Today’s technologically advanced cars are increasingly vulnerable to malware and viruses introduced by hackers – similar to the type of stuff that regularly vexes PC users – and automakers and policymakers have some ways to go toward addressing this emerging safety risk.
Disgruntled Texas Dealership Employee Hacks 100 Cars
Drivers were confronted with cars that wouldn’t start and horns that wouldn’t go off after a laid-off employee at a Texas auto dealership, Omar Ramos-Lopez, hacked over 100 cars installed with a web-based vehicle immobilization system.
The cars were installed with a system called WebTech Plus, operated by Pay Technologies of Cleveland. This immobilization system comes as a small black box fitted under the dashboard, and it allows an operator to remotely disable a car’s ignition or trigger its horns (it cannot stop a running vehicle). The system is intended for use by auto lenders trying to collect on delinquent car payments. In this case, it was used by a disgruntled 20-year-old former employee for retaliation against Texas Auto Center, which was swamped by complaints from bewildered customers who had to miss work, call for tow trucks, or unplug their car batteries.
This incident occurred in 2010; the computerized systems and electronics used in automobiles sold since then have only gotten ever more complex and integral to the functioning of our vehicles. These systems have created new security holes that many auto manufacturers simply have not considered. In fact, the episode in Texas is peanuts compared to the work of other hackers, serving as analysts, who – in an effort to demonstrate security holes – have managed to remotely gain control of crucial functions like the gas and brakes while vehicles were running.
How does a car get infected?
For years now, modern cars have employed small computers called “embedded systems” to operate everything from tire pressure monitors, to airbags, cruise control, and brakes. These embedded systems use hardware, software, memory, and a processor, mirroring a standard PC, although they are closer to a smartphone in terms of sophistication. The activities of these embedded systems are typically coordinated by complex software code and an internal computer network, called a CAN bus. Similar to when your computer gets infected with a virus, if your car’s CAN bus or software code becomes infected, any embedded systems controlled by the computer or linked by software code can also become infected.
Most of the computer systems and code used to work your car were never explicitly designed to counter hacking and malware. Some solace can be found in the fact that the proprietary software code used by your car is one of the most closely guarded secrets held by auto manufacturers. It can be exceedingly difficult and time-consuming for hackers to penetrate this code to find weaknesses. Additionally, most vehicle models (not to mention brands) use different software code and hardware, meaning that malware designed to infiltrate one car probably won’t work on another of a different make or model. Even so, developments in our latest cars expose them to ever greater risk from the mischievous schemes of hackers.
Hacking via physical access
Traditionally, the main reason our technology-loaded cars have not been subject to viruses and hacking is because they are “closed” systems. Unlike your PC, there are few ways for the computer system in an older vehicle to come in contact with outside computers or people: uploading a virus requires physical control of the vehicle and use of specialized, manufacturer-issued equipment. Recalling the Texas episode, this basically means it would take a mechanic or someone at the dealership to infect a car’s computer system.
Craig Smith, founder of open source car hacking group Open Garages, raises a potential pathway for malware to make its way from one car to another via the dealership. Smith argues it would be very possible for an infected car to come into a mechanic or dealership and then upload its malware into the shop’s diagnostic equipment. From here, this malware could spread into cars hooked up to the infected equipment. At a hacking and cybersecurity conference called DerbyCon in September, Smith presented a cheap tool he designed to seek out the kind of vulnerabilities in auto diagnostic equipment that malware could potentially use to gain access from an outside vehicle.
Smith says, “Once you compromise the dealership, you have a lot of control.” To be fair, the risk of hacking by a highly computer-literate mechanic isn’t exactly the biggest concern for most car owners. Bigger cybersecurity risks are being created by the more recent trend to load new cars with many of the same internet-connective features smartphones have.
New car features open door to remote hacking
Wired magazine covered a story in July in which one of their writers, Andy Greenberg, drove a 2014 Jeep Cherokee that got hacked remotely. The hackers fiddled with the air conditioning, began blaring Kanye West from the audio system at full volume, and activated the windshield wipers and washer fluid, obscuring Greenberg’s view while he was traveling at 70 mph down a St Louis interstate. The two hackers responsible, Charlie Miller and Chris Valasek, appeared on the digital display console, sitting on a couch about 10 miles away. Finally, they cut off power to the Jeep’s engine as the vehicle was going up an overpass. The Jeep had barely enough momentum to make it over the crest, and Greenberg rolled the decommissioned vehicle off the interstate at an exit ramp.
