Many scary things are afoot in the modern world of telecommunications: unauthorized surveillance, fraudulent online transactions, and interception of passwords.
Then there is the braking system of a car being turned off. That last one almost certainly is scarier than the others. After all, it’s a bad thing to have somebody steal your credit card info. It’s a really bad thing to have somebody turn your brakes off while you are on the Cross Bronx Expressway.
And, while nobody can say with certainty that such a hack has been committed maliciously, it’s been proven to be possible.
“It's not time to panic, but there's certainly cause for concern,” wrote security expert Beau Woods in response to my emailed questions. “While there are no confirmed examples of malicious car hacking, there's also no forensically sound evidence capture to be able to know for sure.” Woods is the founder and CEO of Stratigos Security and a core contributor to I Am The Cavalry initiative, a group that confronts online automotive issues.
The idea that the only reason it’s impossible to say that such hacks have not happened is because we don’t have the technology to detect them is anything but comforting.
It’s not cause to panic – certainly not in the same way that a person might if he or she suddenly was brakeless.
“The threat is real, however, the alarmist nature of some reporting is often over the top,” wrote Craig Smith, the founder of Open Garages and a core contributor to I Am The Cavalry. “I feel researchers are still ahead of the game a bit on finding vulnerabilities. Ideally, we will have solutions and methods for handling incidents in place before abuse of these discovered vulnerabilities becomes widespread.”
We saw some scary pieces in the news on this topic over the summer, however. In July, Wired ran a piece that described how a Jeep Cherokee was taken over in a planned test by hackers miles away. The hackers didn’t do anything dangerous – they turned on the air conditioner, took over the radio, started the windshield wipers and other such annoyances – but certainly could have.
Is the Auto Industry Listening?
One major reason to be concerned is that it is possible that the automobile industry is not acting as it should. A hack to technology made by the Swiss firm EM Microelectronic on several car manufacturers granted unauthorized physical access to cars and made them start. The flaw was known for three years, but no steps were taken to address it. Indeed, the researchers were taken to court to stop publication of the situation.
And we must hope that the recent misuse of technology at Volkswagen is not a harbinger of the industry’s approach over the long haul. A bad sign was the revelation that Volkswagen and, if reports are accurate, perhaps other manufacturers -- used software to change emission tests in its favor. While not directly related, it doesn’t show an industry that is putting the customer first.
Good signs abound, however. Tripwire security analyst Ken Westin thinks that the industry is doing its job.
“The automotive industry is doing quite a bit regarding these risks,” he wrote. “I have actually seen more collaboration than ever between the manufacturers to help mitigate these risks. A lot of the vulnerabilities and exposure comes from third-party components that you find in the entertainment systems, or through wireless networks, so having the industry understand these risks and taking steps to mitigate them is going to go a long way to secure these systems.”
At this point, the biggest challenge may not be from the type of highly targeted hack that the news sites are portraying. It could be hackers taking a blunt-force approach.
“The biggest danger is not going to come from a hacker targeting one specific person, taking control of their car, and putting them into an unsafe state,” Woods wrote. “That takes a lot of skill and knowledge today. It's much easier for a malicious adversary to disable a car by corrupting its software, or to trigger a remote kill switch accidentally or intentionally. If done across a fleet of vehicles, it could clog the streets until the cars (or transport trucks) are removed.”
Lots of Vulnerabilities
The responses of Lorie Wigle, the vice president and general manager for IoT Security Solutions at Intel, to my emailed questions suggest the size of the issue:
“We document fifteen hackable surfaces for the car in our white paper with threats ranging from theft of the car to revelation of private information such as where the car has traveled to controlling safety-critical functions such as steering and brakes,” she wrote. “The latter presents the greatest physical risk, but the others are important also.”
The bottom line, though, is that there may be a short run between the more generalized attacks that Woods sees as likely today and the more targeted attacks that are the true stuff of nightmares.
More targeted attacks certainly will come sooner rather than later. The use of electronics in cars is evolving rapidly, which will provide more attack surfaces. The cracking community will truly sit up and take notice when the monetary value of this flavor of nefarious activity becomes apparent. This can be juxtaposed against an automobile industry in which traditional changes have been done by recall.
The two key questions, then, are:
As the answers are clarified, enterprises with large mobile fleets or a reliance on employees using their own vehicles for corporate purposes should follow the issue closely. Where possible, automobiles with greater security should be favored. It also is time to pay attention to vehicle cyber security in corporate policies.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.