Don’t hack my V2V

By John Bendel, editor-at-large

The future is on its way and will be here shortly. And, boy, are we gonna be safe. Or maybe not.

The technology folks tell us trucks and cars will soon be talking with each other as well as to traffic lights and stop signs.

What will they be saying?

If all goes according to plan, they’ll be saying things like: Excuse me, but may I merge here? Of course you may! Ah, Mr. Stop Sign, so good to hear from you! No, after you, ma’am!

What if things don’t go as planned?

Then those wireless conversations may include commands and misinformation from criminals or terrorists who want to hold your car for ransom, rob the toll authorities, or maybe just kill you and everyone on the road around you.

Either way, the future is still on its way.

In December, the National Highway Traffic Safety Administration proposed requiring all cars and light trucks (but no big trucks; see article Page 71) to be equipped with electronic devices that will enable that exchange of information in real time. It’s called Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communication.

You or your autonomous vehicle will know there’s a traffic light up ahead and what color it will be. You will know there’s a stop sign ahead. You will know traffic is backed up just over the hill so you won’t rear-end someone while trying to stop. You will know someone is about to barrel through the intersection you’re heading into. According to its boosters, V2V and V2I will prevent crashes. Not only that, but they’ll keep traffic moving at a steady, efficient pace.

However, not everyone is convinced these technologies are as safe as they need to be. Take Certified Information Systems Security Professional Andrew Strutt.

“There’s always going to be risk and vulnerability. You can’t ever just completely get rid of it all,” Strutt said.

Strutt is a network security engineer with Spirent Federal, a security company that does business with the federal government, particularly the military. “And one area we have focused on is the trucking industry. They’re the most likely to run the first automated, widely deployed vehicles,” Strutt said.

“Not that we want to eliminate drivers,” he added.

Strutt explained the information that flows between vehicles can be subject to hacking. A hacker could use the system protocols to inject messages. “For example, hackers could use the emergency alert system codes and messages to cause accidents and traffic delays,” he said.

Some V2V hackers might be crooks looking for money. The simplest target for them, Strutt said, would be toll authorities, which use the same technology as V2V for automated toll collection. “A hacker could fake a message so the toll is charged to someone else’s account or not charged at all,” according to Strutt.

Then there’s the threat of ransomware.

“Why wouldn’t (hackers) be able to go through V2V to exploit the onboard computer of the vehicle to insert ransomware? You would not be able to start or drive your car unless you pay the fee. I haven’t done the research to see if they’ve actually firewalled off those communication networks within the onboard computers, but my confidence is very low that they’ve done it correctly. So there is probably vulnerability using V2V to exploit onboard computers,” Strutt said.

Strutt believes exploits by a hostile power could come in a form other than murderous terrorism.

“There are risks to human lives, but also to the economy – to cause traffic to slow vehicles down, to send trucks to the wrong destinations. These things will waste money and time. Those are things they’ll go after and use against us,” Strutt said.

Hackers could use V2V to cause massive traffic jams, he explained, perhaps in a particular area at a given time. Hackers could tie up a city or cause chaos at a major event.

And those hackers could have help from down the supply chain.

“A lot of integrated circuits, micro-controllers, and computers come from other countries. Most manufacturers don’t necessarily quantify or secure their supply chain of equipment and property. So theoretically you could embed a Trojan or embed a back door into the onboard computers of vehicles that could be exploited en masse,” Strutt said.

“A vehicle can have dozens of computer systems on board. All those chips come from manufacturers, mostly in China. We should be able to quantify and understand the risk inherent there. We should be able to audit and interrogate all the equipment that gets on board a vehicle,” he said.

Here, Strutt cited Spirent’s security work.

“We found numerous times that cellphones are coming pre-exploited with a Trojan or back door to let Chinese manufacturers get into all the phones they distributed to the United States of America,” he said.

Manufacturers could do the same with vehicle electronic components, he noted.

With or without help from hardware makers, hacking incidents are on the rise. Literally thousands of companies and government agency computer systems have been broken into. We’re talking about major players like Sony, AT&T, JP Morgan Chase, Dow Jones, Target, Home Depot, AOL, Uber, the IRS, the U.S. military, and the U.S. Federal Reserve, not to mention Yahoo where hackers came away with information on more than 1 billion users – data that was recently sold on the dark internet to criminal organizations.

In November, someone hacked into the San Francisco public transit system, preventing fare payments. The hacker demanded the Bitcoin equivalent of $73,000 to unlock the payment system. The ransom was not paid. The following month in a more ominous exploit, hackers took down the power grid in the Ukraine.

These hacks did not involve wireless communications like V2V and V2I, but they demonstrate the growing expertise of hackers.

What about an upside?

Well in San Francisco where the transit authority could not collect fares, they simply opened the gates, and for a day or so everyone rode for free. And in Seattle where a thief made off with a BMW 500i, police contacted BMW corporate, which tracked the car and remotely locked the doors with the thief inside.

Of course, there is the very real potential of V2V and V2I technology to do what it’s supposed to – save lives and keeps traffic flowing.

“Advanced vehicle technologies may well prove to be the silver bullet in saving lives on our roadways,” said NHTSA Administrator Mark Rosekind in a NHTSA press release. “V2V and automated vehicle technologies each hold great potential to make our roads safer, and when combined their potential is untold.” LL