Date: May 20, 2015 Author: Chris Bing Source: DCInno (
click here to go to the source)
Less than a week removed from news that a commercial airliner was allegedly hacked and redirected in midair by One World Labs Founder Chris Roberts, many have questioned whether such a task is possible and if so, what it may mean in terms of future transportation safety. Given the current perceived security threat surrounding transportation, one avenue of particular concern is public transit vehicles. Many public transportation vehicles in the U.S. employ some variation of bluetooth, geo-location, WiFi-connection and sensor technology. As a result, it is possible that they could be susceptible to a networked attack.
Reston, Va.-based cloud and mobility cybersecurity startup, Kaprica Security, has developed a cyber system to stop hackers from targeting the most common form of transportation in the U.S., commercial automobiles. Originally developed for DARPA I2O and the US Army CERDAC program, the product, called RunSafe, encrypts a vehicle's OS.
Founded in 2011, Kaprica Security was recently brought on by Virginia Governor Terry McAuliffe as part of a new cybersecurity initiatives that is working together with a myriad of public and private entities to research potential cyberthreats.
RunSafe was developed, according to Kaprica, because the underlying operating systems of many cloud deployments are still extremely vulnerable. Because of these vulnerabilities, attackers can create reliable payloads that can compromise server infrastructure. Kaprica Security, a two time winner at the hacking conference DEFCON, was recently awarded a $270,000 DARPA contract.
"Our OS and application security system RunSafe allows for the inoculation of entire swaths of dangerous vulnerabilities, without rewriting a line of code, altering system structure, without source code, and completely automatically. We are currently using a few research avenues to demonstrate the efficacy of RunSafe in the auto sector, as well as several others. Said another way, our goal is to invent things that remove toolkits from the attackers," Kaprica Security CEO Doug Britton told DC Inno.
The larger discussion concerning the evolution of IoT (internet of things) innovaton, and the subsequent lack of security behind it, continues to play an important role in understanding why cybersecurity is a growing market.
In early May, a local CBS affiliate (KEYE TV) taped a presentation involving members of Kaprica's team. In the video, a car being driven on a closed course is hacked by two cybersecurity engineers. In this case, the car's brakes were disengaged and the test driver wasn't able to stop the car from blaring its horn, among other things. In the video, Kaprica says that most bluetooth enabled and internet connected vehicles are susceptible to a breach in some form or facet.
If the talking points surrounding the recent United Airlines flight hack have taught us anything, it is that in an ever connected digital world — where the internet is being used to connect us not only virtually but through hardware experiences — there needs to be some sort of security infrastructure. Otherwise, consumers will not be able to feel safe and as a result, service-oriented businesses may suffer.
Kaprica Security CEO and Co-Founder Doug Britton
To get a better idea of what is going on in the IoT and transportation cybersecurity space, DC Inno interviewed Kaprica Labs CEO Doug Britton.
Here's our full interview:
[Chris Bing] Q: How widespread is the issue of cyberattacks on automobiles? What can an attack of this sort on a vehicle do to its driver?
[Doug Britton] A: As a potential attack surface, the issue is prevalent on a large number of vehicles. There are elements in the vehicles that allows for attack remotely. The average citizen doesn't likely need to worry though, as the attacks would require a great deal of targeting. In the auto space, there isn't yet the equivalent to SPAM or Phishing, whereby broad anonymous messages could infect random cars. The military is a different question. Foreign governments are prepared to go to great lengths to learn about the capabilities of vehicles and develop means to opportunistically alter their behavior. For the military, the question can't be asked "Will someone try to hack this, steal this, counterfeit this, etc?" That must already be assumed to be yes. The military must design systems and methods, knowing they will be under constant "cyber attack" that could begin as soon as the vehicle is designed, before the parts suppliers are known.
Q: How accessible is the technology needed to orchestrate a cyberattack on an automobile? Is that accessibility for criminals growing or will it be very limited?
A: Today, the number of hackers that are qualified to create and deploy attacks against automobiles (private and military) is very small. I would describe it in the hundreds, worldwide. Also, the deployment vector to apply the attack to a vehicle isn't extremely accessible. The motivated attacker though will utilize the "industrialization of attack" to their advantage. The "industrialization" has been described by some as the formation of a well ordered hacking supply chain. The impact to the citizenry from this industrialization is that local criminal elements, with no specific hacking skills, can buy the pieces they need to craft attacks. If someone is in a position where they have historically been sensitive to targeting, for industrial espionage, criminal reprisals, etc, this opens up a new vector to guard against. Successful deployment of these approaches in an industrial espionage scenario would take a great deal of sophistication and expense, but some motivated parties could consider that a worthwhile expense.
Q: What do you think the future of cybersecurity in the transportation industry will look like 5 years down the line? Is the hacking of transit transportation just a trend?
A: This answer is my opinion and only my opinion, not that of Kaprica Security. Physical security has existed around transportation, because we realized that things are structurally vulnerable in motion, by air, sea, or surface means. Unfortunately, my belief is that the importance of cybersecurity in transportation will rise to level of concern as physical security. Motivated people will use the means at their disposal to create their outcomes, be they financial, political, terror, etc. The connected nature of transportation systems isn't going to stop, which means that motivated adversaries will use that to their advantage. Transportation hacking isn't, in my opinion, a trend. It is a structural fact.
Q: How is Kaprica Security approaching the issue of transportation cybersecurity. How is this specific IoT cybersecurity market expanding based on your experience in the industry?
A: The modern, motor transportation industry is more than 100 years old and has logged trillions of miles. Instead of going straight to "product marketing," we are working with research opportunities in the industry to learn, test, adapt, retest, and connect. Our first formal engagement in the transportation space was a DARPA contract (HACMS) on which we performed vehicle security research. While this was far removed from the manufacturers, it gave us great insights into industry economics. From there, we were able to better align some of our capabilities with focused efforts by DOT, SAE, and others.The number of cars will be dwarfed by the other "things," but certain structural components will make automotive participation in IoT important. Some have hypothesized that connected vehicles will provide a rolling broadband network for other devices. If auto assumes an infrastructure capacity in IoT, then its role and responsibilities will be pretty massive.
