The Urgent Need for Key Fob Cybersecurity

As Phoebe Wall Howard writes in her excellent Detroit Free Press article, car key fobs are extremely vulnerable to cyber-attacks.

 

“There’s technology out there that allows people to [walk up to a car and remotely open it],” said former Macomb County sheriff Mark Hackel. Mr. Hackel fell victim to a key fob hack this past May, when a criminal gained access to his vehicle and stole a pistol that was stored in the console. What’s more alarming is that car hackers can remotely start your car’s engine, and even extract your personal information by exploiting fundamental flaws in key fob and keyless entry technology.

 

These flaws are being exploited by bad actors who employ man-in-the-middle (MITM) and relay attacks – the two most common ways to take advantage of an unsecured key fob. Man-in-the-middle attacks involve a radio device that intercepts, clones, and replays communications between two endpoints. The ease with which car hackers can perform MITM attacks is being widely publicized, especially after researchers from the University of Birmingham and the German engineering firm Kasper & Oswald revealed that over 100 million Volkswagen vehicles have vulnerable keyless entry systems.

 

The other common method of compromising a key fob’s security is a relay attack, which is executed by detecting and amplifying the keyless entry system’s signal. Signal amplification can trick a vehicle into thinking the key fob is much closer than it actually is, triggering doors to open, starting the car’s engine, and enabling a car hacker to drive away without a trace. These are a significant subset of the cyber-attacks that the automotive industry faces today. But leaders in the cybersecurity industry are developing technologies to head off this threat.
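The following is an added example, not code from the article or from any Trillium product. It is a minimal Python model of a receiver-side check, showing why a counter plus MAC rejects a replayed frame yet still passes a relayed one unless the car also bounds the fob's distance. The key, frame layout, counter window, processing delay and the round-trip time the radio is assumed to measure are all constructed for illustration.

```python
import hashlib
import hmac
import struct

C_M_PER_NS = 0.299792458  # speed of light, metres per nanosecond


def make_frame(key: bytes, counter: int) -> bytes:
    """Fob side (constructed layout): 4-byte counter + 8-byte truncated HMAC."""
    body = struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class Receiver:
    """Car side: accept a frame only if it is authentic, fresh and nearby."""

    def __init__(self, key, window=16, max_distance_m=3.0, fob_processing_ns=1000):
        self.key = key
        self.last_counter = 0
        self.window = window                        # counters accepted ahead of the last one
        self.max_distance_m = max_distance_m        # assumed proximity policy
        self.fob_processing_ns = fob_processing_ns  # assumed fixed fob reply delay

    def check(self, frame: bytes, rtt_ns: float) -> str:
        if len(frame) != 12:
            return "reject: malformed"
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        counter = struct.unpack(">I", body)[0]
        # Freshness: a recorded frame carries a counter the car has already seen.
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return "reject: stale counter"
        # Proximity: a relayed frame is authentic and fresh, but the extra
        # path shows up as time of flight beyond the fob's processing delay.
        flight_ns = rtt_ns - self.fob_processing_ns
        if flight_ns < 0 or C_M_PER_NS * flight_ns / 2 > self.max_distance_m:
            return "reject: fob too far away"
        self.last_counter = counter
        return "accept"


def demo():
    key = b"constructed-demo-key"  # constructed shared secret
    car = Receiver(key)
    first = make_frame(key, 1)
    second = make_frame(key, 2)
    return [
        car.check(first, rtt_ns=1010),   # owner about 1.5 m away
        car.check(first, rtt_ns=1010),   # same frame sent again
        car.check(second, rtt_ns=1400),  # fresh frame arriving over a long path
        car.check(second, rtt_ns=1012),  # same frame from the owner nearby
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third case passes the MAC and counter checks and fails only on timing, which is why freshness alone does not address signal amplification.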

 

“Trillium is developing end-to-end cybersecurity solutions that mitigate the risks of key fob vulnerabilities, and protect data generated by vehicles for its entire lifecycle,” said David Uze, President and CEO of Trillium Secure at the Auto-ISAC Cybersecurity Summit in Detroit.

 

As a Trusted Mobility Services provider, Trillium is developing technologies to protect drivers’ key fobs against MITM and relay attacks. Trillium secures data from its origin to its retirement for all mobility, transportation, and vehicle services. To learn more about how Trillium’s cybersecurity platform protects vulnerable data today and tomorrow, visit https://trilliumsecure.com.

Highlights from Mobile World Congress Americas 2018

Mobile World Congress Americas (MWCA), the world’s largest exhibition for the mobile industry, took place this year in Los Angeles between September 12-14. Last year’s show in San Francisco brought in around 22,000 attendees, and the organizers expect this year’s show to easily top that.

 

Trillium exhibited in the 4 Years From Now (4YFN) section, a specialized area that celebrates innovative startups whose technologies will impact the world in the near future. This program returned for a second year at #MWCA18, enabling startups, investors, corporations and public institutions to connect and launch new ventures together from all around the world.

 

“We met a broad spectrum of valuable partners and had the chance to hold in-depth conversations with representatives from wireless carriers and the investment community,” said David Uze, CEO of Trillium. “I communicated to the right audience about 5G and IoT vulnerabilities, and personally met with dozens of talented engineering recruits and seasoned business development candidates.”

 

The theme of this year’s event was “Imagine a Better Future,” and the bustling atmosphere of the exhibition floor reflected the optimism and excitement expressed by keynote speakers from AT&T, Verizon and Nokia. Sprint’s Executive Chairman Marcelo Claure headlined the event saying, “There are three reasons why 5G is a quantum step forward in connectivity performance: ultra-high speeds, ultra-low latency, and the Internet of Things for billions of devices. And there are many amazing use cases that will enable a number of consumer innovations.”

 

5G was one of the biggest talking points at the event, all over the exhibition floor, and in most keynote sessions. There were several interesting use cases of the new radio access technology on display at Innovation City, and the conference program featured over 400 speakers highlighting other topics such as artificial intelligence, IoT, cybersecurity, content and media, drones, blockchain, policy and regulation. Team Trillium engaged with a Tier-1 mobile operator about autonomous driving and V2X use cases as some of the key drivers of their 5G investments and network rollout.

 

It’s difficult to closely examine what happened at the mobile industry’s key event in Los Angeles without talking about Hollywood and the entertainment industry at large. Entertainment is one of the leading drivers of the mobile telecom industry; moreover, content distributors such as Facebook, YouTube, Netflix and Amazon Prime already make up a gigantic part of mobile network traffic. With the U.S. set to lead the 5G revolution, the three largest mobile operators are already touting new mobile 5G networks as the foundation for video consumption everywhere.

 

While the potential benefits of nationwide 5G deployment dominated MWCA 2018, many representatives from the automotive, aerospace, maritime, and drone industries visited Trillium’s booth to learn more about its multi-layered cybersecurity platform and secure data lifecycle services.

 

“The amount of interest in our technology, from people of so many industries and backgrounds, really hit home how important data security is to every aspect of society,” said Kamel Ghali, field applications engineer at Trillium.

 

“The most exciting portion of MWCA for me was meeting with a representative from the Department of Homeland Security,” said Zoran Kehler, vice president and director of aerospace and defense programs at Trillium. “We learned a lot about DHS’ advanced research organizations and advanced research programs and discussed how Trillium can become involved in many more U.S. homeland security projects through DHS.”

 

There were also many MWCA attendees from the investment banking and public sectors who gave their attention to Trillium’s holistic and multi-layered approach to protecting vehicles from cyber-attack and keeping private information confidential.

 

Dan Viza, vice president and director of strategy at Trillium, added, “Our first participation at MWCA was a great success and a significant milestone for us to be selected to participate in the 4YFN exhibit which recognized Trillium as a disruptor in the cybersecurity space. We engaged with many new, high-quality contacts, including productive meetings with key players in the mobile industry and investment banks.”

 

After three full days manning the booth at MWCA, Team Trillium is headed next to the Automotive ISAC Summit in Detroit from September 25-26.

CEO David Uze is Charged and Ready for Hack Across America

Trillium Secure CEO David Uze is hitting the road again to raise awareness among ordinary drivers, students, and major players in the automotive industry about the clear and present danger of car hacking. He departs this morning from Trillium headquarters in Sunnyvale and is headed to Mobile World Congress in Los Angeles to run the company’s booth in Hall West (Stand W.224C).

 

Just this week, Wired reported that KU Leuven researchers recently discovered wide-open vulnerabilities in several high-end car makers’ key fobs. To address how cybersecurity technology and secure data services can be implemented to prevent these types of attacks, Mr. Uze will be driving cross-country in a Trillium-branded electric vehicle and making a series of stopovers at research institutions.

 

The first stopover for this phase of Hack Across America will be the University of California Los Angeles, where Mr. Uze will meet with members of the Engineering Society and encourage students to learn more about the booming automotive cybersecurity industry. He will also talk about recruitment opportunities and how talented, curious, and driven students can gain experience in entrepreneurship and hands-on technology development. During the engagement, Trillium engineers will introduce the company’s cloud-based PassGO Hacking Challenge and invite passionate students to test their white hat skills.

 

Check back regularly to see if David and his colleagues will be stopping by a university near you!

Your Company’s EV Charging Station is a Prime Target for Car Hackers

Electric vehicle charging stations are the latest workplace perks used to attract the hottest engineering talent (are you the Tesla guy at your company?). But did you know that the charging port is one of the most vulnerable attack surfaces on your car?

 

A simple skimming device, similar to the ones used in ATM fraud, can easily be made and deployed on a charging station by a motivated attacker. When an unsuspecting employee plugs in his or her electric vehicle and heads into the office, the skimming device can gain access to the private information stored on the electric vehicle’s onboard computers. This type of hacker exploit has been identified by cybersecurity experts as a weakness for charging providers.

 

Yaroslava Ryabova wrote an excellent article on the vast range of problems related to infrastructure cybersecurity due to industry players rushing unsecured charging stations to market. Some of your most private information can be viewed, modified or even deleted from your car’s in-vehicle network. In addition, an increasing number of cars are adding cell phone mirroring dashboards that enable drivers to project mobile content to the vehicle’s infotainment system. If a car hacker gained access to your infotainment system via the charging port, they could theoretically view your music playlist, frequently visited locations and, of course, your credit card information. Moreover, a chain of vulnerabilities could allow the car hacker to gain access to your company’s information from your Bluetooth connected company phone, including work-related emails, text messages, and stored files. Potential motives may include financial gain through a ransomware attack or to steal trade secrets.

 

The most horrific consequences of an electric vehicle hack could be tricking the car’s battery into thinking it has not been fully charged. Disabling the surge management system could trigger a powerful explosion causing significant damage to the car, the surrounding area, and its occupants.

 

Thankfully, Trillium’s engineering team has developed SecureIXS, one component of the company’s multi-layered cybersecurity solution that prevents would-be cyber-attackers from gaining access to your electric vehicle’s onboard computers. SecureIXS uses a firewall and machine learning algorithms to detect anomalous data patterns, such as an unauthorized request to access your private data while charging. Cutting-edge solutions like SecureIXS are a critical piece to the widespread adoption of electric vehicles and the nation-wide deployment of charging infrastructure.

Your Car is a Data Goldmine

Once upon a time, our private data was simply a paper trail that grew with every signature we made. Today, all of us are kicking up little storms of data in the wake of our journey through life – every swipe, click, face ID scan, or Sunday afternoon drive produces a ton of information that is analyzed and monetized. Private data has always been sacred, but it’s now become a valuable resource that’s sought by social media companies, automakers and, unfortunately, cyber-thieves. That’s why your private data must be kept confidential, it should remain anonymous, and it needs to be secured.

 

One rich, and often overlooked, source of private data is your car. As Zeljka Zorz mentions in her HelpNetSecurity.com article, “Smart cars gather sensitive data such as location, the driver’s daily route, apps that are used…[opening] consumers to dangers they weren’t susceptible to before.” On the surface level, corporations can leverage the potency of today’s data analytics technology to deliver unwanted ads on your infotainment system or produce other driving distractions. But if you investigate deeper, it becomes clear that our smart cars’ connectivity is an attractive target to bad actors who can easily gain access to compromising information or even the mission-critical motor functions of your vehicle.

 

To guard against these contingencies, Trillium has developed a suite of cybersecurity products to protect your safety and the integrity of your data throughout the vehicle’s lifecycle. For example, Trillium SecureIXS software uses machine learning algorithms to detect anomalous data patterns in your car’s network communications to prevent hackers from stealing your data. Trillium’s products also ensure that fleet operators are following GDPR regulations, which mandate that all companies securely manage their customers’ private data.

 

The car on the open road is a staple of Americana – it represents the joy of free movement and expression. Don’t let cyber-thieves hamper this freedom. Keep your connected car safe and your private data confidential.

Trillium Wins the Government Innovation Award

Trillium received the Government Innovation Award and joined the ranks of a select list of private-sector companies which government considers vital to its IT community. This year’s Industry Innovator award recipients were recognized as disruptors, innovators, and emerging leaders in the IT industry.

Trillium’s leadership role in the vehicle cybersecurity and secure data lifecycle management industries continues to be acknowledged at conferences, trade shows and competitions around the world. Join us at the Government Innovation Awards dinner on November 8th at the Ritz-Carlton Tysons Corner!

Why Securing Your Fleet’s Data is the Secret Sauce

More data is collected from a vehicle than you can imagine – all the basics, like real-time location, fuel levels and odometer readings, are easily accessible and ready for analysis by fleet owners. There are also ELD devices that track the number of hours your drivers work. If drivers go over the allotted hours of service, they are breaking the law, so if you don’t have these devices on your fleet, it is worth looking at this review to find the best one. But there are hundreds of other data points which fleet owners can tap into to learn where their real competitive advantages lie. For example, fleet owners can decisively reduce their operational costs (and enhance safety!) by gaining insights on whether drivers are wearing seatbelts, how long each engine has idled, and if a blinker was engaged before turning. As Christina Rogers wrote in her article with the Wall Street Journal, this large data set can be contextualized, analyzed and leveraged to drive profitability and growth.

 

Vehicle data should be secured and properly managed throughout its entire lifespan just like any other closely guarded trade secret. Numerous auto-makers and their affiliated services are already monetizing this rich, new source of data. For example, McKinsey & Co. estimates data from connected cars will be valued at up to $750 billion by 2030. This trend will only accelerate as newer vehicle models come equipped with cellular modems, driver assistance devices, and other digital services. Fleet owners, such as delivery truck or car rental companies, stand to benefit the most from this sea change beginning with enhanced operational efficiencies and new opportunities for employee training.

 

On the other side of the equation, there are inherent risks with unsecured data points generated by vehicle fleets. For example, the GPS coordinates of individual vehicles can be spoofed, or worse, malicious code can be dropped into vulnerable infotainment systems leading to catastrophic system failures. To mitigate these risks and deter motivated cyber-attackers, subscribing to a cybersecurity service is a sound business judgment to secure data and to ensure fleets are operating nominally.

 

Trillium is a leader in providing secure data lifecycle management and cybersecurity solutions for vehicle and fleet operators. In addition to ensuring the integrity, authenticity and security of fleets’ data, Trillium Secure anonymizes it for fleet operators’ peace-of-mind when it comes to regulatory compliance. In other words, Trillium works to protect your data – that is – your secret sauce!

DefCon 2018: The Best Until the Rest

As the sun sets on Las Vegas, so ends the final day of DefCon 26. This year’s rendition of the hacking convention was just as full of content as its predecessors, with more speakers, workshops, vendors and villages than ever before. The coveted “Black Badges,” prizes given to winners of the best hacking competitions, have found their homes in the hands of the best hacking teams from around the world.

Despite not being a Black Badge competition, the iconic Car Hacking Village too saw its best year yet. The Capture the Flag challenges this year featured disembodied head units, decapitated dashboards, riveting reverse-engineering challenges, an escape from a Ford Escape, and more. The challenges, constructed by experts in automotive cybersecurity such as GRIMM, Intrepid Control Systems, and Rapid7, gave the audience of newcomers and long-time enthusiasts plenty of material to explore in every aspect of automotive security engineering. The fierce competition was only outmatched by the enthusiasm shown by the teams as they pitted themselves against one another to compete for the first prize – a full size Polaris ATV.

All in all, Trillium is proud to have participated once again in this year’s Car Hacking Village, bringing our own CTF to the table for the best in the industry to test their skills against. As was the case last year, however, the PassGO challenge remains uncracked. We look forward to the CHV community’s continued interest in our products and services through our upcoming automotive cyber-security sandbox environment to be released in October. Thanks again for a great event, DefCon, and we’ll see you again next year!

PassGO Holds Strong!

The second full day of the Car Hacking Village has come to an end, seeing hours of attempts at the Trillium PassGO challenge. Despite the efforts of so many participants, the challenge has yet to see defeat. Stay tuned for the exciting conclusion of this year’s Car Hacking Village!

Donkey Cars? That’s What They Call Them!

This year’s Car Hacking Village featured a race between Donkey Cars – the newest “build your own” autonomous car fad in the industry. Teams brought their own home-grown self driving cars to race on an obstacle course designed to push the cars’ autonomy to its limit. Many thanks to the Car Hacking Village for always keeping things exciting year to year!