Canadian Forces hiring experts to protect vehicles from online attacks
Onboard software could make vehicles vulnerable to hackers, document says
National Defence is looking for a few good instructors to show its technicians how to protect military vehicles from hackers.
A call was issued recently on the federal government's tendering website looking for experts in a field defence officials say is a growing area of concern for the Canadian Forces — particularly as more and more vehicles are connected online, making them vulnerable to cyberattacks.
"The electronic control units (ECUs) and their related software may be vulnerable to security attacks much like other communication devices such as cell phones or laptops," says the bid document. "Military vehicles which contain such ECUs are susceptible to the same type of vulnerabilities."
A spokesman for National Defence, Andrew McKelvey, described the training in a recent email as part of routine work meant to "ensure safety and suitability of equipment."
McKelvey tied the plan to the recent Liberal defence strategy, which placed new emphasis on cyber-defences and policy.
The training is meant to "mitigate cyber-associated risks," he said.
The community of online security experts started buzzing in the spring of last year over reports that an Israeli firm – Argus Cyber Security – had been able to remotely take control of a moving car via Bluetooth and kill its engine.
According to published reports in trade journals, researchers discovered two security vulnerabilities in a system that provides information about the state of a vehicle.
Getting ahead of the problem
The company that makes the system, Bosch Drivelog Connect, has instituted a fix but was, at last report, trying to come up with a permanent software solution.
It may sound like something out of a Hollywood movie, but experts at tech security companies say online attacks against vehicles represent a growing threat — especially with autonomous vehicles on the horizon and the interconnected nature of systems in the current generation of cars.
Mark Nunnikhoven, vice president of cloud research at Trendmicro, said the military is being prudent by trying to get ahead of the problem.
"We've seen some very visceral demos ... of people hacking things like a jeep driving up a highway," he said. "We've seen them hack locks on cars to get in."
The general public has no reason to panic at this point, he said, because government, military and law enforcement vehicles are more tempting targets for hackers than civilian vehicles.
"It's not necessarily that they are more vulnerable. Military vehicles and military in general — same with the government — is a more high-profile target," said Nunnikhoven.
"The job of the military, outside peacekeeping and defence ... is literally to be attacked. So, they are against a different class of adversary."
Civilian vehicles are vulnerable, though. Nunnikhoven cited the example of the onboard tracking devices insurance companies are recommending to allow drivers to reduce their rates.
Once a hacker has access, they can connect to the Controller Area Network, or 'CAN bus', which is standard on all North American vehicles. It is a system designed in the mid-1980s that allows a series of micro-controllers and devices in a car to communicate with one another without a central computer.
Connecting that in-car network to the outside world leaves the vehicle exposed to attack, said Nunnikhoven.
McKelvey refused to say whether any military vehicles have already been hacked, or what the military thinks about the vulnerabilities.
"DND/CAF does not comment on actual or alleged cyber incidences," he said in an email.
Last winter, the Senate Committee on Transportation and Communication expressed concern about the threat of vehicle hacking in a wide-ranging report about autonomous cars.
The future of war
A former senior defence official, who could only speak on background because of the sensitivity of the file, said National Defence has been studying the problem for a while and its concern is somewhat broader.
Military vehicles are not connected to the wider world in the same way as civilian cars, so they present a more sophisticated problem.
"They're called proprietary closed platforms, but you don't have to be connected to the Internet to have a cyber vulnerability," said the official.
The Department of National Defence is thinking ahead to the day when cyber weapons like the virus Stuxnet are deployed and used in a military context.
Stuxnet was an extremely sophisticated series of malicious files discovered on the computers at a uranium enrichment plant in Iran. It was deployed without using the Internet and caused havoc in that country's nuclear program.
The computer worm was considered the world's first digital weapon.