Trying to balance security and the convenience provided by technological advancements isn’t news. Nor is the latest hubbub around keyless vehicle entry and the obvious security risk. A recent video issued by West Midlands Police shows two criminals using information gathered from the electronic key to enter, start and drive away a car. Research reveals that this is a simple “Ghost and Leech” attack, where the boxes held by the thieves extend the read range of the key. When the keyless entry system on the car was initially designed, the cost and size of these boxes confined the fraud to laboratory conditions. Now, however, the boxes are readily available on the internet, are smaller and require less power, making them portable and a convenient tool for organized criminals.
Are the automotive OEMs or their suppliers recognizing these risks and developing countermeasures?
As any information security expert will tell you, you need to understand the threat landscape in which your vehicle will operate and ensure that all cost-effective countermeasures are included in its design prior to commercial launch. It is likely that countermeasures will have to change over the lifetime of the vehicle, as new functionality is added, e.g. in-car payments, or, as highlighted above, as the criminals find new ways of attacking the car. And so, future proofing becomes front of mind.
The long development and product lifecycles associated with the automotive industry, compared with say smartphones, combined with high certification requirements surrounding any change to the vehicle, make this difficult. The reputational and financial costs of recalling vehicles to insert a new piece of hardware or load new software, for example, make the business case for such interventions difficult. Many owners are reluctant to upgrade their vehicles, fearing that it will impede their performance. Others are prone to litigation on the grounds that the vehicle is not performing as advertised.
Even with the advent of software advances, there is still the problem of ensuring that the software upgrade is correctly implemented across all vehicles. The mobile network operators (MNOs) are working closely with the automotive OEMs to ensure that software upgrades can be remotely downloaded over the air to connected cars; this is still in its nascent stages. We know of electric car owners who have had to wait for 30 minutes in the morning whilst their cars rebooted and others who have had the functionality of their vehicle changed when the vehicle showed signs of being imported into a different country. Does this process introduce new information security risks as criminals take advantage of inconsistencies in the version of the software loaded into different vehicles?
At Consult Hyperion we use the return on the criminal’s investment in the fraud to determine the probability that it will be committed; always low when the keyless entry system was initially designed and now, many years later, high. The reputational or financial gains from such attacks allow us to evaluate the cost of a countermeasure against the potential losses if it is not implemented. Our clients’ risk appetite determines whether or not they make the investment. We use our understanding about how technology is likely to evolve to assess how and when the current level of risk is likely to change and therefore when the investment in a countermeasure becomes crucial.
Consult Hyperion has around 20 years’ experience of managing information security risks within distributed systems deployed primarily within the global financial services industry. Whilst the context in which the criminals deploy them is different, the techniques the criminals use are the same. The Ghost and Leech attack posed a potential threat to the use of contactless payment cards following the introduction of NFC technology in smartphones. The UK press ran multiple stories about how the phones could be used to collect account information from contactless cards in people’s wallets. Consult Hyperion was commissioned to analyze the data that could be collected by devices snooping on the contactless card transaction at the Point of Sale and the opportunity to use that data to buy other goods in another store. As a result of this analysis the UK banks agreed to add additional countermeasures into their systems, all of which had been recommended by the international card schemes. Their introduction was coordinated by APACS, now part of the UK Payments Administration, who had commissioned some of the earlier analysis.