Podcast: How Will Your Car Get Hacked?

In this episode, we discuss the cyber attacks threatening the automotive industry and what leading companies & researchers are doing to be prepared. 

This podcast is sponsored by SAE International. 

Episode Notes

This episode is part of a series developed in collaboration with SAE International to explore the leading edge of mobility with the support of experts from industry and academia. Learn more about the importance of cyber security in the automotive industry and sign up for the SAE certification by following this link.

Become a founding reader of our newsletter: http://read.thenextbyte.com/

Transcript

What's up, everyone? I'm going to explain to you something that sounds like a nightmare, but it's actually a real-life risk. So, imagine you're driving down the highway, suddenly your car breaks, steers, or comes to a screeching halt without your input. This is the danger of car hacking in the real world. In today's episode, we explain a couple different examples of automotive hacking and then explain the importance of automotive cybersecurity and what you can do to learn more.

What's up friends, this is the NextByte podcast where one gentleman and one scholar explore the secret sauce behind cool tech and make it easy to understand.

Daniel: What's up friends, as we alluded to earlier, today's episode is all about cybersecurity in the realm of automotive. And I kind of like this trend I'm seeing in cybersecurity in general, which is like, we need to treat hardware as the next critical frontier in cybersecurity, which is kind of counterintuitive because you say cyber, that kind of connotes that it's like in the digital realm, but hardware is a critical realm in making sure that your cyber frontier is completely secured which is interesting, especially in the realm of automotives. And we've got some pretty cool examples to talk about today and some more information on automotive cybersecurity as well.

Farbod: For sure. I think one thing that's been surprising to a lot of folks is just how the internet has evolved. In the earliest stages, you had internet as a place, a thing of information, right? Like websites that were static, they could read stuff about. And over time, we've now reached the stage of internet of things, where we have hardware that's connected over the internet to each other. And that's brought about a whole lot of goodies, a lot of fascinating things that are happening in that space, but it's brought about an equal amount of concern. And connected cars, I think, is at the top of that list.

Daniel: Yeah, and so let's kind of get into, in general, right, like the premise here. Kind of a nightmare, kind of not, but imagine you're driving down the highway. Suddenly your car breaks or steers without your input. It's not a malfunction, it's not sci-fi, there's actually this danger of car hacking in the real world. And we've seen a couple of examples. I think we were talking before this; I think for a boat and I accidentally prepped and pulled a lot of the same examples, but either way, right. We've got some interesting stories to share to kind of highlight the importance of automotive cybersecurity and then kind of some of the themes that, that we're seeing here, one of the first ones that I want to mention is in 2015, I think there was a Wired article that went pretty article saying, hackers remotely kill a Jeep on the highway with me in it. I was driving 70 miles per hour on the edge of downtown St. Louis when the exploit began to take hold. Which is just incredible headline and subtitle writing by the way. But these two hackers, Charlie Miller and Chris Valasek, I think they're YouTubers as well, I'm not sure.

Farbod: Yep.

Daniel: But they're part of a vehicle security research form called IOactive. And they're kind of trying to expose security vulnerabilities in automobiles, showing how easily cars could be hacked into remotely. Even in 2015, right, when I don't think that vehicles were as software defined as they are today, they are essentially able to use what's a zero-day exploit, right? And hack into the car which they'd learned how to do over the last year before doing this demonstration. And essentially, they found a way, an exploit in the Jeep Cherokee software that let hackers send commands through the Jeep's entertainment system, like through its speakers back into its dashboard functions and then control steering, brakes and transmission all from a laptop that wasn't even in the vehicle, right? It might be remotely connected from across the country, which is kind of crazy, kind of scary. Like I said, sounds kind of nightmarish, but it's just demonstrating. I think this was one of the first really public examples because they did it as a demonstration with Wired Magazine. But one of the first really public examples I was aware of, they were able to like hack this Jeep from 10 miles away, control it while this guy was driving in the highway, which is insane.