Fortunately in this case, Miller and Valasek were working with Greenberg for his magazine article; however, for the purposes of maximizing the panic-inducing effect of the exercise, they did not tell Greenberg how or when they planned to attack his vehicle. A scenario like this one, Miller and Valasek say, could easily be replicated – and under far less controlled circumstances.
The 2014 Jeep Cherokee in question uses Fiat Chrysler’s Uconnect system, a web-based platform installed in hundreds of thousands of their vehicles, which controls entertainment, navigation, and phone calls and can also act as a Wi-Fi hotspot. This system provided a “super nice vulnerability” that anyone (so long as they know the car’s IP address and have the requisite skills) could exploit, according to Wired. Miller and Valasek used the Jeep’s internet-connectivity as a door into the entertainment system’s actual hardware, where they could rewrite the software code – known as firmware – used to control the vehicle’s embedded systems, such as those for the windshield wipers, brakes, and steering control. The firmware gives commands to the embedded systems via the car’s internal computer network, the CAN bus; automobile CAN networks currently have very little ability to shield themselves from malware attacks.
In new well-equipped cars, there are already about 40 wireless access points, such as Bluetooth, satellite, Wi-Fi, and tire pressure monitoring systems, which are inherently vulnerable to outside hacking. In future Audi models, plans exist to include features that would allow you to pay for gas or parking straight from the car’s multimedia interface. New internet-connectivity features make it easier for hackers to break into our vehicles; in the proposed Audi cars, these new features give hackers a direct incentive to comb your car’s hard drive for personal information like credit cards, social security numbers, and passwords.
Presently for most newer cars, the hacking of multimedia interfaces doesn’t pose too big of a safety risk. “As long as the multimedia interface is separated from the car’s control computers, the worst that could happen is a malfunction of the multimedia equipment,” says Cas Mollien, an IT strategist. Mollien adds, though, that without this separation, everything is basically left up to the hacker’s initiative.
Peering into the near future, it’s fairly clear that automobiles are becoming more, not less, connected with the outside world. The next big thing in this trend is likely to be cars communicating with one another, sharing information about road conditions, traffic, and so forth. Further into the future is probably the widespread use of self-driving cars. As these developments deepen connectivity and more and more people operate newer vehicles, we need to be prepared for threats against our cars coming from cyberspace. For the time being, hacking incidents are few and far between, and almost all of them have been done by people like Charlie Miller and Chris Valasek, trying to bring attention to the danger.
Cybersecurity and legal measures catching up
It is somewhat ironic that many of the same computerized systems that are responsible for the marked improvements in the safety, comfort, convenience, and efficiency of today’s vehicles also make our cars increasingly vulnerable to cyber threats.
Major auto manufacturers have begun looking into how to tackle the challenges of cybersecurity. In most cases, this requires carmakers to go outside their usual areas of expertise. Tesla has hired a new security chief who previously managed the security of Google’s Chrome web browser. The company also offers a $10,000 bounty to anyone who brings bugs and other security vulnerabilities to their attention. Not all automakers match Tesla’s forward-thinking when it comes to cybersecurity. Fiat Chrysler issued a recall of 1.4 million vehicles installed with Uconnect in response to the Wired story discussed in this writing. To fix the problem, they mailed USB drives with a software update to affected customers, which isn’t exactly the most secure patching technique (think if one of the USB drives fell into the wrong hands).
In February, 16 automakers were asked by by U.S. Senators Ed Markey and Richard Blumenthal how they would respond to a cyber-attack in real time: only two companies could adequately answer the question. Markey and Blumenthal have been working on a bill in the Senate that would make uniform standards for privacy and hacking protections for cars sold in the United States. Likewise this October, a bill was proposed in the House of Representatives that would issue civil penalties up to $100,000 for illegally hacking cars and would also require automakers to “develop and implement” privacy policies regarding their collection, use, and sharing of data from vehicle electronics.
Such measures are positive steps that demonstrate manufacturers and authorities are not stumbling into a total blind alley when it comes to the security of our new internet-surfing cars. Still, these companies and the law have some distance to cover in addressing cybersecurity issues. Meanwhile, it is probably only a matter of time before hackers – who aren’t working in the public interest – turn their sights to our automobiles.
Picture source: http://www.apple.com/ios/carplay/