WannaDrive? – Ransom demand from the dashboard

If the automotive industry hadn’t gotten the message before, the WannaCry attacks of May 2017 must have hammered it home: crypto-ransomware is a credible threat. As digital connectivity reshapes the economy and our daily lives, it is offering online extortionists a bigger and bigger target for attacks. In the future, it will not be only companies, hospitals, and public authorities at risk – thanks to smart mobility and the functions enabled by digitalization, any vehicle could be the next target.

Online extortionists are far less likely to target private cars than they are commercial vehicles and fleets. These may include delivery trucks with tight schedules or ones transporting perishable goods; bus companies; rental car fleets; expensive construction machines; and special-purpose vehicles. If the extortionists manage to use ransomware to take one of these as a digital hostage, there is a good chance the ransom will be paid. But what’s the best way to protect against potential ransomware attacks?

It wouldn’t take much to launch a ransomware attack

Although there have been no known successful ransomware attacks on vehicles to date, it’s possible to predict typical scenarios based on approaches in other areas. Cybercriminals tend to favor existing, ready-to-use ransomware kits or ransomware-as-a-service offers that include bot masters and bitcoin payment systems. So far, the main targets of such ransomware kits have been traditional desktops and IT servers. But as soon as there are enough vulnerable vehicles and fleet operators online, ransomware variants for automotive Linux or AUTOSAR are bound to start cropping up. In the meantime, there are already plenty of ransomware gateways out there – websites accessed on infotainment systems, messages received in the car (e.g. e-mails, texts, instant messages, digital radio), smartphones or navigation systems connected to the car, FOTA updates, remote diagnostics, and cloud services provided by automakers.

ESCRYPT security engineers have successfully simulated just such a ransomware attack. Using a Raspberry Pi running Linux with a touchscreen as an automotive infotainment system, they connected it via a gateway ECU and a proprietary bus network to a genuine speedometer control unit with the original manufacturer’s firmware – similar to how it would be in a normal car. Acting as host ECU, the Raspberry Pi was “infected” with Python-based ransomware via the USB interface.

As planned, the ransomware client then jammed the speedometer, setting it to permanently display the maximum speed. At the same time, the ransom demand and payment details for an anonymous bitcoin account appeared on the “infotainment system” touchscreen. Conclusion: if the level of IT security doesn’t keep pace with increasing automotive connectivity, ransomware attacks on vehicles are a real threat that would be easy to carry out.

Prevention through an integrated approach to security

Not only are today’s vehicles open to attacks, most also offer no mechanism for backing up important data and functions. They don’t receive regular updates, usually have only rudimentary (gateway) firewalls, and very few are equipped with an adequate automatic intrusion detection and protection system (IDPS). Retrofitting suitable safeguards is often difficult and expensive. The best way to protect vehicle IT against ransomware and other cyberattacks is for manufacturers to take an integrated approach to automotive data security, starting in the development stage. Any such approach should cover at least the following three areas:

  • The entire vehicle system including its IT infrastructure – from each individual control unit to the backend in the cloud
  • The entire vehicle life cycle – from the first requirements analysis to decommissioning
  • The entire organization – from individual security permissions to company-wide security governance

It follows that holistic vehicle protection calls for a series of dovetailing security measures. In the vehicle itself, embedded security components help protect against hacker attacks and malware with known signatures. In addition, an intrusion detection and prevention system (IDPS) detects and blocks anomalous communication on the vehicle’s electrical system, such as that caused by a potential ransomware attack. This is done either directly in the vehicle or via a cyber defense center tied into the backend. Whenever it detects a new attack pattern, the center can perform suitable, effective security updates for the entire fleet. And should a ransomware attack slip through, what is needed is a swift and effective response – for instance, a predefined incident response procedure that provides approved recommendations for action and can even consider payment of the ransom.
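The kind of in-vehicle anomaly check an IDPS applies can be sketched for the speedometer scenario above. This is an added example, not ESCRYPT's code; the message ID, signal layout, cycle time and thresholds are hypothetical, and the bus trace is constructed.

```python
import struct
from dataclasses import dataclass

# Hypothetical signal definition (assumed for this example, not from the article).
SPEED_ID = 0x1A0        # bus ID of the speed message
PERIOD_S = 0.100        # nominal cycle time of the legitimate sender
COUNTS_PER_KMH = 100    # 16-bit big-endian raw value, 0.01 km/h per count
GAUGE_MAX_KMH = 300.0   # highest value the instrument can display
MAX_DELTA_KMH_S = 40.0  # plausibility bound on speed change per second
PINNED_FRAMES = 5       # consecutive frames at maximum before alerting

@dataclass
class Alert:
    ts: float
    rule: str
    detail: str

def detect(frames):
    """Return alerts for (timestamp_s, bus_id, payload) tuples in time order."""
    alerts, last_ts, last_speed, pinned = [], None, None, 0
    for ts, bus_id, data in frames:
        if bus_id != SPEED_ID:
            continue
        if len(data) < 2:
            alerts.append(Alert(ts, "malformed", f"payload of {len(data)} bytes"))
            continue
        speed = struct.unpack_from(">H", data)[0] / COUNTS_PER_KMH
        if last_ts is not None:
            dt = ts - last_ts
            if dt < 0.5 * PERIOD_S:  # a second sender or flooding
                alerts.append(Alert(ts, "rate", f"gap {dt * 1000:.0f} ms"))
            if abs(speed - last_speed) > MAX_DELTA_KMH_S * dt:
                alerts.append(Alert(ts, "jump", f"{last_speed:.1f} -> {speed:.1f} km/h"))
        pinned = pinned + 1 if speed >= GAUGE_MAX_KMH else 0
        if pinned == PINNED_FRAMES:
            alerts.append(Alert(ts, "pinned", f"{pinned} frames at gauge maximum"))
        last_ts, last_speed = ts, speed
    return alerts

def sample_frames():
    """Constructed trace: normal driving, then the value forced to maximum."""
    raws = [(0.0, 5000), (0.1, 5020), (0.2, 5040), (0.3, 30000), (0.4, 30000),
            (0.5, 30000), (0.6, 30000), (0.7, 30000), (0.71, 30000)]
    frames = [(ts, SPEED_ID, struct.pack(">H", raw) + bytes(6)) for ts, raw in raws]
    frames.insert(2, (0.15, 0x2B0, bytes(8)))  # unrelated message, ignored
    return frames

if __name__ == "__main__":
    for alert in detect(sample_frames()):
        print(f"{alert.ts:.2f}s {alert.rule}: {alert.detail}")
```

Alerts of this kind are what the vehicle would block locally or forward to the backend cyber defense center for fleet-wide analysis.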

The potential threat from ransomware attacks targeting vehicles must be taken seriously. Integrated, effective automotive security should not be regarded as a burdensome cost factor, but rather as a decisive success factor. It helps fleet operators and automakers arm themselves against online extortion, product recalls, and compensation claims.