Farbod: You briefly touched on it, but what blew me away is this wasn't like a, I don't know, a vulnerability in the engine software, like something within the ECU. No, it's not that, it's the infotainment system. Like something that you would not expect to be as critical as it actually ended up being. And then on top of that, it's not something that's constrained to a single model, right? As a manufacturer across multiple brands, GM was deploying this to a lot of cars. And what this led to was a recall. I think they recalled one and a half million vehicles at the time. But actually, it took five years to fully address this problem.

Daniel: Well, and it's funny because like the origin of zero-day exploit means that the person who deployed the software or this hardware has zero days to fix the vulnerability because it's already present in every single one of their products. Crazy to say you have zero days to fix it and it takes you five years to patch it. Like that just shows and there's numerous other examples, right? But there are a number of different vulnerabilities that are typically unknown to the person who's selling a car, designing a car, designing software for a car. And there's not often a patch or fix immediately available, which highlights the importance of prioritizing cybersecurity ahead of time during the development process, and testing for security so that you don't end up with something like this on the road, where for five years, if hackers, bad actors are trying to play their cards just right. They have the ability to control the car remotely, which is scary.

Farbod: I couldn't agree with you more. And this kind of reminds me of a conversation you and I had with a security researcher at MIT last year. I don't think, did we end up posting that?

Daniel: No, but friend of the pod, Joseph Ravichandran.

Farbod: He's incredible, man. And I remember he had, at the time, I don't think it was public, he was talking about a zero-day exploit on the iPhone. And he was kind of like walking us to the complexity of why it's not such an easy problem to address. Like what it boils down to is that if you have a fully software product then you can have a software fix. But with these hardware products that talk to the internet, you have a mixture of the software, but there's also firmware that talks to the hardware. So, there's a certain limitation baked into the product that might not be addressable over the air, right? And that makes it much more of a critical item to get it right the first time around. Because if you mess up and it's out in the wild, it's not easy to get all the hardware back and address it.

Daniel: Well, and another note on Joseph, right? He's the person that's planted this seed in my brain of like hardware is the next critical cyber frontier for cybersecurity. So, thank you, Joseph, for letting me borrow your wise words there. But he not only did it on the iPhone, I think he's found exploits on the Mac. He's found exploits in tons of Microsoft products. And recently he actually went viral. He found, I think he used something in the kernel to hack Apple Vision Pro on its release day, which is crazy. Dude didn't even have his hand on the product for that long, was able to exploit the Apple Vision Pro the day it was released.

Farbod: Tangent, why haven't we interviewed him yet? This is crazy. I'm just thinking out loud here. All right, we gotta make that happen soon.

Daniel: Yeah, I know. Joseph, you're coming on the pod soon.

Farbod: For sure, for sure. Yeah, so this is, I think, one really key example of how things could go wrong, right? Like the infotainment system getting messed up. But it's nice to hear that with a lot of these smart cars are getting deployed in the wild, it's become standard that you have these OTAs, or over the air updates, that they can push out, and as long as your car's connected to the internet, you can pull it, boom, you're good to go. However, as we've seen, OTAs are also susceptible to getting hacked. So, like, it's a solution and potentially a root cause for security concern as well. And I think the example that both you and I have on the sheet is that 2016 Tesla Model S hack where security experts, part of a bug bounty program were able to show a vulnerability by putting malicious software on a Tesla and actually being able to control the brakes and shutting down the car, all of which are pretty frightening to think about again, if you're operating this thing on a highway. Again, fortunately, because this was part of a bug bounty program, Tesla was very quick to address the problem with an OTA to prevent that from happening. But it just goes to show that even the avenues that you have to apply a potential fix, those can become compromised as well.

