Car hacking may sound like something out of the latest Die Hard or James Bond film, but it’s newsworthy, real and likely to happen much more regularly in the future. We look at the top facts you need to know about this emerging trend.
- The first cars were ‘hacked’ at least five years ago
While car hacking may be headline news these days, the vulnerabilities associated with them go back by as much as half a decade.
In 2010, a team of researchers from the University of Washington and the University of California San Diego reported that they could take over a car via a number of wireless vulnerabilities.
This landmark paper explained that as a result of automobiles being equipped with more and more technology, cybercriminals can “infiltrate virtually any electronic control unit … [and] leverage this ability to completely circumvent a broad array of safety-critical systems”.
They documented how, through a number of experiments, they were able to take control of the vehicle they were testing – they could mess about with the radio and, more seriously, completely disable both the brakes and the engine.
At the time, the team chose not to disclose the name of the manufacturer to the public. However, it was later revealed that the car in question was General Motors’ 2009 Chevy Impala.
- Security fails can result in big recalls
Charlie Miller and Chris Valasek exploited vulnerabilities in the radio system of the vehicle to remotely control the car’s air-conditioning, radio and its brakes and engine – they even managed to stop the car with a journalist in it.
Mr. Miller and Mr. Valasek responsibly disclosed the flaws to the manufacturer as and when they found them. This resulted in Fiat Chrysler Automobiles issuing a US-based 1.4 million-vehicle recall for Jeeps, Dodges and Chryslers so that it could update their software.
“The 2014 Jeep Cherokee was chosen because we felt like it would provide us the best opportunity to successfully demonstrate that a remote compromise of a vehicle could result in sending messages that could invade a driver’s privacy and perform physical actions on the attacker’s behalf,” the duo stated in their paper.
- Car components are just as vulnerable
The rising demand for “connected cars” has led many to question the security repercussions related to this particular development, but it’s also worth noting that car components are just as vulnerable.
Take vehicle immobilizers as an example. One study showed that cybercriminals could disable these electronic security devices and take off with a vehicle without the need of a “genuine key”.
The researchers, Roel Verdult, Flavio Garcia and Baris Ege, explained how they were able to exploit a weakness in the cryptography and authentication protocol used in the Megamos RFID transponder (which is used in many immobilizers).
“The implications of the attacks are serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”
They said in their paper: “The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.”
Another well-cited vulnerability concerns OBD (On Board Diagnostics) USB sticks, which are used in cars to check driving habits. Earlier this year, the US-based insurer Progressive came under pressure for handing out insecure thumb drives that were found to be lacking security.
Security researcher Corey Thuen told Forbes: “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication [and so on] … basically it uses no security technologies whatsoever.”
- Insiders remain a danger
Like any business, disgruntled employees can pose an information security risk to all types of organizations, and this is exactly what the Texas Auto Center found out in 2010.
Five years ago, a former member of staff at the car dealer exploited its remote web-based vehicle mobilization system to disable and tamper with more than 100 cars.
Drivers who had purchased vehicles from the Texas Auto Center reported that their respective vehicles were not working or that, in the middle of the night, their car alarms were inexplicably going off.
“First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency,” Wired reported at the time.
- They don’t have to be connected to the internet
It is often assumed that only connected cars can only be attacked, but this isn’t exactly true with Dark Reading reporting earlier this year that even certain “non-networked cars” can be tampered with. The Virginian State Police, it said, has found this out through its experiments with 2012 Chevrolet Impalas and 2013 Ford Tauruses.
In an ongoing project that also includes the Mitre Corp, the Virginia Department of Motor Vehicles, the University of Virginia, researchers found that they could make it impossible to shift gears from park to drive, push up engine revs, and – crucially – cause the engine to accelerate or cut off completely.
In addition, Mitre wrote attack code which opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers and squirted wiper fluid.
These attacks weren’t easy, as they required the attackers to hijack the state police car computer systems, which in turn required physically jacking the car. Mitre’s first attacks involved a mobile phone app, which was connected to a device in the car via Bluetooth.
This type of attack requires knowledge of the car model’s electronics, and physical access, but it proves attacks are possible – even when there is no internet connection.
- Patches take years to be applied
Patch management remains one of the biggest challenges for information security experts and car developers. Many have argued that the latter has struggled to grasp the seriousness of the situation.
One such individual is US senator Edward Markey, who issued a report in February 2015 criticizing the car manufacturing industry for its weak response to addressing security vulnerabilities.
He said: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
Exemplary of this is the incident concerning the 2009 Chevy Impala, as discussed at the start of the feature. This took General Motors five years to resolve, Wired magazine reported in September.
“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists,” commented security researcher Karl Koscher.
- Cybercriminals could target driverless cars
Cybercriminals are already targeting car manufacturers, but they could step up their attacks as autonomous cars edge closer to reality.
A number of security experts have questioned the dangers of driverless cars, and some have actually proved it. Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer could interfere with the laser ranging (Lidar) systems that most self-driving cars rely on to navigate.
The Lidar system creates a 3D map allowing the car to “see” potential hazards by bouncing a laser beam off obstacles. However, Dr. Pettit discovered that shining the laser pointer at a self-driving car, so that it was picked up by the system, could trick the car into thinking that something was right in front of it. This would cause it to brake quickly.
Alternatively, an attacker could overwhelm it with numerous signals, forcing the car to remain stationary for fear of hitting phantom obstacles.
“There are ways to solve it,” Dr. Petit explained in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”