Unlike many cybersecurity experts, Justin Cappos doesn't lay awake at night worrying about data breaches.
Instead, as today's automobiles roll off assembly lines with dozens of embedded computers on board, the New York University computer science professor worries that malicious hackers may become more adept at remotely hijacking cars as they speed down the road.
And that's not just an idle concern. Security researchers Charlie Miller and Chris Valasek, who both currently work for Uber, demonstrated in 2015 how to remotely hack a Jeep Cherokee. And with automakers outfitting cars with computers that do everything from tighten seat belts to deploy airbags, experts worry that criminals could take advantage of vulnerabilities in those digital systems.
That's why Mr. Cappos and his team at New York University's Tandon School of Engineering along with researchers at University of Michigan's Transport Research Institute (UMTRI) and the Southwest Research Institute have set out to solve a key piece of the automotive cybersecurity puzzle: Remotely patching and updating old software.
"You should expect that your car has bugs in it," says Mr. Cappos. "You wouldn't expect most car companies would have better security teams than Microsoft or Google."
Unveiled at UMTRI's headquarters in Ann Arbor, Mich., on Tuesday, their new protocol – called "Uptane" – aims to safely and securely update some of those millions of lines of code inside cars without drivers needing to return to dealerships.
Several major automakers – such as Ford, Tesla, and General Motors – already offer the ability to remotely improve or repair onboard software using WiFi or cellular connections. And the drive toward remote software updates should only speed up in the next decade. The technology research company ABI research estimates that more than 200 million cars will receive wireless upgrades by 2022.
Cappos' Uptane system would remotely update software in cars and thwart those potential digital attacks by storing the encryption keys needed to conduct software updates in an offline setting with the car manufacturer when the vehicle isn't in use. But once a driver puts the key into the ignition, the car can remotely verify any upgrades, and ensure that a hacker hasn't tampered with the directions.
What's more, since an airbag controller might require less computing power than a radio, for instance, Uptane features stronger verification checks for more powerful units that could have a more significant safety impact if hacked.
"There's a chain of trust going on," says Sam Lauzon, an automotive cybersecurity software developer at the University of Michigan who assisted on the project. "These are the same type of chips in my mobile phone that are in my dash" – and some of them, he says, have barely any memory to be hacked at all, leading to Uptane's compartmentalized approach. "Why would I spend $50 to put a crypo controller in that?"
Uptane also allows automakers such as Ford and General Motors that often don't make their own parts to verify the security of third-party software features. And instead of having one location for a private encryption key, Uptane distributes the trust across the system, storing the encryption keys on three different servers.
That's an important extra layer of digital defense for drivers, experts say, because it's not so easy for most people to go out and buy a new car if hackers tamper with the onboard software.
"You can’t just say, 'I can toss out that car and go out an buy another one.' If there’s a leak that occurs, you have to be able to manage that," says Craig Smith, head of automotive security research at Rapid7. "It’s not a huge deal to ask a user to buy the next version, but it is a huge deal when it comes to a $30,000 vehicle."
The research could have homeland security implications, too. The Department of Homeland Security has put forward a $1.4 million contract supporting NYU's work on the Uptane project, part of nearly $18 million the agency has invested in projects aimed at securing cyber-physical systems, including medical devices, vehicles, and building control tools.
"I know I've updated my laptop and my cellphone in the last month or so. The question is when's the last time you've updated your car," says Daniel Massey, a program manager in Homeland Security's Science and Technology directorate. "There are 100 million lines of code in the average car. That's more lines of code than the space shuttle."
And in an automotive world where the reach of digitization and connectivity only continues to expand – potentially even into the realm of driverless cars and networked traffic grids – securely updating the software that runs those machines will only grow in importance. Since Mr. Miller and Mr. Valasek's 2015 attack forced Chrysler to recall 1.4 million Jeep Cherokee vehicles from the road, digital incidents involving cars have become more common. In February, for instance, Google's self-driving car ran into a bus near the search giant's headquarters in Mountain View, Calif., the first recorded crash without a driver behind the wheel.
And software-enabled cars that are already on the road also faced serious flaws in 2016. In January, Australian security researcher Troy Hunt said a student had used the Nissan Leaf's vehicle identification number to reveal its driving history, drain its battery, and shut down climate control.
"We care about that car that you're going to buy today. Whether you want to or not, you're going to have a connected vehicle," says DHS' Mr. Massey. "It would also be in DHS's mission to make sure people feel safe enough to drive to work, and not get scared by a cyberattack."