- Posted in Blog
- Hits: 3561
All modern cars employ many small computers or microprocessros to control the behaviour and the performance of everything from fuel injection timing to stability control and from streaming music to navigation. Those computers are connected together via a network or a bus but also connected to the outside world by way of Bluetooth, WiFi, GPS, wireless car key etc.
So is it possible that someone can gain access to your in car network and manipulate how those computers behave or change the software the controls them?
Security by obscurity is often the type of “security” available in vehicles since the majority of security researchers and hackers have no access to connected car systems and no understanding of how they work.
That’s about to change; earlier this year at a security conference in Singapore, former Tesla intern and embedded systems developer Eric Evenchick released a toolkit that is designed to work with the Controller Area Network (CAN) bus that controls many functions in connected cars. “Every new car has multiple CAN buses that let controllers communicate. This bus controls everything from the camshaft on your engine to your power seats,” Evenchick explained before presenting his credit card sized $59.95 device that can help researchers find security vulnerabilities in CAN systems.
In the mean time in the USA, Senator Ed Markey released a report accusing some of the biggest automakers in the market of having no clue how to prevent hackers from taking over your car. It’s just the latest in an ongoing—and sometimes breathlessly overblown—national conversation about the perils of our increasingly digital vehicles.
The report quizzed 16 major automakers on the vulnerability of their cars to hacking, and how they counteract or detect hacking events. The response wasn’t great.
Sen. Markey’s report says that “nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” It goes on to report that most carmakers are “unaware of or unable to report on past hacking incidents,” that security measures preventing remote access to vehicle electronics are “inconsistent and haphazard across all automobile manufacturers,” and that carmakers collect “large amounts of data on driving history and most do not describe effective means to secure this data.”
The Markey report came just a day after 60 Minutes (the famous US investigative journalism TV program) aired a segment showing how easily a hacker can gain complete control of a modern vehicle. Using a laptop, the hacker dialed the car's emergency communication system and transmitted a series of tones that flooded it with data. As the car's computer tried sorting it out, the hacker inserted an attack that reprogrammed the software, gaining total remote control.
However there is currently little incentive for hackers to attack cars, beyond maliciousness. "Given the monetary motivation of most hackers, the chance of car hacking is very low" observed Damon McCoy, an assistant professor of computer science at George Mason University and a car security researcher at an event last year in Austin, Texas. For now, only the hype surrounding car hacking is very high. And it likely will continue, since it makes for great headlines.
This month WIRED published an article titled Hackers Remotely Kill a Jeep on the Highway—With Me in It accompanied by a video that show how hackers took control of Jeep driving on the highway. All of this is possible only because in this case Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which the hackers identified the Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the world.
The reality is that modern cars are enormously complex and increasingly connected. As the Markey report rightly points out, new vehicles often are capable of transmitting driving history and personal vehicle data without owners being made explicitly aware, and opt-out procedures are either unexplained or nonexistent.The same privacy concerns that circle around our internet-connected devices at home are reaching into our automobiles, and most of us are ignorant of their extent. And with Bluetooth, Wi-Fi, keyless entry, GPS navigation, and cellular telematics systems, today’s cars have become inextricably connected to the so-called internet of things. The threat of bad actors using that capability to take over a vehicle is real, very real at least technically.