Car hacking: how cyber security is stepping up

Tech company Harman, supplier of infotainment systems to brands such as Mercedes-Benz, BMW and Porsche, has launched new software to tackle the increasing threat of car hacking, having acquired two software security companies.

The purchase of Towersec and Redbend means their technology contributes to Harman’s new ‘5+1 cyber security framework’, which provides five layers of protection against attack, from the hardware level right up to the vehicle network.

Harman’s director of technology marketing, Hans Roth, said: “As we move forward towards autonomous driving, cars require more built-in connectivity embedded deeply into the car, so cyber security has become a priority.”Towersec, a specialist in ‘intrusion prevention’, has developed software to protect military weapons systems from hacking, as well as two automotive software products, ECUshield and TCUshield.

TCUshield prevents unwanted wireless connections with a vehicle’s TCU (telematics connecting unit), while ECUshield detects and prevents attempts to hack into a vehicle’s ECUs (electronic control units) or the network connecting them.

“There could be as many as 120 ECUs in a modern luxury car,” said Roth.

Redbend has developed OTA (over the air) technology to update a car’s security systems remotely. All three are offered as part of the 5+1 framework.

Its flexible nature allows car makers to choose which elements of it they wish to use.  “Some may substitute another method for one or more layers,” said a spokesman.

For example, one manufacturer has adopted the Redbend OTA system for remote software updates so far, although it is not yet being used to update security systems.

ECOshield and TCUshield include an algorithm that can “spot an attack without knowing the method of attack up front”, said the spokesman.

Unlike PC antivirus software, which must be updated continually with lists of viruses, Towersec’s algorithm recognises authentic data in the Controller Area Network (CAN — the car equivalent of an office computer network), treats any it doesn’t recognise as a threat and tells the car not to use it.

This prevents unwanted instructions given to a car from the outside from taking effect, even if hackers manage to connect to the car in the first place.

The news comes as US authorities, including the FBI, issued a warning to “manufacturers — of vehicles, vehicle components and aftermarket devices — to maintain awareness of potential issues and cyber security threats related to connected vehicle technologies in modern vehicles”.

Hacking a Jeep Cherokee

American software experts Charlie Miller and Chris Valasek made headlines last year by hacking a Jeep Cherokee via the mobile phone network.

The demonstration resulted in Fiat Chrysler recalling 1.4 million cars thought to be vulnerable to attack.

Miller and Valasek were able to connect to a communications chip in the Jeep’s infotainment unit — ironically, a Harman Ucontrol system designed some years previously.

From there, they were able to access the Jeep’s Controller Area Network and some crucial functions.

At the Def Con hacking conference in Las Vegas, Miller said it was a “superdifficult” task that took three and a half months to complete.

The pair also had full access to the header unit and other areas of the Jeep, which they purchased for the experiment.

According to the FBI, the pair could shut down the engine, disable the brakes and control the steering below 16kph.

At any speed, they were able to operate less crucial functions, such as the door locks, turn signals, the radio and GPS. Some technology has left today’s cars vulnerable to attack.

Recommended: How real is the risk of car hacking?