Ep. 8: Drive-By Hacking and the Autonomous Vehicle
Auto cybersecurity expert Jennifer Tisdale discusses the new rules of the (driverless) roadway.
The threat of automotive hacks will affect everyone on the road, no matter what you drive. And protecting a car’s “backend”—where all the IT assets are stored controlling speed, direction, geolocation, and more—will be priority 1. But how do we get people to update their car’s operating system in a timely manner when we know how slow they are to update their computers and phones?
HOST: Shawn Surber, senior director of technical account management, Tanium
GUEST: Jennifer Tisdale, CEO, Grimm
Check out these articles in Focal Point, Tanium’s new online cyber news magazine.
- How Business Leaders Can Steer Clear of Automotive Hacks
- Car Hacking, the Next Frontier of Cybersecurity
The following interview has been edited for clarity.
Jennifer Tisdale: There’s just so much happening in relation to automotive and new technology that it is near impossible to think of every scenario that could go wrong. But cloud seems to be the environment on the back end that will be harboring a lot of data, and I think it’s rich for hacker curiosity.
Shawn Surber: Hi, I’m Shawn Surber, and today on Let’s Converge, we’re talking autonomous vehicles and cybersecurity. The day of driverless cars is coming soon, and so are the inevitable hacks and security issues. The threat of automotive hacks will affect everyone on the road, no matter what you drive. Researchers are particularly interested in protecting the back end of these vehicles, and by that I don’t mean taillights. The back end refers to all the IT assets that a cybercriminal might want to tamper with—the route a vehicle chooses, how it tracks the speed of other cars, and who has the right of way.
Our guest today is Jennifer Tisdale, CEO of Grimm Cyber, a firm that helps auto suppliers identify and mitigate security vulnerabilities. She also served as a cybersecurity strategy advisor for Mazda North America and is a cyber mobility program manager for the Michigan Economic Development Corporation. Welcome to the show, Jennifer.
Tisdale: Well, thanks for having me, Shawn. I’m really excited to be speaking with you.
Surber: Wonderful. Let’s just jump into it. There’s one basic question we need to get out of the way: Have you ever traveled in a driverless vehicle?
Tisdale: I have. It was a demo. It was at a conference, and it was in a very controlled environment. So maybe not a good barometer for what it will be like when they’re in the wild and on the road. For a control freak such as myself, it takes some getting used to—to be in a vehicle that doesn’t have a driver, that is using sensor technology to navigate its way around a course. It is a little disconcerting.
Surber: Yes, that would be the same for me. I’m not even a huge fan of riding in the back of a cab.
Tisdale: Right. You do have to let go a little bit.
Surber: So, in the past when people broke into a car, they were looking to swipe the car or components, or contents of it, or just wanted to take it out for a joy ride. When it comes to these autonomous vehicles, who do you think will be the prime threat activators and what’s going to motivate them to be hacking into autonomous vehicles?
Tisdale: Well, I think the primary motivation for virtually breaking into or hacking one of these vehicles, it’s going to be the same: money is the motivator. Gone are the days of crowbars and hot wiring, and now it will be done through other opportunities to manipulate the code to get the vehicle to do what they want it to do, with money being the primary motivator. In relation to automotive theft, there is some conversation within the government for what it might look like if remote control of a vehicle could happen en masse, and from how far away. What happens if there is a larger, more widespread event for a fleet manager or for a particular make, model, and trim package of a vehicle—what would that look like and what could that be? You know, these are the questions that are largely unanswered in the moment. But I think they’re getting closer every day to figuring out what that might be, beyond what I’d call petty crime, and maybe even dancing in the space of what could be a homeland security issue or something greater than that.
Surber: Right. As a longtime cybersecurity professional, it’s good to hear people are gaming it out. Like, OK, what if, what if, what if? And then, following each of those down the chain, because there’s a lot of different groups involved in protecting these vehicles. There’s the vehicle manufacturers, the software and services providers, the owners of the vehicles, of course, and then the role that governments are going to play in ensuring that these devices are secure. So let’s talk a little bit about that. Let’s start with the car makers. How responsive do you think they’re going to be to the potential for cyberattacks and cyberattacks as they occur?
