Malware could just as easily target a connected vehicle as a smartphone or a computer. There are numerous ways for the enterprising hacker to compromise entire fleets of cars and trucks using vehicle hacking.
A cyber attacker could pepper a vehicle-owner community with socially engineered emails about seemingly legitimate software updates. But instead of upgrading their cars with the latest software fixes, eager recipients could be tricked into clicking on dangerous attachments or links to malicious websites. Malware could be embedded in a seemingly innocent vehicle software update file and transferred to the car unknowingly by its owner via USB drive. With a little more investment, attackers could mail infected USB drives directly to car owners. Even the dealership or maintenance center could be invaded and turned into a ransomware proliferator. According to the FBI, “Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.”
The possibilities for vehicle ransomware mayhem seem endless.
Here is a scenario that could become the nightmare of an automotive manufacturer or fleet owner.
The Automotive Cyber Security Incident Response Team (CSIRT) was called out of its offices at 4 pm, just moments after two events occurred at once. The first was the company’s Security Operations Center (SOC) alarms going off, indicating that a serious cyber attack on some significant part of the company’s 2018 fleet was in progress. The second, even more distressing and harder to deal with, was the cascade of frantic calls from individual car owners and drivers reporting that their vehicles had suddenly, and without warning, ceased to operate, sometimes in dangerous circumstances.
The Automotive CSIRT had been carefully assembled from heavy hitters of cybersecurity. They had been painstakingly coached for this very situation. Months of highly specialized training went into learning the details of connected-car technology, complete with countless drills on every scenario that could be imagined. But like a squad of Navy SEALs, you don’t know how good you are until you confront the real thing, in this case an advanced cyber attack conducted by international hacking experts. The challenge was on.
The four cyber defense specialists of the CSIRT rushed to the SOC to confront the attack that strikes terror in the hearts of every IT department and auto manufacturer: ransomware.
Already, the real-time maps on rows of screens in the SOC were lighting up locations where affected cars were now unable to move, probably exceeding one hundred by now with more reports coming in.
The customer support lines were inundated with irate customers complaining about the vehicle’s RSOD (“red screen of death”, a play on the familiar blue screen of death) that had suddenly popped up on their dashboard screens: “Your car has been taken over by the Dark Vehicle Gang. Pay us if you want to drive.”
The specialists of the CSIRT were well trained in the anatomy of a ransomware attack on cars and other vehicles:
From four workstations each with two large screens, the CSIRT team fired up their bag of incident response software tools. The team knew what they were looking for:
The Board of Directors and Senior Management of the company were now on the scene. They impatiently probed, “What do we know so far?” and delivered the bottom-line questions, “If we pay the ransom, do we get those cars back and how long does it take?”
The CSIRT specialists connected to two of the infected cars over the air to collect evidence. They quickly established that the ignition-control ECU was the target and had been incapacitated. After pulling back a memory dump from each and comparing it with the known-good image for that ECU’s firmware version, they determined that the code had been modified and that malware was resident. By replacing the infected image with a clean one via a firmware-over-the-air (FOTA) update and rebooting the ECU, they could eliminate the malware and reset the ECU to proper operation.
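The comparison step above is the part an analyst actually has to get right: a dump taken from a running ECU will always differ from the golden image in its volatile RAM, so only the code (flash) region should be treated as evidence of tampering. The following is an added example, not code from the article or from any vendor; it assumes a hypothetical flat memory map with a fixed code region and a fixed RAM region, and the two images it compares are constructed inline for illustration.

```python
"""Compare an ECU memory dump against a known-good (golden) firmware image.

Added example, not code from the original article. Assumes a simple flat
memory map in which the code/flash region occupies a fixed offset range and
everything after it is volatile RAM that legitimately differs between dumps.
The sample images in build_samples() are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int  # exclusive


# Hypothetical memory map for the ignition-control ECU (an assumption).
CODE_REGION = Region("flash_code", 0x0000, 0x0400)
DATA_REGION = Region("ram_data", 0x0400, 0x0600)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def modified_ranges(golden: bytes, dump: bytes, region: Region) -> list[tuple[int, int]]:
    """Return (offset, length) runs inside `region` where the dump differs from golden."""
    if len(golden) != len(dump):
        raise ValueError("images must be the same size to compare")
    runs = []
    run_start = None
    for off in range(region.start, region.end):
        differs = golden[off] != dump[off]
        if differs and run_start is None:
            run_start = off
        elif not differs and run_start is not None:
            runs.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, region.end - run_start))
    return runs


def triage(golden: bytes, dump: bytes) -> dict:
    """Flag the dump only if its code region differs; RAM differences are reported, not flagged."""
    code_diffs = modified_ranges(golden, dump, CODE_REGION)
    return {
        "golden_code_sha256": sha256(golden[CODE_REGION.start:CODE_REGION.end]),
        "dump_code_sha256": sha256(dump[CODE_REGION.start:CODE_REGION.end]),
        "code_modified": bool(code_diffs),
        "code_diff_ranges": code_diffs,
        "ram_diff_ranges": modified_ranges(golden, dump, DATA_REGION),
    }


def build_samples() -> tuple[bytes, bytes]:
    """Constructed sample images: a golden image and a dump with two patched code runs."""
    golden = bytes((i * 7 + 3) & 0xFF for i in range(0x600))
    dump = bytearray(golden)
    dump[0x120:0x128] = b"\x90" * 8          # patched instruction bytes (code region)
    dump[0x3F0:0x3F4] = b"\xDE\xAD\xBE\xEF"  # patched constant (code region)
    dump[0x450:0x460] = bytes(16)            # RAM differs; expected on a live ECU
    return golden, bytes(dump)


if __name__ == "__main__":
    g, d = build_samples()
    report = triage(g, d)
    print("code modified:", report["code_modified"])
    for off, length in report["code_diff_ranges"]:
        print(f"  code differs at 0x{off:04X}, {length} bytes")
```

Hashing the whole dump would flag every live ECU as tampered; restricting the verdict to the code region and reporting RAM deltas separately is what lets the analyst tell a patched image from normal run-time state.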
The CSIRT specialists called the driver of one of the infected cars on her mobile phone and informed her of what they were about to do. She was only too happy to cooperate. They sent the FOTA update that quickly repaired the ECU.
“Madam, please try to start your car now.”
A turn of the key and the car jumped back to life. The scream of joy was all the CSIRT heroes had to hear to know that they had won the battle and that the company had dodged the bullet this time.
Now the painstaking effort of repeating these remediation steps on a hundred or more cars could begin. The CSIRT team walked the two dozen SOC analysts on shift through the procedure. If each one could perform the remediation within 5 minutes on each of 5 cars, all the infected cars could be brought back to life within 30 minutes.
No doubt, other drivers would be reporting the attack in the hours and days ahead. (Maybe they weren’t driving today.) The SOC analysts, having proven themselves as automotive defense specialists, would apply the remediation immediately upon receipt of any new report.
Case closed. The company lucked out. They got all the cars back on the road in short order and didn’t have to pay the ransom. But the labors of the CSIRT were hardly over. In fact, the hard work had just begun. Now, they had to answer the big questions after 'dissecting' the anatomy of the ransomware attack:
And the biggest one:
If this OEM had deployed GuardKnox technology, then any improper command to the ECU controlling the ignition switch, instructing it to shut off at a time when the ECU should not enter that state, would have been ignored and reported. The ransomware would not have put the fleet at risk.
GuardKnox’s patented Communication Lockdown™ Methodology delivers fighter-jet-grade cyber protection to connected vehicles. Communication Lockdown™ does not allow any command to take an ECU out of a legitimate state. Despite the greatest efforts of hackers to develop highly sophisticated ransomware attacks, the GuardKnox solution locks them out.
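To make the principle concrete, here is an added example (not GuardKnox code, and not a description of how Communication Lockdown™ is implemented) of the general technique the passage describes: an ECU that only accepts a command when it is a known transition from the current state and the vehicle context permits it, dropping and reporting everything else. The states, commands and context fields are hypothetical, and the scenario at the bottom is constructed.

```python
"""Allow-list filter for commands reaching an ignition-control ECU.

Added example, not GuardKnox code. It illustrates state-based command
filtering: a command is accepted only if (current_state, command) is a
legitimate transition AND its precondition holds for the current vehicle
context; anything else is dropped and recorded for reporting. All states,
commands and context fields are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class IgnitionState(Enum):
    OFF = auto()
    ACCESSORY = auto()
    RUN = auto()


@dataclass
class VehicleContext:
    speed_kph: float
    gear: str          # "P", "R", "N" or "D"
    brake_pressed: bool


# Legitimate transitions: (current_state, command) -> (next_state, precondition).
# Anything not in this table is illegitimate by construction (deny by default).
# Shutting the engine off is only legitimate when stationary and in Park.
TRANSITIONS = {
    (IgnitionState.OFF, "ACC_ON"): (IgnitionState.ACCESSORY, lambda c: True),
    (IgnitionState.ACCESSORY, "ACC_OFF"): (IgnitionState.OFF, lambda c: True),
    (IgnitionState.ACCESSORY, "START"): (
        IgnitionState.RUN, lambda c: c.brake_pressed and c.gear == "P"),
    (IgnitionState.RUN, "ENGINE_OFF"): (
        IgnitionState.OFF, lambda c: c.speed_kph == 0 and c.gear == "P"),
}


@dataclass
class IgnitionEcu:
    state: IgnitionState = IgnitionState.OFF
    rejected: list = field(default_factory=list)

    def handle(self, command: str, ctx: VehicleContext) -> bool:
        """Apply `command` if it is a legitimate transition now; otherwise drop and log it."""
        entry = TRANSITIONS.get((self.state, command))
        if entry is None:
            self._reject(command, ctx, "no such transition from current state")
            return False
        next_state, allowed = entry
        if not allowed(ctx):
            self._reject(command, ctx, "precondition not met")
            return False
        self.state = next_state
        return True

    def _reject(self, command: str, ctx: VehicleContext, reason: str) -> None:
        # In a real vehicle this record would be forwarded to the telematics/SOC channel.
        self.rejected.append({
            "state": self.state.name, "command": command,
            "speed_kph": ctx.speed_kph, "gear": ctx.gear, "reason": reason,
        })


def ransomware_scenario() -> tuple[IgnitionState, int]:
    """Constructed scenario: legitimate start-up, then attacker-injected commands at speed."""
    ecu = IgnitionEcu()
    parked = VehicleContext(speed_kph=0, gear="P", brake_pressed=True)
    ecu.handle("ACC_ON", parked)
    ecu.handle("START", parked)
    moving = VehicleContext(speed_kph=95, gear="D", brake_pressed=False)
    ecu.handle("ENGINE_OFF", moving)   # the ransomware's kill command: dropped and reported
    ecu.handle("START", moving)        # nonsensical from RUN: dropped and reported
    return ecu.state, len(ecu.rejected)


def legitimate_shutdown() -> tuple[IgnitionState, int]:
    """The same ENGINE_OFF command is accepted once the car is stationary and in Park."""
    ecu = IgnitionEcu(state=IgnitionState.RUN)
    parked = VehicleContext(speed_kph=0, gear="P", brake_pressed=True)
    ecu.handle("ENGINE_OFF", parked)
    return ecu.state, len(ecu.rejected)


if __name__ == "__main__":
    state, dropped = ransomware_scenario()
    print(f"engine state after attack: {state.name}, commands dropped: {dropped}")
```

The design choice that matters is the deny-by-default table: the filter never has to recognise the malware, only the legitimate transitions of the ECU, so a novel ransomware payload that sends an otherwise valid ENGINE_OFF at highway speed is rejected for the same reason a corrupted message would be.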