A string of high-profile hacks – the most recent on President Obama’s personal email account – have made cybercrime an ever-growing concern in the United States. Despite the publicity, most people still think of hacking as something that is done only to information systems like computers and mobile devices.
In reality, hacking is no longer confined to the information world. The level of automation in modern physical systems means that even everyday automobiles are now vulnerable to hacking.
On Friday, Virginia Gov. Terry McAuliffe announced a public-private working group to address the threat of automotive hacking. The University of Virginia, the Virginia State Police and the Charlottesville security firm Mission Secure Inc. will play key roles in conducting this joint research project between various government agencies and private firms.
McAuliffe appointed Barry Horowitz, professor and chair of U.Va.’s Department of Systems and Information Engineering, as a member of the Virginia Cyber Security Commission in 2014, and Horowitz will help oversee the new research project.
“The motivation has been that more and more in your everyday life you see that we’re automating physical systems,” Horowitz said. “And unlike an information system, a physical system could kill you by accident.”
In 2012, Horowitz was part of a Department of Defense-funded research team that began identifying ways to protect unmanned aerial vehicles from cyber attacks on their controls. During that project, he and his fellow researchers realized that there were broader applications for their work. Together with U.Va.’s Licensing and Venture Group, they founded Mission Secure as a way to address threats to a variety of automated physical systems.
Mission Secure’s goal is to create a monitoring system that allows critical physical systems – like the vehicles used by the defense, energy and transportation industries – to keep working during a cyber attack.
The new working group involving U.Va., the State Police and Mission Secure will help the government gain an advantage over future cyber criminals by learning to anticipate and respond to possible threats before they occur.
“Our goal is to help with this vulnerability assessment and testing and see what is potentially possible for forensics,” Mission Secure CEO David Drescher said. “At some point when the police show up at an accident, they will need to determine whether that accident was caused by human error or whether some kind of a cyber incident occurred.”
To date, there are no known cases of cyber attacks on government or civilian vehicles in the United States, but law enforcement agencies are certainly aware of the possibility. Before working with State Police, Mission Secure and U.Va. ran tests on an automated Toyota Scion owned by Charlottesville’s Perrone Robotics Inc. Using just a wireless key fob, researchers were able to take control of the Scion’s braking and acceleration.
A recent episode of CBS’s “60 Minutes” also showed how a hacker was able to cause problems to an ordinary sedan being driven by reporter Lesley Stahl. In that demonstration, the hacker used a laptop to take control of the acceleration, braking, windshield wipers and car horn.
Alarming as these possibilities are, Horowitz said that cybersecurity for physical systems already has a huge advantage that is lacking in the security for information systems. Physical systems are capable of far fewer functions, so it is much easier to recognize when they are exhibiting “illogical behavior.”
Examples of this “illogical behavior” would be continued acceleration while slamming on the brakes or automatic windshield wipers that turn on when there is no rain. It is immediately apparent that there is a problem, so the next steps are to correct the malfunction and identify its source.
That’s where Mission Secure’s patent-pending “Secure Sentinel” device comes in. It acts as a monitor that drivers can trust and is extraordinarily secure compared to the system it is guarding.
Horowitz said that the purpose of the device is twofold. “First, save the driver in the car,” he said, “and second, let’s figure out who did it and how we can find them.”
The platform will do this by simultaneously monitoring potential areas for attack and alerting the driver of any incoming issues. Further tests will determine the most efficient way to alert the driver, but Horowitz said it may start out as something as simple as a horn blast. Once any consequences of an attack are stopped, the system will then begin forensic work to track where it came from.
The Virginia State Police will use their own experience to help researchers identify the most likely points of attack.
“We’re trying to figure out what we call the ‘most likely and consequential’ cyber attacks that could occur,” Drescher said.
The State Police have provided two police cruisers to be used as test subjects for the research, one each of the standard Ford and General Motors models they use. Researchers will test them for vulnerabilities on an escalating scale starting with the most basic and working their way up to more sophisticated attacks.
“We’re starting with common tools,” said Ed Suhler, Mission Secure’s co-founder and vice president of implementation. “We want to see what your average IT person could accomplish and then work our way up from there.”
Right now, there is an information gap between the fields of mechanical engineering and computer science. By looking for ways to bridge that divide, the research team hopes to better prepare Virginia for the future of automated vehicles. This commitment from the governor’s office means more law enforcement personnel could be trained and educated on the overlap between physical systems and cybersecurity.
“As a population, we’re not prepared yet,” Horowitz said. “Luckily, nor are the attackers quite yet.”