Tisdale: They’ll have no choice but to be responsive. This is a relatively new industry, right? It wasn’t until 2015 when we had the first media hit with the Jeep hack that happened.
Surber: For those of you who don’t know, that was when two security researchers demonstrated they could take remote control of the brakes and steering of a Jeep Cherokee. They were able to exploit a flaw in the car’s cellular connection. Chrysler had to issue a recall to patch it.
Tisdale: That was a game-changer in the industry because it forced the conversation. But the automakers from 2015 to 2022 have done a great deal of work in not just figuring out how to react but also how to be proactive. So, as somebody in cybersecurity, that gives me some level of confidence that they are tackling vehicle cybersecurity as best they can during the R&D phase.
Automotive has a five-year production cycle, so vehicles that won’t be on the road for five years are already being looked at in terms of security, which is very reassuring. Where I think it gets into a little bit of gray area is with legacy systems and trying to figure out how to maintain security over the lifecycle. And that, I think, will be largely driven by all the stakeholders that are involved.
Surber: I think a big key here is maintenance, right? You know, traditionally when there’s a problem with something, they issue a recall, you take the vehicle in to the shop, and they fix it. With the new era of over-the-air updates, we’re gonna see a whole ‘nother aspect of it—forced updates, updates that the consumers can accept or decline. What about that over-the-air avenue as a vector of attack? Are you concerned about that?
Tisdale: Yes, it certainly is an area of concern. I see this all the time, especially with my in-laws and my kids: If they’re not accepting the security update on their personal devices, what happens if they don’t accept it in their vehicle? It’s one thing if we’re talking about protecting our data and our personal information, but it’s something else if it’s an update that could impact our life and limb, right?
Surber: Absolutely. We all see it, even in traditional enterprise environments, just getting patches pushed out and people to reboot systems—oh, you know, we can’t reboot these devices because they’re mission critical at certain times. But it’s a whole ‘nother thing when you’re driving down the road. I mean, obviously you can’t have a system restart while you’re driving, but are owners of these vehicles going to be forced to wait, when they go to power up their car, you know, are they going to be expected to wait a couple of minutes for these updates?
Tisdale: Yeah. And I don’t think it’s wrong to consider [the car] a device. I think that’s pretty accurate. There might be a lag time, but what we’re typically seeing in the industry now, so many vehicles are using apps, you know, phone apps that let you know when your car is due for service or maintenance. And so you’ll get the warning for when the update needs to happen in your software. If it’s something that might impact what I would call critical function of the vehicle, the operation of the vehicle, it might even be something they need to go into the dealership to do. I think that standard practice is being worked out right now.
I believe we wanted to also chat about the government’s role in this. And I think we will see down the road some regulation that helps address cybersecurity from almost a cyber safety perspective. I often have to remind people that we might not have airbags or seat belts in our cars if a government body hadn’t regulated safety into the vehicle. And I think down the road we will see cybersecurity managed much the same way.
Surber: Do you think that government regulation is the best way to go? Or would you like to see a coalition of manufacturers come up with their own internal regulations that they might actually enforce on each other, even more strictly than the government could?
Tisdale: I don’t think anybody in the industry wants government to dictate how to build their business. The people who own the vehicles, in most states in this country, should have the right to repair the goods they buy. We have a lot of tinkerers. I’m in Detroit, where everybody likes to tinker with their vehicles, soup ‘em up, see how they work. And we’ll see that continue as we move more into that autonomous-vehicle system. So do we let people tinker on their own cars? You know, this is a question mark. Right now we do, but I foresee how that might not be a great idea when it comes to critical safety features of a vehicle that are software-driven. So, where might the government want to step in? I think anytime there’s a chance for somebody to be physically harmed or for things to go sideways quickly by messing with code intentionally or unintentionally that can cause harm to others, they’ll likely step in in that space.
