Top OTA Expert Shows How State Actors Hack into Your Car and What Happens Next: ‘People Will Die’

“Updates are an attack vector nation-state actors particularly like, because they are very hard to defend against.”

Bertel Schmitt

No day without headlines about hackers breaking into your car. Yikes, breaking into cars is for wimps who can buy a key code grabber from Alibaba. Real hackers don’t hack into your car. For hacking at scale, real hackers hack the server your car gets the OTA (over-the-air) update from, and once they are in that server, “they can get any update they want into any of your connected cars,” Professor Justin Cappos told a group of suitably horrified industry experts assembled at a recent IT conference in Tokyo.

Their level of horrification rose another notch when Cappos, one of the world’s most brilliant cyber security experts, showed a slide with some of the biggest brand-names in the computer industry. Being a professor at NYU, he asked his class what those names may have in common. Nobody had the correct answer. The dimmed lights charitably hid the paled faces when Cappos revealed that from Apple to Google to Microsoft and in-between, “their software update infrastructure has been hacked, some multiple times.” The talk Cappos gave was titled “Securing software-over-the-air-updates from nation state actors,” because breaking into update servers is a favorite of government-employed blackhats from China’s Ministry of State Security all the way to America’s NSA, and all of them want to get into your car.

“Updates are an attack vector nation-state actors particularly like, because they are very hard to defend against,” said Cappos, noting that the Stuxnet rootkit that brought down nuclear centrifuges in Iran was smuggled into a supposedly air-gapped Programmable Logic Controller via a compromised update system using pilfered software keys used to sign Windows drivers. Weren’t we given the often-told story of thumb drives “accidentally lost” in the men’s room of the Natanz nuclear facility? Compromised update servers receive few headlines, because they are an embarrassment for the industry and enablers of hacking at scale. Once hackers are in the update server, “that’s it,” Cappos told the software gurus sent to Tokyo by major OEMs. “They can install whatever they want into your ECUs. They can crack your cars. They can kill people.”

In his talk, Cappos tried very hard to disabuse his audience, most of them computer experts of the automotive industry, of the thought that the pervasive threat model facing the connected car is a script kiddie with a software-defined radio and a hoodie. State-owned hackers want into those cars for the same reasons they want into electric grids and election systems: anything from general mayhem to targeted assassinations. With a compromised car, they don’t have to bug a target’s phone; they can listen in on discussions in the back of a limo. With a hacked self-driving car, they no longer need two guys with a motorcycle and an Uzi to effect a targeted termination: the car will do the contracted killing, and as a bonus, the carmaker will end up in court, or at a congressional grilling. Pwned cars promise nearly unlimited ransomware value. Imagine how quickly a car company will pay up if their cars no longer start in the morning. Or, after the first deadline for only 1,000 bitcoins (close to a billion in today’s dollars) has passed, imagine the ransom rising after the cars start, but no longer stop. American state actors are said to have hacked into the Russian power grid as a defensive (yeah, sure) measure. Imagine the military value of immobilized cars during a mass mobilization of the military. The possibilities indeed are endless.

If you think that these threats are way over-inflated, Cappos suggests considering the lawsuit brought against Fiat Chrysler after its Uconnect fiatsco, “which is in the hundreds of millions of dollars, despite the fact that no-one was hurt. You can imagine what would have happened if there was some loss of life.” After making the requisite “I am no lawyer” noises, Cappos deemed the case to be “extremely solid,” citing his experience as an expert witness in similar cases.

“The reason why I am here is that we don’t want people to die,” Cappos told his audience assembled at the Open Source Summit 2019, organized by the Linux Foundation. He also was in Tokyo to make perish the thought that hackers can successfully be kept out of the car by high firewalls and iron-clad encryption. “You would have thought that companies like Microsoft, Google, Apple have the best security, and their update systems were hacked. How hard would it be to compromise systems of car companies, where cyber-security is not their primary goal?”

Instead of indulging in the false security of keeping hackers ante portas, Cappos told the industry experts to act as if the hackers already have breached the parapet: “An attacker being in your vehicle actually is a fairly likely outcome for a modern car,” Cappos said, causing gulps among the listeners. Just like the accident-free car is a nice, but still fanciful idea that requires seat-belts, crumple zones, and ambulances, OEMs should apply the same thinking to cyber disasters: Try to prevent them, try to detect them, try to insure against them (however, “in the automotive industry, you are very unlikely to be able to transfer that risk to cost-averse insurance companies”) and finally, “try to make the damage as small as possible.”

As a co-author of the industry-standard TUF security system that is at the heart of many update systems of companies like Cloudflare, Docker, DigitalOcean, IBM, Microsoft, and VMware, Cappos is intimately familiar with the strengths and weaknesses of update systems we tend to put our blind trust in. To “handle all the oddities that make automotive a difficult platform to work on,” Cappos and his associates built Uptane, “an open and secure software update system design which protects software delivered over-the-air to the computerized units of automobiles.” Extending into the supply chain, a source of the bulk of the software working in our cars, there is a similar system called in-toto.

Compared with the possibly sky-high cost of life and lucre, protection is ridiculously cheap. The free, open-source Uptane system is available for download on GitHub. Uptane also is built into Automotive Grade Linux, a likewise open-source Linux flavor that is quickly becoming the industry-standard automotive OS, adopted by top OEMs representing half the world’s global output of cars.

Uptane is for cyber what crash-tests, airbags, and auto-brakes are for accidents. They help prevent and mitigate damage, but we still are far removed from zero fatality. “Attacks will continue to happen,” Cappos told the world’s automotive IT experts. “There will be lawsuits. Simply following regulations doesn’t help. Your company is going to have issues, and people will die.”