Forget about hackers targeting smartphones or your home computer because "hackers have scopes set on your automobile," according to The Montreal Gazette. From a lab, security researchers were able to "send nasty messages to their test car's display board, start and stop the engine, disable the brakes and even make two cars 1,000 miles apart perform in unison. Could any basement-dwelling computer geek do the same thing?"
Some security researchers warn that any electronic system in a car is a potential target for hackers, from the brakes to the radio. In fact there are all kinds of sweet spot automotive attack surfaces [PDF]. We are incorporating more entertainment-related computers in cars, entertainment systems that can be hacked to tell safety computers what to do. Yet we continue forward so we can be connected to the Internet and social media while driving -- cause that Facebook status update just can't wait.
Last month the Transportation Research Board (TRB) published a report about the "challenges arising from the expanding functionality and use of automotive electronics." There are hundreds of sensors, circuits and "microprocessors running on increasingly complex software and exchanging information through one or more communication networks." The TRB report advised the biggest issue of concern is car hacking or "automotive vulnerabilities to cyberattack."
The last few years, in demonstrations, security researchers "hacked into a test car's electronic braking system and prevented a test driver from braking a moving car -- no matter how hard he pressed on the brakes. In other tests, they were able to kill the engine, falsify the speedometer reading, and automatically lock the car's brakes unevenly, a maneuver that could destabilize the car traveling high speeds. They ran their test by plugging a laptop into the car's diagnostic system and then controlling that computer wirelessly, from a laptop in a vehicle riding next to the car."
The TRB report continued, "Some failures of software and other faults in electronics systems do not leave physical evidence of their occurrence." Bluetooth, GPS, and entertainment-related embedded systems will become increasingly complex. "In the more distant future, features such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications will likely require further increases in software complexity, new sensor technologies and other hardware that will require dependability assessments, and the deployment of additional technologies such as wireless connections that could increase vehicle susceptibility to cyberattack."
Lynda Tran, an NHTSA spokeswoman, told Bloomberg, "The agency recognizes there are potential vulnerabilities, especially those related to future connected vehicles, that need to be fully understood and addressed."
Then Stefan Savage, a University of California-San Diego computer science professor, told Bloomberg, "Car thieves could exploit security weaknesses to remotely open and start a car, or a spy could listen to conversations inside a car. Unlike automotive standards that specify performance minimums, a security standard would have to specify what systems shouldn't do. Such as not allowing a CD to send signals to the brakes."
"We found that basically anything under computer control in a car is vulnerable to malicious attack," says computer scientist Stephen Checkoway. "This includes the brakes, engine, lights, radio, wipers and electronic display. If a computer controls it, it can be controlled by an attacker." According to the National Post, Checkoway warned, "They could seize control remotely through the panoply of wireless devices attached to the car, such as cellular, Bluetooth, radio and tire pressure monitoring system. If you can take over the radio, you can use it to reprogram all the other computers."
Tom Clancy-like scenarios included:
Numerous cars could be jointly infected, perhaps using audio files. This could be used to prompt mass brake failure at a particular time or location. Tire pressure monitors could also be used as a triggering mechanism. And while his test car lacked self-parking capabilities, the possibility of driving a remotely-steered car off a cliff via Bluetooth seems viable.
Or an enterprising hacker could use a combination of wireless devices to seek out specific vehicles, disable their anti-theft devices, unlock the doors, start the engines and then sell the locations to eager car thieves. And it seems like child's play to eavesdrop on in-car conversations using built-in microphones and an Internet connection, or to lift personal information off connected cell phones, a sure boon to corporate espionage.
Freaked out yet? SANS Technology Institute reported on 2012 - 2013 security predictions, including malware that morphs into scareware and attacks embedded systems in your vehicle. A potential scareware example might be "physical hostage malware: Your car doors will not unlock until you pay $X. You'll either be locked in or out of your vehicle. Your smartphone's e-pay function can pay a small ransom and release the doors instantly. Out of desperation, many would immediately pay a token amount (less than 3 dollars, perhaps)."
In the past we looked at 'War Texting,' an SMS attack to steal a car, hacking to pwn a cop car, and how the Nissan Leaf secretly leaks driver location, speed to websites. So I'm sure we'll be hearing more about car hacking, how vehicles may be vulnerable to cyberattack, and other ways attackers can target and exploit your high tech car.
Until then, happy driving and Happy Valentine's Day!