First published in ITS International
Increased connectivity in transportation is a potential goldmine for hackers. To stop them, Stacy Janes at Irdeto says it’s important to think ‘maliciously’. Adam Hill talks to him about ITS’s weak points – and why turning up car radios could be enough to bring auto manufacturers to their knees.
“I was on the hacking team: my speciality was ‘malicious thinking’. I learned how to steal cars.” The speaker is Stacy Janes. He is charming and utterly disarming. Fortunately, he is not a hacker – rather, he is employed to stop hackers. And part of that involves thinking like one. He did not actually steal any vehicles, of course – he insists quickly – “but I knew how to break into different cars”. Now, as chief security architect - automotive at Irdeto, it is his business to know about the dark arts: “My fascination is how people break into things: homes, data, identities.”
If you want to beat the hackers, the answer is simple, he says: “Think maliciously!” As the ITS industry relies increasingly on data and connectivity – enjoying all the technological benefits that brings – businesses are finding themselves increasingly vulnerable to attack by people who want to steal information or disrupt the system, causing potentially massive financial harm. The parameters are always shifting: for instance, air gapping – a process by which secured computers were isolated from unsecured ones – was popular until a few years ago when it was shown to be vulnerable to ultrasonic sounds.
For this reason, Janes sees the ITS business as a battleground. “It’s intelligent engineer versus equally intelligent malicious hacker,” he insists. “It’s a cat-and-mouse game and your only aim is to be the cat. Lots of mice survive – but lots of mice don’t.”
Actually, Janes does not only view business in this way. “That goes for security on every level,” he says. “When you think of protecting your home, you’re going to take your basic steps.” He pauses, then adds with a smile: “You’ve probably never broken into someone’s home.”
Housebreaking is an analogy that works for businesses keen to protect their assets. “Every company has the same policy in response to a hack: panic!” he smiles sympathetically. But it does not have to be that way. It is important to look at those things we take for granted and accept that someone, somewhere, might want to be getting unauthorised access to them – whether that is our homes, our bank accounts, or the software that keeps our business running without interruption.
“Malicious third parties can get into the ecosystem,” he says. This goes for any ITS programme, and has the potential to make exciting developments such as Mobility as a Service (MaaS) especially vulnerable.
A connected car at a traffic light could be targeted. “The vehicle trusts the traffic light so get it to send encrypted information to the car,” Janes explains. “It’s like the weakest link in the chain – it becomes complicated very quickly. My car is taking information directly from traffic lights and is going to be taking less and less input from me.” Put like that, you can see immediately why security is so important. “All the cars are constantly changing,” he continues. “So you have a never-ending change in the ecosystem – and I’m getting less and less input.”
MaaS is an obvious target and Irdeto has partnered with Conjure to produce Keystone, a secure system that allows vehicle owners to create and control policies around multi-user vehicle access, settings and usage. Customers need to know that the person who uses a car-share vehicle after them cannot access their data, for instance – while companies do not want people being able to use services they have not paid for. Owners can decide where and how other drivers can use the vehicle, with vehicle settings customised to each authenticated user.
Irdeto provides many other protection services for companies worried about their digital platforms. “Irdeto has been doing cybersecurity since ‘cyber’ was a thing,” Janes says. “We have so much expertise. The starting point was we have to protect the assets on your computer – and every few months there is a new vulnerability. It’s a rock that someone throws through the window.”
Once an intruder gets into the house, there needs to be some form of defence – so that even if you can get in, you can’t do anything harmful. “We’re the guard dog inside the house,” says Janes. “We don’t have to shut anything down because we can ensure that you’re not doing any damage.”
An original equipment manufacturer (OEM) might realise that its telematics is vulnerable, for example. “But they can’t release a fix overnight.” That’s not necessarily vital – so long as you are defended. “So the vulnerability gets him in to your system,” Janes continues. “But the next layer of security is there. We are actually attacked every day. It’s an active situation for us – and we know how to do this, we know this works.”
‘Normal’ people are not necessarily thinking about the right things. “People don’t think maliciously,” smiles Janes. “They don’t realise that other people think that way.” The automotive industry is an interesting case. Hacking experts Charlie Miller and Chris Valasek deliberately tried to illustrate the vulnerability of car systems by remotely hacking a Jeep Cherokee in 2015, apparently controlling the steering and braking, according to an article in Wired magazine. It worked. “When the Jeep hack happened, they knew there was a problem – it got everyone’s attention,” says Janes. Fiat Chrysler recalled 1.4 million vehicles as a precaution.
The rise of connected and autonomous vehicles means that there are, potentially, multiple points of weakness for hackers to exploit. Asked to put his ‘malicious’ hat on, Janes considers how an enemy foreign government might approach this situation for gain - to disable the US road network, for instance. “The most malicious thing they can do…” he muses. “Well, I don’t have to bomb all the bridges if my state-based hacking team could shut down trucking. After a week, there is no food, there are riots, people turning on the government – and then you attack.” That sounds awful. “That’s the worst-case scenario,” he agrees. Clearly, thinking maliciously has something going for it.
On the other hand, he points out, trucks are one thing; to try and disable all the cars in North America would potentially be more difficult. But actually, you wouldn’t have to disable them at all. “Ransomware is a big thing – not to the owner, but to the OEM,” he explains. “So what if you turn all the [car] radios up to the max and then lock it there?”
For a manufacturer, this is a nightmare: cars being returned to dealerships by thousands of angry customers, all with a problem that you are unlikely to be able to fix quickly. “This is where fear comes into it,” Janes says. “Then you get the stories – the media interest.” That sort of negative publicity is potentially crippling to any brand. “That’s a more likely scenario than crashing all the cars,” he goes on. “You’re really hacking a person at the OEM.” The fear of what the ransomware can do – for example: “I can get to the fleet maintenance system to push malware out onto all the cars” – is what hackers will be trying to create.
For this reason, it pays to make things as difficult as possible for them. “Hacking is a business like any other,” he concludes. “If you make them spend $1 million to get $1 million, they’re not interested.” Not every system, therefore, has to be cast-iron and bulletproof. But it has to be good enough – and Stacy Janes does most of the worrying so that the rest of us don’t have to. He has an interesting perspective on business – one which perhaps we should all give a little more thought to as we go through our daily work routines. Another thing comes out of ITS International’s conversation with him, too: the realisation that you really want people like that on your side.