Tisdale: I’d hate to see us having 50 states with 50 different laws. That’s not going to work for anybody, but that’s the conversation we’re hearing right now. Some states are looking at modifying or tweaking the right-to-repair laws specifically toward this conversation of who can get into the back end and what can be done to the code, what’s within a consumer’s rights and what’s not. Some states that I’ve been tracking are looking at making it a criminal act, if you are hacking a vehicle and you are not in the industry and not a researcher or not part of academia. And I think that’s a real slippery slope as well. So the states have to come together as well as with the federal government to figure out how they want to handle those things. But it is so new, Shawn — everybody’s trying to be proactive, but they’re not quite educated yet on what it is they’re dealing with, especially at the government level.
Surber: The right to repair is an interesting point. I mean, I know all sorts of ways that people are souping up and modifying vehicles by simply introducing a different programming to the chip set. I think we’re going to start seeing more of a walled-garden approach where you might be able to modify this area but it requires a significant level of additional security, perhaps even physical security devices that are only available to dealerships and authorized repair centers and things like that. Because you’re absolutely right: If you go in and you’re increasing the horsepower, but at the same time you disable the motion sensors, you could have a real problem there.
Tisdale: It’s definitely an area to watch; it’s been getting more attention over the last year or so. And I would foresee that’s only going to increase.
Surber: Right. And so we’ve talked a lot about the security of the vehicles themselves, but what about the back end, all of the servers, the systems, the code? What do you think business owners need to be especially concerned about in securing the back end of the system?
Tisdale: Yes, we have to keep at the very front of our mind that the whole reason this is happening is to get to zero deaths. OK? Zero vehicular fatality industry. Absolutely. Both the industry and government can agree on that one point, that that is the ultimate end game, right? The vehicle as they inch closer toward fully autonomous systems will be reliant on the communication to its operating environment that relies on what they call ITS systems, intelligent transportation systems, which are the sensors and the technology that’s embedded in the roadway. This is what’s going to get us to smart cities that go hand in glove with our smart cars. I like to call ‘em cloud cars because it’s just humorous to me, but we’ll have these cloud cars on the road that are communicating to other vehicles next to them, in front of them, behind them.
Tisdale: They’ll be communicating with those digital billboards where they give you the update, right? Like, you’re 15 miles from whatever exit and you have one accident, get over to the right or whatever, right? So all of this is going to be interfacing with the vehicle itself. So that makes the cloud ripe for the picking, as the cloud will be leveraging AI and machine learning. They’ll be collecting all that data to make super-quick decisions for the operation of the vehicle and pushing that information out into the ITS system. All of this will feed into safety features like driver-assist systems and cooperating with the road itself, with the ITS system itself to prevent accidents and increase road safety and, all in all, improve traffic flow. So that’s that cloud backend, and what happens if you can penetrate it, if you can manipulate the data, if you can make the vehicle think it should be turning left instead of right?
Tisdale: Those are the things that I think are really of interest. What I hate to see are too many companies rushing to market on this, right? Everybody wants to be first, but being first comes with a lot of risks. I think in this conversation the industry is watching Tesla very closely, you know, for what happens. We haven’t even teased out the next evolution from combustion engines into electric vehicles and that interconnectivity to the grid and how they’ll be charging the roadways and transferring energy. I mean, there’s just so much happening in relation to automotive and new technology that it is near impossible to think of every scenario that could go wrong. But cloud seems to be the environment on the back end that will be harboring a lot of data. And I think it’s rich for hacker curiosity, quite honestly.
Surber: The concepts of what’s available to consumers in an autonomous driving world are so inviting. I remember seeing a video many, many years ago talking about like car trains, right? Where you’re out on a freeway and you can actually link up a whole series of cars and it gives you the opportunity to move much, much faster than we are potentially allowed to drive ourselves, but in a much safer way. And I think that’s really great. It’s really cool, but that’s going to require massive amounts of processing on the back end. It’s gonna require millions if not billions of lines of code. And with every line of code comes the opportunity for a bug, an error, or a vulnerability.
