It may seem convenient to have a hands-free phone built into your car, or to have a GPS system in your vehicle, but as automobiles incorporate more navigation and wireless communication technologies, could these super-connected cars become increasingly vulnerable to hackers?
Actually, the idea of hacking cars isn’t all that far-fetched, experts say.
“It’s not hypothetical at all,” said Chris Valasek, director of vehicle security research at IOActive, a global security services company that has its North American headquarters in Seattle. Valasek has conducted research on remote car-hacking with Twitter security engineer Charlie Miller. Researchers at the University of Washington and University of California, San Diego, have also examined this type of security breach. [Super-Intelligent Machines: 7 Robotic Futures]
Valasek and Miller said the automotive industry needs to better prepare for potential attacks.
Last December, the duo hacked into a Toyota Prius and a Ford Escape from the inside. The researchers plugged a laptop into the vehicle’s diagnostic port, which allowed them to exploit vulnerabilities in the electronic control units that communicate with the auto’s internal network. As a result, the two took control of the car’s locks, headlights, horn, steering and braking.
More recently, Valasek and Miller assessed the vulnerabilities in the electronic control units of 21 vehicles, and presented their findings at this year’s Def Con hacker conference in Las Vegas. Since different car manufacturers use different vehicle designs, the security analysis avoided generalities. The researchers examined specific automotive architectures, and concluded that some networks are more secure than others.
Automakers’ attitude toward cyber security today resembles that of software companies in the past, Valasek told Live Science. In the early 2000s, software vendors largely overlooked security risks, said Valasek, who has a background in Windows software security research. “They weren’t investing in the security of their software,” he added. Only later did they invest in proactive measures to protect users. Valasek said he hopes the automotive industry will be quicker to take action.
He said the biggest issue he sees is remediation, which means having to perform software updates for vehicles that are already on the road, should vulnerabilities emerge. Unlike software updates for personal computers, which users can download and install themselves, safeguarding the control units of cars would involve tracking down owners, notifying them and then transmitting the security patch. This could be done at car dealerships, via USB key or some other method, Valasek said.
It’s potentially an expensive and complicated prospect. Currently, Tesla Motors is one of only a few automakers capable of issuing over-the-air updates, Valasek said. This means software updates can be sent wirelessly to Tesla vehicles, so the owners don’t need to bring their cars in. But Tesla vehicles account for a relatively small number of cars on the road, he pointed out.
Valasek’s latest research with Miller builds on earlier car-hacking work led by Yoshi Kohno, an associate professor in the Department of Computer Science and Engineering at the University of Washington, and Stefan Savage, a professor of computer science at the University of California, San Diego. In 2011, Savage and Kohno tapped into a car’s wireless systems to gain complete control of the vehicle. [The 8 Craziest Intelligence Leaks in US History]
“We demonstrated remote takeover of a vehicle that had not been modified in any way,” Savage told Live Science. “I think we are the only ones who have done that still, even though it’s three years later.”
The researchers didn’t publish the demonstration codes they used to hack into the car, and instead shared them directly with the automakers. “Then I think we got taken much, much more seriously,” Savage said.
Still, Savage said the threat of car hacking shouldn’t fuel paranoia among consumers. For most crimes, perpetrators would likely choose methods other than hacking, anyway, he said. “If they’re trying to listen in to you, it’s easier just to stick a microphone bug in the car. If they’re trying to take you out, it’s easier to shoot you,” he said.
The exception is theft. “There, you do see criminal innovation in defeating mobilizers and door locks,” Savage said. This is because anti-theft measures have become so effective that thieves now need to defeat computer components in order to effectively steal cars.
In terms of the automotive industry’s progress, Savage said that manufacturers are picking up tools to search for security bugs from the world of traditional software security. He added that car makers are working, via the Society of Automotive Engineering, to standardize the threat-modeling process.
Meanwhile, Valasek and Miller urge automakers to add attack-detection and -prevention technology into the critical control networks of new cars.
“Generally speaking, car hacking isn’t mainstream. It’s very difficult and costs lots of money,” Valasek said. “That could change in the future, which is why we’re working on the problem now.”