Is Car Hacking the Next Big Security Threat?
Is Car Hacking the Next Big Security Threat?
It may seem convenient to have a hands-free phone built into your car, or to have a GPS system in your vehicle, but as automobiles incorporate more navigation and wireless communication technologies, could these super-connected cars become increasingly vulnerable to hackers?
Actually, the idea of hacking cars isn’t all that far-fetched, experts say.
“It’s not hypothetical at all,” said Chris Valasek, director of vehicle security research at IOActive, a global security services company that has its North American headquarters in Seattle. Valasek has conducted research on remote car-hacking with Twitter security engineer Charlie Miller. Researchers at the University of Washington and University of California, San Diego, have also examined this type of security breach. [Super-Intelligent Machines: seven Robotic Futures]
Valasek and Miller said the automotive industry needs to better prepare for potential attacks.
Last December, the duo hacked into a Toyota Prius and a Ford Escape from the inwards. The researchers plugged a laptop into the vehicle’s diagnostic port, which permitted them to exploit vulnerabilities in the electronic control units that communicate with the auto’s internal network. As a result, the two took control of the car’s locks, headlights, horn, steering and braking.
More recently, Valasek and Miller assessed the vulnerabilities in the electronic control units of twenty one vehicles, and introduced their findings at this year`s Def Con hacker conference in Las Vegas. Since different car manufacturers use different vehicle designs, the security analysis avoided generalities. The researchers examined specific automotive architectures, and concluded that some networks are more secure than others.
Automakers’ attitude toward cybersecurity today resembles that of software companies in the past, Valasek told Live Science. In the early 2000s, software vendors largely overlooked security risks, said Valasek, who has a background in Windows software security research. “They weren’t investing in the security of their software,” he added. Only later did they invest in proactive measures to protect users. Valasek said he hopes the automotive industry will be quicker to take act.
He said the thickest issue he sees is remediation, which means having to perform software updates for vehicles that are already on the road, should vulnerabilities emerge. Unlike software updates for private computers, which users can download and install themselves, safeguarding the control units of cars would involve tracking down owners, notifying them and then transmitting the security patch. This could be done at car dealerships, via USB key or some other method, Valasek said.
It’s potentially an expensive and complicated prospect. Presently, Tesla Motors is one of only a few automakers capable of issuing over-the-air updates, Valasek said. This means software updates can be sent wirelessly to Tesla vehicles, so the owners don`t need to bring their cars in. But Tesla vehicles account for a relatively puny number of cars on the road, he pointed out.
Valasek’s latest research with Miller builds on earlier car-hacking work led by Yoshi Kohno, an associate professor in the Department of Computer Science and Engineering at the University of Washington, and Stefan Savage, a professor of computer science at the University of California, San Diego. In 2011, Savage and Kohno tapped into a car’s wireless systems to build up finish control of the vehicle. [The eight Craziest Intelligence Leaks in US History]
“We demonstrated remote takeover of a vehicle that had not been modified in any way,” Savage told Live Science. “I think we are the only ones who have done that still, even tho’ it’s three years later.”
The researchers didn’t publish the demonstration codes they used to hack into the car, and instead collective them directly with the automakers. “Then I think we got taken much, much more earnestly,” Savage said.
Still, Savage said the threat of car hacking shouldn’t fuel paranoia among consumers. For most crimes, perpetrators would likely choose methods other than hacking, anyway, he said. “If they’re attempting to listen in to you, it’s lighter just to stick a microphone bug in the car. If they’re attempting to take you out, it’s lighter to shoot you,” he said.
The exception is theft. “There, you do see criminal innovation in defeating mobilizers and door locks,” Savage said. This is because anti-theft measures have become so effective that thieves now need to defeat computer components in order to effectively steal cars.
In terms of the automotive industry’s progress, Savage said that manufacturers are picking up implements to search for security bugs from the world of traditional software security. He added that carmakers are working, via the Society of Automotive Engineering, to standardize the threat-modeling process.
Meantime, Valasek and Miller urge automakers to add attack-detection and -prevention technology into the critical control networks of fresh cars.
“Generally speaking, car hacking isn’t mainstream. It’s very difficult and costs lots of money,” Valasek said. “That could switch in the future, which is why we’re working on the problem now.”
