Note: This article first appeared at In Cyber Defense.
By Wes O’Donnell
Managing Editor, In Military and In Cyber Defense
A modern vehicle is the most expensive computer that you own. While car hacking may seem like science fiction, today’s cars have serious security vulnerabilities. These security gaps could allow a remote hacker to take control of vehicles’ computer systems and cause crashes.
According to the British online newspaper the Independent, the makers of the Jeep Cherokee were forced to recall 1.4 million vehicles in 2015, after U.S. researchers demonstrated they could remotely hijack a test car’s computer system over the Internet during an experiment.
According to Wired magazine, the test car was traveling 70 mph through a suburb of St. Louis, Missouri, when the researchers interfered with its air conditioning, radio and windshield wipers. The researchers then cut the transmission, so the car slowed to a stop after doing 64 mph on a highway.
Cars built after 2005 have between 50 and 100 electronic control units. They are essentially small computers that control many of the car’s automated systems — everything from the locking system to the power steering and even the brakes.
Adoption of Self-Driving Vehicles Add Another Layer of Vulnerability for Hackers to Exploit
Moreover, it seems the nation is hurtling toward a future of driverless vehicles with huge strides made by Tesla, Waymo, Audi and eight other major automotive manufacturers. Even the U.S. Army, through its Tank Automotive Research, Development and Engineering Center (TARDEC), is deep in the development of autonomous tanks. As a result, autonomous vehicles will add another layer of vulnerability on top of an already complicated system.
From a national security perspective, the stakes have never been higher. According to Justin Cappos, a professor in the Computer Science and Engineering Department at New York University, an adversary with a mature cyberattack capability like Russia or China could kill millions of drivers and passengers in a coordinated cyber strike.
Defeating Car Hacking Require Extraordinary Cybersecurity Companies
At the invitation of the Michigan Economic Development Corporation (MEDC), I recently toured, Grimm, a company that has set up a Cybersecurity Research Lab for Automobility and Aerospace Industries in Sparta, Michigan, a small village a few miles north of Grand Rapids.
As a cybersecurity engineering and consulting firm, Grimm researches, develops, solves and advises government and commercial organizations on cybersecurity. Led by former military officers, government leaders and industry experts, Grimm provides tailored security assessments based on current and emerging techniques.
When I asked, “Why Sparta?” Grimm CEO Brian DeMuth looked at me as if he’s answered this question many times before. “West Michigan’s low cost of doing business, combined with its talented pool of technology workers makes our company more competitive,” DeMuth’s responded.
It doesn’t hurt that Michigan is home to not only some of the largest automobile manufacturers in the world, but also several aviation powerhouses like Arconic and GE Aviation.
Grimm received a $216,000 performance-based MEDC grant to hire dozens of local tech experts.
Grimm is a pioneer in embedded systems. “When it comes to embedded device chipsets, there is a ubiquity across multiple industries,” DeMuth said. While this ubiquity might increase the potential for vulnerabilities, it also provides a framework for the experts at Grimm to harden multiple systems simultaneously.
How Grimm Assesses Vehicle Security Vulnerabilities
Grimm’s philosophy for preventing transportation hacking is a traditional security assessment approach, including reconnaissance, analysis, exploitation and consulting, all through the lens of an attacker. The company motto is “Our offense informs your defense.”
Grimm designs its security systems by asking:
- How do you know if your systems are vulnerable to cyberattacks?
- Do other systems in a vehicle or in a smart infrastructure make you vulnerable to cyberattacks?
- Is ransomware a concern for automotive security?
- What sort of communications go to and from your fleet and why are they vulnerable?
- What are the threats to your system?
The result is a detailed vulnerabilities report that is ranked by risks from the most severe to the least. The report includes recommended technical solutions and security knowledge transfer to the client’s technical personnel.
Grimm is the brainchild of Bryson Bort, a National Security Institute Fellow at George Mason University’s Antonin Scalia School of Law. Bort is also the co-founder of ICS Village, a non-profit provider of education and awareness of Industrial Control System security.
Grimm is led by some of the most passionate and dedicated white hat hackers in the country. Grimm’s logo, a caricature of the Grim Reaper, speaks to veterans’ dark sense of humor. That is not surprising, given Bort’s background as a U.S. Army veteran and West Point graduate.
Despite Grimm’s knowledge and expertise, I can’t help but feel that we Americans are playing catch-up to cyber criminals who seem to have a huge head start.
That’s why we need more companies like Grimm. We also desperately need more trained cybersecurity professionals.
DeMuth said Grimm wants to hire 65 new employees in the near future. But the challenge is finding qualified candidates.
Enter Grimm internships. The company offers competitive internships and interesting, meaningful work. Prospective interns must be willing to relocate to Northern Virginia for 10 weeks in the summer.
As for Michigan, the state is poised to serve as the primary mobility provider to the nation in the decades to come. Grimm and companies like it have a key role to play to ensure that advances in transportation and mobility are achieved securely and safely.