Anyone driving to the store to buy hamburger knows how vulnerable the nation’s infrastructure has become to cyber attacks. Both the energy and food industries have been hit in recent weeks with ransomware. But what about cars and trucks themselves? The more they become rolling connected computers, the more they’ll attract cyber attacks too. Now the National Security Agency has teamed up with Morgan State University to learn more about vehicular vulnerabilities. Joining Federal Drive with Tom Temin with the details was the director of the Cybersecurity Assurance and Policy Center at Morgan State, Professor Kevin Kornegay.
Kevin Kornegay: Good morning. Thank you for having me.
Tom Temin: Tell us what it is you’re going to be working with the NSA to actually do here?
Kevin Kornegay: The project involves assessing the vulnerabilities through sort of using reverse engineering techniques. So we’re looking at both the hardware and software that comprises these systems that are deployed in the automobiles. These systems include electronic control units, also known as ECUs. They all communicate to access and control the subsystems in a car, for example, such as your braking system or your navigation system. Now, all these subsystems communicate across what they call the controller area network bus, which also connects to your Bluetooth, your WiFi, and so forth. So these are the, from an adversarial standpoint, these provide access points. For a hacker to launch an attack, for example, they may inject some malicious code or firmware onto the electronic device to create havoc.
Tom Temin: So in other words, even if you don’t have one of those satellite help systems like General Motors offers, or you don’t have a software-updated car, such as some of the electrics that get firmware upgrades over the air, even then you could be vulnerable if you have a Bluetooth connection.
Kevin Kornegay: Exactly. Because you also have the supply chain issue where these devices are manufactured in other parts of the world, where again, someone with malicious intent can insert Trojans into the hardware or software, unbeknownst to the manufacturer. These provide open doors for these folks so that they can control, for example, a Tesla.
Tom Temin: Sure. And now that we have kind of a semiconductor shortage that’s plaguing the industry, and there’s going to be a rush to catch up, that could create vulnerabilities coming in now in the next generation or the next round of automobile and truck build.
Kevin Kornegay: Yes, this is so true, which is why there’s a big push from the DoD and Intelligence Community to establish what you call a trusted supply chain, manufacturing supply chain.
Tom Temin: There’s a program called Ghidra that was developed by NSA and you’re going to be working with them on that. Tell us what Ghidra is and how Morgan State will use it in this research.
Kevin Kornegay: Ghidra is an open source tool that NSA developed, which we can use to reverse engineer the firmware that runs on these embedded electronic components, or it could be a microcontroller unit, and so forth. So we search the code to identify the malicious functions that are inserted in the code. And it’s a tool. But to access the firmware, first, you have to exfiltrate it or extract it from the actual hardware. Now the hardware manufacturers are getting clever; they have countermeasures to make it more difficult for adversaries to extract the firmware. So you have to bypass these countermeasures, and that requires skill and instrumentation. So that’s the first part. Now once you have the firmware, then you use Ghidra to actually step through the code to assess it for malicious code.
Tom Temin: We’re speaking with Dr. Kevin Kornegay, professor and director of the Cybersecurity Assurance and Policy Center at Morgan State University. But wouldn’t the car manufacturers, I would think, want to offer the code to trusted parties like Morgan State and the NSA, for the express purpose of helping them with their cybersecurity assurances?
Kevin Kornegay: Well, you would think so. But it’s a competitive industry. So they’d like to maintain their competitive advantage over other companies. So there’s a lot of mistrust. But the industry requires some standardization to address some of the security risks that the systems pose. But again, they’re also driven by profit margins, and so forth. So you’re working against that.
Tom Temin: And there’s an almost infinite variety of car models and functions and features in the given, say, every Ford or every Chevrolet. Do they all have the same code? Or does each variation have its own firmware?
Kevin Kornegay: There is a standardization coming about in terms of the navigation systems. So there are automotive operating systems that several manufacturers are trying to push. So there’s a big push in terms of operating systems that are exclusive to automotive navigation. So there are several companies doing it. But again, the code is open source; you don’t know where certain portions of the code were developed, certain countries where folks have malicious intent. So it’s the open market that created this problem that we have. So unless it comes from a trusted foundry or group, and it’s software, and the hardware is developed with security in mind, as in the forefront – but again, because of the profit margins, it’s quite expensive. But then again – look, we’re paying for it in terms of, as you mentioned earlier.
Tom Temin: So with the project or the contract that you have with NSA, what is the deliverable from Morgan State?
Kevin Kornegay: Well, we hope to provide, one, best practices to the industry in the Intelligence Community in terms of what measures and things they can do in terms of design and implementation to safeguard or mitigate to plug the hole, so to speak. So we will identify the holes in the hardware and the software, provide consultation on approaches for how to plug them. So that’s a goal.
Tom Temin: And NSA then will in turn communicate with industry, I would presume?
Kevin Kornegay: With industry, yes. For example, we are also talking about bringing in Consumer Reports, for example. They review over 100 cars. They provide these assessments and evaluations. So perhaps we can use Consumer Reports as a vehicle to get the word out to the consumers.
Tom Temin: So that might be the new round dot that’s half filled in or half black, or totally black or totally white, for Consumer Reports on cars, is the cybersecurity rating of a car.
Kevin Kornegay: Exactly! This is how we can affect change. And it’s driven by the consumer who wants safe and secure vehicles, particularly as we move towards autonomy, where again, you’re going to see more cars, more automobiles connected, where everything is connected. So this is a new realm where the attacks are going to be remote, and they’re going to be cyber attacks. You’re still going to have your conventional types of things. But the cyber attacks, because of the connectivity, it’s just more pervasive, and you can impose more maliciousness.
Tom Temin: It’s easy to imagine the scenarios, if someone got control of a car that way. So far, though, it seems like this is more of a potential than something that’s actually happened. So maybe for once we’re ahead of the curve?
Kevin Kornegay: This is my take: We’re being probed and adversaries are already in place. I don’t think we’re anywhere close to being ahead of the curve. I think the one thing we can’t afford to be is reactive, they have our attention, we have to be proactive, and really put forth the resources to really get a handle on these attacks.
Tom Temin: Yeah, you can bring the nation to a halt, I guess, if you weren’t able to cause 25-car pile-ups from Route 5 in Los Angeles to the Beltway in D.C., you’d have a real problem.
Kevin Kornegay: Yes. Imagine that occurring simultaneously, just across the country. I mean, the supply chain implications are just crazy.
Tom Temin: Dr. Kevin Kornegay is professor and director of the Cybersecurity Assurance and Policy Center at Morgan State University. Thanks so much for joining me.