Just as DDoS (Distributed Denial of Service) attacks seemed, over the last few years, to have become only minor, mostly irritating disturbances, more recent events have shown that they are coming back in force.

One of them, of particular gravity, took place in France in September 2016, when a major server host, OVH, faced attempts to paralyze its network with 1 Tbps (terabits per second) attacks. The volume of traffic in the attack is remarkable, but its source is the most worrying. Investigations have since shown that this attack was likely facilitated by IP (Internet Protocol) surveillance cameras with poor or non-existent protection. And IP cameras are part of the Internet of Things.

The issue of Internet of Things security has two branches: one looks at the demographic explosion of connected objects, from 8 billion in 2010 to probably 80 billion in the year 2020 (according to the IDATE study bureau); the other concerns securing them. Both branches are correlated: how can a rapidly expanding phenomenon, in perpetual change, be effectively secured? And this is where the cars of the future come in.

Well-known designers, such as the giants of the digital sector, are already seriously planning the autonomous machine of the future, that is, one steered by artificial intelligence. Artificial intelligence involves the partial and then full delegation of driving. This can only be achieved if the vehicle is able to guarantee compliance with the most reliable route selected, and in order for it to comply with the starting command, the vehicle must be permanently connected to its environment and to some communication relays.

If the vehicles produced between 2000 and 2015 had a pre-installed database integrated into the control screen to guide the human driver (e.g. GPS navigation), the current challenge for the designer is to provide a self-evolving and up-to-date database that can respond to even more specific requirements, such as a change in itinerary due to a temporary traffic jam or a search for the service area with the most advantageous rates within a radius of x kilometers. This is the first step towards a dynamic autonomous driving style (1). This driving style will require an up-to-date information flow, ranging from leisure information (for example, a festival taking place close to the vehicle’s itinerary) to security information (for example, a route that is temporarily inaccessible due to floods).

To this end, four categories can be defined:

  • Entertainment information (signaling tourist spots near the vehicle's location, or entertainment software integrated into the control screen);
  • Vehicle interaction (indication of battery usage, or allowing calls to the manufacturer’s assistance center);
  • Driving assistance (ecological driving style or itinerary planning);
  • Vehicle self-security (distance, payment of parking spaces, or a global positioning service to locate a rented vehicle).

And yet, what is the link between these connected vehicles and the IP cameras mentioned at the beginning of this article? A simple one: they follow the same worrying path. Their number will increase exponentially in the years to come, and some examples raise legitimate questions.

One example in particular triggered a scandal in the specialized press: two computer science researchers, Charlie Miller and Chris Valasek, managed to interact remotely with a Jeep Cherokee (2) and were able to use at will all the elements on board this 4x4, from the air conditioning system to the brakes and steering, all from a distance of about 10 miles (16 kilometers).

The Fiat-Chrysler Group took this demonstration seriously and asked users to correct this IT security weakness by installing a patch. This takeover of control can be even more insidious, as was demonstrated by the substantial alteration of a chosen itinerary on the navigation map. Broken down, the Uconnect system is a set of functions that allow you to browse, as well as play music or make a phone call. This multifunctional electronic system, found in more or less the same form at other groups in this sector, is just an entry gate for malicious persons.

The entry/exit points that may be the weak points of modern vehicles are:

  • On Board Diagnostics (OBD) Port
  • The 4G / LTE (Long Term Evolution) Modem
  • Bluetooth
  • CAN (Controller Area Network) Bus / VAN (Vehicle Area Network) Bus
  • The RFID chip (Radio Frequency Identification)
  • The CD / DVD Reader

These weak points are not always due to a lack of attention, or a refusal to take security measures, on the part of the manufacturers or their subcontractors. Many software weaknesses are actually unknown (zero-day) and are only corrected once their existence comes to light. It is just that the inventiveness of hackers and the growth in access points to modern vehicles complicate the work of the staff responsible for eradicating them. In addition, consumers’ demand for, and habit of having, a set of functions inside the vehicle makes limiting them technically impossible; deactivating the electronic functions that help stabilize the vehicle in any situation does not even come into question.

Under these circumstances, the growing market for connected vehicles will be easily integrated into the Internet of Things, as they will communicate and interact with the passenger and with static and mobile terminals.

The difference between hacking an IP camera and hacking a connected car is that, in the absence of a second system for taking over control, the risk of a fatal accident becomes extremely high for the driver and the passengers, and for other users as well.

It is a real danger that has drawn the attention of many equipment manufacturers and designers, who are trying to bring the problem down to a minimum risk threshold, for example by implementing collaborative initiatives that aim to exchange information and redirect researchers to the IT security field, as well as towards antivirus and firewall design companies (for example, Auto-ISAC [Information Sharing and Analysis Center] or EVITA [E-safety Vehicle Intrusion Protected Applications]). This is a necessity because the work is Herculean: it is estimated that a connected vehicle contains almost 100 million lines of code, compared to just 8 million for a modern fighter jet.

These exchanges between the different players in the field should make it possible not only to raise the level of security, but also to protect the holders of technological secrets from the theft of crucial elements. As the remote takeover of a vehicle is a major risk, the risk of technical data theft cannot be avoided, as the data concerns both the driver and the electromagnetic details of his or her means of transport. We must therefore not forget that the first line of defense in computer security remains the user, concerned about protecting his or her own good … and his or her own life.

Andy Greenberg, Hackers remotely kill a jeep on the highway with me in it, Wired, July 21, 2015 – https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
Auto-ISAC – https://www.automotiveisac.com/
EVITA Project – http://www.evita-project.org/

  1. An autonomous vehicle is not necessarily connected; for example, it may use various sensors and integrated cameras (such as LIDAR [Light Detection and Ranging]) to navigate in space while in motion. However, its effectiveness depends on a certain geographic limit and driving activity. In addition, the vehicle does not communicate with objects around it: it receives information without emitting it. Dynamic autonomous driving requires real-time data exchange. Likewise, a connected vehicle is not necessarily autonomous either, because the driving delegation option might not have been selected or is just not available on that model.
  2. In 2013, a Toyota Prius and a Ford Escape were also hacked; however, the procedure required the presence of two specialists inside the vehicles, and it was done over a cable and not remotely. In 2015, a remote hacking demonstration was made.


Translated from original article in French

Yannick Harrel | Expert and lecturer in Cyberstrategy at the Business & Finance School in Strasbourg
