IoT Time Preview: Transportation Security

By Ken Briodagh June 08, 2017

IoT Evolution, the leading media brand for the Internet of Things (IoT), has published a book outlining more than 150 of the leading trends in the IoT industry, entitled “IoT Time: Evolving Trends in the Internet of Things.” The book, written by IoT Evolution Editorial Director, Ken Briodagh, seeks to explore the factors that have shaped the recent past of the developing industry and use those to predict the trends that will drive the next period of growth. Each of the trends is explicated and illustrated with a case study or product review that supports each position.

In this weekly series, we’ll be previewing chapters for you to read in the hopes that you’ll like them enough to read the whole thing. To do just that, for free, click here. Alternatively, there’s a paperback version available on Amazon for $14.99.

Chapter 19: Transportation Security
Trend: Connected cars are vulnerable
The IoT Is in Your Car, and That Means We Need a Change

Most of the world’s automakers are putting connective infotainment systems into at least some of their vehicles. These systems will put the IoT on wheels and in the hands of consumers on the go. Or will they? The key element seemingly forgotten in the rush to connect the cars is security. The point was strikingly made through the Jeep hacking performed by a pair of sophisticated crackers, who took control of the vehicle, disengaged the transmission while it was in motion on the interstate and cut the brakes, forcing the driver to put the SUV into a ditch. All was done wirelessly from a laptop miles away and using a simple exploit that only required the vehicle’s easily-obtained ISP for its cellular connection. There are dozens of similarly vulnerable vehicles from almost every major automaker.

Meanwhile, analysis from Frost & Sullivan indicates that the connected car industry is already chomping at the bit to implement 5G connectivity, which may or may not have similar vulnerabilities, but with higher rates of data exchange possible. The study, The Global Advent of 5G in Cars, said that 5G will act as an enabler for autonomous vehicles and will make the over-the-air updates viable, since level 3 or 4 automation requires a massive amount of data processing to occur in real time.

All that sounds excellent, but driverless cars with these vulnerabilities can, even more than a compromised car with a driver, become a weapon in the hands of a villain. The study goes on to say that Asian countries such as South Korea and Japan will be the market leaders in commercializing 5G, while several Asian carmakers are among the most vulnerable. Not a good match.

Most cellular infotainment systems in cars are many-to-few systems that communicate directly with a central information source. The cloud is also becoming a factor, with its own complications. Electric Cloud, an enterprise continuous delivery and DevOps automation provider, and Arynga, an intelligent vehicle software management solutions provider, recently created a product integration partnership that will help automotive manufacturers, OEMs and system integrators adopt DevOps automation and Continuous Delivery practices to bring IoT software systems to the connected car market quicker than ever.

“Today's software applications are being developed and deployed through Agile-based methods, and applications are being further accelerated via DevOps and Continuous Delivery practices,” said Walter Buga, CEO, Arynga. “Partnering with Electric Cloud will help our automotive customers adopt these practices and speed the deployment of updates and new features that are differentiating products in the marketplace.”

This new over-the-air updating solution is potentially a new point of entry for bad actors, but it is more important as an all-too-infrequent fix for security issues. If software hacks can be found and exploited over-the-air, then systems like this need to become standard for repairing those vulnerabilities.

“The automotive industry is leading much of the innovation around the IoT movement, and partnering with Arynga provides customers a comprehensive approach for building and deploying software to vehicles in the most efficient manner possible,” said Steve Brodie, CEO, Electric Cloud.

But, not everyone in the industry was as concerned with the results of the Jeep hack. Ron Montoya, senior consumer advice editor at, told IoT Evolution that consumers really don’t need to be alarmed.

“Car owners might read about this hack and become understandably concerned, but they need to know that this is not an issue that should keep them up at night. This was an isolated hack that could only be performed on one specific vehicle and it was not something that could be replicated on a mass scale. Jeep Cherokee owners who are concerned that this can happen to their cars can go to a dealership to install a patch to address the vulnerability, or they can even do it themselves.”

Although he is technically correct that this was an isolated test, it was also a proof of concept, and the pair of hackers who did the job said they have a whole list of vehicles that are susceptible to similar attacks. They chose the Jeep, they said, because it was the most vulnerable. The real problem was that, as Montoya said and a statement from Chrysler affirmed, the fix had to be done at a dealer, and wasn’t able to be patched to all owners remotely. Perhaps not a big deal now, but as cars become more automated and connected, wireless patches need to become standard practice.

“This is a legitimate issue for automakers and they have been proactively addressing these security concerns ever since the first connected car was introduced,” Montoya said. “Automakers are notoriously competitive, but this is one area where manufacturers are working together to address these sorts of vulnerabilities. It's in the entire industry's best interest to make sure they are on top of this issue so that safety continues to be a top priority.”

There are rumblings of concern in Washington D.C., too. Legislation was introduced by Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut, to direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards for securing cars and protecting privacy. The “Security and Privacy in Your Car (SPY Car) Act” would also set up a rating system, to be known as the “cyber dashboard,” that will rate automakers’ security approaches above and beyond the minimum standards.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress.”

It seems unlikely that all connected vehicles will ever be completely safe, but steps need to be taken to keep folks safe. One approach is to remove storage from the local car or truck and move it into a secure cloud, via the cellular system. Dave Miller, an international security thought leader, subject matter expert on connected vehicles and CSO, Covisint, thinks that’s the way to go.

“Because cars are left alone so often – you purposely leave your car places unattended at least 90 percent of the time — it’s impossible to secure the vehicle itself. The easiest way for an auto manufacturer to fulfill requirements of car data security is to never store any data in the car and never let the car be the decision maker about external commands,” he said. “Store vehicle data in the cloud where you can secure it and make decisions about external commands.”

Whether cars are completely hardened against attack (which makes them very expensive), or data is stored non-locally (another point of vulnerability), an answer needs to be found before the public will ever accept a driverless IoT-powered automotive fleet.

Trend: Hackers be hacking
Mitsubishi Hacked: Security Firm Shuts Off Alarm and Accesses Outlander PHEV

Looks like Mitsubishi should have been paying more attention to what happened to Jeep. Pen Test Partners (PTP), a UK-based penetration testing and security services provider, announced that it has completed a successful hack of the Mitsubishi Outlander PHEV hybrid that allowed them to shut off the vehicle's anti-theft alarm, in addition to several other services.

The initial breach was accomplished thanks to the way the vehicle’s mobile app connects to the car. On its website PTP said that most cars that have remote control apps for car location, operating headlights and remote locking use a web service hosted securely by the manufacturer or service provider. That service connects to the car using GSM. The Outlander PHEV, alternatively, connects via a Wi-Fi access point located within the vehicle. “In order to connect to the car functions, we have to disconnect from any other Wi-Fi networks and explicitly connect to the car AP. From there, we have control over various functions of the car,” the firm wrote. This means that if a hacker connects to the vehicle’s AP, he or she can take control of a variety of the car’s functions.

And that is exactly what PTP did.

What’s worse, the Wi-Fi passkey is written in the owners’ manual and uses a simple format that the firm cracked with a brute-force attack on a 4 x GPU cracking rig in less than 4 days. It would have been much faster using a cloud hosted service, or by buying more GPUs, PTP reported. Once the hackers got access to the Wi-Fi handshake by de-authorizing the owner's cell phone from all other connections, it could connect to the car automatically. That was enough for the hackers to capture the code. That gave them access to the SSID in addition to the PSK. Using a man-in-the-middle attack, in which the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other, PTP "sniffed" the Wi-Fi connection. That gave them the rest of the information they needed to turn the lights on and off, change the electric car's charging program, turn AC on and off to drain the battery and, most egregiously, disable the anti-theft alarm. And now, they could discreetly enter the car and get access to the on-board diagnostic port.

And that's the game, folks. The OBD port could be used to recode laser keys, and change any number of operational parameters. PTP didn't look into connections between the Wi-Fi module and the Controller Area Network (CAN), but plans to investigate this further.

To repair these issues, Mitsubishi had to send out an OTA firmware update to fix the vulnerabilities in the Wi-Fi module. Long-term, PTP recommends a GSM module for better security and said that Mitsubishi has been working with them to fix the problem.

Trend: Aftermarket solutions
Symantec Launches Connected Car Security Solution

Symantec, the global cybersecurity giant, has taken aim at the IoT’s Connected Car market, and the hackers determined to find a breach and initiate a “Zero Day” scenario. The Symantec Anomaly Detection for Automotive (ADA) is a software solution designed to protect IoT-enabled cars against never-before-seen attacks by looking for unauthorized attempts to access and other “anomalies” and blocking them until they can be verified.

“Machine learning gives us the ability to do high-level detection [of security problems] with extremely low false positive rates,” said Brian Witten, Senior Director, Mobile & IoT, Symantec. “We’re already under evaluation with four of the world’s largest automakers.”

Symantec Anomaly Detection for Automotive uses machine learning to provide passive in-vehicle security analytics that monitor all Controller Area Network (CAN) bus traffic without disrupting vehicle operations. Over time, it will learn what normal behavior looks like and flag any anomalous activity that could indicate an attack. Symantec says that the solution is designed to work with virtually any automotive make and model.

“Driven by opportunity, manufacturers and their suppliers will partner with cybersecurity vendors on securing connected cars as they would with any other networked endpoints such as mobile devices and laptops,” said Christian Christiansen, VP, Security Products, IDC. “Keeping security top of mind will not only help ensure the safety of drivers and passengers but also build trust in the car manufactures and the overall Internet of Things ecosystem.”

ADA is designed to learn the vehicle’s behavior in a deep, precise way in order to help automakers to see previously invisible attacks. The analytics engine will automatically prioritize incidents based on perceived criticality and risk and detect anomalies without requiring manufacturers to set rules or create policies.

Connected car hacks are becoming a real problem, as new vulnerabilities like the one found in the Mitsubishi Outlander are identified daily, it seems. “A lot of people look at these attacks as if they are specific to the brand, but a lot of them have these vulnerabilities,” Witten said. Fixing these specific problems as they are found is like “putting a Band-Aid on a knife wound and then going into a swordfight. They just need better armor.”
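
The baseline-then-flag approach described above for passive CAN monitoring, as an added sketch: it is not Symantec's code or algorithm, and it uses simple per-ID timing statistics rather than machine learning. The arbitration IDs, periods and sample traffic are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

class CanBaseline:
    """Learns per-ID frame timing from known-good traffic, then flags deviations."""
    def __init__(self, tolerance=4.0, min_sigma=0.0005):
        self.tolerance = tolerance  # allowed deviation, in standard deviations
        self.min_sigma = min_sigma  # floor in seconds, so steady IDs tolerate jitter
        self.profile = {}           # arbitration ID -> (mean gap, sigma) or None

    def learn(self, frames):
        """frames: (timestamp_seconds, arbitration_id) pairs from a clean capture."""
        last_seen, gaps = {}, defaultdict(list)
        for ts, can_id in frames:
            if can_id in last_seen:
                gaps[can_id].append(ts - last_seen[can_id])
            last_seen[can_id] = ts
        for can_id in last_seen:
            g = gaps.get(can_id)  # an ID seen only once is known but has no timing
            self.profile[can_id] = (mean(g), max(pstdev(g), self.min_sigma)) if g else None

    def detect(self, frames):
        """Passive check: returns (timestamp, id, reason) alerts, never alters traffic."""
        alerts, last_seen = [], {}
        for ts, can_id in frames:
            if can_id not in self.profile:
                alerts.append((ts, can_id, "unknown-id"))
            elif can_id in last_seen and self.profile[can_id]:
                mu, sigma = self.profile[can_id]
                gap = ts - last_seen[can_id]
                if gap < mu - self.tolerance * sigma:
                    alerts.append((ts, can_id, "too-frequent"))
                elif gap > mu + self.tolerance * sigma:
                    alerts.append((ts, can_id, "missing-frames"))
            last_seen[can_id] = ts
        return alerts

def periodic(can_id, period, count):
    """Constructed sample traffic: one periodic ID with small deterministic jitter."""
    return [(i * period + (i % 3) * 0.0002, can_id) for i in range(count)]

def demo_alerts():
    base = CanBaseline()
    base.learn(sorted(periodic(0x0C9, 0.010, 200) + periodic(0x1F0, 0.100, 20)))
    # Constructed live capture: normal traffic, one never-seen ID, and three
    # extra 0x0C9 frames interleaved with the legitimate 10 ms stream.
    live = periodic(0x0C9, 0.010, 100) + periodic(0x1F0, 0.100, 10)
    live += [(0.3333, 0x7DF), (0.505, 0x0C9), (0.515, 0x0C9), (0.525, 0x0C9)]
    return base.detect(sorted(live))

if __name__ == "__main__":
    for ts, can_id, reason in demo_alerts():
        print(f"{ts:.4f}s id=0x{can_id:03X} {reason}")
```

Each extra frame produces two alerts, because it shortens the gap both before and after itself; a production monitor would group such bursts into one incident before ranking it.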

Trend: Bringing security in-house
Volkswagen Starts Own Cybersecurity Firm with Israeli Experts

Smart Transportation, and especially Automated Vehicles, are getting closer to viability in the real world. And so, too, must security for these vehicles. Volkswagen has jumped on that need and brought the capability in house with its own cybersecurity firm, CYMOTIVE Technologies, which is based in Herzliya, Israel, and in Wolfsburg, Germany. The firm is led by Yuval Diskin, Tsafrir Kats and Dr Tamir Bechor, all former Israeli intelligence officers and officials, and will develop advanced cyber security solutions for next generation connected cars and mobile services.

“It is a long-term investment in cyber security to make vehicles and their ecosystem more secure,” said Dr Volkmar Tanneberger, Head of Electrical and Electronic Development, Volkswagen.

Connected vehicles have extraordinary power to transform daily life for consumers and for supply chain companies, but also represent huge potential risk of exploit by bad actors. Through this venture, Volkswagen has set out to develop its cyber security bona fides and get ahead of the risks.

“The car and the Internet are becoming increasingly integrated. To enable us to tackle the enormous challenges of the next decade, we need to expand our know-how in cyber security in order to systematically advance vehicle cyber security for our customers,” said Tanneberger. “CYMOTIVE Technologies provides an excellent platform for doing this. It is a long-term investment in cyber security to make vehicles and their ecosystem more secure.”

Diskin, former head of the Israeli Security Services, and chairman, CYMOTIVE, said he’s looking forward to the new challenge. “The new cooperation will take an innovative and strategic approach to cyber security. Together with Volkswagen we are building a top-notch team of cyber security experts. We are aware of the significant technological challenges that will face us in the next years in dealing with the cyber security threats facing the connected car and the development of the autonomous car.”

The industry is likely to follow suit, either by contracting out to security firms, or establishing in-house skunkworks like this one.

“This is a fantastic decision by VW. When done correctly, security manifests trust in a system and for a system. This trust was implicit in the automotive world for many years, but it is now crumbling, and the public is very aware of that fact,” said Rod Schultz, VP of Product, IoT security firm, Rubicon Labs. “Poor embedded security decisions, coupled with false performance claims, have compromised the trust of an entire industry, and a concerted effort by VW to build back that trust through security innovation will pay off in the long run.”
