With an increasing number of connected cars coming onto the market over the past several years, it was only a matter of time until we saw a complete remote hijacking of a moving vehicle. This week, as reported by Wired, security researchers demonstrated the ability to wirelessly take control of a moving Jeep Cherokee from a remote location ten miles away.
The hack is accomplished by first connecting to the Internet via a wireless telecom provider. The hacker can then connect to any other device on that wireless network by way of a very relaxed security architecture. Once connected to a car, the hacker can exploit a vulnerability in the car’s software to take control of the vehicle’s dashboard functions, steering, brakes and transmission.
It’s estimated by the researchers that there are roughly 471,000 cars on the road that may be vulnerable to this kind of exploit.
The manufacturer of the vehicle featured in the Wired report just released a patch for this zero-day vulnerability, but it requires a clunky manual installation on each car. The unlucky owners of affected vehicles must manually install the patch via a USB stick or visit their neighborhood dealership. Many will not know they need to do this until their next visit to the automotive dealer, leaving them vulnerable in the meantime.
This type of discovery is, unfortunately, a frequent scenario that plays out in IT departments across the globe:
A new zero-day vulnerability is reported and hackers begin exploiting that vulnerability, resulting in many unfortunate victims. Security vendors issue signatures or updates to block or detect the threat and the vendor releases a patch. The patch is eventually deployed to close up the vulnerability, though inevitably there will be some systems that do not receive the patch for various reasons.
But what happens in an IoT scenario when that “thing” is your car?
A new zero-day vulnerability is reported and hackers begin exploiting that vulnerability, resulting in many unfortunate victims. Victims’ cars may begin to randomly accelerate or they might lose the ability to brake. Security vendors issue signatures or updates to block or detect the threat - but wait! There aren’t any security tools to update on a car. So the vendor releases a patch, and that patch is eventually deployed to close up the vulnerability, but inevitably there will be some cars that do not receive the patch for various reasons. In this scenario, each car will need to be manually updated. It’s not unlikely that many vehicles will remain vulnerable for years.
It’s now clear that an expanded perspective on security requirements needs to be considered well in advance of new Internet-enabled products hitting the market. In fact, our personal information, health records, corporate data, national security, public utilities, and now the lives of anyone riding in a connected vehicle all depend on us getting this right.
There are four key areas where the cybersecurity industry, network providers, and vendors of IoT products must fundamentally adjust their collective mindsets:
Detection vs. prevention: Many in the IT industry have been convinced that, because it’s so difficult to prevent advanced attacks, we should all give up and focus on detecting and responding to breaches. This does not translate well into the world of connected vehicles, and frankly, was never a good argument in the IT environment either.
Sure, it’s much easier to detect that something has already been hacked than it is to prevent it. By definition, you will have a much higher success rate if you focus on detection. So if you first set out to maximize your success rate and only then define the criteria for that success, you will inevitably choose detection as your objective.
On the other hand, if you begin with the noble goal of breach prevention, you face a bigger challenge, but you’re working towards something that will ultimately provide far more value, and in this case, could even save lives. That is our goal here at Palo Alto Networks. We provide a security platform that can prevent zero-day exploits without the need for updates or patches.
Patching vs. exploit prevention: Patching vulnerable systems and applications is a good practice, but it’s generally too little, too late. A patch will never protect you from a zero-day exploit, because by the time the patch is available, it’s no longer a zero-day. Exploit prevention technology, like that used in Palo Alto Networks Traps endpoint protection product, is key to preventing compromise via exploitation.
Open networks vs. zero-trust/micro-segmentation: The first step in hacking automobiles is to connect to the Internet via a publicly available wireless telecom provider’s mobile Internet gateway. The hacker can then scan for and connect to other devices on the network. Why is this possible? Shouldn’t there be restrictions in place to prevent the general public from connecting to a vehicle on that network?
I posed this question in 2004 when, as a then-security consultant, I was tasked with running a security risk assessment at a large telecom provider. It was just as clear to me then as it is now: allowing these connections to exist is risky business. During this assessment, I realized that an attacker or automated exploit could travel between customer IP addresses on the same gateway interface. Many customers expect a private mobile network with no inbound traffic allowed, and they may not be prepared for the possibility of worm infection or other attacks from outside networks.
The telecom provider in this case didn’t feel it was their responsibility to address this issue because their business is simply to provide an Internet connection.
At Palo Alto Networks we advocate for micro-segmentation and deep protocol inspection to ensure that only legitimate traffic is allowed and only to the correct places. We enable this with our next-generation firewalls.
Secure product architecture: Organizations must take a security-centric approach to the design of their Internet-enabled products. Rather than design based on how the product should work, begin with the assumption that anything connected to the Internet will be at risk, and then design the product accordingly.
For instance, does your car need to be connected to the Internet at all times? Or should you have the ability to disconnect it when you prefer? Does the Internet-connected component of your car need to be able to communicate with the brakes, transmission, and other critical systems? Or can it be isolated to communicate only with the navigation, entertainment, and other conveniences that require Internet connectivity?
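The two boundaries discussed above, the carrier's shared mobile gateway and the in-vehicle gateway between the Internet-facing component and the critical systems, can both be expressed as the same default-deny segmentation policy. The following Python is an added example written for this article; it is not Palo Alto Networks product code, and every address range, zone name, service name and vehicle domain in it is constructed for illustration. It shows that when no rule permits a flow, subscriber-to-subscriber traffic on the same gateway interface and telematics-to-powertrain traffic inside the car are both dropped, and it models the owner's ability to disconnect the uplink entirely.

```python
"""Default-deny segmentation policy applied to two boundaries (added example).

All IP ranges, zone names, ECU domains and service names below are constructed
for this illustration and are not taken from any carrier or vehicle maker.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset  # service names the rule matches; "any" matches all
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def evaluate(rules, flow):
    """Return (action, rule_name). First match wins; no match is an implicit deny."""
    for rule in rules:
        zones_match = rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
        service_match = "any" in rule.services or flow.service in rule.services
        if zones_match and service_match:
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


# --- Boundary 1: the carrier's mobile Internet gateway -----------------------
# Constructed address plan: every subscriber (vehicles included) lands in one
# pool behind the same gateway interface; carrier DNS lives in a service range.
SUBSCRIBER_POOL = ip_network("10.64.0.0/10")
CARRIER_SERVICES = ip_network("10.0.0.0/24")


def carrier_zone(addr: str) -> str:
    """Map an address to a zone; anything outside the carrier ranges is 'internet'."""
    ip = ip_address(addr)
    if ip in SUBSCRIBER_POOL:
        return "subscriber"
    if ip in CARRIER_SERVICES:
        return "carrier-services"
    return "internet"


CARRIER_RULES = [
    Rule("subscriber-dns", "subscriber", "carrier-services", frozenset({"dns"}), "allow"),
    Rule("subscriber-out", "subscriber", "internet", frozenset({"any"}), "allow"),
    # Deliberately absent: any subscriber -> subscriber rule and any
    # internet -> subscriber rule. Lateral and inbound flows hit the default deny.
]


def carrier_decision(src_ip: str, dst_ip: str, service: str):
    flow = Flow(carrier_zone(src_ip), carrier_zone(dst_ip), service)
    return evaluate(CARRIER_RULES, flow)


# --- Boundary 2: the in-vehicle gateway ---------------------------------------
# Constructed domains: the Internet-facing telematics unit may reach only the
# convenience systems; the powertrain domain (brakes, steering, transmission)
# never appears as a destination, so it is unreachable by construction.
VEHICLE_RULES = [
    Rule("telematics-to-nav", "telematics", "navigation", frozenset({"map-update"}), "allow"),
    Rule("telematics-to-media", "telematics", "entertainment", frozenset({"media-stream"}), "allow"),
]


def vehicle_decision(src_domain: str, dst_domain: str, service: str, uplink_enabled: bool = True):
    """Owner-controlled uplink: when disabled, nothing from telematics is forwarded."""
    if not uplink_enabled and src_domain == "telematics":
        return "deny", "uplink-disabled-by-owner"
    return evaluate(VEHICLE_RULES, Flow(src_domain, dst_domain, service))


if __name__ == "__main__":
    checks = [
        carrier_decision("10.64.1.20", "10.0.0.53", "dns"),
        carrier_decision("10.64.1.20", "203.0.113.10", "https"),
        carrier_decision("10.64.1.20", "10.64.9.7", "ssh"),       # subscriber -> subscriber
        carrier_decision("198.51.100.5", "10.64.1.20", "https"),  # internet -> subscriber
        vehicle_decision("telematics", "navigation", "map-update"),
        vehicle_decision("telematics", "powertrain", "diagnostic"),
        vehicle_decision("telematics", "navigation", "map-update", uplink_enabled=False),
    ]
    for action, rule in checks:
        print(f"{action:5} via {rule}")
```

The point of the shared `evaluate` function is that both boundaries are governed by what is explicitly permitted rather than by what happens to be reachable: the carrier policy never names a subscriber as a destination, and the vehicle policy never names the powertrain domain, so neither path needs a specific "deny" rule to be closed.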
In the age of IoT, prevention is the only viable path forward. At Palo Alto Networks, we believe that our prevention-based approach to securing enterprise networks ought to be applied to every industry that deals in Internet-enabled products and devices. Our products enable enterprise customers to properly segment their network traffic, allowing only legitimate users and protocols and preventing the exploitation of vulnerabilities.