November 18, 2015 by Canadian Underwriter
Cyberattacks on automobiles will increase sharply in 2016 due to the rapid increase in connected automobile hardware built without foundational security principles, suggests the McAfee Labs 2016 Threats Predictions report released earlier this week.
The report said that even cars need “defense in depth, with layers of protection to reduce the risk and impact of a cyberattack.” Poorly secured driverless cars and smart highways will further expose drivers and passengers in 2017 and beyond, “likely resulting in lost lives,” the report contended. [click image below to enlarge]
The report cited estimates of 220 million connected cars on the road by 2020, with 12% of cars estimated to be connected to the Internet by 2016. Furthermore, connected vehicles will have over a dozen potential attacks surfaces, including multiple electronic control units and wireless devices, some with the ability to control critical functions from long distances. Consumers want to surf the Internet via monitor in the car; automatic identification of traffic signals, congestion and accidents; a system that allows the passenger to stop the car; front/rear end collision alarm warning; night vision capability; a fatigue warning device; and access to social media while in the car, the report added.
“All these features require software and hardware in the car to connect with external systems in a secure way to avoid unwanted or unauthorized actions in the automobile that could put passengers at risk,” McAfee Labs said. “Even on systems designed to be secure, there is always the possibility that a bug or a vulnerability will be discovered, so there should be a way to easily and remotely update the software to fix the issue.”
However, the report said that remote updates aren’t possible with selected Cherokees, as well as Dodge and Chrysler vehicles because the parent company issued a safety recall affecting 1.4 million vehicles in the United States shortly after some security researchers disclosed the details of their recent research to the public. In July, the researchers demonstrated that it was possible to hack different types of connected cars, including a Jeff Cherokee, by sending commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission, all from a remote laptop. [click image below to enlarge]
McAfee Labs also predicts that in 2016, more automotive system vulnerabilities will be found by security researchers. “It is also quite possible that zero-day vulnerabilities will be found and exploited in the wild by cybercriminals who may threaten people’s lives, impact road safety, and create transportation deadlocks,” the report said. “We predict that 2016 will be the beginning of attack campaigns that may be discovered only months after the original infections.”
Another area of concern will be wearables, with McAfee Labs predicting that these devices will be a prime target for cybercriminals in the future because they collect personal data and are “relatively insecure back doors into smartphones.”
Although much of the current focus is on the Apple Watch, the increase in wearables will continue to grow, with established companies and newcomers contributing to an estimated 780 wearable devices by 2019, according to ABI Research. This works out to a wearable device on one of every 10 people on Earth and closer to one in every four or five people in wealthier countries, the report suggested.
“From a hacker’s perspective, such densely populated areas will be a target-rich environment for attacking wearables,” McAfee Labs said. “Although breaking into a wearable device does not necessarily provide immediate value for a hacker (although farming for GPS data could improve spear phishing), the real value lies in the wearable’s connection to a smartphone.”
Many of these devices use Bluetooth low energy technology, which has suffered “a number of very well documented security flaws and likely will produce more with each new version.” Attack surfaces include the operating system kernel, networking software/WiFi, user interace, memory, local files and storage system, access control/security software, cloud virtual machine and control apps, web app, memory, local files and storage system, and access control/security software.
“Initially, we doubt that a smartphone will be completely compromised by an attack through a wearable device, but we expect to see the control apps for wearables compromised in the next 12 to 18 months in a way that will provide valuable data for spear-phishing attacks,” the report said, referring to emails that appear to be from an individual or business known to the victim.