‘Hack-ademics’ prepare us for new cyber dangers
We are entering an era of ubiquitous computing as powerful sensors, smart devices and 5G networks enable billions of products and systems to be connected to the Internet - and each other. But in their rush to release futuristic gadgets, companies are also handing new opportunities to hackers. Researchers at the University of Birmingham are stress-testing smart technologies, from contactless cards to connected cars, to prepare us for a threat-filled future.
The car as code
Modern-day cars are decked with sensors and electronic components managing everything from steering, brakes and navigation to remote control door opening and entertainment. Cars are increasingly linked to each other, and the internet. By 2020, over 250 million vehicles will be connected globally, with the number of installed connectivity units increasing by 67 percent, according to Gartner, a consultancy.
This can be good news. Autonomous vehicles will ‘talk’ to each other, such as issuing warnings to cars behind when braking sharply. Computers are immune to the tiredness and distraction that cause millions of road fatalities and injuries annually. Consumers also want the convenience and novelty that 21st century automobiles will bring. But cyber experts at the University of Birmingham believe these vehicles are increasingly open to hacking - from theft to more sinister safety compromises.
Flavio Garcia, professor of computer security at the university’s School of Computer Science, has spent the last decade exploring security flaws in smart products. His past work found vulnerabilities in contactless cards used for transport and buildings access, from London’s Oyster card to government buildings and power stations in the Netherlands. Cryptographic flaws, found through cryptanalysis and ‘offensive’ research that probes for weaknesses, led the relevant institutions to migrate to new, safer systems.
Now, Garcia is turning his attention to cars – where he has found worrying flaws. One is in the smart keys that automatically open a car when the owner approaches. “These keys use a cryptographic ‘challenge response’ approach, whereby the car generates a random number and sends it to the key, and the key encrypts that number and sends it back, and by doing so, proves knowledge of a secret,” says Garcia. By exploiting flaws in the cryptographic protocols underlying this process, Garcia has opened vehicles without any key.
A more sinister problem lies in the electronic systems that control functions like brakes and acceleration. Car servicers and garages tap into diagnostic units when doing routine checks, but these systems are based on protocols designed decades ago, when cars were isolated networks. “As we connect cars to the internet, it is opening the door to a lot of attacks and malware. Protocols in the vehicle’s network were not designed with these threats in mind,” says Garcia. Hackers could, in theory, take control of in-vehicle diagnostics via a laptop near the car through a parking sensor or camera connector, or via a remote exploit, and re-programme them to, for instance, disable the brakes in 10 hours’ time.
“Once you have a vehicle with electronic components, and therefore a network, suddenly it’s all open,” says Professor Mark Ryan, HP Chair of cyber security at the University of Birmingham. “You can use a laptop to access the vehicle network and control everything, like how the brakes and steering work.”
These are not hypothetical risks: there have been over 260 attacks on connected cars since 2010, including 73 in 2018 alone and over 70 so far in 2019. One stunt, performed with a journalist from the magazine Wired, saw pranksters take over a Jeep remotely – blasting out cold air, turning up the radio and switching on the windscreen wipers.
People get ready
Cars are not the only smart product at risk of cutting-edge attacks. The entire consumer and home product market is open to manipulation - and the dawn of 5G connectivity will be a bonanza for hackers.
“In 4G, a mobile device talks to a tower, which relays the signal to another mobile. In 5G, there will be peer-to-peer communications between devices,” says Garcia. “There will be base stations everywhere – in lamp posts, buildings, the gaps between walls. It will be harder to switch off or isolate yourself, so more power goes to the adversary,” says Mark Ryan.
5G will make smart cars a reality, and could bring plenty of benefits. Autonomous vehicles could ‘platoon’, which means driving close together, thereby reducing wind friction and thus fuel usage. But device-to-device communication also makes cars an entry point into other cars, capable of pushing in malicious code and exploiting vulnerabilities.
Mark Ryan sees 5G bringing similar risks to home devices. “There is a big rush to market for appliances like internet-enabled kettles, fridges, ovens, TVs, thermostats, speakers and so on,” says Ryan. “They are being quickly designed and made, and they have bugs and mistakes. Hacking into a single connected device gives an adversary an entry point to the entire home network.” In one well-publicised attack, hackers sought access to a casino’s database through a smart thermostat in its fish-tank.
Cryptography is the dominant form of protection, in everything from instant messaging to contactless payments, and inadequate cryptography is a critical vulnerability. But hackers can prosper even when cryptography is sound through ‘relay attacks’, by which they intercept and hijack cryptographic communications between two entities.
“People can steal cars by pushing an aerial through someone’s front door and, if they have left their keys by the front door, this box picks up the signal and relays it to someone standing at the car,” says Dr Tom Chothia, senior lecturer in cyber security at the University of Birmingham. The same vulnerability can be used to exploit contactless payments cards. “If you hold a mobile next to someone’s bag, they could relay the signals from the card to someone else’s phone and make a payment. So even if the cryptography is perfect, this relay attack works.”
Offensive cyber research, such as that conducted by the University of Birmingham team, can help the companies building our cars, apps, smart cards and devices. Too often, companies lack the in-house cyber expertise to predict how their products could be manipulated. Vulnerabilities can also be ‘emergent’, meaning a product is secure in itself but becomes exposed when combined with other products or integrated into a certain type of network.
The sheer quantity and complexity of software today also opens up vulnerabilities over time. The growing library of software used in cars, for instance, requires regular updates. “It’s hard for manufacturers to keep up with maintaining all this,” says Garcia. “How can they make sure they are not incorporating new vulnerabilities? The amount and complexity of code has gone beyond the limits of what humans can check, so we need automated systems.”
Manufacturers, rushing smart products to market, are pushing out products at ever-quicker development cycles, increasing the likelihood of flaws. They are also buying more and more components for which they often do not even have the source code, making them “literal black boxes”, says Garcia. “This is worrying because security is, in general, not compositional; two elements can be secure in isolation but compromised when you put them together.”
Academic researchers can play a crucial role in stress-testing products and working with industry to develop solutions. Researchers at the University of Birmingham, for instance, are developing ‘trust anchors’ that enable devices and technologies, including vehicles, to authenticate vital instructions such as those from the engine control module. To fight relay attacks, they are designing protocols that can detect tiny delays in communication speed that indicate a new device entering a network. “Car key manufacturers will start to integrate this into their systems in the near term and we are currently doing the groundwork for this,” says Chothia.
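The challenge-response exchange and the relay problem described earlier, together with the delay check mentioned above, can be modelled in a few lines. This is an added example, not code from the article or from the Birmingham researchers: HMAC-SHA256 stands in for the key's encryption step, latencies are simulated numbers rather than measured radio timings, and the names `RadioPath`, `Car`, `RTT_LIMIT_NS` and `FOB_PROCESSING_NS` and their values are assumptions.

```python
import hashlib
import hmac
import secrets

FOB_PROCESSING_NS = 500   # assumed time the key needs to compute its answer
RTT_LIMIT_NS = 2_000      # assumed round-trip bound for a key beside the car

def mac(secret: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for "the key encrypts that number" (assumption).
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class RadioPath:
    """Simulated link to a key: direct, or stretched by a relay that forwards faithfully."""
    def __init__(self, fob_secret: bytes, one_way_ns: int):
        self.fob_secret, self.one_way_ns = fob_secret, one_way_ns
    def exchange(self, challenge: bytes):
        # Returns the key's answer and the round-trip time the car would measure.
        rtt_ns = 2 * self.one_way_ns + FOB_PROCESSING_NS
        return mac(self.fob_secret, challenge), rtt_ns

class Car:
    def __init__(self, secret: bytes, rtt_limit_ns=None):
        self._secret, self.rtt_limit_ns = secret, rtt_limit_ns
    def try_unlock(self, path: RadioPath) -> str:
        challenge = secrets.token_bytes(16)   # fresh random number per attempt
        response, rtt_ns = path.exchange(challenge)
        if not hmac.compare_digest(response, mac(self._secret, challenge)):
            return "rejected: wrong response"
        # A relay passes the cryptographic check; only the added delay gives it away.
        if self.rtt_limit_ns is not None and rtt_ns > self.rtt_limit_ns:
            return "rejected: response too slow"
        return "unlocked"

def demo() -> dict:
    secret = secrets.token_bytes(16)
    nearby = RadioPath(secret, one_way_ns=10)        # constructed: key next to the car
    relayed = RadioPath(secret, one_way_ns=50_000)   # constructed: delay added by a relay
    plain, timed = Car(secret), Car(secret, RTT_LIMIT_NS)
    return {
        "plain/nearby": plain.try_unlock(nearby),
        "plain/relayed": plain.try_unlock(relayed),
        "timed/nearby": timed.try_unlock(nearby),
        "timed/relayed": timed.try_unlock(relayed),
        "timed/wrong key": timed.try_unlock(RadioPath(b"x" * 16, 10)),
    }
```

The car without a timing bound accepts the relayed exchange because the response is cryptographically valid; the car with the bound rejects it while still accepting the nearby key.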
“Universities have two roles to play here,” says Mark Ryan. “One is looking at longer-term trends that companies find it difficult to find the time and resources to look at. Another is taking a fresh look at products. The industry is facing a great pressure to quicken their time to market. We can take a second look at their products and point out vulnerabilities.”
Companies once bristled when academics identified problems with their products, but that is beginning to change. “It is better that academics point these out in a reasonable dialogue than that it gets picked up by criminals and the company doesn’t hear about it until it’s major news,” says Ryan.
Tom Chothia recalls that banks moved rapidly in response to security flaws he and his collaborators had found. “We found major vulnerabilities in several major banking apps. The best ones were able to fix this incredibly quickly. We told them on the Friday, and by Monday morning their team had come in to go through it with us. By Wednesday they had a fix, and by Friday it was pushed out to everybody and the system was safe.” But, Chothia warns, this is much more difficult for hardware that is already out in the world and with customers. Regulators in the US had the unenviable task of weighing up whether to replace pacemakers that can now be hacked and reprogrammed. Eventually they opted not to.
Academic cyber experts also have the expertise to examine how future trends could change the risk landscape, as with 5G. The next, they warn, is the dawn of quantum computing, which promises to be incomparably more powerful than classical computing. This, warns Mark Ryan, will have “devastating consequences on the kind of cryptography we are currently using, and vast amounts of it will simply be broken. There is an effort to develop post-quantum cryptography to be prepared for that era.”
“All cryptography is based on some hard problem,” explains Tom Chothia. Around half of current cryptography puzzles are based on factoring large numbers, but quantum computers will be able to do this with ease. “Quantum computing would change all assumptions about what’s mathematically hard,” Chothia explains. Researchers are exploring quantum-resistant cryptography in preparation for supercomputers.
From car theft to banking apps, home appliances to contactless cards, these cyber academics are securing the technologies on which we increasingly depend. Governments, companies and the public can all rest easier at night knowing that every flaw they find is one less flaw for a criminal to exploit. “If it wasn’t for people like us, there would be the people securing systems, who will inevitably make mistakes, and criminals, who will exploit them, and no-one in between,” says Tom Chothia. “Without this offensive cyber research, security would be much worse - and the internet would be a much more dangerous place.”