Hardly a historical target for cybercriminals, automobiles have recently entered the cyber security spotlight as hackers devote new attention to the microprocessors and sophisticated engine control units in modern vehicles. Most modern cars and trucks ship with numerous computers that facilitate systems communication over an internal network. While these amenities have streamlined the ability of automobiles to accelerate, brake and steer, they also represent a new frontier for digital deviance. Successfully executing a technically demanding car hack has become a badge of distinction for the few cybercriminals skilled enough to hijack a vehicle using only a laptop.
As manufacturers create increasingly “smart” cars and trucks, they should be mindful that new technologies not only make their products more convenient to use, but also create major security obligations with respect to privacy. In this respect, automobiles are no different than smartphones, tablets or PCs. However, they should be regarded as potentially hackable assets that, if compromised, could result in actual loss of life on top of privacy intrusion. Cybersecurity experts and the automobile industry must work together to shore up defenses on vehicles, which to date have been incorrectly regarded as old-fashioned assets unworthy of security attention.
The evolution of cars as hackable, computerized devices
The notion that cars could be hacked was first raised in 2010, when a group of university researchers known as the Center for Automotive Embedded Systems Security (CAESS) published details about the exploits it found in a particular model’s computer system.
Commenting on the study, Helium contributor Leigh Goessl stated that the investigators plugged a laptop into the car’s diagnostic port, which is a common feature on latter-day vehicles, including the 2009 model that was the test subject. They also set up a wireless network in a nearby automobile to transmit data. Once connected, the researchers had complete control over basic car functions like steering, braking, radio playback, climate control and door locks.
While they downplayed the prospect of automobile hacking going mainstream, the CAESS team stated that current car computer systems are “fragile,” as if designed without security or privacy in mind. Advances in vehicle technology could make cars even more vulnerable, precisely because they would put automobiles into the same computerized class as desktop and mobile devices.
“The more technology they add to the vehicle, the more opportunities there are for that to be abused for nefarious purposes,” said Securosis CEO Rich Mogull. “Anything with a computer chip in it is vulnerable, history keeps showing us.”
The OnStar navigation system included in many American-made vehicles may be a particular weakness in automotive cybersecurity. According to Claims Journal writer Tom Krisher, CAESS members took advantage of OnStar’s cellular connectivity, which is normally a tool for users to report issues to a remote support center. Other data connections like Bluetooth, as well as built-in CD players, proved similarly vulnerable.
Specific exploits shown off at Defcon conference
At the 2013 Defcon security conference in August, Twitter’s Charlie Miller and IOActive’s Chris Valasek revealed some terrifying automobile hacks proven to work on the 2010 models of popular hybrids including the Toyota Prius and Ford Escape. According to Ars Technica’s Dan Goodin, the pair’s findings, which were funded by the Pentagon’s Defense Advanced Research Projects Agency, indicated that hacking a car can be as simple as getting a user to connect a particular Bluetooth handset or play a specific optical disc.
However, the underlying issue is the rising number of electronic control units (ECUs) in vehicles. Some vehicles have nearly 50 ECUs connected via an internal network, meaning that a successful hack could put control of a car’s brakes and engines into the hands of an unknown party. To pull that off, Miller and Valasek reverse-engineered the vehicles’ networks and began sending malicious code to ECU nodes, which currently have no screening process for authenticating messages or blocking suspected rogue transmissions.
“By examining the [controller area network] on which the ECUs communicate, it is possible to send proprietary messages to the ECUs in order to cause them to take some action, or even completely reprogram the ECU,” Miller and Valasek wrote in their findings. “ECUs are essentially embedded devices, networked together on the CAN bus. Each is powered and has a number of sensors and actuators attached to them.”
In the case of the Prius, the pair used a precise sequence of ECU messages to delve into its “smart” parallel parking system and manipulate the car’s steering wheel at high speeds. Like the CAESS researchers, they were also able to change the speedometer and odometer readings.
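The missing control described above, a receiver that authenticates frames and rejects rogue or replayed ones, can be sketched as follows. This is an added example, not code from Miller and Valasek's research or from any manufacturer; the scheme (a truncated HMAC plus a freshness counter packed into the 8-byte classic CAN data field), the key, the CAN ID 0x123 and all function names are illustrative assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3    # truncated HMAC bytes; short on purpose to fit the frame
MAX_DATA = 8   # classic CAN data field is at most 8 bytes

def _mac(key, can_id, counter, payload):
    # Bind the tag to the arbitration ID and a freshness counter.
    msg = struct.pack(">IB", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def seal(key, can_id, counter, payload):
    """Sender ECU: payload || counter || tag, all inside one frame."""
    if len(payload) + 1 + MAC_LEN > MAX_DATA:
        raise ValueError("payload too long for an authenticated frame")
    return payload + bytes([counter]) + _mac(key, can_id, counter, payload)

class Receiver:
    """Receiving ECU: screens each frame before acting on it."""
    def __init__(self, keys):
        self.keys = keys   # can_id -> shared key (provisioning assumed)
        self.last = {}     # can_id -> last accepted counter

    def screen(self, can_id, data):
        key = self.keys.get(can_id)
        if key is None:
            return "unknown-id", None
        if len(data) < 1 + MAC_LEN:
            return "bad-mac", None
        payload, counter, tag = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(key, can_id, counter, payload)):
            return "bad-mac", None
        last = self.last.get(can_id)
        # Accept only counters ahead of the last one (8-bit wraparound window).
        if last is not None and (counter - last) % 256 not in range(1, 128):
            return "replay", None
        self.last[can_id] = counter
        return "accept", payload

def demo():
    key, can_id = b"constructed-demo-key", 0x123   # constructed sample values
    rx = Receiver({can_id: key})
    good1 = seal(key, can_id, 1, b"\x00\x10\x00\x00")
    forged = b"\xff\xff\x00\x00" + good1[4:]       # new payload, old tag
    good2 = seal(key, can_id, 2, b"\x00\x12\x00\x00")
    frames = [(can_id, good1), (can_id, forged), (can_id, good1),
              (can_id, good2), (0x7FF, good2)]
    return [rx.screen(i, d)[0] for i, d in frames]

if __name__ == "__main__":
    print(demo())
```

The 24-bit tag and 8-bit counter are sized only to fit the frame; a real design would have to weigh tag length and counter width against bus speed and how long keys stay in service.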
Putting ECUs and automobiles on the cybersecurity radar
Automobiles could become key components of the emerging “Internet of things,” the close-proximity collection of networked appliances that would supplement or even replace traditional computers. However, carmakers have a ways to go in terms of taking cybersecurity as seriously as they take passenger safety. In fact, the two may become inseparable: One successful hack could lead to a disastrous accident, now that ECUs are attached to almost every critical automotive function.
Manufacturers could start by making ECUs easier to monitor, control and develop for, rather than keeping them so close to the vest. They are not simply computers, but devices tasked with keeping people safe.
“Currently, there is no easy way to write custom software to monitor and interact with the ECUs in modern automobiles,” stated a white paper summarizing Miller and Valasek’s findings. “The fact that a risk of attack exists but there is not a way for researchers to monitor or interact with the system is distressing.”
Fortunately, mainstream car hacking may not be viable for some time, perhaps giving the automotive industry ample time to reboot its approach to cyber security. One CAESS contributor referred to car hackers as a “rarefied group,” and he did not foresee real-world duplication of the researchers’ extraordinary exploits. In the short term, car owners may have to be more conscious of simple hacks that could compromise their door locks and facilitate. Ultimately, however, manufacturers must ensure that vehicles, like computers, are better prepared even for worst-case scenarios.