Daniel: Yeah. I mean, there are tons of examples of, let's say, really bad actors, total black hackers trying to use this as an opportunity like steal cars. Another example of your hardware has to be secure to be able to be a secure hardware software product, especially as cars are becoming software defined products. There was a number of different Kia and Hyundai models that didn't have a physical engine immobilizer, which is a physical device in the motor vehicle that prevents the engine from being started unless the key is there. So that engine immobilizers were originally created to prevent people from cracking open your dashboard and hot wiring the car to spark it to start. But there was a bunch of hackers, I think post 2010 Kia vehicles and post 2014 Hyundai vehicles until 2022, didn't have these immobilizers, didn't have the hardware present. And they were able to, with a USB plug cable, plug in and access the vehicle and were able to start it and drive it away just with a USB plug, which is crazy. Reminds me why people say like, don't plug your phone into USB plugs in public because all it takes is someone having physical access to a port on your device and knowledge of one of these exploits to be able to hack your device, steal your information. In this case, for me, it hits home, like as one, as an automotive engineer, right? This is something that I care a lot about, like designing a product that people can feel secure that no one's gonna be able to just like plug in a USB plug and drive their car away. Also, as someone who recently had their car broken into, this also hits home for me, which is like, I want to be able to trust that nobody's going to be able to pop open my car door, plug in a USB cable and drive my car away. So has a lot of implications here on the, again, I keep saying, but the importance of physical hardware security, software security, because cars are now a combined software hardware product. They're not just one or the other. And that almost gives hackers twice as many frontiers to try and exploit your vehicle and either steal vehicles, control it while you're driving it. There's a lot of ways that bad actors can take control here.

Farbod: Yeah, I think if I'm not mistaken, it was this vulnerability that brought about the Kia Boys challenge, right? So, for the folks that don't know, Kia Boys was a challenge that was trending on TikTok and social media for a while, where kids were encouraged to break into Kia's and Hyundai's that suffered from this vulnerability, drive the cars, have a little joy ride, and then they would crash it. The consequence of this was it became significantly more expensive to insure Kia's and Hyundai's. I remember being on a Reddit thread once and this guy was like, my BMW 3 Series now costs more, I'm sorry, less to insure than my wife's Hyundai Lancia from like 2016, 2017. So, like, it might seem like a little small issue. We can patch in the next model or whatever, but the impact this has for car owners and I guess just society as a whole, if you take the crime into account, it's pretty crazy. And that's kind of where I wanna go into, well, how do we make sure that this isn't our existence for the future, especially as you're saying, cars become more and more self-defined. The bug bounty product programs have been pretty helpful, at least as far as I've gathered, right? You have GM and both Tesla around 2015 when we talked about those big hacks were coming out where they set up a program and they go to, you know, in the world of hackers, you got the black hat hacker who's the bad person. And then you have the white hat hacker who's actually like doing hacking for the net positive of society, the greater good. And they would pretty much give money to hackers to hack into their product and then tell them about the vulnerabilities so that they could get paid and the company could patch the product. Over the years, we've seen a couple of good catches from this program. The Tesla thing I was talking about, that was a part of it. There was another one that made the rounds. I remember when I was in high school, with the Tesla key fobs, where if you had like a very inexpensive, like a listener, it could pick up the codes that were being transmitted and then you could just get into someone's Tesla. So, those have been pretty fruitful. And I'm hoping, if not already, most manufacturers are gonna start hopping onto this trend and then promoting it out to the rest of the community.

Daniel: Yeah, and just another example here. I'm scrolling now at this point, just trying to find awesome examples. Awesome slash scary. I don't know how many vehicles this impacts. This is actually a new article from October 6th, 2024, thieves were breaking into Toyota headlights. Is there a bit of crack open? Yeah. Crack open the headlight, unscrew the light bulb and they could plug in and access the cars. I forget what CAN stands for. Give me a second.

Farbod: I forgot too, but the CAN Bus is what brings together like the ECU. So, like the interface between all the electronics and your engine. And it's, I guess what makes it scarier is how commonly used it is across the industry.

Daniel: Yeah, controller area network bus, right? It's this message-based protocol, basically a simple low voltage system by which each of the electronic control units, ECUs, are able to communicate with each other. It's like a well-known standard, it's reliable, it's something that makes it possible for different suppliers to be able to supply ECUs to a bunch of different automakers. But the concern here is like, oh, if I unscrew the light bulb and these folks did it on a Toyota, right? They cracked open the light bulb, unscrewed it, plugged it into the CAN bus, and they were able to unlock the car and drive it away. Could someone do this on any car with any headlight with a CAN bus? I have no idea, but.

Farbod: Well, that's where I can chime in. Well, this is where our research differed a little bit. I read an article about the same thing, but in Europe. Luxury cars are having a problem of getting stolen using this exact same method. So, BMW's…

Daniel: Through the headlights?