Tisdale: It starts to feel like we’re just doing an exchange, a responsibility exchange for where things can go wrong.
Surber: Vehicle hacks actually go back as far as 2010, when, I believe, it was a Chevy Impala had its OnStar system hacked. You talked about the Jeep hack in 2015, and earlier we had 25 Teslas compromised through a third-party app. So let’s talk about the 2021 Global Automotive Security Report, which said 57% of the known automotive hacks in 2021 were performed by malicious actors. So we know this isn’t just a theoretical problem, right? We know that while we’ve got a ton of researchers out there and white hats that are trying to find the vulnerabilities in advance, we already know the bad guys are after it, and 40% of those breaches were breaches of servers—that back end we were talking about that’s communicating with these connected vehicles. So what do we do today about this?
Tisdale: We have to have more people looking at these systems, quite honestly. And more frequently, one of the largest issues isn’t exclusive to automotive, I know for sure they’re not prioritizing the budget necessary to do this type of work. And if they are, they have internal red teams doing it and, you know, you start to dance on the line for what’s good enough and how far is too far. So getting some consistency for what they need to be looking at, how frequently they need to look, and how deep they need to go. I’m an anti-compliance person in the sense that I don’t believe we just need to check a box; I think we have to do a little bit better than that as an industry, as a collective. And I think I’m probably in the minority on that. Maybe not in theory—in theory everyone would agree we wanna do more than check a box—but in practicality, the amount of time and money that takes is a little prohibitive.
Surber: Yeah, I agree. Compliance does not equal security. But I think we all recognize that compliance gets budget. That’s right. And so it becomes a continuing problem. And there are some fundamental steps that all stakeholders can take to protect things, especially the backend, but even on the front end like your basic cyber hygiene, your patch management, your supply chain management, things like software bills of materials, knowing what’s embedded in the software you’re using to make your software, right? These things are all about limiting first-, second-, and third-party risks. As an IT industry, we know how to do those things. Do you think they’re being effectively applied in this new world?
Tisdale: The basics for in-vehicle security are being fairly well managed today. I’m saying that cautiously. Can they do more? Yeah, absolutely. They can do more. Can they put more budget behind it? Heck, yes. Can they engage more with the research community? Absolutely. But I think that for the most part, they have improved by leaps and bounds over where they were just a couple of short years ago.
Surber: Well, Jen, thank you so much for your time today. Are there any closing thoughts you’d like to leave us with as we drive boldly into this future?
Tisdale: Yep. I love technology. I love the advantages that future transportation will bring to our communities, to the underrepresented pockets around the globe that don’t have easy access to transportation. I think the good outweighs the scary. Yes, there is scary. There are people addressing it, and I think we’re seeing a lot of new and interested parties getting engaged and involved, much like yourself, and we can never have too many people looking at the problem and helping us solve it. So I wouldn’t let this conversation scare people away from what the future looks like in terms of connected and automated and eventually autonomous systems. I’m really excited for it. We just have to be smart. We have to be smarter than our smart car.
Surber: There you go. That’s going to be a tough, tough gig, but I think we can do it.
Surber: I’ve been talking today with Jennifer Tisdale, the CEO of Grimm Cyber. If you’d like to read more about cybersecurity issues related to autonomous vehicles, check out Focal Point, Tanium’s online cyber news magazine. We’ve got links to several articles in the show notes. Or just go to tanium.com to hear more conversations with today’s top business leaders and security experts.
Make sure to subscribe to Let’s Converge on your favorite podcast app. And if you like this episode, please give us that five-star rating. Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Jennifer Tisdale is the CEO at Grimm, a cyber research firm headquartered in Michigan, offering a holistic approach to the cybersecurity of cyber-physical systems. She is a cyber-economics strategist and policy adviser supporting industry, government, and academia. Tisdale’s portfolio includes expertise in the industrial Internet of Things (IIOT), critical infrastructure, and advanced transportation mobility.
Shawn Surber is a senior director of technical account management at Tanium. He brings 20 years of operational security experience in the healthcare field to help organizations define and resolve their real-world technology problems.