Hacking smart cars without an Internet connection

A Chinese hacker who goes by Daishen recently claimed he can hack the Volkswagen Touareg, Audi A6, Audi A7 and more without an internet connection, through the car’s GPS and stereo systems, by exploiting flaws in the car’s security layers. (http://www.techworm.net/2016/04/chinese-hacker-claims-can-hack-car-even-without-internet-connection.html)

On this, @DFMag had the following exclusive comment from automotive cyber security expert Jim Ogilvie, founder of EP90group Ltd.

“Irrespective of the various potential technologies, processes and policies, for any viable system of connected and autonomous vehicles to thrive, the twin requirements of security and safety must satisfy a public acceptance test and have a resilient confidence level.
Most markets are familiar with an annual vehicle certification of roadworthiness. It is a limited assurance that provides a certification that at a moment in time a vehicle was deemed roadworthy from a safety perspective to all road users. To maintain public confidence in connected and autonomous vehicles that have an increasing proportion of software, with numerous communications protocols and over-the-air updates, it is easily argued that electrical and/or electronic (E/E) security should come within the purview of this annual roadworthiness assessment and a new approach to testing will be required.

Modern vehicles have legacy systems of technology fused with tomorrow’s architecture, e.g. CAN and LIN with automotive Ethernet. Today’s vehicles have complex communications protocols including GSM, Wi-Fi, Dedicated short range communications (DSRC), Lidar, RFID, and Bluetooth and a variety of access points to vehicle networks that will support V2V, V2I and V2X communications (IEEE 802.11a/b/g/n and IEEE 802.11p as well as LTE-V). Increasingly we will see a migration to off-boarding processing and the sensors on vehicles will increasingly serve a wider interest, where vehicular resources become an integral part of the existing infrastructure, blending the Internet of Vehicles into the Vehicles of the Internet. All this has to be assured as safe and secure.

Over the past twelve years numerous insecurities have been highlighted that are not dependent on internet connectivity or broadcast signals such as DAB radio; however, whilst it is important to identify vulnerabilities and exploits, it is vital for us to turn our collective attention to approaching the design and development process with security integrated throughout. This may necessitate a whole new approach to vehicle architecture and maybe we cannot rely on ‘separation’, ‘gateways’ and ‘bug bounties’ as a way forward in the longer-term. With concepts and initiatives such as Attacker-in-the-loop (AIL), Tested-in-the-wild (TIW) and the application of blockchain technologies this may be achieved.

What is clear is that the role of forensic examination and potential for the presentation of information for a range of investigations will be a vital component to ensure a public acceptance and confidence in connected and autonomous vehicles.”

About the Author
Jim Ogilvie is founder and owner of EP90group Ltd, a diversified company spanning security and investigations. With a specialist consultancy business and a growing automotive cyber security business amongst the businesses within the group, Jim is fusing past careers to explore new solutions and bringing together Government security with commercial cyber security and automotive engineers to create unique and different solutions to emerging insecurity.
A former Senior UK Police Officer, Jim was a detective for over 20 years and was head of Cyber for UK Counter Terrorism Policing and Programme Director for a National Digital Exploitation Service. 

Jim was the first UK police officer to be appointed as a technical advisor to UK Secretaries of State. Having been a Senior Investigating Officer for Serious & Organised Crime, Counter Corruption and Counter Terrorism Investigations, Jim has been involved with some of the UK’s most high profile investigations and has a keen interest in investigation methodology and innovating cyber investigation. Having started his working life as an Automotive Engineer, Jim is now fusing interest areas and is actively pursuing research into Automotive Cyber Security.