is kicking off an initiative for labeling secure “internet of things” devices, but it’s starting with routers and cameras.
Right now, though, there’s not enough financial incentive for vehicle manufacturers to take action on their own to prevent theft, Leale said.
“They typically don’t want to add cost, and really theft isn’t a problem for the manufacturers,” he said. “It’s a problem for the user and the insurance companies.”
The grass-roots digital security initiative I Am the Cavalry put out a “five star” plan for automotive cybersecurity in 2014, some of which the industry has embraced, like providing incentives for researchers to report bugs, founder Joshua Corman told me.
“When we put out this ‘five-star,’ at the time there were zero carmakers that did all five and today, there’s still zero carmakers that do all five,” said Corman, vice president of cyber and physical safety at cybersecurity firm Claroty. “So do we have the political will, and are we moving fast enough to adapt to the threat landscape?”
DHS chief: Beware China deals, look to U.S. on cyber
Nations should be wary of accepting assistance from China when making deals on critical infrastructure because they could undercut data security and privacy, Department of Homeland Security Alejandro Mayorkas will say in a speech in Asia today.
“It is our belief that our essential telecommunications networks should not be owned or operated by companies who will either sell or provide your information to a foreign government,” Mayorkas plans to say in a speech at the Singapore International Cyber Week Summit, excerpts of which were exclusively shared with The Cybersecurity 202. “Cheap telecommunications technology is not worth the price of citizens’ privacy, your national security or your sovereignty. If the deal looks too good to be true, it probably is. The cut-rate price at which the technology was purchased may not be the final bill to arrive.”
He also will encourage other nations to adopt DHS-written voluntary security guidelines.
“In consultation with industry, we will soon issue cybersecurity performance goals that constitute the highest-priority baseline measures critical infrastructure owners can take to protect themselves,” his prepared remarks read. “We call on partners around the world to work with us to consider these security measures as worthy minimum-security baselines within your own countries and industries.”
And he’ll signal U.S. dedication to streamlining cybersecurity regulations internationally.
“We must simultaneously look for opportunities to harmonize regulations domestically and with international partners,” he’ll say. “Multinational companies operate across jurisdictions and deploy tech infrastructure that serves their global needs. As much as we can, we as governments should strive to harmonize requirements so that there is a sensible landscape of rules that incorporate the best security standards, and which companies can implement in a practical way.”
Former NSA director and military leaders took lucrative jobs for foreign governments
Keith L. Alexander, the former leader of the National Security Agency and U.S. Cyber Command, is one of hundreds of retired U.S. military personnel who did lucrative work for foreign governments since 2015, Craig Whitlock and Nate Jones report.
- The State Department approved Alexander’s request to help develop and serve on the board of the Prince Mohammed bin Salman College of Cyber Security — which was established under the direction of the crown prince’s aide, Saud al-Qahtani. That approval came two months after the U.S. government sanctioned Qahtani, saying that he “was part of the planning and execution of the operation that led to the killing” of Washington Post contributing columnist Jamal Khashoggi.
- Alexander has sought U.S. approval for four separate deals to advise the governments of Singapore and Japan since 2017, my colleagues report.
Alexander declined to comment, but Bridget Bell, a spokeswoman for his consulting firm, IronNet Cybersecurity, said the Saudi contract “focused on the development of the college’s educational efforts” and that the arrangement lasted until 2020. Alexander and IronNet didn’t “have any interaction” with Qahtani, Bell said. And even though Alexander was supposed to serve on the school’s board, he neither attended meetings “nor worked directly on the company’s contract,” Bell said.
The Post obtained thousands of pages of documents on military officials’ work for foreign governments after suing the Army, Air Force, Navy, Marine Corps and State Department under the Freedom of Information Act. The documents also show how the United Arab Emirates has hired Americans to help manage nearly every part of its military machine, including with cybersecurity advisers, my colleagues report.
FTC is looking into antitrust implications of Visa, Mastercard debit-card security tokens
The Federal Trade Commission is examining whether the tokens — which Visa and Mastercard use instead of debit-card numbers for many payments with digital wallets — stifle competition, the Wall Street Journal’s AnnaMaria Andriotis reports. The firms have disclosed an FTC probe in regulatory filings from recent years, but the FTC has expanded its focus to security tokens. It’s not clear if it’s a new investigation or part of the other one.
“Visa and Mastercard have pushed for widespread tokenization in recent years, noting that the tokens help protect the cards from fraud,” Andriotis writes. “The FTC is looking into whether Visa and Mastercard have been limiting the information they send when they enable an online payment to go over a different network, the people [familiar with the matter] said. That alleged practice, according to merchants, increases the chances that the card’s issuing bank will reject the transaction when it is handled by a different network.” Visa and Mastercard declined to comment to Reuters, which also wrote about the report.
- CISA Director Jen Easterly, National Cyber Director Chris Inglis, NSA Cybersecurity Director Rob Joyce and top Ukrainian cybersecurity official Viktor Zhora speak at Mandiant’s mWISE conference starting today.
- Recorded Future holds an intelligence briefing on Russian threats today at 2:30 p.m.
- The Institute for Security and Technology hosts an event on the data transfer agreement on Wednesday at 11 a.m.
- Rep. Jim Langevin (D-R.I.) and Dmitri Alperovitch, the co-founder and chair of Silverado Policy Accelerator, speak at a Washington Post Live event on Wednesday at 11 a.m.
Thanks for reading. See you tomorrow.