Imagine if thousands of people started calling your phone at the same time, preventing you from receiving calls from your friends and relatives. No one’s actually hacked your phone. But you can’t get any calls just the same.
That’s essentially what happens in a Distributed Denial of Service (DDoS) attack – a malicious hacker directs hordes of Internet-connected PCs and devices under his or her control to attack and take down Web sites and cloud services. Remember when hackers shut down the BBC Web site in January by reportedly directing 602 Gbps of traffic at it? There was also the disruption of Boston hospital networks in 2012, and the Nasdaq stock market outage in 2012.
Last Friday, a massive DDoS attack knocked out many popular U.S.-based web sites, including Twitter, PayPal, Etsy, Reddit, and the New York Times. The twist? Most of the botnets directed by the hackers were composed of Internet of Things (IoT) devices such as DVRs and webcams infected by an unsophisticated malware called Mirai. Poor security is a hallmark of IoT devices today – see our demos of hacking a drug infusion pump and a connected tea kettle at our last two Security Summits. Until manufacturers of insecure IoT devices are held accountable (as my colleague Nader Henein proposes), we’ll see more unwilling soldiers added to DDoS armies.
Botnets on Wheels
Connected and autonomous cars of the future are nothing if not IoT endpoints on wheels. Automotive security is arguably more important than traditional computer security, since cars can easily become dangerous weapons. Most new high-end cars can already connect in multiple ways, including cellular, Bluetooth, Wi-Fi, and USB, and in the future via V2X. And while the IT industry has been in the networking business for decades, dealing with security and developing risk mitigations and best practices, car makers are relatively new to these issues.
Today’s high-end sedan runs software with over 100 million lines of code. It is estimated that for every 1000 lines of well-written code, there is one security vulnerability. So you can imagine how many potential vulnerabilities can stay dormant for years until exploited by hackers armed with nothing more than OpenGarages’ Car Hacker’s Handbook. Even the new generation of high-tech cars developed from the ground up with security in mind is still subject to remote hacks, according to reports, turning them into deadly weapons.
Fast forward to a few years from now. After a few high-profile security incidents, car makers have upped their security game to the level of the tech industry. Fully autonomous vehicles are starting to appear, though they will only become widely adopted once the related infrastructure has been established: command and control centers that take sensor data from cars to adjust traffic lights, bridges that inform cars when they are dangerously frozen, and cars that collectively warn each other of dangers ahead through cloud-based services. At that point, networked cars will have become as secure as mainstream IT infrastructure, but they will still have a larger attack surface to deal with because of their mobility. So if a car is enlisted into some hacker’s botnet, it can be used to jam the command and control center for a particular road or region, or to attack and crash an 18-wheel truck carrying a dangerous load such as gasoline.
So how should the car industry avoid DDoS exploits?
For the last two months, my team at BlackBerry has been doing software technology roadshows around the world, covering everything needed to make the autonomous car a reality. After hundreds of hours of meetings, a lack of security standards is the emerging theme for most car OEMs. In fact, the standards are already here, in the form of algorithms, certificate signing and secure supply chains. The issue is the auto industry’s knowledge gap around best practices: how to apply these technologies in layers and, most importantly, how to manage them on an ongoing basis. A security ecosystem vision has not emerged yet, and even if it does, it will differ for each car maker because of how they individually design and manufacture. Our Tier-1 customers that provide electronics modules to car makers (think Bosch, Delphi, etc.) all see security as a competitive advantage and want to promote their own recipe. That actually conflicts with the preferences of automakers, who always want second or third sources for any technology, including security.
We are not competing with other Tier 1 auto suppliers, and hence can provide solutions available throughout the supply chain. We have been supplying safety certified embedded software to the automotive industry for over 20 years, with over 60 million cars’ infotainment systems powered by our QNX platform. BlackBerry’s security and privacy have been trusted by world leaders for over two decades, which is why we are the mobility partner to 16 of the G20 governments, 10 out of 10 of the largest global law firms, and the 5 largest oil and gas companies. BlackBerry security has earned over 70 government certifications and approvals — more than any other mobile vendor. Combine that with BlackBerry’s over-the-air (OTA) managed services for timely security patches and functional software updates, our automotive security services consultants, and QNX’s industry know-how, and you have the car industry’s emerging leader in automotive security. At BlackBerry, we’re actively working with car makers and other industry leaders to protect the safety and security of your car.
Originally published here.