Before you sign the papers on a tricked-out Tesla or other high-tech car, you might want to read this report from Consumer Watchdog, which warns that some 2020, internet-connected vehicles can be weaponized via a fleet-wide hack—and there’s no kill switch to disengage.
We decided to get our own guidance and tracked down two cyber experts: Brian DeMuth, CEO of cyber R&D firm GRIMM, and Bryson Bort, GRIMM founder and current head of security consultancy SCYTHE. Both companies are a familiar presence at AvengerCons and work with members of the US Army Cyber Command, as well as intelligence community organizations.
Bort filled us in on why connected cars are relatively easy to hack, and DeMuth how GRIMM’s defensive automotive engineering training can help.
Brian, let’s say I just took delivery of a brand-new 2020 Tesla Model X.
How can I ensure malevolent operatives aren’t going to hack into its systems and wreck my ride? What steps should I take?
[CEO Brian DeMuth] There are currently no easy ways to ensure attackers cannot compromise your Tesla, or most vehicles.
There are a few things that can reduce the risk if you are willing to accept diminished functionality in the car.
For example, the telematics unit can be removed from the vehicle to eliminate attacks over the cellular network, but this also will prevent mobile apps and other remote functionality from working.
Removing the telematics unit could also trigger warnings and other errors to appear in the instrument cluster or infotainment system.
In the extreme case, the vehicle may refuse to operate or will only operate in a diminished capacity without extensive reverse engineering to trick the vehicle into believing that the telematics unit is alive and well.
But this will cause problems with the vehicle, right?
[DeMuth] Removing this functionality on a Tesla will prevent automatic software updates.
These automatic updates could fix security issues in other parts of the vehicle or improve functionality and safety.
Is it possible to protect a vehicle from ransomware?
[Bryson Bort] If you’ve seen my talks, this is my five-year prediction.
No, there is nothing a consumer can do.
So I’d better sign up for GRIMM's [$4,000] Defensive Automotive Engineering Security Training.
[DeMuth] This course is primarily geared toward automotive engineers and security professionals who want a better understanding of the security issues facing modern connected automobiles, how many car attacks work, and how to implement secure vehicle systems.
[But the] course covers a breadth of topics, [from] hacking of a modern infotainment system [to] remote keyless entry.
The class gives students hands-on experience attacking automotive systems and gives them the tools to defend against attacks.
The students can use these tools to create resilient automotive designs.
There was an issue in 2018 with hackers scanning areas looking for connected vehicles broadcasting key data via their iBeacons.
Has that been fixed? Or do you show car owners how to disable that?
[DeMuth] Nope.
Still an issue.
The affected OEMs generally consider it largely a privacy issue and not a safety concern.
While work is ongoing within many OEMs, this currently goes largely unresolved.
Disabling this functionality requires a degree of technical sophistication, and like the previous question about securing a new Tesla, could cause some functionality to stop working.
Recommended by Our Editors
Also, if I want to be somewhat stealth in a geographic area, can I protect my vehicle from Automatic License Plate Recognition (ALPR)?
[Bort] First, follow the law.
Some states and local laws forbid license plate obscuration.
[But] where it is legal, there are coatings and covers that allow the plate to be visible to the human eye, but block automatic cameras.
Finally, how do you both hire white hats for SCYTHE and GRIMM? Or is that why you participate in events like this week's Wild West Hacking Fest (WWHF)?
[DeMuth] Certainly we meet many candidates through our community outreach at conferences.
However, we understand the critical importance in growing the talent pool to address the global workforce shortage in cyber security.
Cue our strategic program, HAX, which builds our future cybersecurity practitioners to be creative, inquisitive, highly skilled, and prepared for the workforce to immediately help solve the toughest security challenges.
This is a robust internship and mentorship program for GRIMM that we work to expand each year.
DeMuth and Bort will attend WWHF this week, albeit virtually, as the San Diego conference is now an online-only event thanks to the coronavirus.
Bort will be speaking on Thursday at 2 p.m.
PT.