Farbod: Through the headlights. They're knocking out the headlight, getting access to the CAN bus, and just by plugging into it, they're able to override any authentication needed to start the engine, and they drive away with the car. So, this isn't like a problem of, oh, you drive a Toyota, so that's like a lower end daily commuter car. But me, in my $100,000 Model S, I don't have to worry about this. No. This is impacting everyone. And like you're saying, it's both scary and kind of cool that at least we now know about it, but how can all these manufacturers come together and make sure that these vulnerabilities are addressed before selling the products?

Daniel: Well, and you mentioned Bug Bounty Programs as like an awesome way of turning, flipping the incentives, right? Because you're like, oh, if I can steal a car, there's a lot of headache in me trying to sell it. It's nearly impossible to sell a stolen car. Lot of headache, hard to make your money. But if you get $500,000 from a certain automaker rewarding you for finding this exploit and showing it to them so that they can secure against it, that's easy money and you actually have done the right thing and it's completely legal. So, you mentioned white hat hackers and you mentioned black hat hackers. I think that bug bounty programs have actually incentivized a lot of gray hat hackers, let's say. Who've sat on both sides of the table maybe, depending on the situation, as an opportunity to share the exploits, help secure against them. And I'm gonna mention Joseph Ravichandran again, our friend from MIT. He actually teaches a class at MIT, which I want to go audit, because he talks about-…

Farbod: We should take it together.

Daniel: Yeah, we should. He talks about like how physically hacking into different devices, like normal everyday devices, you can access the software and then can control the device. So, I think that Joseph is an awesome example of like, I think he's made quite a bit of money off of the Apple Bug Bounty program because he's a smart dude that loves to hack into stuff. And now with those incentives, he's able to not only make some money off of it, but now he's in a position where he can teach new people, right, how to design hardware systems that are secure against that type of hacking in the future, which is, it's desperately needed in the world, as these examples we've showed today can tell you.

Farbod: Definitely. Now, what's been surprising for Daniel and I is that we made this podcast to make tech easy to digest for like the average person, right? We love communicating data and information like that, but we've actually seen by the analytics of our podcast that a lot of the folks who listen are professionals in the industry. And, sorry, I got a little guest here. My cat wants to see what's going on in the world of IoT security. And if you're interested in learning more about this topic specifically as it applies to the automotive world, well, today's sponsor, SAE, actually has an event coming up for our European fans. I believe it's running from May 5th to May 6th for their level one training. And May 19th to May 20th for their level 2 training. And the goal here is to give you a cybersecurity certification that goes over the fundamentals, what's happening in this field and how to best be prepared for these challenges that we've just been talking about for the past 20 minutes or so. So, if you're interested, we're going to put in the show notes. You should definitely check it out.

Daniel: Yeah, I'm with you. And just, just a note here, right? We've appreciated this series with SAE. They are helping connect us with the future of mobility topics, something like this, and then also with folks that are at the forefront of developing these new technologies as well. We've appreciated this partnership with SAE and this is a part of a multi-episode series with them where we're talking about the future of mobility and also ways about how you can get connected to learn more. Like Farbod said, linking in the show notes, this article which explains what's going on with this automotive cybersecurity certification program, what the different levels are, and how you can sign up for that event if you're interested.

Farbod: Yeah. Is that the pod?

Daniel: I think so.

Farbod: Awesome. Thanks, folks.

Did you like this episode? Great. Make sure you share it with a friend because friends don't let friends miss an episode of The Next Byte. Thanks for listening and we'll catch you in the next one.

As always, you can find these and other interesting & impactful engineering articles on Wevolver.com.

To learn more about this show, please visit our shows page. By following the page, you will get automatic updates by email when a new show is published. Be sure to give us a follow and review on Apple podcasts, Spotify, and most of your favorite podcast platforms!

--

The Next Byte: We're two engineers on a mission to simplify complex science & technology, making it easy to understand. In each episode of our show, we dive into world-changing tech (such as AI, robotics, 3D printing, IoT, & much more), all while keeping it entertaining & engaging along the way.