Need to beef up against vehicle hacking

By CARSIFU | 2 April 2021


KUALA LUMPUR: It's a cat-and-mouse game.

Security systems by Original Equipment Manufacturers (OEMs) are the benchmark of the industry, yet sometimes even OEM Tier 1 and 2 suppliers get hacked.

In August 2020, researchers assessed 10 OEMs and suppliers, evaluated the hardware and software of more than 40 electronic control units (ECUs) in development, and found over 300 vulnerabilities.

In October 2020, hackers learned from two CVEs (Common Vulnerabilities and Exposures) from mainstream Continental models and hacked through the infotainment system.

Some 79.6% of attacks between 2010 and 2020 were done remotely.

These attacks affect not only auto manufacturers or OEMs but the industry as a whole.

The same goes for smart cities: as cities grow smarter, new intelligent transport innovations such as smart traffic lights, parking and navigation become higher risk.

[Figure: Common Attack Sectors]


So how does that affect the common Joe? Simple... all a black hat hacker has to do is hack your system, render the vehicle inoperable and hold you to ransom.

The ransom is a small amount which you would gladly pay as replacing the system would cost you more money.

What happens after you are hacked?

Firstly, there is the loss of transportation. Secondly, you have to continue your financial commitments even with the loss of use.

Hopefully the hackers don't hack your vehicle while you are driving with your family, as they might want to prove a point while you are driving to make it more real and create fear in you.

You might consider insurance that covers the loss of use and the hacked vehicle.

Firstly, in Malaysia many of us don't even cover flood in our insurance clauses as that adds to the premium.

In that case, worldwide auto insurance is a USD$200bil business and insurers are not 'in it to lose it'.

So insurance companies will be smart enough to access the CVEs of the auto manufacturers and charge you according to those CVEs.

So once again we will be at the mercy of the black hat hackers.

So what can be done to protect ourselves and industries alike from falling victim to these black hat hackers? Basically this will fall under the jurisdiction of the government.

The government has to impose adherence to international cyber security standards, unlike the hastily conceived MS 1742, which was passed as law in 2004 but saw no enforcement until 2006.

[Figure: Cyber Attack Breakdown]


To this day there is no enforcement, as no government agency can handle the audit.

MS 1742 is a security system that all auto manufacturers have to follow to reduce vehicle theft.

MS 1742 was conceived by a few people who 'cut & paste' requirements from other standards, but what these people failed to note was that the copied standards were already 10 years old at that time and were not relevant in 2004.

And if the government is looking at establishing security and cyber security standards, let the experts handle it and don't let bureaucrats manage it.

Like Euro 2M (diesel), where we have to pay a bit more for the M rather than use the common Euro 2. That's another story.

Firstly, the government should revise MS 1742 so that it meets today's requirements, as not all vehicles will be connected.

Thieves know exactly how to override the security system of popular vehicles and can steal them in less than five minutes.

We can follow VSST (modelled after Thatcham and run by a Thatcham ex-engineer) standards.

After revising MS 1742, pass it as a law that compels auto manufacturers to adhere.

This will help to bring down vehicle theft by at least another 20%.

Since cyber security is still relatively new, Malaysia should not try to be smart and venture out on its own but rather join international researchers who have done extensive and intensive research into it.

So what are the world cyber security standards now?

Malaysia can adopt any one of the following best practices:

• UNECE WP 29 – adopted by UN and most EU countries.

• ISO-SAE 21434 – German standards.

• NHTSA – National Highway Traffic Safety Administration USA is looking at best practices from ISO-SAE 21434.

• APCOSEC – IPA (Information-Technology Promotion Agency) Japan.

Malaysia's crime-fighting agencies, consisting of the police, Bank Negara, Persatuan Insurans Am Malaysia, the Royal Customs Department and other related agencies, should study and advise the government accordingly.

 

ALEX LYE 

President International Association of Automotive Theft Investigators (IAATI)
Asian Branch
