I’ve just about recovered from the sensory overload that is CES to gather my thoughts from what was another fascinating event. This blog, on connected car hacking, is the first of two posts.
New cars are networked computers with an engine attached. Yours doesn’t sync with your phone when it detects you driving? That’s so 2016. At this year’s CES, we saw cars that attempt to connect all the dots along your morning commute, including suggesting routes with less congestion, reminding you of appointments and such. But when this complex ecosystem has issues, who do you call? Auto manufacturers point to the third party computer systems, and they, in turn, point to upstream providers. You’re now driving a tech mashup that just happens to be mobile.
Recently, I bought a new car, and the sales guy told me I needed the extended warranty because the computer replacement cost more than any other single component on the car, including the engine. Try to explain that to classic car collectors. It won’t skid on slippery surfaces, tries to park itself, and a host of other distracting things I haven’t quite figured out. Their manuals are big thick books, but who reads the manuals?
“IT’S BECOMING CLEAR TO THE FOLKS AT CES THAT YOUR ENGINE IS REALLY AN ACCESSORY.”
It’s becoming clear to the folks at CES that your engine is really an accessory, which can be replaced by a very large electric one very soon, and your computer needs to keep track of voltage to that accessory and let you know about it, probably on an app on your smartphone, which seamlessly appears on your in-dash monitor when you get close to the car.
So we’ve come full circle. While years back you had an office computer where you sat at a chair and did a task, now you sit in a chair with a seatbelt surrounded by a computer that happens to be moving. But in the same way we’ve been fighting attacks for years on desktop computers (which still have issues), we’ll increasingly see issues with that whole mobile experience. But I’m just not sure who to call anymore.
I put that question to one of the booth staff. He had no idea. Apparently, the connectivity to the car is handled by a bulk communication company as a partnership with the folks who make the car, who also partner with the computer people at the booth I was visiting.
I have a colleague in the industry who tried to hack his car for performance with some software he got online. He managed to brick his car, or at least it dropped into limp mode with very limited functionality. He basically could only minimally drive it, and wound up going the dealer and just saying something was broken and he didn’t know what. They couldn’t understand it either, and eventually replaced the computer. They didn’t charge him. He was very lucky.
“DEALERS WILL BECOME MORE SOPHISTICATED IN SPOTTING HACK ATTEMPTS, EVEN AS THE HACKING MARKET FOR PERFORMANCE MODIFICATIONS INCREASE.”
Dealers will become more sophisticated in spotting hack attempts, even as the hacking market for performance modifications increase. There are a host of new doodads here that allow you to interface with your car more easily, and every year at DefCon there is a larger area devoted to the subject.
Manufacturers are at least working on better firewalls now to keep the computers all protected, but that won’t hit the showroom floors for years, meaning there are millions of cars on the road (basically all of them) that hackers will try to exploit.
If a vulnerability is found, they will have millions of vehicles to target that have no effective way of being updated, since few would heed the warning to take it to the dealer for a fix.
It’s not hopeless. There are lots of startups that are looking at building anti-hacking equipment for modern cars. It will remain to be seen whether manufacturers will let you use any of it without voiding the warranty and bricking a very expensive car. If they learn to work together with the community, however, we can bring to bear lessons learned over a long period of time from chairs in front of computers-on-desks and keep us all a little safer.
by Cameron Camp, ESET We Live Security